conntrack: ct label update requires proper rulesetHEADmaster

As of kernel 6.6-rc, your ruleset must use either the 'connlabel' match
in iptables or the 'ct label' statement in nftables to attach labels to
conntrack entries. Update documentation to describe this behaviour.

This patch addresses a corner case scenario: conntrack already contains
entries but ruleset that specifies connlabel did not get loaded yet.
In such case, skip ENOSPC errors for conntracks that have no ct label
extension.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1622
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

0 files changed, 0 insertions, 0 deletions