[ovs-dev] [RFC 3/3] OVN: add acl reject rule support using icmp4 action

Lorenzo Bianconi lorenzo.bianconi at redhat.com
Fri Feb 9 20:58:11 UTC 2018


> On Fri, Feb 09, 2018 at 11:13:09AM +0100, Lorenzo Bianconi wrote:
>> On Jan 23, Ben Pfaff wrote:
>> > On Wed, Jan 10, 2018 at 06:59:01PM +0100, Lorenzo Bianconi wrote:
>> > > Whenever the acl reject rule is hit send back an ICMPv4 destination
>> > > unreachable packet and do not handle reject rule as drop one
>> > >
>> > > Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
>> >
>> > It's nice to finally get this right!  Thank you.
>> >
>> > I wonder about the treatment for TCP connections.  A connection attempt
>> > to a TCP port that is not listening ordinarily yields a TCP RST
>> > response.  I do not know whether an ICMP reply is acceptable.  Do you
>> > have any thoughts on that?
>> >
>>
>> I agree, we need to add the TCP feature; I was thinking of sending a different patchset adding the TCP stuff.
>> Do you prefer to squash the TCP action into this patchset or respin it with your comments?
>
> It's OK with me to do TCP in a different patch set.  It takes extra work
> to write code to generate TCP RSTs.  I don't want to delay these patches
> by requiring that extra work now.  I would like to see the TCP work
> done, however.

ack, I will send a new patchset soon

>
> For this patch set, do you think it is better to send ICMP for TCP or to
> continue treating reject as drop for TCP?
>

I guess we can maintain the standard 'drop' action for TCP connections
for the moment

> Thanks,
>
> Ben.

Thanks.
Regards,

Lorenzo

