From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: monok8s authors Date: Mon, 11 May 2026 00:00:00 +0000 Subject: [PATCH] cmm: ignore conntracks without fastpath metadata CMM receives conntrack notifications for the whole system conntrack table. On a Kubernetes node, many entries are unrelated to Comcerto/NXP fastpath: loopback traffic, local control-plane traffic, Cilium traffic, broadcast, multicast, and ordinary slow-path flows. Those entries do not necessarily carry the private fastpath attributes CMM expects. Treat them as non-fastpathable instead of trying to process them. --- cmm/src/ffcontrol.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/cmm/src/ffcontrol.c b/cmm/src/ffcontrol.c --- a/cmm/src/ffcontrol.c +++ b/cmm/src/ffcontrol.c @@ -75,6 +75,25 @@ return 1; } +/***************************************************************** +* cmmFcHasFastpathAttrs() +* +* CMM receives all conntrack notifications, including entries that +* never passed through the Comcerto/NXP fastpath hooks. Those entries +* do not have the private fastpath attributes needed below. Treat them +* as ordinary slow-path conntracks and ignore them. +******************************************************************/ +static int cmmFcHasFastpathAttrs(struct nf_conntrack *ct) +{ + if (!nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IIF)) + return 0; + + if (!nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IFINDEX)) + return 0; + + return 1; +} + /***************************************************************** * cmmIsConntrack4Allowed() * 
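Review bot: In cmmFcHasFastpathAttrs(), `!nfct_attr_is_set(...)` treats the error return as "attribute present": nfct_attr_is_set() returns -1 with errno set to EINVAL when the attribute id is out of range for the libnetfilter_conntrack in use, so a build that ends up running against a library without the Comcerto extensions would let every conntrack through the guard. Compare against zero instead, `if (nfct_attr_is_set(ct, ATTR_ORIG_COMCERTO_FP_IIF) <= 0) return 0;`, and do the same for ATTR_ORIG_COMCERTO_FP_IFINDEX. The parameter can also be declared `const struct nf_conntrack *ct`, since the helper only queries the object. The header comment says the attributes are "needed below", but only the original-direction pair is tested; if the callers also read reply-direction fastpath attributes (not visible in this patch), the comment should say why those are not checked.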
@@ -92,6 +111,12 @@ sAddr = nfct_get_attr_u32(ct, ATTR_ORIG_IPV4_SRC); dAddr = nfct_get_attr_u32(ct, ATTR_REPL_IPV4_SRC); + if (!cmmFcHasFastpathAttrs(ct)) { + cmm_print(DEBUG_INFO, "%s: conntrack has no fastpath metadata, ignored\n", + __func__); + goto refused; + } + /* Multicast connections are not forwarded */ if (MULTICAST(dAddr)) { cmm_print(DEBUG_WARNING, "%s: conntrack multicast dst:%s:%x src:%s:%x\n", __func__, @@ -197,6 +222,12 @@ Saddr = nfct_get_attr(ct, ATTR_ORIG_IPV6_SRC); SaddrReply = nfct_get_attr(ct, ATTR_REPL_IPV6_SRC); + if (!Saddr || !SaddrReply || !cmmFcHasFastpathAttrs(ct)) { + cmm_print(DEBUG_INFO, "%s: conntrack has no fastpath metadata, ignored\n", + __func__); + goto refused; + } + if ((SaddrReply[0] & ntohl(0xff000000)) == ntohl(0xff000000)) { goto refused; -- 2.45.0
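Review bot: The IPv4 guard added here tests only the fastpath attributes, while the IPv6 hunk of the same patch also rejects entries whose address attributes are missing. nfct_get_attr_u32() yields 0 for an unset attribute, so an entry without ATTR_ORIG_IPV4_SRC or ATTR_REPL_IPV4_SRC continues with sAddr or dAddr equal to 0, which the later checks cannot tell apart from a real address. For parity, add the presence test to the condition: `if (!nfct_attr_is_set(ct, ATTR_ORIG_IPV4_SRC) || !nfct_attr_is_set(ct, ATTR_REPL_IPV4_SRC) || !cmmFcHasFastpathAttrs(ct)) {`. The rest of the function, including the `refused` label, lies outside the hunk.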
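Review bot: The combined condition `!Saddr || !SaddrReply || !cmmFcHasFastpathAttrs(ct)` in the IPv6 hunk logs "conntrack has no fastpath metadata" even when the entry was rejected because an IPv6 address attribute is missing, so two different conditions end up behind one message. The NULL tests are worth keeping, since `SaddrReply[0]` is dereferenced immediately afterwards; give them their own branch and message, `if (!Saddr || !SaddrReply) { cmm_print(DEBUG_INFO, "%s: conntrack has no IPv6 source address, ignored\n", __func__); goto refused; }`, followed by the fastpath-attribute test on its own. The function continues past the end of the hunk.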