[Openswan Users] locally generated traffic originating from eth0

Paul Wouters paul at xelerance.com
Fri Jan 14 14:05:51 EST 2011

On Fri, 14 Jan 2011, Bob Miller wrote:

> This is a tad embarrassing.
> I was talking on the phone and typing at the same time, I inadvertently
> executed the command on an openswan firewall:
> ifconfig eth0 1400

I've done that a few times. Nothing to be embarrased about :0

> reported no errors.  Until an l2tp connections was tried, then I
> discovered loopback to loopback traffic was failing.  I traced the
> problem down to local traffic being sent from eth0, as seen here:
> (terminal 1)fw-ps:~# ping -I lo
> (terminal 2)fw-ps:/var/log# tcpdump -n -i lo
> listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes
> 09:40:44.988414 IP > ICMP echo request, id
> 8706, seq 15, length 64
> 09:40:44.988449 IP > ICMP echo reply, id 8706, seq
> 15, length 64

I'm not sure why this is happening, but some advise on debugging....

- Always disable rp_filter. It just can't deal with packets appearing "out
   of nowhere" due to the IPsec hooks (be it klips, but especially with netkey)

- enable logigng of martians. Martians are packets that "could not have arrived"
   by any known route, and therefor must be using superiar martian technology.

so change /etc/sysctl.conf to say:

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 0

run sysctl -p

Then since this is not always enough to disable rp_filter for real, run:

for i in /proc/sys/net/ipv4/conf/*; do echo 0 >  $i/rp_filter; done

Martians will appear in dmesg.

hope things helps you somewhat in your quest for packets from the linux packet pie.


More information about the Users mailing list