Hi there,

On Fri, 4 Jan 2008, Hal Moroff wrote:

> I have a firewall application that creates/deletes iptable
> (netfilter) rules dynamically in response to client requests
> ... later my application closes that route by removing the rule.
> The problem is that TCP connections persist, so even though I remove
> the rule, the client (if already connected to the target device) can
> continue to use that connection. I use 'cutter' to terminate the
> connection, and that works most of the time, however the connection
> remains listed in /proc/net/ip_conntrack ... I've set
> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_{close,close_wait}
> to 0, and that doesn't seem to help.

Try setting 'ip_conntrack_tcp_timeout_established'?

See for example

http://lists.netfilter.org/pipermail/netfilter/2005-May/060160.html

--
73,
Ged.
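The following is an added example and not part of the thread above: a small POSIX shell script a firewall operator could use to check, after deleting a rule, which conntrack entries still reference the destination that rule used to cover, and to read the TCP timeout knobs discussed in the thread. The conntrack lines are constructed in the `/proc/net/ip_conntrack` format of 2.6-era kernels (the real file would be read instead of the sample variable); the sysctl directory and the `nf_conntrack_tcp_timeout_*` names for newer kernels are assumptions about the reader's system, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the netfilter thread): audit conntrack state after
# an iptables rule has been removed.
#
# CONSTRUCTED sample in the /proc/net/ip_conntrack layout of 2.6-era kernels.
# In practice replace the variable with: cat /proc/net/ip_conntrack
# (newer kernels: /proc/net/nf_conntrack, or `conntrack -L`; paths assumed).
SAMPLE_CONNTRACK='tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=40001 dport=22 packets=15 bytes=2100 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=40001 packets=12 bytes=1800 [ASSURED] mark=0 use=1
tcp      6 8 CLOSE src=192.168.1.11 dst=10.0.0.5 sport=40002 dport=22 packets=4 bytes=300 src=10.0.0.5 dst=192.168.1.11 sport=22 dport=40002 packets=3 bytes=240 [ASSURED] mark=0 use=1
tcp      6 431800 ESTABLISHED src=192.168.1.12 dst=10.0.0.9 sport=40003 dport=80 packets=7 bytes=900 src=10.0.0.9 dst=192.168.1.12 sport=80 dport=40003 packets=6 bytes=700 [ASSURED] mark=0 use=1
udp     17 29 src=192.168.1.10 dst=10.0.0.5 sport=5000 dport=53 packets=1 bytes=60 src=10.0.0.5 dst=192.168.1.10 sport=53 dport=5000 packets=1 bytes=120 mark=0 use=1'

# stale_established DST [DPORT]
# Print "src=<ip> sport=<port> timeout=<secs>" for every TCP entry in the
# ESTABLISHED state whose original-direction tuple targets DST (and DPORT,
# if given). These are the flows that a rule deletion alone does not stop.
stale_established() {
    dst="$1"; dport="${2:-}"
    printf '%s\n' "$SAMPLE_CONNTRACK" | awk -v dst="$dst" -v dport="$dport" '
        # Field layout: proto protonum timeout state src= dst= sport= dport= ...
        $1 == "tcp" && $4 == "ESTABLISHED" {
            split($5, s, "="); split($6, d, "="); split($7, sp, "="); split($8, p, "=")
            if (d[2] == dst && (dport == "" || p[2] == dport))
                printf "src=%s sport=%s timeout=%s\n", s[2], sp[2], $3
        }'
}

# count_stale_established DST [DPORT]: number of entries stale_established reports.
count_stale_established() {
    stale_established "$@" | awk 'END { print NR }'
}

# tcp_timeouts [DIR]: print the conntrack TCP timeout knobs (seconds) found in
# DIR. Default is the directory named in the thread; on newer kernels the
# knobs live in /proc/sys/net/netfilter as nf_conntrack_tcp_timeout_* (assumed).
tcp_timeouts() {
    dir="${1:-/proc/sys/net/ipv4/netfilter}"
    for f in "$dir"/ip_conntrack_tcp_timeout_* "$dir"/nf_conntrack_tcp_timeout_*; do
        [ -r "$f" ] || continue
        printf '%s=%s\n' "${f##*/}" "$(cat "$f")"
    done
}

# Usage on the constructed data: entries still pointing at 10.0.0.5 after its
# rule was removed (only the ESTABLISHED flow is reported, not the CLOSE one).
stale_established 10.0.0.5
```

The third column of each line is the remaining idle timeout in seconds, and it is refreshed by every packet the entry matches, so lowering `ip_conntrack_tcp_timeout_established` only evicts flows that go quiet; a connection that keeps exchanging traffic is not removed by the timer, which is why the listing above is worth checking after a rule deletion rather than relying on the sysctl alone.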