Hi,

I'm trying to match a conntrack table entry based on the reply 5-tuple with "conntrack -G".

My setup is as follows: two terminals, one running "nc -l 1024" and the other "nc 127.0.0.1 1024".

I'm running "conntrack -L --src 127.0.0.1 --dst 127.0.0.1 --protonum tcp --dport 1024" to find the connection, then I'm trying to match it with "conntrack -G":

Original direction: "conntrack -G --src 127.0.0.1 --dst 127.0.0.1 --protonum tcp --sport <ephemeral-port-from-list-output> --dport 1024" matches the connection.

Reply direction: "conntrack -G --reply-src 127.0.0.1 --reply-dst 127.0.0.1 --protonum tcp --sport 1024 --dport <ephemeral-port-from-list-output>" returns "conntrack v1.4.4 (conntrack-tools): Operation failed: invalid parameters".

I think that:

1. conntrack-tools is missing the --reply-sport / --reply-dport flags, which have different enum values (ATTR_REPL_PORT_SRC != ATTR_ORIG_PORT_SRC).

2. There seems to be a bug in the libnetfilter_conntrack implementation of __build_conntrack (conntrack/api.c) that assumes the ORIG direction (it makes sure ATTR_ORIG_L3PROTO exists and calls nfnl_fill_hdr based on the orig l3protonum).

Given the above two points, I couldn't test an IPCTNL_MSG_CT_GET query on the reply flow. I tried both with the conntrack-tools package and by modifying the nfct-mnl-get.c example in libnetfilter_conntrack.

Am I missing something here?

Thanks,
Omri
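As an added example (not part of the original post or of conntrack-tools): a POSIX shell helper that parses one line in the format "conntrack -L" prints, builds the original-direction "conntrack -G" argument list, extracts the reply tuple, and checks that the reply tuple is the plain mirror of the original before it is used in a reply-direction lookup. The sample line and the ephemeral port 45678 are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of one `conntrack -L` line for the loopback nc session
# described above; 45678 stands in for the ephemeral port (made up here).
SAMPLE='tcp      6 431999 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=45678 dport=1024 src=127.0.0.1 dst=127.0.0.1 sport=1024 dport=45678 [ASSURED] mark=0 use=1'

# ct_field LINE KEY N: print the N-th occurrence of KEY=value on a -L line.
# The original tuple is printed first and the reply tuple second, so N=1
# selects the original direction and N=2 the reply direction.
ct_field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -F= -v k="$2" -v n="$3" '$1 == k { if (++c == n) { print $2; exit } }'
}

# ct_proto LINE: the L4 protocol name is the first column of the line.
ct_proto() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# orig_get_args LINE: argument list for the original-direction lookup,
# the form the post reports as working.
orig_get_args() {
    printf '%s\n' "--src $(ct_field "$1" src 1) --dst $(ct_field "$1" dst 1) --protonum $(ct_proto "$1") --sport $(ct_field "$1" sport 1) --dport $(ct_field "$1" dport 1)"
}

# reply_tuple LINE: the reply 5-tuple as "proto src dst sport dport".
reply_tuple() {
    printf '%s\n' "$(ct_proto "$1") $(ct_field "$1" src 2) $(ct_field "$1" dst 2) $(ct_field "$1" sport 2) $(ct_field "$1" dport 2)"
}

# reply_is_mirror LINE: succeed when the reply tuple is the original tuple
# with addresses and ports swapped, which is what an un-NATed connection
# such as the loopback nc session shows. A mismatch usually means NAT is
# involved, so guessing the reply-direction arguments by swapping the
# original tuple would query the wrong entry.
reply_is_mirror() {
    [ "$(ct_field "$1" src 2)" = "$(ct_field "$1" dst 1)" ] &&
    [ "$(ct_field "$1" dst 2)" = "$(ct_field "$1" src 1)" ] &&
    [ "$(ct_field "$1" sport 2)" = "$(ct_field "$1" dport 1)" ] &&
    [ "$(ct_field "$1" dport 2)" = "$(ct_field "$1" sport 1)" ]
}

# Stand-alone run: show the original-direction lookup and the reply tuple.
echo "conntrack -G $(orig_get_args "$SAMPLE")"
echo "reply tuple: $(reply_tuple "$SAMPLE")"
reply_is_mirror "$SAMPLE" && echo "reply tuple mirrors the original"
```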