On Sunday 03 April 2005 03:20, Harold Burchey wrote:
> On Sun, 03 Apr 2005 01:38:03 -0500

To all: I'm fixing this by setting ip_conntrack_udp_timeout_stream to 0 or a
very low amount. (Not ip_conntrack_udp_timeout as I said in my original
post.) Again, I don't want to do this, because I only want the
'statelessness' to affect these DNS redirection connections. Is there any way
to purge a connection from /proc/net/ip_conntrack from userland? If I could
do that, my rule generation engine can handle clearing that out the moment
the host changes un/authorized states.

> Let's say your existing ethernet device is eth0. Is it possible to
> physically add a second ethernet device, say eth1? Then you could route
> everything from eth0 to eth1 and put the dummy redirections on eth1.
> Then whenever you want to override the dummy redirections you insert
> iptables rules on eth0.

I sort of see what you are saying, and that won't work for me. First, the
unit is a commercial product, not a single gateway that I'm building... so I
can't really hack my way around this. Next, it does dynamic gateway
management... sometimes only to ppp devices, which aren't present until the
ppp connection is active. Tying rules to 'dummy' devices will be very
difficult to manage. With that said, some trickery with an ip alias on the
loopback (or vlan) may work, but I'd prefer a cleaner solution.

Dave
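Added example, not part of the thread above: a small Python script that does what Dave's rule engine would need in order to purge only the DNS entries of one host, leaving ip_conntrack_udp_timeout_stream alone. It parses lines in the /proc/net/ip_conntrack format (protocol name, protocol number, remaining timeout, original tuple, optional [UNREPLIED], reply tuple, optional [ASSURED], use count), selects the UDP flows whose original direction is client -> port 53, and builds the matching delete commands for the conntrack utility from conntrack-tools. The thread does not mention conntrack-tools; its availability is an assumption, and the sample table content is constructed, not captured from a real box.

```python
import re

# Constructed sample of /proc/net/ip_conntrack lines (not from the thread).
# Two clients with UDP DNS flows, one TCP flow and one UDP NTP flow as noise.
SAMPLE_CONNTRACK = """\
udp      17 170 src=192.168.1.50 dst=192.168.1.1 sport=40123 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=40123 [ASSURED] use=1
udp      17 25 src=192.168.1.51 dst=192.168.1.1 sport=40999 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.51 sport=53 dport=40999 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=10.0.0.7 sport=50000 dport=80 src=10.0.0.7 dst=192.168.1.50 sport=80 dport=50000 [ASSURED] use=1
udp      17 10 src=192.168.1.50 dst=192.168.1.1 sport=40555 dport=123 src=192.168.1.1 dst=192.168.1.50 sport=123 dport=40555 use=1
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack_line(line):
    """Parse one /proc/net/ip_conntrack line into a dict, or None if empty.

    The first src=/dst=/sport=/dport= group is the original direction (the
    tuple the rule engine keyed on); the second group is the reply direction.
    """
    fields = line.split()
    if len(fields) < 3:
        return None
    entry = {
        "proto": fields[0],
        "timeout": int(fields[2]),          # seconds left before expiry
        "unreplied": "[UNREPLIED]" in fields,
        "assured": "[ASSURED]" in fields,
    }
    orig, reply = {}, {}
    for key, val in _KV.findall(line):
        if key not in ("src", "dst", "sport", "dport"):
            continue
        # first occurrence -> original tuple, second -> reply tuple
        if key in orig:
            reply[key] = val
        else:
            orig[key] = val
    entry["orig"] = orig
    entry["reply"] = reply
    return entry


def select_dns_entries(text, client_ip, dns_port="53"):
    """Return entries whose original direction is UDP from client_ip to dns_port."""
    selected = []
    for line in text.splitlines():
        e = parse_conntrack_line(line)
        if (e and e["proto"] == "udp"
                and e["orig"].get("src") == client_ip
                and e["orig"].get("dport") == dns_port):
            selected.append(e)
    return selected


def purge_commands(entries):
    """Build 'conntrack -D' argument lists (conntrack-tools, assumed installed)
    that delete exactly these entries, matched on the original tuple."""
    cmds = []
    for e in entries:
        o = e["orig"]
        cmds.append(["conntrack", "-D", "-p", "udp",
                     "-s", o["src"], "-d", o["dst"],
                     "--sport", o["sport"], "--dport", o["dport"]])
    return cmds


if __name__ == "__main__":
    # Host 192.168.1.50 just changed authorization state: drop its DNS entries.
    for cmd in purge_commands(select_dns_entries(SAMPLE_CONNTRACK, "192.168.1.50")):
        print(" ".join(cmd))
</test>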