Re: Fwd: question about using conntrack to change the mark

Tony He <huangya90@xxxxxxxxx> · Mon, 21 Aug 2023 19:26:54 +0800

Hi Pablo,

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> 于2023年8月21日周一 18:29写道：
>
> On Mon, Aug 21, 2023 at 03:44:54PM +0800, Tony He wrote:
> > Hi,
> >
> > I am using Openwrt. The version is:
> > root@OpenWrt:/# cat /etc/openwrt_release
> > DISTRIB_ID='OpenWrt'
> > DISTRIB_RELEASE='23.05.0-rc2'
> > DISTRIB_REVISION='r23228-cd17d8df2a'
> > DISTRIB_TARGET='ipq806x/generic'
> > DISTRIB_ARCH='arm_cortex-a15_neon-vfpv4'
> > DISTRIB_DESCRIPTION='OpenWrt 23.05.0-rc2 r23228-cd17d8df2a'
> > DISTRIB_TAINTS=''
> >
> > And kernel is:
> > root@OpenWrt:/# uname -a
> > Linux OpenWrt 5.15.118 #0 SMP Mon Jun 26 11:20:39 2023 armv7l GNU/Linux
> >
> >
> > Seems that I can not use command " conntrack -U -p tcp -m 1" to change the mark.
> > root@OpenWrt:/# conntrack  -L  -p tcp |grep mark=0 |wc -l
> > conntrack v1.4.7 (conntrack-tools): 302 flow entries have been shown.
> > 302
> > root@OpenWrt:/# conntrack -U -p tcp -m 1
> > Operation failed: Not supported
> > conntrack v1.4.7 (conntrack-tools): Operation failed: Not supported
>
> Please, try this patch:
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821101751.4083-1-pablo@xxxxxxxxxxxxx/
This patch works when the conntrack sessions are not many. When there are about
300 sessions, another error "No buffer space available" is reported.

Works when sessions are not many:
root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
conntrack v1.4.7 (conntrack-tools): 204 flow entries have been shown.
204
root@OpenWrt:~# ./conntrack -U -p tcp -m 1
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58130
dport=80 packets=11 bytes=742 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58130 packets=12 bytes=19626 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58858
dport=80 packets=10 bytes=654 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58858 packets=9 bytes=15765 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59750
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59750 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59644
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59644 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58312
dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58312 packets=12 bytes=23161 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57910
dport=80 packets=11 bytes=754 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57910 packets=13 bytes=22574 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58276
dport=80 packets=11 bytes=778 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58276 packets=12 bytes=19626 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59336
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59336 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59238
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59238 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59514
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59514 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59104
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59104 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58170
dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58170 packets=12 bytes=19626 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58502
dport=80 packets=9 bytes=554 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58502 packets=8 bytes=11369 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59744
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59744 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58556
dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58556 packets=12 bytes=18817 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59464
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59464 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59232
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59232 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58806
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58806 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59716
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59716 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59550
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59550 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59240
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59240 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57942
dport=80 packets=9 bytes=578 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57942 packets=11 bytes=16678 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58292
dport=80 packets=10 bytes=642 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58292 packets=10 bytes=15817 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59190
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59190 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57876
dport=80 packets=10 bytes=618 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57876 packets=11 bytes=15230 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59540
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59540 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58626
dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58626 packets=11 bytes=18765 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59016
dport=80 packets=8 bytes=514 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59016 packets=7 bytes=12126 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59630
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59630 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58584
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58584 packets=11 bytes=17317 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58458
dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58458 packets=11 bytes=17317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59604
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59604 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59252
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59252 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59598
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59598 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58810
dport=80 packets=4 bytes=216 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58810 packets=3 bytes=172 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58196
dport=80 packets=11 bytes=750 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58196 packets=11 bytes=17317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57922
dport=80 packets=13 bytes=870 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57922 packets=12 bytes=16730 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58844
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58844 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57944
dport=80 packets=12 bytes=798 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57944 packets=13 bytes=19039 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59192
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59192 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58236
dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58236 packets=9 bytes=14317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59350
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59350 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58450
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58450 packets=9 bytes=14317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58992
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58992 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59570
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59570 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57916
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57916 packets=15 bytes=28470 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58716
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58716 packets=9 bytes=14317 [ASSURED] mark=1 use=2
tcp      6 110 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58652
dport=80 packets=13 bytes=874 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58652 packets=11 bytes=15869 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59266
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59266 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=57852
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=57852 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59280
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59280 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 111 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58476
dport=80 packets=11 bytes=746 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58476 packets=9 bytes=12869 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59296
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59296 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58028
dport=80 packets=10 bytes=650 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58028 packets=12 bytes=15921 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59396
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59396 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58404
dport=80 packets=10 bytes=674 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58404 packets=14 bytes=21817 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59704
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59704 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58316
dport=80 packets=11 bytes=778 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58316 packets=13 bytes=21126 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58432
dport=80 packets=9 bytes=566 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58432 packets=10 bytes=15817 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59410
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59410 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58188
dport=80 packets=11 bytes=726 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58188 packets=13 bytes=15973 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58392
dport=80 packets=9 bytes=590 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58392 packets=11 bytes=18126 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59114
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59114 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58890
dport=80 packets=11 bytes=734 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58890 packets=11 bytes=18126 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58548
dport=80 packets=9 bytes=590 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58548 packets=9 bytes=12869 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59068
dport=80 packets=11 bytes=762 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59068 packets=11 bytes=18765 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=58358
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=58358 packets=11 bytes=21661 [ASSURED] mark=1 use=2
tcp      6 99 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=59020
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=59020 packets=7 bytes=11317 [ASSURED] mark=1 use=2
conntrack v1.4.7 (conntrack-tools): 203 flow entries have been updated.

