rpms/conntrack-tools
5
0
Fork 0
Code Issues Pull Requests Releases Activity
5c26870cd5
conntrack-tools/0001-conntrack-ct-label-update-requires-proper-ruleset.patch
Phil Sutter 5c26870cd5 conntrack-tools-1.4.8-1 
- Rebase to version 1.4.8 + fixes from upstream
2024-06-25 20:56:23 +02:00

54 lines
2.2 KiB
Diff
Raw Blame History

From 0eb05477330b89faacb1f46933e8fc00a3795770 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 11 Oct 2023 11:21:40 +0200
Subject: [PATCH] conntrack: ct label update requires proper ruleset
As of kernel 6.6-rc, your ruleset must use either the 'connlabel' match
in iptables or the 'ct label' statement in nftables to attach labels to
conntrack entries. Update documentation to describe this behaviour.
This patch addresses a corner case scenario: conntrack already contains
entries but ruleset that specifies connlabel did not get loaded yet.
In such case, skip ENOSPC errors for conntracks that have no ct label
extension.
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1622
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 58a5b32b2d5c7b6b755121930b6752e6c714f24f)
---
conntrack.8 | 4 ++++
src/conntrack.c | 5 +++++
2 files changed, 9 insertions(+)
diff --git a/conntrack.8 b/conntrack.8
index 031eaa4e9fefb..3b6a15b5152d5 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -193,6 +193,10 @@ Use multiple \-l options to specify multiple labels that need to be set.
Specify the conntrack label to add to the selected conntracks.
This option is only available in conjunction with "\-I, \-\-create",
"\-A, \-\-add" or "\-U, \-\-update".
+As a rule of thumb, you must use either the 'connlabel' match in your iptables
+ruleset or the 'ct label' statement in your nftables ruleset, this turns on the
+ct label support in the kernel and it allows you to update labels via
+"\-U, \-\-update", otherwise label updates are ignored.
.TP
.BI "--label-del " "[LABEL]"
Specify the conntrack label to delete from the selected conntracks.
diff --git a/src/conntrack.c b/src/conntrack.c
index f9758d78d39b9..c1551cadbdb33 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -2195,6 +2195,11 @@ static int mnl_nfct_update_cb(const struct nlmsghdr *nlh, void *data)
/* the entry has vanish in middle of the update */
if (errno == ENOENT)
goto destroy_ok;
+ else if (cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL) &&
+ !nfct_attr_is_set(ct, ATTR_CONNLABELS) &&
+ errno == ENOSPC)
+ goto destroy_ok;
+
exit_error(OTHER_PROBLEM,
"Operation failed: %s",
err2str(errno, CT_UPDATE));
Reference in New Issue View Git Blame Copy Permalink