#86 return-rst/return icmp doesn't work for local clients

open
nobody
5
2008-09-17
2008-09-17
No

When a packet matches a block return-rst rule, two things happen:
an RST packet is sent to the packet sender [1]
fr_check() returns ECONNRESET [2]

[1] is important for remote TCP clients: the client reports a connection error as soon as the RST packet is received, rather than waiting for the 30-second timeout to determine the connect error.

[2] is important for local clients (clients running on the same box where IPF is enabled). IPF can't send an RST packet to these clients; for local clients fr_check() returns ECONNRESET instead.
The return value is supposed to be propagated up to the caller (the local client application). Unfortunately the return value is eaten by the PF_HOOKS layer. This prevents the local client from bailing out immediately with the ECONNRESET error code; the local client must wait the complete 30-second timeout to detect the ECONNTIMEOUT error.
*** (#1 of 2): 2008-09-16 09:37:28 CEST alexandr.nedvedicky@sun.com

After a short discussion, Darren Reed came up with a proposal: alter the matching packet into an RST, swap the addresses, and pass the altered packet to the IP stack, letting it route the packet to its destination. I think it will work.
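The proposal above, turning the matching segment into an RST with the addresses swapped, as an added example in C (not IPFilter's own code): it builds the RST reply for an IPv4/TCP segment following RFC 793 reset generation and checks it against a constructed SYN. The fixed 40-byte output, TTL 64 and the byte-offset field layout are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Big-endian field helpers so the code does not depend on struct packing. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* One's-complement sum of n bytes, folded to 16 bits, continuing from acc. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (size_t i = 0; i + 1 < n; i += 2) acc += rd16(p + i);
    if (n & 1) acc += (uint32_t)p[n - 1] << 8;
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return acc;
}
/* TCP checksum over a whole IPv4 packet (pseudo-header + segment). A packet
 * with a correct checksum yields 0; to fill the field, zero it and store this. */
uint16_t tcp_csum(const uint8_t *pkt, size_t len) {
    size_t ihl = (pkt[0] & 0x0f) * 4, tlen = len - ihl;
    uint32_t acc = sum16(pkt + 12, 8, 0) + 6 + (uint32_t)tlen; /* addrs, proto, TCP len */
    return (uint16_t)~sum16(pkt + ihl, tlen, acc);
}
/* Rewrite the matched TCP segment `in` into the RST that answers it (RFC 793 reset
 * generation): addresses and ports swapped, seq/ack derived from the original.
 * Writes 40 bytes to `out`; returns 40, or -1 for non-TCP/IPv4 input or when the
 * segment is itself a RST (a RST is never answered with a RST). */
int build_rst_reply(const uint8_t *in, size_t inlen, uint8_t *out) {
    if (inlen < 20 || (in[0] >> 4) != 4 || in[9] != 6) return -1;
    size_t ihl = (in[0] & 0x0f) * 4, tot = rd16(in + 2);
    if (ihl < 20 || inlen < ihl + 20 || tot > inlen) return -1;
    const uint8_t *t = in + ihl;
    size_t doff = (t[12] >> 4) * 4;
    if (doff < 20 || tot < ihl + doff || (t[13] & 0x04)) return -1;
    size_t plen = tot - ihl - doff;                                 /* payload bytes */
    memset(out, 0, 40);
    out[0] = 0x45; wr16(out + 2, 40); out[8] = 64; out[9] = 6;      /* TTL 64: assumed */
    memcpy(out + 12, in + 16, 4); memcpy(out + 16, in + 12, 4);     /* swap addresses */
    wr16(out + 10, (uint16_t)~sum16(out, 20, 0));                   /* IP checksum */
    uint8_t *r = out + 20;
    wr16(r, rd16(t + 2)); wr16(r + 2, rd16(t)); r[12] = 0x50;       /* swap ports */
    if (t[13] & 0x10) { wr32(r + 4, rd32(t + 8)); r[13] = 0x04; }   /* ACK set: seq = its ack, RST */
    else { wr32(r + 8, (uint32_t)(rd32(t + 4) + plen + !!(t[13] & 0x02) + !!(t[13] & 0x01))); r[13] = 0x14; }
    wr16(r + 16, tcp_csum(out, 40));
    return 40;
}
/* Constructed sample: SYN 10.0.0.2:40000 -> 10.0.0.1:80, seq 1000, checksums left 0. */
const uint8_t syn_pkt[40] = { 0x45,0,0,40, 0,0,0,0, 64,6,0,0, 10,0,0,2, 10,0,0,1,
    0x9c,0x40, 0,80, 0,0,0x03,0xe8, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
uint8_t rst_out[40];
```

The reply carries RST|ACK with ack = 1001 (the SYN's seq plus one) and a valid checksum, which is exactly the segment a remote client would receive; a local client never sees it, which is the gap this bug describes.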
