RE: Ctnetlink?

RE: Ctnetlink?

[Paul Albert]

>> Will this provide me a command-line interface to remove connections 
>> from ip_conntrack?

>no, but you can easily write one that sends the respective netlink
messages to the 
>ctnetlink core.

That is quite attractive.  Thanks for writing such a piece of code!


>> Is there more documentation on this?

>no.


Is the only way to learn more about this to apply it through the POM and
check out some of the code?  I would like to learn more, but I'm not
sure how to go about this ...

Much thanks,
Paul

Re: Ctnetlink?

[Patrick McHardy]

Paul Albert wrote:

>Is the only way to learn more about this to apply it through the POM and
>check out some of the code?  I would like to learn more, but I'm not
>sure how to go about this ...
>
>Much thanks,
>Paul
>  
>

You can find some incomplete but partial working code at
http://trash.net/~kaber/ctnetlink (ct.tar.gz I believe).
It's a command-line tool I used for testing ctnetlink.
It also includes a ctnetlink monitor. It's probably enough
for a start but beware that ctnetlink interface is not
stable at all and may change any minute ;) Most stuff
that is currently in place will probably stay, but you
never know ..

Best regards,
Patrick

Re: Ctnetlink?

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1554 bytes --]

On Wed, Oct 29, 2003 at 06:10:15PM -0700, Paul Albert wrote:
> Hi all - 
> 
> I'm quite interested in removing some or all of the connection tracking
> entries at various times while iptables is in operation.  My searching
> around the archives had led me to a mysterious piece of code, ctnetlink.
> I can see it listed in the POM, however, the patch link isn't valid.

patch-o-matic is a set of specially-formated patches and the according
software.  just downloading a .patch file wouldn't help anyway.  you
need to download the patch-o-matic suite (either the latest release, or
via anonymous cvs).

> Will this provide me a command-line interface to remove connections from
> ip_conntrack?

no, but you can easily write one that sends the respective netlink
messages to the ctnetlink core.

> Is there more documentation on this?

no.
> 

> From looking through the code, it appears that I could call
> ip_conntrack_cleanup in ip_conntrack_core.c to remove all of the
> entries.  Would this work or is there a better way?

this is inside the kernel.  I suppose you were looking for a way to do
this from a userspace app?

> Thanks much,
> Paul

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Ctnetlink?

[Paul Albert]

Hi all - 

I'm quite interested in removing some or all of the connection tracking
entries at various times while iptables is in operation.  My searching
around the archives had led me to a mysterious piece of code, ctnetlink.
I can see it listed in the POM, however, the patch link isn't valid.

My questions:  

Will this provide me a command-line interface to remove connections from
ip_conntrack?
Is there more documentation on this?

>From looking through the code, it appears that I could call
ip_conntrack_cleanup in ip_conntrack_core.c to remove all of the
entries.  Would this work or is there a better way?

Thanks much,
Paul