REJECT patch


From kadlec@blackhole.kfki.hu Mon Sep 17 10:00:20 2001
Date: Mon, 28 Feb 2000 15:45:54 +0100 (CET)
From: Jozsef Kadlecsik 
To: Rusty Russell 
Subject: Re: [PATCH] netfilter-0.1.16 

Hello Rusty,

On Fri, 18 Feb 2000, Jozsef Kadlecsik wrote:

> > > 1. REJECT: different reject packets can be selected:
> > > 
> > > 	- ICMP net, host, proto or port unreachable 
> > > 	  (just for the sake of completeness :-)
> > > 	- TCP RST for TCP
> > > 	- faked echo reply for echo request
> > 
> > 	This is cool.  Any chance of:
> > 1) Only allowing tcp-reset for rules off the INPUT hook 
> >   (otherwise Alexey will kill me 8-)
> 
> In my opinion, it is useless then. The whole point of the patch
> is actually the faked TCP RST: if someone wants not to drop but reject
> a connection, then the only way to tell - successfully - to the sender 
> to shut up is to send back a faked TCP RST. According to my simple test,
> Windows 98/NT, AIX, IRIX, OSF ignore the ICMP port unreachable packets,
> so for those clients the default ICMP reject packets are sent back in
> vain. Not everyone is RFC compliant.
> 
> Strange that no one complained against the feature to fake echo
> reply packets :-).
> 
> > 2) Porting to 0.90 (shouldn't be too hard).

The attached patch is against 0.90.2. Sorry, I had no time to do it
earlier as I promised. I had to play with some webmail solution to ease my
boss and the users and I hadn't planned this extra work.

> > > 2. state: simple protection against SYN flooding
> > > 
> > >    After the server sent SYN-ACK, an ACK packet coming from the client 
> > >    can be faked, thus protecting the server against SYN flood attempts.
> > 
> > This seems really weird.  Better TCP state tracking is on my TODO
> > list (i.e. window and sequence number tracking), but...
> 
> I know: it's a dirty hack, probably doesn't deserve to live. However
> it was sooo easy to implement based on the routines for the TCP RST :-).

OK, in this patch I left out this questionable feature.
netfilter-0.90.2.patch.bz2
netfilter-0.90.2-kernel.patch
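The tcp-reset reply discussed above, as an added example (my code, not the code from the attached patch): given a constructed incoming IPv4/TCP segment, it builds the RST a REJECT rule would answer with, following the RFC 793 reset-generation rules, and verifies both checksums in memory without sending anything. The struct names, the sample addresses (10.0.0.2:40000 to 10.0.0.1:22) and the sequence numbers are assumptions.

```c
/* Added example: build the TCP RST that a REJECT "tcp-reset" target sends
 * back, per RFC 793 reset rules. Headers are built in memory; nothing is sent. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
enum { FL_FIN = 0x01, FL_SYN = 0x02, FL_RST = 0x04, FL_ACK = 0x10 };
struct ip4 { uint8_t vhl, tos; uint16_t len, id, frag; uint8_t ttl, proto; uint16_t csum; uint32_t saddr, daddr; };
struct tcp { uint16_t sport, dport; uint32_t seq, ack; uint8_t off, flags; uint16_t win, csum, urp; };
struct reply { int sent; uint32_t seq, ack; uint8_t flags; int csum_ok; };
static uint32_t sum16(const void *p, size_t n, uint32_t s) {   /* sum big-endian 16-bit words */
    const uint8_t *b = p;
    for (size_t i = 0; i + 1 < n; i += 2) s += (uint32_t)(b[i] << 8 | b[i + 1]);
    return n & 1 ? s + ((uint32_t)b[n - 1] << 8) : s;
}
static uint16_t fold(uint32_t s) {                             /* ones'-complement result */
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
static uint16_t tcp_csum(const struct ip4 *ip, const struct tcp *t) {
    uint32_t s = sum16(&ip->saddr, 8, 0) + ip->proto + (uint32_t)sizeof *t; /* pseudo-header */
    return fold(sum16(t, sizeof *t, s));                       /* 0 when t->csum is valid */
}
/* Fill *rip/*rst with the reset for the segment in ip/in; returns 0 if nothing is sent. */
int build_tcp_reset(const struct ip4 *ip, const struct tcp *in, size_t datalen,
                    struct ip4 *rip, struct tcp *rst) {
    if (in->flags & FL_RST) return 0;                          /* never answer a RST with a RST */
    memset(rst, 0, sizeof *rst); rst->off = 5 << 4;            /* 20-byte header, no options */
    rst->sport = in->dport; rst->dport = in->sport;            /* swap ports */
    if (in->flags & FL_ACK) {                                  /* seq = their ack, RST only */
        rst->seq = in->ack; rst->flags = FL_RST;
    } else {                                                   /* ack everything they sent */
        uint32_t seglen = datalen + !!(in->flags & FL_SYN) + !!(in->flags & FL_FIN);
        rst->ack = htonl(ntohl(in->seq) + seglen); rst->flags = FL_RST | FL_ACK;
    }
    *rip = *ip; rip->saddr = ip->daddr; rip->daddr = ip->saddr; /* swap hosts */
    rip->len = htons(40); rip->id = 0; rip->frag = htons(0x4000); rip->ttl = 64;
    rip->csum = 0; rip->csum = htons(fold(sum16(rip, sizeof *rip, 0)));
    rst->csum = htons(tcp_csum(rip, rst));
    return 1;
}
/* Constructed sample: 10.0.0.2:40000 -> 10.0.0.1:22, seq 1000, ack 5000, no data. */
struct reply reject_sample(uint8_t in_flags) {
    struct ip4 ip = { 0x45, 0, htons(40), 0, 0, 64, 6, 0, htonl(0x0a000002), htonl(0x0a000001) }, rip;
    struct tcp in = { htons(40000), htons(22), htonl(1000), htonl(5000), 5 << 4, in_flags, htons(8192), 0, 0 }, rst;
    struct reply r = { 0 };
    if (!(r.sent = build_tcp_reset(&ip, &in, 0, &rip, &rst))) return r;
    r.seq = ntohl(rst.seq); r.ack = ntohl(rst.ack); r.flags = rst.flags;
    r.csum_ok = tcp_csum(&rip, &rst) == 0 && fold(sum16(&rip, sizeof rip, 0)) == 0;
    return r;
}
```

A bare SYN gets a RST|ACK acknowledging seq+1, a segment carrying ACK gets a plain RST with seq taken from its ack field, and an incoming RST gets no reply at all.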