On Fri, May 29, 2020 at 10:47 AM Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
> On 28.05.20 at 19:14, Laura Garcia Liebana wrote:
> > The REJECT statement can only be used in the INPUT, FORWARD and OUTPUT
> > chains. This patch adds support for REJECT, both icmp and tcp
> > reset, at the PREROUTING stage.
> >
> > The need for this patch comes from the requirement of some
> > forwarding devices to reject traffic before the natting and
> > routing decisions.
>
> on the other hand you shoot yourself in the foot if you REJECT in
> response to "ctstate INVALID", which is a much better place in "-t mangle
> PREROUTING", because the reject of an out-of-order re-transmit will kill
> your connections
>
> in the worst case you even send ICMP responses back to a forged source

The main use case is to be able to send a graceful termination to legitimate clients when, under any circumstances, the NATed endpoints are not available. This option allows clients to decide either to perform a reconnection or to manage the error on their side, instead of just dropping the connection and letting them die due to timeout.

Thanks for your comments.
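As an added example, not part of the patch or of this thread, an nftables ruleset in the spirit of the use case above: a prerouting filter chain that runs before dstnat rejects connections to a currently unavailable NATed service with a TCP reset (or an ICMP error for UDP), while invalid packets are still dropped rather than rejected, per the caveat about "ctstate INVALID". It assumes a kernel and nft that accept the reject statement in a prerouting chain, which is what the patch proposes; the addresses and ports are constructed.

```nft
# Added example; not from the patch or the thread. Assumes a kernel and
# nft userspace that accept "reject" in a prerouting chain.
table ip fw {
    # Filter hook at raw priority (-300), ahead of dstnat (-100), so the
    # reject happens before the NAT and routing decisions.
    chain pre {
        type filter hook prerouting priority -300; policy accept;

        # Never reject invalid or out-of-order packets here: a reset or an
        # ICMP error would tear down a live connection, and could be sent
        # to a forged source address. Drop them instead.
        ct state invalid drop

        # Constructed values: 192.0.2.10 is the public VIP of a backend pool
        # that is currently unavailable. Tell legitimate clients explicitly
        # so they can reconnect or handle the error instead of timing out.
        ip daddr 192.0.2.10 tcp dport 443 reject with tcp reset
        ip daddr 192.0.2.10 udp dport 443 reject with icmp type port-unreachable
    }

    chain dnat {
        type nat hook prerouting priority -100; policy accept;
        # Normal DNAT to a backend that is available (constructed address).
        ip daddr 192.0.2.10 tcp dport 80 dnat to 10.0.0.10
    }
}
```

Load with `nft -f` on a kernel that supports the feature; on an older kernel the reject rules in the prerouting chain will be refused at load time.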