path: root/extensions/libip6t_REJECT.man
author    Jan Engelhardt <jengelh@inai.de>  2020-06-03 15:36:04 +0200
committer Pablo Neira Ayuso <pablo@netfilter.org>  2020-06-08 00:30:09 +0200
commit    63291783a1a264b0d44606442f38435a5ac362c6 (patch)
tree      bf51688621491cc19afa76531d50d23872a06340 /extensions/libip6t_REJECT.man
parent    14ac250946289e280fb09ef978a45042871275b0 (diff)
doc: document danger of applying REJECT to INVALID CTs
Signed-off-by: Jan Engelhardt <jengelh@inai.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'extensions/libip6t_REJECT.man')
-rw-r--r--  extensions/libip6t_REJECT.man  20
1 file changed, 20 insertions, 0 deletions
diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man
index 0030a51f..3c42768e 100644
--- a/extensions/libip6t_REJECT.man
+++ b/extensions/libip6t_REJECT.man
@@ -30,3 +30,23 @@ TCP RST packet to be sent back. This is mainly useful for blocking
hosts (which won't accept your mail otherwise).
\fBtcp\-reset\fP
can only be used with kernel versions 2.6.14 or later.
+.PP
+\fIWarning:\fP You should not indiscriminately apply the REJECT target to
+packets whose connection state is classified as INVALID; instead, you should
+only DROP these.
+.PP
+Consider a source host transmitting a packet P, with P experiencing so much
+delay along its path that the source host issues a retransmission, P_2, with
+P_2 being successful in reaching its destination and advancing the connection
+state normally. It is conceivable that the late-arriving P may be considered
+not to be associated with any connection tracking entry. Generating a reject
+response for a packet so classed would then terminate the healthy connection.
+.PP
+So, instead of:
+.PP
+-A INPUT ... -j REJECT
+.PP
+do consider using:
+.PP
+-A INPUT ... -m conntrack --ctstate INVALID -j DROP
+-A INPUT ... -j REJECT
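Review bot: The two rule lines at the end of the hunk (`-A INPUT ... -m conntrack --ctstate INVALID -j DROP` followed by `-A INPUT ... -j REJECT`) sit in troff fill mode under `.PP`, so the formatter will join them into one output line and the rendered man page loses the rule ordering the paragraph depends on (the DROP rule must come before the REJECT rule). Wrap each example in `.nf` / `.fi` (or separate the two rules with `.br`) so every rule stays on its own line; doing the same for the single `-A INPUT ... -j REJECT` example above keeps both snippets consistent.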