Simplest guide to using connlabel

Hello everyone,

Today my post is going to be about an iptables/nftables match called connlabel.

connlabels are similar to connmarks, except that labels are bit-based, i.e. all labels may be attached to a flow at the same time. nftables supports 1024 connlabels. This LWN article covers it. Now, you must be wondering why I am writing about a match. I have never done this before. Well, this is because connlabel isn't readily available like all the other matches: you not only need to install nftables and its dependent libraries but much more. Today, my mentor, Pablo Neira Ayuso, helped me get this module to work. I'm going to write up the simplest way you can install it.

Requirements Specification

  1. libnfnetlink (Get it here)
  2. libnetfilter_conntrack (Get it here)

How do you install these libraries?

Yes, you guessed it right. Like always,

$ ./configure
$ make
$ sudo make install

Possible errors

Now, it is very likely that (while running configure script) some of you will be encountering errors like:

checking for LIBNFNETLINK... no
configure: error: Package requirements (libnfnetlink >= 0.0.41) were not met:

No package 'libnfnetlink' found

Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.

Alternatively, you may set the environment variables LIBNFNETLINK_CFLAGS
and LIBNFNETLINK_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.

when you already have these things installed. Beginners should make a note here: these are general errors you can get during the installation of not only this but any other library/module. This happens because the library checks in a configure script need the development package of the library, not just the runtime library.

Say bye-bye to errors

So, what do you do? Simply install the development library. The development library is nothing but <required_package>-dev.
For example, in this case, it would be libnfnetlink-dev.
Now, first install libnfnetlink: no errors. Installation complete.

Now, install libnetfilter_conntrack: no errors. Installation complete.

How do you know if it is installed correctly?

  • You do not see messages like
Iptables modules that will not be built: connlabel
  • You see an xtables directory under /etc which contains a default connlabel.conf file.

If these two things work for you, congrats!
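As an added example (not from the original post, and not part of iptables or nftables), here is a small POSIX shell checker for the prerequisites and the two success signs listed above. It assumes pkg-config is installed and that the xtables directory is /etc/xtables; the -dev naming follows the Debian/Ubuntu convention used in this post.

```shell
# Added example, not from the original post: checks for the connlabel
# prerequisites and the post-install signs described above.
# Assumptions: pkg-config is installed; "<package>-dev" is the Debian/Ubuntu
# naming the post uses; the default xtables directory is /etc/xtables.

# Map a pkg-config module name to the -dev package the post tells you to install.
dev_pkg_for() {
    printf '%s-dev\n' "$1"
}

# configure asks pkg-config for the module; do the same check it does.
# Prints a hint naming the -dev package when the module is not visible.
check_pc_module() {
    if pkg-config --exists "$1" 2>/dev/null; then
        printf 'ok: %s %s\n' "$1" "$(pkg-config --modversion "$1")"
        return 0
    fi
    printf 'missing: %s (install %s or set PKG_CONFIG_PATH)\n' \
        "$1" "$(dev_pkg_for "$1")" >&2
    return 1
}

# Read a saved configure transcript and turn every
# "No package 'X' found" line into the -dev package to install.
dev_pkgs_from_configure_log() {
    sed -n "s/^No package '\([^']*\)' found.*/\1/p" "$1" |
        while read -r mod; do dev_pkg_for "$mod"; done
}

# True when the iptables configure transcript says connlabel was skipped.
connlabel_skipped_in_log() {
    grep -q 'will not be built:.*connlabel' "$1"
}

# The post's second sign of success: a default connlabel.conf in the
# xtables directory. $1 overrides the directory (default /etc/xtables).
check_xtables_dir() {
    [ -f "${1:-/etc/xtables}/connlabel.conf" ]
}

# Run the live checks on this machine (exit status 0 only if all pass).
check_all() {
    status=0
    check_pc_module libnfnetlink || status=1
    check_pc_module libnetfilter_conntrack || status=1
    check_xtables_dir || { echo 'missing: /etc/xtables/connlabel.conf' >&2; status=1; }
    return $status
}
```

Run `check_all` after the two installs; on a configure failure, save the output to a file and feed it to `dev_pkgs_from_configure_log` to get the -dev packages to install.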

It wasn't really very tough. And now that I know how to do it, I can see almost everywhere that this was what had to be done in order to make connlabel work. It looks like the manual page of iptables was screaming out loud about doing this. I guess I was deaf. It happens every time!

Anyway, since it works now, I have sent a patch for its translation to nftables.

You can ask about any troubles you face in comments below.

Thanks for reading.