[iptables PATCH] connlabel: Allow numeric labels even if connlabel.conf exists

[iptables PATCH] connlabel: Allow numeric labels even if connlabel.conf exists

[Phil Sutter]

Existing code is a bit quirky: If no connlabel.conf was found, the local
function connlabel_value_parse() is called which tries to interpret
given label as a number. If the config exists though,
nfct_labelmap_get_bit() is called instead which doesn't care about
"undefined" connlabel names. So unless installed connlabel.conf contains
entries for all possible numeric labels, rules added by users may stop
working if a connlabel.conf is created. Fix this by falling back to
connlabel_value_parse() function also if connlabel_open() returned 0 but
nfct_labelmap_get_bit() returned an error.

Fixes: 3a3bb480a738a ("extensions: connlabel: Fallback on missing connlabel.conf")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 extensions/libxt_connlabel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
index 5a01fe7237bd8..1fc92f42cd969 100644
--- a/extensions/libxt_connlabel.c
+++ b/extensions/libxt_connlabel.c
@@ -71,7 +71,7 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
 {
 	struct xt_connlabel_mtinfo *info = cb->data;
 	bool have_labelmap = !connlabel_open();
-	int tmp;
+	int tmp = -1;
 
 	xtables_option_parse(cb);
 
@@ -79,7 +79,7 @@ static void connlabel_mt_parse(struct xt_option_call *cb)
 	case O_LABEL:
 		if (have_labelmap)
 			tmp = nfct_labelmap_get_bit(map, cb->arg);
-		else
+		if (tmp < 0)
 			tmp = connlabel_value_parse(cb->arg);
 
 		if (tmp < 0)
-- 
2.25.1

Re: [iptables PATCH] connlabel: Allow numeric labels even if connlabel.conf exists

[Florian Westphal]

Phil Sutter <phil@nwl.cc> wrote:
> Existing code is a bit quirky: If no connlabel.conf was found, the local
> function connlabel_value_parse() is called which tries to interpret
> given label as a number. If the config exists though,
> nfct_labelmap_get_bit() is called instead which doesn't care about
> "undefined" connlabel names. So unless installed connlabel.conf contains
> entries for all possible numeric labels, rules added by users may stop
> working if a connlabel.conf is created. Fix this by falling back to
> connlabel_value_parse() function also if connlabel_open() returned 0 but
> nfct_labelmap_get_bit() returned an error.

Acked-by: Florian Westphal <fw@strlen.de>

Re: [iptables PATCH] connlabel: Allow numeric labels even if connlabel.conf exists

[Phil Sutter]

Hi,

On Wed, Mar 04, 2020 at 09:16:51AM +0100, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > Existing code is a bit quirky: If no connlabel.conf was found, the local
> > function connlabel_value_parse() is called which tries to interpret
> > given label as a number. If the config exists though,
> > nfct_labelmap_get_bit() is called instead which doesn't care about
> > "undefined" connlabel names. So unless installed connlabel.conf contains
> > entries for all possible numeric labels, rules added by users may stop
> > working if a connlabel.conf is created. Fix this by falling back to
> > connlabel_value_parse() function also if connlabel_open() returned 0 but
> > nfct_labelmap_get_bit() returned an error.
> 
> Acked-by: Florian Westphal <fw@strlen.de>

When checking whether documentation needs an update, I stumbled upon the
following sentences:

"Instead of a name (which will be translated to a number, see EXAMPLE
below), a number may be used instead.  Using a number always overrides
connlabel.conf."

So actually I should change the code to try numeric parsing first and
only then fall back to nfct_labelmap_get_bit(). Commit 51340f7b6a110
("extensions: libxt_connlabel: use libnetfilter_conntrack") broke this
in 2013. I'll send a v2.

Thanks, Phil