On 01/03/2012 13:39, jonetsu wrote:
> What is there to do to be able to stop pings as soon as the firewall is set up while keeping the now-observed icmp conntrack timeout? Is it possible to selectively flush only the ICMP connection tracking table?
Regarding the second question, you might be able to do that if you assign a distinct conntrack zone for ICMP traffic (via the CT target). You should then be able to run conntrack -D -w <zone-id> but I haven't personally tried it. Not particularly elegant but it doesn't appear to be possible to use -D with -p icmp alone.
Cheers,
--Kerin
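The zone-based workaround sketched above, written out as an added example (this is not code from Kerin's reply or from the netfilter/conntrack-tools projects). The CT target is only valid in the raw table, so the tagging rules go into raw/PREROUTING and raw/OUTPUT; both directions must land in the same zone or the echo reply would not match the echo request's entry. The zone id 5 is an arbitrary choice for the example, the function names are the example's own, and the script only prints the commands unless DRY_RUN=0 is set and it is run as root on a box with iptables (CT target) and conntrack-tools.

```shell
#!/bin/sh
# Added example: keep ICMP in its own conntrack zone so that only that
# zone's entries can be flushed with conntrack -D -w <zone>.
# ZONE=5 is an arbitrary value chosen for this example.
ZONE="${ZONE:-5}"
DRY_RUN="${DRY_RUN:-1}"   # DRY_RUN=0 (as root) actually runs the commands

# Zone ids are 16-bit in the kernel: accept only integers 0..65535.
valid_zone() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# Rules that tag ICMP with the zone before conntrack looks the packet up.
# The CT target only works in the raw table; PREROUTING covers incoming
# packets and OUTPUT locally generated ones, so requests and replies of
# one ping end up in the same zone and still match one entry.
icmp_zone_rules() {
    zone="$1"
    printf 'iptables -t raw -A PREROUTING -p icmp -j CT --zone %s\n' "$zone"
    printf 'iptables -t raw -A OUTPUT -p icmp -j CT --zone %s\n' "$zone"
}

# Delete every conntrack entry in the zone (and nothing outside it).
flush_zone_cmd() {
    printf 'conntrack -D -w %s\n' "$1"
}

# List the zone afterwards to confirm it is empty.
list_zone_cmd() {
    printf 'conntrack -L -w %s\n' "$1"
}

# Echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Install the tagging rules for one zone after validating the id.
setup_icmp_zone() {
    valid_zone "$1" || { echo "bad zone id: $1" >&2; return 1; }
    icmp_zone_rules "$1" | while IFS= read -r cmd; do
        # the generated commands contain no spaces inside arguments,
        # so plain word splitting is safe here
        # shellcheck disable=SC2086
        run $cmd
    done
}

# Usage: tag ICMP first; later, flush only that zone and verify.
setup_icmp_zone "$ZONE"
# shellcheck disable=SC2046
run $(flush_zone_cmd "$ZONE")
# shellcheck disable=SC2046
run $(list_zone_cmd "$ZONE")
```

Entries that conntrack created before the raw-table rules were loaded still live in the default zone and are not touched by the zone flush, so load the tagging rules together with the rest of the firewall rather than after the fact.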