[PATCH conntrack-tools] conntrack: introduce --labelmap option to specify connlabel.conf path

[PATCH conntrack-tools] conntrack: introduce --labelmap option to specify connlabel.conf path

[Christoph Heiss]

Enables specifying a path to a connlabel.conf to load instead of the
default one at /etc/xtables/connlabel.conf.

nfct_labelmap_new() already allows supplying a custom path to load
labels from, so it just needs to be passed in there.

Signed-off-by: Christoph Heiss <c.heiss@proxmox.com>
---
 conntrack.8         |  7 +++++
 include/conntrack.h |  2 +-
 src/conntrack.c     | 62 +++++++++++++++++++++++++++------------------
 3 files changed, 46 insertions(+), 25 deletions(-)

diff --git a/conntrack.8 b/conntrack.8
index 3b6a15b..2b6da25 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -189,6 +189,13 @@ This option is only available in conjunction with "\-L, \-\-dump",
 Match entries whose labels include those specified as arguments.
 Use multiple \-l options to specify multiple labels that need to be set.
 .TP
+.BI "--labelmap " "PATH"
+Specify the path to a connlabel.conf file to load instead of the default one.
+This option is only available in conjunction with "\-L, \-\-dump", "\-E,
+\-\-event", "\-U \-\-update" or "\-D \-\-delete". Must come before any of
+"\-l, \-\-label", "\-\-label\-add" or "\-\-label\-del", otherwise the argument is
+ignored.
+.TP
 .BI "--label-add " "LABEL"
 Specify the conntrack label to add to the selected conntracks.
 This option is only available in conjunction with "\-I, \-\-create",
diff --git a/include/conntrack.h b/include/conntrack.h
index 6dad4a1..317cab6 100644
--- a/include/conntrack.h
+++ b/include/conntrack.h
@@ -78,7 +78,7 @@ enum ct_command {
 };
 
 #define NUMBER_OF_CMD   _CT_BIT_MAX
-#define NUMBER_OF_OPT   29
+#define NUMBER_OF_OPT   30
 
 struct nf_conntrack;
 
diff --git a/src/conntrack.c b/src/conntrack.c
index 2d4e864..9850825 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -249,6 +249,9 @@ enum ct_options {
 
 	CT_OPT_REPL_ZONE_BIT	= 28,
 	CT_OPT_REPL_ZONE	= (1 << CT_OPT_REPL_ZONE_BIT),
+
+	CT_OPT_LABELMAP_BIT	= 29,
+	CT_OPT_LABELMAP		= (1 << CT_OPT_LABELMAP_BIT),
 };
 /* If you add a new option, you have to update NUMBER_OF_OPT in conntrack.h */
 
@@ -288,6 +291,7 @@ static const char *optflags[NUMBER_OF_OPT] = {
 	[CT_OPT_DEL_LABEL_BIT]	= "label-del",
 	[CT_OPT_ORIG_ZONE_BIT]	= "orig-zone",
 	[CT_OPT_REPL_ZONE_BIT]	= "reply-zone",
+	[CT_OPT_LABELMAP_BIT]	= "labelmap",
 };
 
 static struct option original_opts[] = {
@@ -330,6 +334,7 @@ static struct option original_opts[] = {
 	{"any-nat", 2, 0, 'j'},
 	{"zone", 1, 0, 'w'},
 	{"label", 1, 0, 'l'},
+	{"labelmap", 1, 0, 'M'},
 	{"label-add", 1, 0, '<'},
 	{"label-del", 2, 0, '>'},
 	{"orig-zone", 1, 0, '('},
@@ -339,7 +344,7 @@ static struct option original_opts[] = {
 
 static const char *getopt_str = ":LIUDGEFAhVs:d:r:q:"
 				"p:t:u:e:a:z[:]:{:}:m:i:f:o:n::"
-				"g::c:b:C::Sj::w:l:<:>::(:):";
+				"g::c:b:C::Sj::w:l:<:>::(:):M:";
 
