thom311
commented
2 years ago Merged. Thank you for the patch!!
Closed anisse closed 2 years ago
thom311
commented
2 years ago Merged. Thank you for the patch!!
It's impossible to query conntrack entries (GET message, but with no flags because of a Linux ABI issue) based on reply tuple using libnl and nfnl_ct_build_message. That's because even if we don't set any orig (repy == 0) field in a nfnl_ct, nfnl_ct_build_message will build the tuple with ORIG anyway, and then add the REPLY fields. And then the kernel will check if ORIG is present, and match only on this orig, even if it's missing tuple fields and reply has all fields.
Fix this by building the query only with reply, only with orig, or both, and only fallback with an orig tuple when no field is specified (e.g a dump request).
Fixes #281