On Mon, Jun 24, 2019 at 11:02:40PM -0400, Felix Kaechele wrote:
> On 2019-06-24 7:58 p.m., Pablo Neira Ayuso wrote:
> > Could you give a try to this patch?
>
> Hi there,
>
> unfortunately the patch didn't work for me.
>
> I did some deeper digging and it seems that nf_conntrack_find_get within
> ctnetlink_del_conntrack will not find the entry if the address family for
> the delete query is AF_UNSPEC (due to nfmsg->version being 0) but the
> conntrack entry was initially created with AF_INET as the address family. I
> believe the tuples will have different hashes in this case and my guess is
> that this is not accounted for in the code, i.e. that AF_UNSPEC should match
> both AF_INET and AF_INET6. At the moment it seems to match none instead.

As you describe, conntrack is a hashtable and the layer 3 protocol is part
of the hash:

https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_conntrack_core.c#L188

so AF_UNSPEC cannot work. There is no support for layer 3 wildcard deletion.
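A userspace model of the lookup discussed above, added here as an illustration and not code from the thread or from the kernel tree: jhash2()/jhash_2words() follow include/linux/jhash.h, the tuple layout and hash_conntrack_raw() are modelled on nf_conntrack_core.c, a constant seed stands in for nf_conntrack_hash_rnd (an assumption), and the addresses and ports are constructed. It shows both reasons an AF_UNSPEC probe misses an AF_INET entry: l3num feeds the bucket hash, and the tuple comparison includes l3num as well.

```c
#include <stdint.h>
#include <string.h>
enum { AF_UNSPEC = 0, AF_INET = 2 };
#define JHASH_INITVAL 0xdeadbeef
/* jhash2()/jhash_2words() follow include/linux/jhash.h (lookup3 variant). */
static inline uint32_t rol32(uint32_t w, unsigned s) { return (w << s) | (w >> (32 - s)); }
#define JMIX(a, b, c) { a -= c; a ^= rol32(c, 4); c += b; b -= a; b ^= rol32(a, 6); a += c; \
    c -= b; c ^= rol32(b, 8); b += a; a -= c; a ^= rol32(c, 16); c += b; \
    b -= a; b ^= rol32(a, 19); a += c; c -= b; c ^= rol32(b, 4); b += a; }
#define JFINAL(a, b, c) { c ^= b; c -= rol32(b, 14); a ^= c; a -= rol32(c, 11); \
    b ^= a; b -= rol32(a, 25); c ^= b; c -= rol32(b, 16); a ^= c; a -= rol32(c, 4); \
    b ^= a; b -= rol32(a, 14); c ^= b; c -= rol32(b, 24); }
static uint32_t jhash2(const uint32_t *k, uint32_t len, uint32_t initval) {
    uint32_t c = JHASH_INITVAL + (len << 2) + initval, a = c, b = c;
    while (len > 3) { a += k[0]; b += k[1]; c += k[2]; JMIX(a, b, c); len -= 3; k += 3; }
    switch (len) {  /* 1..3 tail words, then the final mix; 0 words: nothing */
    case 3: c += k[2]; /* fall through */
    case 2: b += k[1]; /* fall through */
    case 1: a += k[0]; JFINAL(a, b, c);
    }
    return c;
}
static uint32_t jhash_2words(uint32_t a, uint32_t b, uint32_t initval) {
    uint32_t c = initval + JHASH_INITVAL + (2 << 2);
    a += c; b += c; JFINAL(a, b, c);
    return c;
}
/* Hashed part of struct nf_conntrack_tuple: src (addr, port, l3num), then dst. */
struct ct_tuple { uint32_t src_u3[4]; uint16_t src_port; uint16_t l3num;
                  uint32_t dst_u3[4]; uint16_t dst_port; uint8_t protonum; uint8_t dir; };
/* Modelled on hash_conntrack_raw(): l3num is among the 9 hashed words (src + dst.u3)
 * and in the seed of the second jhash2(). 'seed' stands in for
 * nf_conntrack_hash_rnd ^ net_hash_mix(), assumed constant here. */
static uint32_t hash_conntrack_raw(const struct ct_tuple *t, uint32_t seed) {
    uint32_t words[9], a, b;
    memcpy(words, t, sizeof(words));
    a = jhash2(words, 9, seed ^ (((uint32_t)t->dst_port << 16) | t->protonum));
    b = jhash2(t->dst_u3, 4, ((uint32_t)t->l3num << 16) | t->protonum);
    return jhash_2words(a, b, seed);
}
/* Lookup of a constructed AF_INET entry (TCP 10.0.0.1:40000 -> 10.0.0.2:22, LE byte
 * order) with a probe carrying lookup_l3num. Bit 0: same bucket; bit 1: key equal in
 * the nf_ct_tuple_equal() sense (every field but dir, so l3num included). Found == 3. */
static int lookup_hits(uint16_t lookup_l3num) {
    struct ct_tuple stored = { {0x0100000a}, 40000, AF_INET, {0x0200000a}, 22, 6, 0 };
    struct ct_tuple probe = stored; probe.l3num = lookup_l3num;
    const uint32_t seed = 0x12345678;
    return (hash_conntrack_raw(&stored, seed) == hash_conntrack_raw(&probe, seed))
         | (memcmp(&stored, &probe, sizeof(stored) - sizeof(stored.dir)) == 0) << 1;
}
```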