Hello List,

Is there a way to (mis-)use an iptables rule to invalidate the currently established conntrack entry related to a packet being processed? The packet can be identified because it violates connbytes and u32 match criteria.

One solution I have come up with so far to emulate that behaviour is to set a mark/label on the conntrack when the criteria are met the first time and then DROP all packets with that mark/label from then on. But that somehow bloats the ruleset and keeps a useless conntrack entry in memory, where just terminating the conntrack would do all of it at once.

Another solution might be to modify the conntrack timeout later in the raw table using "-j CT --timeout [policy]", applying a timer value of "-1" and thus hopefully immediately invalidating the conntrack entry.

Is there an easier solution to that problem? If not, which one of the two solutions above seems easier to implement and maintain in a stable, risk-free way in the long run?

Kind regards,
hd
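The first approach from the post (mark the conntrack entry once the criteria match, then drop everything carrying that mark) written out as a small iptables script. This is an added example, not code from the original post or from the netfilter project. It assumes a forwarding firewall hooked from the filter table's FORWARD chain, a connmark bit (0x1) that is otherwise unused in the ruleset, and placeholder values for the connbytes threshold and the u32 expression; the real detection criteria from the post are not given, so the u32 expression here is a constructed stand-in, not a signature. Setting IPT=echo prints the rules instead of installing them, which is how the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Emulate "kill this connection": the first packet of an established flow
# that violates the connbytes + u32 criteria marks the conntrack entry, and
# every later packet of that flow is dropped via the connmark.
# Added example; thresholds and the u32 expression are placeholders.

IPT="${IPT:-iptables}"                    # set IPT=echo for a dry run
KILL_MARK=0x1                             # connmark bit reserved for "dead" flows
BYTE_LIMIT="${BYTE_LIMIT:-1048576}"       # placeholder: flows beyond 1 MiB are suspect
U32_EXPR="${U32_EXPR:-0>>22&0x3C@12=0x0}" # placeholder u32 test, not a real signature

build_rules() {
    # Dedicated chain so the logic can be flushed and rebuilt in one place.
    $IPT -N CONN_KILL 2>/dev/null || true
    $IPT -F CONN_KILL

    # 1. Flows already marked dead are dropped before any further inspection,
    #    so the expensive connbytes/u32 matches only run once per flow.
    $IPT -A CONN_KILL -m connmark --mark "$KILL_MARK/$KILL_MARK" -j DROP

    # 2. A packet of an established flow that meets both criteria sets the
    #    kill bit on its conntrack entry (mask limits the write to that bit).
    $IPT -A CONN_KILL -m conntrack --ctstate ESTABLISHED \
        -m connbytes --connbytes "$BYTE_LIMIT:" --connbytes-dir both --connbytes-mode bytes \
        -m u32 --u32 "$U32_EXPR" \
        -j CONNMARK --set-xmark "$KILL_MARK/$KILL_MARK"

    # 3. The packet that triggered the mark is dropped too; this also covers
    #    any packet that was marked in step 2 within the same traversal.
    $IPT -A CONN_KILL -m connmark --mark "$KILL_MARK/$KILL_MARK" -j DROP

    # Hook the chain in front of the existing FORWARD rules.
    $IPT -I FORWARD 1 -j CONN_KILL
}

# Only install when explicitly asked, so sourcing the file is side-effect free.
case "${1:-}" in
    apply) build_rules ;;
esac
```

Review the generated rules with `IPT=echo sh conn_kill.sh apply` before running it as root with `sh conn_kill.sh apply`. As the post notes, the marked conntrack entry stays in the table until its normal timeout expires; the mark only guarantees that no further packets of that flow pass, it does not free the entry early.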