From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Josh Cepek <josh.cepek@usa.net>
Cc: levynoa@yahoo.com, netfilter@vger.kernel.org
Subject: Re: Dynamically adding rules - are connection tracking states maintained?
Date: Fri, 02 May 2008 03:10:28 +0200
Message-ID: <481A6A04.1010000@netfilter.org>
In-Reply-To: <481A47D3.6080201@usa.net>
Josh Cepek wrote:
> noa levy wrote:
>> Thank you again for your response. Suppose I do want to drop existing
>> connections, but I don't want to add the "drop" rule above the "allow
>> established" rule, for performance reasons. Does netfilter provide any
>> API for flushing the conntrack table (all of it or specific entries)?
>
> Not easily, and not without disrupting other active connections. If
> conntrack support is compiled in as modules you can unload and reload
> them, but this requires that no iptables rules reference the conntrack
> module (i.e. you must delete such rules first). Once unloaded, the
> kernel will forget the maintained state table, but this also has the
> side-effect of breaking any active sessions that were in an ESTABLISHED
> state when you deleted the rules and reset the state table.
>
> AFAIK there is no way to manually flush the conntrack state table or
> remove specific entries.
This is no longer true as we have the conntrack-tools.
--
"Los honestos son inadaptados sociales" -- Les Luthiers
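An added example, not code from this thread or from the conntrack-tools project: a small POSIX shell script that uses the conntrack(8) command shipped with conntrack-tools to remove only one host's tracked flows after a DROP rule for that host has been appended below the "allow ESTABLISHED" rule, so the rule takes effect without unloading nf_conntrack or touching other sessions. The script name drop_flows.sh and the address 203.0.113.5 are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Once a DROP rule for one host sits
# *below* the ESTABLISHED/RELATED accept rule, that host's existing flows
# still match conntrack state. Deleting just that host's entries with
# conntrack(8) from conntrack-tools ends those flows; nothing else is reset.
# Assumes conntrack-tools is installed and the script runs as root.

# Return the number of conntrack entries whose original direction has SRC as
# source or destination. conntrack -L prints its summary line on stderr,
# so stdout holds exactly one line per entry.
count_tracked_flows() {
    src="$1"
    n1=$(conntrack -L -s "$src" 2>/dev/null | wc -l)
    n2=$(conntrack -L -d "$src" 2>/dev/null | wc -l)
    echo $((n1 + n2))
}

# Delete the host's entries in both directions and return how many existed
# beforehand, so the operator sees what the new rule will cut off.
drop_tracked_flows() {
    src="$1"
    command -v conntrack >/dev/null 2>&1 || {
        echo "conntrack-tools is not installed" >&2
        return 2
    }
    before=$(count_tracked_flows "$src")
    # -D deletes matching entries; -s/-d select by original-direction address
    conntrack -D -s "$src" >/dev/null 2>&1 || true
    conntrack -D -d "$src" >/dev/null 2>&1 || true
    echo "$before"
}

# Usage: drop_flows.sh 203.0.113.5   (run right after inserting the DROP rule)
if [ $# -eq 1 ]; then
    drop_tracked_flows "$1"
fi
```

The count printed is the number of entries removed; `conntrack -L` afterwards should show no flows for that address.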