Managing cached connections
I'm developing a script to fail over between different links when one of them fails. After some tests I saw some strange behavior. After changing the routing table, flushing the route cache, removing the NAT rule and creating a new one for the new link, packets were going out through the new interface (the one in the new route) but still using the translated IP address from the old NAT rule.
After some research I found out that the Linux kernel keeps a table of tracked connections, the netfilter connection tracking (conntrack) table. It is not limited to NATed connections, but NAT is where it bites: the NAT decision is made on the first packet of a connection and stored in that connection's conntrack entry, so every later packet of an existing flow keeps the old translation no matter what the nat table now says.
The nice thing is that you can read this table directly:
cat /proc/net/ip_conntrack
(That path is the legacy name; on current kernels the file is /proc/net/nf_conntrack and only exists while the nf_conntrack module is loaded.)
The netfilter team also developed a tool to manage this table: list, flush, delete and add entries, and so on.
It's called conntrack-tools and is meant as a replacement for the /proc interface. Most distributions package it (the Debian/Ubuntu package is named conntrack), but to build it from source you need to compile and install the following:
libnfnetlink
libnetfilter_conntrack
conntrack-tools
You can download all the sources from:
http://conntrack-tools.netfilter.org/downloads.html
Once installed you can call the conntrack binary.
For example:
conntrack -L -d x.x.x.x
The above command lists all entries with destination IP x.x.x.x.
conntrack -F
The above command flushes the whole table, which is exactly what I do in my fail-over scripts. Be aware that -F drops every tracked connection, including flows that never used the failed link, so all live connections through the stateful firewall have to be re-learned; conntrack can also delete selectively with -D, which takes the same filters as -L.
conntrack -L -m 11
If you're using marks in any iptables rule you can check whether connections are being marked correctly with the above command. It lists all connections with mark=11. Note that the mark conntrack shows is the connection mark, set by -j CONNMARK --set-mark 11 or copied from the packet mark with -j CONNMARK --save-mark; a per-packet -j MARK --set-mark 11 on its own is not stored in the conntrack entry and will not show up here.
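The whole failover step as an added example, not the script from this post: it swaps the route and the SNAT rule in the order described above, then removes only the conntrack entries whose reply-direction destination is the old SNAT address (conntrack's -r/--reply-dst filter) instead of flushing the whole table, and includes a small awk helper that reads conntrack -L or /proc/net/nf_conntrack output so you can confirm nothing is still pinned to the old link. Interface names, addresses and the sample conntrack lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Swaps the outbound link
# (route, route cache, SNAT rule) and then clears only the conntrack entries
# that still carry the OLD translated address. Interface names, addresses and
# the sample conntrack output below are constructed for illustration.

# DRY_RUN=1 (the default) prints each command instead of running it, so the
# plan can be reviewed first; DRY_RUN=0 executes it and needs root.
: "${DRY_RUN:=1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# failover OLD_IF OLD_SNAT_IP NEW_IF NEW_SNAT_IP NEW_GW
failover() {
    old_if=$1 old_ip=$2 new_if=$3 new_ip=$4 new_gw=$5
    run ip route replace default via "$new_gw" dev "$new_if"
    run ip route flush cache
    # The old SNAT rule may already be gone; do not abort on that.
    run iptables -t nat -D POSTROUTING -o "$old_if" -j SNAT --to-source "$old_ip" || true
    run iptables -t nat -A POSTROUTING -o "$new_if" -j SNAT --to-source "$new_ip"
    # Existing flows keep the NAT mapping stored in their conntrack entry, so
    # delete exactly those entries: the ones whose reply-direction destination
    # (-r / --reply-dst) is the old SNAT address. Unrelated flows survive.
    run conntrack -D -r "$old_ip"
}

# stale_flows OLD_SNAT_IP  (reads `conntrack -L` or /proc/net/nf_conntrack
# output on stdin) prints "proto orig_src orig_dst" for every entry still
# mapped to the old address, i.e. whose second dst= (reply direction) is it.
# Run it before and after the failover to confirm nothing is left behind.
stale_flows() {
    awk -v old="$1" '
    {
        # /proc/net/nf_conntrack lines start with "ipv4 2 tcp 6 ...",
        # conntrack -L lines with "tcp 6 ..."; take the protocol name either way
        proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1
        nsrc = 0; ndst = 0; osrc = ""; odst = ""; rdst = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "src=") == 1 && ++nsrc == 1) osrc = substr($i, 5)
            if (index($i, "dst=") == 1) {
                ndst++
                if (ndst == 1) odst = substr($i, 5)
                if (ndst == 2) rdst = substr($i, 5)
            }
        }
        if (rdst == old) print proto, osrc, odst
    }'
}

# Constructed sample of `conntrack -L` output: two flows SNATed to 203.0.113.5
# (the failed link) and one that was never translated.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.20 sport=50000 dport=443 src=198.51.100.20 dst=203.0.113.5 sport=443 dport=50000 [ASSURED] mark=11 use=1
udp      17 29 src=192.168.1.11 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 mark=0 use=1
tcp      6 299 ESTABLISHED src=192.168.1.12 dst=10.9.0.7 sport=50001 dport=22 src=10.9.0.7 dst=192.168.1.12 sport=22 dport=50001 [ASSURED] mark=0 use=1'

# Typical use, as root, after reviewing the dry-run plan:
#   DRY_RUN=0 failover eth1 203.0.113.5 eth2 192.0.2.9 192.0.2.1
#   conntrack -L 2>/dev/null | stale_flows 203.0.113.5   # expect no output
```

With the sample above, stale_flows 203.0.113.5 reports the tcp and udp flows and skips the untranslated ssh session, and the dry-run plan ends with conntrack -D -r 203.0.113.5 rather than conntrack -F. If the old link is also the only path for some destination, those flows are dead anyway and deleting their entries just lets the next packet be re-tracked and re-NATed on the new link.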
References:
http://linux.derkeiler.com/Mailing-Lists/Debian/2005-08/3411.html
http://lists.netfilter.org/pipermail/netfilter-devel/2002-October/009530.html
http://mailman.ds9a.nl/pipermail/lartc/2003q1/007249.html
http://linux.die.net/man/8/conntrack
http://www.mail-archive.com/netfilter-devel@lists.samba.org/msg01394.html
http://conntrack-tools.netfilter.org/downloads.html
Labels: iptables