Re: how to clear the conntrack table!

Re: how to clear the conntrack table!

[Flavio Pescuma]

You could look into using the patch I send some day ago.  the you could
set all connection to unconfirmed, and then set you rule set so that al
unconfirmed packets pass the rule set


/flavio

On Sat, 2003-08-23 at 23:08, Harald Welte wrote:
> On Fri, Aug 15, 2003 at 05:13:05PM +0800, Decoy wrote:
> > Hi!
> > 
> > how can I clear the conntrack table?!
> 
> unfortunately there is currently no other way than to unload and reload the
> ip_conntrack module :(
> 
> > Thanks very much!
> > dec0y

how to clear the conntrack table!

[Decoy]

Hi!

how can I clear the conntrack table?!

Thanks very much!


dec0y

forlegend@163.net

Re: how to clear the conntrack table!

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 616 bytes --]

On Fri, Aug 15, 2003 at 05:13:05PM +0800, Decoy wrote:
> Hi!
> 
> how can I clear the conntrack table?!

unfortunately there is currently no other way than to unload and reload the
ip_conntrack module :(

> Thanks very much!
> dec0y

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: how to clear the conntrack table!

[Eicke Friedrich]

Harald Welte wrote:
> unfortunately there is currently no other way than to unload and
> reload the ip_conntrack module :(
I've tried this a couple of times. The module seems to get deleted
(lsmod still shows ip_conntrack but as deleted) but rmmod does NOT
finish. It grabs 100% CPU for minutes. I had to reboot the box then.
Any hints?

Regards,
Eicke.

Re: how to clear the conntrack table!

[Patrick McHardy]

In case your running an older kernel (before -pre9), try the latest -rc
kernel or submitted/70_ip-conntrack-expect-drop-refcnt-combined.patch
from patch-o-matic.

Bye,
Patrick

Eicke Friedrich wrote:

>
> Harald Welte wrote:
>
>> unfortunately there is currently no other way than to unload and
>> reload the ip_conntrack module :(
>
> I've tried this a couple of times. The module seems to get deleted
> (lsmod still shows ip_conntrack but as deleted) but rmmod does NOT
> finish. It grabs 100% CPU for minutes. I had to reboot the box then.
> Any hints?
>
> Regards,
> Eicke.

Where is conntrack in the iptables chain?

[Scott MacKay]

I was wondering, where in the iptables chain does
conntrack start?  In the segment of the chain, does it
ack before or after inserted rules (like QUEUE)?
Thanks in advance!

-Scott

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

Re: Where is conntrack in the iptables chain?

[Patrick Schaaf]

On Mon, Aug 25, 2003 at 04:11:12AM -0700, Scott MacKay wrote:
> I was wondering, where in the iptables chain does
> conntrack start?  In the segment of the chain, does it
> ack before or after inserted rules (like QUEUE)?

What do you mean with 'does it ack'? conntracking is not supposed
to pass verdicts on a packet, it's just looking up tracking information
for a passing packet.

That connection lookup happens before all other hooks, i.e. before a
packet enters iptables in the mangle table PREROUTING chain. Thus,
even rules in the prerouting chain can already use the tracking
information.

Does that answer your question?

best regards
  Patrick

Re: Where is conntrack in the iptables chain?

[Scott MacKay]

Lol, ack = act.  Only 1 cup of coffee this morning...


--- Patrick Schaaf <bof@bof.de> wrote:
<snip> 
> That connection lookup happens before all other
> hooks, i.e. before a
> packet enters iptables in the mangle table
> PREROUTING chain. Thus,
> even rules in the prerouting chain can already use
> the tracking
> information.
> 
> Does that answer your question?

Yup.  Are there any examples of how to manipulate
packets prior to conntrack, either as a loadable
module or via iptables?  I seem to recall a patch
which added raw tables that acted before anything else
but do not recall which rev of iptables it acted on...

-Scott

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

Re: Where is conntrack in the iptables chain?

[Patrick Schaaf]

> Yup.  Are there any examples of how to manipulate
> packets prior to conntrack, either as a loadable
> module or via iptables?  I seem to recall a patch
> which added raw tables that acted before anything else
> but do not recall which rev of iptables it acted on...

Hi again,

you want to look at the general netfilter hooks, and how their
priorities work. You can look at the iptables kernel source 
for inspiration, it's rather simple. In net/ipv4/netfilter,
grep for nf_register_hook, and look at the argument to
that function, usually a locally defined constant struct.
The conntrack hooking is in ip_conntrack_standalone.c.
Notice the NF_IP_PRI_CONNTRACK in the struct definition:
this is defined in include/linux/netfilter_ipv4.h, and
represents a numerical priority value; for each
hook that the core network stack runs, the hook
functions for all registered modules, are called
in numerically ascending priority order. Specifically,
NF_IP_PRI_CONNTRACK is the lowest, numerically -200,
so for your own hook, you'll need something even below
that value, e.g. -201.

all the best
  Patrick

Re: how to clear the conntrack table!

[Eicke Friedrich]

Hi again,

Patrick McHardy wrote:

> Eicke Friedrich wrote:
> 
>> Harald Welte wrote:
>> 
>>> unfortunately there is currently no other way than to unload 
>>> and reload the ip_conntrack module
>> 
>> 
>> 
>> I've tried this a couple of times. The module seems to get 
>> deleted (lsmod still shows ip_conntrack but as deleted) but rmmod
>>  does NOT finish. It grabs 100% CPU for minutes. I had to reboot 
>> the box then. Any hints?
> 
> In case your running an older kernel (before -pre9), try the latest
>  -rc kernel or
submitted/70_ip-conntrack-expect-drop-refcnt-combined.patch from
> patch-o-matic.


Not having time before I updated my box today to kernel version 2.4.22
from kernel.org. The system works still very well but I'm still not
able to unload the conntrack module. It's the same problem as I
described above using 2.4.21. So anyone there who knows an answer?
Thanks in advance.

Regards,
Eicke Friedrich

PS: Sorry Patrick for sending this message directly to you - I forgot
to change the receiver. :-(

My system:
Dual Athlon MP, 512 MB RAM
Following patches applied:
Enable NF on a bridge: ebtables-brnf-2_vs_2.4.22.diff
NETFILTER P-O-M:
Already applied: submitted/01_2.4.19
                  submitted/02_2.4.20
                  submitted/03_2.4.21
                  submitted/04_2.4.22
                  submitted/44_backport_ah_esp_fixes
                  submitted/45_masq_routing_check
                  submitted/54_ip_nat-macro-args
                  submitted/58-ip_conntrack-macro-args
                  submitted/60_nat_tftp-remove-warning
                  submitted/73_ipt_MASQUERADE-oif
                  submitted/74_nat-range-fix
                  submitted/75_REJECT_localpmtu-fix
                  submitted/76_snmp-checksum_h-fix
                  submitted/77_destroy-conntrack
                  submitted/78_nathelper-udp-csum
                  submitted/79_mangle_udp-sizecheck
                  submitted/80_ip_conntrack-proc
                  submitted/81_ipt_unclean-tcp-flag-table
                  submitted/83_nolocalout
                  submitted/84_local-nullbinding
                  submitted/86_getorigdst-tuple-zero
                  submitted/87_nat-helpers-u16
                  pending/59_ip_nat_h-unused-var
                  pending/61-remove-memsets
                  pending/64_masquerade-sameip-noflush
                  pending/69_amanda-helpers
                  pending/70_expect-evict-order
                  pending/72_recent_procfs_fix
                  base/connlimit
                  base/mport
                  base/quota
                  extra/CLASSIFY
                  extra/CONNMARK
                  extra/string