libnetfilter_conntrack

I have a firewall application that creates/deletes iptables (netfilter) rules dynamically in response to client requests.

In other words, a client negotiates with my application and I agree to open a route from that client to a device behind the firewall.  At a certain time later my application closes that route by removing the rule.

The problem is that TCP connections persist, so even though I remove the rule, the client (if already connected to the target device) can continue to use that connection.

I use 'cutter' to terminate the connection, and that works most of the time; however, the connection remains listed in /proc/net/ip_conntrack, and that confuses my 'cutter' invocation if the same client opens the same route too soon.

I've set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_{close,close_wait} to 0, and that doesn't seem to help.

I'm thinking that calling nfct_delete_conntrack() directly is my solution, however I'm not certain, and I'm also having trouble understanding how to fill in the arguments (and where to get the id required by the last argument).

Does anyone have a suggestion?  Is 'cutter' the best tool to cut the connection?  Is there a better way to force cut entries out of conntrack?  Is there an example of nfct_delete_conntrack()?
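An added C example, not from the poster or from the netfilter project: it parses /proc/net/ip_conntrack lines (constructed here in the 2.6-era layout, not captured from a real host) and counts the TCP entries still bound to a client -> device:port route, which is the check an application like the one described could run before assuming that 'cutter' will see a single, unambiguous connection. It does not cover the nfct_delete_conntrack() call itself.

```c
#include <stdio.h>
#include <string.h>

/* One TCP entry from /proc/net/ip_conntrack, original direction only. */
struct ct_entry {
    char proto[8]; long timeout; /* seconds until the kernel expires the entry */
    char state[16];              /* ESTABLISHED, CLOSE_WAIT, TIME_WAIT, ... */
    char src[16], dst[16];       /* original-direction IPv4 addresses as text */
    int sport, dport;
};

/* Constructed sample in the 2.6-era ip_conntrack layout (not captured from a real host). */
static const char *SAMPLE_TABLE =
    "tcp      6 431999 ESTABLISHED src=192.168.0.10 dst=10.0.0.5 sport=40112 dport=22 src=10.0.0.5 dst=192.168.0.10 sport=22 dport=40112 [ASSURED] mark=0 use=1\n"
    "tcp      6 119 TIME_WAIT src=192.168.0.10 dst=10.0.0.5 sport=40113 dport=22 src=10.0.0.5 dst=192.168.0.10 sport=22 dport=40113 [ASSURED] mark=0 use=1\n"
    "udp      17 29 src=192.168.0.10 dst=10.0.0.5 sport=5353 dport=5353 src=10.0.0.5 dst=192.168.0.10 sport=5353 dport=5353 mark=0 use=1\n";

/* Parse one line; returns 1 for a TCP entry, 0 for anything else (e.g. udp). */
static int parse_ct_line(const char *line, struct ct_entry *e)
{
    const char *p;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%7s %*d %ld %15s", e->proto, &e->timeout, e->state) != 3 ||
        strcmp(e->proto, "tcp") != 0)
        return 0;
    /* The first src=/dst=/sport=/dport= group is the original direction (client -> device). */
    if (!(p = strstr(line, "src=")) || sscanf(p, "src=%15s", e->src) != 1) return 0;
    if (!(p = strstr(line, "dst=")) || sscanf(p, "dst=%15s", e->dst) != 1) return 0;
    if (!(p = strstr(line, "sport=")) || sscanf(p, "sport=%d", &e->sport) != 1) return 0;
    if (!(p = strstr(line, "dport=")) || sscanf(p, "dport=%d", &e->dport) != 1) return 0;
    return 1;
}

/* Count TCP entries still binding client -> device:dport in any state; non-zero means a stale entry. */
static int count_stale_entries(const char *table, const char *client, const char *device, int dport)
{
    int n = 0;
    while (*table) {
        char line[512]; struct ct_entry e;
        const char *nl = strchr(table, '\n');
        size_t len = nl ? (size_t)(nl - table) : strlen(table);
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate an over-long line */
        memcpy(line, table, len); line[len] = '\0';
        if (parse_ct_line(line, &e) && !strcmp(e.src, client) && !strcmp(e.dst, device) && e.dport == dport)
            n++;
        table = nl ? nl + 1 : table + len;
    }
    return n;
}
```

On a live system the table text would come from reading /proc/net/ip_conntrack; the TIME_WAIT entry with a small remaining timeout is exactly the kind of leftover that lingers after the rule is removed.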
