bugzilla-daemon at netfilter.org
2023-Oct-11 10:09 UTC
[Bug 1622] Changing ICMP conntracks labels does not work
https://bugzilla.netfilter.org/show_bug.cgi?id=1622

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---

(In reply to Pablo Neira Ayuso from comment #1)
> > 3. Try to add "testlabel" label:
> >
> > # conntrack --protonum icmp --update --label-add testlabel
> > conntrack v1.4.6 (conntrack-tools): 1 flow entries have been updated.
>
> See:
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231011095503.131168-1-pablo at netfilter.org/
>
> You have to set a default conntrack label when the conntrack entry is
> created if you plan to update:
>
> # conntrack -U --label-add testlabel --dst 9.9.9.9
> icmp 1 28 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547 src=9.9.9.9 dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=2 labels=default,testlabel
> conntrack v1.4.8 (conntrack-tools): 1 flow entries have been updated.
>
> An attempt to update an entry without an initial label is ignored:
>
> # conntrack -L -o label
> tcp 6 431836 ESTABLISHED src=34.117.65.55 dst=192.168.2.130 sport=443 dport=36366 src=192.168.2.130 dst=34.117.65.55 sport=36366 dport=443 [ASSURED] mark=0 use=1
> icmp 1 26 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547 src=9.9.9.9 dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=1 labels=default,testlabel
> conntrack v1.4.8 (conntrack-tools): 2 flow entries have been shown.
>
> Your nftables ruleset should do something like:
>
> table ip x {
>         chain y {
>                 type filter hook input priority 0
>
>                 ct state new ct label set "default" counter
>         }
> }

My connlabel.conf for this test contains, BTW:

0 default
1 testlabel

so you have to define such a default label.

--
You are receiving this mail because:
You are watching all bug changes.
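The following is an added example and is not code from the bug report or from conntrack-tools. It parses the connlabel.conf format quoted above ("<bit> <name>" per line), converts between label names and the 128-bit label bitmap that conntrack stores, and scans `conntrack -L -o label` style output for flows that carry no label at all; those are the entries that a later `conntrack -U --label-add` silently leaves unchanged, which is the behaviour the comment describes. The listing it scans is a constructed sample built from the two flows quoted in the comment; the function and variable names are this example's own.

```python
# Added example: parse connlabel.conf, map label names <-> bitmap, and find
# conntrack entries that have no label bit set (so cannot be relabelled later).
import re

MAX_LABEL_BITS = 128  # a conntrack label set is a 128-bit bitmap

# connlabel.conf text, as shown in the comment above
CONNLABEL_CONF = """\
# bit  name
0 default
1 testlabel
"""

# Constructed sample in the format of `conntrack -L -o label`; the two flows
# are the ones quoted in the comment (tcp without labels, icmp with labels).
CONNTRACK_LIST = """\
tcp 6 431836 ESTABLISHED src=34.117.65.55 dst=192.168.2.130 sport=443 dport=36366 src=192.168.2.130 dst=34.117.65.55 sport=36366 dport=443 [ASSURED] mark=0 use=1
icmp 1 26 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547 src=9.9.9.9 dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=1 labels=default,testlabel
"""


def parse_connlabel_conf(text):
    """Parse connlabel.conf text into {name: bit}.

    Blank lines and '#' comments are ignored. Raises ValueError on a malformed
    line, a bit outside 0..127, or a duplicate bit number or label name.
    """
    names, used_bits = {}, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"line {lineno}: expected '<bit> <name>', got {raw!r}")
        bit, name = int(parts[0]), parts[1]
        if not 0 <= bit < MAX_LABEL_BITS:
            raise ValueError(f"line {lineno}: bit {bit} outside 0..{MAX_LABEL_BITS - 1}")
        if bit in used_bits or name in names:
            raise ValueError(f"line {lineno}: duplicate bit or name in {raw!r}")
        used_bits.add(bit)
        names[name] = bit
    return names


def conf_error(text):
    """Return the validation error for a connlabel.conf text, or None if it is valid."""
    try:
        parse_connlabel_conf(text)
    except ValueError as exc:
        return str(exc)
    return None


def labels_to_mask(labels, names):
    """Map label names to the bitmap value conntrack stores (each name sets one bit)."""
    return sum(1 << names[label] for label in set(labels))


def mask_to_labels(mask, names):
    """Decode a bitmap back to label names, lowest bit first; unnamed bits show as 'bitN'."""
    by_bit = {bit: name for name, bit in names.items()}
    return [by_bit.get(b, f"bit{b}") for b in range(MAX_LABEL_BITS) if (mask >> b) & 1]


_TOKEN = re.compile(r"(\w+)=(\S+)")


def parse_flow_line(line):
    """Split one `conntrack -L` line into (proto, first-seen key=value fields, labels).

    The original-direction src/dst come first on the line, so only the first
    occurrence of each key is kept. Bare tokens such as ESTABLISHED or
    [ASSURED] are skipped.
    """
    parts = line.split()
    proto = parts[0]
    fields = {}
    for token in parts[3:]:
        m = _TOKEN.fullmatch(token)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    labels = fields.get("labels", "")
    return proto, fields, labels.split(",") if labels else []


def unlabelled_flows(listing):
    """Return (proto, src, dst) for every flow with no label bit set.

    These are the entries on which `conntrack -U --label-add` has no effect,
    because no label was assigned when the entry was created.
    """
    found = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        proto, fields, labels = parse_flow_line(line)
        if not labels:
            found.append((proto, fields["src"], fields["dst"]))
    return found


if __name__ == "__main__":
    names = parse_connlabel_conf(CONNLABEL_CONF)
    print("labels:", names)
    print("mask for default,testlabel:", labels_to_mask(["default", "testlabel"], names))
    print("flows with no label (not updatable):", unlabelled_flows(CONNTRACK_LIST))
```

Running the script against the sample listing reports the tcp flow as unlabelled, while the icmp flow decodes to bits 0 and 1 (mask 3), matching the `labels=default,testlabel` shown in the comment.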