Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Tue, Apr 26, 2016 at 11:59:53AM +0200, Florian Westphal wrote:
> > diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> > index 25998fa..4ef41a8 100644
> > --- a/net/netfilter/nft_ct.c
> > +++ b/net/netfilter/nft_ct.c
> > @@ -198,9 +198,22 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
> >  		}
> >  		break;
> >  #endif
> > +#ifdef CONFIG_NF_CONNTRACK_LABELS
> > +	case NFT_CT_LABELS:
> > +		if (nf_connlabels_replace(ct,
> > +					  ®s->data[priv->sreg],
> > +					  ®s->data[priv->sreg],
> > +					  NF_CT_LABELS_MAX_SIZE / sizeof(u32)))
> > +			goto err;
> > +		break;
> > +#endif
> >  	default:
> >  		break;
> >  	}
> > +
> > +	return;
> > +err:
> > +	regs->verdict.code = NFT_BREAK;
>
> This will trigger a warning when CONFIG_NF_CONNTRACK_LABELS is
> disabled (the err: label will be unused).
>
> I have fixed this here with:

Thanks, fix looks good!

> But still I'm unsure we should stop evaluating the rule. How can we
> reach this error situation?

It happens when you hit a conntrack that doesn't have the connlabel
extension attached because it predates the nft label set rule.

I don't mind changing this to not break and continue with evaluation
(I followed what xt_connlabel does but we don't need to follow that
example).
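Review bot: the `goto err` is only compiled under `#ifdef CONFIG_NF_CONNTRACK_LABELS`, but the `err:` label and the `regs->verdict.code = NFT_BREAK;` line after `return;` are unconditional, so a build without that option gets an unused-label warning; either guard the label and the verdict assignment with the same `#ifdef`, or drop the label entirely and set the verdict inside the `NFT_CT_LABELS` case before `break`, which also removes the need for the bare `return;`. Two smaller points in the same hunk: the same register expression `®s->data[priv->sreg]` is passed for two consecutive arguments of `nf_connlabels_replace()`, and a one-line comment saying what each of those arguments means would save the next reader a lookup; and since the thread establishes that the failure path is reached for a conntrack that predates the label-setting rule and has no connlabel extension, whichever behaviour is kept (NFT_BREAK versus continuing evaluation) deserves a comment at the call site stating that this is a deliberate choice rather than an unexpected error.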