path: root/src/internal_bypass.c
author: Pablo Neira Ayuso <pablo@netfilter.org> 2012-07-30 02:22:58 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2012-07-30 02:22:58 +0200
commit: 3cd88a6d9c66360dad983578259ab92ba083fca8 (patch)
tree: c373f88f6279a79465d17ad6598550fbdc174e3a /src/internal_bypass.c
parent: 7eb63b5872f07903d952aa5cfd6ad0e7647a066a (diff)
download: conntrack-tools-3cd88a6d9c66360dad983578259ab92ba083fca8.tar.gz
          conntrack-tools-3cd88a6d9c66360dad983578259ab92ba083fca8.zip
conntrackd: implement selective flushing for `-t' and `-F' commands
This patch changes the current behaviour of the `-t' and `-F' commands, which results in flushing the kernel conntrack table. With this patch, the entries that match the Filter clauses in conntrackd.conf are ignored.

This fixes the situation in which some local ssh connection to the firewall is lost during the failover (since `-t' is invoked from the primary-backup.sh script).

Note that the Filter clause tells what entries have to be ignored, i.e. the entries that do not need to be replicated. It makes sense not to flush entries that are not replicated (usually traffic to the local firewall).

Reported-by: Gaurav Sinha <gaurav.sinha@vyatta.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/internal_bypass.c')
-rw-r--r--  src/internal_bypass.c  2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/internal_bypass.c b/src/internal_bypass.c
index 5c83c21..1194339 100644
--- a/src/internal_bypass.c
+++ b/src/internal_bypass.c
@@ -67,7 +67,7 @@ static void internal_bypass_ct_dump(int fd, int type)
static void internal_bypass_ct_flush(void)
{
- nl_flush_conntrack_table(STATE(flush));
+ nl_flush_conntrack_table_selective();
}
struct {
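Review bot: the replacement call in internal_bypass_ct_flush() drops the STATE(flush) argument that nl_flush_conntrack_table() took, and nl_flush_conntrack_table_selective() takes no parameters, so the call site no longer shows where the flush criteria come from; a one-line comment above the call stating that the selective variant skips entries matching the conntrackd.conf Filter clauses, and what it does when no Filter clause is configured, would make the behaviour change described in the commit message visible here. Since `-t' and `-F' now leave filtered entries in the kernel table, the description of those two options in the conntrackd documentation should be updated to say the same.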