[Bug 696] Extra tcp options for REJECT --reject-with tcp-reset-both / tcp-reset-destination

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sat Jun 22 10:05:56 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=696

--- Comment #5 from Alessandro Vesely <vesely at tana.it> 2013-06-22 10:05:55 CEST ---
(In reply to comment #4)
>> The kernel manages the seq and ack_seq counters itself, so it doesn't have
>> to try
> 
> ...for locally terminated connections, yes.  But what about forwarded traffic? 
> That is where the difficulty comes in.  Netfilter would need to be able to
> manage both local sockets and forwarded traffic.

That sounds correct to me.  I don't know why the man page for REJECT says:

  This target is only valid in the INPUT, FORWARD and OUTPUT chains

It could have excluded the FORWARD chain as well, if that could not be done
cleanly.  Similar limitations are obvious for other modules, such as xt_owner.
