On Mon, Jul 28, 2008 at 01:27:46PM -0400, Vlad Yasevich wrote:

So the suggestion really is then to remove the length check icmp_unreach()?

Yes.

Because as it stands right now, the protocol error handler will not be invoked
if we don't have the iphdr + 8 bytes worth of data.  That's is actually a requirement
from the ICMP rfc 792.

That requirement only makes sense if the original packet has at
least 8 bytes of payload.  Since the RFC doesn't talk about
padding in case it doesn't have 8 byte, the behaviour in that
case is clearly undefined.

As far as Linux is concerned, we've never done padding if there
is less than 8 bytes of payload.  So as such we must be prepared
to deal with that on the input side as well.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} [off-list ref]
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt