Connection problems on large high speed connections.

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Wed Apr 27 15:58:45 CEST 2005


On Wed, 27 Apr 2005, Stian B. Barmen wrote:

> > Then there were packets flagged as INVALID by conntrack, which are of
> > course not matched by the states above. The reject line however matched
> > them and dutifully generated the RST segment, which tore down the
> > connection.
>
> But what is the reason for the difference in behaviour for -j REJECT vs
> -j REJECT --reject-with tcp-reset? Why does one kill the connection and
> not the other?

A "-j REJECT --reject-with tcp-reset" generates a TCP RST, which always
kills the connection. A "-j REJECT" generates an ICMP error message, which
- depending on the OS which receives the ICMP packet - might terminate a
TCP connection or might not. That is the very reason why "--reject-with
tcp-reset" is required.

Best regards,
Jozsef
-
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
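The failure mode discussed in this thread, and the usual fix, as an added example (this is not part of the original mail or of the netfilter project): two constructed iptables-restore rulesets for the INPUT chain, plus a small awk check that flags a ruleset in which a REJECT rule can be reached by conntrack INVALID packets. The port number (22) and the chain policy are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Both rulesets are constructed.
#
# broken_ruleset: reproduces the problem. Segments that conntrack flags as
# INVALID match none of the state rules, fall through to the final REJECT
# rule, and are answered with a TCP RST that tears down the live connection.
broken_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# fixed_ruleset: drop INVALID packets silently before any state matching, and
# only send the RST (which, as the mail explains, reliably closes the attempt)
# to genuinely NEW connections to ports we do not serve.
fixed_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# check_ruleset: read an iptables-restore ruleset on stdin and verify that an
# INVALID -> DROP rule appears before the first REJECT rule. Prints "ok" or
# "unsafe" and exits 0 or 1 accordingly. Single-chain heuristic only: it does
# not follow jumps into user-defined chains.
check_ruleset() {
    awk '
        /--state[ =]INVALID/ && /-j DROP/ { invalid_handled = 1 }
        /-j REJECT/ && !invalid_handled   { unsafe = 1 }
        END { if (unsafe) { print "unsafe"; exit 1 } print "ok" }
    '
}

# Usage: pipe a live ruleset through the check, e.g.
#   iptables-save | check_ruleset
# or compare the two constructed rulesets:
#   broken_ruleset | check_ruleset   # unsafe
#   fixed_ruleset  | check_ruleset   # ok
```

The check is deliberately conservative: a ruleset that rejects INVALID packets instead of dropping them is also reported as unsafe, because a REJECT there produces exactly the RST or ICMP error that the thread describes.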


