warning splat in nftables ct expect

warning splat in nftables ct expect

[Pablo Neira Ayuso]

Hi,

I'm hitting a warning with the custom ct expect infrastructure for
nftables:

[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00                                                                                                      00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 1                                                                                                     4 e9 eb bf 0f 1f 40 00 0f 1f 44 00
[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
[ 1825.352240] FS:  00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:000000000000000                                                                                                     0
[ 1825.352343] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
[ 1825.352508] Call Trace:
[ 1825.352544]  nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
[ 1825.352641]  nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
[ 1825.352716]  nft_do_chain+0x232/0x850 [nf_tables]

nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
conntrack entry. However, nf_ct_ext_add() can only be called for
!nf_ct_is_confirmed().

I can fix this by adding the nf_ct_is_confirmed() check, but then you
can only create an expectation from the first packet. I guess this is
fine for your usecase, right?

It should be possible to remove this limitation via explicit ct helper
definition in the ruleset, ie. decouple helper definition from the
expectation setup which happens from nft_ct_expect_obj_eval().

Thanks.

Re: warning splat in nftables ct expect

[Stéphane Veyret]

HI,

> I can fix this by adding the nf_ct_is_confirmed() check, but then you
> can only create an expectation from the first packet. I guess this is
> fine for your usecase, right?

Well, I must say that I actually never used the expectations, and
probably will not use it before long. So, of course, you can add the
check.

Thank you.

-- 
Bien cordialement, / Plej kore,

Stéphane Veyret

Re: warning splat in nftables ct expect

[Pablo Neira Ayuso]

On Thu, May 20, 2021 at 08:00:53PM +0200, Stéphane Veyret wrote:
> HI,
> 
> > I can fix this by adding the nf_ct_is_confirmed() check, but then you
> > can only create an expectation from the first packet. I guess this is
> > fine for your usecase, right?
> 
> Well, I must say that I actually never used the expectations, and
> probably will not use it before long. So, of course, you can add the
> check.

No problem. The limitation (only allowing to create the expectation
from the first packet) should be relatively easy to remove by adding
an action to attach a "dummy" helper.

Thanks.