From e9b2ebcb9920cc86b018f85c2de4adab26b7b27d Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 12 Apr 2011 11:25:57 +0000
Subject: [PATCH] * Send a TCP RST packet, rather than an ICMP port-unreachable packet, for (apparently) open TCP connections that connection tracking doesn't know about. This prevents TCP connections to this machine from hanging in CLOSE_WAIT for a long time.

svn path=/nixos/trunk/; revision=26802
---
 modules/services/networking/firewall.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/modules/services/networking/firewall.nix b/modules/services/networking/firewall.nix
index a8dd253d70b8..50790ba3135a 100644
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@@ -147,7 +147,15 @@ in
 ip46tables -A FW_REFUSE -j LOG --log-level info --log-prefix "rejected packet: "
 ''}
 
-ip46tables -A FW_REFUSE -j ${if cfg.rejectPackets then "REJECT" else "DROP"}
+${if cfg.rejectPackets then ''
+# Send a reset for existing TCP connections that we've
+# somehow forgotten about. Send ICMP "port unreachable"
+# for everything else.
+ip46tables -A FW_REFUSE -p tcp ! --syn -j REJECT --reject-with tcp-reset
+ip46tables -A FW_REFUSE -j REJECT
+'' else ''
+ip46tables -A FW_REFUSE -j DROP
+''}
 
 # Accept all traffic on the loopback interface.