On 2018.08.23 14:36 Florian Westphal wrote:
> Doug Smythies <dsmythies@xxxxxxxxx> wrote:
>> Could you try conntrack -F after removing your ruleset?
>>
>> ad1d697 + this patch:
>>
>> O.K. that eliminates the 1 minute wait, and the other ssh connections
>> drop right away when I try to use them, after ruleset is loaded again.
>> The ssh session I ran the commands from is fine, usually.
>> I've tried it multiple ways and with / without nf_conntrack_tcp_be_liberal
>
> Then
>
> https://patchwork.ozlabs.org/patch/961105/
>
> should resolve all issues.

No, that V2 patch seems to just make things as they were with my original
escalation e-mail. i.e. any activity on any ssh session after the iptables
rules have been cleared and that session will be dropped after the rules
are re-started.

As before:

echo 1 | sudo tee /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal

fixes the issue.

The conntrack flush thing makes it such that the ssh sessions are
considered NEW, and thus dropped via that path. That is, except the ssh
session that the commands were executed on.

... Doug