Skip to content

Commit f057b63

Browse files
Florian Westphalummakynes
Florian Westphal
authored and
ummakynes
committed
netfilter: nf_tables: fix ct untracked match breakage
"ct untracked" no longer works properly due to erroneous NFT_BREAK. We have to check ctinfo enum first. Fixes: d9e7891 ("netfilter: nf_tables: avoid retpoline overhead for some ct expression calls") Reported-by: Rvfg <i@rvf6.com> Link: https://marc.info/?l=netfilter&m=168294996212038&w=2 Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
1 parent 6a34172 commit f057b63

1 file changed

Lines changed: 10 additions & 4 deletions

File tree

net/netfilter/nft_ct_fast.c

Lines changed: 10 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -15,10 +15,6 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
1515
unsigned int state;
1616

1717
ct = nf_ct_get(pkt->skb, &ctinfo);
18-
if (!ct) {
19-
regs->verdict.code = NFT_BREAK;
20-
return;
21-
}
2218

2319
switch (priv->key) {
2420
case NFT_CT_STATE:
@@ -30,6 +26,16 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
3026
state = NF_CT_STATE_INVALID_BIT;
3127
*dest = state;
3228
return;
29+
default:
30+
break;
31+
}
32+
33+
if (!ct) {
34+
regs->verdict.code = NFT_BREAK;
35+
return;
36+
}
37+
38+
switch (priv->key) {
3339
case NFT_CT_DIRECTION:
3440
nft_reg_store8(dest, CTINFO2DIR(ctinfo));
3541
return;

0 commit comments

Comments
 (0)