[Bug 696] Extra tcp options for REJECT --reject-with tcp-reset-both / tcp-reset-destination
bugzilla-daemon at netfilter.org
Thu Jun 20 20:12:16 CEST 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=696
Phil Oester <netfilter at linuxace.com> changed:
What        | Removed | Added
------------+---------+---------------------------
CC          |         | netfilter at linuxace.com
--- Comment #2 from Phil Oester <netfilter at linuxace.com> 2013-06-20 20:12:15 CEST ---
Could you explain the use case for this? The only thing I can think of is that
you want to reset an existing connection. But that would mean that you have to
put this REJECT rule before any RELATED/ESTABLISHED conntrack ctstate match
rules (which is suboptimal).
And if you really want to reset an existing connection with a tcp reset, you
need to track the sequence number of the remote side so you can craft a reset
packet which isn't simply ignored by the client due to an out of range sequence
(ack).
So overall, it is difficult to understand the motivation for this request. And
even more difficult would be actually implementing it.
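The point about sequence numbers in the comment above is a receiver-side rule, and it can be shown without crafting any packets. The following Python is an added illustration, not part of the bug report, the comment, or the netfilter project: it models how a TCP stack decides whether an incoming RST is honoured, under the classic in-window rule (RFC 793) and the stricter exact-match rule with challenge ACKs (RFC 5961, section 3.2). All sequence numbers and window sizes below are constructed sample values; the function names are my own.

```python
# Added example (not netfilter code): why a reset that does not track the peer's
# sequence number is simply dropped or answered with a challenge ACK.

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), computed modulo 2**32.

    A zero window only accepts the exact next expected sequence number.
    """
    if rcv_wnd == 0:
        return seq % SEQ_MOD == rcv_nxt % SEQ_MOD
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rst_disposition(rst_seq: int, rcv_nxt: int, rcv_wnd: int, strict: bool = True) -> str:
    """Classify what the receiving stack does with an incoming RST.

    rcv_nxt / rcv_wnd are the receiver's next expected sequence number and
    advertised window for the established connection.

    strict=True  models RFC 5961 s3.2: only seq == rcv_nxt tears the
                 connection down; an in-window but inexact seq gets a
                 challenge ACK; anything out of window is dropped.
    strict=False models the older RFC 793 rule: any in-window seq resets.
    Returns one of "reset", "challenge-ack", "dropped".
    """
    if rst_seq % SEQ_MOD == rcv_nxt % SEQ_MOD:
        return "reset"
    if seq_in_window(rst_seq, rcv_nxt, rcv_wnd):
        return "challenge-ack" if strict else "reset"
    return "dropped"


def demo() -> dict:
    """Constructed scenario: an established flow the firewall did not track."""
    rcv_nxt, rcv_wnd = 0x12345678, 65535  # constructed values
    return {
        # A reset built from the peer's real state is honoured everywhere.
        "tracked": rst_disposition(rcv_nxt, rcv_nxt, rcv_wnd),
        # A reset with a guessed/untracked sequence number (here 0) is ignored.
        "untracked": rst_disposition(0, rcv_nxt, rcv_wnd),
        # In-window but inexact: old stacks reset, RFC 5961 stacks challenge.
        "near_miss_old": rst_disposition(rcv_nxt + 100, rcv_nxt, rcv_wnd, strict=False),
        "near_miss_5961": rst_disposition(rcv_nxt + 100, rcv_nxt, rcv_wnd),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>15}: {outcome}")
```

The "untracked" case is the one the comment describes: a REJECT target that has not followed the connection's sequence numbers can only emit a reset the receiving stack treats as out of window, so the connection stays up. The wraparound handling matters in practice because long-lived flows routinely cross the 2**32 boundary.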