nf-ct-list and nf-exp-delete

netfilter.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* nf-ct-list and nf-exp-delete
@ 2025-10-07  9:15 imnozi
  2025-10-07 11:10 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: imnozi @ 2025-10-07  9:15 UTC (permalink / raw)
  To: netfilter

[iptables v1.8.7; old, but it's what I have.]

Why does 'nf-exp-delete -i [id]' *not* remove remove some conntrack entries even after being told to remove them multiple times? It deletes most entries for my purposes (if condition is met, delete conntrack entry and block the IP using ipset). Blocked IPs are DROPped on internet side, and RESET and REJECTed on the internal side. But from time to time, I see ESTABLISHED conns that don't get (can't be) deleted.

Thanks,
Neal

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: nf-ct-list and nf-exp-delete
  2025-10-07  9:15 nf-ct-list and nf-exp-delete imnozi
@ 2025-10-07 11:10 ` Pablo Neira Ayuso
  2025-10-07 22:45   ` imnozi
  0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2025-10-07 11:10 UTC (permalink / raw)
  To: imnozi; +Cc: netfilter

On Tue, Oct 07, 2025 at 05:15:08AM -0400, imnozi@gmail.com wrote:
> [iptables v1.8.7; old, but it's what I have.]
> 
> Why does 'nf-exp-delete -i [id]' *not* remove remove some conntrack entries even after being told to remove them multiple times? It deletes most entries for my purposes (if condition is met, delete conntrack entry and block the IP using ipset). Blocked IPs are DROPped on internet side, and RESET and REJECTed on the internal side. But from time to time, I see ESTABLISHED conns that don't get (can't be) deleted.

nf-exp-delete -i [id] ????

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: nf-ct-list and nf-exp-delete
  2025-10-07 11:10 ` Pablo Neira Ayuso
@ 2025-10-07 22:45   ` imnozi
  2025-10-08 11:50     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: imnozi @ 2025-10-07 22:45 UTC (permalink / raw)
  Cc: netfilter

On Tue, 7 Oct 2025 13:10:46 +0200
Pablo Neira Ayuso <pablo@netfilter.org> wrote:

> On Tue, Oct 07, 2025 at 05:15:08AM -0400, imnozi@gmail.com wrote:
> > [iptables v1.8.7; old, but it's what I have.]
> > 
> > Why does 'nf-exp-delete -i [id]' *not* remove remove some conntrack entries even after being told to remove them multiple times? It deletes most entries for my purposes (if condition is met, delete conntrack entry and block the IP using ipset). Blocked IPs are DROPped on internet side, and RESET and REJECTed on the internal side. But from time to time, I see ESTABLISHED conns that don't get (can't be) deleted.
> 
> nf-exp-delete -i [id] ????

Given:
----
# nf-ct-list --tcp-state=ESTABLISHED --reply-src=10.X.X.2 -f details
tcp ESTABLISHED 188.132.249.148:57992 -> 204.111.X.X:443 10.X.X.2:443 <- 188.132.249.148:57992 mark 17488 
    id 0xf016f3da family inet refcnt 1 timeout 10m 17s <ASSURED,DNAT>
----

then:
----
nf-exp-delete -i 0xf016f3da
----
usually removes that entry from conntrack. In my experience, some entries are not, and cannot be, removed without drastic measures that would interrupt firewall operations.

N

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: nf-ct-list and nf-exp-delete
  2025-10-07 22:45   ` imnozi
@ 2025-10-08 11:50     ` Pablo Neira Ayuso
  2025-10-08 21:01       ` imnozi
  0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2025-10-08 11:50 UTC (permalink / raw)
  To: imnozi; +Cc: netfilter

On Tue, Oct 07, 2025 at 06:45:31PM -0400, imnozi@gmail.com wrote:
> On Tue, 7 Oct 2025 13:10:46 +0200
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> 
> > On Tue, Oct 07, 2025 at 05:15:08AM -0400, imnozi@gmail.com wrote:
> > > [iptables v1.8.7; old, but it's what I have.]
> > > 
> > > Why does 'nf-exp-delete -i [id]' *not* remove remove some conntrack entries even after being told to remove them multiple times? It deletes most entries for my purposes (if condition is met, delete conntrack entry and block the IP using ipset). Blocked IPs are DROPped on internet side, and RESET and REJECTed on the internal side. But from time to time, I see ESTABLISHED conns that don't get (can't be) deleted.
> > 
> > nf-exp-delete -i [id] ????
> 
> Given:
> ----
> # nf-ct-list --tcp-state=ESTABLISHED --reply-src=10.X.X.2 -f details
> tcp ESTABLISHED 188.132.249.148:57992 -> 204.111.X.X:443 10.X.X.2:443 <- 188.132.249.148:57992 mark 17488 
>     id 0xf016f3da family inet refcnt 1 timeout 10m 17s <ASSURED,DNAT>
> ----
> 
> then:
> ----
> nf-exp-delete -i 0xf016f3da
> ----
> usually removes that entry from conntrack. In my experience, some entries are not, and cannot be, removed without drastic measures that would interrupt firewall operations.

Where are these tools in the git netfilter.org repository ?

And how does this relate to iptables v1.8.7 as you claim ?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: nf-ct-list and nf-exp-delete
  2025-10-08 11:50     ` Pablo Neira Ayuso
@ 2025-10-08 21:01       ` imnozi
  0 siblings, 0 replies; 5+ messages in thread
From: imnozi @ 2025-10-08 21:01 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, netfilter

On Wed, 8 Oct 2025 13:50:18 +0200
Pablo Neira Ayuso <pablo@netfilter.org> wrote:

> On Tue, Oct 07, 2025 at 06:45:31PM -0400, imnozi@gmail.com wrote:
> > On Tue, 7 Oct 2025 13:10:46 +0200
> > Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >   
> > > On Tue, Oct 07, 2025 at 05:15:08AM -0400, imnozi@gmail.com wrote:  
> > > > [iptables v1.8.7; old, but it's what I have.]
> > > > 
> > > > Why does 'nf-exp-delete -i [id]' *not* remove remove some conntrack entries even after being told to remove them multiple times? It deletes most entries for my purposes (if condition is met, delete conntrack entry and block the IP using ipset). Blocked IPs are DROPped on internet side, and RESET and REJECTed on the internal side. But from time to time, I see ESTABLISHED conns that don't get (can't be) deleted.  
> > > 
> > > nf-exp-delete -i [id] ????  
> > 
> > Given:
> > ----
> > # nf-ct-list --tcp-state=ESTABLISHED --reply-src=10.X.X.2 -f details
> > tcp ESTABLISHED 188.132.249.148:57992 -> 204.111.X.X:443 10.X.X.2:443 <- 188.132.249.148:57992 mark 17488 
> >     id 0xf016f3da family inet refcnt 1 timeout 10m 17s <ASSURED,DNAT>
> > ----
> > 
> > then:
> > ----
> > nf-exp-delete -i 0xf016f3da
> > ----
> > usually removes that entry from conntrack. In my experience, some entries are not, and cannot be, removed without drastic measures that would interrupt firewall operations.  
> 
> Where are these tools in the git netfilter.org repository ?
> 
> And how does this relate to iptables v1.8.7 as you claim ?

Sorry. My mistake. They are from the libnl package.

Please disregard.

N

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2025-10-08 21:01 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-10-07  9:15 nf-ct-list and nf-exp-delete imnozi
2025-10-07 11:10 ` Pablo Neira Ayuso
2025-10-07 22:45   ` imnozi
2025-10-08 11:50     ` Pablo Neira Ayuso
2025-10-08 21:01       ` imnozi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).