On Thu, Jan 26, 2017 at 02:49:43PM -0800, Kevin Cernekee wrote:
> The libnetfilter_conntrack userland library always sets IPS_CONFIRMED
> when building a CTA_STATUS attribute. If this toggles the bit from
> 0->1, the parser will return an error. On Linux 4.4+ this will cause any
> NFQA_EXP attribute in the packet to be ignored. This breaks conntrackd's
> userland helpers because they operate on unconfirmed connections.
>
> Instead of returning -EBUSY if the user program asks to modify an
> unchangeable bit, simply ignore the change.
>
> Also, fix the logic so that user programs are allowed to clear
> the bits that they are allowed to change.

Applied, thanks Kevin.

I have manually fixed this compilation warning here, btw:

net/netfilter/nf_conntrack_netlink.c:1449:1: warning: ‘ctnetlink_update_status’ defined but not used [-Wunused-function]
 ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
 ^
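The status-mask change Kevin describes, as an added illustration in C that is not the kernel's code or the patch itself: the IPS_* bit positions follow the kernel's nf_conntrack_common.h, while the split into one "unchangeable" mask and one "changeable" mask (and the bits placed in each) is assumed for the example.

```c
#include <stdint.h>
#include <errno.h>

/* Conntrack status bits used here; positions as in nf_conntrack_common.h.
 * IPS_CONFIRMED is the bit libnetfilter_conntrack always sets. */
#define IPS_EXPECTED      (1u << 0)
#define IPS_SEEN_REPLY    (1u << 1)
#define IPS_ASSURED       (1u << 2)
#define IPS_CONFIRMED     (1u << 3)
#define IPS_DYING         (1u << 9)
#define IPS_FIXED_TIMEOUT (1u << 10)

/* Assumed policy for the example: bits userspace may never flip via
 * CTA_STATUS, and bits it may both set and clear. */
#define UNCHANGEABLE_MASK (IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING)
#define CHANGEABLE_MASK   (IPS_SEEN_REPLY | IPS_ASSURED | IPS_FIXED_TIMEOUT)

/* Old behaviour as described in the report: a request that would toggle an
 * unchangeable bit is rejected outright (so the rest of the message, e.g.
 * NFQA_EXP, is lost), and changeable bits are only ever OR-ed in, so
 * userspace has no way to clear one. */
int update_status_old(uint32_t *ct_status, uint32_t requested)
{
    uint32_t diff = *ct_status ^ requested;

    if (diff & UNCHANGEABLE_MASK)
        return -EBUSY;
    *ct_status |= requested & CHANGEABLE_MASK;
    return 0;
}

/* Fixed behaviour: unchangeable bits in the request are ignored rather than
 * treated as an error, and for changeable bits both the set side (bit present
 * in the request) and the clear side (bit absent) are applied. */
int update_status_new(uint32_t *ct_status, uint32_t requested)
{
    uint32_t on  = requested & CHANGEABLE_MASK;
    uint32_t off = ~requested & CHANGEABLE_MASK;

    *ct_status = (*ct_status & ~off) | on;
    return 0;
}
```

On an unconfirmed entry, a CTA_STATUS carrying IPS_CONFIRMED | IPS_ASSURED fails with -EBUSY under the old logic and leaves the entry untouched, whereas the new logic drops the CONFIRMED bit and still applies ASSURED.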