[EMAIL PROTECTED] wrote:
> I wrote this comment, by the way. 8) Look at it and surrounding code
> more carefully. In established state all ICMP errors are transient,
> because tcp connection would never reach established state, if they
> were not transient.
Your point isn't relevant to the firewall. I can *already* send RSTs by
simply not binding a socket to the port. All I want is a different way
to accomplish this: at the packet firewall layer.
This doesn't have anything to do with response to received ICMPs.
(a => b) does not imply (~a => ~b).
But since you bring it up, RFC 1122 "Requirements for Internet Hosts"
has something to say:
3.2.2.1 Destination Unreachable: RFC-792
[...]
A Destination Unreachable message that is received MUST be
reported to the transport layer. The transport layer SHOULD
use the information appropriately; for example, see Sections
4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
that has its own mechanism for notifying the sender that a
port is unreachable (e.g., TCP, which sends RST segments)
>>>>>> MUST nevertheless accept an ICMP Port Unreachable for the
>>>>>> same purpose.
A Destination Unreachable message that is received with code
0 (Net), 1 (Host), or 5 (Bad Source Route) may result from a
routing transient and MUST therefore be interpreted as only
a hint, not proof, that the specified destination is
unreachable [IP:11]. For example, it MUST NOT be used as
proof of a dead gateway (see Section 3.3.1).
4.2.3.9 ICMP Messages
TCP MUST act on an ICMP error message passed up from the IP
layer, directing it to the connection that created the
error. The necessary demultiplexing information can be
found in the IP header contained within the ICMP message.
[...]
o Destination Unreachable -- codes 0, 1, 5
Since these Unreachable messages indicate soft error
conditions, TCP MUST NOT abort the connection, and it
SHOULD make the information available to the
application.
DISCUSSION:
TCP could report the soft error condition directly
to the application layer with an upcall to the
ERROR_REPORT routine, or it could merely note the
message and report it to the application only when
and if the TCP connection times out.
o Destination Unreachable -- codes 2-4
>>>>>> These are hard error conditions, so TCP SHOULD abort
>>>>>> the connection.
enjoy,
-- Jamie
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
