All of lore.kernel.org
 help / color / mirror / Atom feed
* Invalidate conntrack using iptables rule
@ 2021-08-24  8:29 halfdog
  2021-10-09 15:40 ` halfdog
  0 siblings, 1 reply; 2+ messages in thread
From: halfdog @ 2021-08-24  8:29 UTC (permalink / raw)
  To: netfilter

Hello List,

Is there a way to (mis-)use an iptables rule to invalidate the
currently established conntrack entry related to an packet being
processed? The packet can be identified due to violating connbytes
and u32 match criteria.

One solution I came up so far to emulate that behaviour was to
set a mark/label on the conntrack when the criteria is met the
first time and then DROP all packets with that mark/label from
here on. But that somehow would bloat the ruleset and keep an
useless conntrack entry in memory where just terminating the
conntrack would do all of it at once.

Another solution might be to modify the conntrack timeout later
in the raw table using "-j CT --timeout [policy]" applying a
timer value of "-1" and thus hopefully immediately invalidating
the conntrack entry.



Is there an easier solution to that problem? If no, which one
of the two solutions from above seems to be easier to implement
and maintain in a stable, riskfree way in the long run?

Kind regards,
hd


^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: Invalidate conntrack using iptables rule
  2021-08-24  8:29 Invalidate conntrack using iptables rule halfdog
@ 2021-10-09 15:40 ` halfdog
  0 siblings, 0 replies; 2+ messages in thread
From: halfdog @ 2021-10-09 15:40 UTC (permalink / raw)
  To: netfilter

Hi,

Any comments on this? Without any feedback I would try the policy
timeout -1 method and dig into the kernel code to see if that
should really work without side effects.

hd

halfdog writes:
> Hello List,
>
> Is there a way to (mis-)use an iptables rule to invalidate the
> currently established conntrack entry related to an packet being
> processed? The packet can be identified due to violating connbytes
> and u32 match criteria.
>
> One solution I came up so far to emulate that behaviour was to
> set a mark/label on the conntrack when the criteria is met the
> first time and then DROP all packets with that mark/label from
> here on. But that somehow would bloat the ruleset and keep an
> useless conntrack entry in memory where just terminating the
> conntrack would do all of it at once.
>
> Another solution might be to modify the conntrack timeout later
> in the raw table using "-j CT --timeout [policy]" applying a
> timer value of "-1" and thus hopefully immediately invalidating
> the conntrack entry.
>
>
>
> Is there an easier solution to that problem? If no, which one
> of the two solutions from above seems to be easier to implement
> and maintain in a stable, riskfree way in the long run?
>
> Kind regards,
> hd


^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-10-09 15:40 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-24  8:29 Invalidate conntrack using iptables rule halfdog
2021-10-09 15:40 ` halfdog

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.