On 24.05.2011 01:16, JP Abgrall wrote:
> Before I go bug the kernel people, I'd like to know if this seems
> reasonable from a netfilter perspective.
>
> From e8b45cfd66ccc1be0bc406fc9662f0f1e7a94283 Mon Sep 17 00:00:00 2001
> From: JP Abgrall <jpa@xxxxxxxxxx>
> Date: Thu, 19 May 2011 19:30:02 -0700
> Subject: [PATCH] netfilter: have ip*t REJECT set the sock err when an
>  icmp is to be sent
>
> Allow the REJECT --reject-with icmp*blabla to also set the matching error
> locally on the socket affected by the reject.
> This allows the process to see an error as if it received it via ICMP.
> It avoids the local process whose packet is rejected having to wait
> for a pseudo-eternity until some timeout kicks in.

The interpretation and handling of the ICMP errors is up to the higher
layer protocols. So doing this in the REJECT target is not a good idea.

Unless there's something wrong in your setup, the ICMP message should be
received by the socket anyways.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
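The point made in the reply, that the transport layer already hands the ICMP error to the affected socket, shown with an added example that is not part of this thread: on Linux, a connected UDP socket that sends to a closed loopback port gets the resulting ICMP port-unreachable reported as ECONNREFUSED on its next receive, without any help from the REJECT target. The helper and function names are this example's own.

```c
/* Added example, not from the thread: demonstrate that a connected UDP
 * socket on Linux sees an ICMP port-unreachable as ECONNREFUSED. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Pick a UDP port on loopback that nothing listens on: bind to port 0,
 * read back the kernel-chosen port, then release it (tiny reuse race). */
static int unused_udp_port(void) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in a = {0};
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t len = sizeof a;
    int port = -1;
    if (bind(fd, (struct sockaddr *)&a, sizeof a) == 0 &&
        getsockname(fd, (struct sockaddr *)&a, &len) == 0)
        port = ntohs(a.sin_port);
    close(fd);
    return port;
}

/* Send one datagram to the closed port and return the errno the socket
 * reports afterwards (0 if none surfaced, -1 on setup failure). */
int closed_port_socket_error(void) {
    int port = unused_udp_port();
    if (port < 0) return -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in dst = {0};
    dst.sin_family = AF_INET;
    dst.sin_port = htons((uint16_t)port);
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    /* connect() is what lets UDP attribute the ICMP error to this socket */
    if (connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) { close(fd); return -1; }
    struct timeval tv = {1, 0};  /* don't block forever if no ICMP arrives */
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (send(fd, "x", 1, 0) < 0) { int e = errno; close(fd); return e; }
    char buf[16];
    int err = 0;
    if (recv(fd, buf, sizeof buf, 0) < 0) err = errno;  /* ECONNREFUSED */
    close(fd);
    return err;
}
```

Run as root or unprivileged alike; the error shows up on the next recv() (or send()) without waiting for any application timeout.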