[PATCH conntrack] conntrack: do not allow to update offload status bits

[PATCH conntrack] conntrack: do not allow to update offload status bits

[Pablo Neira Ayuso]

libnetfilter_conntrack already prints these new offload status bits,
which is sufficient. Revert the status parser changes that allow to set
on these bits from ctnetlink since this is not supported.

Fixes: de12e29bf35b ("conntrack: support for IPS_OFFLOAD")
Fixes: 2317c0de6080 ("conntrack: add support for the IPS_HW_OFFLOAD flag")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/conntrack.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index af54240dfa23..cf260423377f 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1119,8 +1119,8 @@ static struct parse_parameter {
 	size_t  size;
 	unsigned int value[8];
 } parse_array[PARSE_MAX] = {
-	{ {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED", "OFFLOAD", "HW_OFFLOAD"}, 7,
-	  { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED, IPS_OFFLOAD, IPS_HW_OFFLOAD} },
+	{ {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED"}, 5,
+	  { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED } },
 	{ {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
 	  { CT_EVENT_F_ALL, CT_EVENT_F_NEW, CT_EVENT_F_UPD, CT_EVENT_F_DEL } },
 	{ {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", "userspace", "save"}, 8,
-- 
2.20.1

Re: [PATCH conntrack] conntrack: do not allow to update offload status bits

[Pablo Neira Ayuso]

On Mon, Nov 02, 2020 at 02:49:38PM +0100, Pablo Neira Ayuso wrote:
> libnetfilter_conntrack already prints these new offload status bits,
> which is sufficient. Revert the status parser changes that allow to set
> on these bits from ctnetlink since this is not supported.

Scratch this.

Parser is still useful for the filter, ie.

conntrack -L --status OFFLOAD

I'll explore a patch to disallow updating these bits from -U instead.