On 11/Jan/11 23:31, Jan Engelhardt wrote:
> On Tuesday 2011-01-11 22:10, Grant Taylor wrote:
>> On 01/11/11 11:39, Pascal Hambourg wrote:
>>> However this sends only one RST to one side of the connection,
>>> leaving the connection half-open - until the other side sends a
>>> packet and gets a RST too. IMO it would be more elegant to send RSTs
>>> to both sides of the connection.
>>
>> Wouldn't it be possible to send the packet to user space and have something else
>> send the reset packets to both ends? I.e. use IPTables to match the packets
>> and have a user space daemon act on what IPTables matched.
>
> Well, you could augment ipt_REJECT to send two packets. It does not have
> to just send one.

Besides practical issues about augmenting modules, RST will never be as clean as FIN. I mean, aborting will still be different from cleanly shutting down. This particular difference, the minimal-cost tarpit that results from sending RST to the local end only, may even have its merits.