Delete specific conntrack entries?

In a multi-ISP configuration, I'm routing and NATing specific traffic, e.g. VoIP, through a specific interface to a distinct provider. When one of the interfaces (or routes) becomes unavailable, all connections that were using it have to be dropped, and subsequent traffic has to be routed through the still-working connection. Upon a change in status, I reset and load the appropriate iptables and routing entries (it is a "shorewall restart"; I'm using shorewall).

The problem is that the still-present conntrack entries cause the old (and now wrong) external address to still be used for NAT on those connections! After 'conntrack -D', NAT works as expected again.

I'd like to delete only the conntrack entries belonging to the old external address, or to solve the problem in a way that wouldn't affect connections through other interfaces.

E.g., I'd like to delete all conntrack entries whose reply direction has destination dst=old.ext.ip.adr, like:

udp 17 164 src=192.168.158.3 dst=213.208.5.40 sport=5060 dport=5060 packets=178 bytes=104509 src=213.208.5.40 dst=old.ext.ip.adr sport=5060 dport=5060 packets=234 bytes=127268 [ASSURED] mark=256 secmark=0 use=2

What I've already tried:

# conntrack -D -r 212.108.43.143
^C (nothing happens, it just hangs)
# conntrack -D -r 213.208.5.40 -d 212.108.43.143
Operation failed: such conntrack doesn't exist

Thank you in advance! Best regards, Zrin


The solution is given here.

I've got a similar task: to delete specific conntrack entries related to UDP connections going to a specific Internet host and being SNATed, so I created the following script:

#!/bin/sh

set -e -u

HUB=AAA.BBB.CCC.DDD # target host's IP address

# Strip everything up to and including the first '=',
# e.g. "src=10.0.0.1" -> "10.0.0.1"; a bare word such as "udp" is returned unchanged.
value()
{
    echo "${1#*=}"
}

# List the UDP entries whose original destination is $HUB and delete each one
# by its original-direction tuple. The positional read relies on the UDP line
# layout of `conntrack -L` ("udp 17 <timeout> src= dst= sport= dport= ...");
# TCP lines carry an extra state column after the timeout, so this read would
# be off by one for them.
/usr/sbin/conntrack -L conntrack -p udp -d "$HUB" |
    while read -r proto _ _ src dst sport dport _; do
        /usr/sbin/conntrack -D conntrack \
            --proto "$(value "$proto")" \
            --orig-src "$(value "$src")" \
            --orig-dst "$(value "$dst")" \
            --sport "$(value "$sport")" \
            --dport "$(value "$dport")"
    done
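The answer above filters on the original destination; the question asks for the other side of the tuple, the reply-direction dst= (the stale external address). The script below is an added example, not the answer's script and not part of the original page: it parses `conntrack -L` output by key=value field rather than by column position, so it copes with both the udp layout shown above and tcp lines (which carry an extra state word), keeps only entries whose reply dst= equals the address given, and prints one `conntrack -D` per matching flow instead of running it. The sample table, the addresses 198.51.100.7, 203.0.113.9 and 203.0.113.1, and the ports are constructed for the example.

```shell
#!/bin/sh
# Added example, not the answer's script: select the conntrack entries whose
# reply-side destination is a stale external address (the flows SNATed out of
# the interface that went away) and print one `conntrack -D` per entry.
# Handles both tcp and udp lines of `conntrack -L`; nothing here touches the
# kernel table unless you pipe the output into sh.
set -eu

# Constructed sample of `conntrack -L` output: the first two entries were
# SNATed to the old address 212.108.43.143, the third one left via the
# other ISP (reply dst 203.0.113.1). Counters and ports are illustrative.
SAMPLE='udp      17 164 src=192.168.158.3 dst=213.208.5.40 sport=5060 dport=5060 packets=178 bytes=104509 src=213.208.5.40 dst=212.108.43.143 sport=5060 dport=5060 packets=234 bytes=127268 [ASSURED] mark=256 secmark=0 use=2
tcp      6 431999 ESTABLISHED src=192.168.158.10 dst=198.51.100.7 sport=40112 dport=443 packets=11 bytes=1202 src=198.51.100.7 dst=212.108.43.143 sport=443 dport=40112 packets=9 bytes=5301 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.158.3 dst=203.0.113.9 sport=53000 dport=53 packets=1 bytes=60 src=203.0.113.9 dst=203.0.113.1 sport=53 dport=53000 packets=1 bytes=120 mark=0 use=1'

# Reduce one conntrack line to "proto osrc odst osport odport rsrc rdst".
# Only key=value fields are inspected, so the tcp state word, [ASSURED],
# counters and marks are skipped; the second src=/dst= pair is the reply
# direction. Entries without ports (icmp) yield fewer than 7 fields.
tuple_of() {
    printf '%s\n' "$1" | awk '{
        proto = $1; n = 0
        for (i = 2; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   { dst[n] = kv[2] }
            else if (kv[1] == "sport") { sport[n] = kv[2] }
            else if (kv[1] == "dport") { dport[n] = kv[2] }
        }
        print proto, src[1], dst[1], sport[1], dport[1], src[2], dst[2]
    }'
}

# Read conntrack -L output on stdin; for every entry whose reply dst= is $1,
# emit a conntrack -D naming the full original tuple plus the reply
# addresses, so exactly that one flow is removed.
delete_cmds_for_reply_dst() {
    stale="$1"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $(tuple_of "$line")
        [ "$#" -eq 7 ] || continue          # skip icmp and other portless entries
        [ "$7" = "$stale" ] || continue      # $7 is the reply-side dst=
        printf 'conntrack -D -p %s -s %s -d %s --sport %s --dport %s -r %s -q %s\n' \
            "$1" "$2" "$3" "$4" "$5" "$6" "$7"
    done
}

# Dry run on the constructed sample (prints two commands: the udp and the tcp
# flow). On a live router feed it the real table and apply the result:
#   conntrack -L 2>/dev/null | delete_cmds_for_reply_dst 212.108.43.143 | sh
printf '%s\n' "$SAMPLE" | delete_cmds_for_reply_dst 212.108.43.143
```

Review the printed commands before piping them into sh; each one carries -s/-d/--sport/--dport for the original direction and -r/-q for the reply direction, so nothing but the listed flows is affected. conntrack-tools also accepts -q/--reply-dst directly as a delete filter, so on a version where that works `conntrack -D -q old.ext.ip.adr` does the same in one call; the per-entry form is useful when the single-filter delete misbehaves, as the -r attempt in the question did.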