Commit f057b63b authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_tables: fix ct untracked match breakage 



"ct untracked" no longer works properly due to erroneous NFT_BREAK.
We have to check ctinfo enum first.

Fixes: d9e78914 ("netfilter: nf_tables: avoid retpoline overhead for some ct expression calls")
Reported-by: default avatarRvfg <i@rvf6.com>
Link: https://marc.info/?l=netfilter&m=168294996212038&w=2


Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 6a341729

net/netfilter/nft_ct_fast.c

+10 −4
Original line number Diff line number Diff line
@@ -15,10 +15,6 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr, 
	unsigned int state;



	ct = nf_ct_get(pkt->skb, &ctinfo);

	if (!ct) {

		regs->verdict.code = NFT_BREAK;

		return;

	}



	switch (priv->key) {

	case NFT_CT_STATE:
@@ -30,6 +26,16 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr, 
			state = NF_CT_STATE_INVALID_BIT;

		*dest = state;

		return;

	default:

		break;

	}



	if (!ct) {

		regs->verdict.code = NFT_BREAK;

		return;

	}



	switch (priv->key) {

	case NFT_CT_DIRECTION:

		nft_reg_store8(dest, CTINFO2DIR(ctinfo));

		return;