From: "Tsachi Sharfman"
Subject: Deleting Connection Tracking information
Date: Mon, 8 Jul 2002 14:31:26 +0200
To: netfilter@lists.samba.org, netfilter-devel@lists.samba.org

Hi,

I would like to add a NAT rule on a gateway while connections are passing through it, and have the rule apply to existing connections. I understand this is not the behavior when the rule is simply added to the NAT table, since netfilter consults the NAT table only for the first packet of the connection. I assume that if I can delete connection tracking information on the gateway, once a packet belonging to an existing connection passes through the gateway netfilter will regard it as a new connection (since there is no connection tracking information for it), and apply the new NAT rules to that existing connection. My questions are:

1. Is my assumption correct?
2. If the answer to the first question is yes, how can I delete connection tracking information?

Thanks,
Tsachi Sharfman.

From: Antony Stone
Subject: Re: Deleting Connection Tracking information
Date: Tue, 9 Jul 2002 00:50:51 +0100
Message-ID: <20020708235054.PKTV16050.mta01-svc.ntlworld.com@there>
In-Reply-To: <20020708233153.GB30970@aaricia.hemmet.chalmers.se>
To: netfilter

On Tuesday 09 July 2002 12:31 am, Joakim Axelsson wrote:
> 2002-07-08 12:43:01+0100, Antony Stone ->
> > If you are talking about TCP, then I do not believe this assumption is
> > valid, because only the very first packet of a connection contains the
> > SYN flag, and only the second packet contains the SYN/ACK, which are the
> > first two steps of the TCP three-way handshake. Without those the
> > connection tracking system won't set up an ESTABLISHED connection, and
> > the automatic NAT rules won't apply.
>
> That is not true. I suggest reading some old mails in the archive and
> documents. Conntrack's state of NEW is NOT the same thing as a TCP with
> SYN-flag. The FIRST packet it sees in a flow is marked state NEW.

Okay, let's think about this a little further...

Suppose I have two netfilter boxes sitting side by side with identical rules on them, including NAT, identical addresses on the interfaces (suppose for the time being I've arranged to have identical MACs on the ethernet cards as well) and identical routing tables.

One box is plugged into my network, client on one side, server on the other - the other netfilter box is switched on but disconnected from the network.

After a bit of traffic has flowed, the netfilter box has some conntracking table entries, and the client and server have an established connection (or maybe several).

Suddenly I decide to pull out the network cables from netfilter box 1 and connect them to netfilter box 2 instead.

Are you saying that the first packet to flow between the client and server through this second netfilter machine, which has no connection tracking table on it yet, will cause a NEW entry to be placed in the connection tracking table, and that the reply packet will cause that entry to become ESTABLISHED, and that the NAT rules will work ?

Even though both of these packets are just mid-connection ACK packets with no SYN flags in them ?

If this is true, what stops us having high-availability automatic-failover netfilter machines ?

Antony.

From: Ramin Alidousti
Subject: Re: Deleting Connection Tracking information
Date: Mon, 8 Jul 2002 20:44:29 -0400
Message-ID: <20020709004429.GA25300@cannon.eng.us.uu.net>
In-Reply-To: <20020708235054.PKTV16050.mta01-svc.ntlworld.com@there>
To: Antony Stone
Cc: netfilter

On Tue, Jul 09, 2002 at 12:50:51AM +0100, Antony Stone wrote:
> > That is not true. I suggest reading some old mails in the archive and
> > documents. Conntrack's state of NEW is NOT the same thing as a TCP with
> > SYN-flag. The FIRST packet it sees in a flow is marked state NEW.
>
> Okay, let's think about this a little further...
>
> Suppose I have two netfilter boxes sitting side by side with identical rules
> on them, including NAT, identical addresses on the interfaces (suppose for
> the time being I've arranged to have identical MACs on the ethernet cards as
> well) and identical routing tables.
>
> One box is plugged into my network, client on one side, server on the other -
> the other netfilter box is switched on but disconnected from the network.

It doesn't have to. You can connect both and run vrrpd.

> After a bit of traffic has flowed, the netfilter box has some conntracking
> table entries, and the client and server have an established connection (or
> maybe several).
>
> Suddenly I decide to pull out the network cables from netfilter box 1 and
> connect them to netfilter box 2 instead.
>
> Are you saying that the first packet to flow between the client and server
> through this second netfilter machine, which has no connection tracking table
> on it yet, will cause a NEW entry to be placed in the connection tracking
> table, and that the reply packet will cause that entry to become ESTABLISHED,
> and that the NAT rules will work ?

Yes.

> Even though both of these packets are just mid-connection ACK packets with no
> SYN flags in them ?

Yes.

> If this is true, what stops us having high-availability automatic-failover
> netfilter machines ?

1) Just think about the case where the NEW packet arrives in the wrong direction.
2) What happens to the helper information gathered by the first one?
3) What happens to the information you had from many other modules like ipt_recent...
4) ...

Ramin
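Antony's failover scenario and Ramin's first objection (the NEW packet arriving in the wrong direction), worked through as an added example. This is a toy model written for this thread, not netfilter code: it assumes loose TCP pickup (any packet with no conntrack entry creates a NEW entry, as Joakim describes), a single SNAT rule on the client subnet, and constructed documentation addresses (10.0.0.5, 203.0.113.10, 198.51.100.1); helpers, timeouts and TCP window tracking are left out.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Tuple5 = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

# Constructed example addresses (documentation ranges), not from the thread.
CLIENT, CLIENT_PORT = "10.0.0.5", 40000
SERVER, SERVER_PORT = "203.0.113.10", 80
GW_EXT = "198.51.100.1"      # address the gateway SNATs clients to
SNAT_PREFIX = "10.0.0."      # stands in for an "-s 10.0.0.0/24" SNAT match


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def tuple5(self) -> Tuple5:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def invert(t: Tuple5) -> Tuple5:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


@dataclass
class ConnEntry:
    original: Tuple5                  # first packet seen, pre-NAT
    reply: Tuple5                     # what a reply must look like, post-NAT
    state: str                        # "NEW" until a reply is seen
    snat: Optional[Tuple[str, int]]   # (addr, port) substituted on the original side


class Gateway:
    """One netfilter box: a conntrack table plus a POSTROUTING SNAT rule.
    Loose TCP pickup: any packet without an entry creates a NEW entry."""

    def __init__(self) -> None:
        self.table: Dict[Tuple5, ConnEntry] = {}  # indexed by both directions

    def _free_snat_port(self, pkt: Packet) -> int:
        # Mimics nf_nat's uniqueness rule: the translated tuple must not
        # already belong to another flow; otherwise move to the next port.
        port = pkt.sport
        while (pkt.proto, GW_EXT, port, pkt.dst, pkt.dport) in self.table:
            port += 1
        return port

    def forward(self, pkt: Packet) -> Tuple[Packet, str, str]:
        """Return (translated packet, conntrack state, direction)."""
        t = pkt.tuple5()
        entry = self.table.get(t)
        if entry is None:
            # No entry: this packet defines ORIGINAL, even if it is a
            # mid-stream ACK, and the NAT table is consulted only now.
            out, snat = pkt, None
            if pkt.src.startswith(SNAT_PREFIX):
                snat = (GW_EXT, self._free_snat_port(pkt))
                out = Packet(pkt.proto, snat[0], snat[1], pkt.dst, pkt.dport)
            entry = ConnEntry(t, invert(out.tuple5()), "NEW", snat)
            self.table[entry.original] = entry
            self.table[entry.reply] = entry
            return out, entry.state, "ORIGINAL"
        if t == entry.original:
            if entry.snat:  # re-apply the binding chosen for the first packet
                pkt = Packet(pkt.proto, entry.snat[0], entry.snat[1], pkt.dst, pkt.dport)
            return pkt, entry.state, "ORIGINAL"
        # Reply direction: entry becomes ESTABLISHED and the SNAT is undone.
        entry.state = "ESTABLISHED"
        if entry.snat:
            _, orig_src, orig_sport, _, _ = entry.original
            pkt = Packet(pkt.proto, pkt.src, pkt.sport, orig_src, orig_sport)
        return pkt, entry.state, "REPLY"


def simulate(first: str) -> dict:
    """Plug a fresh gateway into a live connection; `first` says which
    side's packet ("client" or "server") the new box happens to see first."""
    gw = Gateway()
    c2s = Packet("tcp", CLIENT, CLIENT_PORT, SERVER, SERVER_PORT)
    # The server answers to the mapping the *old* box had installed.
    s2c = Packet("tcp", SERVER, SERVER_PORT, GW_EXT, CLIENT_PORT)
    seen = {}
    for pkt in ([c2s, s2c] if first == "client" else [s2c, c2s]):
        out, state, direction = gw.forward(pkt)
        side = "client" if pkt.src == CLIENT else "server"
        seen[side] = {"state": state, "direction": direction,
                      "out_src": (out.src, out.sport), "out_dst": (out.dst, out.dport)}
    # The flow survives only if the server keeps seeing the old mapping and
    # the reply reaches the client instead of terminating on the gateway.
    works = (seen["client"]["out_src"] == (GW_EXT, CLIENT_PORT)
             and seen["server"]["out_dst"] == (CLIENT, CLIENT_PORT))
    return {"works": works, **seen}


if __name__ == "__main__":
    for first in ("client", "server"):
        print(first, "packet seen first ->", simulate(first))
```

Run stand-alone, it prints both orderings. When the client's packet reaches the new box first, the box picks the same SNAT mapping the old one used and the server's reply is de-NATed back to the client, so the flow continues. When the server's reply reaches the new box first, it creates an entry in the wrong direction, is not translated at all (it terminates on the gateway's own address), and the client's next packet is then forced onto a different source port because the original one is already claimed by that entry, so the server sees an unrelated connection. The same mechanism applies to the original question of deleting entries on a live gateway: whichever side's packet arrives first after the deletion defines the original direction for that flow.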