Otherwise, this assigns the NULL helper. Bail out from control plane path
if the kernel does not provide this helper.
Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
net/netfilter/nft_ct.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 715a154f243c..6f7e49752bfa 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1077,6 +1077,8 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
help4 = nf_conntrack_helper_try_module_get(name, family,
priv->l4proto);
+ if (!help4)
+ return -ENOENT;
break;
case NFPROTO_IPV6:
if (ctx->family == NFPROTO_IPV4)
@@ -1084,6 +1086,8 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
help6 = nf_conntrack_helper_try_module_get(name, family,
priv->l4proto);
+ if (!help6)
+ return -ENOENT;
break;
case NFPROTO_NETDEV:
case NFPROTO_BRIDGE:
@@ -1092,15 +1096,14 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
priv->l4proto);
help6 = nf_conntrack_helper_try_module_get(name, NFPROTO_IPV6,
priv->l4proto);
+ /* && is intentional; only error if INET found neither ipv4 or ipv6 */
+ if (!help4 && !help6)
+ return -ENOENT;
break;
default:
return -EAFNOSUPPORT;
}
- /* && is intentional; only error if INET found neither ipv4 or ipv6 */
- if (!help4 && !help6)
- return -ENOENT;
-
priv->helper4 = help4;
priv->helper6 = help6;
--
2.30.2
