Re: [PATCH net] net_sched: act_ct: drop all packets when not attached to ingress

[Paolo Abeni <pabeni@redhat.com>]

On 2/18/26 7:44 PM, Jamal Hadi Salim wrote:
> On Wed, Feb 18, 2026 at 1:31 PM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>> On Wed, Feb 18, 2026 at 11:15 AM Ilya Maximets <i.maximets@ovn.org> wrote:
>>> From a user's perspective I'd prefer if RTM_NEWTFILTER just fails when
>>> it contains TCA_ACT_KIND "ct" with TC_H_MIN_EGRESS.  This is clear
>>> for the application that makes a request and for the user if they make
>>> the request manually with 'tc filter ...'.
> 
>> The challenge is actions could be created as a standalone i.e "tc
>> actions add action ct..." then later bound via tc filter. Don't forget
>> actions can also be shared by multiple filters (which could be a mix
>> of egress/ingress)...
>
> Actually, looking closely at the code - this is doable. Let's see if a
> patch can be cooked.

I discussed a bit the topic with Davide, it looks like the thing you
mentioned above could be handled. The problematic part is AFAICS the
additional indirection level added by (possibly shared) blocks. AFAICS
whatever check we do at ct_init() time, shared block could later
circumvent it - unless act_ct is always forbidden for shared blocks.

TL;DR: I think admission check at init time can be implemented only in a
quite (too much?) restrictive way.

/P