bugzilla-daemon at netfilter.org
2013-Jun-20 18:12 UTC
[Bug 696] Extra tcp options for REJECT --reject-with tcp-reset-both / tcp-reset-destination
https://bugzilla.netfilter.org/show_bug.cgi?id=696

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com

--- Comment #2 from Phil Oester <netfilter at linuxace.com> 2013-06-20 20:12:15 CEST ---

Could you explain the use case for this? The only thing I can think of is that you want to reset an existing connection. But that would mean that you have to put this REJECT rule before any RELATED/ESTABLISHED conntrack ctstate match rules (which is suboptimal).

And if you really want to reset an existing connection with a tcp reset, you need to track the sequence number of the remote side so you can craft a reset packet which isn't simply ignored by the client due to an out-of-range sequence (ack).

So overall, it is difficult to understand the motivation for this request. And even more difficult would be actually implementing it.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
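The point in the comment above, that a reset aimed at an established connection is ignored unless its sequence number lines up with what the peer expects, can be shown with a small model of the receiver's RST check. The following is an added example written for this page; it is not netfilter code and not Phil Oester's. It implements the RST validation rule from RFC 5961 section 3.2 (exact match on RCV.NXT resets, merely in-window elicits a challenge ACK, out of window is dropped) and two helpers that compute, from one observed segment, the sequence number a firewall would have to put in a RST toward each endpoint. The segment values, window size and function names are constructed for the illustration.

```c
/*
 * Added example (not netfilter code): why a REJECT that targets an
 * *established* connection has to know the peer's sequence state.
 *
 * A TCP endpoint that receives a RST validates SEG.SEQ against its
 * receive window. Under RFC 5961 (section 3.2) a RST is honoured only
 * when SEG.SEQ == RCV.NXT; a RST that is merely inside the window
 * elicits a challenge ACK, and one outside the window is dropped.
 * So a RST built without tracking the flow is ignored by the target.
 */
#include <stdint.h>
#include <stdio.h>

enum rst_verdict { RST_DROP = 0, RST_CHALLENGE_ACK = 1, RST_ACCEPT = 2 };

/* a < b in 32-bit wrapping sequence space (same comparison the kernel's before() uses). */
static int seq_before(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) < 0;
}

/* Receiver-side RST validation as RFC 5961 describes it.
 * rcv_nxt / rcv_wnd are the receiver's RCV.NXT and RCV.WND. */
enum rst_verdict classify_rst(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t rst_seq)
{
    if (rst_seq == rcv_nxt)
        return RST_ACCEPT;            /* exact match: connection is reset */
    if (!seq_before(rst_seq, rcv_nxt) && seq_before(rst_seq, rcv_nxt + rcv_wnd))
        return RST_CHALLENGE_ACK;     /* in window but not exact: challenge ACK, no reset */
    return RST_DROP;                  /* out of window: silently dropped */
}

/* Sequence number for a RST aimed at the *sender* of an observed segment.
 * The sender's RCV.NXT is the ACK number it just put on the wire, so this
 * can be derived from the packet in hand (no flow state needed).
 * Only meaningful when the ACK flag is set. */
uint32_t rst_seq_toward_sender(uint32_t seg_ack, int ack_flag)
{
    return ack_flag ? seg_ack : 0;    /* no ACK (e.g. a bare SYN): nothing to anchor on */
}

/* Sequence number for a RST aimed at the *destination* of the observed segment.
 * The destination's RCV.NXT becomes SEG.SEQ + payload length (+1 for SYN and FIN,
 * which each consume a sequence number) once it has consumed that segment.
 * A firewall only knows this if it tracks the flow and assumes no loss or
 * reordering between itself and the destination. */
uint32_t rst_seq_toward_destination(uint32_t seg_seq, uint32_t payload_len,
                                    int syn_flag, int fin_flag)
{
    return seg_seq + payload_len + (syn_flag ? 1u : 0u) + (fin_flag ? 1u : 0u);
}

static const char *verdict_name(enum rst_verdict v)
{
    switch (v) {
    case RST_ACCEPT:        return "accepted (connection reset)";
    case RST_CHALLENGE_ACK: return "challenge ACK (not reset)";
    default:                return "dropped";
    }
}

int main(void)
{
    /* Constructed segment seen mid-flow, client -> server:
     * SEQ=5000, ACK=1001, 100 bytes of payload, ACK flag set. */
    uint32_t seg_seq = 5000, seg_ack = 1001, seg_len = 100;

    /* Client state implied by that segment: it expects 1001 next from the
     * server and (constructed for the example) advertises a 65535-byte window. */
    uint32_t client_rcv_nxt = 1001, client_rcv_wnd = 65535;

    uint32_t blind = 0;                                   /* RST crafted without flow state */
    uint32_t tracked = rst_seq_toward_sender(seg_ack, 1); /* RST derived from the segment */

    printf("RST to client with SEQ=%u: %s\n", blind,
           verdict_name(classify_rst(client_rcv_nxt, client_rcv_wnd, blind)));
    printf("RST to client with SEQ=%u: %s\n", tracked,
           verdict_name(classify_rst(client_rcv_nxt, client_rcv_wnd, tracked)));
    printf("RST to server would need SEQ=%u (requires tracking the flow)\n",
           rst_seq_toward_destination(seg_seq, seg_len, 0, 0));
    return 0;
}
```

Run as written, the blind RST (SEQ=0) is dropped by the client while the one built from the observed ACK number is accepted; resetting the server side needs the opposite direction's state, which is exactly the per-flow tracking the comment says the REJECT target does not have.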