Conntrack table editing utility

Conntrack table editing utility

[ianabel]

Hi,

I've had a request to develop/find a utility that can selectively remove entries
from the conntrack table on linux 2.4. So if you changed where a tcp port dnats
to in iptables you could vape any existing conntrack entry relating to it and
any future packets will go to the new dnat target.

I'm mailing the list to find out if

a) Theres a blatant reason why this is a BAD THING to be thinking about doing.
b) See if a utility already exists

Thanks in advance for any help,
Yours,

Ian Abel

Re: Conntrack table editing utility

[/dev/rob0]

ianabel@mxtelecom.com wrote:
> a) Theres a blatant reason why this is a BAD THING to be thinking about doing.
> b) See if a utility already exists

I don't know, but I'd sure like such a utility. Would a better approach 
be to hack the kernel such that you could use echo/cat commands on the 
table?
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header

Re: Conntrack table editing utility

[Philip Prudich]

[-- Attachment #1: Type: text/plain, Size: 459 bytes --]


> b) See if a utility already exists

While not a finished "utility," you probably want to look into the
nfnetlink_conntrack patch for implementation. It provides the "delete 
conntrack entry X" functionality, among other things.  I had success using 
this with a fedora core 1 release, 2.4.22 kernel (for doing a similar sort of 
thing as you're working on).  The nfnetlink_conntrack patch I used was version 
0.13.  

Hope this helps.
phil



[-- Attachment #2: Type: application/pgp-signature, Size: 185 bytes --]

Re: Conntrack table editing utility

[srg]

there is a file (don't remember the name) under /proc that have all 
contrack entries

/dev/rob0 wrote:

> ianabel@mxtelecom.com wrote:
>
>> a) Theres a blatant reason why this is a BAD THING to be thinking 
>> about doing.
>> b) See if a utility already exists
>
>
> I don't know, but I'd sure like such a utility. Would a better 
> approach be to hack the kernel such that you could use echo/cat 
> commands on the table?

Re: Conntrack table editing utility

[Ray Van Dolson]

On Tue, Aug 02, 2005 at 09:54:48AM +0200, Jörg Harmuth wrote:
> srg schrieb:
> > there is a file (don't remember the name) under /proc that have all
> > contrack entries
> 
> /proc/net/ip_conntrack

This is fine and all for viewing, but what is being requested is a utility to
"edit" (arbitrarily remove) ip_conntrack entries.   Situations arrive when I'd
like to expire a cached conntrack entry sooner.  There's a way to do this with
TCP connections, but not UDP or other protocols as far as I can tell.

This would be really handy!

Ray