Understanding conntrack: Delete and manual readd of same entry possible?

Hi list,

The failure to conduct a simple test with conntrack makes me believe that I misunderstood some part of the concept.

The testcase:

* Create one forwarded tcp connection via iptables-firewall and leave it open
* Delete the conntrack entry of this connection
* Readd the same conntrack entry with conntrack -I
* Verify that the old and new entry look the same (conntrack -L)
* Send one more byte over the still open tcp connection

The expected result:
* TCP flow continues without creating a new conntrack entry, using the one added manually
* ACCEPT via ESTABLISHED rule because of valid conntrack entry

The actual result:
* Conntrack code seems to believe that packets do not belong to the conntrack entry
* Conntrack code does not create a new conntrack entry
* Conntrack code cannot update the conntrack entry even when the packet is accepted.

Can someone enlighten me whether manual entry creation is possible?

Thanks, Roman
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
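Step 4 of the test case above compares the kernel-created entry with the one re-added via conntrack -I. The following is an added example (not code from the original post or from the conntrack-tools project) that parses the default `conntrack -L` line format and reports which fields differ between two entries for the same flow, ignoring the ones that legitimately change across a delete/re-add. The two sample lines are constructed for illustration with documentation addresses; the set of fields treated as volatile (timeout, use, id) and the values in the "re-added" line are assumptions of the example, not observations from the post.

```python
# Constructed sample lines in the default `conntrack -L` output format (not the
# -o extended form). Addresses are documentation ranges; they are not from the post.
KERNEL_ENTRY = (
    "tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=80 "
    "src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40000 [ASSURED] mark=0 use=1"
)
# The same flow as it might look after `conntrack -D` and `conntrack -I`: the
# timeout has restarted and the kernel-set [ASSURED] flag is absent (assumed values).
MANUAL_ENTRY = (
    "tcp      6 120 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=80 "
    "src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40000 mark=0 use=1"
)

# Fields expected to differ between an original entry and its re-added copy (assumption).
VOLATILE = frozenset({"timeout", "use", "id"})

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Parse one `conntrack -L` line into a flat dict.

    Layout: <proto> <protonum> <timeout> [<state>] <orig tuple> <reply tuple>
            [<flags in brackets>] <key=value ...>
    The state column is only present for protocols that track one (e.g. TCP).
    """
    tokens = line.split()
    if len(tokens) < 4 or not tokens[1].isdigit() or not tokens[2].isdigit():
        raise ValueError("not a conntrack -L line: %r" % line)
    entry = {"proto": tokens[0], "protonum": int(tokens[1]), "timeout": int(tokens[2])}
    pos = 3
    if "=" not in tokens[pos] and not tokens[pos].startswith("["):
        entry["state"] = tokens[pos]
        pos += 1
    orig, reply, flags = {}, {}, set()
    for tok in tokens[pos:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.add(tok[1:-1])
            continue
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError("unexpected token %r" % tok)
        if key in TUPLE_KEYS:
            # The first src/dst/sport/dport group is the original direction,
            # the second group is the reply direction.
            target = orig if key not in orig else reply
            target[key] = value
        else:
            entry[key] = value
    entry["orig"], entry["reply"], entry["flags"] = orig, reply, frozenset(flags)
    return entry


def same_flow(a, b):
    """True if both entries describe the same connection (protocol plus both tuples)."""
    return (a["proto"], a["orig"], a["reply"]) == (b["proto"], b["orig"], b["reply"])


def diff_entries(a, b, ignore=VOLATILE):
    """Return {field: (value_in_a, value_in_b)} for every field that differs,
    skipping fields that are expected to change across a delete/re-add."""
    diffs = {}
    for key in sorted(set(a) | set(b)):
        if key in ignore:
            continue
        if a.get(key) != b.get(key):
            diffs[key] = (a.get(key), b.get(key))
    return diffs


if __name__ == "__main__":
    before, after = parse_entry(KERNEL_ENTRY), parse_entry(MANUAL_ENTRY)
    print("same flow:", same_flow(before, after))
    for field, (old, new) in diff_entries(before, after).items():
        print("%s: %r -> %r" % (field, old, new))
```

Feed it the `conntrack -L` line captured before the delete and the one captured after the re-add. One caveat when reading the result: `conntrack -L` does not display the per-connection TCP window-tracking state the kernel keeps alongside the entry, so two lines can compare equal here and the kernel can still treat further packets differently; whether out-of-window packets are marked INVALID is governed by the nf_conntrack_tcp_be_liberal sysctl.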