
ICMP redirects not working / not properly configured
Resolved (N/A), Public, BUG

Description

Enabling ICMP redirects through set firewall send-redirects enable does its job by setting the appropriate kernel parameter:

admin@vyos# sysctl -a | grep send_redirects
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth3.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.wg0.send_redirects = 0

However, no ICMP redirects get sent from the router.

Before having access to the LTS release, I was doing some testing with the rolling release (VyOS 1.4-rolling-202210090955) with the exact same configuration (with the version-specific config syntax, of course) and ICMP redirects worked perfectly fine.

Checking for differences between LTS and rolling release, I noticed that the kernel parameters look very different and I'm not sure if this is intentional.

With the rolling release, after set firewall send-redirects enable and commit they look like this:

net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth1.send_redirects = 1
net.ipv4.conf.eth2.send_redirects = 1
net.ipv4.conf.eth3.send_redirects = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.wg0.send_redirects = 1

Rebooting the router changes them to this:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth1.send_redirects = 1
net.ipv4.conf.eth2.send_redirects = 1
net.ipv4.conf.eth3.send_redirects = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.wg0.send_redirects = 0

Details

Difficulty level: Unknown (require assessment)
Version: 1.3.2 and 1.4
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

Just tested again with 1.3.3. When setting set firewall send-redirects enable, ICMP redirects work fine until I reboot the router.
Before rebooting:

root@vyos:~# sysctl -a | grep send_redirect
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth3.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.wg0.send_redirects = 0

After rebooting:

root@vyos:~# sysctl -a | grep send_redirect
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth3.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.wg0.send_redirects = 0

I cannot reproduce it in the current 1.3 (VyOS 1.3-stable-202308240442):

vyos@r1:~$ sudo sysctl -a | grep send_redire
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.dum0.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth3.send_redirects = 0
net.ipv4.conf.eth4.send_redirects = 0
net.ipv4.conf.eth5.send_redirects = 0
net.ipv4.conf.eth6.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 1
vyos@r1:~$ reboot now

Connection to 192.168.122.11 closed by remote host.
Connection to 192.168.122.11 closed.
$ 
$ sr11
Warning: Permanently added '192.168.122.11' (ED25519) to the list of known hosts.
Welcome to VyOS!

Check out project news at https://blog.vyos.io
and feel free to report bugs at https://vyos.dev

You can change this banner using "set system login banner post-login" command.

VyOS is a free software distribution that includes multiple components,
you can check individual component licenses under /usr/share/doc/*/copyright
Last login: Wed Aug 30 17:34:03 2023 from 192.168.122.1
vyos@r1:~$ sudo sysctl -a | grep send_redire
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.dum0.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth3.send_redirects = 0
net.ipv4.conf.eth4.send_redirects = 0
net.ipv4.conf.eth5.send_redirects = 0
net.ipv4.conf.eth6.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 1
vyos@r1:~$ show version 

Version:          VyOS 1.3-stable-202308240442
Release train:    equuleus

config:

vyos@r1:~$ show conf com | match redi
set firewall ipv6-receive-redirects 'disable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
vyos@r1:~$
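
Added example, not part of the ticket or of VyOS code: Linux sends ICMP redirects on an interface when either conf/all or conf/<iface> send_redirects is set, so the dumps in this thread are easier to compare as effective per-interface values. The function names are made up for this example; the two sample inputs are the 1.3.3 before/after-reboot outputs quoted in the thread.

```shell
#!/bin/sh
# Added example: effective send_redirects per interface (conf/all OR conf/<iface>).

effective_send_redirects() {
    # stdin:  lines such as "net.ipv4.conf.eth0.send_redirects = 1"
    # stdout: "<iface> <0|1>" per interface, sorted by name
    awk -F'[ =]+' '
        /^net\.ipv4\.conf\..+\.send_redirects/ {
            name = $1
            sub(/^net\.ipv4\.conf\./, "", name)
            sub(/\.send_redirects$/, "", name)
            if (name == "all") all = $2 + 0
            else if (name != "default") val[name] = $2 + 0  # default only seeds new interfaces
        }
        END { for (n in val) print n, ((all || val[n]) ? 1 : 0) }
    ' | sort
}

# Sample input: the 1.3.3 dumps quoted in this ticket (before / after reboot).
sample_before_reboot() {
    cat <<'EOF'
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth3.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.wg0.send_redirects = 0
EOF
}
sample_after_reboot() {
    cat <<'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth2.send_redirects = 0
net.ipv4.conf.eth3.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.wg0.send_redirects = 0
EOF
}

for s in sample_before_reboot sample_after_reboot; do
    echo "== $s"
    "$s" | effective_send_redirects
done
```

On a live router, `sysctl -a | grep send_redirects | effective_send_redirects` gives the same view; comparing it before and after a reboot shows whether the committed setting persisted.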