On May 10 2007 16:10, ??? wrote:

> We have some problems with nat.
> We want to relay "udp packet" from one host to another host using SNAT, DNAT.
>
> iptables -t nat -A PREROUTING -p udp -d PACKET.RELAY.HOST.IP --dport 10000 -j DNAT --to-destination TO.OTHER.HOST.IP:10000
> iptables -t nat -A POSTROUTING -p udp -d TO.OTHER.HOST.IP --dport 10000 -j SNAT --to-source PACKET.RELAY.HOST.IP:10000
>
> It works well. But after removing the rules, packets are still transferred. I can
> find the conntrack entry in /proc/net/stat/ip_conntrack.
> We know libnfnetlink & libnetfilter_conntrack with kernel 2.6 can delete
> conntrack entries from userspace. But we use Redhat linux 2.4.21-32.EL.
> How can I delete a specified conntrack entry in kernel 2.4 without kernel code??

I suppose that the reason that "conntrack" (the userspace tool to monitor/delete conntrack entries) was written is because there was no prior way to do it from userland. (In short: you are toast with 2.4)

Or wait for the UDP connection tracking timeout to happen.

Jan
--
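The behaviour in the question, a NAT mapping that outlives the iptables rule that created it, is visible in the kernel's ip_conntrack table under /proc/net: each entry carries an original tuple and a reply tuple, and the two only differ when NAT was applied. The following script is an added example written for this page; it is not code from the thread or from the netfilter project. It parses entries in that table's line format (the three sample lines are constructed), flags UDP entries toward the relay host that still carry a DNAT or SNAT mapping, and prints the `conntrack -D` invocation from conntrack-tools (the "conntrack" tool Jan mentions, which needs a 2.6 kernel with nfnetlink) that would remove each one. The relay address 192.0.2.10 and the other host 198.51.100.7 stand in for PACKET.RELAY.HOST.IP and TO.OTHER.HOST.IP.

```python
"""Spot lingering NAT conntrack entries and emit conntrack-tools delete commands.

Added example, not part of the original thread. Parses lines in the
/proc/net/ip_conntrack format, detects entries whose original and reply tuples
show that DNAT or SNAT was applied, and prints the `conntrack -D` command
(conntrack-tools, 2.6 kernel with nfnetlink) that would remove each one.
"""
import re
import shlex

# Constructed sample table: a NATed UDP relay flow (client -> relay rewritten
# to the other host, source rewritten to the relay), an ordinary DNS flow and
# an unrelated TCP session.
SAMPLE_TABLE = """\
udp      17 29 src=10.0.0.5 dst=192.0.2.10 sport=40000 dport=10000 src=198.51.100.7 dst=192.0.2.10 sport=10000 dport=10000 use=1
udp      17 170 src=10.0.0.5 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=10.0.0.5 sport=53 dport=5353 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=10.0.0.6 dst=192.0.2.10 sport=51000 dport=22 src=192.0.2.10 dst=10.0.0.6 sport=22 dport=51000 [ASSURED] use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Return {'proto', 'timeout', 'orig', 'reply', 'flags'} for one table line.

    orig/reply are (src, dst, sport, dport); flags holds bracketed markers
    such as [ASSURED] or [UNREPLIED]. The timeout is the seconds left before
    the kernel drops the entry on its own."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a conntrack entry: %r" % line)
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected original and reply tuple: %r" % line)
    orig, reply = [(s, d, int(sp), int(dp)) for s, d, sp, dp in tuples]
    return {
        "proto": fields[0],
        "timeout": int(fields[2]),
        "orig": orig,
        "reply": reply,
        "flags": re.findall(r"\[[A-Z]+\]", line),
    }


def nat_kind(entry):
    """Name the NAT applied to an entry, judged from its two tuples.

    Without NAT the reply tuple is the original mirrored. A DNAT shows up as
    reply src != original dst, an SNAT as reply dst != original src."""
    (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = entry["orig"], entry["reply"]
    kinds = []
    if (rsrc, rsp) != (odst, odp):
        kinds.append("DNAT")
    if (rdst, rdp) != (osrc, osp):
        kinds.append("SNAT")
    return "+".join(kinds) or "none"


def lingering_relay_entries(table_text, relay_ip, port):
    """UDP entries addressed to relay_ip:port that still carry a NAT mapping.

    After the DNAT/SNAT rules are removed these keep relaying until their
    UDP timeout expires, which is the behaviour the thread describes."""
    found = []
    for line in table_text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        osrc, odst, osp, odp = entry["orig"]
        if (entry["proto"] == "udp" and odst == relay_ip and odp == port
                and nat_kind(entry) != "none"):
            found.append(entry)
    return found


def delete_command(entry):
    """conntrack-tools command that removes exactly this entry (by original tuple)."""
    osrc, odst, osp, odp = entry["orig"]
    argv = ["conntrack", "-D", "-p", entry["proto"],
            "--orig-src", osrc, "--orig-dst", odst,
            "--orig-port-src", str(osp), "--orig-port-dst", str(odp)]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    for entry in lingering_relay_entries(SAMPLE_TABLE, "192.0.2.10", 10000):
        print("%s, %ds left: %s" % (nat_kind(entry), entry["timeout"],
                                    delete_command(entry)))
```

On a real host replace SAMPLE_TABLE with the contents of the kernel's ip_conntrack table. The printed `conntrack -D` lines are only actionable on a 2.6 kernel with conntrack-tools installed; on 2.4, as the reply says, there is no userspace deletion interface, and the timeout column is what tells you how long each stale mapping will keep forwarding traffic.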