From 6bb04b945b3186ea54d5ba3cca1d19c044068c78 Mon Sep 17 00:00:00 2001
From: Mikhail Sennikovsky
Date: Fri, 24 Jun 2022 17:01:26 +0200
Subject: conntrack: fix -o save dump for unknown protocols

Make sure the protocol (-p) option is included in the -o save ct entry dumps for L4 protocols unknown to the conntrack tool.

Do not use getprotobynumber for unknown protocols to ensure "-o save" data incompatibility between hosts having different /etc/protocols contents.

Include testcases covering the issue.

Signed-off-by: Mikhail Sennikovsky
Signed-off-by: Pablo Neira Ayuso
---
 src/conntrack.c | 9 +++++++++
 tests/conntrack/testsuite/09dumpopt | 26 ++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/src/conntrack.c b/src/conntrack.c
index e381543..d49ac1a 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -800,6 +800,7 @@ static int ct_save_snprintf(char *buf, size_t len,
 	struct ctproto_handler *cur;
 	uint8_t l3proto, l4proto;
 	int tuple_attrs[4] = {};
+	bool l4proto_set;
 	unsigned i;
 	int ret;
@@ -860,6 +861,7 @@ static int ct_save_snprintf(char *buf, size_t len,
 	l4proto = nfct_get_attr_u8(ct, ATTR_L4PROTO);
+	l4proto_set = false;
 	/* is it in the list of supported protocol? */
 	list_for_each_entry(cur, &proto_list, head) {
 		if (cur->protonum != l4proto)
@@ -870,9 +872,16 @@ static int ct_save_snprintf(char *buf, size_t len,
 		ret = ct_snprintf_opts(buf + offset, len, ct, cur->print_opts);
 		BUFFER_SIZE(ret, size, len, offset);
+
+		l4proto_set = true;
 		break;
 	}
+	if (!l4proto_set) {
+		ret = snprintf(buf + offset, len, "-p %d ", l4proto);
+		BUFFER_SIZE(ret, size, len, offset);
+	}
+
 	/* skip trailing space, if any */
 	for (; size && buf[size-1] == ' '; --size)
 		buf[size-1] = '\0';
diff --git a/tests/conntrack/testsuite/09dumpopt b/tests/conntrack/testsuite/09dumpopt
index 447590b..c1e0e6e 100644
--- a/tests/conntrack/testsuite/09dumpopt
+++ b/tests/conntrack/testsuite/09dumpopt
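Review bot: `bool l4proto_set;` is declared uninitialised in the first hunk and only set to `false` in the second hunk, some sixty lines later; initialising at the point of declaration, `bool l4proto_set = false;`, and dropping the separate `l4proto_set = false;` line keeps the flag's initial value next to its definition, the style the neighbouring `int tuple_attrs[4] = {};` already uses. The patch adds no `#include <stdbool.h>`, so it assumes src/conntrack.c already has `bool` in scope — the include list is outside the hunks, so that is worth confirming before merging. The fallback `snprintf(buf + offset, len, "-p %d ", l4proto)` in the third hunk follows the same `ret`/`BUFFER_SIZE(ret, size, len, offset)` pattern as the `ct_snprintf_opts` call above it, so truncation handling stays consistent with the rest of the function. Separately, the second paragraph of the description reads "to ensure "-o save" data incompatibility between hosts", where "compatibility" is evidently meant. ct_save_snprintf starts before the first hunk and continues past the third.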
@@ -145,3 +145,29 @@
 -D -w 11 -u SEEN_REPLY -s 1.1.1.1 -d 2.2.2.2 -r 2.2.2.2 -q 1.1.1.1 -p icmp --icmp-type 8 --icmp-code 0 --icmp-id 1226 ; OK
 # clean up after yourself
 -D -w 10 ; OK
+# Cover protocols unknown to the conntrack tool
+# Create a conntrack entries
+# IGMP
+-I -w 10 -t 59 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 2 ;
+# Some fency protocol
+-I -w 10 -t 59 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ;
+# Some fency protocol with IPv6
+-I -w 10 -t 59 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p 200 ;
+-R - ; OK
+# copy to zone 11
+-L -w 10 -o save ; |s/-w 10/-w 11/g
+-R - ; OK
+# Delete stuff in zone 10, should succeed
+# IGMP
+-D -w 10 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 2 ; OK
+# Some fency protocol
+-D -w 10 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ; OK
+# Some fency protocol with IPv6
+-D -w 10 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p 200 ; OK
+# Delete stuff in zone 11, should succeed
+# IGMP
+-D -w 11 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 2 ; OK
+# Some fency protocol
+-D -w 11 -s 0.0.0.0 -d 224.0.0.22 -r 224.0.0.22 -q 0.0.0.0 -p 200 ; OK
+# Some fency protocol with IPv6
+-D -w 11 -s 2001:DB8::1.1.1.1 -d 2001:DB8::2.2.2.2 -p 200 ; OK
-- cgit v1.2.3
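Review bot: The three new `-I` lines end with an empty expectation (`... -p 200 ;`) while every new `-D` line asserts `; OK`; if the harness treats an empty expectation as "do not check", a failed insert would go unnoticed and the following `-L -w 10 -o save` / `-R -` round-trip could pass vacuously, so `; OK` on the `-I` lines would make the case self-checking — unless leaving them unchecked is deliberate for protocols the kernel may refuse, in which case a comment saying so would help the next reader. The comment `# Some fency protocol` (three occurrences) should read `# Some fancy protocol`, and `# Create a conntrack entries` should be `# Create conntrack entries`.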