Re: [PATCH 08/13] netfilter: ctnetlink: Resolve conntrack L3-protocol flush regression

On 2019-06-25 4:08 a.m., Pablo Neira Ayuso wrote:
> As you describe, conntrack is a hashtable and the layer 3 protocol is
> part of the hash:
>
> https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_conntrack_core.c#L188
>
> so AF_UNSPEC cannot work.
>
> There is no support for layer 3 wildcard deletion.

So in this case I'd like to propose two options:

1. the patch should be reverted and userspace fixed to properly request flushing of both AF_INET and AF_INET6 entries in the table when doing a full flush

2. both this patch as well as the initial patch "netfilter: ctnetlink: Support L3 protocol-filter on flush" should be reverted and a new approach should be made to implement that feature.

As it stands right now, current kernel versions that are being released break userspace, which is unfortunate, because it forces me to run older, vulnerable kernels.

Regards,
  Felix
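Option 1 in practice, as an added example that is not code from the thread or from the patch series: it builds the ctnetlink delete request by hand over raw nfnetlink (my choice here, instead of libnetfilter_conntrack) and sends it once for AF_INET and once for AF_INET6, refusing AF_UNSPEC up front because the L3 family is part of the conntrack hash and cannot be wildcarded.

```c
/* Added example (not code from the thread or the patch series): per-family
 * conntrack flush from userspace over raw nfnetlink, UAPI headers only. */
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>

struct ct_flush_req { struct nlmsghdr nlh; struct nfgenmsg nfg; };

/* IPCTNL_MSG_CT_DELETE with no CTA_TUPLE_* attributes deletes every entry of
 * nfgen_family. AF_UNSPEC is rejected: the L3 family is part of the conntrack
 * hash, so it cannot be wildcarded. Returns 0 or -EINVAL. */
int ct_flush_build(struct ct_flush_req *req, unsigned char family, unsigned int seq)
{
    if (family != AF_INET && family != AF_INET6)
        return -EINVAL;
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct nfgenmsg));
    req->nlh.nlmsg_type = (NFNL_SUBSYS_CTNETLINK << 8) | IPCTNL_MSG_CT_DELETE;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->nlh.nlmsg_seq = seq;
    req->nfg.nfgen_family = family;
    req->nfg.version = NFNETLINK_V0;
    return 0;
}
/* Full flush as userspace should request it: one message for AF_INET, one for
 * AF_INET6. Needs CAP_NET_ADMIN; ACKs are not read. Returns requests sent or -errno. */
int ct_flush_all_families(void)
{
    static const unsigned char families[] = { AF_INET, AF_INET6 };
    struct ct_flush_req req;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER), sent = 0;

    if (fd < 0)
        return -errno;
    for (unsigned int i = 0; i < sizeof(families); i++) {
        ct_flush_build(&req, families[i], i + 1);
        if (send(fd, &req, req.nlh.nlmsg_len, 0) < 0) {
            int err = -errno;
            close(fd);
            return err;
        }
        sent++;
    }
    close(fd);
    return sent;
}
```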


