Nikolaos Gkarlis <nickgarlis@xxxxxxxxx> wrote:
> The kernel accepts netlink messages using the legacy NFT_CT_SRC,
> NFT_CT_DST keys in inet tables, creating ambiguous conntrack expressions
> that cannot be properly evaluated during packet processing.
>
> When NFPROTO_INET is used with NFT_CT_SRC, NFT_CT_DST, the register size
> calculation defaults to IPv6 (16 bytes) regardless of the actual packet
> family.
>
> This causes two issues:
> 1. For IPv4 packets, only 4 bytes contain valid address data while 12
>    bytes contain uninitialized memory during comparison.
> 2. nft userspace cannot properly display these rules ([invalid type]).
>
> The bug is not reproducible through standard nft commands, which
> properly use NFT_CT_SRC_IP(6), NFT_CT_DST_IP(6) keys instead.

It breaks nftables .py tests:

tests/py/nft-test.py
inet/rt.t: OK
inet/ct.t: ERROR: line 7: add rule inet test-inet input meta nfproto ipv4 ct original saddr 1.2.3.4: This rule should not have failed.
inet/ct.t: OK
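The quoted report describes a register sized for IPv6 at rule-load time being compared against a 4-byte IPv4 conntrack address at packet time. The C model below is an added illustration, not code from this thread or from the kernel; every name in it is the model's own, and it assumes a 16-byte register and a zero-padded rule constant, as the report implies.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Model register: 16 bytes, wide enough for an IPv6 address. */
#define REG_LEN 16

/* Table families for the model (values follow NFPROTO_*, assumed). */
enum model_family { FAM_INET = 1, FAM_IPV4 = 2, FAM_IPV6 = 10 };

/* Length the legacy NFT_CT_SRC key is given at rule-load time. In an
 * inet table the packet family is unknown at that point, and the report
 * says the size then falls back to the IPv6 length of 16 bytes. */
static size_t legacy_ct_src_len(enum model_family table_family)
{
	return table_family == FAM_IPV4 ? 4 : 16;
}

/* Fill the register with whatever a previous expression left behind,
 * then write the 4-byte IPv4 conntrack address. The other 12 bytes are
 * never written: this is the uninitialized data the report describes. */
static void load_ct_src_ipv4(uint8_t reg[REG_LEN], const char *saddr,
			     bool stale_tail)
{
	struct in_addr a;

	memset(reg, stale_tail ? 0xa5 : 0x00, REG_LEN);
	inet_pton(AF_INET, saddr, &a);
	memcpy(reg, &a.s_addr, sizeof(a.s_addr));
}

/* Evaluate "ct original saddr <rule_saddr>" against an IPv4 packet whose
 * conntrack source is <pkt_saddr>, in a table of the given family.
 * Returns whether the comparison matches. */
bool ct_saddr_matches(enum model_family table_family, const char *pkt_saddr,
		      const char *rule_saddr, bool stale_tail)
{
	uint8_t reg[REG_LEN], cmp[REG_LEN] = { 0 };
	struct in_addr r;

	/* The rule constant is zero-padded to the register width. */
	inet_pton(AF_INET, rule_saddr, &r);
	memcpy(cmp, &r.s_addr, sizeof(r.s_addr));

	load_ct_src_ipv4(reg, pkt_saddr, stale_tail);

	/* Compare with the rule-load length, not the packet's real size. */
	return memcmp(reg, cmp, legacy_ct_src_len(table_family)) == 0;
}
```

In an ip table the 4-byte length makes the match independent of the register tail; in an inet table the same rule matches or fails depending on the stale bytes, which is why the key is ambiguous and the test's `ct original saddr 1.2.3.4` line is the one that trips.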