On 11/21/06, Alexey Toptygin <alexeyt@xxxxxxxxxxxxx> wrote:
> On Tue, 21 Nov 2006, Bob Beers wrote:
> > Let me try to restate my question:
> >
> > Is it a common problem that inserting a rule after a (UDP) stream is
> > established does not match the rule, even though the exact same
> > rule for the exact same stream does match, as long as it is inserted
> > before the first packet of the stream arrives?
>
> This is the way it is designed: PREROUTING rules in the nat table are only
> checked for packets that haven't already been assigned to a connection. If
> you want, you can use the conntrack tool to flush the connection states
> after you add a new rule.
Ah, yes, this sounds like what I need. Please excuse my ignorance, but how does one "use the conntrack tool to flush the connection states after you add a new rule"? I have read through several tutorials and the iptables man pages, but did not yet find this particular gem. In my ideal solution, I would flush only the connection in question, to avoid any perturbation of other connections.

<after a little googling ...>

I guess you mean this: <http://www.netfilter.org/projects/conntrack/index.html>
and/or this: <http://www.netfilter.org/projects/libnetfilter_conntrack/index.html>

I will RTF documentation, now that I see it ... But, I wonder, is there a shortcut to the behavior I want through iptables --ctstatus and friends?
> Alexey
Thank you all very much for the hints so far.

Bob

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
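The add-the-rule-then-flush-only-that-connection sequence discussed above, as an added example that is not from the thread. It assumes conntrack-tools and iptables are installed, that the script runs as root, and uses made-up addresses and port; the function and variable names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the LARTC thread). A nat PREROUTING rule is only
# consulted for the first packet of a connection, so a rule inserted after a
# UDP flow has a conntrack entry never sees that flow. Deleting just that one
# entry makes the next packet look "new" again without touching other flows.
set -eu

CT="${CONNTRACK:-conntrack}"   # conntrack-tools binary
IPT="${IPTABLES:-iptables}"    # iptables binary

# Filter selecting one original-direction flow: proto, src, dst, dst port.
# Kept as a function so the arguments can be checked without root.
ct_flow_filter() {
    printf '%s --orig-src %s --orig-dst %s --orig-port-dst %s' "$1" "$2" "$3" "$4"
}

# Insert a DNAT rule for the flow, then delete only that flow's conntrack
# entry so nat PREROUTING re-evaluates it on the next packet.
redirect_udp_flow() {
    src="$1"; dst="$2"; dport="$3"; newdst="$4"
    "$IPT" -t nat -I PREROUTING -p udp -s "$src" -d "$dst" --dport "$dport" \
        -j DNAT --to-destination "$newdst"
    # shellcheck disable=SC2046   # word splitting of the filter is intended
    "$CT" -D -p $(ct_flow_filter udp "$src" "$dst" "$dport") || true  # no entry: nothing to do
}

# List whatever conntrack still holds for that flow (expect nothing right
# after the delete, then a fresh entry once the next packet arrives).
show_udp_flow() {
    # shellcheck disable=SC2046
    "$CT" -L -p $(ct_flow_filter udp "$1" "$2" "$3")
}

# Hypothetical addresses (RFC 5737 documentation ranges); run with --run as root.
if [ "${1:-}" = "--run" ]; then
    redirect_udp_flow 192.0.2.10 203.0.113.5 5060 198.51.100.20
    show_udp_flow 192.0.2.10 203.0.113.5 5060
fi
```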