netfilter: nf_tables: fix ct untracked match breakage

"ct untracked" no longer works properly due to erroneous NFT_BREAK.
We have to check ctinfo enum first.

Fixes: d9e789147605 ("netfilter: nf_tables: avoid retpoline overhead for some ct expression calls")
Reported-by: Rvfg <i@rvf6.com>
Link: https://marc.info/?l=netfilter&m=168294996212038&w=2
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nft_ct_fast.c b/net/netfilter/nft_ct_fast.c
index 89983b0613fa3948c02410518cb8b83d60d145e4..e684c8a9184877fe16be47e0aacc89056a41982c 100644 (file)
--- a/net/netfilter/nft_ct_fast.c
+++ b/net/netfilter/nft_ct_fast.c
@@ -15,10 +15,6 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
        unsigned int state;
 
        ct = nf_ct_get(pkt->skb, &ctinfo);
-       if (!ct) {
-               regs->verdict.code = NFT_BREAK;
-               return;
-       }
 
        switch (priv->key) {
        case NFT_CT_STATE:
@@ -30,6 +26,16 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
                        state = NF_CT_STATE_INVALID_BIT;
                *dest = state;
                return;
+       default:
+               break;
+       }
+
+       if (!ct) {
+               regs->verdict.code = NFT_BREAK;
+               return;
+       }
+
+       switch (priv->key) {
        case NFT_CT_DIRECTION:
                nft_reg_store8(dest, CTINFO2DIR(ctinfo));
                return;