* [PATCH nf] netfilter: nft_ct: Remove confirmation check for NFT_CT_ID
From: Brett Mastbergen @ 2020-12-08 21:39 UTC
To: netfilter-devel

Since commit 656c8e9cc1ba ("netfilter: conntrack: Use consistent ct id hash calculation") the ct id will not change from initialization to confirmation. Removing the confirmation check allows for things like adding an element to a 'typeof ct id' set in prerouting upon reception of the first packet of a new connection, and then being able to reference that set consistently both before and after the connection is confirmed.

Signed-off-by: Brett Mastbergen <brett.mastbergen@gmail.com>

--- net/netfilter/nft_ct.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 322bd674963e..a1b0aac46e9e 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c @@ -177,8 +177,6 @@ static void nft_ct_get_eval(const struct nft_expr *expr, } #endif case NFT_CT_ID: - if (!nf_ct_is_confirmed(ct)) - goto err; *dest = nf_ct_get_id(ct); return; default: -- 2.20.1
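Review bot: In the `case NFT_CT_ID:` hunk, nothing left in the code records why `*dest = nf_ct_get_id(ct);` may now be evaluated on an unconfirmed entry; that reasoning exists only in the changelog's reference to 656c8e9cc1ba. A one-line comment above the assignment saying that the id is stable from initialization to confirmation would keep the invariant visible to anyone who later touches the id calculation. Since the changelog ties the id's stability to that commit, it would also help to state explicitly that this change depends on 656c8e9cc1ba and should not be picked into a tree that lacks it, where a 'typeof ct id' set filled in prerouting could not be relied on to match after confirmation.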
* Re: [PATCH nf] netfilter: nft_ct: Remove confirmation check for NFT_CT_ID
From: Florian Westphal @ 2020-12-08 22:09 UTC
To: Brett Mastbergen; +Cc: netfilter-devel

Brett Mastbergen <brett.mastbergen@gmail.com> wrote:
> Since commit 656c8e9cc1ba ("netfilter: conntrack: Use consistent ct id
> hash calculation") the ct id will not change from initialization to
> confirmation. Removing the confirmation check allows for things like
> adding an element to a 'typeof ct id' set in prerouting upon reception
> of the first packet of a new connection, and then being able to
> reference that set consistently both before and after the connection
> is confirmed.

Acked-by: Florian Westphal <fw@strlen.de>
* Re: [PATCH nf] netfilter: nft_ct: Remove confirmation check for NFT_CT_ID
From: Pablo Neira Ayuso @ 2020-12-09 9:31 UTC
To: Brett Mastbergen; +Cc: netfilter-devel

On Tue, Dec 08, 2020 at 04:39:24PM -0500, Brett Mastbergen wrote:
> Since commit 656c8e9cc1ba ("netfilter: conntrack: Use consistent ct id
> hash calculation") the ct id will not change from initialization to
> confirmation. Removing the confirmation check allows for things like
> adding an element to a 'typeof ct id' set in prerouting upon reception
> of the first packet of a new connection, and then being able to
> reference that set consistently both before and after the connection
> is confirmed.

Applied, thanks.