Existing code is a bit quirky: If no connlabel.conf was found, the local function connlabel_value_parse() is called which tries to interpret given label as a number. If the config exists though, nfct_labelmap_get_bit() is called instead which doesn't care about "undefined" connlabel names. So unless installed connlabel.conf contains entries for all possible numeric labels, rules added by users may stop working if a connlabel.conf is created. Related man page snippet states: "Using a number always overrides connlabel.conf", so try numeric parsing and fall back to nfct only if that failed. Fixes: 51340f7b6a110 ("extensions: libxt_connlabel: use libnetfilter_conntrack") Fixes: 3a3bb480a738a ("extensions: connlabel: Fallback on missing connlabel.conf") Signed-off-by: Phil Sutter <phil@xxxxxx> --- Changes since v1: - Prefer numeric parsing over labelmap. --- extensions/libxt_connlabel.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c index 5a01fe7237bd8..565b8c796b017 100644 --- a/extensions/libxt_connlabel.c +++ b/extensions/libxt_connlabel.c @@ -70,18 +70,15 @@ static int connlabel_value_parse(const char *in) static void connlabel_mt_parse(struct xt_option_call *cb) { struct xt_connlabel_mtinfo *info = cb->data; - bool have_labelmap = !connlabel_open(); int tmp; xtables_option_parse(cb); switch (cb->entry->id) { case O_LABEL: - if (have_labelmap) + tmp = connlabel_value_parse(cb->arg); + if (tmp < 0 && !connlabel_open()) tmp = nfct_labelmap_get_bit(map, cb->arg); - else - tmp = connlabel_value_parse(cb->arg); - if (tmp < 0) xtables_error(PARAMETER_PROBLEM, "label '%s' not found or invalid value", -- 2.25.1
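Review bot: The fallback condition `if (tmp < 0 && !connlabel_open())` treats every negative return from connlabel_value_parse() the same way, so an argument that is numeric but rejected (for example a bit number outside the supported range) now goes on to the connlabel.conf lookup instead of failing as an invalid number; if connlabel.conf happens to define a label whose name is that same digit string, the rule silently matches by name, which is the opposite of the "a number always overrides connlabel.conf" rule the message quotes. Consider distinguishing "not a number" from "number out of range" (only the former should fall through to nfct_labelmap_get_bit()), or at least add a short comment above `tmp = connlabel_value_parse(cb->arg);` stating that numeric parsing is tried first by design and that connlabel_open() is now only attempted when that fails, since the removal of `have_labelmap` also means the map is no longer opened for purely numeric labels and any later code that expects it open will need to call connlabel_open() itself.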