From: "sina" <wanglonge@vip.sina.com>
To: <netfilter-devel@lists.netfilter.org>
Subject: how to flush conntrack entry?
Date: Fri, 31 Oct 2003 14:07:12 +0800
Message-ID: <003201c39f75$3e40a5c0$0200200a@wangle>

hello
       I ran into the problem described here and wondered if someone knows of
a solution:

       +----------+
       |  SNAT    |
private|--------> |(eth1: public ip)
  ip   +----------+

1) set up masquerading
(iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE)

and ping continuously from private to public. all ok.

2) flush the NAT

iptables -t nat -F

(ping will stop working, obviously, but I don't kill the ping process;
it just keeps sending echo requests and gets no reply)

3) put back NAT:
(iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE)

!!! ping does not come back !!!

4) I have to stop the pings and 

5) restart them to make it work.

Looking at the ip_conntrack proc entry, it was noticed that:

after flushing (step 2) an UNREPLIED entry for icmp is there
(no reply hence unreplied) but its ttl does not decrement.
(ping echos are still hitting the nat box from private side)

Stopping the ping (step 4) allows the ttl timer of the conntrack entry
to start decrementing (30 sec).

Restarting the pings (I don't have to wait till the ttl goes to zero ?!?)
(step 5), but now with NAT back on (step 3), I don't get the icmp entry in
conntrack, but all is ok (pings go through).

Question is: is there a way to achieve this (looks like starting to
decrement that ttl or resetting it to zero in conntrack) on the NAT
box without having to stop the pings on the host side?

thanks,
marian
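The message asks how to get rid of the stale [UNREPLIED] icmp entry on the NAT box without stopping the ping. As an added example, not part of the original message or of any reply in this thread: a small POSIX shell script that parses lines in the /proc/net/ip_conntrack format the poster was reading, lists the [UNREPLIED] entries for a given protocol, and generates the matching conntrack(8) deletion command for each one. The conntrack tool comes from conntrack-tools, which postdates this 2003 thread; the sample table, the addresses and the function names are constructed for the example and are not from the poster's box.

```shell
#!/bin/sh
# Constructed sample of /proc/net/ip_conntrack (2.4/2.6-era format), not
# captured from the poster's box: the stale ICMP entry left behind by the
# ping that kept running after the NAT rule was flushed, a healthy TCP
# flow, and an unreplied UDP lookup.
SAMPLE_CONNTRACK='icmp     1 29 src=10.0.0.2 dst=192.0.2.10 type=8 code=0 id=4660 [UNREPLIED] src=192.0.2.10 dst=10.0.0.2 type=0 code=0 id=4660 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.3 dst=192.0.2.20 sport=40000 dport=80 src=192.0.2.20 dst=203.0.113.5 sport=80 dport=40000 [ASSURED] use=1
udp     17 29 src=10.0.0.4 dst=192.0.2.53 sport=5353 dport=53 [UNREPLIED] src=192.0.2.53 dst=10.0.0.4 sport=53 dport=5353 use=1'

# Read conntrack text on stdin and print "proto src dst" for every
# [UNREPLIED] entry. An optional first argument restricts the output to
# one protocol name (the first column of each line). Only the first
# src=/dst= pair is used: that is the original direction, which is what
# conntrack(8) matches with -s/-d.
unreplied_entries() {
    proto_filter="${1:-}"
    awk -v want="$proto_filter" '
        /\[UNREPLIED\]/ {
            if (want != "" && $1 != want) next
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/) src = substr($i, 5)
                if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            }
            print $1, src, dst
        }'
}

# Build one "conntrack -D" command per stale entry of the given protocol
# (default icmp). With DRY_RUN=1 (the default) the commands are only
# printed; with DRY_RUN=0 they are executed, which needs root and the
# conntrack-tools package. -p/-s/-d select by original protocol, source
# and destination, so only the stuck flow is deleted, not the whole table.
flush_unreplied() {
    proto="${1:-icmp}"
    unreplied_entries "$proto" |
    while read -r p s d; do
        cmd="conntrack -D -p $p -s $s -d $d"
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            $cmd
        fi
    done
}

# Dry run over the constructed sample: prints the command that would be
# issued for the stale ICMP entry.
printf '%s\n' "$SAMPLE_CONNTRACK" | flush_unreplied icmp
```

On a real box the same functions read the live table: `flush_unreplied icmp < /proc/net/ip_conntrack` (or /proc/net/nf_conntrack on newer kernels, whose lines carry an extra leading address-family column, so the awk filter on `$1` would need adjusting). Deleting the entry while the ping is still running means the next echo request creates a fresh conntrack entry, which now passes the restored POSTROUTING rule and gets NATed; `conntrack -F` would achieve the same for the whole table but also drops every established flow on the box.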

Thread overview:
2003-10-31  6:07 sina [this message]
2003-11-03  7:43 ` how to flush conntrack entry? Harald Welte
2003-11-25 15:30   ` Herve Eychenne
2003-11-25 20:50     ` Harald Welte