| To: | "Alexey Toptygin" <alexeyt@freeshell.org> |
|---|---|
| Subject: | Re: [LARTC] Re: iptables rule not matching after stream begins |
| From: | "Bob Beers" <bob.beers@gmail.com> |
| Date: | Tue, 21 Nov 2006 11:05:23 -0500 |
| Cc: | lartc@mailman.ds9a.nl |
On 11/21/06, Alexey Toptygin <alexeyt@freeshell.org> wrote:

> On Tue, 21 Nov 2006, Bob Beers wrote:
>
> > Let me try to restate my question:
> >
> > Is it a common problem that inserting a rule after a (UDP) stream is
> > established does not match the rule, even though the exact same
> > rule for the exact same stream does match, as long as it is inserted
> > before the first packet of the stream arrives?
>
> This is the way it is designed: PREROUTING rules in the nat table are only
> checked for packets that haven't already been assigned to a connection. If
> you want, you can use the conntrack tool to flush the connection states
> after you add a new rule.

Ah, yes, this sounds like what I need. Please excuse my ignorance, but how does one "use the conntrack tool to flush the connection states after you add a new rule"? I have read through several tutorials and the iptables man pages, but did not yet find this particular gem.

In my ideal solution, I would flush only the connection in question, to avoid any perturbance of other connections.

<after a little googling ...>

I guess you mean this: <http://www.netfilter.org/projects/conntrack/index.html>
and/or this: <http://www.netfilter.org/projects/libnetfilter_conntrack/index.html>

I will RTF documentation, now that I see it ... But, I wonder, is there a shortcut to the behavior I want through iptables --ctstatus and friends?

Thank you all very much for the hints so far.

Bob
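An added example (not from this thread or from the netfilter project) of the approach Alexey describes, narrowed to one flow as Bob asks: insert the nat PREROUTING rule, then delete only that flow's conntrack entry with conntrack(8) so its next packet is treated as a new connection and is evaluated against the new rule. The addresses, ports and the sample `conntrack -L` lines are constructed; the commands assume iptables and conntrack-tools are installed and run as root.

```shell
#!/bin/sh
# Added example: re-target one established UDP flow after inserting a nat
# PREROUTING rule. Set DRY_RUN=1 to print the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Insert a DNAT rule for a single client flow, then delete only that flow's
# conntrack entry (original direction). Other connections are left untouched;
# this is the per-flow alternative to flushing the whole table with conntrack -F.
# Arguments: client address, current server address, UDP port, new server address.
redirect_udp_flow() {
    src=$1; dst=$2; dport=$3; newdst=$4
    run iptables -t nat -I PREROUTING -p udp -s "$src" -d "$dst" --dport "$dport" \
        -j DNAT --to-destination "$newdst"
    run conntrack -D -p udp --orig-src "$src" --orig-dst "$dst" --orig-port-dst "$dport"
}

# Escape dots so an address is matched literally by grep -E.
esc() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Count the conntrack -L lines (read from stdin) whose original-direction tuple
# is the given flow. Run before and after redirect_udp_flow to confirm the old
# entry is gone (and that the new one carries the DNAT'd reply tuple).
count_udp_flow() {
    src=$1; dst=$2; dport=$3
    re="^udp +17 +[0-9]+ +src=$(esc "$src") dst=$(esc "$dst") sport=[0-9]+ dport=$dport "
    grep -Ec "$re" || true
}

# Constructed sample of conntrack -L output: one SIP flow from 10.0.0.5 and one
# DNS flow from 10.0.0.7, both to 192.168.1.10.
SAMPLE_CONNTRACK='udp      17 29 src=10.0.0.5 dst=192.168.1.10 sport=40000 dport=5060 src=192.168.1.10 dst=10.0.0.5 sport=5060 dport=40000 [ASSURED] mark=0 use=1
udp      17 170 src=10.0.0.7 dst=192.168.1.10 sport=41000 dport=53 src=192.168.1.10 dst=10.0.0.7 sport=53 dport=41000 mark=0 use=1'
```

Preview with `DRY_RUN=1 redirect_udp_flow 10.0.0.5 192.168.1.10 5060 192.168.1.20`; check the live table with `conntrack -L | count_udp_flow 10.0.0.5 192.168.1.10 5060`.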