On 28.05.20 at 19:14, Laura Garcia Liebana wrote:
> REJECT statement can be only used in INPUT, FORWARD and OUTPUT
> chains. This patch adds support of REJECT, both icmp and tcp
> reset, at PREROUTING stage.
>
> The need for this patch comes from the requirement of some
> forwarding devices to reject traffic before the natting and
> routing decisions.

on the other hand you shoot yourself in the foot if you REJECT in response to "ctstate INVALID", which is much better placed in "-t mangle PREROUTING", because the reject to an out-of-order re-transmit will kill your connections

in the worst case you even send ICMP responses back to a forged source