On Sat, Mar 09, 2024 at 12:39:20PM +0100, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > Since kernel commit 8059918a1377 ("netfilter: nft_ct: sanitize layer 3
> > and 4 protocol number in custom expectations"), ct expectations
> > specifying an l3proto which does not match the table family are
> > rejected.
>
> > - l3proto ip
> > + l3proto inet
> > }
>
> This can't be right, the kernel must reject this.
>
> 99993789966a ("netfilter: nft_ct: fix l3num expectations with inet pseudo family")
>
> was supposed to fix this up.

Ah, thanks for the catch! My testing VM currently runs nf-next kernel which
doesn't have that commit. :(

I'll drop this patch from the series.

Cheers, Phil
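
Review bot: The quoted commit message does not say which table family the expectation sits in or which kernel the change was verified on, so the `l3proto ip` to `l3proto inet` replacement cannot be judged from the hunk alone. Naming both in the message would show whether the rejection comes from 8059918a1377 on its own or still occurs with 99993789966a applied, which is the case the reply says must keep `l3proto inet` rejected.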