[ovs-dev] [RFC 3/3] OVN: add acl reject rule support using icmp4 action

Ben Pfaff blp at ovn.org
Fri Feb 9 17:27:58 UTC 2018


On Fri, Feb 09, 2018 at 11:13:09AM +0100, Lorenzo Bianconi wrote:
> On Jan 23, Ben Pfaff wrote:
> > On Wed, Jan 10, 2018 at 06:59:01PM +0100, Lorenzo Bianconi wrote:
> > > Whenever the acl reject rule is hit send back an ICMPv4 destination
> > > unreachable packet and do not handle reject rule as drop one
> > > 
> > > Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
> > 
> > It's nice to finally get this right!  Thank you.
> > 
> > I wonder about the treatment for TCP connections.  A connection attempt
> > to a TCP port that is not listening ordinarily yields a TCP RST
> > response.  I do not know whether an ICMP reply is acceptable.  Do you
> > have any thoughts on that?
> > 
> 
> I agree, we need to add the TCP feature. I was thinking of sending a different patchset adding the TCP stuff.
> Do you prefer to squash the TCP action into this patchset or respin it with your comments?

It's OK with me to do TCP in a different patch set.  It takes extra work
to write code to generate TCP RSTs.  I don't want to delay these patches
by requiring that extra work now.  I would like to see the TCP work
done, however.

For this patch set, do you think it is better to send ICMP for TCP or to
continue treating reject as drop for TCP?

Thanks,

Ben.

