Director not sending icmp unreachable to expired clients

Janusz Krzysztofik jkrzyszt at tis.icnet.pl
Wed Jan 24 14:07:12 GMT 2007


Janusz Krzysztofik wrote:
> ... Now I am going to try some logic used by
> netfilter tcp_reset to originate the icmp packet from VIP.
> I will let you know if this helps.

After investigating several possibilities, I have finally applied a small 
patch to ip_route_output_slow() that allows VIP-less director to 
generate packets originating from VIP if sysctl_ip_nonlocal_bind is set 
(attached, for those who may be interested, comments are welcome).
However, as there is no logic inside ip_vs_in() for responding with icmp 
errors to at least the first packet after a connection has expired (I 
still do not know if this is intentional or not), to get it working as 
expected I have to set up my iptables marking in such a way that packets 
for expired connections are passed through ip_vs_in() untouched and icmp 
errors are now returned by udp_rcv() in my case, I guess.
Furthermore, I have also tried with ip_vs_in() moved before the input filter 
hook (I can still filter ipvs related packets on output, what do you 
think?) and iptables input filter rules rejecting ipvs related packets 
that have passed through ip_vs_in() - works as well.

Unfortunately, all these do not help my ipsec clients. Icmp port 
unreachable messages do not provoke them to invalidate current ipsec 
connections and start rekeying. But this is a different problem, of course.

Joe, Julian, thanks again for your hints.

Cheers,
Janusz

P.S. I can provide more info on my setup if it can be interesting for 
anyone.