Many conntions:
root@OpenWrt:~# ./conntrack -L -p tcp |wc -l
conntrack v1.4.7 (conntrack-tools): 313 flow entries have been shown.
313
root@OpenWrt:~# ./conntrack -U -p tcp -m 1
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44998
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44998 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45460
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45460 packets=8 bytes=11369 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46376
dport=80 packets=10 bytes=670 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46376 packets=8 bytes=15713 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44002
dport=80 packets=11 bytes=694 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44002 packets=12 bytes=18178 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44250
dport=80 packets=10 bytes=630 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44250 packets=11 bytes=20213 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44056
dport=80 packets=11 bytes=750 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44056 packets=11 bytes=18765 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44642
dport=80 packets=10 bytes=650 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44642 packets=11 bytes=19574 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45632
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45632 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 97 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43932
dport=80 packets=11 bytes=714 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43932 packets=16 bytes=24178 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45228
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45228 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 97 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44246
dport=80 packets=11 bytes=778 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44246 packets=13 bytes=21765 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45010
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45010 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46366
dport=80 packets=11 bytes=738 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46366 packets=10 bytes=19522 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44192
dport=80 packets=10 bytes=654 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44192 packets=12 bytes=19626 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44964
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44964 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45686
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45686 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46008
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46008 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45666
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45666 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46262
dport=80 packets=12 bytes=834 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46262 packets=12 bytes=21074 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45560
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45560 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44124
dport=80 packets=12 bytes=818 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44124 packets=11 bytes=18765 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44816
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44816 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45022
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45022 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43922
dport=80 packets=10 bytes=690 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43922 packets=12 bytes=21074 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44154
dport=80 packets=10 bytes=654 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44154 packets=9 bytes=12869 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46130
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46130 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44908
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44908 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 97 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43858
dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43858 packets=11 bytes=20213 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45680
dport=80 packets=11 bytes=706 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45680 packets=10 bytes=17265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45078
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45078 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 98 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44360
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44360 packets=10 bytes=14369 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46050
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46050 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45752
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45752 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44164
dport=80 packets=13 bytes=930 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44164 packets=15 bytes=23317 [ASSURED] mark=1 use=2
tcp      6 97 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43914
dport=80 packets=12 bytes=830 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43914 packets=13 bytes=18869 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46330
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46330 packets=8 bytes=11369 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45120
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45120 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44584
dport=80 packets=10 bytes=630 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44584 packets=10 bytes=15178 [ASSURED] mark=1 use=2
tcp      6 98 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44476
dport=80 packets=11 bytes=738 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44476 packets=11 bytes=15869 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45546
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45546 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46278
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46278 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43790
dport=80 packets=10 bytes=690 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43790 packets=14 bytes=22626 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44984
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44984 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44968
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44968 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 101 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44560
dport=80 packets=4 bytes=216 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44560 packets=2 bytes=112 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43758
dport=80 packets=11 bytes=746 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43758 packets=15 bytes=27022 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44798
dport=80 packets=12 bytes=806 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44798 packets=10 bytes=18713 [ASSURED] mark=1 use=2
tcp      6 101 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46422
dport=80 packets=4 bytes=216 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46422 packets=2 bytes=112 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46206
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46206 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 101 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44432
dport=80 packets=11 bytes=730 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44432 packets=10 bytes=15817 [ASSURED] mark=1 use=2
tcp      6 97 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43948
dport=80 packets=9 bytes=566 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43948 packets=10 bytes=14539 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44906
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44906 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 98 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44274
dport=80 packets=10 bytes=666 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44274 packets=9 bytes=14317 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45172
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45172 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 101 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46194
dport=80 packets=4 bytes=216 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46194 packets=3 bytes=172 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45454
dport=80 packets=6 bytes=398 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45454 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 101 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44614
dport=80 packets=4 bytes=216 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44614 packets=3 bytes=172 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43906
dport=80 packets=11 bytes=742 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43906 packets=11 bytes=18765 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44680
dport=80 packets=11 bytes=734 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44680 packets=10 bytes=18074 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45690
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45690 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44726
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44726 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45094
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45094 packets=7 bytes=11317 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43844
dport=80 packets=8 bytes=526 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43844 packets=8 bytes=14265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=46344
dport=80 packets=9 bytes=602 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=46344 packets=8 bytes=12817 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45712
dport=80 packets=8 bytes=502 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45712 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44682
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44682 packets=6 bytes=11265 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=43918
dport=80 packets=11 bytes=762 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=43918 packets=13 bytes=21765 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=44048
dport=80 packets=10 bytes=682 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=44048 packets=12 bytes=19626 [ASSURED] mark=1 use=2
tcp      6 96 TIME_WAIT src=192.168.1.30 dst=10.40.9.83 sport=45714
dport=80 packets=7 bytes=450 src=10.40.9.83 dst=10.40.9.165 sport=80
dport=45714 packets=6 bytes=11265 [ASSURED] mark=1 use=2
conntrack v1.4.7 (conntrack-tools): Operation failed: No buffer space available

>
> > I need to add option "-f ipv4", but not all entries can be updated
> > successfully. "Protocol error" is reported.
>
> EPROTO means netlink sequence numbers are not fine, which might refer
> to another userspace bug.
>
> I made another patch, error handling was not robust in the -U case (no
> exit_error was used, instead printf).
>
> Also try this patch on of the previous patch.
>
> https://patchwork.ozlabs.org/project/netfilter-devel/patch/20230821102739.4893-1-pablo@xxxxxxxxxxxxx/
I will test this patch after above issue is fixed.
>
> Thanks for reporting.

Tony