If your ruleset does not use the 'connlabel' match in iptables or the 'ct label' statement in nftables, it is not possible to attach labels later because conntrack extensions are created by the time the new entry is created. As a rule of thumb, you have to set an initial label if you plan to update it later on. Worst case scenario: conntrack already contains entries but ruleset that specifies connlabel is not yet loaded. In such case, skip ENOSPC errors for conntracks that have no initial label (this is assuming a scenario with conntracks with and _without_ labels is possible, and the conntrack command line tool is used to update all entries regardless they have or not an initial label, e.g. conntrack -U --label-add "testlabel"). # conntrack -U --label-add testlabel --dst 9.9.9.9 icmp 1 13 src=192.168.2.130 dst=9.9.9.9 type=8 code=0 id=50997 src=9.9.9.9 dst=192.168.2.130 type=0 code=0 id=50997 mark=0 use=2 labels=default,testlabel conntrack v1.4.8 (conntrack-tools): 1 flow entries have been updated. # conntrack -C 8 In the example above, note 7 conntracks which had no label are skipped. Update manpage to document this behaviour. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1622 Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- v3: - fix incorrect check for ENOSPC and missing connlabel. - revamp document to provide a "rule of thumb". conntrack.8 | 3 +++ src/conntrack.c | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/conntrack.8 b/conntrack.8 index 031eaa4e9fef..1d92b69f0a40 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -193,6 +193,9 @@ Use multiple \-l options to specify multiple labels that need to be set. Specify the conntrack label to add to the selected conntracks. This option is only available in conjunction with "\-I, \-\-create", "\-A, \-\-add" or "\-U, \-\-update". +As a rule of thumb, you must set a default label for conntracks initially if you +plan to update it later, either via ruleset or "\-I,\-\-create" and "\-A,\-\-add". +"\-U, \-\-update" on conntracks with no initial label will be ignored. .TP .BI "--label-del " "[LABEL]" Specify the conntrack label to delete from the selected conntracks. diff --git a/src/conntrack.c b/src/conntrack.c index f9758d78d39b..c1551cadbdb3 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -2195,6 +2195,11 @@ static int mnl_nfct_update_cb(const struct nlmsghdr *nlh, void *data) /* the entry has vanish in middle of the update */ if (errno == ENOENT) goto destroy_ok; + else if (cmd->options & (CT_OPT_ADD_LABEL | CT_OPT_DEL_LABEL) && + !nfct_attr_is_set(ct, ATTR_CONNLABELS) && + errno == ENOSPC) + goto destroy_ok; + exit_error(OTHER_PROBLEM, "Operation failed: %s", err2str(errno, CT_UPDATE)); -- 2.30.2
