libnetfilter_conntrack question
Patrick McHardy
kaber at trash.net
Fri Mar 16 09:58:42 CET 2007
Phil Dibowitz wrote:
> One other question - I noticed that I can't seem to delete ICMP states. This
> is true both from my own code, as well as from conntrack(8):
>
> [phil at rider libnetfilter_conntrack]$ sudo grep icmp /proc/net/ip_conntrack
> icmp 1 29 src=10.1.1.2 dst=209.40.128.125 type=8 code=0 id=43603 [UNREPLIED] src=209.40.128.125 dst=10.1.1.2 type=0 code=0 id=43603 use=1
>
> [phil at rider libnetfilter_conntrack]$ sudo conntrack -D conntrack -s 10.1.1.2 -d 209.40.128.125 -p icmp --icmp-type 8 --icmp-code 0
> NFNETLINK answers: No such file or directory
> Operation failed: such conntrack doesn't exist
>
> I get the same thing either way - that the conntrack doesn't exist. I can
> delete TCP and UDP just fine, but not ICMP. And just for clarity, yes, I'm
> attempting to delete it before it expires (this is easy to check by keeping
> iptstate running in a window).
>
> Am I doing something wrong, or can you not delete ICMP states?
I think you have to specify --icmp-id as well, otherwise the tuple is
incomplete.
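To make the point of the reply concrete: an ICMP conntrack entry is identified by the full original-direction tuple (src, dst, type, code, id), so a delete request carrying only type and code can never match it. The script below is an added example, not code from the thread or from conntrack-tools: it parses entries in the /proc/net/ip_conntrack format shown in the question, extracts the original-direction tuple per protocol, refuses to emit a delete for an incomplete tuple, and otherwise builds the conntrack(8) delete command with --icmp-id included. The sample entries are constructed (the ICMP one is the line from the question; the TCP and UDP ones are made up), and the TCP/UDP option names --sport/--dport are assumed from conntrack(8), while --icmp-type/--icmp-code come from the question and --icmp-id from the reply.

```python
import re
import shlex

# Constructed sample in /proc/net/ip_conntrack format: the ICMP line is the entry
# from the question; the TCP and UDP lines are made up for illustration.
SAMPLE_ENTRIES = """\
icmp     1 29 src=10.1.1.2 dst=209.40.128.125 type=8 code=0 id=43603 [UNREPLIED] src=209.40.128.125 dst=10.1.1.2 type=0 code=0 id=43603 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.2 dst=10.1.1.1 sport=40001 dport=22 src=10.1.1.1 dst=10.1.1.2 sport=22 dport=40001 [ASSURED] use=1
udp      17 29 src=10.1.1.2 dst=10.1.1.1 sport=5353 dport=53 [UNREPLIED] src=10.1.1.1 dst=10.1.1.2 sport=53 dport=5353 use=1
"""

KEY_RE = re.compile(r"(\w+)=(\S+)")

# Fields that identify a flow for each protocol (the original-direction tuple).
# For ICMP the id is part of the tuple, which is why a delete without it fails.
TUPLE_FIELDS = {
    "icmp": ("src", "dst", "type", "code", "id"),
    "tcp": ("src", "dst", "sport", "dport"),
    "udp": ("src", "dst", "sport", "dport"),
}


def parse_entry(line):
    """Parse one /proc/net/ip_conntrack line into (proto, original, reply).

    Key=value tokens for the original direction come first; the reply direction
    repeats the same keys, so the second 'src' token starts the reply tuple.
    State words and flags such as ESTABLISHED or [UNREPLIED] are skipped.
    """
    parts = line.split()
    proto = parts[0]
    original, reply = {}, {}
    current = original
    for token in parts[1:]:
        m = KEY_RE.fullmatch(token)
        if not m:
            continue
        key, value = m.groups()
        if key == "src" and key in original:
            current = reply
        current[key] = value
    return proto, original, reply


def tuple_is_complete(proto, fields):
    """True when every field needed to identify a flow of this protocol is present."""
    return all(f in fields for f in TUPLE_FIELDS[proto])


def delete_argv(proto, original):
    """Build the conntrack(8) argv that deletes the entry with this original tuple.

    Raises ValueError for an incomplete tuple instead of emitting a command that
    the kernel would answer with ENOENT, as in the question.
    """
    missing = [f for f in TUPLE_FIELDS[proto] if f not in original]
    if missing:
        raise ValueError("incomplete %s tuple, missing %s" % (proto, missing))
    argv = ["conntrack", "-D", "conntrack",
            "-s", original["src"], "-d", original["dst"], "-p", proto]
    if proto == "icmp":
        # --icmp-id is the option named in the reply; without it the tuple
        # (src, dst, type, code, id) is incomplete and nothing matches.
        argv += ["--icmp-type", original["type"],
                 "--icmp-code", original["code"],
                 "--icmp-id", original["id"]]
    else:
        # Assumed conntrack(8) option names for the layer-4 ports.
        argv += ["--sport", original["sport"], "--dport", original["dport"]]
    return argv


def delete_commands(text):
    """One shell-quoted delete command per non-empty entry line."""
    cmds = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, original, _reply = parse_entry(line)
        cmds.append(" ".join(shlex.quote(a) for a in delete_argv(proto, original)))
    return cmds


if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE_ENTRIES):
        print(cmd)
```

The generated ICMP command differs from the one in the question only by the trailing `--icmp-id 43603`; feeding the script live output from /proc/net/ip_conntrack (or the equivalent from conntrack -L) gives delete commands with complete tuples for every protocol listed in TUPLE_FIELDS.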