On Fri, Aug 05, 2005 at 07:43:25PM +0200, Harald Welte wrote:
> On Wed, Aug 03, 2005 at 03:50:15PM +0400, Vladimir B. Savkin wrote:
> > Hello!
> >
> > When trying to upgrade a gateway from old 2.6.10-rc2 to
> > new 2.6.13-rc5, I noticed a flood of messages like
> > "172.16.12.1 sent an invalid ICMP type 11, code 0 error to a broadcast:
> > 0.0.0.0"
> > Source IP is always that of this gateway, destination IP is always 0.0.0.0.
>
> could you please describe your setup in detail? Who/what creates those
> error messages?
>
> Can you send 'tcpdump -w' captures of the original packet causing the
> error, and the corresponding icmp packet?
>

I found that it really is NOTRACK who causes bogus ICMP errors.
Here is the test setup.

vlan0173 is a vlan device (MTU=1500)
lh is an IPIP tunnel (MTU=1480)

# ip ro ls dev vlan0173
172.16.16.0/22 proto kernel scope link src 172.16.16.1
# ip ro ls dev lh
172.16.0.12 scope link

172.16.16.1 is an IP of gateway associated with vlan0173

I run tracepath from 172.16.16.10 to 172.16.0.12

Without any NOTRACK rules, all is fine:
$ /usr/sbin/tracepath -n 172.16.0.12
 1: 172.16.16.10 0.564ms pmtu 1500
 1: 172.16.16.1 2.795ms
 2: 172.16.16.1 asymm 1 0.595ms pmtu 1480
 3: 172.16.0.12 asymm 2 2.377ms reached
 Resume: pmtu 1480 hops 3 back 2

Then I add NOTRACK rule:
# iptables -t raw -I PREROUTING -s 172.16.16.10 -d 172.16.0.12 -j NOTRACK
and start tcpdump to capture test packets and ICMP replies.
Test packets arrive on "vlan0173", bogus ICMP errors go to "lo",
PMTU discovery breaks.

Dumps are attached.

~
:wq
With best regards,
Vladimir Savkin.

DUMP-lo
DUMP-vlan0173