As we discussed on email, this adds support for sending an RST in response to packets from the guest which don't match an existing flow and are neither SYN (requesting a new connection) nor themselves RST.

This is a slightly larger patch than I'd like, but I can't really see a way to simplify it without making fairly extensive reworks to share more code with paths for RST where there is a known connection. That would end up being more churn.

This doesn't (IMO) correctly handle IPv6 flow labels. Fixing that raises several additional issues regarding flow labels, so I've decided to defer that for now.

v2:
 * Assorted cosmetic fixups
 * Use correct IPv6 flow label for packets
 * This required two preliminary patches
 * tcp_rst_no_conn() is now static

David Gibson (3):
  ip: Helpers to access IPv6 flow label
  tap: Consider IPv6 flow label when building packet sequences
  tcp: Send RST in response to guest packets that match no connection

 ip.h  | 24 ++++++++++++++++++
 tap.c | 25 ++++++++++---------
 tap.h |  6 +++++
 tcp.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 tcp.h |  2 +-
 5 files changed, 118 insertions(+), 17 deletions(-)

-- 
2.48.1