Package: libnetfilter-conntrack3 Version: 1.0.6-2 Severity: normal Tags: upstream
Dear Maintainer, Attaching a filter to a conntrack handle has no effect when compiled/run on a MIPS machine. I have included the source of a test case demonstrating the issue which prints a summary when the state of an applicable connection changes. The filter applied should ensure the callback is only called for TCP connections. This works as expected on an x64 machine, but on a MIPS machine the filter has no effect, the callback is triggered for all connections. I have tried different filter types other than NFCT_FILTER_L4PROTO with the same outcome. -- System Information: Debian Release: 9.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: mips Kernel: Linux 4.9.0-6-4kc-malta Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libnetfilter-conntrack3 depends on: ii libc6 2.24-11+deb9u3 ii libmnl0 1.0.4-2 ii libnfnetlink0 1.0.1-3 libnetfilter-conntrack3 recommends no packages. libnetfilter-conntrack3 suggests no packages. -- no debconf information
#include <stdio.h> #include <libnetfilter_conntrack/libnetfilter_conntrack.h> #include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h> static int cb(enum nf_conntrack_msg_type type, struct nf_conntrack *ct, void *data) { char buf[1024]; nfct_snprintf(buf, sizeof(buf), ct, type, NFCT_O_PLAIN, NFCT_OF_TIME); printf("%s\n", buf); return NFCT_CB_CONTINUE; } int main() { struct nfct_handle *h = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS); if (!h) { perror("nfct_open"); return 1; } struct nfct_filter *filter = nfct_filter_create(); if (!filter) { perror("nfct_create_filter"); return 1; } nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO, IPPROTO_TCP); if (nfct_filter_attach(nfct_fd(h), filter) == -1) { perror("nfct_filter_attach"); return 1; } nfct_callback_register(h, NFCT_T_ALL, cb, NULL); nfct_catch(h); nfct_filter_destroy(filter); nfct_close(h); }