Captive DNS REDIRECT problems. Need a stateless/fast timeout udp connection.

Dave Cinege dcinege-mlists-dated-1112996463.b4727a at psychosis.com
Sun Apr 3 23:40:57 CEST 2005


On Sunday 03 April 2005 03:20, Harold Burchey wrote:
> On Sun, 03 Apr 2005 01:38:03 -0500
>

To all: I'm fixing this by setting ip_conntrack_udp_timeout_stream to 0 or a 
very low amount. (Not ip_conntrack_udp_timeout as I said in my original 
post.) Again, I don't want to do this, because I only want the 'statelessness'
to affect these DNS redirection connections. 

Is there any way to purge a connection from /proc/net/ip_conntrack from 
userland? If I could do that, my rule generation engine could handle clearing 
that out the moment the host changes un/authorized states. 

> Let's say your existing ethernet device is eth0. Is it possible to
> physically add a second ethernet device, say eth1? Then you could route
> everything from eth0 to eth1 and put the dummy redirections on eth1.
> Then whenever you want to override the dummy redirections you insert
> iptables rules on eth0.

I sort of see what you are saying, and that won't work for me. First, the unit 
is a commercial product, not a single gateway that I'm building, so I 
can't really hack my way around this. Next, it does dynamic gateway 
management, sometimes only to ppp devices, which aren't present until the 
ppp connection is active. Tying rules to 'dummy' devices will be very 
difficult to manage. With that said, some trickery with an ip alias on the 
loopback (or vlan) may work, but I'd prefer a cleaner solution. 

Dave
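Added example, not code from the thread or from any poster: it parses the /proc/net/ip_conntrack table the post refers to (the four entries below are constructed), picks out only the UDP/53 flows from one host whose reply came from somewhere other than the nameserver the host asked for (the REDIRECT mapping that survives an authorization change), and emits matching delete commands for conntrack(8) from conntrack-tools, a userspace tool that postdates this thread. The host address 192.168.1.10 and the gateway 192.168.1.1 are assumed values; udp_stream_entries shows what the global ip_conntrack_udp_timeout_stream change would hit instead.

```python
import re

# Constructed /proc/net/ip_conntrack lines (not from the thread). Field layout:
# proto protonum timeout [tcp-state] <original tuple> [flags] <reply tuple> ...
SAMPLE_CONNTRACK = """\
udp      17 171 src=192.168.1.10 dst=8.8.8.8 sport=40001 dport=53 packets=3 bytes=180 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=40001 packets=3 bytes=240 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.11 dst=8.8.8.8 sport=40002 dport=53 packets=1 bytes=60 [UNREPLIED] src=8.8.8.8 dst=192.168.1.11 sport=53 dport=40002 packets=0 bytes=0 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=50000 dport=80 packets=10 bytes=800 src=93.184.216.34 dst=192.168.1.10 sport=80 dport=50000 packets=8 bytes=6400 [ASSURED] mark=0 use=1
udp      17 171 src=192.168.1.10 dst=192.168.1.1 sport=40003 dport=123 packets=2 bytes=152 src=192.168.1.1 dst=192.168.1.10 sport=123 dport=40003 packets=2 bytes=152 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r'(src|dst|sport|dport)=(\S+)')

def parse_ip_conntrack(text):
    """Parse ip_conntrack lines into dicts with original and reply tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        kv = TUPLE_RE.findall(line)
        entries.append({
            'proto': fields[0],
            'timeout': int(fields[2]),          # seconds until the entry expires
            'orig': dict(kv[:4]),               # client -> nameserver as the client sent it
            'reply': dict(kv[4:8]),             # what actually answered (post-REDIRECT)
            'assured': '[ASSURED]' in line,     # governed by ip_conntrack_udp_timeout_stream
        })
    return entries

def redirected_dns_entries(entries, host):
    """UDP/53 flows from `host` whose reply source differs from the requested
    nameserver: the REDIRECT NAT mapping that outlives an authorization change."""
    return [e for e in entries
            if e['proto'] == 'udp' and e['orig']['src'] == host
            and e['orig']['dport'] == '53' and e['reply']['src'] != e['orig']['dst']]

def udp_stream_entries(entries):
    """Every entry the global ip_conntrack_udp_timeout_stream change would also hit."""
    return [e for e in entries if e['proto'] == 'udp' and e['assured']]

def delete_commands(entries):
    """conntrack(8) invocations that remove exactly the selected entries."""
    return ['conntrack -D -p udp --orig-src %s --orig-dst %s --orig-port-src %s --orig-port-dst %s'
            % (e['orig']['src'], e['orig']['dst'], e['orig']['sport'], e['orig']['dport'])
            for e in entries]
```

Running delete_commands(redirected_dns_entries(parse_ip_conntrack(SAMPLE_CONNTRACK), '192.168.1.10')) yields one command for the redirected DNS flow and leaves the host's TCP and NTP entries untouched.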

More information about the netfilter mailing list