Re: [PATCH v3 1/1] nft_ct: Added nfct_seqadj_ext_add() for NAT'ed conntrack.
From: Florian Westphal
Date: Tue Oct 21 2025 - 12:34:13 EST
Andrii Melnychenko <a.melnychenko@xxxxxxx> wrote:
> Hi all,
>
> > I think this needs something like this:
> >
> > if (!nfct_seqadj_ext_add(ct))
> >         regs->verdict.code = NF_DROP;
>
> Okay - I'll update it. I'm planning a proper test.
>
> Apparently, I need to provide a simple test FTP server/client, not
> fully functional,
> but sufficient to "trigger" nf_conntrack_ftp.
Argh, I forgot we do have an ftp test case in the nftables repo, even
with NAT.
tests/shell/testcases/packetpath/nat_ftp
in nftables.git repo from git.netfilter.org.
So it would be easier to extend that instead of a new kselftest for the
kernel.
From a short glance I guess it works because the address rewrite doesn't
need to expand the packet, else this should have failed and found this
bug...
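The remark above, that the nat_ftp test passes because the address rewrite does not expand the packet, is illustrated by the following C program. It is an added example, not code from this thread, from the patch, or from the kernel: it rewrites an FTP PORT line the way an FTP NAT helper does on the control channel, reports by how many bytes the payload changed, and applies the resulting offset to later sequence and ack numbers. The `struct seqadj` fields and the before/after offset rule are modelled on the kernel's nf_ct_seqadj but simplified (one direction, no wraparound-safe comparison); the PORT lines, addresses and sequence numbers are constructed for the example.

```c
/* Added illustration, not kernel code and not part of the patch under
 * discussion: an FTP NAT rewrite needs TCP sequence adjustment only when
 * the rewritten PORT line changes length.  struct seqadj and the
 * before/after offset logic follow the kernel's nf_ct_seqadj in spirit,
 * simplified to one direction; all sample values are constructed. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Format an IPv4 address and port in FTP PORT syntax: h1,h2,h3,h4,p1,p2 */
static int ftp_port_arg(uint32_t ip, uint16_t port, char *out, size_t len)
{
	return snprintf(out, len, "%u,%u,%u,%u,%u,%u",
			(unsigned)(ip >> 24) & 0xff, (unsigned)(ip >> 16) & 0xff,
			(unsigned)(ip >> 8) & 0xff, (unsigned)ip & 0xff,
			(unsigned)(port >> 8), (unsigned)(port & 0xff));
}

/* Rewrite one "PORT h1,h2,h3,h4,p1,p2\r\n" command so that it advertises
 * new_ip/new_port.  Returns 1 and stores the payload length change in
 * *delta on success, 0 if the line is not a CRLF-terminated PORT command
 * or out is too small. */
static int ftp_rewrite_port(const char *in, uint32_t new_ip, uint16_t new_port,
			    char *out, size_t outlen, int *delta)
{
	static const char prefix[] = "PORT ";
	size_t inlen = strlen(in);
	char arg[32];
	int n;

	if (strncmp(in, prefix, sizeof(prefix) - 1) != 0 || inlen < 2 ||
	    strcmp(in + inlen - 2, "\r\n") != 0)
		return 0;
	n = ftp_port_arg(new_ip, new_port, arg, sizeof arg);
	if (n < 0 || (size_t)n >= sizeof arg)
		return 0;
	n = snprintf(out, outlen, "%s%s\r\n", prefix, arg);
	if (n < 0 || (size_t)n >= outlen)
		return 0;
	*delta = n - (int)inlen;
	return 1;
}

/* Length change a rewrite would cause, or INT_MIN if not rewritable.
 * Zero is the "rewrite doesn't need to expand the packet" case: no seqadj
 * is ever consulted, so a missing seqadj extension goes unnoticed. */
static int ftp_rewrite_delta(const char *in, uint32_t new_ip, uint16_t new_port)
{
	char out[64];
	int delta;

	return ftp_rewrite_port(in, new_ip, new_port, out, sizeof out, &delta)
	       ? delta : INT_MIN;
}

/* One direction of sequence adjustment state (after nf_ct_seqadj). */
struct seqadj {
	uint32_t correction_pos;	/* seq of the segment that was resized */
	int32_t offset_before;		/* offset for seqs up to correction_pos */
	int32_t offset_after;		/* offset for seqs after it */
};

/* Record that the segment starting at seq grew (or shrank) by delta bytes. */
static void seqadj_record(struct seqadj *s, uint32_t seq, int delta)
{
	s->offset_before = s->offset_after;
	s->correction_pos = seq;
	s->offset_after += delta;
}

/* Sequence number to put on a later segment sent by the rewritten side. */
static uint32_t seqadj_seq(const struct seqadj *s, uint32_t seq)
{
	return seq + (uint32_t)(seq > s->correction_pos ? s->offset_after
							: s->offset_before);
}

/* Ack number to put on a segment from the peer, so the rewritten side sees
 * the byte count it actually sent rather than what the peer received. */
static uint32_t seqadj_ack(const struct seqadj *s, uint32_t ack)
{
	int32_t off = ack - (uint32_t)s->offset_before > s->correction_pos
		      ? s->offset_after : s->offset_before;
	return ack - (uint32_t)off;
}

int main(void)
{
	const char *line = "PORT 10,0,0,1,4,210\r\n";	/* 10.0.0.1:1234 */
	struct seqadj s = {0, 0, 0};
	char out[64];
	int delta = 0;

	/* Same-length mapping: delta 0, nothing for seqadj to do. */
	ftp_rewrite_port(line, 0x0a000002u, 1234, out, sizeof out, &delta);
	printf("%s -> delta %d\n", "10.0.0.2", delta);
	/* Longer address: payload grows, later seq/ack numbers must shift. */
	ftp_rewrite_port(line, 0xc0a864c8u, 1234, out, sizeof out, &delta);
	printf("%s -> delta %d\n", "192.168.100.200", delta);
	seqadj_record(&s, 1000, delta);
	printf("next seq 1021 -> %u, peer ack 1028 -> %u\n",
	       seqadj_seq(&s, 1021), seqadj_ack(&s, 1028));
	return 0;
}
```

A test that wants to exercise the seqadj path therefore needs a mapping whose delta is non-zero, as in the second case above, where a short source address is rewritten to a longer one; the existing nat_ftp case, per the message above, only produces the first kind of rewrite.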