rp_filter and dropping of ICMP packets from martian sources
The TCP/IP stack in my 2.4.18 Debian Linux system has Reverse Path Filtering (rp_filter) turned on by default. This makes it drop all incoming IP packets from sources which are not in its routing tables. The dropped packets include ICMP error packets destined to the local node such as the ICMP Datagram Too Large error message used for path MTU discovery.
I have a host route to a remote system through a gateway. The Ethernet interfaces on the local system and remote system have MTU set to 1500. A router along the way to the remote system has one interface at an MTU of 1442 and sends back an ICMP Datagram Too Large error packet as per RFC 1191. Since I don't have a route set for that router, the ICMP error packet is dropped and my system fails to do path MTU discovery.
Is the dropping of ICMP error packets from "unknown" sources (sources without a matching routing table entry) a bug in the Reverse Path Filtering implementation or is it an intended consequence? Should ICMP error packets destined to the local node be accepted regardless of the rp_filter setting?
I am thinking of turning off rp_filter to make the path MTU discovery work correctly.
Thanks,
- Krish -
Last edited by kishku; 10-14-2004 at 01:59 PM.
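The source check in the scenario the post describes, as a simplified model added here (not part of the original post and not kernel code). The addresses, interface name and routing table are constructed placeholders, and loose mode (2, per RFC 3704) is included as a generalization beyond the on/off setting the post discusses.

```python
import ipaddress

# Constructed routing table modelled on the post: the connected subnet and one
# host route to the remote system through a gateway on eth0; no default route.
# Addresses are documentation-range placeholders, not values from the post.
ROUTES = [
    ("192.0.2.0/24", "eth0"),      # directly connected LAN (gateway is here)
    ("198.51.100.10/32", "eth0"),  # host route to the remote system
]

def lookup(routes, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def rp_filter_accepts(routes, src, in_dev, mode):
    """Model of the rp_filter source check: 0 = off, 1 = strict, 2 = loose."""
    if mode == 0:
        return True
    back = lookup(routes, src)
    if back is None:
        return False  # no route to the source at all: fails strict and loose
    # Strict: the route back must leave via the arrival interface.
    # Loose: any route to the source is enough.
    return mode == 2 or back == in_dev

def scenario():
    """ICMP 'Datagram Too Large' arriving on eth0 from an intermediate router."""
    router = "203.0.113.7"  # constructed address of the router with MTU 1442
    with_default = ROUTES + [("0.0.0.0/0", "eth0")]
    return {
        "strict_no_route": rp_filter_accepts(ROUTES, router, "eth0", 1),
        "loose_no_route": rp_filter_accepts(ROUTES, router, "eth0", 2),
        "filter_off": rp_filter_accepts(ROUTES, router, "eth0", 0),
        "strict_default_route": rp_filter_accepts(with_default, router, "eth0", 1),
        "strict_remote_host": rp_filter_accepts(ROUTES, "198.51.100.10", "eth0", 1),
    }

if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accept' if accepted else 'drop'}")
```

In this model a route that covers the router's address out of the arrival interface lets the ICMP error through with the filter still on, which is the narrower alternative to turning rp_filter off.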