Delete specific conntrack entries?
The solution is given here.
I've got a similar task — to delete specific conntrack entries related to UDP connections going to a specific Internet host and being SNAT'ed, so I created the following script:

#!/bin/sh
# Delete conntrack entries for UDP flows whose original destination is $HUB.
set -e -u
HUB=AAA.BBB.CCC.DDD   # target host's IP address (placeholder)

# Strip the "key=" prefix from a key=value token printed by conntrack -L.
value()
{
    echo "${1#*=}"
}

# Fields per line: proto, L4 number, timeout, src=, dst=, sport=, dport=, rest.
/usr/sbin/conntrack -L conntrack -p udp -d "$HUB" |
while read -r proto _ _ src dst sport dport _; do
    /usr/sbin/conntrack -D conntrack \
        --proto "$(value "$proto")" \
        --orig-src "$(value "$src")" \
        --orig-dst "$(value "$dst")" \
        --sport "$(value "$sport")" \
        --dport "$(value "$dport")"
done
Zrin
Updated on September 18, 2022

Comments
-
Zrin almost 2 years
In a multi-ISP configuration, I'm routing and NATing specific traffic, e.g. VoIP, through a specific interface - to a distinct provider. When one of the interfaces (or routes) becomes unavailable, all connections that were using it have to be dropped, and subsequent traffic has to be routed through the still working connection. Upon a change in the status, I'm resetting and loading appropriate iptables and routing entries (it is "shorewall restart" - I'm using shorewall).
The problem is - the still present conntrack entries cause that the old (and now wrong) external address is still being used for NAT for those connections! After 'conntrack -D', the NAT works as expected again.
I'd like to delete only the conntrack entries belonging to the old external address, or to solve the problem in a way that wouldn't affect connections through other interfaces.
E.g. - I'd like to delete all conntrack entries having reverse connection destination dst=old.ext.ip.adr, like:
udp 17 164 src=192.168.158.3 dst=213.208.5.40 sport=5060 dport=5060 packets=178 bytes=104509 src=213.208.5.40 dst=old.ext.ip.adr sport=5060 dport=5060 packets=234 bytes=127268 [ASSURED] mark=256 secmark=0 use=2
What I've already tried:
# conntrack -D -r 212.108.43.143
^C (nothing happens, it just hangs)
# conntrack -D -r 213.208.5.40 -d 212.108.43.143
Operation failed: such conntrack doesn't exist
Thank you in advance! Best regards, Zrin
-
Zrin about 12 years
It seems that conntrack does not accept --src-nat with -D (?) Do I understand correctly that --src-nat would need the internal IP address as parameter?
# conntrack -D --src-nat ...
conntrack v0.9.6: Illegal option '--src-nat' with this command
Try 'conntrack -h' or 'conntrack --help' for more information.
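Building on the answer's script and on the reply-direction filter Zrin asks about in the comments, here is an added example (not code from the original answer or from the conntrack-tools project) that parses conntrack -L lines by scanning key=value tokens, so it also copes with the TCP state column and [UNREPLIED]/[ASSURED] flags, and emits the conntrack -D arguments only for flows whose reply-direction dst= equals a given old external address. The sample lines, the old.ext.ip.adr / new.ext.ip.adr names and the delete_flows helper are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original answer: parse `conntrack -L` output
# and emit the `conntrack -D` arguments for flows whose reply-direction dst=
# (the SNAT'ed external address) matches a given IP. Tokens are scanned by
# key, so the optional TCP state column and [UNREPLIED]/[ASSURED] flags do
# not shift field positions the way they would with a fixed `read` list.
set -u

# Constructed sample of `conntrack -L` lines (addresses are placeholders).
SAMPLE='udp      17 164 src=192.168.158.3 dst=213.208.5.40 sport=5060 dport=5060 packets=178 bytes=104509 src=213.208.5.40 dst=old.ext.ip.adr sport=5060 dport=5060 packets=234 bytes=127268 [ASSURED] mark=256 secmark=0 use=2
udp      17 29 src=192.168.158.9 dst=8.8.8.8 sport=40000 dport=53 [UNREPLIED] src=8.8.8.8 dst=new.ext.ip.adr sport=53 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.158.4 dst=213.208.5.40 sport=33000 dport=5060 src=213.208.5.40 dst=old.ext.ip.adr sport=5060 dport=33000 [ASSURED] mark=256 use=1'

# Parse one conntrack line ($1): the first src=/dst=/sport=/dport= tokens are
# the original direction; the second dst= is the reply direction (SNAT side).
parse_flow() {
    proto=${1%% *}
    osrc= odst= osport= odport= rdst=
    for tok in $1; do
        case $tok in
            src=*) [ -n "$osrc" ] || osrc=${tok#*=} ;;
            dst=*) if [ -z "$odst" ]; then odst=${tok#*=}; else rdst=${tok#*=}; fi ;;
            sport=*) [ -n "$osport" ] || osport=${tok#*=} ;;
            dport=*) [ -n "$odport" ] || odport=${tok#*=} ;;
        esac
    done
}

# Read conntrack lines on stdin; print the `conntrack -D` arguments, one flow
# per line, for flows whose reply dst equals $1 (all flows if $1 is empty).
select_flows() {
    old_ext=${1:-}
    while IFS= read -r line; do
        parse_flow "$line"
        [ -z "$old_ext" ] || [ "$rdst" = "$old_ext" ] || continue
        printf '%s\n' "--proto $proto --orig-src $osrc --orig-dst $odst --sport $osport --dport $odport"
    done
}

# Live use (root, conntrack-tools installed):  delete_flows old.ext.ip.adr
# Not executed here; the original-direction tuple identifies each entry.
delete_flows() {
    /usr/sbin/conntrack -L 2>/dev/null | select_flows "$1" |
        while read -r args; do /usr/sbin/conntrack -D $args; done
}
```

Run `printf '%s\n' "$SAMPLE" | select_flows old.ext.ip.adr` to see the two flows that would be deleted; the [UNREPLIED] flow through the new address is left alone.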