Connection problems on large high speed connections.

Jozsef Kadlecsik kadlec at
Wed Apr 27 15:58:45 CEST 2005

On Wed, 27 Apr 2005, Stian B. Barmen wrote:

> > Then there were packets flagged as INVALID by conntrack, which are of
> > course not matched by the states above. The reject line however matched
> > them and dutifully generated the RST segment, which tore down the
> > connection.
> But what is the reason for the difference in behaviour for -j REJECT vs
> -j REJECT --reject-with tcp-reset? Why does one kill the connection and
> not the other?

A "-j REJECT --reject-with tcp-reset" generates a TCP RST, which always
kills the connection. A "-j REJECT" generates an ICMP error message, which
- depending on the OS which receives the ICMP packet - might terminate a
TCP connection or might not. That is the very reason why "--reject-with
tcp-reset" is required.

Best regards,
E-mail  : kadlec at, kadlec at
PGP key :
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
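
Added example, not part of the original message: a small audit of iptables-save output for the ordering discussed in this thread, where INVALID packets fall through to a "-j REJECT --reject-with tcp-reset" rule. The function name and both sample rulesets are constructed for illustration, and dropping INVALID ahead of the REJECT rule is the assumed remedy.

```shell
#!/bin/sh
# Report every "-j REJECT --reject-with tcp-reset" rule that appears in a
# chain before any rule DROPping conntrack state INVALID. In that ordering an
# INVALID segment of a live connection reaches the REJECT rule and the
# generated RST tears the connection down.
# Heuristic: reads rules in order per chain; does not follow jumps to
# user-defined chains or weigh other match options on the DROP rule.
audit_reject_order() {
    awk '
        $1 == "-A" {
            chain = $2
            if ($0 ~ /--(ct)?state [A-Z,]*INVALID/ && $0 !~ /! --(ct)?state/ && $0 ~ /-j DROP/)
                shielded[chain] = 1      # later rules never see INVALID packets
            else if ($0 ~ /-j REJECT/ && $0 ~ /--reject-with tcp-reset/ && !shielded[chain]) {
                print chain ": " $0
                bad = 1
            }
        }
        END { exit bad + 0 }             # exit status 1 if anything was reported
    '
}

# Constructed sample: INVALID packets can reach the tcp-reset rule.
ruleset_unshielded() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Constructed sample: INVALID is dropped first; TCP gets an RST, the rest ICMP.
ruleset_shielded() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}
```

On a live host the same check would be run as root with "iptables-save | audit_reject_order".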
