Reset conntrack...

Yutaka Kondo kondo at rdd.soliton.co.jp
Fri Dec 3 12:43:09 CET 2004


Hello

I made a little change in file ip_conntrack_standalone.c.

With this change, if you write an IP address (in in_addr_t format) to
/proc/net/ip_conntrack, any conntrack whose SRC address is the written
address is forced to time out / removed.

I think this is useful for a Linux firewall with an IDS (such as Snort).

Sorry, I put many debug changes into this file for my own understanding,
thus I cannot post it in diff/patch format.

YKND

Add these 2 functions:
-----------------------
/* ip_conntrack_standalone.c needs these for copy_from_user() and -EINVAL/-EFAULT,
 * if they are not already included near the top of the file. */
#include <asm/uaccess.h>
#include <linux/errno.h>

/* YKND    Remove conntrack entry, if src ip address match as conntrack.
 *         Callback for ip_ct_selective_cleanup(): `data` points at the
 *         address written by the user; return non-zero to kill this entry. */
static int
match_srcip_conntrack(const struct ip_conntrack *conntrack, void *data)
{
	u_int32_t in = *(u_int32_t *)data;	/* network byte order, like the tuple */

	return conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip == in;
}

/* YKND      write entry "proc/net/ip_conntrack" */
/*           Walk around conntrack list and remove every matching entry */
static int
ip_conntrack_user_remove(struct file *file, const char *buffer,
			 unsigned long count, void *data)
{
	u_int32_t in;

	/* Exactly one in_addr_t (4 bytes) per write. Checking sizeof(int) but
	 * reading an unsigned long would disagree on 64-bit, so check the type
	 * that is actually read. */
	if (count != sizeof(in)) {
		printk(KERN_WARNING "ip_conntrack: write size error\n");
		return -EINVAL;
	}

	/* `buffer` is a user-space pointer: copy it, never dereference it. */
	if (copy_from_user(&in, buffer, sizeof(in)))
		return -EFAULT;

	/* DEBUG */
	/* printk("Address=%u.%u.%u.%u was removed from conntrack \n", NIPQUAD(in)); */

	/* Do not walk ip_conntrack_hash under READ_LOCK and fire the timeout
	 * handler from inside the walk: death_by_timeout() takes the WRITE_LOCK
	 * (deadlock) and unlinks the entry being iterated over. The core's own
	 * cleanup helper takes the write lock, picks one matching entry, drops
	 * the lock, then runs del_timer()/death_by_timeout() on it and repeats. */
	ip_ct_selective_cleanup(match_srcip_conntrack, &in);

	return count;
}
-----------------------

and put this 1 line into the function static int init_or_cleanup(int init):

-----------------------
 proc->write_proc = ip_conntrack_user_remove;

-----------------------

----- Original Message ----- 
From: "Sven Anders" <anders at anduras.de>
To: <netfilter-devel at lists.netfilter.org>
Sent: Friday, December 03, 2004 7:09 AM
Subject: Reset conntrack...


> Hello!
>
> Is it possible to reset the conntrack list or set any entry to the state
> NEW to force a recheck against new filter rules?
>
> The problem is:
>
> If I set the (new) filtering rules with the target DROP, I want old
> (existing) connections to be dropped immediately.
> The global rule '--state RELATED,ESTABLISHED' I set would still allow
> them...
>
> Regards
> Sven
>
> --
> Sven Anders <anders at anduras.de>
>
> ANDURAS service solutions AG
> Innstraße 71 - 94036 Passau - Germany
> Web: www.anduras.de - Tel: +49 (0)851-4 90 50-0 - Fax: +49 (0)851-4 90 50-55
>
> Legal form: Aktiengesellschaft (stock corporation) - Registered office: Passau - Passau District Court HRB 6032
> Members of the Management Board: Sven Anders, Marcus Junker, Michael Schön
> Chairman of the Supervisory Board: Dipl. Kfm. Karlheinz Antesberger