bugzilla-daemon at bugzilla.netfilter.org
2012-May-03  09:00 UTC
[Bug 786] New: facing problem with iptables nat rules and traffic flow scenarios
http://bugzilla.netfilter.org/show_bug.cgi?id=786
           Summary: facing problem with iptables nat rules and traffic
                    flow scenarios
           Product: iptables
           Version: 1.1.2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: blocker
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: shrivastavaone at gmail.com
   Estimated Hours: 0.0
I am using iptables for nat
kernel version is 2.6.35+
working on powerpc target
case 1) traffic is already flowing and we apply a rule, that rule will
become effective only when we stop traffic and start again.
case 2) traffic is already flowing and we delete a rule, this rule
will still be effective unless we stop and start traffic again.
observation: /proc/net/ip_conntrack file is updated only after stopping
and starting traffic again.
These two are the limitations I am facing. Is there a way to overcome
these limitations? Please reply.
Thanks and Regards,
Rahul Shrivastava
-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2012-Jun-08  20:12 UTC
[Bug 786] facing problem with iptables nat rules and traffic flow scenarios
http://bugzilla.netfilter.org/show_bug.cgi?id=786
Jan Engelhardt <jengelh at medozas.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jengelh at medozas.de
         Resolution|                            |WORKSFORME
--- Comment #1 from Jan Engelhardt <jengelh at medozas.de> 2012-06-08
22:12:42 CEST ---
All rule changes in xtables do take effect immediately. You are likely matching
on a property that is running independently of xtables -- in your case,
connection tracking.
Calling `conntrack -F` can clear the list of NFCT entries, however, the effect
depends on your rules, and if you have them wrong, you will even be terminating
legitimate connections.
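The point of the reply is that xtables rule changes apply at once, but conntrack entries created under the old rules keep steering packets until they expire or are removed, and a blanket `conntrack -F` also kills unrelated flows. The following Python is an added example, not code from the thread or the netfilter project: it parses /proc/net/ip_conntrack lines (the sample entries are constructed), flags entries that carry a NAT mapping, and builds per-flow `conntrack -D` commands so only the flows affected by a removed rule are dropped; the conntrack flag names (-p, -s, -d, --sport, --dport) are assumed from conntrack-tools.

```python
"""Pick the conntrack entries a changed NAT rule affects, so they can be
deleted selectively instead of flushing the whole table with -F.
Added example, not from the bug thread; the entries below are constructed."""
import re

# Constructed sample in /proc/net/ip_conntrack layout (IPv4-only file on
# 2.6 kernels): proto, proto number, timeout, [tcp state], original tuple,
# reply tuple, flags. The first two flows are SNAT'd, the third is not.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=45678 dport=80 src=203.0.113.5 dst=198.51.100.1 sport=80 dport=45678 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=192.168.1.11 dst=203.0.113.5 sport=45679 dport=443 src=203.0.113.5 dst=198.51.100.1 sport=443 dport=45679 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.168.1.10 sport=53 dport=5353 mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entries(text):
    """Return dicts with proto, original tuple, reply tuple and a NAT flag.
    A flow is NAT'd when the reply tuple is not the mirror of the original."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        tuples = TUPLE_RE.findall(line)
        if len(fields) < 3 or len(tuples) != 2:
            continue  # skip malformed or truncated lines
        orig, reply = tuples
        mirrored = reply == (orig[1], orig[0], orig[3], orig[2])
        entries.append({"proto": fields[0], "orig": orig, "reply": reply,
                        "nat": not mirrored, "assured": "[ASSURED]" in line})
    return entries

def delete_commands(entries, proto, dport):
    """Build one `conntrack -D` per NAT'd entry whose original destination
    port matches the rule that was removed. Flag names are assumed from
    conntrack-tools (-p, -s, -d, --sport, --dport); check your version."""
    cmds = []
    for e in entries:
        if e["proto"] != proto or not e["nat"] or e["orig"][3] != str(dport):
            continue
        src, dst, sport, _ = e["orig"]
        cmds.append("conntrack -D -p %s -s %s -d %s --sport %s --dport %s"
                    % (proto, src, dst, sport, dport))
    return cmds

if __name__ == "__main__":
    # On a live box read open("/proc/net/ip_conntrack").read() instead of SAMPLE.
    for cmd in delete_commands(parse_entries(SAMPLE), "tcp", 80):
        print(cmd)
```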