From: Roman Fiedler <roman.fiedler@ait.ac.at>
To: netfilter@vger.kernel.org
Subject: Understanding conntrack: Delete and manual readd of same entry possible?
Date: Mon, 5 Oct 2009 09:55:20 +0200
Message-ID: <4AC9A668.3050009@ait.ac.at>

Hi list,

The failure to conduct a simple test with conntrack makes me believe 
that I misunderstood some part of the concept.

The test case:

* Create one forwarded TCP connection via the iptables firewall and leave it 
open
* Delete the conntrack entry of this connection
* Re-add the same conntrack entry with conntrack -I
* Verify that the old and new entries look the same (conntrack -L)
* Send one more byte over the still-open TCP connection

The expected result:
* The TCP flow continues without creating a new conntrack entry, using the 
one added manually
* ACCEPT via the ESTABLISHED rule because of the valid conntrack entry

The actual result:
* The conntrack code seems to believe that the packets do not belong to the 
conntrack entry
* The conntrack code does not create a new conntrack entry
* The conntrack code cannot update the conntrack entry even when the packet is accepted.

Can someone enlighten me as to whether manual entry creation is possible?

Thanks, Roman
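The delete-and-re-add step of the test case above, as an added shell example that is not part of Roman's post: it rebuilds the `conntrack -I` argument list (both tuples, state, timeout and ASSURED status) from one line of `conntrack -L` output, so the re-added entry can be compared against the original one. The `conntrack -L` line layout and the sample addresses are constructed; the option names follow conntrack(8) from conntrack-tools and are assumed to match the installed version.

```shell
#!/bin/sh
# Added example, not code from the original post.  Turns one line of
# `conntrack -L` output into the argument list for `conntrack -I`, so an
# entry can be deleted and re-added with the same tuples, state and timeout
# (option names follow conntrack(8); the line format is an assumption).

# Constructed sample line in the shape of `conntrack -L` output.
SAMPLE_ENTRY='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.20 sport=43210 dport=22 src=198.51.100.20 dst=192.0.2.10 sport=22 dport=43210 [ASSURED] mark=0 use=1'

# Print the `conntrack -I` arguments that recreate the entry given in $1.
# Assumed field layout: proto protonum timeout [state] then key=value pairs;
# the first src/dst/sport/dport set is the original tuple, the second set
# is the reply tuple, and [ASSURED] maps to `-u ASSURED`.
conntrack_insert_args() {
    printf '%s\n' "$1" | awk '{
        proto = $1; timeout = $3; state = ""; assured = 0; n = 0
        for (i = 4; i <= NF; i++) {
            f = $i
            if (i == 4 && f !~ /=/)    { state = f; continue }  # tcp has a state column, udp does not
            if (f ~ /^src=/)           { n++; src[n] = substr(f, 5) }
            else if (f ~ /^dst=/)      { dst[n] = substr(f, 5) }
            else if (f ~ /^sport=/)    { sport[n] = substr(f, 7) }
            else if (f ~ /^dport=/)    { dport[n] = substr(f, 7) }
            else if (f == "[ASSURED]") { assured = 1 }
        }
        out = "-p " proto " -s " src[1] " -d " dst[1] " --sport " sport[1] " --dport " dport[1]
        out = out " -r " src[2] " -q " dst[2] " --reply-port-src " sport[2] " --reply-port-dst " dport[2]
        if (state != "") out = out " --state " state
        out = out " -t " timeout
        if (assured) out = out " -u ASSURED"
        print out
    }'
}

# Delete the entry described by $1 and re-add it unchanged.  Needs root and
# conntrack-tools; it is defined here but never called, so the script itself
# runs anywhere.  The first ten words of the argument list
# (-p/-s/-d/--sport/--dport) identify the entry for `conntrack -D`.
readd_entry() {
    set -- $(conntrack_insert_args "$1")
    conntrack -D "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "${10}" || return 1
    conntrack -I "$@"
}

# Show what would be re-added for the sample entry.
conntrack_insert_args "$SAMPLE_ENTRY"
```

Run `conntrack -L` once before and once after `readd_entry`, and diff the two lines for the connection to confirm that only the `use=` counter differs.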
