Josh Cepek wrote:
> noa levy wrote:
>> Thank you again for your response. Suppose I do want to drop existing
>> connections, but I don't want to add the "drop" rule above the "allow
>> established" rule, for performance reasons. Does netfilter provide any
>> API for flushing the conntrack table (all of it or specific entries)?
>
> Not easily, and not without disrupting other active connections. If
> conntrack support is compiled in as modules you can unload and reload
> them, but this requires that no iptables rules reference the conntrack
> module (i.e.: you must delete such rules first.) Once unloaded, the
> kernel will forget the maintained state table, but this also has the
> side-effect of breaking any active sessions that were in an ESTABLISHED
> state when you deleted the rules and reset the state table.
>
> AFAIK there is no way to manually flush the conntrack state table or
> remove specific entries.

This is no longer true as we have the conntrack-tools.

--
"Honest people are social misfits" -- Les Luthiers
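An added example, not part of the thread and not either poster's code: a small POSIX sh script that uses conntrack-tools to do what the question asks, purge the conntrack entries for one source address so that a DROP rule appended below the "accept ESTABLISHED" rule takes effect on flows that already exist, plus a parser that counts the flows still listed for that address in `conntrack -L` output. It assumes the `conntrack` and `iptables` binaries and root; the `DRY_RUN` switch, the sample listing and the addresses are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the thread). Block one source address and purge its
# conntrack entries, so packets that were ESTABLISHED no longer match the
# "accept ESTABLISHED,RELATED" rule and fall through to the DROP below it.
# Assumes conntrack-tools (`conntrack`), iptables and root.
# DRY_RUN is this script's own (hypothetical) switch: DRY_RUN=1 prints the
# commands instead of executing them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Count flows whose original-direction source is $1, reading `conntrack -L`
# style lines on stdin. The first "src=" on a line is the original direction,
# the second is the reply direction; `conntrack -D -s ADDR` matches only the
# first, so flows this host initiated toward ADDR would need `-d ADDR` too.
count_entries() {
    awk -v want="src=$1" '
        { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { if ($i == want) n++; break } }
        END { print n + 0 }'
}

# 1. Append DROP at the end of INPUT, leaving the established fast path first.
# 2. Delete conntrack entries originating from the address; their next packet
#    is then NEW, misses the ESTABLISHED accept and reaches the DROP.
block_source() {
    addr="$1"
    run iptables -A INPUT -s "$addr" -j DROP
    run conntrack -D -s "$addr"
}

# Flows still tracked for the address after the purge (expect 0).
remaining_flows() {
    conntrack -L -s "$1" 2>/dev/null | count_entries "$1"
}

# Constructed sample in `conntrack -L` format: two flows from 203.0.113.5 and
# one flow this host (192.0.2.10) opened toward it.
SAMPLE='tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=192.0.2.10 sport=51022 dport=22 src=192.0.2.10 dst=203.0.113.5 sport=22 dport=51022 [ASSURED] mark=0 use=1
udp      17 29 src=203.0.113.5 dst=192.0.2.10 sport=40000 dport=53 src=192.0.2.10 dst=203.0.113.5 sport=53 dport=40000 mark=0 use=1
tcp      6 299 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=44123 dport=443 src=203.0.113.5 dst=192.0.2.10 sport=443 dport=44123 [ASSURED] mark=0 use=1'

printf '%s\n' "$SAMPLE" | count_entries 203.0.113.5   # prints 2

if [ $# -gt 0 ]; then
    block_source "$1"
    echo "flows remaining for $1: $(remaining_flows "$1")"
fi
```

Run as `./block.sh 203.0.113.5` on a host with conntrack-tools, or with `DRY_RUN=1` to review the commands first.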