On 13/02/15 13:27, Mikael Abrahamsson wrote:
> Packet reaches HGW2, which has no flow state, and is dropped. ICMP error message might be created. In case of ICMP error message, U1 should ignore this.

That's an application-layer issue. It all depends on how they're talking to the socket API. They might not even see the ICMP error if they're just doing dumb send() calls.

> U2 sends a packet from U2IP,U2PORT to U1IP,U1PORT. HGW2 creates flow state. Packet hits HGW1 which already has a flow state, and packet successfully reaches U1. U1 now can start sending packets to U2 as well and they've worked around both of them having HGWs with stateful firewalls disallowing new connections to them. Right?

Yes.

> The crucial step here seems to be the fact that initial packets might be dropped and error messages be generated, but these should be ignored by the application. Is this commonplace? Is it a problem at all?

As above, depends on how they're using the socket API. As a rule for UDP connections, you actually have to put *more* work in to see ICMP errors. It's certainly possible to ignore them.
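
An added illustration of the socket API point discussed in this message (not code from either participant): it sends UDP datagrams to a closed loopback port and reports what the application observes with an unconnected socket using `sendto()` versus a socket that has called `connect()`. The function names, the payload and the loopback setup are assumptions made for the example, and the result shown assumes Linux behaviour, where ICMP errors are only reported on connected UDP sockets unless `IP_RECVERR` is set.

```python
import errno
import socket


def closed_udp_port():
    """Bind to an ephemeral loopback port, then close it so nothing listens there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(connected, timeout=0.5):
    """Send up to two datagrams to a closed port; return what the application sees."""
    dest = ("127.0.0.1", closed_udp_port())
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        if connected:
            # With a fixed peer, the kernel can map a returning ICMP
            # port-unreachable onto this socket as a pending error.
            s.connect(dest)
        for _ in range(2):
            try:
                if connected:
                    s.send(b"punch")
                else:
                    # Plain sendto(): no peer association, so the ICMP
                    # error is not surfaced to the application.
                    s.sendto(b"punch", dest)
                s.recv(64)
            except socket.timeout:
                continue  # nothing came back, and no error was reported
            except OSError as e:
                return errno.errorcode.get(e.errno, str(e.errno))
        return "no error seen"
    finally:
        s.close()


if __name__ == "__main__":
    print("unconnected sendto():", probe(connected=False))
    print("connect() + send():  ", probe(connected=True))
```

An application doing the simultaneous-send exchange on a connected socket would treat `ECONNREFUSED` during the opening packets as transient and keep retrying rather than tearing the session down.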