On Tue, Dec 22, 2015 at 10:47:43PM +0100, Hannes Frederic Sowa wrote:
> On 22.12.2015 17:59, Huw Davies wrote:
> > I'm confused about this one. AFAICS, this will drop packets that we
> > can't process. We don't send the icmp error, but I can certainly add
> > that. Is that what you mean?
> Actually, the implementation of calipso_validate will accept the packets
> because it defaults to return true if we don't compile the module. At
> least we should drop the packet if it is not loaded. I am in favor of
> adding the parameter problem icmp error. So, yes, I think it should be
Yet the option value is 0x07, i.e. the two highest bits are both zero
which according to:
means we should just skip it.
In terms of sending an icmp on error while validating:
is pretty conservative in that case too. Most errors
should just be silently dropped.
To unsubscribe from this list: send the line "unsubscribe
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html