Re: VS: can pf send icmp protocol unreachables?

From: Daniel Hartmeier <daniel(at)benzedrine.cx>
Date: Tue Nov 26 2002 - 13:02:24 EST

On Tue, Nov 26, 2002 at 07:45:46PM +0200, Toni Heinonen wrote:

> As far as I know, blocking any other protocol requires an ICMP protocol unreachable (or of course a simple silent drop, but that's the crude way).

It's not necessarily crude. The OpenBSD TCP/IP stack, for instance, processes all incoming ICMP errors in net/ip_icmp.c icmp_input().

There, certain ICMP types/codes are consolidated into a single code, others are just ignored. Depending on what protocol the ICMP error refers to, the ctlinput() function for that protocol is called. Not many protocols besides TCP and UDP even have a ctlinput() function. For them, an ICMP error has just no effect at all.

As an example of one other protocol which does process ICMP errors, look at netiso/tp_inet.c tpip_ctlinput(). It doesn't distinguish between UNREACH_PORT and UNREACH_PROTO at all, both cause the same processing.

Another example is ctlinput for ah4 and esp4, both completely ignore UNREACH_PORT and UNREACH_PROTO messages.

Hence my question, can you name a single protocol (besides TCP and UDP) that actually uses ICMP errors for anything? Maybe a rawsock listener that does something with them? If not, it's just useless to return-icmp for other protocols, as they have no effect whatsoever. Dropping them silently would not be crude, but sensible, and save you bandwidth.


Daniel

Received on Tue Nov 26 13:03:41 2002
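The dispatch Daniel describes, as an added example that is not part of the original mail and not OpenBSD's own source: a constructed, simplified model of how an ICMP "destination unreachable" is consolidated into a control code and handed to the ctlinput handler of whichever protocol the embedded IP header names. The protocol table, the handler bodies and the `CTL_*`/`EFFECT_*` names are hypothetical and only mimic the behaviour the mail attributes to tcp, udp, tp, ah and esp; the model lets you check, for any protocol number, whether a filter's return-icmp would change anything on the sender's stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1122 values. */
enum icmp_unreach {
    UNREACH_NET = 0, UNREACH_HOST = 1, UNREACH_PROTOCOL = 2, UNREACH_PORT = 3,
    UNREACH_NEEDFRAG = 4, UNREACH_NET_PROHIB = 9, UNREACH_HOST_PROHIB = 10
};

/* Consolidated control codes passed to a protocol's ctlinput handler.
   Hypothetical names: they stand in for the kernel's PRC_* idea, nothing more. */
enum ctl_code { CTL_UNREACH_NET, CTL_UNREACH_HOST, CTL_UNREACH_PROTOCOL,
                CTL_UNREACH_PORT, CTL_MSGSIZE, CTL_IGNORED };

/* What the receiving protocol did with the error (model values). */
enum effect { EFFECT_NONE, EFFECT_ABORT_CONNECTION, EFFECT_NOTIFY_SOCKET, EFFECT_UPDATE_MTU };

typedef enum effect (*ctlinput_fn)(enum ctl_code);

/* Simplified TCP: protocol/port unreachable are hard errors and abort the
   connection, NEEDFRAG feeds path-MTU discovery, net/host unreachable are
   soft errors that only keep retransmission going (RFC 1122 4.2.3.9). */
static enum effect tcp_ctlinput(enum ctl_code c) {
    switch (c) {
    case CTL_UNREACH_PROTOCOL: case CTL_UNREACH_PORT: return EFFECT_ABORT_CONNECTION;
    case CTL_MSGSIZE: return EFFECT_UPDATE_MTU;
    default: return EFFECT_NONE;
    }
}

/* Simplified UDP: the error is reported to the bound socket. */
static enum effect udp_ctlinput(enum ctl_code c) {
    return c == CTL_IGNORED ? EFFECT_NONE : EFFECT_NOTIFY_SOCKET;
}

/* Model of tpip_ctlinput(): does not distinguish UNREACH_PORT from
   UNREACH_PROTO, both lead to the same processing. */
static enum effect tp_ctlinput(enum ctl_code c) {
    return (c == CTL_UNREACH_PROTOCOL || c == CTL_UNREACH_PORT) ? EFFECT_ABORT_CONNECTION : EFFECT_NONE;
}

/* Model of the ah4/esp4 handlers: a handler exists, but port/protocol
   unreachable messages are ignored outright. */
static enum effect ipsec_ctlinput(enum ctl_code c) {
    (void)c;
    return EFFECT_NONE;
}

/* Hypothetical protocol switch: a NULL ctlinput means "no handler at all". */
struct proto { const char *name; int ipproto; ctlinput_fn ctlinput; };

static const struct proto protosw[] = {
    { "igmp", 2,  NULL },
    { "tcp",  6,  tcp_ctlinput },
    { "udp",  17, udp_ctlinput },
    { "tp4",  29, tp_ctlinput },
    { "esp",  50, ipsec_ctlinput },
    { "ah",   51, ipsec_ctlinput },
};

/* Step one of icmp_input(): fold the many unreachable codes into few. */
static enum ctl_code consolidate(int icmp_code) {
    switch (icmp_code) {
    case UNREACH_NET:        return CTL_UNREACH_NET;
    case UNREACH_HOST:       return CTL_UNREACH_HOST;
    case UNREACH_PROTOCOL:   return CTL_UNREACH_PROTOCOL;
    case UNREACH_PORT:       return CTL_UNREACH_PORT;
    case UNREACH_NEEDFRAG:   return CTL_MSGSIZE;
    case UNREACH_NET_PROHIB: return CTL_UNREACH_NET;   /* folded into plain net-unreach */
    case UNREACH_HOST_PROHIB:return CTL_UNREACH_HOST;  /* folded into plain host-unreach */
    default:                 return CTL_IGNORED;
    }
}

/* Step two: the embedded IP header's protocol field picks the handler.
   An error aimed at a protocol without ctlinput is dropped on the floor. */
enum effect icmp_unreach_input(int icmp_code, int embedded_ipproto) {
    enum ctl_code c = consolidate(icmp_code);
    if (c == CTL_IGNORED) return EFFECT_NONE;
    for (size_t i = 0; i < sizeof protosw / sizeof protosw[0]; i++)
        if (protosw[i].ipproto == embedded_ipproto)
            return protosw[i].ctlinput ? protosw[i].ctlinput(c) : EFFECT_NONE;
    return EFFECT_NONE;   /* unknown protocol: nobody to notify */
}

/* Would a filter's "return-icmp(proto-unr)" change anything for this protocol? */
bool proto_unreach_has_effect(int ipproto) {
    return icmp_unreach_input(UNREACH_PROTOCOL, ipproto) != EFFECT_NONE;
}

int main(void) {
    for (size_t i = 0; i < sizeof protosw / sizeof protosw[0]; i++)
        printf("%-5s (proto %2d): proto-unreach %s\n", protosw[i].name, protosw[i].ipproto,
               proto_unreach_has_effect(protosw[i].ipproto) ? "has an effect" : "is ignored");
    return 0;
}
```

Run as is, the table shows the point of the mail: only tcp, udp and tp4 react to a protocol-unreachable, so for esp, ah or igmp a silent drop and a return-icmp look identical to the sender, except that the drop costs no bandwidth.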

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:27 EDT
