mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-26 12:26:11 +00:00
f057b63bc1
"ct untracked" no longer works properly due to erroneous NFT_BREAK.
We have to check ctinfo enum first.
Fixes: d9e7891476
("netfilter: nf_tables: avoid retpoline overhead for some ct expression calls")
Reported-by: Rvfg <i@rvf6.com>
Link: https://marc.info/?l=netfilter&m=168294996212038&w=2
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
62 lines
1.3 KiB
C
62 lines
1.3 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
#if IS_ENABLED(CONFIG_NFT_CT)
|
|
#include <linux/netfilter/nf_tables.h>
|
|
#include <net/netfilter/nf_tables_core.h>
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
|
|
void nft_ct_get_fast_eval(const struct nft_expr *expr,
|
|
struct nft_regs *regs,
|
|
const struct nft_pktinfo *pkt)
|
|
{
|
|
const struct nft_ct *priv = nft_expr_priv(expr);
|
|
u32 *dest = ®s->data[priv->dreg];
|
|
enum ip_conntrack_info ctinfo;
|
|
const struct nf_conn *ct;
|
|
unsigned int state;
|
|
|
|
ct = nf_ct_get(pkt->skb, &ctinfo);
|
|
|
|
switch (priv->key) {
|
|
case NFT_CT_STATE:
|
|
if (ct)
|
|
state = NF_CT_STATE_BIT(ctinfo);
|
|
else if (ctinfo == IP_CT_UNTRACKED)
|
|
state = NF_CT_STATE_UNTRACKED_BIT;
|
|
else
|
|
state = NF_CT_STATE_INVALID_BIT;
|
|
*dest = state;
|
|
return;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
if (!ct) {
|
|
regs->verdict.code = NFT_BREAK;
|
|
return;
|
|
}
|
|
|
|
switch (priv->key) {
|
|
case NFT_CT_DIRECTION:
|
|
nft_reg_store8(dest, CTINFO2DIR(ctinfo));
|
|
return;
|
|
case NFT_CT_STATUS:
|
|
*dest = ct->status;
|
|
return;
|
|
#ifdef CONFIG_NF_CONNTRACK_MARK
|
|
case NFT_CT_MARK:
|
|
*dest = ct->mark;
|
|
return;
|
|
#endif
|
|
#ifdef CONFIG_NF_CONNTRACK_SECMARK
|
|
case NFT_CT_SECMARK:
|
|
*dest = ct->secmark;
|
|
return;
|
|
#endif
|
|
default:
|
|
WARN_ON_ONCE(1);
|
|
regs->verdict.code = NFT_BREAK;
|
|
break;
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(nft_ct_get_fast_eval);
|
|
#endif
|