<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:pablo@netfilter.org" title="Pablo Neira Ayuso <pablo@netfilter.org>"> <span class="fn">Pablo Neira Ayuso</span></a>
</span> changed
<a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - Changing ICMP conntracks labels does not work"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1622">bug 1622</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">Status</td>
<td>NEW
</td>
<td>RESOLVED
</td>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>pablo@netfilter.org
</td>
</tr>
<tr>
<td style="text-align:right;">Resolution</td>
<td>---
</td>
<td>FIXED
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - Changing ICMP conntracks labels does not work"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1622#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED FIXED - Changing ICMP conntracks labels does not work"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1622">bug 1622</a>
from <span class="vcard"><a class="email" href="mailto:pablo@netfilter.org" title="Pablo Neira Ayuso <pablo@netfilter.org>"> <span class="fn">Pablo Neira Ayuso</span></a>
</span></b>
<pre><span class="quote">> 3. Try to add "testlabel" label:</span>
>
<span class="quote">> # conntrack --protonum icmp --update --label-add testlabel
> conntrack v1.4.6 (conntrack-tools): 1 flow entries have been updated.</span>
See:
<a href="https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231011095503.131168-1-pablo@netfilter.org/">https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231011095503.131168-1-pablo@netfilter.org/</a>
You have to set a default conntrack label when the conntrack entry is created
if you plan to update:
# conntrack -U --label-add testlabel --dst 9.9.9.9
icmp 1 28 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547 src=9.9.9.9
dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=2 labels=default,testlabel
conntrack v1.4.8 (conntrack-tools): 1 flow entries have been updated.
An attempt to update an entry without an initial label is ignored:
# conntrack -L -o label
tcp 6 431836 ESTABLISHED src=34.117.65.55 dst=192.168.2.130 sport=443
dport=36366 src=192.168.2.130 dst=34.117.65.55 sport=36366 dport=443 [ASSURED]
mark=0 use=1
icmp 1 26 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547 src=9.9.9.9
dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=1 labels=default,testlabel
conntrack v1.4.8 (conntrack-tools): 2 flow entries have been shown.
Your nftables ruleset should do something like:
table ip x {
chain y {
type filter hook input priority 0
ct state new ct label set "default" counter
}
}</pre>
</div>
</p>
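<p>As an added example (not part of the bug report or of conntrack-tools), a small parser for the <code>conntrack -L -o label</code> listing format shown in the comment above. It reports entries that carry no label at all, which are exactly the entries a later <code>conntrack -U --label-add</code> would silently skip, so a defender can see where the <code>ct label set "default"</code> rule at connection creation is missing. The sample listing is constructed, with the wrapped lines joined as conntrack prints them.</p>

```python
"""Parse `conntrack -L -o label` listings and flag entries that carry no label."""

# Constructed sample modelled on the listing in the comment above; conntrack
# prints each entry on a single line, so the wrapped lines are joined here.
SAMPLE = """\
tcp      6 431836 ESTABLISHED src=34.117.65.55 dst=192.168.2.130 sport=443 dport=36366 src=192.168.2.130 dst=34.117.65.55 sport=36366 dport=443 [ASSURED] mark=0 use=1
icmp     1 26 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547 src=9.9.9.9 dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=1 labels=default,testlabel
udp      17 29 src=192.168.2.130 dst=9.9.9.9 sport=5353 dport=53 src=9.9.9.9 dst=192.168.2.130 sport=53 dport=5353 mark=0 use=1 labels=default
"""


def parse_entry(line):
    """Split one conntrack line into proto, timeout, tuples, flags and labels."""
    tokens = line.split()
    if len(tokens) < 3:
        return None
    entry = {
        "proto": tokens[0], "protonum": int(tokens[1]), "timeout": int(tokens[2]),
        "state": None, "flags": [], "labels": [], "orig": {}, "reply": {},
    }
    direction = "orig"
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])        # e.g. ASSURED, UNREPLIED
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key == "labels":
                entry["labels"] = value.split(",")  # comma-separated label names
            elif key in ("mark", "use", "zone", "secctx"):
                entry[key] = value                  # per-entry fields, not tuple fields
            else:
                # a tuple key seen a second time (src again) starts the reply tuple
                if key in entry[direction]:
                    direction = "reply"
                entry[direction][key] = value
        else:
            entry["state"] = tok                    # e.g. ESTABLISHED for tcp
    return entry


def unlabeled_entries(output):
    """Entries with no label: a later `conntrack -U --label-add` on these is
    silently ignored, so they needed a default label set when created."""
    entries = (parse_entry(l) for l in output.splitlines() if l.strip())
    return [e for e in entries if e is not None and not e["labels"]]


if __name__ == "__main__":
    for e in unlabeled_entries(SAMPLE):
        print(f"no label: {e['proto']} {e['orig']['src']} -> {e['orig']['dst']}")
```

Pipe real output into it with <code>conntrack -L -o label | python3 script.py</code> after replacing <code>SAMPLE</code> with <code>sys.stdin.read()</code>.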
</body>
</html>