From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Josh Cepek <josh.cepek@usa.net>
Cc: levynoa@yahoo.com, netfilter@vger.kernel.org
Subject: Re: Dynamically adding rules - are connection tracking states maintained?
Date: Fri, 02 May 2008 03:10:28 +0200
Message-ID: <481A6A04.1010000@netfilter.org>
In-Reply-To: <481A47D3.6080201@usa.net>
Josh Cepek wrote:
> noa levy wrote:
>> Thank you again for your response. Suppose I do want to drop existing
>> connections, but I don't want to add the "drop" rule above the "allow
>> established" rule, for performance reasons. Does netfilter provide any
>> API for flushing the conntrack table (all of it or specific entries)?
>
> Not easily, and not without disrupting other active connections. If
> conntrack support is compiled in as modules you can unload and reload
> them, but this requires that no iptables rules reference the conntrack
> module (i.e., you must delete such rules first). Once unloaded, the
> kernel will forget the maintained state table, but this also has the
> side-effect of breaking any active sessions that were in an ESTABLISHED
> state when you deleted the rules and reset the state table.
>
> AFAIK there is no way to manually flush the conntrack state table or
> remove specific entries.
This is no longer true as we have the conntrack-tools.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
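The conntrack-tools route Pablo points to, as an added example that is not part of the thread: list the tracked flows whose original-direction source is a peer you have just blocked, then delete only those entries so the peer's next packet is classified NEW and hits the DROP rule without disturbing anyone else's state. The conntrack table lines are constructed for the demonstration; conntrack -L, -D -s and -F are the real conntrack(8) options.

```shell
#!/bin/sh
# Added example, not code from the thread. A DROP rule inserted below
# "-m state --state ESTABLISHED -j ACCEPT" does not affect sessions already in
# the conntrack table, because their packets keep matching ESTABLISHED.
# conntrack-tools can delete those entries; flushing everything (conntrack -F)
# has the same blast radius as unloading the modules.

# Constructed sample in "conntrack -L" format: the first src/dst/sport/dport
# group is the original direction, the second group is the reply direction.
SAMPLE_TABLE='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=53 src=198.51.100.5 dst=192.0.2.10 sport=53 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=198.51.100.5 sport=40001 dport=443 src=198.51.100.5 dst=203.0.113.7 sport=443 dport=40001 [ASSURED] mark=0 use=1'

# affected_flows IP: read a conntrack listing on stdin and print
# "proto orig-src:sport -> orig-dst:dport state" for every entry whose
# original-direction source is IP ("-" when the protocol has no state).
affected_flows() {
    awk -v ip="$1" '
    {
        split("", o); state = "-"
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^[A-Z_]+$/) { if (state == "-") state = $i; continue }
            n = split($i, kv, "=")
            # only the first src/dst/sport/dport seen is the original direction
            if (n == 2 && !(kv[1] in o)) o[kv[1]] = kv[2]
        }
        if (o["src"] == ip)
            printf "%s %s:%s -> %s:%s %s\n", $1, o["src"], o["sport"], o["dst"], o["dport"], state
    }'
}

# kill_flows IP: show what will be removed, then delete every conntrack entry
# whose original source is IP (needs root and conntrack-tools installed).
kill_flows() {
    conntrack -L 2>/dev/null | affected_flows "$1"
    conntrack -D -s "$1"
}

# Offline demonstration against the constructed table.
printf '%s\n' "$SAMPLE_TABLE" | affected_flows 192.0.2.10
```

The listing step is worth keeping in front of the delete: it is the audit record of which sessions the block actually terminated.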