public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-18 22:14:16 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

netfilter: nf_tables: fix ct untracked match breakage

Browse source 
"ct untracked" no longer works properly due to erroneous NFT_BREAK.
We have to check ctinfo enum first.

Fixes: d9e7891476 ("netfilter: nf_tables: avoid retpoline overhead for some ct expression calls")
Reported-by: Rvfg <i@rvf6.com>
Link: https://marc.info/?l=netfilter&m=168294996212038&w=2
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal 2023-05-03 12:00:18 +02:00 committed by Pablo Neira Ayuso
parent 6a341729fb
commit f057b63bc1
1 changed files with 10 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
net/netfilter/nft_ct_fast.c
View file

@ -15,10 +15,6 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
unsigned int state; unsigned int state;
ct = nf_ct_get(pkt->skb, &ctinfo); ct = nf_ct_get(pkt->skb, &ctinfo);
if (!ct) {
regs->verdict.code = NFT_BREAK;
return;
}
switch (priv->key) { switch (priv->key) {
case NFT_CT_STATE: case NFT_CT_STATE:
@ -30,6 +26,16 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
state = NF_CT_STATE_INVALID_BIT; state = NF_CT_STATE_INVALID_BIT;
*dest = state; *dest = state;
return; return;
default:
break;
}
if (!ct) {
regs->verdict.code = NFT_BREAK;
return;
}
switch (priv->key) {
case NFT_CT_DIRECTION: case NFT_CT_DIRECTION:
nft_reg_store8(dest, CTINFO2DIR(ctinfo)); nft_reg_store8(dest, CTINFO2DIR(ctinfo));
return; return;