stevesz@xxxxxxxxxxx a écrit :
I am not sure I understand what the problem is. When the IP address
changes, any existing connections that were using the old IP address are
broken. So new connections have to be established using the new IP
address. New P2P connections should be identified and marked again by
ipp2p and CONNMARK, as the old ones were. Or am I missing something ?
In my firewall config it is allowed for any packet to go out from my local
network to the internet even it is not in the conntrack.
Ok. You could change this behaviour by blocking outgoing packets in the
INVALID state.
So after my IP
has changed and the conntrack table's got flushed, TCP connections continue
traversing through the firewall
Sorry but I still do no see how this is possible. The remote hosts
cannot continue previously established TCP connections ("established"
according to the TCP/IP stack, not Netfilter conntrack) with you if your
apparent IP address changes. They will continue to send traffic to your
old IP address and ignore traffic from your new address. A TCP
connection is defined by the source and destination addresses and ports.
If any of these 4 elements changes, the connection is broken.
My plan is to modify the code, so it would replace the old
addresses with the new one in the conntrack table keeping the port
assignments.
Same remark as above. You cannot change the address of an established
TCP connection.
