On 2019-06-24 7:58 p.m., Pablo Neira Ayuso wrote:
> Could you give a try to this patch?

Hi there,

unfortunately the patch didn't work for me.

I did some deeper digging and it seems that nf_conntrack_find_get within ctnetlink_del_conntrack will not find the entry if the address family for the delete query is AF_UNSPEC (due to nfmsg->version being 0) but the conntrack entry was initially created with AF_INET as the address family. I believe the tuples will have different hashes in this case and my guess is that this is not accounted for in the code, i.e. that AF_UNSPEC should match both AF_INET and AF_INET6. At the moment it seems to match none instead.

I could be wrong though, I'm not that familiar with the netfilter code.

Regards,
  Felix
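
The lookup mismatch Felix describes, as a user-space model added here for illustration; it is not kernel code and not code from the thread. It assumes a simplified tuple layout (in the real struct nf_conntrack_tuple the address family, l3num, sits inside tuple->src and is covered by both hash_conntrack_raw and nf_ct_tuple_equal), substitutes FNV-1a for the kernel's jhash2, and models Felix's suggestion that an AF_UNSPEC query should fall back to the concrete families as the hypothetical ct_find_any_family():

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address family constants as in <linux/socket.h>. */
#define AF_UNSPEC 0
#define AF_INET   2
#define AF_INET6  10

/* Simplified model of struct nf_conntrack_tuple (layout is an assumption).
 * The address family is part of the key, exactly as l3num is in the kernel. */
struct tuple {
    uint8_t  src_addr[16];
    uint8_t  dst_addr[16];
    uint16_t src_port;
    uint16_t dst_port;
    uint16_t l3num;     /* address family: AF_INET, AF_INET6 or AF_UNSPEC */
    uint8_t  protonum;  /* L4 protocol number */
};

#define NBUCKETS 64
struct entry { struct tuple t; bool used; };
static struct entry table[NBUCKETS];

/* Hash stand-in: FNV-1a over the whole tuple. The kernel uses jhash2 over
 * src + dst.u3, but the relevant property is the same: l3num is hashed. */
static uint32_t tuple_hash(const struct tuple *t)
{
    const uint8_t *p = (const uint8_t *)t;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof(*t); i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h % NBUCKETS;
}

/* Like nf_ct_tuple_equal: every field, including l3num, must match. */
static bool tuple_equal(const struct tuple *a, const struct tuple *b)
{
    return memcmp(a, b, sizeof(*a)) == 0;
}

/* Build an IPv4-addressed tuple; memset zeroes padding so hash/memcmp are stable. */
static struct tuple make_v4(uint16_t l3num, uint32_t saddr, uint32_t daddr,
                            uint16_t sport, uint16_t dport, uint8_t proto)
{
    struct tuple t;
    memset(&t, 0, sizeof(t));
    memcpy(t.src_addr, &saddr, 4);
    memcpy(t.dst_addr, &daddr, 4);
    t.src_port = sport;
    t.dst_port = dport;
    t.l3num = l3num;
    t.protonum = proto;
    return t;
}

/* Open-addressed insert (linear probing, no deletion in this model). */
static bool ct_insert(const struct tuple *t)
{
    uint32_t i = tuple_hash(t);
    for (unsigned n = 0; n < NBUCKETS; n++, i = (i + 1) % NBUCKETS) {
        if (!table[i].used) {
            table[i].t = *t;
            table[i].used = true;
            return true;
        }
    }
    return false;
}

/* Model of nf_conntrack_find_get: exact match on the full tuple. */
static bool ct_find(const struct tuple *t)
{
    uint32_t i = tuple_hash(t);
    for (unsigned n = 0; n < NBUCKETS; n++, i = (i + 1) % NBUCKETS) {
        if (!table[i].used)
            return false;
        if (tuple_equal(&table[i].t, t))
            return true;
    }
    return false;
}

/* Hypothetical: what Felix suggests AF_UNSPEC should mean, i.e. retry the
 * lookup with each concrete family. Not present in the kernel as written. */
static bool ct_find_any_family(const struct tuple *t)
{
    if (t->l3num != AF_UNSPEC)
        return ct_find(t);
    struct tuple probe = *t;
    probe.l3num = AF_INET;
    if (ct_find(&probe))
        return true;
    probe.l3num = AF_INET6;
    return ct_find(&probe);
}

/* Scenario from the thread: the entry was created with AF_INET, the delete
 * request (nfmsg->version == 0) arrives with l3num == AF_UNSPEC. Constructed input. */
static bool demo_exact_lookup_misses(void)
{
    memset(table, 0, sizeof(table));
    struct tuple created = make_v4(AF_INET, 0x0a000001u, 0x0a000002u, 40000, 53, 17);
    ct_insert(&created);
    struct tuple del = created;
    del.l3num = AF_UNSPEC;          /* same addresses/ports/proto, family unset */
    return !ct_find(&del);          /* exact match fails: l3num differs */
}

static bool demo_family_fallback_hits(void)
{
    memset(table, 0, sizeof(table));
    struct tuple created = make_v4(AF_INET, 0x0a000001u, 0x0a000002u, 40000, 53, 17);
    ct_insert(&created);
    struct tuple del = created;
    del.l3num = AF_UNSPEC;
    return ct_find_any_family(&del); /* found once AF_INET is tried */
}

int main(void)
{
    printf("AF_UNSPEC exact lookup misses AF_INET entry: %s\n",
           demo_exact_lookup_misses() ? "yes" : "no");
    printf("per-family fallback finds it:                %s\n",
           demo_family_fallback_hits() ? "yes" : "no");
    return 0;
}
```

Whether or not the two tuples land in the same bucket, the equality check alone is enough to make the AF_UNSPEC query miss; the model therefore does not assert on the hash values themselves.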
