490854 – [RHEL5] glibc reports "no route to host" on icmp-admin-prohibited

Bug 490854 - [RHEL5] glibc reports "no route to host" on icmp-admin-prohibited

Summary: [RHEL5] glibc reports "no route to host" on icmp-admin-prohibited

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	glibc
Sub Component:
Version:	5.3
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Andreas Schwab
QA Contact:	BaseOS QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-03-18 10:37 UTC by Ingvar Hagelund
Modified:	2009-11-22 22:16 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-11-22 22:16:23 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Ingvar Hagelund 2009-03-18 10:37:23 UTC

Description of problem:
When outgoing packets are filtered with icmp-admin-prohibited, glibc reports wrongly "No route to host". Correct report should be something like "Unreachable - admin prohibited filter" or something like that.

Telling the user that there is no route to a host that is clearly routable and available, may give network administrators that do not know this bug headache and sleep trouble.

Version-Release number of selected component (if applicable):
glibc-2.5-34. Also reproducable on all tested Linux distributions, including for example rhel4 and a few Fedora, Debian and Ubuntu versions, so this is an upstream bug.

How reproducible:
Always

Steps to Reproduce:
1. Filter outgoing packages with icmp-admin-prohibited, for example, on a Linux router, like this:

iptables -A SOMECHAIN -s 192.168.42.42 -d www.redhat.com -j REJECT \
--reject-with icmp-admin-prohibited

2. Test, for example with telnet

# telnet www.redhat.com 80
Trying 88.221.36.112...
telnet: connect to address 88.221.36.112: No route to host

tcpdump shows that the message "No route to host" is bogus.

# tcpdump -i eth0 -n host www.redhat.com or icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:19:52.447684 IP 192.168.42.42.41959 > 88.221.36.112.http: S 821776623:821776623(0) win 5840 <mss 1460,sackOK,timestamp 1732359844 0,nop,wscale 6>
11:19:52.447856 IP 192.168.42.1 > 192.168.42.42: ICMP host 88.221.36.112 unreachable - admin prohibited filter, length 68

3. Compair with ping that does not use glibc in the same way

$ ping -c1 www.redhat.com
PING e86.b.akamaiedge.net (88.221.36.112) 56(84) bytes of data.
From some.router.tld.net (192.168.42.1) icmp_seq=1 Packet filtered

Actual results:
glibc reports "No route to host".

Expected results:
glibc should report a correct error message, like "Unreachable - admin prohibited filter" or similar, see the ping example.

Additional info:
* Somebody reported the same bug in Debian, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=421375

Comment 1 Ulrich Drepper 2009-11-22 22:16:23 UTC

The kernel doesn't provide more detailed information.  The connect calls fails with EHOSTUNREACH which traditionally results in the error message "No route to host".  There is nothing that can be done.

Note You need to log in before you can comment on or make changes to this bug.