Connection problems on large high speed connections.
Jozsef Kadlecsik
kadlec at blackhole.kfki.hu
Wed Apr 27 15:58:45 CEST 2005
On Wed, 27 Apr 2005, Stian B. Barmen wrote:
> > Then there were packets flagged as INVALID by conntrack, which are of
> > course not matched by the states above. The reject line however matched
> > them and dutifully generated the RST segment, which tore down the
> > connection.
>
> But what is the reason for the difference in behaviour for -j REJECT vs
> -j REJECT --reject-with tcp-reset? Why does one kill the connection and
> not the other?
A "-j REJECT --reject-with tcp-reset" generates a TCP RST, which always
kills the connection. A "-j REJECT" generates an ICMP error message, which
- depending on the OS which receives the ICMP packet - might terminate a
TCP connection or might not. That is the very reason why "--reject-with
tcp-reset" is required.
Best regards,
Jozsef
-
E-mail : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
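The practical fix that follows from this exchange is rule ordering: packets conntrack flags as INVALID must be dropped before they can fall through to the REJECT rule, otherwise the reject line answers them with a RST (or an ICMP error) and may tear down a live connection. The following ruleset is an added example, not from the thread or the netfilter project; the chain name fw-input and the SSH port are assumptions, and the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list post).
# Builds an INPUT-style chain in which conntrack INVALID packets are dropped
# first, so stray out-of-window segments on a busy connection never reach the
# final REJECT and cannot provoke a connection-killing TCP RST.
# Assumptions: chain name "fw-input", SSH on port 22, iptables on PATH.

IPT="${IPT:-iptables}"

# Print a rule, or run it when APPLY=1 (requires root and a real netfilter).
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# Emit the rules in the order they must be evaluated.
gen_rules() {
    emit -N fw-input
    # 1. Packets conntrack cannot classify are silently dropped, never rejected.
    emit -A fw-input -m conntrack --ctstate INVALID -j DROP
    # 2. Traffic belonging to a tracked connection is accepted.
    emit -A fw-input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. New connections to the assumed service (SSH) are accepted.
    emit -A fw-input -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # 4. Only genuinely unwanted traffic is left: RST for TCP so the peer
    #    gives up immediately, a plain ICMP error for everything else.
    emit -A fw-input -p tcp -j REJECT --reject-with tcp-reset
    emit -A fw-input -j REJECT
}

# Sanity check for the generated ruleset: succeeds (exit 0) only if the
# INVALID drop appears before the first REJECT.
check_order() {
    rules=$(APPLY=0 gen_rules)
    drop_line=$(printf '%s\n' "$rules" | grep -n 'ctstate INVALID -j DROP' | head -n 1 | cut -d: -f1)
    rej_line=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$rej_line" ] && [ "$drop_line" -lt "$rej_line" ]
}
```

Run without APPLY to review the rules as text, then with APPLY=1 to load them; check_order is the one assertion worth keeping in a deployment script, because the whole point of the thread is that a reorder of these lines silently reintroduces the problem.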