Brett Mastbergen <bmastber...@untangle.com> wrote:
> diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> index 7b717fad6cdc..418a17d2df31 100644
> --- a/net/netfilter/nft_ct.c
> +++ b/net/netfilter/nft_ct.c
> @@ -178,6 +178,9 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
>               return;
>       }
>  #endif
> +     case NFT_CT_ID:
> +             *dest = nf_ct_get_id(ct);
> +             return;
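Review bot: the new NFT_CT_ID case writes nf_ct_get_id(ct) into *dest without checking that the conntrack entry has been confirmed. If nf_ct_get_id() takes any input that can still change before confirmation, a rule evaluated on an unconfirmed entry will store an id that differs from the one userspace later sees through ctnetlink, which only emits events after confirmation. Either guard the case with `if (!nfct_is_confirmed(ct)) goto err;` ahead of the assignment, or make nf_ct_get_id() depend only on nf_conn fields that are immutable from allocation onward.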

This should perhaps be

if (!nfct_is_confirmed(ct))
        goto err;
*dest = ...

Otherwise we'll need to change nf_ct_get_id() to only
consider immutable properties of nf_conn.

ctnetlink never generates events until conntrack confirmation,
so I think the nfct_is_confirmed() check would be ok.

Other than this, this looks great.
