In a message of 26 Feb at 13:22, Ramin Alidousti wrote:
> Yes. The behavior you described is what I'd have expected as no other
> machine than the dst machine can claim that the port was unreachable.
That was my point too
> _BUT_ I also tested this on a SunOS and apparently they also don't
> check the ip of the originating icmp against the dst ip.
Well, RFC792 does not require that only the destination host sends the
"port unreach" error. I think this is why there is no implemented check.
> I think this new module could make the linux tcp/ip stack compliant with
> RFC792 _if_ we could dynamically source the icmp with the dst ip...
It is already compliant wrt the lines above. However, I think that an
option which would fake the orig ip to the packet destination would be
very cool. Before that, since we can match the destination ip in an
iptables rule, a "for" loop could do the job.
--
Guillaume Morin <[EMAIL PROTECTED]>
What is the point of trying to dream anymore ? (Alanis Morisette)
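
The check discussed in this thread, as an added example that is not part of the original messages: it parses an ICMP "port unreachable" (type 3, code 3) packet and compares the outer source address with the destination address of the quoted original datagram. The function names and the sample packets (documentation-range addresses) are constructed for illustration.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header for the constructed samples (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_port_unreach(icmp_src, orig_src, orig_dst, sport=40000, dport=9):
    """Constructed ICMP type 3 / code 3 packet quoting a UDP datagram."""
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    quoted = ipv4_header(orig_src, orig_dst, 17, len(udp)) + udp
    # ICMP header: type, code, checksum (0 here), 4 unused bytes, then the quote
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return ipv4_header(icmp_src, orig_src, 1, len(icmp)) + icmp

def check_port_unreach(packet):
    """Return (outer_src, quoted_dst, sent_by_destination), or None when the
    packet is not a well-formed IPv4 ICMP port-unreachable message."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 1:          # protocol 1 = ICMP
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != 3 or icmp[1] != 3:
        return None
    quoted = icmp[8:]                       # original IP header + 64 bits of data
    outer_src = socket.inet_ntoa(packet[12:16])
    quoted_dst = socket.inet_ntoa(quoted[16:20])
    return outer_src, quoted_dst, outer_src == quoted_dst

if __name__ == "__main__":
    # Sample 1: the error comes from the host the datagram was addressed to.
    from_dst = build_port_unreach("192.0.2.10", "198.51.100.5", "192.0.2.10")
    # Sample 2: the error comes from another machine on the path.
    from_other = build_port_unreach("203.0.113.1", "198.51.100.5", "192.0.2.10")
    for name, pkt in (("from destination", from_dst), ("from other host", from_other)):
        print(name, check_port_unreach(pkt))
```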