Re: Best way to kill a live TCP connection?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

Alessandro Vesely a écrit :
> On 11/Jan/11 15:41, Jan Engelhardt wrote:
>> On Tuesday 2011-01-11 13:35, Alessandro Vesely wrote:
>> 
>>> In particular, if it is possible/convenient to design an RST injector
>>> and how to attach it to iptables?
>> 
>> If you use a ruleset that emits RST for NEW connections that are picked 
>> up rather than SYN-new,
>>
>> -m conntrack --ctstate NEW -p tcp ! --syn --dport 22 -j REJECT 
>> --reject-with tcp-reset
>> 
>> .. makes it possible to RST-kill connections using `conntrack -D`.
> 
> That's the most elegant method I've seen thus far.  Thanks a lot!

However this sends only one RST to one side of the connection, leaving
the connection half-open - until the other side sends a packet and gets
a RST too. IMO it would be more elegant to send RSTs to boths sides of
the connection.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux