authorEelco Dolstra <eelco.dolstra@logicblox.com>2011-04-12 11:25:57 +0000
committerEelco Dolstra <eelco.dolstra@logicblox.com>2011-04-12 11:25:57 +0000
commite9b2ebcb9920cc86b018f85c2de4adab26b7b27d (patch)
treed6956b8755026c95d1b9ec564fab511c5c66413b /modules/services/networking/firewall.nix
parent22a4047b1b4ca46603d02e6caace768ee00b5e19 (diff)
* Send a TCP RST packet, rather than an ICMP port-unreachable packet,
  for (apparently) open TCP connections that connection tracking 
  doesn't know about.  This prevents TCP connections to this machine
  from hanging in CLOSE_WAIT for a long time.

svn path=/nixos/trunk/; revision=26802
Diffstat (limited to 'modules/services/networking/firewall.nix')
-rw-r--r--modules/services/networking/firewall.nix10
1 files changed, 9 insertions, 1 deletions
diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index a8dd253d70b..50790ba3135 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -147,7 +147,15 @@ in
               ip46tables -A FW_REFUSE -j LOG --log-level info --log-prefix "rejected packet: "
             ''}
 
-            ip46tables -A FW_REFUSE -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
+            ${if cfg.rejectPackets then ''
+              # Send a reset for existing TCP connections that we've
+              # somehow forgotten about.  Send ICMP "port unreachable"
+              # for everything else.
+              ip46tables -A FW_REFUSE -p tcp ! --syn -j REJECT --reject-with tcp-reset
+              ip46tables -A FW_REFUSE -j REJECT
+            '' else ''
+              ip46tables -A FW_REFUSE -j DROP
+            ''}
 
 
             # Accept all traffic on the loopback interface.
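Review bot: The comment added above the tcp-reset rule describes the match more narrowly than `-p tcp ! --syn` actually is: that rule fires for every TCP packet reaching FW_REFUSE that is not a bare SYN, which includes stray or crafted packets with only ACK/FIN/RST set, not just leftovers of connections conntrack has lost, and all of them now get a TCP RST instead of the previous ICMP reply. The comment should say so, e.g. `# Reply with a TCP RST to any non-SYN TCP packet that reaches this chain (mostly connections conntrack has lost, but also stray ACK/FIN probes); everything else gets the default REJECT reply.` The "ICMP port unreachable" wording also only holds for the iptables half of ip46tables; the ip6tables default for `-j REJECT` is icmp6-port-unreachable, so "the default ICMP/ICMPv6 port-unreachable" would be more accurate. The Nix expression and shell snippet this hunk sits in start and end outside the hunk, so whether anything earlier in FW_REFUSE already filters by conntrack state cannot be confirmed from here.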