* how to flush conntrack entry?
From: sina @ 2003-10-31  6:07 UTC (permalink / raw)
  To: netfilter-devel

hello
       I ran into the problem described here and I wondered if someone knows of
a solution:

       +----------+
       |  SNAT    |
private|--------> |(eth1: public ip)
  ip   +----------+

1) setup masquerading
(iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE)

and ping continuously from private to public. all ok.

2) flush the NAT

iptables -t nat -F

(ping will stop working obviously but I don't kill the ping process,
just keep sending echo, no reply)

3) put back nat:
(iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE)

!!! ping does not come back !!!

4) I have to stop the pings and 

5) restart them to make it work.

looking at the ip_conntrack proc entry it was noticed that:

after flushing (step 2) an UNREPLIED entry for icmp is there
(no reply hence unreplied) but its ttl does not decrement.
(ping echos are still hitting the nat box from private side)

stopping the ping (step 4) allows the ttl timer of the conntrack entry
to start decrementing (30 sec)

restarting the pings (I don't have to wait till ttl goes to zero ?!?)
(step 5) but now with nat back on (step 3) I don't get the icmp entry in
conntrack but all is ok (pings go through).

question is: is there a way to achieve this (looks like start
decrementing that ttl or resetting it to zero in conntrack) in the nat
box without having to stop the pings on the host side ?

thanks,
marian
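The symptom marian describes is visible in /proc/net/ip_conntrack: an icmp entry marked [UNREPLIED] whose timeout stays put between two readings. The following is an added diagnostic, not code from the thread: it parses two snapshots of that file (the line layout is assumed from the 2.4-era ip_conntrack output, and the sample lines below are constructed with documentation addresses) and reports the UNREPLIED entries whose timeout did not decrement between them.

```python
import re

# Constructed sample /proc/net/ip_conntrack snapshots (assumed 2.4-era layout):
# <proto> <protonum> <timeout> <orig tuple> [UNREPLIED] <reply tuple> use=N
SNAP_BEFORE = """\
icmp     1 29 src=10.0.0.2 dst=198.51.100.1 type=8 code=0 id=512 [UNREPLIED] src=198.51.100.1 dst=10.0.0.2 type=0 code=0 id=512 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.3 dst=198.51.100.2 sport=40000 dport=22 src=198.51.100.2 dst=203.0.113.1 sport=22 dport=40000 [ASSURED] use=1
"""
# Second reading a few seconds later: the tcp timeout moved, the icmp one did not.
SNAP_AFTER = """\
icmp     1 29 src=10.0.0.2 dst=198.51.100.1 type=8 code=0 id=512 [UNREPLIED] src=198.51.100.1 dst=10.0.0.2 type=0 code=0 id=512 use=1
tcp      6 431994 ESTABLISHED src=10.0.0.3 dst=198.51.100.2 sport=40000 dport=22 src=198.51.100.2 dst=203.0.113.1 sport=22 dport=40000 [ASSURED] use=1
"""

LINE_RE = re.compile(r"^(?P<proto>\S+)\s+(?P<num>\d+)\s+(?P<timeout>\d+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text):
    """Map (proto, original-direction tuple) -> (timeout, is_unreplied)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        # The original tuple runs from the first src= up to the second src=
        # (the reply tuple); ports or icmp type/code/id ride along with it.
        orig, src_seen = [], 0
        for key, val in KV_RE.findall(rest):
            if key == "src":
                src_seen += 1
                if src_seen == 2:
                    break
            if src_seen == 1:
                orig.append(f"{key}={val}")
        entries[(m.group("proto"), " ".join(orig))] = (int(m.group("timeout")),
                                                       "[UNREPLIED]" in rest)
    return entries


def stuck_unreplied(before, after):
    """UNREPLIED entries present in both snapshots whose timeout did not go down."""
    b, a = parse_conntrack(before), parse_conntrack(after)
    return sorted(k for k in a
                  if k in b and a[k][1] and b[k][1] and a[k][0] >= b[k][0])


if __name__ == "__main__":
    for proto, tup in stuck_unreplied(SNAP_BEFORE, SNAP_AFTER):
        print(f"stuck UNREPLIED {proto} entry: {tup}")
```

On a live box the two snapshots would be two reads of /proc/net/ip_conntrack a few seconds apart; an entry listed here is one that new packets keep touching without ever seeing a reply.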


* Re: how to flush conntrack entry?
From: Harald Welte @ 2003-11-03  7:43 UTC (permalink / raw)
  To: sina; +Cc: netfilter-devel

On Fri, Oct 31, 2003 at 02:07:12PM +0800, sina wrote:
> hello
> I ran into the problem described here and I wondered if someone knows of
> a solution:
> 
>        +----------+
>        |  SNAT    |
> private|--------> |(eth1: public ip)
>   ip   +----------+
> 
> 1) setup masquerading
> (iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE)
> 
> and ping continuously from private to public. all ok.
> 
> 2) flush the NAT
> 
> iptables -t nat -F
> 
> (ping will stop working obviously but I don't kill the ping process,
> just keep sending echo, no reply)

It will not stop working 'obviously'.  It will just stop working because
you were using MASQUERADE, and MASQUERADE [still] has the policy of
flushing all conntrack/nat entries associated with the IP address of the
outgoing interface.  If you were using SNAT, it would continue to work.

> looking at the ip_conntrack proc entry it was noticed that:
> 
> after flushing (step 2) an UNREPLIED entry for icmp is there
> (no reply hence unreplied) but its ttl does not decrement.
> (ping echos are still hitting the nat box from private side)

Yes, that is true.

> question is: is there a way to achieve this (looks like start
> decrementing that ttl or resetting it to zero in conntrack) in the nat
> box without having to stop the pings on the host side ?

You can reload ip_conntrack.o at the time when you re-initialize your
nat table ruleset.

> thanks,
> marian

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


* Re: how to flush conntrack entry?
From: Herve Eychenne @ 2003-11-25 15:30 UTC (permalink / raw)
  To: Harald Welte, sina, netfilter-devel

On Mon, Nov 03, 2003 at 08:43:43AM +0100, Harald Welte wrote:

 Hi,

> It will not stop working 'obviously'.  It will just stop working because
> you were using MASQUERADE, and MASQUERADE [still] has the policy of
> flushing all conntrack/nat entries associated with the IP address of the
> outgoing interface.  If you were using SNAT, it would continue to work.

By the way, Rusty has written a bit of code during the workshop that
enables MASQUERADE not to flush current connections if the interface
address didn't change after the interface has come up again.
What is the status regarding its inclusion into the vanilla kernel?

 Herve

-- 
 _
(°=  Hervé Eychenne
//)
v_/_ WallFire project:  http://www.wallfire.org/


* Re: how to flush conntrack entry?
From: Harald Welte @ 2003-11-25 20:50 UTC (permalink / raw)
  To: Herve Eychenne; +Cc: sina, netfilter-devel

On Tue, Nov 25, 2003 at 04:30:43PM +0100, Herve Eychenne wrote:
> On Mon, Nov 03, 2003 at 08:43:43AM +0100, Harald Welte wrote:
> 
>  Hi,
> 
> > It will not stop working 'obviously'.  It will just stop working because
> > you were using MASQUERADE, and MASQUERADE [still] has the policy of
> > flushing all conntrack/nat entries associated with the IP address of the
> > outgoing interface.  If you were using SNAT, it would continue to work.
> 
> By the way, Rusty has written a bit of code during the workshop that
> enables MASQUERADE not to flush current connections if the interface
> address didn't change after the interface has come up again.
> What is the status regarding its inclusion into the vanilla kernel?

This piece of code is actually in patch-o-matic in 'pending'.  Since
no one has reported any problems, it's likely to get submitted for 2.4.24
and 2.6.1.

>  Herve
