traceroute issue

Hi experts,

I met an issue regarding traceroute.

When I set a default route, I can trace all paths.

[root@localhost ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.44.2    0.0.0.0         UG    0      0        0 eno16777736
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eno16777736
192.168.44.0    0.0.0.0         255.255.255.0   U     0      0        0 eno16777736

[root@localhost ~]# traceroute -I 172.25.252.129
traceroute to 172.25.252.129 (172.25.252.129), 30 hops max, 60 byte packets
 1  192.168.44.2 (192.168.44.2)  0.089 ms  0.057 ms  0.045 ms
 2  172.27.226.254 (172.27.226.254)  36.412 ms  36.620 ms  36.645 ms
 3  172.25.252.129 (172.25.252.129)  24.081 ms  24.685 ms  24.663 ms

If I do not set a default route but use static routes, I cannot trace all paths.

[root@localhost ~]# route -n 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eno16777736
172.25.252.129  192.168.44.2    255.255.255.255 UGH   0      0        0 eno16777736
192.168.44.0    0.0.0.0         255.255.255.0   U     0      0        0 eno16777736

[root@localhost ~]# traceroute -I 172.25.252.129
traceroute to 172.25.252.129 (172.25.252.129), 30 hops max, 60 byte packets
 1  192.168.44.2 (192.168.44.2)  0.185 ms  0.221 ms  0.074 ms
 2  * * *    <-------------------
 3  172.25.252.129 (172.25.252.129)  5.753 ms  13.348 ms  13.770 ms

When I add a static route for the next hop (172.27.226.254), all is OK, but I cannot add all next hops...

[root@localhost ~]# route -n 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eno16777736
172.25.252.129  192.168.44.2    255.255.255.255 UGH   0      0        0 eno16777736
172.27.226.254  192.168.44.2    255.255.255.255 UGH   0      0        0 eno16777736    <-------------------
192.168.44.0    0.0.0.0         255.255.255.0   U     0      0        0 eno16777736

[root@localhost ~]# traceroute -I 172.25.252.129
traceroute to 172.25.252.129 (172.25.252.129), 30 hops max, 60 byte packets
 1  192.168.44.2 (192.168.44.2)  0.143 ms  0.102 ms  0.065 ms
 2  172.27.226.254 (172.27.226.254)  7.625 ms  8.337 ms  8.306 ms                 <-------------------
 3  172.25.252.129 (172.25.252.129)  8.275 ms  8.258 ms  8.228 ms

Then, if I have multiple networks and can only set one default route, I must use static routes for the other networks, but I cannot trace all paths on these networks unless I add all next hops. How can I resolve this issue? Are there any alternative ways?

Responses

I suspect you have Strict Reverse Path Filtering enabled (the default setting) so the ICMP responses from the middle routers are discarded.

This is explained further at Why does Red Hat Enterprise Linux 6 and above invalidate / discard packets when the route for outbound traffic differs from the route of incoming traffic?

However, that page suggests setting Loose RPF, which still requires a route on an interface. If you don't have any route for the middle routers, their response would still be discarded, so the solution would be to disable RPF altogether with rp_filter = 0.

Dear Jamie,

Thanks for your reply.

Your answer resolved my issue.

I would like to confirm whether it is safe to disable RPF. Are there any issues when RPF is disabled?

As you can see, Reverse Path Filtering controls whether the system accepts incoming packets depending on if there is a route back to the source or not.

Strict RPF requires the outgoing route to be on the incoming interface, Loose RPF requires the outgoing route to simply exist (including the default route), and disabling RPF accepts incoming packets regardless of whether there's a route back to the source or not.

It's up to you to decide whether that's safe or not, depending on your system's environment and your organization's security policy.
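The three modes described in this thread, applied to the routing tables posted above. This is an added example, not part of the original posts: a simplified model of the reverse-path check, not the kernel's own code. The helper names (`lookup`, `rp_filter_accepts`, `verdicts`) are hypothetical; the mode numbers are the `rp_filter` sysctl values.

```python
import ipaddress

# Routing tables copied from the thread: (destination, genmask, interface)
IFACE = "eno16777736"
WITH_DEFAULT = [
    ("0.0.0.0", "0.0.0.0", IFACE),
    ("169.254.0.0", "255.255.0.0", IFACE),
    ("192.168.44.0", "255.255.255.0", IFACE),
]
STATIC_ONLY = [
    ("169.254.0.0", "255.255.0.0", IFACE),
    ("172.25.252.129", "255.255.255.255", IFACE),
    ("192.168.44.0", "255.255.255.0", IFACE),
]

def lookup(table, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for dest, mask, iface in table:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def rp_filter_accepts(table, src, in_iface, mode):
    """mode: 0 = RPF disabled, 1 = strict, 2 = loose."""
    if mode == 0:
        return True                    # no source validation at all
    out_iface = lookup(table, src)     # route back to the packet's source
    if out_iface is None:
        return False                   # no route at all: strict and loose both drop
    return mode == 2 or out_iface == in_iface

def verdicts(table, src, in_iface=IFACE):
    """Accept/drop decision for each mode, keyed by rp_filter value."""
    return {m: rp_filter_accepts(table, src, in_iface, m) for m in (1, 2, 0)}

if __name__ == "__main__":
    hop2 = "172.27.226.254"  # the middle router that showed "* * *"
    for name, table in (("default route", WITH_DEFAULT),
                        ("static routes only", STATIC_ONLY)):
        print(name, verdicts(table, hop2))
```

With only the static host routes, the ICMP reply from 172.27.226.254 has no route back under either strict or loose mode, which is why only `rp_filter = 0` (or an added route) makes hop 2 visible.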

Dear Jamie,

Thanks for your reply.
