On 09/10/2018 at 01:01, Pablo Neira Ayuso wrote:
> From: Kristian Evensen <kristian.evensen@xxxxxxxxx>
>
> The same connection mark can be set on flows belonging to different
> address families. This commit adds support for filtering on the L3
> protocol when flushing connection track entries. If no protocol is
> specified, then all L3 protocols match.
>
> In order to avoid code duplication and a redundant check, the protocol
> comparison in ctnetlink_dump_table() has been removed. Instead, a filter
> is created if the GET-message triggering the dump contains an address
> family. ctnetlink_filter_match() is then used to compare the L3
> protocols.
>
> Signed-off-by: Kristian Evensen <kristian.evensen@xxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
[snip]
>  			continue;
> @@ -1213,12 +1219,12 @@ static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
>  
>  static int ctnetlink_flush_conntrack(struct net *net,
>  				     const struct nlattr * const cda[],
> -				     u32 portid, int report)
> +				     u32 portid, int report, u8 family)
>  {
>  	struct ctnetlink_filter *filter = NULL;
>  
> -	if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
> -		filter = ctnetlink_alloc_filter(cda);
> +	if (family || (cda[CTA_MARK] && cda[CTA_MARK_MASK])) {

Since this patch, there is a regression with 'conntrack -F': it no longer
flushes IPv6 conntrack entries.

In fact, the conntrack tool sets the family to AF_INET by default and
forbids setting the family to anything else (the '-f' option is not
allowed for the 'flush' command).

Any idea to fix this (without changing the conntrack tool) is welcome.

Regards,
Nicolas

> +		filter = ctnetlink_alloc_filter(cda, family);
>  		if (IS_ERR(filter))
>  			return PTR_ERR(filter);
>  	}
> @@ -1257,7 +1263,7 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
>  	else {
>  		return ctnetlink_flush_conntrack(net, cda,
>  						 NETLINK_CB(skb).portid,
> -						 nlmsg_report(nlh));
> +						 nlmsg_report(nlh), u3);
>  	}
>  
>  	if (err < 0)
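Review bot: in the ctnetlink_flush_conntrack() hunk, the new condition `if (family || (cda[CTA_MARK] && cda[CTA_MARK_MASK]))` turns a flush into a family-restricted flush whenever the request carries any non-zero family, but that value comes from the nfgenmsg header that existing userspace has always filled in rather than from an attribute the sender opts into, and the report in this thread shows conntrack-tools sends AF_INET for 'flush' and cannot send anything else, so a bare flush silently becomes IPv4-only. Suggest keeping the old behaviour for a flush with no mark attributes (allocate a filter only when CTA_MARK/CTA_MARK_MASK are present and apply the family match only inside that filter, or gate the family match on an explicit attribute), and at minimum state the behaviour change in the commit message, which currently only says "If no protocol is specified, then all L3 protocols match".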
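Review bot: in the ctnetlink_del_conntrack() hunk, `u3` passed as the new last argument to ctnetlink_flush_conntrack() is the header family of the request, so every existing DELETE-without-tuple caller now gets family filtering without having asked for it; nothing in the hunk distinguishes "family set because the tool always sets it" from "family set as a filter". If the family filter is kept on this path, the compatibility consequence for current conntrack-tools (a flush only deleting AF_INET entries) should be spelled out in the commit message, and the meaning of the header family for DELETE should be documented alongside the other ctnetlink message semantics.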
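To make the regression concrete, here is a small userspace model of the filter decision described in the commit message and the hunks above. It is an added example, not the kernel's code and not part of this thread: the struct names (ct_entry, ct_filter), the helper names (filter_match, flush_conntrack, flush_as_conntrack_tool, flush_unspec, flush_ipv6_mark1), the address-family constants and the sample conntrack table are all constructed for the demonstration. It reproduces the patched rule (a filter is allocated when the message carries a family or a mark/mask pair, and ctnetlink_filter_match() rejects an entry whose L3 family differs from a non-zero filter family) and shows that a request carrying AF_INET, which is what the report says 'conntrack -F' sends, leaves the IPv6 entries in place while a family of 0 flushes everything.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address-family values as on Linux (<sys/socket.h>), defined locally so the
 * model builds without the socket headers.  Assumption of this example. */
#define AF_UNSPEC_ 0
#define AF_INET_   2
#define AF_INET6_  10

/* Minimal stand-in for the parts of struct nf_conn the filter reads. */
struct ct_entry {
    uint8_t  l3num;   /* address family of the flow: AF_INET_ or AF_INET6_ */
    uint32_t mark;    /* connection mark */
};

/* Stand-in for the patched struct ctnetlink_filter: a family plus an
 * optional mark/mask pair.  family == 0 means "all L3 protocols match". */
struct ct_filter {
    uint8_t  family;
    bool     has_mark;
    uint32_t mark_val;
    uint32_t mark_mask;
};

/* Model of ctnetlink_filter_match(): an entry is selected only if the family
 * test and, when a mark pair is present, the masked mark test both pass. */
static bool filter_match(const struct ct_filter *f, const struct ct_entry *ct)
{
    if (f == NULL)                       /* no filter: everything matches */
        return true;
    if (f->family != AF_UNSPEC_ && f->family != ct->l3num)
        return false;
    if (f->has_mark && (ct->mark & f->mark_mask) != f->mark_val)
        return false;
    return true;
}

/* Model of the patched ctnetlink_flush_conntrack() decision: a filter is
 * built when the request carries a non-zero family OR a mark+mask pair.
 * Returns how many entries would be deleted; gone[i] records each verdict. */
size_t flush_conntrack(uint8_t msg_family, bool mark_given, uint32_t mark,
                       uint32_t mask, const struct ct_entry *table,
                       size_t n, bool *gone)
{
    struct ct_filter filter;
    const struct ct_filter *f = NULL;

    if (msg_family != AF_UNSPEC_ || mark_given) {
        filter.family    = msg_family;
        filter.has_mark  = mark_given;
        filter.mark_val  = mark;
        filter.mark_mask = mask;
        f = &filter;
    }

    size_t deleted = 0;
    for (size_t i = 0; i < n; i++) {
        gone[i] = filter_match(f, &table[i]);
        if (gone[i])
            deleted++;
    }
    return deleted;
}

/* Constructed sample table: two IPv4 flows and two IPv6 flows. */
static const struct ct_entry sample_table[] = {
    { AF_INET_,  0x1 },
    { AF_INET_,  0x2 },
    { AF_INET6_, 0x1 },
    { AF_INET6_, 0x3 },
};
#define SAMPLE_N (sizeof(sample_table) / sizeof(sample_table[0]))

/* A flush as the conntrack tool sends it per the report: family AF_INET,
 * no mark attributes.  Only the two IPv4 entries are flushed. */
size_t flush_as_conntrack_tool(void)
{
    bool gone[SAMPLE_N];
    return flush_conntrack(AF_INET_, false, 0, 0, sample_table, SAMPLE_N, gone);
}

/* A flush with family 0, the "all L3 protocols match" case: all four go. */
size_t flush_unspec(void)
{
    bool gone[SAMPLE_N];
    return flush_conntrack(AF_UNSPEC_, false, 0, 0, sample_table, SAMPLE_N, gone);
}

/* Family and mark combined: only the IPv6 flow whose mark & 0xff == 1. */
size_t flush_ipv6_mark1(void)
{
    bool gone[SAMPLE_N];
    return flush_conntrack(AF_INET6_, true, 0x1, 0xff, sample_table, SAMPLE_N, gone);
}

int main(void)
{
    printf("family AF_INET, no mark : %zu of %zu entries flushed\n",
           flush_as_conntrack_tool(), SAMPLE_N);
    printf("family 0, no mark       : %zu of %zu entries flushed\n",
           flush_unspec(), SAMPLE_N);
    printf("family AF_INET6, mark 1 : %zu of %zu entries flushed\n",
           flush_ipv6_mark1(), SAMPLE_N);
    return 0;
}
```

The first call is the 'conntrack -F' case from the report: half the table survives because the header family alone is enough to allocate a filter. Whatever the eventual kernel-side fix looks like, it has to make that first case behave like the second while still honouring the third.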