netfilter: nf_tables: fix ct untracked match breakage

"ct untracked" no longer works properly due to erroneous NFT_BREAK. We have to check ctinfo enum first. Fixes: d9e7891 ("netfilter: nf_tables: avoid retpoline overhead for some ct expression calls") Reported-by: Rvfg <[email protected]> Link: https://marc.info/?l=netfilter&m=168294996212038&w=2 Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
wafgo · May 3, 2023 · f057b63 · f057b63
1 parent 6a34172
commit f057b63
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/net/netfilter/nft_ct_fast.c b/net/netfilter/nft_ct_fast.c
@@ -15,10 +15,6 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
 	unsigned int state;
 
 	ct = nf_ct_get(pkt->skb, &ctinfo);
-	if (!ct) {
-		regs->verdict.code = NFT_BREAK;
-		return;
-	}
 
 	switch (priv->key) {
 	case NFT_CT_STATE:
@@ -30,6 +26,16 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
 			state = NF_CT_STATE_INVALID_BIT;
 		*dest = state;
 		return;
+	default:
+		break;
+	}
+
+	if (!ct) {
+		regs->verdict.code = NFT_BREAK;
+		return;
+	}
+
+	switch (priv->key) {
 	case NFT_CT_DIRECTION:
 		nft_reg_store8(dest, CTINFO2DIR(ctinfo));
 		return;