 /* Table of legal combinations of commands and options.  If any of the
  * given commands make an option legal, that option is legal (applies to
@@ -354,27 +359,27 @@ static const char *getopt_str = ":LIUDGEFAhVs:d:r:q:"
 static char commands_v_options[NUMBER_OF_CMD][NUMBER_OF_OPT] =
 /* Well, it's better than "Re: Linux vs FreeBSD" */
 {
-			/* s d r q p t u z e [ ] { } a m i f n g o c b j w l < > ( ) */
-	[CT_LIST_BIT]	= {2,2,2,2,2,0,2,2,0,0,0,2,2,0,2,0,2,2,2,2,2,0,2,2,2,0,0,2,2},
-	[CT_CREATE_BIT]	= {3,3,3,3,1,1,2,0,0,0,0,0,0,2,2,0,0,2,2,0,0,0,0,2,0,2,0,2,2},
-	[CT_UPDATE_BIT]	= {2,2,2,2,2,2,2,0,0,0,0,2,2,0,2,2,2,2,2,2,0,0,0,0,2,2,2,0,0},
-	[CT_DELETE_BIT]	= {2,2,2,2,2,2,2,0,0,0,0,2,2,0,2,2,2,2,2,2,0,0,0,2,2,0,0,2,2},
-	[CT_GET_BIT]	= {3,3,3,3,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2,0,0,0,0,2,0,0,0,0},
-	[CT_FLUSH_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0},
-	[CT_EVENT_BIT]	= {2,2,2,2,2,0,0,0,2,0,0,2,2,0,2,0,2,2,2,2,2,2,2,2,2,0,0,2,2},
-	[CT_VERSION_BIT]= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-	[CT_HELP_BIT]	= {0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-	[EXP_LIST_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,0,0},
-	[EXP_CREATE_BIT]= {1,1,2,2,1,1,2,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-	[EXP_DELETE_BIT]= {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-	[EXP_GET_BIT]	= {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-	[EXP_FLUSH_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-	[EXP_EVENT_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0},
-	[CT_COUNT_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-	[EXP_COUNT_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-	[CT_STATS_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-	[EXP_STATS_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
-	[CT_ADD_BIT]	= {3,3,3,3,1,1,2,0,0,0,0,0,0,2,2,0,0,2,2,0,0,0,0,2,0,2,0,2,2},
+			/* s d r q p t u z e [ ] { } a m i f n g o c b j w l < > ( ) M */
+	[CT_LIST_BIT]	= {2,2,2,2,2,0,2,2,0,0,0,2,2,0,2,0,2,2,2,2,2,0,2,2,2,0,0,2,2,2},
+	[CT_CREATE_BIT]	= {3,3,3,3,1,1,2,0,0,0,0,0,0,2,2,0,0,2,2,0,0,0,0,2,0,2,0,2,2,0},
+	[CT_UPDATE_BIT]	= {2,2,2,2,2,2,2,0,0,0,0,2,2,0,2,2,2,2,2,2,0,0,0,0,2,2,2,0,0,2},
+	[CT_DELETE_BIT]	= {2,2,2,2,2,2,2,0,0,0,0,2,2,0,2,2,2,2,2,2,0,0,0,2,2,0,0,2,2,2},
+	[CT_GET_BIT]	= {3,3,3,3,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,2,0,0,0,0,2,0,0,0,0,0},
+	[CT_FLUSH_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[CT_EVENT_BIT]	= {2,2,2,2,2,0,0,0,2,0,0,2,2,0,2,0,2,2,2,2,2,2,2,2,2,0,0,2,2,2},
+	[CT_VERSION_BIT]= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[CT_HELP_BIT]	= {0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[EXP_LIST_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,2,0,0,0,0,0,0,0,0,0,0},
+	[EXP_CREATE_BIT]= {1,1,2,2,1,1,2,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[EXP_DELETE_BIT]= {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[EXP_GET_BIT]	= {1,1,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[EXP_FLUSH_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[EXP_EVENT_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0},
+	[CT_COUNT_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[EXP_COUNT_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[CT_STATS_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[EXP_STATS_BIT]	= {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0},
+	[CT_ADD_BIT]	= {3,3,3,3,1,1,2,0,0,0,0,0,0,2,2,0,0,2,2,0,0,0,0,2,0,2,0,2,2,0},
 };
 
 static const int cmd2type[][2] = {
@@ -413,6 +418,7 @@ static const int opt2type[] = {
 	['>']	= CT_OPT_DEL_LABEL,
 	['(']	= CT_OPT_ORIG_ZONE,
 	[')']	= CT_OPT_REPL_ZONE,
+	['M']	= CT_OPT_LABELMAP,
 };
 
 static const int opt2maskopt[] = {
@@ -521,7 +527,8 @@ static const char usage_conntrack_parameters[] =
 	"  -e, --event-mask eventmask\t\tEvent mask, eg. NEW,DESTROY\n"
 	"  -z, --zero \t\t\t\tZero counters while listing\n"
 	"  -o, --output type[,...]\t\tOutput format, eg. xml\n"
-	"  -l, --label label[,...]\t\tconntrack labels\n";
+	"  -l, --label label[,...]\t\tconntrack labels\n"
+	"  --labelmap path\t\t\tconnlabel file to use instead of default\n";
 
 static const char usage_expectation_parameters[] =
 	"Expectation parameters and options:\n"
@@ -566,6 +573,7 @@ static unsigned int addr_valid_flags[ADDR_VALID_FLAGS_MAX] = {
 
 static LIST_HEAD(proto_list);
 
