How to flush ip conntrack entries?

marian stagarescu marian@ti.com
09 Oct 2002 17:55:44 -0400


I ran into the problem described here and I wondered if someone knows of
a solution:

       +----------+
       |  SNAT    |
private|--------> |(eth1: public ip)
  ip   +----------+

1) set up masquerading
(iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE)

and ping continuously from private to public. All ok.

2) flush the NAT

iptables -t nat -F

(ping will stop working, obviously, but I don't kill the ping process,
it just keeps sending echo requests, no reply)

3) put back NAT:
(iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE)

!!! ping does not come back !!!

4) I have to stop the pings and

5) restart them to make it work.

Looking at the ip_conntrack proc entry, it was noticed that:

after flushing (step 2) an UNREPLIED entry for icmp is there
(no reply, hence unreplied) but its ttl does not decrement.
(ping echoes are still hitting the NAT box from the private side)

Stopping the ping (step 4) allows the ttl timer of the conntrack entry
to start decrementing (30 sec).

Restarting the pings (I don't have to wait till the ttl goes to zero ?!?)
(step 5), but now with NAT back on (step 3), I don't get the icmp entry in
conntrack but all is ok (pings go through).

Question is: is there a way to achieve this (looks like starting to
decrement that ttl or resetting it to zero in conntrack) on the NAT
box without having to stop the pings on the host side?

Thanks,
marian
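The post reads the conntrack table by hand to find the stuck ICMP entry. The script below is an added example, not part of the original message or of netfilter itself: it parses lines in the /proc/net/ip_conntrack layout of a 2.4-era kernel (protocol name, protocol number, remaining timeout in seconds, then the original and reply tuples) and lists every entry still marked [UNREPLIED] together with its timeout, which is the "ttl" the poster is watching. The sample table is constructed for the example; on a real box the same function can be fed the contents of /proc/net/ip_conntrack (or /proc/net/nf_conntrack on later kernels, whose lines carry an extra leading address-family column, so field positions would need adjusting).

```shell
#!/bin/sh
# Added example (not from the original post): list conntrack entries that are
# still waiting for a reply, with their remaining timeout in seconds.
# The sample lines below are constructed to mimic /proc/net/ip_conntrack on a
# 2.4 kernel: proto, proto number, timeout, original tuple, [UNREPLIED],
# reply tuple, use count.
SAMPLE_CONNTRACK='icmp     1 30 src=192.168.1.10 dst=203.0.113.5 type=8 code=0 id=4660 [UNREPLIED] src=203.0.113.5 dst=192.168.1.10 type=0 code=0 id=4660 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=45000 dport=80 src=203.0.113.5 dst=192.168.1.10 sport=80 dport=45000 [ASSURED] use=1
udp      17 25 src=192.168.1.11 dst=203.0.113.53 sport=5353 dport=53 [UNREPLIED] src=203.0.113.53 dst=192.168.1.11 sport=53 dport=5353 use=1'

# Print "proto timeout orig_src orig_dst" for every [UNREPLIED] entry.
# Field 1 is the protocol name and field 3 the remaining timeout; the first
# src=/dst= pair after that is the original direction of the flow.
unreplied_entries() {
    printf '%s\n' "$1" | awk '
        /\[UNREPLIED\]/ {
            src = ""; dst = ""
            for (i = 4; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/) src = substr($i, 5)
                if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            }
            print $1, $3, src, dst
        }'
}

# Count the [UNREPLIED] entries for one protocol name, e.g. icmp.
count_unreplied() {
    unreplied_entries "$1" | awk -v p="$2" '$1 == p { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed table; on a NAT box replace the
# argument with "$(cat /proc/net/ip_conntrack)".
unreplied_entries "$SAMPLE_CONNTRACK"
```

Running the script prints the ICMP and UDP entries only, since the TCP flow has already seen a reply. Watching the timeout column across two reads is the quickest way to confirm the symptom in the post: an entry whose timeout is refreshed on every outgoing packet never ages out while the sender keeps transmitting. Later kernels ship conntrack-tools, whose `conntrack -D -p icmp` deletes matching entries and `conntrack -F` flushes the whole table, so the stuck entry can be removed from the NAT box without touching the ping on the host; that userspace tool did not exist when this message was written.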