Hi,

On Wed, Mar 04, 2020 at 09:16:51AM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > Existing code is a bit quirky: If no connlabel.conf was found, the local
> > function connlabel_value_parse() is called which tries to interpret
> > given label as a number. If the config exists though,
> > nfct_labelmap_get_bit() is called instead which doesn't care about
> > "undefined" connlabel names. So unless installed connlabel.conf contains
> > entries for all possible numeric labels, rules added by users may stop
> > working if a connlabel.conf is created. Fix this by falling back to
> > connlabel_value_parse() function also if connlabel_open() returned 0 but
> > nfct_labelmap_get_bit() returned an error.
>
> Acked-by: Florian Westphal <fw@xxxxxxxxx>

When checking whether documentation needs an update, I stumbled upon the
following sentences:

"Instead of a name (which will be translated to a number, see EXAMPLE
below), a number may be used instead. Using a number always overrides
connlabel.conf."

So actually I should change the code to try numeric parsing first and
only then fall back to nfct_labelmap_get_bit(). Commit 51340f7b6a110
("extensions: libxt_connlabel: use libnetfilter_conntrack") broke this
in 2013.

I'll send a v2.

Thanks, Phil
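As an added illustration of the documented lookup order discussed in this thread (a number always wins, connlabel.conf is only consulted for non-numeric names), not code from iptables or from the patch itself: the label map is a constructed stand-in for a parsed connlabel.conf, `parse_numeric_label()` and `lookup_label_name()` are hypothetical helpers mirroring connlabel_value_parse() and nfct_labelmap_get_bit(), and the 0..127 range assumes the kernel's 128-bit connlabel bitmap.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a parsed connlabel.conf: index = bit, value = name.
 * Deliberately sparse, like a typical installed file. */
static const char *const sample_labelmap[] = {
    [0] = "eth0-in",
    [1] = "eth0-out",
    [17] = "vpn",
};
#define SAMPLE_MAP_SIZE (sizeof(sample_labelmap) / sizeof(sample_labelmap[0]))
#define CONNLABEL_MAX_BIT 127 /* assumed: 128-bit kernel connlabel bitmap */

/* Hypothetical helper mirroring connlabel_value_parse(): accept the label only
 * if the whole string is a decimal number inside the supported bit range. */
static int parse_numeric_label(const char *s, unsigned int *bit)
{
    char *end;
    unsigned long v;

    if (*s == '\0')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno || *end != '\0' || v > CONNLABEL_MAX_BIT)
        return -1;
    *bit = (unsigned int)v;
    return 0;
}

/* Hypothetical helper standing in for nfct_labelmap_get_bit(): name -> bit. */
static int lookup_label_name(const char *name, unsigned int *bit)
{
    for (size_t i = 0; i < SAMPLE_MAP_SIZE; i++)
        if (sample_labelmap[i] && strcmp(sample_labelmap[i], name) == 0) {
            *bit = (unsigned int)i;
            return 0;
        }
    return -1;
}

/* Resolve a rule's label in the documented order: numeric parsing first, so a
 * config file lacking that number cannot break the rule; the map is consulted
 * only for names. Returns the bit number, or -1 if the label is unknown. */
int connlabel_resolve(const char *label)
{
    unsigned int bit;

    if (parse_numeric_label(label, &bit) == 0)
        return (int)bit;
    if (lookup_label_name(label, &bit) == 0)
        return (int)bit;
    return -1;
}
```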