From 6bb04b945b3186ea54d5ba3cca1d19c044068c78 Mon Sep 17 00:00:00 2001 From: Mikhail Sennikovsky Date: Fri, 24 Jun 2022 17:01:26 +0200 Subject: conntrack: fix -o save dump for unknown protocols Make sure the protocol (-p) option is included in the -o save ct entry dumps for L4 protocols unknown to the conntrack tool. Do not use getprotobynumber for unknown protocols to ensure "-o save" data incompatibility between hosts having different /etc/protocols contents. Include testcases covering the issue. Signed-off-by: Mikhail Sennikovsky Signed-off-by: Pablo Neira Ayuso --- src/conntrack.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'src') diff --git a/src/conntrack.c b/src/conntrack.c index e381543..d49ac1a 100644 --- a/src/conntrack.c +++ b/src/conntrack.c @@ -800,6 +800,7 @@ static int ct_save_snprintf(char *buf, size_t len, struct ctproto_handler *cur; uint8_t l3proto, l4proto; int tuple_attrs[4] = {}; + bool l4proto_set; unsigned i; int ret; @@ -860,6 +861,7 @@ static int ct_save_snprintf(char *buf, size_t len, l4proto = nfct_get_attr_u8(ct, ATTR_L4PROTO); + l4proto_set = false; /* is it in the list of supported protocol? */ list_for_each_entry(cur, &proto_list, head) { if (cur->protonum != l4proto) @@ -870,9 +872,16 @@ static int ct_save_snprintf(char *buf, size_t len, ret = ct_snprintf_opts(buf + offset, len, ct, cur->print_opts); BUFFER_SIZE(ret, size, len, offset); + + l4proto_set = true; break; } + if (!l4proto_set) { + ret = snprintf(buf + offset, len, "-p %d ", l4proto); + BUFFER_SIZE(ret, size, len, offset); + } + /* skip trailing space, if any */ for (; size && buf[size-1] == ' '; --size) buf[size-1] = '\0'; -- cgit v1.2.3