From: kernel test robot <lkp@intel.com>
To: Nikolaos Gkarlis <nickgarlis@gmail.com>, netfilter-devel@vger.kernel.org
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
pablo@netfilter.org, fw@strlen.de,
Nikolaos Gkarlis <nickgarlis@gmail.com>
Subject: Re: [PATCH v2] netfilter: nft_ct: reject ambiguous conntrack expressions in inet tables
Date: Thu, 4 Sep 2025 01:56:58 +0800 [thread overview]
Message-ID: <202509040107.KmDmcM3p-lkp@intel.com> (raw)
In-Reply-To: <20250902215433.75568-1-nickgarlis@gmail.com>
Hi Nikolaos,
kernel test robot noticed the following build errors:
[auto build test ERROR on netfilter-nf/main]
[also build test ERROR on horms-ipvs/master linus/master v6.17-rc4 next-20250903]
[cannot apply to nf-next/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Nikolaos-Gkarlis/netfilter-nft_ct-reject-ambiguous-conntrack-expressions-in-inet-tables/20250903-055737
base: https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git main
patch link: https://lore.kernel.org/r/20250902215433.75568-1-nickgarlis%40gmail.com
patch subject: [PATCH v2] netfilter: nft_ct: reject ambiguous conntrack expressions in inet tables
config: hexagon-allmodconfig (https://download.01.org/0day-ci/archive/20250904/202509040107.KmDmcM3p-lkp@intel.com/config)
compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250904/202509040107.KmDmcM3p-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509040107.KmDmcM3p-lkp@intel.com/
All errors (new ones prefixed by >>):
>> net/netfilter/nft_ct.c:444:4: error: expected expression
444 | const struct nft_expr *curr, *last;
| ^
>> net/netfilter/nft_ct.c:449:27: error: use of undeclared identifier 'curr'
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^
>> net/netfilter/nft_ct.c:449:33: error: use of undeclared identifier 'last'
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^
>> net/netfilter/nft_ct.c:449:27: error: use of undeclared identifier 'curr'
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^
>> net/netfilter/nft_ct.c:449:33: error: use of undeclared identifier 'last'
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^
>> net/netfilter/nft_ct.c:449:27: error: use of undeclared identifier 'curr'
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^
>> net/netfilter/nft_ct.c:449:27: error: use of undeclared identifier 'curr'; did you mean 'err'?
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^~~~
| err
include/net/netfilter/nf_tables.h:1064:30: note: expanded from macro 'nft_rule_for_each_expr'
1064 | (expr) = nft_expr_next(expr))
| ^
net/netfilter/nft_ct.c:389:6: note: 'err' declared here
389 | int err;
| ^
net/netfilter/nft_ct.c:450:9: error: use of undeclared identifier 'curr'; did you mean 'err'?
450 | if (curr == expr)
| ^~~~
| err
net/netfilter/nft_ct.c:389:6: note: 'err' declared here
389 | int err;
| ^
net/netfilter/nft_ct.c:453:9: error: use of undeclared identifier 'curr'
453 | if (curr->ops == &nft_meta_get_ops) {
| ^
net/netfilter/nft_ct.c:454:50: error: use of undeclared identifier 'curr'; did you mean 'err'?
454 | const struct nft_meta *meta = nft_expr_priv(curr);
| ^~~~
| err
net/netfilter/nft_ct.c:389:6: note: 'err' declared here
389 | int err;
| ^
10 errors generated.
vim +444 net/netfilter/nft_ct.c
382
383 static int nft_ct_get_init(const struct nft_ctx *ctx,
384 const struct nft_expr *expr,
385 const struct nlattr * const tb[])
386 {
387 struct nft_ct *priv = nft_expr_priv(expr);
388 unsigned int len;
389 int err;
390
391 priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
392 priv->dir = IP_CT_DIR_MAX;
393 switch (priv->key) {
394 case NFT_CT_DIRECTION:
395 if (tb[NFTA_CT_DIRECTION] != NULL)
396 return -EINVAL;
397 len = sizeof(u8);
398 break;
399 case NFT_CT_STATE:
400 case NFT_CT_STATUS:
401 #ifdef CONFIG_NF_CONNTRACK_MARK
402 case NFT_CT_MARK:
403 #endif
404 #ifdef CONFIG_NF_CONNTRACK_SECMARK
405 case NFT_CT_SECMARK:
406 #endif
407 case NFT_CT_EXPIRATION:
408 if (tb[NFTA_CT_DIRECTION] != NULL)
409 return -EINVAL;
410 len = sizeof(u32);
411 break;
412 #ifdef CONFIG_NF_CONNTRACK_LABELS
413 case NFT_CT_LABELS:
414 if (tb[NFTA_CT_DIRECTION] != NULL)
415 return -EINVAL;
416 len = NF_CT_LABELS_MAX_SIZE;
417 break;
418 #endif
419 case NFT_CT_HELPER:
420 if (tb[NFTA_CT_DIRECTION] != NULL)
421 return -EINVAL;
422 len = NF_CT_HELPER_NAME_LEN;
423 break;
424
425 case NFT_CT_L3PROTOCOL:
426 case NFT_CT_PROTOCOL:
427 /* For compatibility, do not report error if NFTA_CT_DIRECTION
428 * attribute is specified.
