Sunday, October 25, 2009

Section 33.8.  Egress ICMP REDIRECT Rate Limiting




















As discussed in Chapter 25, the kernel generates ICMP REDIRECT messages when it detects suboptimal routing. These ICMP messages are handled by the routing subsystem, which rate limits them as suggested by section 4.3.2.8 of RFC 1812.


The algorithm used is a simple exponential backoff. If the destination keeps ignoring ICMP REDIRECT messages, the kernel keeps sending them, up to ip_rt_redirect_number of them, doubling the interval between consecutive messages each time. After ip_rt_redirect_number such messages have been sent, the kernel stops sending them until ip_rt_redirect_silence seconds pass during which no input packet arrives that would trigger the generation of an ICMP REDIRECT. Once ip_rt_redirect_silence seconds have passed, the kernel starts sending ICMP REDIRECT messages again, if they are needed.


The initial delay for the exponential backoff algorithm is given by ip_rt_redirect_load. All three ip_rt_redirect_xxx parameters are configurable via /proc. See Chapter 36 for the default values of those variables.


All the logic for egress REDIRECT messages is implemented in ip_rt_send_redirect, which is the routine called by the kernel when it detects the need for an ICMP REDIRECT (see Chapter 20).


Two dst_entry fields implement this feature:



rate_last


Timestamp when the last ICMP REDIRECT was sent.


rate_tokens


Number of ICMP REDIRECT messages already sent to the destination associated with this dst_entry instance. rate_tokens-1, therefore, represents the number of consecutive ICMP REDIRECT messages that the destination has ignored.
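
The backoff described in this section, as a small user-space model added here; it is not the kernel's ip_rt_send_redirect and not code from the book. The tunable values, the abstract tick time base, struct dst_model and both function names are assumptions made for the example.

```c
#include <stdio.h>

/* Constructed values in abstract ticks, not the kernel defaults. */
#define REDIRECT_LOAD    2UL    /* initial backoff delay */
#define REDIRECT_NUMBER  4U     /* redirects sent before going silent */
#define REDIRECT_SILENCE 100UL  /* quiet time that resets the backoff */

struct dst_model {              /* hypothetical stand-in for dst_entry */
    unsigned long rate_last;
    unsigned int  rate_tokens;
};

/* Called for each packet that would trigger a redirect at time `now`.
 * Returns 1 if a redirect is sent, 0 if it is suppressed. */
int redirect_allowed(struct dst_model *d, unsigned long now)
{
    /* Silence period elapsed with no triggering packet: start over. */
    if (now - d->rate_last > REDIRECT_SILENCE)
        d->rate_tokens = 0;
    /* Limit reached: stay silent. Model assumption: the timestamp is
     * refreshed here so every trigger restarts the silence period. */
    if (d->rate_tokens >= REDIRECT_NUMBER) {
        d->rate_last = now;
        return 0;
    }
    /* First redirect goes out at once; later ones wait load, 2*load, ... */
    if (d->rate_tokens == 0 ||
        now - d->rate_last >= (REDIRECT_LOAD << (d->rate_tokens - 1))) {
        d->rate_last = now;
        d->rate_tokens++;
        return 1;
    }
    return 0;
}

/* Feed one triggering packet per tick in [from, to); count redirects sent. */
unsigned int simulate(struct dst_model *d, unsigned long from, unsigned long to)
{
    unsigned int sent = 0;
    for (unsigned long t = from; t < to; t++)
        sent += (unsigned int)redirect_allowed(d, t);
    return sent;
}

int main(void)
{
    struct dst_model d = {0, 0};
    printf("redirects sent in 50 ticks: %u\n", simulate(&d, 0, 50));
    return 0;
}
```

With one triggering packet per tick, the model sends redirects at ticks 0, 2, 6 and 14, then stays silent until a gap longer than REDIRECT_SILENCE separates two triggering packets.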











