Re: ip_conntrack

[Rory Irvine <rory@klub.org>]

On Tue, Feb 10, 2004 at 01:12:37PM, Bjoern Schmidt wrote:

> It is possible to clear all ore one entries in /proc/net/ip_conntrack
> without a reboot? I know there is a timeout, but i would like to remove
> them immediately if needed.

As far as I'm aware, you can remove all, but not just one. If you
/really/ need to do that, you're going to need to investigate sending
spoofed RST packets, which can get rather hairy...

All you need to do is remove & reload the ip_conntrack module. Be aware,
though, that there are probably other modules and/or firewall rules that
you'll have to kill off first.

I have a script running from cron that "reaps" the conntrack table if it
has more than 200,000 entries. It looks something like:

---

#!/bin/sh

echo -n "Flushing conntrack table: "
# remove NAT and any stateful firewalling rules.
iptables -F POSTROUTING -t nat
iptables -D INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j REJECT
iptables -D FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j
REJECT

# kill modules that will object to ip_conntrack being removed
rmmod ipt_MASQUERADE
rmmod iptable_nat
rmmod ipt_state

# remove ip_conntrack, thus clearing the /proc/net/ip_conntrack table

echo "done."

rmmod ip_conntrack

echo -n "Restarting nat / stateful firewalling: "

# restart NAT
/etc/init.d/nat start

# echo a suitable value into ip_conntrack_max as soon as the
# ip_conntrack module will have been reloaded

echo "220000" > /proc/sys/net/ipv4/ip_conntrack_max

# reload any other stateful rules
iptables -I FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j REJECT
iptables -I INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j REJECT

echo "done."
---

This takes about 15-20s to run on an 800MHz Pentium 3.

Be aware that, in my example, any connections that do not get entered
onto the conntrack table before the final two rules come up will be
dropped.