Re: [PATCH net] netfilter: ctnetlink: use nf_ct_exp_net() in expectation dump
From: Pablo Neira Ayuso
Date: Tue May 05 2026 - 05:19:58 EST
Hi,
This is nf-next material.
On Mon, May 04, 2026 at 10:11:57PM -0700, Pratham Gupta wrote:
> Commit 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation")
> introduced exp->net so RCU-only expectation paths no longer need to
> dereference exp->master for netns lookups.
>
> Commit 3db5647984de ("netfilter: nf_conntrack_expect: skip expectations in other netns via proc")
> updated the proc path accordingly, but ctnetlink_exp_dump_table() still
> compares against nf_ct_net(exp->master).
There was no check in the /proc path.
> Use nf_ct_exp_net(exp) here as well so the netlink dump path matches
> the rest of the March 2026 expectation netns/RCU cleanup.
yes, this is a leftover, but it is safe to access
> Fixes: 02a3231b6d82 ("netfilter: nf_conntrack_expect: store netns and zone in expectation")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Pratham Gupta <pratham36gupta@xxxxxxxxx>
> ---
> Tested expectation create/dump/delete on the host and in fresh Ubuntu 24.04
> Docker userspace. Concurrent namespace churn/dump testing did not reproduce
> a cross-netns leak.
What cross-netns leak are you referring to? This is simply using the
conntrack netns instead of exp->netns, which was added in 02a3231b6d82.
This is nf-next material.
> net/netfilter/nf_conntrack_netlink.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index eda5fe4a75c8..8ae3f6acc2d2 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -3158,7 +3158,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
> if (l3proto && exp->tuple.src.l3num != l3proto)
> continue;
>
> - if (!net_eq(nf_ct_net(exp->master), net))
> + if (!net_eq(nf_ct_exp_net(exp), net))
> continue;
>
> if (cb->args[1]) {
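Review bot: the Fixes: and Cc: stable tags do not match what this one-line hunk does. Switching the netns filter in ctnetlink_exp_dump_table() from `nf_ct_net(exp->master)` to `nf_ct_exp_net(exp)` does not change which expectations are dumped, and as noted above the exp->master dereference was already safe on this path, so this is a consistency cleanup with no user-visible bug to point a Fixes: line at. Suggest dropping both tags, rewording the description so it no longer claims to mirror a check in the /proc path (the maintainer states there was none there), and resubmitting against nf-next as requested.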
> --
> 2.43.0
>