[Bug 814510] New: icmp redirect appears to be ignored
https://bugzilla.novell.com/show_bug.cgi?id=814510
https://bugzilla.novell.com/show_bug.cgi?id=814510#c0

Summary: icmp redirect appears to be ignored
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: per@computer.org
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:11.0) Gecko/20100101 Firefox/11.0

I have just upgraded a desktop box from 11.4 to 12.3 - I was prepared to have to reinstall from scratch, but it appears to have worked very well! So far the only problem seems to be that the box is ignoring ICMP redirects. I've checked the settings:

cat /proc/sys/net/ipv4/conf/*/accept_redirects
1
1
1
1

I've also checked the routing table shortly after having received a redirect, and the redirect hasn't been cached. The firewall is inactive. For us, this means no web-access because all port 80 requests are diverted to the web-cache, and this happens with an ICMP redirect.

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=814510#c1
--- Comment #1 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=814510#c2
--- Comment #2 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=814510#c3
Libor Pecháček
https://bugzilla.novell.com/show_bug.cgi?id=814510#c4
--- Comment #4 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=814510#c5
--- Comment #5 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=814510#c6
Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=814510#c7
--- Comment #7 from Per Jessen
> There are some restrictions on what redirects are accepted but IIRC these should be already in place in 3.4. Could you, please, post output of
> ip addr show
# ip addr show
1: lo:
> ip route show
# ip route show
default via 192.168.2.7 dev enp3s1f0
192.168.0.0/21 dev enp3s1f0 proto kernel scope link src 192.168.2.140

192.168.2.7 is the firewall that issues the redirect.
https://bugzilla.novell.com/show_bug.cgi?id=814510#c8
--- Comment #8 from Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=814510#c9
Per Jessen
> and a (tcpdump) capture containing a packet initiating the redirect and the ICMP redirect received?
The packet initiating is a simple http request to port 80 of <some server>. This tcpdump has both the request and the redirect(s).
https://bugzilla.novell.com/show_bug.cgi?id=814510#c10
--- Comment #10 from Per Jessen
> Please check values of
> /proc/sys/net/ipv4/conf/*/secure_redirects
> /proc/sys/net/ipv4/conf/*/shared_media
> Default should be 1 for both but with secure_redirects=1 and shared_media=0, redirects to an address which is not a default gateway would be ignored.
# cat /proc/sys/net/ipv4/conf/*/secure_redirects
1
1
1
1
1
1
# cat /proc/sys/net/ipv4/conf/*/shared_media
1
1
1
1
1
1
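Added example, not part of the original thread and not written by its participants: a shell function that applies the rule quoted in the comment above (secure_redirects=1 with shared_media=0 restricts redirects to default gateways), combined with the conf/all versus per-interface rules from the kernel's ip-sysctl documentation. The function names and the CONF_ROOT override are assumptions of this example.

```shell
#!/bin/sh
# Report how a Linux host will treat incoming ICMP redirects on an interface.
# CONF_ROOT (assumed name) can point at a constructed tree for offline testing.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# rd <scope> <knob>: print the knob's value, or 0 when the file is absent.
rd() { cat "$CONF_ROOT/$1/$2" 2>/dev/null || echo 0; }

# either <iface> <knob>: 1 when conf/all OR conf/<iface> enables the knob.
either() {
    if [ "$(rd all "$2")" != 0 ] || [ "$(rd "$1" "$2")" != 0 ]; then
        echo 1
    else
        echo 0
    fi
}

# accepts <iface>: accept_redirects is OR-ed on a host, AND-ed when forwarding.
accepts() {
    if [ "$(rd "$1" forwarding)" != 0 ]; then
        if [ "$(rd all accept_redirects)" != 0 ] &&
           [ "$(rd "$1" accept_redirects)" != 0 ]; then echo 1; else echo 0; fi
    else
        either "$1" accept_redirects
    fi
}

# redirect_policy <iface> prints one of:
#   ignored       redirects are dropped on this interface
#   gateway-only  secure_redirects=1, shared_media=0: only redirects to a
#                 known default gateway are honoured (the case in the thread)
#   accepted      shared_media overrides secure_redirects, or both are off
redirect_policy() {
    if [ "$(accepts "$1")" = 0 ]; then echo ignored; return 0; fi
    if [ "$(either "$1" shared_media)" = 1 ]; then echo accepted; return 0; fi
    if [ "$(either "$1" secure_redirects)" = 1 ]; then echo gateway-only; return 0; fi
    echo accepted
}

# Stand-alone use: ./redirect_policy.sh eth0 eth1 ...
for i in "$@"; do printf '%s: %s\n' "$i" "$(redirect_policy "$i")"; done
```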
https://bugzilla.novell.com/show_bug.cgi?id=814510#c11
--- Comment #11 from Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=814510#c12
--- Comment #12 from Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=814510#c
Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=814510#c13
--- Comment #13 from Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=814510#c14
Michal Kubeček
http://download.opensuse.org/repositories/home:/mkubecek:/branches:/openSUSE...
https://bugzilla.novell.com/show_bug.cgi?id=814510#c15
Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=814510#c16
--- Comment #16 from Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=814510#c17
--- Comment #17 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=814510#c18
--- Comment #18 from Per Jessen
Michal, I think there may also be an issue with the route cache. Yesterday after my tests, I expected to find the redirect gone after a while, but it was still there after more than 6 hours. I understand the route cache was removed as of kernel 3.6, but surely something still ought to be governing the cache time of an icmp redirect.
Looking at an old system, the redirected entry remains active for about 10 minutes. On 12.3, it stays for at least 12 hours, probably more.
https://bugzilla.novell.com/show_bug.cgi?id=814510#c19
--- Comment #19 from Michal Kubeček
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=f96ef9...
so it should appear in 3.10 kernel. When the patch reaches master, I'm going to push it into openSUSE kernel git.
https://bugzilla.novell.com/show_bug.cgi?id=814510#c20
--- Comment #20 from Michal Kubeček
> Looking at an old system, the redirected entry remains active for about 10 minutes. On 12.3, it stays for at least 12 hours, probably more.
I'll have to check again more thoroughly but it looks like since the IPv4 routing cache removal, next-hop exceptions created in response to ICMP redirect messages have infinite lifetime. I'm not sure this is intentional (it looks so) but neither am I sure it is wrong.
https://bugzilla.novell.com/show_bug.cgi?id=814510#c21
--- Comment #21 from Per Jessen
(In reply to comment #18)
> Looking at an old system, the redirected entry remains active for about 10 minutes. On 12.3, it stays for at least 12 hours, probably more.
> I'll have to check again more thoroughly but it looks like since the IPv4 routing cache removal, next-hop exceptions created in response to ICMP redirect messages have infinite lifetime. I'm not sure this is intentional (it looks so) but neither am I sure it is wrong.
Infinite lifetime would certainly be wrong. It also looks like the redirect _is_ cleared at some point, I just can't say exactly when.
https://bugzilla.novell.com/show_bug.cgi?id=814510#c22
--- Comment #22 from Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=814510#c23
--- Comment #23 from Per Jessen
> The fix is currently in openSUSE-12.3 git branch so that next 12.3 update will contain it (3.7.10-1.11 doesn't). As part of upstream 3.10-rc5, it will get into Factory soon as well.
Cool, thanks.
> By "infinite lifetime" I didn't mean that the entry would never disappear but that there is no explicit time limit. I'm going to take a look at the cleanup mechanism but as the primary issue is fixed, it doesn't have high priority.
I think the redirect ought to be cleared just as it used to be, but for me it's not an issue.
https://bugzilla.novell.com/show_bug.cgi?id=814510#c24
--- Comment #24 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=814510#c25
--- Comment #25 from Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=814510#c
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=814510#c26
--- Comment #26 from Per Jessen
https://bugzilla.novell.com/show_bug.cgi?id=814510#c27
Per Jessen
> As far as I can tell, the problem persists in 12.3 with kernel 3.7.10-1.16-default.
Ping? Also found in the xen-kernel. This is really annoying, any chance of an update soon?
https://bugzilla.novell.com/show_bug.cgi?id=814510#c28
--- Comment #28 from Michal Kubeček
> As far as I can tell, the problem persists in 12.3 with kernel 3.7.10-1.16-default.
Unfortunately the commit into openSUSE-12.3 branch was shortly after the 3.7.10-1.16 update was submitted (actually, it is the first commit after 3.7.10-1.16) and there hasn't been any 12.3 kernel update since then.
(In reply to comment #27)
> Also found in the xen-kernel.
Yes, due to the nature of the issue, all flavors should be affected.
https://bugzilla.novell.com/show_bug.cgi?id=814510#c29
--- Comment #29 from Per Jessen
(In reply to comment #26)
> As far as I can tell, the problem persists in 12.3 with kernel 3.7.10-1.16-default.
> Unfortunately the commit into openSUSE-12.3 branch was shortly after the 3.7.10-1.16 update was submitted (actually, it is the first commit after 3.7.10-1.16) and there hasn't been any 12.3 kernel update since then.
Can we please push a 12.3 update? For our systems, this issue is a complete show-stopper for all moves to 12.3.
https://bugzilla.novell.com/show_bug.cgi?id=814510#c
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=814510#c30
--- Comment #30 from Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=814510#c31
Michal Kubeček