On Thu, May 05, 2016 at 03:51:22PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > But still I'm unsure we should stop evaluating the rule. How can we
> > reach this error situation?
>
> It happens when you hit a conntrack that doesn't have the connlabel
> extension attached because it predates the nft label set rule.
>
> I don't mind changing this to not break and continue with evaluation
> (i followed what xt_connlabel does but we don't need to follow that
> example).

OK, then I'm going to simplify this to make it look like:

+#ifdef CONFIG_NF_CONNTRACK_LABELS + case NFT_CT_LABELS: + nf_connlabels_replace(ct, + ®s->data[priv->sreg], + ®s->data[priv->sreg], + NF_CT_LABELS_MAX_SIZE / sizeof(u32)); + break; +#endif
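Review bot: In the NFT_CT_LABELS case the result of nf_connlabels_replace() is dropped, so the situation discussed above (a conntrack without the connlabel extension attached) now fails silently while rule evaluation continues. If that is the intended behaviour, a one-line comment above the call saying the failure is deliberately ignored would save the next reader from assuming a missing check. The second and third arguments are also the same expression, the register at priv->sreg; a short comment stating that this is intentional would make the call easier to verify, since it otherwise reads like a copy-and-paste slip.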