Brett Mastbergen <bmastbergen@xxxxxxxxxxxx> wrote:
> diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
> index 7b717fad6cdc..418a17d2df31 100644
> --- a/net/netfilter/nft_ct.c
> +++ b/net/netfilter/nft_ct.c
> @@ -178,6 +178,9 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
> return;
> }
> #endif
> + case NFT_CT_ID:
> + *dest = nf_ct_get_id(ct);
> + return;

This should perhaps be

if (!nfct_is_confirmed(ct))
	goto err;

*dest = ...

Otherwise we'll need to change nf_ct_get_id() to only consider immutable properties of nf_conn.

ctnetlink never generates events until conntrack confirmation, so I think the nfct_is_confirmed() check would be ok.

Other than this, this looks great.
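Review bot: the new NFT_CT_ID case at the end of the quoted hunk writes nf_ct_get_id(ct) into the destination register unconditionally, so an expression evaluated on a packet whose conntrack entry is not yet confirmed hands userspace an id that can still diverge from what ctnetlink later reports for the same flow, since ctnetlink only emits events after confirmation. Guard the read before the assignment, e.g. `if (!nfct_is_confirmed(ct)) goto err;` ahead of `*dest = nf_ct_get_id(ct);`, so the case takes the expression's existing error path instead of returning a possibly stale id; the alternative, restricting nf_ct_get_id() to immutable nf_conn fields, is a wider change than this patch should need.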