authorslioch <slioch@eng-140.vyatta.com>2009-02-09 11:47:30 -0800
committerslioch <slioch@eng-140.vyatta.com>2009-02-09 11:47:30 -0800
commit0d1be5c8cbab9a41cca7e7b8c6f4ad3491150215 (patch)
tree3281b5282732ae74843dafac8d545633f4a10ca4
parent4841f59c457d89b542916d2768e390cd21c5ec7e (diff)
added support for global level conntrack flushing on interface state change. Default configuration is to disable this feature.
-rw-r--r--scripts/vyatta-wanloadbalance.pl4
-rw-r--r--src/lbdata.hh3
-rw-r--r--src/lbdatafactory.cc9
-rw-r--r--src/lbdatafactory.hh3
-rw-r--r--src/lbdecision.cc6
-rw-r--r--templates/load-balancing/wan/flush-connections/node.def1
6 files changed, 25 insertions, 1 deletions
diff --git a/scripts/vyatta-wanloadbalance.pl b/scripts/vyatta-wanloadbalance.pl
index 56d4bc4..c287ddd 100644
--- a/scripts/vyatta-wanloadbalance.pl
+++ b/scripts/vyatta-wanloadbalance.pl
@@ -29,6 +29,10 @@ sub write_health {
print FILE_LCK "disable-source-nat\n";
}
+ if ($config->exists("load-balancing wan flush-connections")) {
+ print FILE_LCK "flush-conntrack\n";
+ }
+
$config->setLevel("load-balancing wan interface-health");
my @eths = $config->listNodes();
diff --git a/src/lbdata.hh b/src/lbdata.hh
index 25f0f80..03e617f 100644
--- a/src/lbdata.hh
+++ b/src/lbdata.hh
@@ -116,7 +116,7 @@ class LBData {
typedef map<string,LBHealth>::iterator InterfaceHealthIter;
typedef map<string,LBHealth>::const_iterator InterfaceHealthConstIter;
- LBData() : _disable_source_nat(false) {}
+ LBData() : _disable_source_nat(false),_flush_conntrack(false) {}
bool
error() {return false;}
@@ -140,6 +140,7 @@ class LBData {
InterfaceHealthColl _iface_health_coll;
bool _disable_source_nat;
+ bool _flush_conntrack;
};
#endif //__LBDATA_HH__
diff --git a/src/lbdatafactory.cc b/src/lbdatafactory.cc
index 87ce746..ebe63d0 100644
--- a/src/lbdatafactory.cc
+++ b/src/lbdatafactory.cc
@@ -123,6 +123,9 @@ LBDataFactory::process(const vector<string> &path, int depth, const string &key,
if (path[0] == "disable-source-nat") {
process_disablesourcenat(l_key,l_value);
}
+ else if (path[0] == "flush-conntrack") {
+ process_flushconntrack(l_key,l_value);
+ }
else if (path[0] == "health") {
if (l_key == "interface") {
process_health(l_key,l_value);
@@ -166,6 +169,12 @@ LBDataFactory::process_disablesourcenat(const string &key, const string &value)
}
void
+LBDataFactory::process_flushconntrack(const string &key, const string &value)
+{
+ _lb_data._flush_conntrack = true;
+}
+
+void
LBDataFactory::process_health(const string &key, const string &value)
{
if (value.empty() == false) {
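Review bot: The new `process_flushconntrack` ignores both `key` and `value` and sets the flag unconditionally, so any line whose first path element is `flush-conntrack` enables the flush whatever follows it. If that is intended because the Perl script only writes the keyword when the node exists, say so at the definition, e.g. `//presence of the keyword enables the flush; key and value are intentionally unused`. Whether this matches `process_disablesourcenat` cannot be checked from here, since its body lies outside the hunk.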
diff --git a/src/lbdatafactory.hh b/src/lbdatafactory.hh
index 1ba6b58..6d2211c 100644
--- a/src/lbdatafactory.hh
+++ b/src/lbdatafactory.hh
@@ -44,6 +44,9 @@ private:
process_disablesourcenat(const string &key, const string &value);
void
+ process_flushconntrack(const string &key, const string &value);
+
+ void
process_health(const string &key, const string &value);
void
diff --git a/src/lbdecision.cc b/src/lbdecision.cc
index 6c22943..70f9a8e 100644
--- a/src/lbdecision.cc
+++ b/src/lbdecision.cc
@@ -246,6 +246,12 @@ LBDecision::run(LBData &lb_data)
//then if we do, flush all
execute("iptables -t mangle -F PREROUTING", stdout);
+ //new request, bug 4112. flush conntrack tables if configured
+ if (lb_data._flush_conntrack == true) {
+ execute("conntrack -F", stdout);
+ execute("conntrack -F expect", stdout);
+ }
+
//and compute the new set and apply
LBData::LBRuleIter iter = lb_data._lb_rule_coll.begin();
while (iter != lb_data._lb_rule_coll.end()) {
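Review bot: The two added `execute("conntrack -F", stdout)` and `execute("conntrack -F expect", stdout)` calls clear every tracked connection and expectation on the system, not only flows balanced over the interface that changed state. Stateful firewall and NAT state for unrelated traffic is therefore dropped each time this branch runs. The condition guarding this path is outside the hunk, so how often it fires is not visible, but a flapping link or an unreachable health-check target would presumably repeat the flush; logging each flush, and possibly rate-limiting it, would make that visible to an operator. I would document the scope at the call site with `//flushes ALL conntrack and expectation entries system-wide, not only load-balanced flows`, and simplify the test to `if (lb_data._flush_conntrack) {`. The result of `execute` is not inspected here, so a missing or failing `conntrack` binary would go unnoticed. `LBDecision::run` starts and ends outside the hunk.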
diff --git a/templates/load-balancing/wan/flush-connections/node.def b/templates/load-balancing/wan/flush-connections/node.def
new file mode 100644
index 0000000..8798b0e
--- /dev/null
+++ b/templates/load-balancing/wan/flush-connections/node.def
@@ -0,0 +1 @@
+help: Set to flush connection tracking tables on connection state change.
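Review bot: The help string says the flush happens on "connection state change", while the commit message and the code in src/lbdecision.cc tie it to an interface state change. It also does not tell the operator that the entire connection tracking table is cleared, which affects firewall and NAT state for all traffic on the box. I would word it as `help: Flush all connection tracking tables when a WAN interface changes state`. Separately, the CLI node is named `flush-connections` but the keyword written by scripts/vyatta-wanloadbalance.pl and parsed in src/lbdatafactory.cc is `flush-conntrack`; using one name throughout would make the option easier to trace.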