429 */
430 len = sizeof(u8);
431 break;
432 case NFT_CT_SRC:
433 case NFT_CT_DST:
434 if (tb[NFTA_CT_DIRECTION] == NULL)
435 return -EINVAL;
436
437 switch (ctx->family) {
438 case NFPROTO_IPV4:
439 len = sizeof_field(struct nf_conntrack_tuple,
440 src.u3.ip);
441 break;
442 case NFPROTO_IPV6:
443 case NFPROTO_INET:
> 444 const struct nft_expr *curr, *last;
445 bool meta_nfproto = false;
446 if (!expr->rule)
447 return -EINVAL;
448
> 449 nft_rule_for_each_expr(curr, last, expr->rule) {
450 if (curr == expr)
451 break;
452
453 if (curr->ops == &nft_meta_get_ops) {
454 const struct nft_meta *meta = nft_expr_priv(curr);
455 if (meta->key == NFT_META_NFPROTO) {
456 meta_nfproto = true;
457 break;
458 }
459 }
460 }
461 if (!meta_nfproto)
462 return -EINVAL;
463
464 len = sizeof_field(struct nf_conntrack_tuple,
465 src.u3.ip6);
466 break;
467 default:
468 return -EAFNOSUPPORT;
469 }
470 break;
471 case NFT_CT_SRC_IP:
472 case NFT_CT_DST_IP:
473 if (tb[NFTA_CT_DIRECTION] == NULL)
474 return -EINVAL;
475
476 len = sizeof_field(struct nf_conntrack_tuple, src.u3.ip);
477 break;
478 case NFT_CT_SRC_IP6:
479 case NFT_CT_DST_IP6:
480 if (tb[NFTA_CT_DIRECTION] == NULL)
481 return -EINVAL;
482
483 len = sizeof_field(struct nf_conntrack_tuple, src.u3.ip6);
484 break;
485 case NFT_CT_PROTO_SRC:
486 case NFT_CT_PROTO_DST:
487 if (tb[NFTA_CT_DIRECTION] == NULL)
488 return -EINVAL;
489 len = sizeof_field(struct nf_conntrack_tuple, src.u.all);
490 break;
491 case NFT_CT_BYTES:
492 case NFT_CT_PKTS:
493 case NFT_CT_AVGPKT:
494 len = sizeof(u64);
495 break;
496 #ifdef CONFIG_NF_CONNTRACK_ZONES
497 case NFT_CT_ZONE:
498 len = sizeof(u16);
499 break;
500 #endif
501 case NFT_CT_ID:
502 if (tb[NFTA_CT_DIRECTION])
503 return -EINVAL;
504
505 len = sizeof(u32);
506 break;
507 default:
508 return -EOPNOTSUPP;
509 }
510
511 if (tb[NFTA_CT_DIRECTION] != NULL) {
512 priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
513 switch (priv->dir) {
514 case IP_CT_DIR_ORIGINAL:
515 case IP_CT_DIR_REPLY:
516 break;
517 default:
518 return -EINVAL;
519 }
520 }
521
522 priv->len = len;
523 err = nft_parse_register_store(ctx, tb[NFTA_CT_DREG], &priv->dreg, NULL,
524 NFT_DATA_VALUE, len);
525 if (err < 0)
526 return err;
527
528 err = nf_ct_netns_get(ctx->net, ctx->family);
529 if (err < 0)
530 return err;
531
532 if (priv->key == NFT_CT_BYTES ||
533 priv->key == NFT_CT_PKTS ||
534 priv->key == NFT_CT_AVGPKT)
535 nf_ct_set_acct(ctx->net, true);
536
537 return 0;
538 }
539
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
prev parent reply other threads:[~2025-09-03 17:58 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-29 6:50 [PATCH] netfilter: nft_ct: reject ambiguous conntrack expressions in inet tables Nikolaos Gkarlis
2025-08-29 15:08 ` Florian Westphal
2025-08-29 21:59 ` Nick Garlis
2025-09-02 21:54 ` [PATCH v2] " Nikolaos Gkarlis
2025-09-02 22:21 ` Florian Westphal
2025-09-03 9:12 ` Nick Garlis
2025-09-03 10:13 ` Florian Westphal
2025-09-03 10:34 ` Pablo Neira Ayuso
2025-09-03 11:51 ` Nikolaos Gkarlis
2025-09-03 10:31 ` Pablo Neira Ayuso
2025-09-03 13:18 ` kernel test robot
2025-09-03 17:47 ` [syzbot ci] " syzbot ci
2025-09-03 17:56 ` kernel test robot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202509040107.KmDmcM3p-lkp@intel.com \
--to=lkp@intel.com \
--cc=fw@strlen.de \
--cc=llvm@lists.linux.dev \
--cc=netfilter-devel@vger.kernel.org \
--cc=nickgarlis@gmail.com \
--cc=oe-kbuild-all@lists.linux.dev \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.