From a7abf3f5dc7c43f0b25f1d38f754ffc44da54687 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 21 Aug 2023 12:24:08 +0200
Subject: conntrack: skip ENOENT when -U/-D finds a stale conntrack entry

-U and -D commands iterate over the netlink dump and it might try to update/delete an entry which is not in the kernel anymore. Skip ENOENT errors. The -U command uses printf and it continues on error, instead bail out with exit_error(). This problem is present in 1.4.6, this is related to the recent updates to use libmnl in 1.4.7.

Signed-off-by: Pablo Neira Ayuso
---
 src/conntrack.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/conntrack.c b/src/conntrack.c
index e1385b2..980f14f 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1989,10 +1989,14 @@ static int mnl_nfct_delete_cb(const struct nlmsghdr *nlh, void *data)
 res = nfct_mnl_request(modifier_sock, NFNL_SUBSYS_CTNETLINK, nfct_get_attr_u8(ct, ATTR_ORIG_L3PROTO), IPCTNL_MSG_CT_DELETE, NLM_F_ACK, NULL, ct, NULL);
-if (res < 0)
+if (res < 0) {
+/* the entry has vanish in middle of the delete */
+if (errno == ENOENT)
+goto done;
 exit_error(OTHER_PROBLEM, "Operation failed: %s", err2str(errno, CT_DELETE));
+}
 if (output_mask & _O_SAVE) {
 ct_save_snprintf(buf, sizeof(buf), ct, labelmap, NFCT_T_DESTROY);
@@ -2188,8 +2192,12 @@ static int mnl_nfct_update_cb(const struct nlmsghdr *nlh, void *data)
 nfct_get_attr_u8(ct, ATTR_ORIG_L3PROTO), IPCTNL_MSG_CT_NEW, NLM_F_ACK, NULL, tmp, NULL);
 if (res < 0) {
-fprintf(stderr, "Operation failed: %s\n",
-err2str(errno, CT_UPDATE));
+/* the entry has vanish in middle of the update */
+if (errno == ENOENT)
+goto destroy_ok;
+exit_error(OTHER_PROBLEM,
+"Operation failed: %s",
+err2str(errno, CT_UPDATE));
 }
 res = nfct_mnl_request(modifier_sock, NFNL_SUBSYS_CTNETLINK,
--
cgit v1.2.3
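Review bot: The new `if (errno == ENOENT)` test in the delete path is only correct if `nfct_mnl_request()` leaves `errno` untouched on its failure return; should that helper close or free anything after the failing send/recv, a clobbered `errno` would turn a benign stale-entry skip into a fatal `exit_error()` or, conversely, let an unrelated failure be silently skipped as ENOENT, so it is worth confirming against the helper and, if in doubt, testing a value captured immediately after the call. The `done:` label the new `goto` jumps to lies outside the hunk, so whether a vanished entry is excluded from the deleted-entries count cannot be verified here; that is the behaviour an operator would expect and deserves a sentence in the comment. The comment itself should read `/* the entry has vanished in the middle of the delete */`. mnl_nfct_delete_cb starts and ends outside the hunk.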
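Review bot: The `nfct_mnl_request()` call whose first line closes the hunk appears to issue a second request for the same entry immediately after the update, and the dump-versus-kernel race that motivates the new ENOENT skip applies to it just as much; its error handling is outside the hunk, so confirm it tolerates ENOENT as well, otherwise the stale-entry abort this commit removes simply moves one call later. Replacing `fprintf()` with `exit_error()` also turns `-U` from best-effort into fail-fast for every non-ENOENT error, so a permission or resource error part way through a dump now stops the run with earlier entries already updated; that matches the commit message but is a visible behaviour change that should be stated in the man page or help text. The comment should read `/* the entry has vanished in the middle of the update */`. mnl_nfct_update_cb starts before the hunk and the `destroy_ok:` label it jumps to is after it.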