From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jan Engelhardt <jengelh@medozas.de>
Cc: Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>, wintre <mikeacar@gmail.com>,
Patrick McHardy <kaber@trash.net>
Subject: Re: DROP still returns -EPERM to userspace in OUTPUT chain
Date: Sat, 23 May 2009 17:02:35 +0200 [thread overview]
Message-ID: <4A18100B.1080803@netfilter.org> (raw)
In-Reply-To: <alpine.LSU.2.00.0905231517400.4949@fbirervta.pbzchgretzou.qr>
Jan Engelhardt wrote:
> On Saturday 2009-05-23 13:43, Pablo Neira Ayuso wrote:
>>>> Returning
>>>> -EPERM seems to me quite sane to note that the kernel is explicit (via
>>>> iptables, for example) not allowing permission to send().
>>> Yeah but DROP is perceived by users to be "silently ignore it",
>>> while the "you don't have permission" is REJECT's job.
>> But the DROP and REJECT behaviours refer to the packet logic, ie. with
>> DROP nothing is done, with REJECT we send some explicit packet (like an
>> ICMP administratively prohibited). That still applies to user-space.
>
> -EPERM is an "administrative prohibited" for userspace, just like a
> returned ICMP packet. Here, functions overlap.
Indeed, I forgot about that case.
>> Reporting -EPERM seems to me a good practise to report user-space
>> applications that the kernel is explicit dropping the packet. Otherwise,
>> while diagnosing problems, people cannot be sure where the packet has
>> been lost.
>
> Then again, people might be using -m limit -j DROP to simulate actual
> packet loss, for whatever scientific interests they currently have.
For scientific purposes, like packet omission emulation, better to use
netem [1].
> So just wanting to know - are people supposed to use xt_STEAL instead
> if they really want it silently dropped?
Well, I still would like to know any application that can benefit from
this, apart from broken applications.
[1] http://www.linuxfoundation.org/en/Net:Netem
--
"Los honestos son inadaptados sociales" -- Les Luthiers
next prev parent reply other threads:[~2009-05-23 15:02 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-22 9:44 DROP still returns -EPERM to userspace in OUTPUT chain Jan Engelhardt
2009-05-23 10:47 ` Pablo Neira Ayuso
2009-05-23 11:11 ` Jan Engelhardt
2009-05-23 11:43 ` Pablo Neira Ayuso
2009-05-23 13:20 ` Jan Engelhardt
2009-05-23 15:02 ` Pablo Neira Ayuso [this message]
2009-05-25 14:56 ` Patrick McHardy
2009-06-07 4:22 ` Mike Acar
2009-06-08 13:56 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A18100B.1080803@netfilter.org \
--to=pablo@netfilter.org \
--cc=jengelh@medozas.de \
--cc=kaber@trash.net \
--cc=mikeacar@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.