On Tue, May 24, 2011 at 00:01, Patrick McHardy <kaber@xxxxxxxxx> wrote:
> The interpretation and handling of the ICMP errors is up to the higher
> layer protocols.

This is only for DEST_UNREACH, and I was expecting that the convert table/func was the way to deal with it. But apparently not. How about e.g. "--reject-with-forced-socket-error-matching-icmp --reject-with icmp*blabla"?

> Unless there's something wrong in your setup, the ICMP message should
> be received by the socket anyways.

My understanding was that it won't happen if an ingress packet gets rejected. In that case the icmp is only sent back out, as it uses icmp*_send(). I'll see if it is not too hard to have icmp*_send(...., direction), and call it for each direction.

For now, I'll keep my reject change (after fixing the arg in the v6 convert call) as it does allow user space to not wait for incoming data after that.