netfilter-devel.vger.kernel.org archive mirror
* [PATCH conntrack,v6] conntrack: ct label update requires proper ruleset
@ 2023-10-12 20:48 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2023-10-12 20:48 UTC (permalink / raw)
  To: netfilter-devel; +Cc: fw

As of kernel 6.6-rc, your ruleset must use either the 'connlabel' match
in iptables or the 'ct label' statement in nftables to attach labels to
conntrack entries. Update documentation to describe this behaviour.

This patch addresses a corner case scenario: conntrack already contains
entries, but the ruleset that specifies connlabel has not been loaded yet.
In such a case, skip ENOSPC errors for conntracks that have the ct label
extension.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1622
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v6: fix patch subject, it was still referring to a misconception.

 conntrack.8     | 4 ++++
 src/conntrack.c | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/conntrack.8 b/conntrack.8
index 031eaa4e9fef..3b6a15b5152d 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -193,6 +193,10 @@ Use multiple \-l options to specify multiple labels that need to be set.
 Specify the conntrack label to add to the selected conntracks.
 This option is only available in conjunction with "\-I, \-\-create",
 "\-A, \-\-add" or "\-U, \-\-update".
+As a rule of thumb, you must use either the 'connlabel' match in your iptables
+ruleset or the 'ct label' statement in your nftables ruleset, this turns on the
+ct label support in the kernel and it allows you to update labels via
+"\-U, \-\-update", otherwise label updates are ignored.
 .TP
 .BI "--label-del " "[LABEL]"
 Specify the conntrack label to delete from the selected conntracks.
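Review bot: the added paragraph is one run-on with a comma splice ("... nftables ruleset, this turns on ...") and "As a rule of thumb" reads as advice, whereas the commit message describes a hard requirement as of kernel 6.6-rc; suggest splitting it and naming the kernel version, e.g. "Since Linux 6.6, labels are only attached if your ruleset uses either the 'connlabel' match (iptables) or the 'ct label' statement (nftables). This enables ct label support in the kernel; otherwise label updates via "\-U, \-\-update" are silently ignored."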
diff --git a/src/conntrack.c b/src/conntrack.c
index f9758d78d39b..c1551cadbdb3 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -2195,6 +2195,11 @@ static int mnl_nfct_update_cb(const struct nlmsghdr *nlh, void *data)
 		/* the entry has vanish in middle of the update */
 		if (errno == ENOENT)
 			goto destroy_ok;
+		else if (cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL) &&
+			 !nfct_attr_is_set(ct, ATTR_CONNLABELS) &&
+			 errno == ENOSPC)
+			goto destroy_ok;
+
 		exit_error(OTHER_PROBLEM,
 			   "Operation failed: %s",
 			   err2str(errno, CT_UPDATE));
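Review bot: the new branch swallows ENOSPC only when ATTR_CONNLABELS is not set on the entry, i.e. for entries that do not carry the label extension (those created before the connlabel ruleset was loaded), while the description says the errors are skipped "for conntracks that have ct label extension"; the text or the condition should be aligned so the rationale matches the code. A short comment mirroring the one above the ENOENT check would also help a future reader, e.g. `/* entry predates the ruleset enabling ct labels, the kernel cannot attach one */`, and wrapping `(cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL))` in its own parentheses makes the precedence against `&&` obvious at a glance.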
-- 
2.30.2