[891] in linux-net channel archive
Re: Reject routes
daemon@ATHENA.MIT.EDU (Drew Eckhardt)
Sat Aug 12 22:38:47 1995
To: srb@cuci.nl (Stephen R. van den Berg)
cc: linux-net@vger.rutgers.edu
In-reply-to: Your message of "Sat, 12 Aug 1995 14:33:44 +0200." <199508121233.OAA05166@hera.cuci.nl>
Date: Sat, 12 Aug 1995 12:36:22 -0600
From: Drew Eckhardt <drew@poohsticks.org>
In message <199508121233.OAA05166@hera.cuci.nl>, srb@cuci.nl writes:
>What I have: a machine with several dial-up ppp connections.
>The dialup connections have IP addresses like: 10.0.0.1, 10.0.0.2, etc.
>
>Now, if a dialup connection is not active, there is no route for it
>in the routing table, and in order to prevent IP packets destined for it
>to take the default route, I added the following sink route in the
>routing table:
>
>Kernel routing table
>Destination   Gateway   Genmask     Flags  MSS   Window  Use    Iface
>10.0.0.0      *         255.0.0.0   U      1936  0       10290  lo
>
>This works quite nicely. If a ppp link comes up, its route is added before
>this route (obviously), and if the link disappears, this route will take
>effect again and will sink all packets.
>
>The only trouble is, it will sink the packets "silently". The only thing
>that will happen is that after the TTL has run out, an ICMP time exceeded
>is returned to the sender.
Actually, the packets will loop around inside the kernel. You need to block/reject them.
>What I'd like, however, is an ICMP host unreachable or something similar.
>
>Any clever tricks to get this behaviour in an 1.2.x kernel? Is it already
According to the IP firewalling docs/sources, this is possible; the code
LOOKS like it should send an ICMP HOST UNREACHABLE but it doesn't work
(I've tried adding it to both the blocking and forwarding chains - no
dice in either case); instead it just blackholes packets.
This is what happens in my RC files -
/etc/rc.d/rc.config :
IF1_NAME=dummy0
IF1_MODULE=dummy.o
IF1_ADDRESS=192.168.1.17
IF1_BROADCAST=192.168.1.31
IF1_NETMASK=255.255.255.240
FILTER0="blocking reject all iface $IF1_ADDRESS from 0.0.0.0/0 to 0.0.0.0/0"
and in
/etc/rc.d/rc.net1
echo -n "Configuring network interfaces : lo"
/sbin/ifconfig lo 127.0.0.1
/sbin/route add 127.0.0.1
i=0
while [ $i -lt $INTERFACES ]; do
    # Pull the IF<i>_* settings for this interface out of rc.config
    NAME=`eval echo \\$IF${i}_NAME`
    MODULE=`eval echo \\$IF${i}_MODULE`
    ADDRESS=`eval echo \\$IF${i}_ADDRESS`
    BROADCAST=`eval echo \\$IF${i}_BROADCAST`
    NETMASK=`eval echo \\$IF${i}_NETMASK`
    NET=`eval echo \\$IF${i}_NET`
    echo -n " $NAME"
    if [ "$MODULE" ]; then
        MODULE=${MODULE_PATH}/net/$MODULE
        if [ -f $MODULE ]; then
            /sbin/insmod $MODULE
        fi
    fi
    /sbin/ifconfig $NAME $ADDRESS netmask $NETMASK broadcast $BROADCAST
    /sbin/route add -host $ADDRESS $NAME
    if [ "$NET" ]; then
        /sbin/route add -net $NET netmask $NETMASK $NAME
    fi
    i=$[ $i + 1 ]
done
echo
echo "Configuring firewalling and forwarding"
i=0
# Start from empty chains, then load the FILTER<i> rules from rc.config
/sbin/ipfw flush blocking
/sbin/ipfw flush firewall
/sbin/ipfw flush accounting
while [ $i -lt $FILTERS ]; do
    FILTER=`eval echo \\$FILTER${i}`
    /sbin/ipfw add $FILTER
    i=$[ $i + 1 ]
done
I then route all the dynamic slip interfaces through dummy0 using gated,
with a static route that has a preference of 255.
>Does it need to be patched?
I tried every way I could think of to get ICMP HOST UNREACHABLE
messages, but didn't. There's no problem in ipfw. There's some
problem in the kernel, at least up through 1.2.10, and I haven't
gotten around to looking at it.
Alan, or anyone else who groks the firewalling code have any comments?
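The routing decision the thread is arguing about, as an added illustration that is not part of the original message: a longest-prefix-match lookup over a table modelled on the quoted netstat output, showing why the /32 peer route wins while the link is up and what the /8 sink does once it is down. Later Linux kernels supply the missing piece as route types (`ip route add unreachable 10.0.0.0/8` answers with ICMP host unreachable, `blackhole` drops silently); the default route, the eth0/ppp0 names and the action labels are constructed for this example.

```python
import ipaddress

# Route actions: "dev" forwards out of an interface, "blackhole" drops
# silently, "unreachable" answers with ICMP host unreachable (the latter
# two mirror the route types later `ip route` offers; labels constructed).

def make_table(ppp_up, sink):
    """Table from the thread. sink is 'lo' (the quoted route via the
    loopback device), 'blackhole' or 'unreachable'."""
    table = [("0.0.0.0/0", "dev", "eth0")]            # default route (constructed)
    if sink == "lo":
        table.append(("10.0.0.0/8", "dev", "lo"))     # the quoted netstat entry
    else:
        table.append(("10.0.0.0/8", sink, None))      # ip route add <sink> 10.0.0.0/8
    if ppp_up:
        table.append(("10.0.0.1/32", "dev", "ppp0"))  # host route for an active peer
    return [(ipaddress.ip_network(p), a, i) for p, a, i in table]

def lookup(table, dst):
    """Longest-prefix match: the most specific covering prefix wins, so the
    /32 peer route overrides the /8 sink whatever order they were added in."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, action, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action, iface)
    if best is None:
        return ("icmp-net-unreachable", None)        # no covering route at all
    _, action, iface = best
    if action == "dev":
        return ("forward", iface)                    # "lo" here is the looping case
    if action == "blackhole":
        return ("drop", None)
    return ("icmp-host-unreachable", None)

if __name__ == "__main__":
    for up, sink in [(True, "lo"), (False, "lo"), (False, "blackhole"), (False, "unreachable")]:
        state = "up" if up else "down"
        print(f"ppp0 {state}, sink={sink}: 10.0.0.1 -> {lookup(make_table(up, sink), '10.0.0.1')}")
```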