Subject: Re: kern/10134: ipfilter with careless ICMP rules will send ICMP in response to ICMP
To: None <netbsd-bugs@netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: netbsd-bugs
Date: 05/16/2000 17:15:24
> 	I have a lot of sympathy with just saying "don't do that".
> 	But I think the most-correct (vis-a-vis rfc1222) action
> 	is to modify IPfilter's "block return-icmp" to check if the
> 	blocked packet is an ICMP, and if it is, to silently
> 	drop the ICMP packet.

Although it would be beneficial if some ICMPs, such as
icmp-echo-request and icmp-echo-reply, were allowed to generate ICMP
error messages.  It is only sending ICMP error messages in reply to ICMP
error messages that causes the infinite ping-ponging error-message
problem.

Personally I'd like to see as little policy in the code as possible
and just put a big fat note in the ipfilter documentation that says
always precede a return-icmp with a test for the error ICMPs and
silently drop them.

(Sort of like having the block for sending network 127.0.0.0 packets
off-host done via a user-level "route add -net 127.0.0.0 127.0.0.1
-reject" call instead of hardwired in kernel code.)

-wolfgang
-- 
       Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
		    http://www.wsrcc.com/wolfgang/
DGPS signals via the Internet  http://www.wsrcc.com/wolfgang/gps/dgps-ip.html
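The rule ordering the message argues for, written out as an ipf.conf fragment. This is an added example, not a rule set posted in the thread; the interface name le0 and the port-unr return code are assumptions, and the ICMP type names are ipfilter's own (unreach, squench, redir, timex, paramprob are the error types; echo, echorep and the rest are not errors). The careless form is shown commented out above the careful one. RFC 1122 section 3.2.2 is the rule that an ICMP error must not be sent in response to another ICMP error, which is why only the error types need to be dropped before the return-icmp rule.

```conf
# Added example (not from the original thread).  Assumed interface: le0.
#
# Careless: one return-icmp rule that also matches inbound ICMP.  An
# incoming ICMP error (say, a port unreachable) blocked here is answered
# with another ICMP error; if the peer filters the same way, the two
# hosts ping-pong error messages at each other indefinitely.
#
#   block return-icmp(port-unr) in on le0 from any to any
#
# Careful: silently drop the ICMP *error* types first.  'quick' makes
# these rules final, so no later return-icmp rule ever sees an ICMP
# error.  Non-error ICMP (echo, echorep, timestamp, mask requests) falls
# through to the rule below and may still be answered with an ICMP error,
# which RFC 1122 permits.
block in quick on le0 proto icmp from any to any icmp-type unreach
block in quick on le0 proto icmp from any to any icmp-type squench
block in quick on le0 proto icmp from any to any icmp-type redir
block in quick on le0 proto icmp from any to any icmp-type timex
block in quick on le0 proto icmp from any to any icmp-type paramprob

# Now return-icmp can only be triggered by non-ICMP traffic and by
# non-error ICMP, neither of which can start a loop.
block return-icmp(port-unr) in on le0 from any to any
```

Check the ordering with `ipf -nf /etc/ipf.conf` (parse only) before loading, and confirm with `ipfstat -hio` that the icmp-type rules sit above the return-icmp rule in the inbound list; if a return-icmp rule is added later without `quick` on the drop rules above it, the loop comes back.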