From 3cd88a6d9c66360dad983578259ab92ba083fca8 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 30 Jul 2012 02:22:58 +0200 Subject: conntrackd: implement selective flushing for `-t' and `-F' commands This patch changes the current behaviour of `-t' and `-F' commands, that results in flushing the kernel conntrack table. With this patch, the entries that match the Filter clauses in conntrackd.conf are ignored. This fixes the situation in which some local ssh connection to the firewall is lost during the failover (since `-t' is invoked from the primary-backup.sh script). Note that the Filter clause tells what entries have to be ignored, ie. the entries that do not need to be replicated. It makes sense not to flush entries that are not replicated (usually traffic to the local firewall). Reported-by: Gaurav Sinha Signed-off-by: Pablo Neira Ayuso --- src/sync-mode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/sync-mode.c') diff --git a/src/sync-mode.c b/src/sync-mode.c index 7fb3eba..17f866a 100644 --- a/src/sync-mode.c +++ b/src/sync-mode.c @@ -304,7 +304,7 @@ static void do_reset_cache_alarm(struct alarm_block *a, void *data) * meanwhile the parent process handles events. */ if (fork_process_new(CTD_PROC_FLUSH, CTD_PROC_F_EXCL, NULL, NULL) == 0) { - nl_flush_conntrack_table(STATE(flush)); + nl_flush_conntrack_table_selective(); exit(EXIT_SUCCESS); } /* this is not required if events don't get lost */ -- cgit v1.2.3