Re: conntrack: ICMP type 3 code 3 responses should break TCP connections

Hi,

On 09/13/2011 12:49 PM, Jozsef Kadlecsik wrote:
> Yes, at present ICMP(v6) error codes do not terminate TCP connections in 
> conntrack. The problem with acting at receiving ICMP error codes is that 
> it's easier to fake an ICMP error packet than a TCP RST one, because the 
> latter must be acceptable according to the receiver's window too.
>

I hadn't thought of that; you are correct of course. It might be a bad
idea to enable this for all cases, out of the box. Still, I think it
would be good for the option to be available. It could be disabled by
default, as you suggested, with a new switch --match state
--honor-icmp-errors or something.

I believe this would also make sense for UDP state tracking (perhaps
even more so than for TCP, since UDP has no receive window). I don't
have the data in front of me now, but I'm pretty sure I saw UDP sessions
in UNREPLIED state on my router, although the host had replied with an
ICMP type 3, code 3. Of course, the UDP timer is usually quite short,
but it wouldn't hurt to have the _option_ to honor ICMP errors, as
stated above.

Best regards,
Israel G. Lugo
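The asymmetry Jozsef points out above, as an added example that is not part of this thread or of netfilter's code: a toy connection tracker accepts a TCP RST only when its sequence number falls inside the window it has seen for that direction, while an ICMP type 3 code 3 error is matched purely on the 5-tuple recovered from the inner header the ICMP body carries. The `honor_icmp_errors` switch is the hypothetical option discussed in the mail, the `Conntrack` class and the window bookkeeping are a deliberately simplified model (the real `tcp_in_window()` is stricter), and all addresses, ports and sequence numbers are constructed test data.

```python
"""Toy model (not netfilter code) of a tracker reacting to a TCP RST versus an
ICMP type 3 code 3 (port unreachable) aimed at a tracked flow.  The ICMP body
is parsed as real bytes; the window check is a simplified RFC 793 test.
honor_icmp_errors is a hypothetical switch, not an existing iptables option."""
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass, field

ICMP_DEST_UNREACH = 3          # ICMP type 3
ICMP_PORT_UNREACH = 3          # code 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17
SEQ_SPACE = 1 << 32


@dataclass(frozen=True)
class Tuple5:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> Tuple5:
        return Tuple5(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Entry:
    orig: Tuple5
    state: str                                   # "ESTABLISHED" / "UNREPLIED"
    # TCP only, keyed by the sending tuple: (next seq the receiver expects
    # from that sender, window the receiver has advertised to it).
    window: dict = field(default_factory=dict)


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, with 32-bit wrap-around."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def parse_icmp_error_payload(payload: bytes) -> Tuple5:
    """Recover the 5-tuple of the datagram that provoked the error.  RFC 792:
    the ICMP body carries the original IPv4 header plus at least the first 8
    bytes of its payload, which covers the TCP/UDP port fields."""
    if len(payload) < 28 or payload[0] >> 4 != 4:
        raise ValueError("truncated or non-IPv4 inner header")
    ihl = (payload[0] & 0x0F) * 4
    if ihl < 20 or len(payload) < ihl + 8:
        raise ValueError("bad inner IPv4 header length")
    proto = payload[9]
    src = socket.inet_ntoa(payload[12:16])
    dst = socket.inet_ntoa(payload[16:20])
    sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return Tuple5(proto, src, sport, dst, dport)


def build_icmp_error_payload(t: Tuple5, transport_first8: bytes) -> bytes:
    """Constructed test input: minimal inner IPv4 header + 8 transport bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8, 0, 0, 64, t.proto, 0,
                     socket.inet_aton(t.src), socket.inet_aton(t.dst))
    return ip + transport_first8[:8]


class Conntrack:
    def __init__(self, honor_icmp_errors: bool = False) -> None:
        self.table: dict[Tuple5, Entry] = {}
        self.honor_icmp_errors = honor_icmp_errors   # hypothetical option

    def add(self, entry: Entry) -> None:
        self.table[entry.orig] = entry
        self.table[entry.orig.reply()] = entry

    def destroy(self, entry: Entry) -> None:
        self.table.pop(entry.orig, None)
        self.table.pop(entry.orig.reply(), None)

    def handle_rst(self, sender: Tuple5, seq: int) -> str:
        entry = self.table.get(sender)
        if entry is None or sender.proto != IPPROTO_TCP:
            return "INVALID"
        rcv_nxt, rcv_wnd = entry.window[sender]
        if not in_window(seq, rcv_nxt, rcv_wnd):
            return "INVALID"           # a forger must also know the sequence number
        self.destroy(entry)
        return "DESTROYED"

    def handle_icmp_error(self, outer_src: str, icmp_type: int,
                          icmp_code: int, payload: bytes) -> str:
        if icmp_type != ICMP_DEST_UNREACH:
            return "INVALID"
        try:
            inner = parse_icmp_error_payload(payload)
        except ValueError:
            return "INVALID"
        entry = self.table.get(inner)
        if entry is None:
            return "INVALID"           # error for a flow never seen
        # Only the destination host generates port-unreachable, so require the
        # outer source to be the inner destination.  Since that address is
        # trivially spoofed, only the 5-tuple protects the flow: no window test.
        if (icmp_code == ICMP_PORT_UNREACH and outer_src == inner.dst
                and self.honor_icmp_errors):
            self.destroy(entry)
            return "DESTROYED"
        return "RELATED"               # default: associated, flow kept


def demo() -> dict:
    """Constructed scenario: attacker knows the 5-tuple but no sequence numbers."""
    tcp = Tuple5(IPPROTO_TCP, "192.0.2.10", 40000, "198.51.100.5", 443)
    udp = Tuple5(IPPROTO_UDP, "192.0.2.10", 50000, "198.51.100.5", 53)
    win = {tcp: (1000, 65535), tcp.reply(): (5000, 65535)}
    results = {}
    for tag, honor in (("default", False), ("honor", True)):
        ct = Conntrack(honor_icmp_errors=honor)
        ct.add(Entry(tcp, "ESTABLISHED", window=dict(win)))
        ct.add(Entry(udp, "UNREPLIED"))
        results[f"{tag}/rst_guess"] = ct.handle_rst(tcp.reply(), 123456789)
        p = build_icmp_error_payload(tcp, struct.pack("!HHI", tcp.sport, tcp.dport, 0))
        results[f"{tag}/icmp_tcp"] = ct.handle_icmp_error(
            tcp.dst, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, p)
        results[f"{tag}/tcp_tracked"] = tcp in ct.table
        p = build_icmp_error_payload(udp, struct.pack("!HHHH", udp.sport, udp.dport, 8, 0))
        results[f"{tag}/icmp_udp"] = ct.handle_icmp_error(
            udp.dst, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, p)
        results[f"{tag}/udp_tracked"] = udp in ct.table
    ct = Conntrack()
    ct.add(Entry(tcp, "ESTABLISHED", window=dict(win)))
    results["rst_in_window"] = ct.handle_rst(tcp.reply(), 5100)   # legitimate RST
    return results
```

With the option off, both errors are merely associated with the flow and the entries stay, which is the UNREPLIED-with-ICMP situation described above; with it on, an inner header carrying an arbitrary sequence number tears the flow down, whereas the guessed RST is rejected. The outer-source check narrows the forgery slightly but, unlike the window test, costs an attacker nothing they do not already need for the RST.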