[Bug 1622] Changing ICMP conntracks labels does not work

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Oct 11 11:57:36 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1622

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |pablo at netfilter.org
         Resolution|---                         |FIXED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
> 3. Try to add "testlabel" label:
>
> # conntrack --protonum icmp --update --label-add testlabel
> conntrack v1.4.6 (conntrack-tools): 1 flow entries have been updated.

See:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231011095503.131168-1-pablo@netfilter.org/

You have to set a default conntrack label when the conntrack entry is created
if you plan to update:

# conntrack -U --label-add testlabel --dst 9.9.9.9
icmp     1 28 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547 src=9.9.9.9
dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=2 labels=default,testlabel
conntrack v1.4.8 (conntrack-tools): 1 flow entries have been updated.

An attempt to update an entry without an initial label is ignored:

# conntrack -L -o label
tcp      6 431836 ESTABLISHED src=34.117.65.55 dst=192.168.2.130 sport=443
dport=36366 src=192.168.2.130 dst=34.117.65.55 sport=36366 dport=443 [ASSURED]
mark=0 use=1
icmp     1 26 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547 src=9.9.9.9
dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=1 labels=default,testlabel
conntrack v1.4.8 (conntrack-tools): 2 flow entries have been shown.

Your nftables ruleset should do something like:

table ip x {
        chain y {
                type filter hook input priority 0

                ct state new ct label set "default" counter
        }
}
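The practical follow-up to the comment above is checking which existing flows will silently ignore a `--label-add`: any entry created before the `ct label set "default"` rule was loaded carries no label and therefore cannot be updated. The following POSIX shell check is an added example, not code from the bug report or from conntrack-tools; it reads the one-flow-per-line output of `conntrack -L -o label` (the listing in the email was wrapped by the mail client) and prints the protocol and original-direction addresses of every flow that lacks the requested label. The function names `flows_without_label` and `sample_conntrack_output` are chosen here, and the sample listing is constructed from the flows shown in the comment plus one extra UDP flow.

```shell
#!/bin/sh
# Added example (not part of the bug report or conntrack-tools):
# list conntrack flows that do not carry a given label, i.e. flows on which
# `conntrack -U --label-add <label>` will have no effect.

flows_without_label() {
    # $1: label to look for; stdin: output of `conntrack -L -o label`
    awk -v want="$1" '
        # Flow lines start with "<proto> <protonum> <timeout> ...";
        # the "conntrack v1.4.8 ...: N flow entries" summary does not match.
        /^[a-z]+ +[0-9]+ / {
            have = 0; src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                # first src=/dst= pair is the original direction
                if ($i ~ /^src=/ && src == "") src = $i
                if ($i ~ /^dst=/ && dst == "") dst = $i
                if ($i ~ /^labels=/) {
                    # labels=a,b,c -> compare each name exactly, not as a substring
                    n = split(substr($i, 8), lbl, ",")
                    for (j = 1; j <= n; j++) if (lbl[j] == want) have = 1
                }
            }
            if (!have) print $1, src, dst
        }'
}

sample_conntrack_output() {
    # Constructed sample modelled on the listing in the bug report.
    # Real conntrack prints each flow on a single line.
    cat <<'EOF'
tcp      6 431836 ESTABLISHED src=34.117.65.55 dst=192.168.2.130 sport=443 dport=36366 src=192.168.2.130 dst=34.117.65.55 sport=36366 dport=443 [ASSURED] mark=0 use=1
icmp     1 26 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547 src=9.9.9.9 dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=1 labels=default,testlabel
udp      17 29 src=192.168.2.130 dst=192.168.2.1 sport=40000 dport=53 src=192.168.2.1 dst=192.168.2.130 sport=53 dport=40000 mark=0 use=1 labels=testlabel
conntrack v1.4.8 (conntrack-tools): 3 flow entries have been shown.
EOF
}

# On a live system (as root) the check is:
#   conntrack -L -o label 2>/dev/null | flows_without_label default
# Here it runs on the constructed sample and reports the tcp and udp flows.
sample_conntrack_output | flows_without_label default
```

Flows reported by this check were created before the `ct state new ct label set "default"` rule existed (or were not seen by that chain); they will keep ignoring label updates until they time out or are recreated, which is the behaviour the comment describes.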
