path: root/include
diff options
authorToke Høiland-Jørgensen <>2021-06-18 13:04:35 +0200
committerDavid S. Miller <>2021-06-18 12:13:24 -0700
commit321827477360934dc040e9d3c626bf1de6c3ab3c (patch)
treec4a753ca7406a0a509db2c420f39241b57ee6fe3 /include
parentf6396341194234e9b01cd7538bc2c6ac4501ab14 (diff)
icmp: don't send out ICMP messages with a source address of
When constructing ICMP response messages, the kernel will try to pick a suitable source address for the outgoing packet. However, if no IPv4 addresses are configured on the system at all, this will fail and we end up producing an ICMP message with a source address of This can happen on a box routing IPv4 traffic via v6 nexthops, for instance. Since is not generally routable on the internet, there's a good chance that such ICMP messages will never make it back to the sender of the original packet that the ICMP message was sent in response to. This, in turn, can create connectivity and PMTUd problems for senders. Fortunately, RFC7600 reserves a dummy address to be used as a source for ICMP messages (, so let's teach the kernel to substitute that address as a last resort if the regular source address selection procedure fails. Below is a quick example reproducing this issue with network namespaces: ip netns add ns0 ip l add type veth peer netns ns0 ip l set dev veth0 up ip a add dev veth0 ip a add fc00:dead:cafe:42::1/64 dev veth0 ip r add via inet6 fc00:dead:cafe:42::2 ip -n ns0 l set dev veth0 up ip -n ns0 a add fc00:dead:cafe:42::2/64 dev veth0 ip -n ns0 r add via inet6 fc00:dead:cafe:42::1 ip netns exec ns0 sysctl -w net.ipv4.icmp_ratelimit=0 ip netns exec ns0 sysctl -w net.ipv4.ip_forward=1 tcpdump -tpni veth0 -c 2 icmp & ping -w 1 > /dev/null tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes IP > ICMP echo request, id 29, seq 1, length 64 IP > ICMP net unreachable, length 92 2 packets captured 2 packets received by filter 0 packets dropped by kernel With this patch the above capture changes to: IP > ICMP echo request, id 31127, seq 1, length 64 IP > ICMP net unreachable, length 92 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Juliusz Chroboczek <> Reviewed-by: David Ahern <> Signed-off-by: Toke Høiland-Jørgensen <> Signed-off-by: David S. Miller <>
Diffstat (limited to 'include')
1 files changed, 3 insertions, 0 deletions
diff --git a/include/uapi/linux/in.h b/include/uapi/linux/in.h
index 7d6687618d80..d1b327036ae4 100644
--- a/include/uapi/linux/in.h
+++ b/include/uapi/linux/in.h
@@ -289,6 +289,9 @@ struct sockaddr_in {
/* Address indicating an error return. */
#define INADDR_NONE ((unsigned long int) 0xffffffff)
+/* Dummy address for src of ICMP replies if no real address is set (RFC7600). */
+#define INADDR_DUMMY ((unsigned long int) 0xc0000008)
/* Network number for local host loopback. */
#define IN_LOOPBACKNET 127