Clear conntrack tables

Can we get an option on outbound policy to flush the connection tracking tables on apply?

It appears changing the outbound policy doesn’t apply to existing established sessions/flows; at least, that appeared to be the case with a SIT tunnel on 8.1.2b01 where I’d changed a rule that should have moved that traffic to a different SpeedFusion sub-tunnel (top of outbound policy and set to Enforced).

Sometimes this also happens after a reboot if the sub-tunnel hasn’t come up quickly enough (traffic appears to end up on sub-tunnel 1 with that peer).

2 Likes

Is that still the situation when this parameter is checked, I wonder?

1 Like

That option isn’t available on an “Enforced” rule, it seems.

1 Like

Oooops – you are right!

1 Like

When creating a new Enforced / Priority outbound policy rule, the affected conntracks will be cleared automatically; this should not require a manual flush.

For the checkbox “Terminate Sessions on Connection Recovery”, this doesn’t apply to Enforced rules, because when the connection is unavailable (either the WAN is down or the SpeedFusion connection is not connected yet) the packets will be dropped, so no new conntrack will be created for those packets and there is no need to “terminate sessions on connection recovery”.

2 Likes

It’s good to have a reminder now and then. :wink:

3 Likes

What about when changing an existing one rather than creating a new one?

1 Like

@Steve +1 for me too. I was troubleshooting changing the tunnel traffic and forcing it to tunnel 2, which worked, but then when trying to force it back by editing the same rule and setting tunnel 1, it didn’t work.

It should work the same way when you modify an existing outbound policy rule (Enforce / Priority).

Could you share the exact steps to reproduce the problem? The details of the outbound policy rule, which fields are being changed, etc.

Just one thing on my mind: if your outbound policy rule matches on Source MAC Address, then it won’t apply the same way, because conntrack doesn’t have MAC address information, so we can’t clear the related conntracks when you modify the outbound policy rule in this case.

1 Like
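The two points made in the reply above (an Enforced rule whose egress is down drops packets and so creates no conntrack entry; a rule keyed on Source MAC cannot clear existing flows because the conntrack tuple carries no L2 data) can be seen in a small model of a connection-tracking table. This is an added example written for this thread, not Peplink code; the `Rule`, `Conntrack` and `Router` shapes and the egress names `sf-sub1`/`sf-sub2` are assumptions, and the packet values are constructed.

```python
"""Toy model of a netfilter-style conntrack table and of what an
outbound-policy change can and cannot clear.  Added example; the rule
and conntrack structures below are assumptions, not a vendor's API."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conntrack:
    """One tracked flow.  Like the kernel tuple it holds L3/L4 fields only:
    there is no source MAC here, which is why MAC-keyed rules cannot be
    mapped back onto entries."""
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    via: str                 # egress chosen when the flow was first seen


@dataclass
class Rule:
    """Simplified Enforced outbound-policy rule (assumed shape)."""
    name: str
    via: str                         # e.g. "sf-sub1" (constructed name)
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_mac: Optional[str] = None    # L2 criterion, invisible to conntrack

    def matches_packet(self, pkt: dict) -> bool:
        return all([
            self.src_ip is None or pkt["src"] == self.src_ip,
            self.dst_ip is None or pkt["dst"] == self.dst_ip,
            self.proto is None or pkt["proto"] == self.proto,
            self.src_mac is None or pkt.get("src_mac") == self.src_mac,
        ])

    def matches_conntrack(self, ct: Conntrack) -> bool:
        # Only L3/L4 criteria can be compared against a conntrack entry.
        return all([
            self.src_ip is None or ct.src == self.src_ip,
            self.dst_ip is None or ct.dst == self.dst_ip,
            self.proto is None or ct.proto == self.proto,
        ])


class Router:
    def __init__(self, rules, available):
        self.rules = list(rules)
        self.available = set(available)   # egress links currently up
        self.table = set()                # set of Conntrack entries

    def _lookup(self, pkt: dict) -> Optional[Conntrack]:
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        for ct in self.table:
            if (ct.proto, ct.src, ct.sport, ct.dst, ct.dport) == key:
                return ct
        return None

    def forward(self, pkt: dict) -> Optional[str]:
        """Return the egress used for this packet, or None if it is dropped."""
        ct = self._lookup(pkt)
        if ct is not None:
            return ct.via          # established flow: policy is NOT re-evaluated
        for rule in self.rules:
            if rule.matches_packet(pkt):
                if rule.via not in self.available:
                    return None    # enforced egress is down: drop, no conntrack
                ct = Conntrack(pkt["proto"], pkt["src"], pkt["sport"],
                               pkt["dst"], pkt["dport"], rule.via)
                self.table.add(ct)
                return rule.via
        return None                # no rule matched (no default route in this toy)

    def update_rule(self, name: str, via: str) -> int:
        """Change a rule's egress and clear the conntracks it covers.
        Returns the number of entries cleared."""
        rule = next(r for r in self.rules if r.name == name)
        rule.via = via
        if rule.src_mac is not None:
            return 0               # conntrack has no MAC: affected flows unknown
        affected = {ct for ct in self.table if rule.matches_conntrack(ct)}
        self.table -= affected
        return len(affected)


def demo():
    """Walk through both scenarios; constructed addresses (RFC 5737 ranges)."""
    sit = {"proto": 41, "src": "192.0.2.1", "sport": 0,       # SIT = IP proto 41
           "dst": "203.0.113.10", "dport": 0, "src_mac": "00:11:22:33:44:55"}
    r = Router([Rule("v6-tunnel", via="sf-sub1", dst_ip="203.0.113.10", proto=41)],
               available={"sf-sub2"})
    dropped = r.forward(dict(sit))                    # sf-sub1 not up yet -> None
    r.available.add("sf-sub1")
    first = r.forward(dict(sit))                      # "sf-sub1"
    cleared = r.update_rule("v6-tunnel", "sf-sub2")   # 1 entry cleared
    second = r.forward(dict(sit))                     # re-evaluated -> "sf-sub2"

    r2 = Router([Rule("by-mac", via="sf-sub1", src_mac="00:11:22:33:44:55")],
                available={"sf-sub1", "sf-sub2"})
    r2.forward(dict(sit))
    cleared_mac = r2.update_rule("by-mac", "sf-sub2")  # 0: cannot identify flows
    stuck = r2.forward(dict(sit))                      # still "sf-sub1"
    return dropped, first, cleared, second, cleared_mac, stuck


if __name__ == "__main__":
    print(demo())
```

The `stuck` value is the failure mode a MAC-keyed rule leaves behind: the flow keeps its old egress until it times out or is cleared by other means, whereas the L3-keyed rule's change takes effect on the very next packet because its matching entry was removed.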

It’s a SIT tunnel going over the SpeedFusion tunnel. I’d changed the Enforce rule from one sub-tunnel to another one on the same peer, but the traffic didn’t move.

The Enforce rule is based on the IPv4 endpoint of the v6 tunnel server. I’m wondering if it’s better to move the IPv6 tunnel outside of SpeedFusion or use something other than SIT, but then I’d have to handle the bonding/failover some other way.