+static char *labelmap_path;
 static struct nfct_labelmap *labelmap;
 static int filter_family;
 
@@ -2756,7 +2764,7 @@ static void labelmap_init(void)
 {
 	if (labelmap)
 		return;
-	labelmap = nfct_labelmap_new(NULL);
+	labelmap = nfct_labelmap_new(labelmap_path);
 	if (!labelmap)
 		perror("nfct_labelmap_new");
 }
@@ -3212,6 +3220,10 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
 			socketbuffersize = atol(optarg);
 			options |= CT_OPT_BUFFERSIZE;
 			break;
+		case 'M':
+			labelmap_path = strdup(optarg);
+			options |= CT_OPT_LABELMAP;
+			break;
 		case ':':
 			exit_error(PARAMETER_PROBLEM,
 				   "option `%s' requires an "
@@ -3676,6 +3688,8 @@ try_proc:
 	free_tmpl_objects(&cmd->tmpl);
 	if (labelmap)
 		nfct_labelmap_destroy(labelmap);
+	if (labelmap_path)
+		free(labelmap_path);
 
 	return EXIT_SUCCESS;
 }
-- 
2.49.0

Re: [PATCH conntrack-tools] conntrack: introduce --labelmap option to specify connlabel.conf path

[Florian Westphal]

Christoph Heiss <c.heiss@proxmox.com> wrote:
> Enables specifying a path to a connlabel.conf to load instead of the
> default one at /etc/xtables/connlabel.conf.
> 
> nfct_labelmap_new() already allows supplying a custom path to load
> labels from, so it just needs to be passed in there.

Makes sense, patch looks good to me.

>  3 files changed, 46 insertions(+), 25 deletions(-)
> 
> diff --git a/conntrack.8 b/conntrack.8
> index 3b6a15b..2b6da25 100644
> --- a/conntrack.8
> +++ b/conntrack.8
> @@ -189,6 +189,13 @@ This option is only available in conjunction with "\-L, \-\-dump",
>  Match entries whose labels include those specified as arguments.
>  Use multiple \-l options to specify multiple labels that need to be set.
>  .TP
> +.BI "--labelmap " "PATH"
> +Specify the path to a connlabel.conf file to load instead of the default one.
> +This option is only available in conjunction with "\-L, \-\-dump", "\-E,
> +\-\-event", "\-U \-\-update" or "\-D \-\-delete". Must come before any of
> +"\-l, \-\-label", "\-\-label\-add" or "\-\-label\-del", otherwise the argument is
> +ignored.
> +.TP
>  .BI "--label-add " "LABEL"
>  Specify the conntrack label to add to the selected conntracks.
>  This option is only available in conjunction with "\-I, \-\-create",
> diff --git a/include/conntrack.h b/include/conntrack.h
> index 6dad4a1..317cab6 100644
> --- a/include/conntrack.h
> +++ b/include/conntrack.h
> @@ -78,7 +78,7 @@ enum ct_command {
>  };
>  
>  #define NUMBER_OF_CMD   _CT_BIT_MAX
> -#define NUMBER_OF_OPT   29
> +#define NUMBER_OF_OPT   30
>  
>  struct nf_conntrack;
>  
> diff --git a/src/conntrack.c b/src/conntrack.c
> index 2d4e864..9850825 100644
> --- a/src/conntrack.c
> +++ b/src/conntrack.c
> @@ -249,6 +249,9 @@ enum ct_options {
>  
>  	CT_OPT_REPL_ZONE_BIT	= 28,
>  	CT_OPT_REPL_ZONE	= (1 << CT_OPT_REPL_ZONE_BIT),
> +
> +	CT_OPT_LABELMAP_BIT	= 29,
> +	CT_OPT_LABELMAP		= (1 << CT_OPT_LABELMAP_BIT),

Why is this needed?

> +static char *labelmap_path;
>  static struct nfct_labelmap *labelmap;
>  static int filter_family;
>  
> @@ -2756,7 +2764,7 @@ static void labelmap_init(void)
>  {
>  	if (labelmap)
>  		return;
> -	labelmap = nfct_labelmap_new(NULL);
> +	labelmap = nfct_labelmap_new(labelmap_path);
>  	if (!labelmap)
>  		perror("nfct_labelmap_new");
>  }
> @@ -3212,6 +3220,10 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
>  			socketbuffersize = atol(optarg);
>  			options |= CT_OPT_BUFFERSIZE;
>  			break;
> +		case 'M':
> +			labelmap_path = strdup(optarg);

Should this exit() if labelmap_path != NULL?

