iptables DNAT of outgoing destination port, unexpected behavior

Not sure if this should be here or in the security section.

I am developing software that dynamically manipulates netfilter/iptables rules (through system() calls of the command strings, I'm not trying to hack the netfilter code). Basically, UDP messages that are sent by an application on, say, port 55555, I have some rules that DNAT that port to some other port calculated from a time and key based algorithm. That port is recalculated every couple of seconds, and the DNAT rule is replaced. The idea here is to have the port number hop periodically.

This all appeared to be working fine, iptables lists showing the DNAT rule changing exactly as expected, until I saw traffic getting through that shouldn't (I'm sending multiple datagrams per second), so I fired up Wireshark. What I noticed is this - when the first message goes out, the destination port nicely gets translated to the calculated port. But, after this, when the DNAT rule is dynamically changed, the traffic going across the network (between virtual machines in this experiment) continues to show the first calculated destination port.

I also have noticed that if I stop sending for at least 30 seconds and then restart, the messages start to go out using the port number appropriate for this new time slot. Also, if I stop and restart the sending program, it also picks the first correct DNATed destination port and sticks on that one.

So what appears to be happening here is that there is some persistence to that DNAT first port assignment even though I change the DNAT rule. The persistence appears on both ends, because the recipient is running a parallel algorithm for its DNAT rules that should only be allowing the calculated port but also seems to permit passages on this first calculated port as long as they come no less than 30 seconds apart. After 30 seconds, or after stop and restart of the sending app, the persistence is broken (only to be re-established on the next calculated port number).

I don't understand what is causing this persistence - do "established connections" also apply to UDP traffic? Is there a way to eliminate this persistence, or at least make it a much shorter time?

Here's an example of how I set up the rules (executed programmatically with system()):

iptables -t nat -N dport-dnat
iptables -t nat -A dport-dnat -p udp --dport 55555 -j DNAT --to-destination :51279
iptables -t nat -I OUTPUT -p udp -j dport-dnat

then in accordance with my timers something like this will be executed:

iptables -t nat -R dport-dnat 1 -p udp --dport 55555 -j DNAT --to-destination :52871

I always check status, I'm not getting any errors on the calls.

Thanks for any clues.
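
The 30-second persistence described above matches netfilter connection tracking: the nat table is consulted only for the first packet of a flow, later packets reuse the translation stored in that flow's conntrack entry, and an unreplied UDP entry lives for nf_conntrack_udp_timeout (30 seconds by default). The sender-side script below is an added example, not part of the original post; it replaces the rule and then deletes the tracked flows so the next datagram is matched against the new rule. It assumes the dport-dnat chain holds exactly one rule, that conntrack-tools is installed, and a hypothetical DRY_RUN switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's code. Assumptions: dport-dnat holds exactly
# one rule (rule number 1), conntrack-tools is installed, and DRY_RUN is a
# hypothetical switch that prints the commands instead of running them.
APP_PORT=55555

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# hop_port NEW_PORT: point the DNAT rule at NEW_PORT, then drop the tracked
# flows that still carry the previous translation.
hop_port() {
    new_port=$1
    # Accept only 1-5 decimal digits; the value ends up on a command line.
    case $new_port in
        ''|*[!0-9]*|??????*)
            echo "hop_port: invalid port '$new_port'" >&2
            return 2 ;;
    esac
    if [ "$new_port" -lt 1 ] || [ "$new_port" -gt 65535 ]; then
        echo "hop_port: port out of range: $new_port" >&2
        return 2
    fi

    # Replace the rule first: it only affects flows conntrack has not seen yet.
    run iptables -t nat -R dport-dnat 1 -p udp --dport "$APP_PORT" \
        -j DNAT --to-destination ":$new_port" || return 1

    # Delete entries whose original (pre-NAT) destination port is APP_PORT so
    # the next datagram creates a fresh entry from the replaced rule.
    # conntrack exits non-zero when nothing matched, which is not an error here.
    run conntrack -D -p udp --orig-port-dst "$APP_PORT" || true
}
```

Lowering net.netfilter.nf_conntrack_udp_timeout with sysctl shortens the window for every UDP flow on the host, so deleting only the affected entries is the narrower change.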