If rp_filter is enabled, some ICMP messages may get dropped because the wrong IP address information is checked.

Setup: Host - GW1 - GW2 - Server

The host has IP 192.168.1.1/24 and only a single route to 10.1.1.0/24 via its gateway GW1; there is no default route. rp_filter is set to 1.
GW1 links to GW2 on link 172.16.1.0/24.
GW2 has IP address 172.16.1.2 pointing to GW1 and 10.1.1.1 pointing to the server; the MTU on link 10.1.1.1 is 1400.
The server has IP 10.1.1.2.

Now the host is sending a packet with MTU 1500 to the server: 192.168.1.1 -> 10.1.1.2
GW1 is passing the packet to GW2.
GW2 is checking the packet and rejects it because of the MTU of the outgoing link. The generated packet is 172.16.1.2 -> 192.168.1.1 ICMP fragmentation needed, with the original packet header in the payload.
GW1 is passing the packet to the host.
The host is checking the packet and dropping it by rp_filter, because the sender IP address is not in the routing table.

This is wrong behavior. The rp_filter routine should in this case check the IP contained in the payload of the ICMP unreachable packet, because the packet is caused by the 192.168.1.1 -> 10.1.1.2 packet and relates to this session. If rp_filter drops this ICMP, path MTU discovery gets broken.

There is no need to route all transfer networks in a provider cloud, but the related ICMP unreachable messages should pass the filter.

Regards
Christian
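The scenario in Christian's report, modelled as an added example written for this page (it is not kernel code and not from the original thread). It builds the host's routing table from the report, constructs the ICMP fragmentation-needed message GW2 would generate, and runs three reverse-path checks on it: strict mode (rp_filter=1) and loose mode (rp_filter=2), which both look at the outer source 172.16.1.2 and drop it because no route to 172.16.1.0/24 exists, and the check the report argues for, which validates the embedded original header instead. The interface name "eth0", the zeroed checksums and the simplified longest-prefix lookup are assumptions of the model.

```python
import ipaddress
import struct

# Constructed from the topology in the report: the host owns 192.168.1.1 and has
# exactly one non-local route, 10.1.1.0/24 via gw1, and no default route.
# Interface name "eth0" is an assumption; the report does not name it.
LOCAL_ADDRS = {ipaddress.ip_address("192.168.1.1")}
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth0"),
    (ipaddress.ip_network("10.1.1.0/24"), "eth0"),
]

ICMP_PROTO = 1
ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    best = None
    for net, ifname in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header without options; checksum left zero (enough for this model)."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def build_frag_needed(src, dst, original, mtu):
    """ICMP type 3 code 4 as GW2 would emit it: next-hop MTU in the header, followed by
    the original IP header plus the first 8 bytes of its payload (RFC 792 / RFC 1191)."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu)
    return build_ipv4(src, dst, ICMP_PROTO, icmp + original[:28])


def parse_ipv4(pkt):
    """Returns (src, dst, protocol, payload) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20]),
            pkt[9], pkt[ihl:])


def strict_rp_filter(pkt, in_if):
    """rp_filter=1: accept only if the best route to the outer source leaves via in_if."""
    src, _, _, _ = parse_ipv4(pkt)
    return route_lookup(src) == in_if


def loose_rp_filter(pkt, in_if):
    """rp_filter=2: accept if any route to the outer source exists at all."""
    src, _, _, _ = parse_ipv4(pkt)
    return route_lookup(src) is not None


def icmp_aware_rp_filter(pkt, in_if):
    """The check the report argues for: for an ICMP error that carries an embedded
    header, validate the embedded packet (it was ours and we sent it out via in_if)
    instead of the outer source, which may sit on an unrouted transfer network."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == ICMP_PROTO and len(payload) >= 36 and payload[0] == ICMP_DEST_UNREACH:
        inner_src, inner_dst, _, _ = parse_ipv4(payload[8:])
        return inner_src in LOCAL_ADDRS and route_lookup(inner_dst) == in_if
    return strict_rp_filter(pkt, in_if)


def scenario():
    """Replays the report: 1500-byte host -> server packet, GW2's frag-needed reply,
    and the verdict of each reverse-path check on the host's ingress interface."""
    original = build_ipv4("192.168.1.1", "10.1.1.2", 6, bytes(1480))
    reply = build_frag_needed("172.16.1.2", "192.168.1.1", original, 1400)
    return {
        "strict": strict_rp_filter(reply, "eth0"),
        "loose": loose_rp_filter(reply, "eth0"),
        "icmp_aware": icmp_aware_rp_filter(reply, "eth0"),
    }


if __name__ == "__main__":
    print(scenario())
```

Loose mode does not help here: the transfer network 172.16.1.0/24 has no route at all on the host and there is no default route, so both kernel modes discard the message and PMTU discovery stalls exactly as described. The embedded-header check only accepts an ICMP error whose quoted packet was sourced from a local address and whose destination is reached via the interface the error arrived on; an error quoting somebody else's packet, or a plain non-ICMP packet from the unrouted network, is still dropped.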
Can you send a summary of this to netdev@vger.kernel.org if you've not already done so. Thanks