It's impossible to query conntrack entries (GET message, but with no flags because of a Linux ABI issue) based on the reply tuple using libnl and nfnl_ct_build_message. That's because even if we don't set any orig (reply == 0) field in an nfnl_ct, nfnl_ct_build_message will build the tuple with ORIG anyway, and then add the REPLY fields. The kernel will then check if ORIG is present and match only on this orig, even if it's missing tuple fields and reply has all fields.
It should be possible to build the tuple only with reply, only with orig, or both, and only fall back to an orig tuple when no field is specified (e.g. a dump request).