Caching of rules in PRE(POST)ROUTING chains?

Caching of rules in PRE(POST)ROUTING chains?

[Pavel V. Yanchenko]

Hello.

As far as I understand, rules in PRE- and POSTROUTING chains are
cached? Because when I delete a rule with SNAT target for ip
192.168.10.10 this address's packets are still SNATed for several
minutes. The same thing happens for rules in PREROUTING chains.
Is it possible to disable this feature? Maybe there is some file in
/proc where cached rules are listed?

Thanks in advance.

-- 
Best regards,
 Pavel                          mailto:balrog@msmu.eu.org

Re: Caching of rules in PRE(POST)ROUTING chains?

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 854 bytes --]

On Sat, 2003-11-15 at 10:07, Pavel V. Yanchenko wrote:
> Hello.
> 
> As far as I understand, rules in PRE- and POSTROUTING chains are
> cached? Because when I delete a rule with SNAT target for ip
> 192.168.10.10 this address's packets are still SNATed for several
> minutes. The same thing happens for rules in PREROUTING chains.
Isn't it the connection tracking table that's cached and NOT the rules?
Active connections need to timeout first.

> Is it possible to disable this feature? Maybe there is some file in
> /proc where cached rules are listed?
> 
> Thanks in advance.
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: Caching of rules in PRE(POST)ROUTING chains?

[Antony Stone]

On Saturday 15 November 2003 8:07 am, Pavel V. Yanchenko wrote:

> Hello.
>
> As far as I understand, rules in PRE- and POSTROUTING chains are
> cached? Because when I delete a rule with SNAT target for ip
> 192.168.10.10 this address's packets are still SNATed for several
> minutes. The same thing happens for rules in PREROUTING chains.
> Is it possible to disable this feature? Maybe there is some file in
> /proc where cached rules are listed?

No, there is no caching of rules in netfilter; however, packets which are 
part of an ESTABLISHED connection will continue to be processed without 
reference to the rules in PRE/POSTROUTING because of the connection tracking 
table entry - onlt the first packets of connections ever go through the 
explicit rules in these tables - all following packets are automagically 
processed behind the scenes.

This is the effect you are seeing, I'm sure.

Antony.

-- 

Christianity tells you to work hard today for little or no reward, and 
tomorrow you will die and awake in paradise.

Marxism says work hard today for little or no reward; tomorrow you will die 
and your children will awake in paradise.

 - Len Deighton, Billion Dollar Brain
                                                     Please reply to the list;
                                                           please don't CC me.