> +	if (labelmap_path)
> +		free(labelmap_path);

free(NULL) is ok, so no need for the conditional.

Patch looks fine, but I think it would be good to have a preparation
patch that moves all labelmap_init() calls from do_parse() to into
do_command_ct().

Then the option ordering would not matter anymore.

Re: [PATCH conntrack-tools] conntrack: introduce --labelmap option to specify connlabel.conf path

[Christoph Heiss]

Thanks for the review!

On Fri Jun 13, 2025 at 2:18 PM CEST, Florian Westphal wrote:
> Christoph Heiss <c.heiss@proxmox.com> wrote:
>> Enables specifying a path to a connlabel.conf to load instead of the
>> default one at /etc/xtables/connlabel.conf.
>>
>> nfct_labelmap_new() already allows supplying a custom path to load
>> labels from, so it just needs to be passed in there.
>
> Makes sense, patch looks good to me.
>
>>  3 files changed, 46 insertions(+), 25 deletions(-)
>> [..]
>> diff --git a/src/conntrack.c b/src/conntrack.c
>> index 2d4e864..9850825 100644
>> --- a/src/conntrack.c
>> +++ b/src/conntrack.c
>> @@ -249,6 +249,9 @@ enum ct_options {
>>
>>  	CT_OPT_REPL_ZONE_BIT	= 28,
>>  	CT_OPT_REPL_ZONE	= (1 << CT_OPT_REPL_ZONE_BIT),
>> +
>> +	CT_OPT_LABELMAP_BIT	= 29,
>> +	CT_OPT_LABELMAP		= (1 << CT_OPT_LABELMAP_BIT),
>
> Why is this needed?

Honestly, the option parsing is quite convoluted.

But it's used for indexing into `optflags`, which in turned is used by
generic_opt_check().

As `--labelmap` can only be used with `--label{-add,-del}` and thus
`-L`, `-E`, `-U` and `-D`, this is appropriately reflected in
`commands_v_options`.

Based on that, generic_opt_check() will then throw an error/abort if
`--labelmap` is used with any other command, e.g.:

  conntrack v1.4.8 (conntrack-tools): Illegal option `--labelmap' with this command
  Try `conntrack -h' or 'conntrack --help' for more information.

At least what I got after tracing quite a bit through the code.

>> [..]
>> @@ -3212,6 +3220,10 @@ static void do_parse(struct ct_cmd *ct_cmd, int argc, char *argv[])
>>  			socketbuffersize = atol(optarg);
>>  			options |= CT_OPT_BUFFERSIZE;
>>  			break;
>> +		case 'M':
>> +			labelmap_path = strdup(optarg);
>
> Should this exit() if labelmap_path != NULL?

Don't have a strong preference on this, but probably makes sense to
abort in case the user ever specifies the option multiple times. I'll
add that.

>
>> +	if (labelmap_path)
>> +		free(labelmap_path);
>
> free(NULL) is ok, so no need for the conditional.

Ack.

>
> Patch looks fine, but I think it would be good to have a preparation
> patch that moves all labelmap_init() calls from do_parse() to into
> do_command_ct().
>
> Then the option ordering would not matter anymore.

Can do that. Will just entail a bit more refactoring around the
--label{-add,-del} option parsing, as that relies on an already
initialized labelmap.

Re: [PATCH conntrack-tools] conntrack: introduce --labelmap option to specify connlabel.conf path

[Florian Westphal]

Christoph Heiss <c.heiss@proxmox.com> wrote:
> But it's used for indexing into `optflags`, which in turned is used by
> generic_opt_check().
> 
> As `--labelmap` can only be used with `--label{-add,-del}` and thus
> `-L`, `-E`, `-U` and `-D`, this is appropriately reflected in
> `commands_v_options`.
> 
> Based on that, generic_opt_check() will then throw an error/abort if
> `--labelmap` is used with any other command, e.g.:
> 
>   conntrack v1.4.8 (conntrack-tools): Illegal option `--labelmap' with this command
>   Try `conntrack -h' or 'conntrack --help' for more information.

Makes sense, thanks.

> > Should this exit() if labelmap_path != NULL?
> 
> Don't have a strong preference on this, but probably makes sense to
> abort in case the user ever specifies the option multiple times. I'll
> add that.

Thanks!

> Can do that. Will just entail a bit more refactoring around the
> --label{-add,-del} option parsing, as that relies on an already
> initialized labelmap.

Right, if this becomes too convoluted then another alternative
is to error out if the --labelmap option is seen but the initalisation
was already done with an error message indicating that the labelmap
option must come first.