facing problem with iptables nat rules and traffic flow scnerios

facing problem with iptables nat rules and traffic flow scnerios

[rahul shrivastava]

I am using iptables for nat
kernel version is 2.6.35+
working on powerpc target

case 1) traffic is already flowing and we apply a rule, that rule will
become effective only when we stop traffic and start again.

case 2) traffic is already flowing and we delete a rule, this rule
will still be effective unless we stop and start traffic again.

observation: /proc/net/ip_conntrack file is updated only after stoping
and starting traffic again.


These two are the limitations i am facing. Is there a way to overcome
these limitations. Please reply

Thanks and Regards,
Rahul Shrivastava

Re: facing problem with iptables nat rules and traffic flow scnerios

[Andrew Beverley]

[ Please use the netfilter not netfilter-devel list for this sort of
question ]

On Thu, 2012-05-03 at 14:25 +0530, rahul shrivastava wrote:
> I am using iptables for nat
> kernel version is 2.6.35+
> working on powerpc target
> 
> case 1) traffic is already flowing and we apply a rule, that rule will
> become effective only when we stop traffic and start again.
> 
> case 2) traffic is already flowing and we delete a rule, this rule
> will still be effective unless we stop and start traffic again.
> 
> observation: /proc/net/ip_conntrack file is updated only after stoping
> and starting traffic again.

Depending what you are doing, this shouldn't happen. How are you
applying the rules? Directly with iptables commands? If so, what are the
commands? For some rules, such as port redirection, I have found that
the conntrack cache needs to be cleared.

Andy