Hi,
I wrote that I observed that Linux 2.2.2-ac7 TCP connection setups
ignored ICMP Host Unreachable packets. And that Linux 2.0.36 honoured
the ICMP Host Unreachables by returning immediately with an error
(EHOSTUNREACH from connect() ).
The truth is a bit more complicated: 2.2.2-ac7 *does* honour ICMP HU's from
some machines and *ignores* them from other machines. This in itself
is interesting. Even more complicated: 2.2.2-ac7 *sometimes* honours
ICMP HU's from a machine that it normaly ignores.
Disclaimer: I didn't do any extensive testing with other machines or
kernels than the ones below. But I found reproduceable
test-cases.
Linux 2.0.36 has the "correct & preferred" behaviour IMO.
Claims were made that according the RFCs ICMP Host Unreachable should
be ignored and that 2.2.x does this correctly. I think that honouring
ICMP HU's during TCP's *connection setup* is NOT violating RFC-1122:
It can be interpreted that ICMP HU's should only be ignored for
*established* TCP connections. I didn't look yet for explicit
indications that ICMP HU's should be honoured during connection setup.
Anyway, I've collected some data for people interested.
Note that "Case 2" is the "strange" one. The other ones appear OK to me.
Andi Kleen asked about IcmpInErrors (/proc/net/snmp) and OutOfWindowIcmps
(/proc/net/netstat) behaviour. One could indeed think about corrupted
ICMP packets to explain the behaviour. But both IcmpInErrors and
OutOfWindowIcmps (on 2.2.2-ac7) did NOT change during any of the Cases
below.
Greetings,
Rob van Nieuwkerk
verdi (Linux 2.2.2-ac7, Red Hat 5.2, Pentium 133):
**************************************************
Case 1: The normal "quit when Host Unreachable received on TCP SYN packet":
----------------------------------------------------------------------------
verdi /home/robn 119 % telnet 130.161.38.136
Trying 130.161.38.136...
telnet: Unable to connect to remote host: No route to host
21:44:32.249443 verdi.et.tudelft.nl.1995 > 130.161.38.136.telnet: S
73312749:73312749(0) win 32696 <mss 536,sackOK,timestamp 3552397[|tcp]> (DF) [tos
0x10] (ttl 64, id 41813)
21:44:32.366542 wormhole.et.tudelft.nl > verdi.et.tudelft.nl: icmp: host
130.161.38.136 unreachable [tos 0xd0] (ttl 63, id 39975)
Case 2: The new "ignore Host Unreachable received on TCP SYN packet":
----------------------------------------------------------------------
verdi /home/robn 131 % telnet 207.90.112.142
Trying 207.90.112.142...
.
.
<wait for time-out>
21:47:20.265547 verdi.et.tudelft.nl.2006 > dlp1161.dayton.eri.net.telnet: S
251643116:251643116(0) win 32696 <mss 536,sackOK,timestamp 3569198[|tcp]> (DF) [tos
0x10] (ttl 64, id 41980)
21:47:20.479262 dayusr19.eri.net > verdi.et.tudelft.nl: icmp: host
dlp1161.dayton.eri.net unreachable (ttl 241, id 21833)
mozart (Linux 2.0.36, Red Hat 5.2, Pentium MMX 133):
****************************************************
Case 3: The normal "quit when Host Unreachable received on TCP SYN packet":
----------------------------------------------------------------------------
mozart /home/robn 25 % telnet 130.161.38.136
Trying 130.161.38.136...
telnet: Unable to connect to remote host: No route to host
21:58:35.595758 mozart.et.tudelft.nl.1098 > 130.161.38.136.telnet: S
4214243475:4214243475(0) win 512 <mss 536> [tos 0x10] (ttl 64, id 1052)
21:58:35.720455 wormhole.et.tudelft.nl > mozart.et.tudelft.nl: icmp: host
130.161.38.136 unreachable [tos 0xd0] (ttl 63, id 40006)
Case 4: The normal "quit when Host Unreachable received on TCP SYN packet":
-----------------------------------------------------------------------------
mozart /home/robn 18 % telnet 207.90.112.143
Trying 207.90.112.143...
telnet: Unable to connect to remote host: No route to host
21:53:53.714043 mozart.et.tudelft.nl.1090 > dlp1162.dayton.eri.net.telnet: S
32318299:32318299(0) win 512 <mss 536> [tos 0x10] (ttl 64, id 979)
21:53:53.929240 dayusr19.eri.net > mozart.et.tudelft.nl: icmp: host
dlp1162.dayton.eri.net unreachable (ttl 241, id 22436)
Remark 1: the 130.161.38.136 address is not used at the moment on our
network. To make the router send the ICMP Host Unreachable
you'll sometimes have to wait a little bit the first time
because it needs to give up on ARPing 130.161.38.136 first !
Remark 2: I guess these *.eri.net guys are ISP with dial-up links.
Sometimes you have to try some IP numbers in their range
(207.90.112.* ?) to find an unused one which makes the
router generate the ICMP Host Unreachable. If it's in use
you'll probably get a RST packet which results in the
completely different "Connection refused" !
I don't now *.eri.net other than from severe port-scanning
activities to a friends machine. Investigating the probing
machine / IP-number made me notice the "strange" different
Linux 2.2.2 behavour !
Remark 3: The only apparent difference between the ICMP packets in
Case 1/3 and 2/4 as seen with tcpdump is that 1/3 has the
TOS bits set to 0xd0. Haven't checked the code but I doubt
that that would explain the difference.
Remark 4: The <wait for time-out> can be interrupted when an unused
dial-up IP-number becomes used during the waiting and a
sent SYN results results in a RST packet !
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
