While trying to debug a networking problem, I ran into an unexpected
behaviour: when the kernel receives an ICMP port unreach error, it
keeps trying the connection until it times out (but still says
"connection refused" as an error).
On VM test1 I have this in /etc/pf.conf:
block return-rst proto tcp from any to any port 10001
block return-icmp proto tcp from any to any port 10002
block drop proto tcp from any to any port 10003
Now from another VM I try to connect to these ports:
[weerd@test2] $ time telnet test1 10001
Trying 192.168.34.157...
telnet: connect to address 192.168.34.157: Connection refused
Trying 2a02:long_v6_address...
telnet: connect to address 2a02:long_v6_address: Connection refused
0m00.01s real 0m00.00s user 0m00.00s system
[weerd@test2] $ time telnet test1 10002
Trying 192.168.34.157...
telnet: connect to address 192.168.34.157: Connection refused
Trying 2a02:long_v6_address...
telnet: connect to address 2a02:long_v6_address: Connection refused
4m58.13s real 0m00.00s user 0m00.00s system
[weerd@test2] $ time telnet test1 10003
Trying 192.168.34.157...
telnet: connect to address 192.168.34.157: Operation timed out
Trying 2a02:long_v6_address...
telnet: connect to address 2a02:long_v6_address: Operation timed out
4m57.44s real 0m00.00s user 0m00.00s system
When the connection is refused with TCP RST ('block return-rst'), it
is immediately closed, but with ICMP port unreachable ('block
return-icmp'), the connection is attempted 4 times and eventually
times out. However, the error given is not 'Operation timed out' (what
you get when trying port 10003) but 'Connection refused'.
If I tcpdump the traffic on the VM, I see 1 SYN + 1 RST (per AF) in
the 10001 case, 4 SYNs + 4 ICMP port unreachable errors in the 10002
case and 4 SYNs in the 10003 case.
Why is the ICMP port unreachable error not treated like the TCP Reset
situation? Why are four connection attempts made in this case? The
error message makes sense, but the timeout doesn't.
Note that I first spotted this behaviour while trying to SSH to a
Linux machine that sends ICMP port unreachable errors from its
iptables firewall; I've seen it on various types of machine, and
tested two "different" architectures (amd64 and i386).
Cheers,
Paul 'WEiRD' de Weerd
--
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
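An added example, not part of the post above: a small Python probe that reproduces the three measurements with connect() instead of telnet, recording the errno and the elapsed time, and a classifier that maps each outcome back onto the pf action that produced it. The one-second threshold and the 330-second cap are constructed assumptions; the classification mirrors what the post observed on OpenBSD, so on a kernel that treats the ICMP error as a hard error the return-icmp case will look like the return-rst one.

```python
import errno
import socket
import time

# Constructed threshold (an assumption for this example): a refusal that
# arrives well under a second came straight from a TCP RST. In the post the
# return-icmp and drop cases only failed after roughly five minutes.
FAST_REFUSAL = 1.0

# errno values the three pf actions surface on the client, named here so a
# caller need not import errno itself.
REFUSED, TIMED_OUT = errno.ECONNREFUSED, errno.ETIMEDOUT


def probe(host, port, timeout=330.0):
    """Attempt one TCP connect(); return (errno or 0, seconds elapsed).

    The timeout is only an application-level cap, assumed to be longer than
    the kernel's own SYN retransmit budget so the kernel's verdict is seen.
    """
    af, kind, proto, _, sockaddr = socket.getaddrinfo(
        host, port, 0, socket.SOCK_STREAM)[0]
    sock = socket.socket(af, kind, proto)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect(sockaddr)
        return 0, time.monotonic() - start
    except socket.timeout:
        return TIMED_OUT, time.monotonic() - start
    except OSError as exc:
        return exc.errno, time.monotonic() - start
    finally:
        sock.close()


def classify(err, elapsed):
    """Map a connect() outcome onto the pf block action that produced it."""
    if err == 0:
        return "open"
    if err == REFUSED and elapsed < FAST_REFUSAL:
        return "block return-rst: one SYN, one RST, refused at once"
    if err == REFUSED:
        return "block return-icmp: SYNs retransmitted, refused only after the retries"
    if err == TIMED_OUT:
        return "block drop: SYNs unanswered, connect() timed out"
    return "other: " + errno.errorcode.get(err, str(err))


if __name__ == "__main__":
    import sys
    err, secs = probe(sys.argv[1], int(sys.argv[2]))
    print("%-20s %7.2fs  %s" % (sys.argv[1], secs, classify(err, secs)))
```

Run it as `python3 probe.py test1 10002` against each of the three ports to get the same table the telnet runs above produced, with the errno made explicit.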