Re: Dynamic IP hack (PR#294)

Erik Corry (erik@arbat.com)
Mon, 19 Oct 1998 10:07:06 +0200


In article <m0zV2YI-0007UDC@the-village.bc.nu> Alan wrote:

> 2. Killing connections on a drop. This potentially violates the RFC
> check rules on time wait unless you are very careful. Also tell me
> why it can't be done in user space by turning /proc/net/ into a set
> of temporary 'reject' filter rules

Because once the PPP has been reestablished with a new
source address, the packets generated by the 'reject' rules
go to the old source address, i.e. they go to the ISP and keep
the connection up.

If Andi can get his solution so it

1) Works with masquerading
2) Works with SYN_SENT (perhaps by keeping the old dyn_addr already
in 2.1)
3) Gets into 2.1 at this late stage

then that's fine. Otherwise I would suggest RST-provoking as
a solution that's been tested by 1000s of ISDN/diald users on
2.0 and works, even though it is ugly.

--
Erik Corry erik@arbat.com           Ceterum censeo, Microsoftem esse delendam!
