In a message of 13 August 2013 16:25:14 you wrote:
> The patch does not make sense to me - if user sets 'gw' attribute, BIRD should set immediate nexthop of the route, not setup a route with a recursive nexthop - that would be inconsistent, because reading of 'gw' attribute returns the immediate nexthop and not the recursive nexthop of a route.
Thanks, now I understand why. At least I tried to fix the problem by myself.
> The attached patch should do that (essentially just lookup iface, fix it and force the route to RTD_ROUTER in case of setting 'gw'). Is this OK for you?
Yes, thanks. The patch works as expected.
> Thanks for the thorough explanation. I am surprised that route to a Linux dummy interface works like that, I always thought that dummy interface would behave more like an ethernet with nothing connected on it than like a loopback (therefore you would get ICMP Destination unreachable instead of TTL exceeded), but I didn't test that.
Sorry, I didn't mean to confuse you; really, a dummy interface is more like an ethernet interface with nothing attached to it: nothing is looped back from it (nothing is received, actually). Anything sent to a dummy interface is simply discarded, as with a blackhole route, but no neighbor resolution (ARP, NDP) is done on it, and general routing rules apply to it like to any other network interface, which makes it different from a blackhole route. But the network stack generates ICMP TTL Exceeded when it receives a datagram destined to a subnet configured on a dummy interface but can't forward it to the dummy interface because the TTL is 1, and thus generates ICMP TTL Exceeded. Using a dummy interface for blackholing seems a simple and elegant solution :-).
> And why not just use RTD_UNREACHABLE or RTD_PROHIBIT? Both would return some ICMP message.
Well, this could be a solution for just terminating address space, where packets for all currently unused addresses are directed to a common (summary) route that generates ICMP. However, due to ICMP rate limiting in the kernel for certain ICMP types, that might introduce unwanted losses when sending to these routes. But not under DDoS, where we prefer not to answer in any way (even the kernel network stack rate-limits ICMP Dest Unreach and ICMP Admin Prohibited messages).
--
SP5474-RIPE Sergey Popovich
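As an added illustration of the two approaches compared in this thread (constructed example, not configuration from the thread or from the BIRD project), a BIRD 1.x static protocol fragment using documentation prefixes: the first route is blackholed by pointing it at the address of a Linux dummy interface, the others use the kernel's unreachable/prohibit destinations, which answer with ICMP and are therefore subject to the kernel's ICMP rate limiting. It assumes a dummy interface `dummy0` configured with 192.0.2.1/30 on the router.

```conf
# Added example; addresses are constructed from documentation ranges.
# Assumes a Linux dummy interface "dummy0" carrying 192.0.2.1/30, so that
# 192.0.2.1 is a directly reachable next hop whose traffic is silently dropped.
protocol static blackhole_via_dummy {
    # Summary route for address space under attack: packets are forwarded to
    # dummy0 and discarded there; this host does not answer them (apart from
    # TTL Exceeded when the TTL expires here, as described above).
    route 198.51.100.0/24 via 192.0.2.1;
}

protocol static terminate_unused {
    # Unused address space: answer with ICMP so that senders learn quickly.
    # Both reply types are rate-limited by the kernel, so under flooding
    # some senders will see no reply at all.
    route 203.0.113.0/25 unreachable;    # ICMP destination unreachable
    route 203.0.113.128/25 prohibit;     # ICMP administratively prohibited
}
```

Check the result on the router with `ip route show` to confirm that the first prefix is installed via dummy0 and the others as `unreachable`/`prohibit` routes.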