[Bug 1622] Changing ICMP conntracks labels does not work

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Oct 11 12:09:31 CEST 2023


https://bugzilla.netfilter.org/show_bug.cgi?id=1622

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #1)
> > 3. Try to add "testlabel" label:
> >
> > # conntrack --protonum icmp --update --label-add testlabel
> > conntrack v1.4.6 (conntrack-tools): 1 flow entries have been updated.
> 
> See:
> 
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20231011095503.131168-1-pablo at netfilter.org/
> 
> You have to set a default conntrack label when the conntrack entry is
> created if you plan to update:
> 
> # conntrack -U --label-add testlabel --dst 9.9.9.9
> icmp     1 28 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547
> src=9.9.9.9 dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=2
> labels=default,testlabel
> conntrack v1.4.8 (conntrack-tools): 1 flow entries have been updated.
> 
> attempt to update an entry without an initial label is ignored:
> 
> # conntrack -L -o label
> tcp      6 431836 ESTABLISHED src=34.117.65.55 dst=192.168.2.130 sport=443
> dport=36366 src=192.168.2.130 dst=34.117.65.55 sport=36366 dport=443
> [ASSURED] mark=0 use=1
> icmp     1 26 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547
> src=9.9.9.9 dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=1
> labels=default,testlabel
> conntrack v1.4.8 (conntrack-tools): 2 flow entries have been shown.
> 
> Your nftables ruleset should do something like:
> 
> table ip x {
>         chain y {
>                 type filter hook input priority 0
> 
>                 ct state new ct label set "default" counter
>         }
> }

My connlabel.conf for this test contains, BTW:

0 default
1 testlabel

so you have to define such a default label.

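The recipe from the comment, carried through end to end as an added example (this is not code from the bug report or from conntrack-tools): define the label names, have nftables stamp every new flow with "default" so the conntrack entry gets a label extension at creation time, then add "testlabel" with `conntrack -U` and verify. The table/chain names, the label names and the 9.9.9.9 target follow the comment; the assumptions are that `/etc/xtables/connlabel.conf` is the file conntrack reads for label names, and the extra output-hook chain, which is added here because a locally generated ping is seen first on the output path. The script also includes a small offline check, `unlabeled_entries`, that reads `conntrack -L -o label` output and lists the flows with no label at all, i.e. exactly the entries on which `--label-add` will be silently ignored.

```shell
#!/bin/sh
# Added example, not code from the bug report or from conntrack-tools.
# Reproduces the recipe in comment #2: define the labels, have nftables stamp
# every new flow with "default", then add "testlabel" with conntrack -U.
# Assumptions: /etc/xtables/connlabel.conf is the label-name file conntrack
# reads; table/chain names x/y, label names and 9.9.9.9 follow the comment;
# chain z (output hook) is added so a locally generated ping is covered.
# Only run_demo needs root, nft and conntrack-tools; the helpers run anywhere.

CONNLABEL_CONF=${CONNLABEL_CONF:-/etc/xtables/connlabel.conf}

# Exit 0 if label NAME ("$1") is defined in connlabel file "$2".
# File format is one "<bit> <name>" pair per line; the kernel keeps labels in
# a 128-bit field, so bits 0..127 are usable.
label_defined() {
    awk -v want="$1" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && $1 ~ /^[0-9]+$/ && $2 == want { ok = 1 }
        END { exit ok ? 0 : 1 }' "$2"
}

# Read `conntrack -L -o label` output on stdin and print one line per flow
# that carries no label at all, as "<proto> <orig src> <orig dst>".
# These are exactly the entries on which `conntrack -U --label-add` is ignored.
unlabeled_entries() {
    awk '
        /labels=/ { next }
        {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/) src = substr($i, 5)
                if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            }
            print $1, src, dst
        }'
}

# Constructed sample, modelled on the listing in the comment (one entry per line).
sample_conntrack_output() {
    printf '%s\n' \
      'tcp      6 431836 ESTABLISHED src=34.117.65.55 dst=192.168.2.130 sport=443 dport=36366 src=192.168.2.130 dst=34.117.65.55 sport=36366 dport=443 [ASSURED] mark=0 use=1' \
      'icmp     1 26 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=56547 src=9.9.9.9 dst=192.168.2.130 type=0 code=0 id=56547 mark=0 use=1 labels=default,testlabel'
}

# The four steps of the recipe; needs root, nft and conntrack-tools.
run_demo() {
    # 1. Label names: bit 0 is "default", bit 1 is "testlabel".
    printf '0 default\n1 testlabel\n' > "$CONNLABEL_CONF"
    label_defined default "$CONNLABEL_CONF" || { echo "default label missing" >&2; return 1; }

    # 2. Stamp every new flow with "default" so the entry gets a label
    #    extension. Input hook as in the comment; output hook added so the
    #    locally originated ping below is labelled as well.
    nft -f - <<'EOF'
table ip x {
        chain y {
                type filter hook input priority 0; policy accept;
                ct state new ct label set "default" counter
        }
        chain z {
                type filter hook output priority 0; policy accept;
                ct state new ct label set "default" counter
        }
}
EOF

    # 3. Create an ICMP entry, then add the second label to it.
    ping -c 1 -W 2 9.9.9.9 >/dev/null 2>&1
    conntrack -U -p icmp --dst 9.9.9.9 --label-add testlabel

    # 4. Verify, and list any flows that still carry no label at all.
    conntrack -L -p icmp --dst 9.9.9.9 -o label 2>/dev/null | grep -q 'labels=.*testlabel' \
        || { echo "testlabel not set" >&2; return 1; }
    conntrack -L -o label 2>/dev/null | unlabeled_entries
}

if [ "${1-}" = run ]; then
    run_demo
fi
```

Run as `sh labels.sh run` on the host being tested (root required); without the `run` argument the script only defines the helpers, so `conntrack -L -o label | unlabeled_entries` can be used on its own to find the flows that were created before the `ct label set` rule existed and therefore cannot be updated.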