netfilter-devel.vger.kernel.org archive mirror
From: "Israel G. Lugo" <israel.lugo@lugosys.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: conntrack: ICMP type 3 code 3 responses should break TCP connections
Date: Thu, 15 Sep 2011 23:09:07 +0100
Message-ID: <4E727783.8090904@lugosys.com>
In-Reply-To: <alpine.DEB.2.00.1109131327230.502@blackhole.kfki.hu>

Hi,

On 09/13/2011 12:49 PM, Jozsef Kadlecsik wrote:
> Yes, at present ICMP(v6) error codes do not terminate TCP connections in 
> conntrack. The problem with acting at receiving ICMP error codes is that 
> it's easier to fake an ICMP error packet than a TCP RST one, because the 
> latter must be acceptable according to the receiver's window too.
>

I hadn't thought of that; you are correct of course. It might be a bad
idea to enable this for all cases, out of the box. Still, I think it
would be good for the option to be available. It could be disabled by
default, as you suggested, with a new switch --match state
--honor-icmp-errors or something.

I believe this would also make sense for UDP state tracking (perhaps
even more so than for TCP, since UDP has no receive window). I don't
have the data in front of me now, but I'm pretty sure I saw UDP sessions
in UNREPLIED state on my router, although the host had replied with an
ICMP type 3, code 3. Of course, the UDP timer is usually quite short,
but it wouldn't hurt to have the _option_ to honor ICMP errors, as
stated above.

Best regards,
Israel G. Lugo
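The caveat in Jozsef's reply (an ICMP error is easier to forge than a RST, which must fall inside the receiver's window) and Israel's wish to honour ICMP type 3 code 3 for UDP as well as TCP both come down to one question: what should a tracker verify before an ICMP error is allowed to tear down a flow? The following is an added, stand-alone example written for this page; it is not netfilter or conntrack code, and the `--honor-icmp-errors` switch discussed above is a proposal in the thread, not an existing option. It parses an ICMPv4 Destination Unreachable message, requires the quoted datagram to match an existing flow's original direction, requires a port-unreachable to come from the flow's responder (only the destination host generates code 3), and for TCP applies the same kind of window check a RST gets, as RFC 5927 recommends. The flow table, addresses, window values and every packet are constructed inline.

```python
"""Validate an ICMPv4 Destination Unreachable error against a flow table.

Added, stand-alone example; not netfilter/conntrack code.  A tracker that
honours ICMP errors should require that the quoted datagram matches a flow
it already tracks, that a port-unreachable comes from the flow's responder,
and, for TCP, that the quoted sequence number lies inside the window the
tracker has seen (RFC 5927).  Everything below is constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3            # code 3: emitted by the destination host itself
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


@dataclass
class Flow:
    proto: int
    src: str          # original direction: initiator -> responder
    sport: int
    dst: str
    dport: int
    state: str        # "ESTABLISHED" or "UNREPLIED", in conntrack's terms
    snd_una: int = 0  # TCP only: oldest unacknowledged sequence number seen
    snd_wnd: int = 0  # TCP only: window the responder advertised


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal IPv4 header; checksum left zero and not verified here."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, s, d)


def icmp_error(from_host: str, to_host: str, code: int,
               inner_ip: bytes, inner_l4_first8: bytes) -> bytes:
    """ICMP type 3 message quoting the inner IP header plus 8 bytes of L4."""
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + inner_ip + inner_l4_first8
    return ipv4_header(from_host, to_host, IPPROTO_ICMP, 20 + len(icmp)) + icmp


def parse_icmp_error(pkt: bytes):
    """Return (outer_src, code, inner_src, inner_dst, inner_proto, l4[:8]) or None."""
    ihl = (pkt[0] & 0x0F) * 4
    outer_src = ".".join(str(b) for b in pkt[12:16])
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 8:
        return None
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    return outer_src, icmp[1], src, dst, inner[9], inner[inner_ihl:inner_ihl + 8]


def flow_closed_by(pkt: bytes, table: List[Flow]) -> Optional[Flow]:
    """Return the flow this ICMP error may legitimately close, else None.

    A forged error that fails any check is ignored rather than tearing
    down state: wrong code, unknown 4-tuple, wrong sender, or (TCP) a
    quoted sequence number outside [snd_una, snd_una + snd_wnd).
    """
    parsed = parse_icmp_error(pkt)
    if parsed is None:
        return None
    outer_src, code, isrc, idst, proto, l4 = parsed
    if code != ICMP_PORT_UNREACH:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    for f in table:
        if (f.proto, f.src, f.sport, f.dst, f.dport) != (proto, isrc, sport, idst, dport):
            continue
        if outer_src != f.dst:
            return None           # not from the host the flow talks to: spoofed
        if proto == IPPROTO_TCP:
            seq = struct.unpack("!I", l4[4:8])[0]
            if not (f.snd_una <= seq < f.snd_una + f.snd_wnd):
                return None       # quoted seq outside the window: spoofed
        return f
    return None


# Constructed flow table standing in for conntrack entries.
FLOWS = [
    Flow(IPPROTO_TCP, "10.0.0.1", 40000, "10.0.0.2", 80, "ESTABLISHED", snd_una=1000, snd_wnd=65535),
    Flow(IPPROTO_UDP, "10.0.0.1", 50000, "10.0.0.2", 53, "UNREPLIED"),
]


def demo() -> dict:
    """Run the cases the thread is about; map each to the state it would close."""
    udp_q = lambda sp, dp: struct.pack("!HHHH", sp, dp, 8, 0)       # UDP header
    tcp_q = lambda sp, dp, seq: struct.pack("!HHI", sp, dp, seq)    # first 8 TCP bytes
    inner_udp = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_UDP, 28)
    inner_tcp = ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_TCP, 40)
    cases = {
        "udp_from_responder": icmp_error("10.0.0.2", "10.0.0.1", 3, inner_udp, udp_q(50000, 53)),
        "udp_from_third_party": icmp_error("192.0.2.9", "10.0.0.1", 3, inner_udp, udp_q(50000, 53)),
        "tcp_seq_in_window": icmp_error("10.0.0.2", "10.0.0.1", 3, inner_tcp, tcp_q(40000, 80, 1500)),
        "tcp_seq_out_of_window": icmp_error("10.0.0.2", "10.0.0.1", 3, inner_tcp, tcp_q(40000, 80, 5000000)),
        "unknown_tuple": icmp_error("10.0.0.2", "10.0.0.1", 3, inner_udp, udp_q(50001, 53)),
    }
    results = {}
    for name, pkt in cases.items():
        f = flow_closed_by(pkt, FLOWS)
        results[name] = f.state if f else None
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result or 'ignored'}")
```

The sender check is deliberately limited to code 3: other Destination Unreachable codes (network or host unreachable, fragmentation needed) are legitimately generated by intermediate routers, so a tracker honouring those would have to rely on the quoted tuple and window alone, which is exactly why the thread suggests leaving the behaviour off by default.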

Thread overview: 3+ messages
2011-09-12 20:13 conntrack: ICMP type 3 code 3 responses should break TCP connections Israel G. Lugo
2011-09-13 11:49 ` Jozsef Kadlecsik
2011-09-15 22:09   ` Israel G. Lugo [this message]