On Thu, 26 Nov 2020 01:44:37 +0100 Pablo Neira Ayuso wrote: > > Still worries me this is done in a response to a match. > > > > skb_flow_dissector_init() has a straight up BUG_ON() if the dissector > > did not set the CONTROL or BASIC. It says in the comment that both must > > be initialized. But nft does not call skb_flow_dissector_init()? > > > > Are you 100% sure all cases will set CONTROL and BASIC now? > > Enforcing skb_flow_dissector_init() for software make sense, but in > Netfilter this is used for hardware offload only. > > All drivers in the tree check for: > > if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CONTROL)) > > before accessing struct flow_match_control. > > I can set it on inconditionally, but the driver will get a value 0x0 > and mask 0x0, which is the same as leaving it unset. Ack, I didn't realize you don't actually ever use the dissector other than for offload.
