public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Send a TCP RST packet, rather than an ICMP port-unreachable packet,

Browse Source 
for (apparently) open TCP connections that connection tracking 
  doesn't know about.  This prevents TCP connections to this machine
  from hanging in CLOSE_WAIT for a long time.

svn path=/nixos/trunk/; revision=26802
This commit is contained in:
Eelco Dolstra 2011-04-12 11:25:57 +00:00
parent 22a4047b1b
commit e9b2ebcb99
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
modules/services/networking/firewall.nix
View File

@ -147,7 +147,15 @@ in
ip46tables -A FW_REFUSE -j LOG --log-level info --log-prefix "rejected packet: " ip46tables -A FW_REFUSE -j LOG --log-level info --log-prefix "rejected packet: "
''} ''}
ip46tables -A FW_REFUSE -j ${if cfg.rejectPackets then "REJECT" else "DROP"} ${if cfg.rejectPackets then ''
# Send a reset for existing TCP connections that we've
# somehow forgotten about. Send ICMP "port unreachable"
# for everything else.
ip46tables -A FW_REFUSE -p tcp ! --syn -j REJECT --reject-with tcp-reset
ip46tables -A FW_REFUSE -j REJECT
'' else ''
ip46tables -A FW_REFUSE -j DROP
''}
# Accept all traffic on the loopback interface. # Accept all traffic on the loopback interface.