Brett Mastbergen <[email protected]> wrote:
> diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> index 7b717fad6cdc..418a17d2df31 100644
> --- a/net/netfilter/nft_ct.c
> +++ b/net/netfilter/nft_ct.c
> @@ -178,6 +178,9 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
> return;
> }
> #endif
> + case NFT_CT_ID:
> + *dest = nf_ct_get_id(ct);
> + return;
This should perhaps be
if (!nfct_is_confirmed(ct))
goto err;
*dest = ...
Otherwise we'll need to change nf_ct_get_id() to only
consider immutable properties of nf_conn.
ctnetlink never generates events until conntrack confirmation,
so I think the nfct_is_confirmed() check would be ok.
Other than this, this looks great.