On Tue, Jun 25, 2019 at 07:33:05AM -0400, Felix Kaechele wrote:
> On 2019-06-25 4:08 a.m., Pablo Neira Ayuso wrote:
> > As you describe, conntrack is a hashtable and the layer 3 protocol is
> > part of the hash:
> >
> > https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_conntrack_core.c#L188
> >
> > so AF_UNSPEC cannot work.
> >
> > There is no support for layer 3 wildcard deletion.
>
> So in this case I'd like to propose two options:
>
> 1. the patch should be reverted and userspace fixed to properly request
> flushing of both AF_INET and AF_INET6 entries in the table when doing a full
> flush
>
> 2. both this patch as well as the initial patch "netfilter: ctnetlink:
> Support L3 protocol-filter on flush" should be reverted and a new approach
> should be made to implement that feature.
>
> As it stands right now current kernel versions that are being released break
> userspace, which is unfortunate, because it forces me to run older,
> vulnerable kernels.

Your use case has never ever worked. You cannot delete entries via
AF_UNSPEC, you're just mixing things up.
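The point both sides of the thread are circling, as an added illustration that is not code from the thread or from the kernel: because the layer 3 family is part of the hashed conntrack tuple, a tuple built with AF_UNSPEC can neither hash to nor compare equal with a real AF_INET or AF_INET6 entry, so "delete via AF_UNSPEC" is not a lookup that can succeed. A per-family flush, by contrast, is a walk over the whole table filtering on the family field, which is why the userspace fix proposed as option 1 (request AF_INET and AF_INET6 flushes explicitly) works. The table, tuple layout, hash function and the `flush_all_families` helper below are all assumptions of this toy model, not the kernel's data structures.

```python
"""Toy model of a conntrack-style table whose hash key includes the L3 family.

This is a constructed illustration, not kernel code: the tuple layout, the
bucket hash and the helper names are assumptions made for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Socket address family constants (Linux values).
AF_UNSPEC = 0
AF_INET = 2
AF_INET6 = 10


@dataclass(frozen=True)
class CtTuple:
    """Simplified conntrack tuple: family, endpoints, L4 proto and ports."""
    l3proto: int
    src: str
    dst: str
    l4proto: int
    sport: int
    dport: int


def hash_tuple(t: CtTuple, nbuckets: int) -> int:
    """Bucket index for a tuple.  The family is part of the hashed key, so the
    same addresses under a different (or unspecified) family land in a
    different bucket.  blake2b stands in for the kernel's hash here."""
    key = f"{t.l3proto}|{t.src}|{t.dst}|{t.l4proto}|{t.sport}|{t.dport}".encode()
    return int.from_bytes(hashlib.blake2b(key, digest_size=4).digest(), "big") % nbuckets


class ConntrackTable:
    """Chained hash table of CtTuple entries (model only)."""

    def __init__(self, nbuckets: int = 64) -> None:
        self.buckets: List[List[CtTuple]] = [[] for _ in range(nbuckets)]

    def insert(self, t: CtTuple) -> None:
        bucket = self.buckets[hash_tuple(t, len(self.buckets))]
        if t not in bucket:
            bucket.append(t)

    def lookup(self, t: CtTuple) -> Optional[CtTuple]:
        """Hash lookup: equality compares the whole tuple, family included,
        so an AF_UNSPEC tuple never matches an AF_INET/AF_INET6 entry."""
        for entry in self.buckets[hash_tuple(t, len(self.buckets))]:
            if entry == t:
                return entry
        return None

    def count(self) -> int:
        return sum(len(b) for b in self.buckets)

    def flush(self, family: int) -> int:
        """Delete every entry of one family by walking all buckets and return
        how many were removed.  A family filter is a table walk, not a hash
        lookup; AF_UNSPEC matches no stored entry, so it removes nothing."""
        removed = 0
        for bucket in self.buckets:
            keep = [e for e in bucket if e.l3proto != family]
            removed += len(bucket) - len(keep)
            bucket[:] = keep
        return removed


def flush_all_families(table: ConntrackTable) -> int:
    """What a full flush from userspace has to do when the kernel filters by
    family: request each concrete family explicitly instead of AF_UNSPEC."""
    return table.flush(AF_INET) + table.flush(AF_INET6)


def demo() -> dict:
    """Insert constructed sample entries and return the observable results."""
    table = ConntrackTable()
    v4a = CtTuple(AF_INET, "192.0.2.10", "192.0.2.20", 6, 40000, 443)
    v4b = CtTuple(AF_INET, "192.0.2.11", "192.0.2.20", 17, 5353, 53)
    v6a = CtTuple(AF_INET6, "2001:db8::10", "2001:db8::20", 6, 40001, 443)
    for t in (v4a, v4b, v6a):
        table.insert(t)

    # Same endpoints as v4a, but with the family left unspecified.
    unspec = CtTuple(AF_UNSPEC, "192.0.2.10", "192.0.2.20", 6, 40000, 443)
    results = {
        "total": table.count(),
        "lookup_exact": table.lookup(v4a) is not None,
        "lookup_unspec": table.lookup(unspec) is not None,
        "flush_unspec_removed": table.flush(AF_UNSPEC),
        "after_unspec": table.count(),
    }
    results["flush_v4_removed"] = table.flush(AF_INET)
    results["after_v4"] = table.count()
    results["flush_v6_removed"] = table.flush(AF_INET6)
    results["after_v6"] = table.count()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the exact lookup succeeding, the AF_UNSPEC lookup and AF_UNSPEC flush finding nothing, and the two per-family flushes between them emptying the table.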