[Openswan Users] locally generated traffic originating from eth0
Paul Wouters
paul at xelerance.com
Fri Jan 14 14:05:51 EST 2011
On Fri, 14 Jan 2011, Bob Miller wrote:
> This is a tad embarrassing.
> I was talking on the phone and typing at the same time, I inadvertently
> executed the command on an openswan firewall:
> ifconfig eth0 1400
I've done that a few times. Nothing to be embarrassed about :0
> reported no errors. Until an l2tp connection was tried, then I
> discovered loopback to loopback traffic was failing. I traced the
> problem down to local traffic being sent from eth0, as seen here:
>
> (terminal 1)fw-ps:~# ping -I lo 127.0.0.1
>
> (terminal 2)fw-ps:/var/log# tcpdump -n -i lo
> listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
> 09:40:44.988414 IP 194.242.22.23 > 127.0.0.1: ICMP echo request, id
> 8706, seq 15, length 64
> 09:40:44.988449 IP 127.0.0.1 > 127.0.0.1: ICMP echo reply, id 8706, seq
> 15, length 64
I'm not sure why this is happening, but some advice on debugging....
- Always disable rp_filter. It just can't deal with packets appearing "out
of nowhere" due to the IPsec hooks (be it klips, but especially with netkey)
- enable logging of martians. Martians are packets that "could not have arrived"
by any known route, and therefore must be using superior martian technology.
so change /etc/sysctl.conf to say:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 0
run sysctl -p
Then since this is not always enough to disable rp_filter for real, run:
for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/rp_filter; done
Martians will appear in dmesg.
hope this helps you somewhat in your quest for packets from the linux packet pie.
Paul
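The debugging steps above as one POSIX sh script. This is an added example, not code from Paul's reply or from Openswan. It writes the two knobs under every conf/<interface> directory (including "all" and "default") and then verifies the result using the kernel rule that the effective rp_filter on an interface is max(conf/all, conf/<iface>), which is also why setting conf/default alone is not always enough. CONF_ROOT is an assumed override so the functions can be exercised against a copy of the directory layout; on a real box run it as root with --run, and expect the martian messages in dmesg.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list post).
# Disable rp_filter on every interface, turn on martian logging, verify.
# CONF_ROOT is an assumed override for testing against a fake layout;
# the real location is /proc/sys/net/ipv4/conf.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Write one knob under every conf/<iface> directory that has it,
# which covers "all" and "default" as well as the real interfaces.
set_knob_everywhere() {
    knob=$1; value=$2
    for d in "$CONF_ROOT"/*; do
        [ -f "$d/$knob" ] || continue
        echo "$value" > "$d/$knob"
    done
}

# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter),
# so the per-interface value alone can hide that filtering is still on.
effective_rp_filter() {
    iface=$1
    a=$(cat "$CONF_ROOT/all/rp_filter")
    i=$(cat "$CONF_ROOT/$iface/rp_filter")
    [ "$a" -gt "$i" ] && echo "$a" || echo "$i"
}

# Report interfaces whose effective rp_filter is still nonzero.
# Returns 0 when everything is off, 1 otherwise.
check_rp_filter_off() {
    rc=0
    for d in "$CONF_ROOT"/*; do
        iface=${d##*/}
        case $iface in all|default) continue;; esac
        v=$(effective_rp_filter "$iface")
        if [ "$v" -ne 0 ]; then
            echo "rp_filter still $v on $iface" >&2
            rc=1
        fi
    done
    return $rc
}

main() {
    set_knob_everywhere log_martians 1
    set_knob_everywhere rp_filter 0
    if check_rp_filter_off; then
        echo "rp_filter off on all interfaces; martians will show up in dmesg"
    fi
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

The settings written this way do not survive a reboot; keep the net.ipv4.conf.* lines in /etc/sysctl.conf as in the reply above, and re-run the loop after interfaces are created, since a new interface picks up conf/default and can be overridden again by conf/all.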