Bug#557448: linux-image-2.6.31-1-amd64: net.ipv4.conf.all.secure_redirects not working
I have a chat on the linux-kernel ml and basically you have to set both of
the redirects.
So you can close the bug.
Thanks
-----Original Message-----
From: maximilian attems [mailto:max@stro.at]
Sent: Wednesday, 3 February 2010 8:50 AM
To: Alex Samad; 557448@bugs.debian.org
Subject: Re: Bug#557448: linux-image-2.6.31-1-amd64:
net.ipv4.conf.all.secure_redirects not working
tags 557448 moreinfo
stop
On Sun, 22 Nov 2009, Alex Samad wrote:
> Hi
>
> I have a local lan network
> 192.168.11.0/24 dgw - 192.168.11.1
>
> I also have a wireless network
> 192.168.10.0/24 dgw - 192.168.10.1
>
> the router at 192.168.10.1 is a linux server with the address
192.168.11.10 as well.
>
> I have placed a ip route add/replace 192.168.10.0/24 via 192.168.11.10 on
192.168.11.1 this send the appropiate icmp redirects for 192.168.10.0/24 via
192.168.11.10
>
> what seems to be failing is this scenario.
>
> laptop connected to 192.168.11.0/24 (ip via dhcp) with
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.secure_redirects = 1
>
> All the other interface redirects set to 1
>
> with another linux machine (alex-mini) on the wireless (192.168.10.0/24 -
ip via dhcp), I try and ssh to laptop - which fails.
>
> When I look at the tcpdump on laptop I see the packets coming in but
laptop is trying to send the packets via 192.168.11.1, it doesn't seem to
acknowledge the icmp redirects even though I have secure_redirects set to 1
and 192.168.11.1 is the default gateway..
>
> when I set net.ipv4.conf.all.accept_redirects to 1 everything works fine,
the icmp redirect is accepted....
>
> this seems to be contry to the documenation in sysctl.conf , which says
these flags are OR
>
> Alex
17:41 <bwh> Documentation/networking/ip-sysctl.txt says "secure_redirects -
BOOLEAN Accept ICMP redirect messages only for gateways, listed
in
default gateway list."
17:42 <bwh> So my guess is that in #557448 the submitter has not listed both
gateways in DHCP
can you verify please aboves?
Reply to: