Message ID | 1453720548-14413-1-git-send-email-ast@fiberby.dk
---|---
State | Accepted
Delegated to: | Pablo Neira
On Mon, Jan 25, 2016 at 11:15:44AM +0000, Asbjørn Sloth Tønnesen wrote:
> This option was already silently allowed by 991fc4ae,
> but didn't have any effect.
>
> This patch adds the check and documents it.

Applied, thanks.

> Cc: Clemence Faure <clemence.faure@sophos.com>
> Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
> ---
>
> Notes:
>     I tried to create a test case as well, but I didn't
>     seem to be able to get --label-add to work with
>     create.

Cc'ing Florian. I think it would be good to have a test for this label
support for conntrack.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Mon, Jan 25, 2016 at 11:15:44AM +0000, Asbjørn Sloth Tønnesen wrote:
> > This option was already silently allowed by 991fc4ae,
> > but didn't have any effect.
> >
> > This patch adds the check and documents it.
>
> Applied, thanks.
>
> > Cc: Clemence Faure <clemence.faure@sophos.com>
> > Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
> > ---
> >
> > Notes:
> >     I tried to create a test case as well, but I didn't
> >     seem to be able to get --label-add to work with
> >     create.

It only works if a -m connlabel rule exists on the system at the moment.

https://patchwork.ozlabs.org/patch/553363/ extends it to nftables.

> Cc'ing Florian. I think it would be good to have a test for this label
> support for conntrack.

Right. We could just add

nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1);

when attempting to add a label via ctnetlink and label support isn't active.

However, unlike the nft/xtables path this would be one-way: when you have a
ruleset that uses -m connlabel, then flush/delete the ruleset, the extension
will not be added to new conntracks anymore, since the ->destroy() hook
invocation will _put the connlabel extension usage count.

For ctnetlink there is no such thing, unfortunately (unless we'd add refcnts
to the individual conntracks, but that's something I don't want to do since
it seems ridiculously expensive with no real gain).
diff --git a/conntrack.8 b/conntrack.8 index a981a76..970c2d7 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -146,7 +146,7 @@ In "\-\-create" mode, the mask is ignored. .TP .BI "-l, --label " "LABEL" Specify a conntrack label. -This option is only available in conjunction with "\-L, \-\-dump", "\-E, \-\-event", or "\-U \-\-update". +This option is only available in conjunction with "\-L, \-\-dump", "\-E, \-\-event", "\-U \-\-update" or "\-D \-\-delete". Match entries whose labels match at least those specified. Use multiple \-l commands to specify multiple labels that need to be set. Match entries whose labels matches at least those specified as arguments. diff --git a/src/conntrack.c b/src/conntrack.c index 45b8822..b5a0a13 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -1355,6 +1355,9 @@ static int delete_cb(enum nf_conntrack_msg_type type, if (filter_mark(ct)) return NFCT_CB_CONTINUE; + if (filter_label(ct)) + return NFCT_CB_CONTINUE; + if (options & CT_COMPARISON && !nfct_cmp(obj, ct, NFCT_CMP_ALL | NFCT_CMP_MASK)) return NFCT_CB_CONTINUE;
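Review bot: the conntrack.8 hunk writes the new alternative as "\-D \-\-delete" without the comma the other entries use ("\-L, \-\-dump", "\-E, \-\-event"); it copies that from "\-U \-\-update", and since the line is being rewritten anyway both should become "\-U, \-\-update" or "\-D, \-\-delete". The unchanged context right below also says the same thing twice ("Match entries whose labels match at least those specified." and "Match entries whose labels matches at least those specified as arguments.", the second with a number-agreement error); dropping the duplicate here or in a follow-up would leave the paragraph readable. One sentence on what the option means for deletion would help too, since the commit message says -D -l was previously accepted and ignored, so until now the label did not narrow what got deleted: something like "With \-D, only entries carrying all of the given labels are deleted."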
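Review bot: in the src/conntrack.c hunk the filter_label() check is placed directly after filter_mark() and ahead of the CT_COMPARISON test, which matches how the other per-entry filters are ordered in delete_cb, so the logic looks right. Two things to confirm: the hunk only shows the callback, so please double-check that the option-compatibility table already lists -l for -D (the commit message relies on 991fc4ae having done that; if it did not, this check is unreachable), and the Notes say no test could be written because --label-add did not work with create, which per the thread needs a -m connlabel rule loaded first; a testsuite case that installs such a rule, adds a label with -U --label-add, then runs -D -l and checks that only the labelled entry is gone would exercise exactly these three lines.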
This option was already silently allowed by 991fc4ae,
but didn't have any effect.

This patch adds the check and documents it.

Cc: Clemence Faure <clemence.faure@sophos.com>
Signed-off-by: Asbjørn Sloth Tønnesen <ast@fiberby.dk>
---

Notes:
    I tried to create a test case as well, but I didn't
    seem to be able to get --label-add to work with
    create.

 conntrack.8     | 2 +-
 src/conntrack.c | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
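The man page text in the patch says a label filter matches "entries whose labels match at least those specified", and the new delete_cb check skips every entry that fails that test, so `conntrack -D -l A -l B` removes only entries carrying both A and B, while before the patch the option was accepted and ignored and the deletion was not narrowed at all. The following is an added model of that decision, not code from conntrack-tools or from the patch: the label-name table, the conntrack entries, and the function names (label_bit, build_filter, label_filter_skips, count_deleted) are constructed for the example. The real tool resolves names through its connlabel.conf mapping and libnetfilter_conntrack bitmasks; the model keeps only the documented semantics, including the edge cases that an entry with no labels never matches a label filter and that an empty filter (no -l at all) skips nothing.

```c
/* Added example modelling the client-side label filter that `conntrack -D -l`
 * applies per entry. Not conntrack-tools code; table, entries and names are
 * constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 128u
#define WORDS (MAX_LABELS / 32u)
#define ARRAY_SIZE(a) (sizeof (a) / sizeof (a)[0])

struct label_map { const char *name; unsigned int bit; };

/* Constructed "bit name" table in the style of /etc/xtables/connlabel.conf. */
static const struct label_map example_map[] = {
    { "web",      0 },
    { "blocked",  1 },
    { "internal", 7 },
    { "vpn",     64 },   /* lives in the third 32-bit word: multi-word bitmaps */
};

struct ct_entry {
    const char *desc;
    uint32_t labels[WORDS];   /* all-zero == entry carries no labels */
};

/* Constructed conntrack table standing in for what `conntrack -L` would list. */
static const struct ct_entry example_table[] = {
    { "tcp 10.0.0.5:51234 -> 198.51.100.7:443", { (1u << 0) } },                /* web */
    { "tcp 10.0.0.9:40000 -> 198.51.100.7:443", { (1u << 0) | (1u << 1) } },    /* web, blocked */
    { "udp 10.0.0.9:5353  -> 224.0.0.251:5353", { 0 } },                        /* no labels */
    { "tcp 10.0.0.2:2222  -> 10.8.0.1:22",      { (1u << 7), 0, (1u << 0) } },  /* internal, vpn */
    { "tcp 10.0.0.2:2223  -> 198.51.100.7:443", { (1u << 0) | (1u << 1) | (1u << 7) } }, /* web, blocked, internal */
};

/* Resolve a label name to its bit; -1 for an unknown name (the tool refuses it). */
static int label_bit(const char *name)
{
    for (size_t i = 0; i < ARRAY_SIZE(example_map); i++)
        if (strcmp(example_map[i].name, name) == 0)
            return (int)example_map[i].bit;
    return -1;
}

/* Accumulate the "-l NAME" arguments into one filter bitmap.
 * Returns 0 on success, -1 if any name is unknown (then nothing is deleted). */
static int build_filter(const char *const *names, size_t n, uint32_t *want)
{
    memset(want, 0, WORDS * sizeof *want);
    for (size_t i = 0; i < n; i++) {
        int bit = label_bit(names[i]);
        if (bit < 0)
            return -1;
        want[bit / 32] |= 1u << (bit % 32);
    }
    return 0;
}

/* The decision the patch adds to delete_cb: nonzero means "skip this entry"
 * (it survives the delete). An entry matches only if every requested bit is
 * set, so a superset of labels matches and a missing label or no labels at
 * all does not. With an empty filter nothing is skipped. */
static int label_filter_skips(const uint32_t *want, const uint32_t *have)
{
    for (size_t w = 0; w < WORDS; w++)
        if ((have[w] & want[w]) != want[w])
            return 1;
    return 0;
}

/* Model `conntrack -D -l names[0] -l names[1] ...` against the constructed
 * table: how many entries would be deleted, or -1 for an unknown label name. */
static int count_deleted(const char *const *names, size_t n)
{
    uint32_t want[WORDS];
    if (build_filter(names, n, want) < 0)
        return -1;
    int deleted = 0;
    for (size_t i = 0; i < ARRAY_SIZE(example_table); i++)
        if (!label_filter_skips(want, example_table[i].labels))
            deleted++;
    return deleted;
}

int main(void)
{
    const char *const want[] = { "web", "blocked" };
    uint32_t bm[WORDS];
    if (build_filter(want, ARRAY_SIZE(want), bm) < 0)
        return 1;
    for (size_t i = 0; i < ARRAY_SIZE(example_table); i++)
        printf("%-6s %s\n",
               label_filter_skips(bm, example_table[i].labels) ? "keep" : "delete",
               example_table[i].desc);
    return 0;
}
```

Running the model with `-l web -l blocked` keeps three of the five constructed entries and deletes the two that carry both labels; passing no label at all deletes all five, which is the behaviour the pre-patch tool had for any `-D -l` invocation, since the label check was absent.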