Re: PRIV: 2.1.102: ipchains: REJECT does only DENY - network gurus please
Tue, 19 May 1998 00:08:55 +0200

On Mon, May 18, 1998 at 11:42:33PM +0200, Steffen Zahn wrote:
> Hello,
> I tried your patch.
> 1. ipchains can now reject packets, that have destinations for which there
> is no route.
> 22:27:42.550861 taliesin.1027 > 64317+ (32)
> 22:27:42.551050 zahn > taliesin: icmp: udp port nameserver unreachable [tos 0xc0]
> 22:27:42.551501 taliesin.1027 > 64317+ (32)
> 22:27:42.551614 zahn > taliesin: icmp: udp port nameserver unreachable [tos 0xc0]
> but for some reason it generates a packet storm of > 100 DNS packets and
> the same number of icmp packets in the same second. As far as the application
> on the client (netscape) is concerned the behaviour looks fine now,
> i.e. error message window opens immediately etc.

The packet storm has two reasons: first, the ICMP error rate limiting
only works with a "permanent" destination entry, but here there is only
a temporary one that is not inserted into the routing cache. This means
no rate limiting is done, because the required state is not found again
when the next packet comes in. Also, the DNS resolver on zahn seems to
take port unreachable as a temporary error and retries immediately
[looks like a microsoftism; bind at least does an exponential backoff].

The problem could be solved by inserting temporary entries for
non-existing routes into the routing cache, but that would probably have
other bad side effects.
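The first of the two reasons above, as an added illustration that is not part of the original mail or of the kernel's code: a per-destination token bucket for ICMP errors only limits anything if the bucket is found again on the next packet. The simulation below keeps the bucket in a small "routing cache" in one run, and builds a throw-away entry per packet in the other, which is what a destination without a route gets. The burst size (4), refill rate (one token per 100 ms), cache size (16) and the unroutable address 10.99.99.99 are assumptions for the simulation, not values from the page or from the 2.1.x kernel.

```c
/*
 * Constructed example (not kernel code): a per-destination token bucket for
 * ICMP error rate limiting, and what happens when the bucket's state is not
 * kept between packets. Burst of 4, one token per 100 ms and a 16-entry
 * cache are assumptions for the simulation.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_SIZE   16
#define ICMP_BURST   4      /* assumed: tokens available in a burst */
#define ICMP_RATE_MS 100    /* assumed: one token refilled per 100 ms */

struct dst_entry {
    int      in_use;
    uint32_t daddr;          /* destination address the entry describes */
    long     refill_ms;      /* time up to which tokens have been credited */
    int      tokens;         /* ICMP errors still allowed right now */
};

static struct dst_entry cache[CACHE_SIZE];

static void dst_init(struct dst_entry *d, uint32_t daddr, long now_ms)
{
    d->in_use = 1;
    d->daddr = daddr;
    d->refill_ms = now_ms;
    d->tokens = ICMP_BURST;
}

/* Look up daddr in the routing cache; insert a fresh entry if absent. */
static struct dst_entry *dst_cache_lookup(uint32_t daddr, long now_ms)
{
    int i;
    for (i = 0; i < CACHE_SIZE; i++)
        if (cache[i].in_use && cache[i].daddr == daddr)
            return &cache[i];
    for (i = 0; i < CACHE_SIZE; i++)
        if (!cache[i].in_use) {
            dst_init(&cache[i], daddr, now_ms);
            return &cache[i];
        }
    return NULL;    /* cache full: caller falls back to a temporary entry */
}

/* Token bucket: credit whole refill intervals, then spend one token if any. */
static int icmp_rate_ok(struct dst_entry *d, long now_ms)
{
    long intervals = (now_ms - d->refill_ms) / ICMP_RATE_MS;
    if (intervals > 0) {
        d->tokens += (int)intervals;
        if (d->tokens > ICMP_BURST)
            d->tokens = ICMP_BURST;
        d->refill_ms += intervals * ICMP_RATE_MS;  /* keep the remainder */
    }
    if (d->tokens > 0) {
        d->tokens--;
        return 1;
    }
    return 0;
}

/*
 * Send npackets to one unroutable destination, interval_ms apart, and count
 * how many ICMP errors the limiter lets through.
 *   keep_state = 1: the entry lives in the cache, so the bucket is found
 *                   again on the next packet.
 *   keep_state = 0: a temporary entry is built per packet and discarded,
 *                   so every packet starts with a full bucket.
 */
static int count_icmp_replies(int npackets, long interval_ms, int keep_state)
{
    const uint32_t unroutable = 0x0a636363u;  /* constructed: 10.99.99.99 */
    struct dst_entry tmp;
    int i, sent = 0;

    memset(cache, 0, sizeof cache);
    for (i = 0; i < npackets; i++) {
        long now_ms = (long)i * interval_ms;
        struct dst_entry *d = NULL;
        if (keep_state)
            d = dst_cache_lookup(unroutable, now_ms);
        if (!d) {
            dst_init(&tmp, unroutable, now_ms);  /* state lost after this packet */
            d = &tmp;
        }
        if (icmp_rate_ok(d, now_ms))
            sent++;
    }
    return sent;
}

int main(void)
{
    printf("cached entry:    %d ICMP errors for 100 packets in 1 s\n",
           count_icmp_replies(100, 10, 1));
    printf("temporary entry: %d ICMP errors for 100 packets in 1 s\n",
           count_icmp_replies(100, 10, 0));
    return 0;
}
```

With 100 packets 10 ms apart, the cached entry lets through the 4-packet burst plus one error per 100 ms (13 in total), while the temporary entry answers every packet: the resolver's immediate retry on each port unreachable then turns that into the storm seen in the trace.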

