authorPhil Sutter <>2020-03-04 02:43:27 +0100
committerPhil Sutter <>2020-03-06 16:48:28 +0100
commitf56d91bd80f0e86aaad56a32ddc84f373bb80745 (patch)
parentd0446ab11182f6ca2adc486a124895f09a220c6e (diff)
connlabel: Allow numeric labels even if connlabel.conf exists
Existing code is a bit quirky: If no connlabel.conf was found, the local function connlabel_value_parse() is called which tries to interpret the given label as a number. If the config exists though, nfct_labelmap_get_bit() is called instead, which doesn't care about "undefined" connlabel names. So unless the installed connlabel.conf contains entries for all possible numeric labels, rules added by users may stop working if a connlabel.conf is created. The related man page snippet states: "Using a number always overrides connlabel.conf", so try numeric parsing first and fall back to nfct only if that failed.

Fixes: 51340f7b6a110 ("extensions: libxt_connlabel: use libnetfilter_conntrack")
Fixes: 3a3bb480a738a ("extensions: connlabel: Fallback on missing connlabel.conf")
Signed-off-by: Phil Sutter <>
1 files changed, 2 insertions, 5 deletions
diff --git a/extensions/libxt_connlabel.c b/extensions/libxt_connlabel.c
index 5a01fe72..565b8c79 100644
--- a/extensions/libxt_connlabel.c
+++ b/extensions/libxt_connlabel.c
@@ -70,18 +70,15 @@ static int connlabel_value_parse(const char *in)
static void connlabel_mt_parse(struct xt_option_call *cb)
struct xt_connlabel_mtinfo *info = cb->data;
- bool have_labelmap = !connlabel_open();
int tmp;
switch (cb->entry->id) {
case O_LABEL:
- if (have_labelmap)
+ tmp = connlabel_value_parse(cb->arg);
+ if (tmp < 0 && !connlabel_open())
tmp = nfct_labelmap_get_bit(map, cb->arg);
- else
- tmp = connlabel_value_parse(cb->arg);
if (tmp < 0)
"label '%s' not found or invalid value",