From: kernel test robot <lkp@intel.com>
To: Nikolaos Gkarlis <nickgarlis@gmail.com>, netfilter-devel@vger.kernel.org
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
pablo@netfilter.org, fw@strlen.de,
Nikolaos Gkarlis <nickgarlis@gmail.com>
Subject: Re: [PATCH v2] netfilter: nft_ct: reject ambiguous conntrack expressions in inet tables
Date: Thu, 4 Sep 2025 01:56:58 +0800 [thread overview]
Message-ID: <202509040107.KmDmcM3p-lkp@intel.com> (raw)
In-Reply-To: <20250902215433.75568-1-nickgarlis@gmail.com>
Hi Nikolaos,
kernel test robot noticed the following build errors:
[auto build test ERROR on netfilter-nf/main]
[also build test ERROR on horms-ipvs/master linus/master v6.17-rc4 next-20250903]
[cannot apply to nf-next/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Nikolaos-Gkarlis/netfilter-nft_ct-reject-ambiguous-conntrack-expressions-in-inet-tables/20250903-055737
base: https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git main
patch link: https://lore.kernel.org/r/20250902215433.75568-1-nickgarlis%40gmail.com
patch subject: [PATCH v2] netfilter: nft_ct: reject ambiguous conntrack expressions in inet tables
config: hexagon-allmodconfig (https://download.01.org/0day-ci/archive/20250904/202509040107.KmDmcM3p-lkp@intel.com/config)
compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250904/202509040107.KmDmcM3p-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202509040107.KmDmcM3p-lkp@intel.com/
All errors (new ones prefixed by >>):
>> net/netfilter/nft_ct.c:444:4: error: expected expression
444 | const struct nft_expr *curr, *last;
| ^
>> net/netfilter/nft_ct.c:449:27: error: use of undeclared identifier 'curr'
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^
>> net/netfilter/nft_ct.c:449:33: error: use of undeclared identifier 'last'
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^
>> net/netfilter/nft_ct.c:449:27: error: use of undeclared identifier 'curr'
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^
>> net/netfilter/nft_ct.c:449:33: error: use of undeclared identifier 'last'
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^
>> net/netfilter/nft_ct.c:449:27: error: use of undeclared identifier 'curr'
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^
>> net/netfilter/nft_ct.c:449:27: error: use of undeclared identifier 'curr'; did you mean 'err'?
449 | nft_rule_for_each_expr(curr, last, expr->rule) {
| ^~~~
| err
include/net/netfilter/nf_tables.h:1064:30: note: expanded from macro 'nft_rule_for_each_expr'
1064 | (expr) = nft_expr_next(expr))
| ^
net/netfilter/nft_ct.c:389:6: note: 'err' declared here
389 | int err;
| ^
net/netfilter/nft_ct.c:450:9: error: use of undeclared identifier 'curr'; did you mean 'err'?
450 | if (curr == expr)
| ^~~~
| err
net/netfilter/nft_ct.c:389:6: note: 'err' declared here
389 | int err;
| ^
net/netfilter/nft_ct.c:453:9: error: use of undeclared identifier 'curr'
453 | if (curr->ops == &nft_meta_get_ops) {
| ^
net/netfilter/nft_ct.c:454:50: error: use of undeclared identifier 'curr'; did you mean 'err'?
454 | const struct nft_meta *meta = nft_expr_priv(curr);
| ^~~~
| err
net/netfilter/nft_ct.c:389:6: note: 'err' declared here
389 | int err;
| ^
10 errors generated.
vim +444 net/netfilter/nft_ct.c
382
383 static int nft_ct_get_init(const struct nft_ctx *ctx,
384 const struct nft_expr *expr,
385 const struct nlattr * const tb[])
386 {
387 struct nft_ct *priv = nft_expr_priv(expr);
388 unsigned int len;
389 int err;
390
391 priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
392 priv->dir = IP_CT_DIR_MAX;
393 switch (priv->key) {
394 case NFT_CT_DIRECTION:
395 if (tb[NFTA_CT_DIRECTION] != NULL)
396 return -EINVAL;
397 len = sizeof(u8);
398 break;
399 case NFT_CT_STATE:
400 case NFT_CT_STATUS:
401 #ifdef CONFIG_NF_CONNTRACK_MARK
402 case NFT_CT_MARK:
403 #endif
404 #ifdef CONFIG_NF_CONNTRACK_SECMARK
405 case NFT_CT_SECMARK:
406 #endif
407 case NFT_CT_EXPIRATION:
408 if (tb[NFTA_CT_DIRECTION] != NULL)
409 return -EINVAL;
410 len = sizeof(u32);
411 break;
412 #ifdef CONFIG_NF_CONNTRACK_LABELS
413 case NFT_CT_LABELS:
414 if (tb[NFTA_CT_DIRECTION] != NULL)
415 return -EINVAL;
416 len = NF_CT_LABELS_MAX_SIZE;
417 break;
418 #endif
419 case NFT_CT_HELPER:
420 if (tb[NFTA_CT_DIRECTION] != NULL)
421 return -EINVAL;
422 len = NF_CT_HELPER_NAME_LEN;
423 break;
424
425 case NFT_CT_L3PROTOCOL:
426 case NFT_CT_PROTOCOL:
427 /* For compatibility, do not report error if NFTA_CT_DIRECTION
428 * attribute is specified.
429 */
430 len = sizeof(u8);
431 break;
432 case NFT_CT_SRC:
433 case NFT_CT_DST:
434 if (tb[NFTA_CT_DIRECTION] == NULL)
435 return -EINVAL;
436
437 switch (ctx->family) {
438 case NFPROTO_IPV4:
439 len = sizeof_field(struct nf_conntrack_tuple,
440 src.u3.ip);
441 break;
442 case NFPROTO_IPV6:
443 case NFPROTO_INET:
> 444 const struct nft_expr *curr, *last;
445 bool meta_nfproto = false;
446 if (!expr->rule)
447 return -EINVAL;
448
> 449 nft_rule_for_each_expr(curr, last, expr->rule) {
450 if (curr == expr)
451 break;
452
453 if (curr->ops == &nft_meta_get_ops) {
454 const struct nft_meta *meta = nft_expr_priv(curr);
455 if (meta->key == NFT_META_NFPROTO) {
456 meta_nfproto = true;
457 break;
458 }
459 }
460 }
461 if (!meta_nfproto)
462 return -EINVAL;
463
464 len = sizeof_field(struct nf_conntrack_tuple,
465 src.u3.ip6);
466 break;
467 default:
468 return -EAFNOSUPPORT;
469 }
470 break;
471 case NFT_CT_SRC_IP:
472 case NFT_CT_DST_IP:
473 if (tb[NFTA_CT_DIRECTION] == NULL)
474 return -EINVAL;
475
476 len = sizeof_field(struct nf_conntrack_tuple, src.u3.ip);
477 break;
478 case NFT_CT_SRC_IP6:
479 case NFT_CT_DST_IP6:
480 if (tb[NFTA_CT_DIRECTION] == NULL)
481 return -EINVAL;
482
483 len = sizeof_field(struct nf_conntrack_tuple, src.u3.ip6);
484 break;
485 case NFT_CT_PROTO_SRC:
486 case NFT_CT_PROTO_DST:
487 if (tb[NFTA_CT_DIRECTION] == NULL)
488 return -EINVAL;
489 len = sizeof_field(struct nf_conntrack_tuple, src.u.all);
490 break;
491 case NFT_CT_BYTES:
492 case NFT_CT_PKTS:
493 case NFT_CT_AVGPKT:
494 len = sizeof(u64);
495 break;
496 #ifdef CONFIG_NF_CONNTRACK_ZONES
497 case NFT_CT_ZONE:
498 len = sizeof(u16);
499 break;
500 #endif
501 case NFT_CT_ID:
502 if (tb[NFTA_CT_DIRECTION])
503 return -EINVAL;
504
505 len = sizeof(u32);
506 break;
507 default:
508 return -EOPNOTSUPP;
509 }
510
511 if (tb[NFTA_CT_DIRECTION] != NULL) {
512 priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
513 switch (priv->dir) {
514 case IP_CT_DIR_ORIGINAL:
515 case IP_CT_DIR_REPLY:
516 break;
517 default:
518 return -EINVAL;
519 }
520 }
521
522 priv->len = len;
523 err = nft_parse_register_store(ctx, tb[NFTA_CT_DREG], &priv->dreg, NULL,
524 NFT_DATA_VALUE, len);
525 if (err < 0)
526 return err;
527
528 err = nf_ct_netns_get(ctx->net, ctx->family);
529 if (err < 0)
530 return err;
531
532 if (priv->key == NFT_CT_BYTES ||
533 priv->key == NFT_CT_PKTS ||
534 priv->key == NFT_CT_AVGPKT)
535 nf_ct_set_acct(ctx->net, true);
536
537 return 0;
538 }
539
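Review bot: The `meta nfproto` requirement sits under both `case NFPROTO_IPV6:` and `case NFPROTO_INET:` (listing lines 442-462), so an ip6-family rule using `NFT_CT_SRC`/`NFT_CT_DST` without an earlier meta expression would also get `-EINVAL`. The patch subject only names inet tables, so if this is not intended, existing ip6 rulesets would stop loading. Giving `NFPROTO_INET` its own braced case keeps the check to inet and gives the `curr`/`last`/`meta_nfproto` declarations a block scope, which the declaration placed directly after the label lacks. The scan also only confirms that an `NFT_META_NFPROTO` load appears earlier in the rule, not that its result is compared against a particular family, so it may accept rules that are still ambiguous.

```c
		case NFPROTO_IPV6:
			len = sizeof_field(struct nf_conntrack_tuple,
					   src.u3.ip6);
			break;
		case NFPROTO_INET: {
			const struct nft_expr *curr, *last;
			bool meta_nfproto = false;

			/* … unchanged: expr->rule check and scan for an earlier meta nfproto load … */
			if (!meta_nfproto)
				return -EINVAL;

			len = sizeof_field(struct nf_conntrack_tuple,
					   src.u3.ip6);
			break;
		}
```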
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki