From: Philip Craig <philipc@snapgear.com>
To: marian stagarescu <marian@ti.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: how to flush ip conntrack entries ?
Date: Mon, 14 Oct 2002 10:59:04 +1000
Message-ID: <3DAA16D8.8070201@snapgear.com>
In-Reply-To: 1034200544.30113.140.camel@gt4rvnd11.telogy.design.ti.com
marian stagarescu wrote:
> looking at the ip_conntrack proc entry it was noticed that:
>
> after flushing (step 2) an UNREPLIED entry for icmp is there
> (no reply hence unreplied) but its ttl does not decrement.
> (ping echoes are still hitting the nat box from the private side)
Normally icmp conntrack entries are deleted as soon as there
is a reply. Once you remove the MASQ rule though, there is no
reply, so the conntrack stays around. Any subsequent packets
from the same ping process will match this conntrack, and thus
be NATed exactly the same way. Adding the MASQ rule back in
does not affect the existing conntrack.
> stopping the ping (step 4) allows the ttl timer of the conntrack entry
> to start decrementing (30 sec)
The timer doesn't seem to decrement while the ping is still
going because the ping packets are matching the conntrack and
refreshing the timer back to 30 seconds. Stop the ping and the
timer is no longer refreshed.
> restarting the pings (I don't have to wait till ttl goes to zero ?!?)
> (step 5) but now with nat back on (step 3) I don't get the icmp entry in
> conntrack but all is ok (pings go through).
When you start a new ping process, the ping packets have a new
id, and so they don't match the old conntrack. A new conntrack
is created, and the new MASQ rule is used to masquerade them
correctly. You get a ping reply now, and so the conntrack is
immediately deleted, which is why you don't see it.
> question is: is there a way to achieve this (looks like start
> decrementing that ttl or resetting it to zero in conntrack) in the nat
> box without having to stop the pings on the host side ?
You can flush conntrack entries for masqueraded connections
by doing either a down/up or ip addr add/del on the associated
interface. This probably won't help you in this case though
because the problem conntrack is not masqueraded. I don't
know of any other ways of flushing conntracks.
Regards
--
Philip Craig Software Engineer http://www.SnapGear.com
philipc@snapgear.com Ph: +61 7 3435 2821 Fx: +61 7 3891 3630
SnapGear - Custom Embedded Solutions and Security Appliances
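The behaviour Philip describes (an UNREPLIED icmp entry that never counts down while the ping keeps refreshing it, and that is not itself NATed) can be checked from two snapshots of /proc/net/ip_conntrack. The script below is an added example, not code from the thread or from netfilter: the parser follows the 2.4-era /proc/net/ip_conntrack line format, the two snapshots and all addresses and ICMP ids are constructed, and the helper names (parse_conntrack, is_nated, refreshed_entries, matches_ping) are the example's own.

```python
"""Inspect /proc/net/ip_conntrack snapshots for entries that are not
timing out because traffic keeps refreshing them.

Added example with constructed data; helper names are hypothetical.
"""
from dataclasses import dataclass

# Constructed sample snapshots in the 2.4-era /proc/net/ip_conntrack format:
# proto, proto number, seconds left, original tuple, [UNREPLIED], reply
# tuple, [ASSURED], use count.  The icmp line models the thread's case: a
# ping from the private host whose echo-replies never come back, so the
# reply tuple is just the original tuple mirrored (no NAT applied).
SNAPSHOT_T0 = """\
icmp     1 30 src=192.168.1.10 dst=10.0.0.1 type=8 code=0 id=4321 [UNREPLIED] src=10.0.0.1 dst=192.168.1.10 type=0 code=0 id=4321 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.2 sport=33000 dport=22 src=10.0.0.2 dst=203.0.113.5 sport=22 dport=33000 [ASSURED] use=1
"""
# The same table ten seconds later: the tcp entry has counted down, while
# the unreplied icmp entry is back at 30 because each new echo-request
# matched it and reset its timer.
SNAPSHOT_T1 = """\
icmp     1 30 src=192.168.1.10 dst=10.0.0.1 type=8 code=0 id=4321 [UNREPLIED] src=10.0.0.1 dst=192.168.1.10 type=0 code=0 id=4321 use=1
tcp      6 431989 ESTABLISHED src=192.168.1.10 dst=10.0.0.2 sport=33000 dport=22 src=10.0.0.2 dst=203.0.113.5 sport=22 dport=33000 [ASSURED] use=1
"""


@dataclass
class Entry:
    proto: str
    timeout: int
    orig: dict           # original-direction tuple (src, dst, id or ports, ...)
    reply: dict          # reply-direction tuple the kernel expects to see
    unreplied: bool = False
    assured: bool = False

    def key(self):
        # A conntrack is identified by its protocol and original tuple.
        return (self.proto, tuple(sorted(self.orig.items())))


def parse_conntrack(text):
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4:
            continue
        e = Entry(proto=toks[0], timeout=int(toks[2]), orig={}, reply={})
        side = e.orig
        for tok in toks[3:]:
            if tok == "[UNREPLIED]":
                e.unreplied = True
            elif tok == "[ASSURED]":
                e.assured = True
            elif "=" in tok:
                k, v = tok.split("=", 1)
                if k == "use":
                    continue
                if k == "src" and "src" in side:
                    side = e.reply      # second src= opens the reply tuple
                side[k] = v
            # any other token (tcp state such as ESTABLISHED) is ignored
        entries.append(e)
    return entries


def is_nated(e):
    # Without NAT the reply tuple is exactly the original tuple mirrored.
    return (e.reply.get("src") != e.orig.get("dst")
            or e.reply.get("dst") != e.orig.get("src"))


def refreshed_entries(before, after, elapsed, slack=2):
    """Entries whose timeout did not count down by roughly `elapsed`
    seconds between the snapshots, i.e. packets keep matching them."""
    old = {e.key(): e for e in before}
    hits = []
    for e in after:
        prev = old.get(e.key())
        if prev is not None and e.timeout > prev.timeout - elapsed + slack:
            hits.append(e)
    return hits


def matches_ping(e, src, dst, icmp_id):
    # A restarted ping process uses a new ICMP id, so it misses the old entry.
    return (e.proto == "icmp" and e.orig.get("src") == src
            and e.orig.get("dst") == dst and e.orig.get("id") == str(icmp_id))


if __name__ == "__main__":
    t0, t1 = parse_conntrack(SNAPSHOT_T0), parse_conntrack(SNAPSHOT_T1)
    for e in refreshed_entries(t0, t1, elapsed=10):
        state = "UNREPLIED" if e.unreplied else "replied"
        print(f"{e.proto} {e.orig} {state} nat={is_nated(e)} still at {e.timeout}s")
```

Running it reports only the icmp entry: still UNREPLIED, not NATed, and still at 30 seconds after ten seconds have passed, which is the symptom marian saw. On a live 2.4 box the same functions can be fed two reads of /proc/net/ip_conntrack a few seconds apart; the tcp line is there to show a normally ageing entry for contrast.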
Thread overview: 8+ messages
2002-10-09 20:11 "Proper" way to transparent proxy? Kevin White
2002-10-09 20:28 ` Peter Surda
2002-10-09 20:40 ` Patrick Schaaf
2002-10-09 21:55 ` how to flush ip conntrack entries ? marian stagarescu
2002-10-14 0:59 ` Philip Craig [this message]
2002-10-14 19:20 ` marian stagarescu
2002-10-14 19:24 ` marian stagarescu
2002-10-10 1:15 ` "Proper" way to transparent proxy? Kevin White