From: Fernando Fernandez Mancera <fmancera@suse.de>
To: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org, phil@nwl.cc, fw@strlen.de,
pablo@netfilter.org,
Fernando Fernandez Mancera <fmancera@suse.de>
Subject: [PATCH 4/9 nf-next] netfilter: conntrack: use DEBUG_NET_WARN_ON_ONCE on packet paths
Date: Mon, 1 Jun 2026 21:30:44 +0200 [thread overview]
Message-ID: <20260601193049.8131-5-fmancera@suse.de> (raw)
In-Reply-To: <20260601193049.8131-1-fmancera@suse.de>
Replace WARN_ON and WARN_ON_ONCE with DEBUG_NET_WARN_ON_ONCE inside
conntrack confirmation, extension management, helper assignment, and
protocol parsing loops. This prevents unnecessary system panics when
panic_on_warn=1 is enabled in production systems.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
net/netfilter/nf_conntrack_core.c | 2 +-
net/netfilter/nf_conntrack_extend.c | 3 ++-
net/netfilter/nf_conntrack_helper.c | 4 +++-
net/netfilter/nf_conntrack_ovs.c | 2 +-
net/netfilter/nf_conntrack_proto_icmp.c | 3 ++-
net/netfilter/nf_conntrack_seqadj.c | 2 +-
net/netfilter/nf_conntrack_sip.c | 5 ++++-
7 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 8ba5b22a1eef..51e2d8ebe756 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1244,7 +1244,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
* unconfirmed conntrack.
*/
if (unlikely(nf_ct_is_confirmed(ct))) {
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
nf_conntrack_double_unlock(hash, reply_hash);
local_bh_enable();
return NF_DROP;
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index dd62cc12e775..68169007aea2 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -95,7 +95,8 @@ void *nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
struct nf_ct_ext *new;
/* Conntrack must not be confirmed to avoid races on reallocation. */
- WARN_ON(nf_ct_is_confirmed(ct));
+ if (unlikely(nf_ct_is_confirmed(ct)))
+ DEBUG_NET_WARN_ON_ONCE(1);
/* struct nf_ct_ext uses u8 to store offsets/size */
BUILD_BUG_ON(total_extension_size() > 255u);
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 17e971bd4c74..0a0e41dd4c95 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -198,8 +198,10 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
if (test_bit(IPS_HELPER_BIT, &ct->status))
return 0;
- if (WARN_ON_ONCE(!tmpl))
+ if (unlikely(!tmpl)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return 0;
+ }
help = nfct_help(tmpl);
if (help != NULL) {
diff --git a/net/netfilter/nf_conntrack_ovs.c b/net/netfilter/nf_conntrack_ovs.c
index a6988eeb1579..26f12dd0c1a4 100644
--- a/net/netfilter/nf_conntrack_ovs.c
+++ b/net/netfilter/nf_conntrack_ovs.c
@@ -53,7 +53,7 @@ int nf_ct_helper(struct sk_buff *skb, struct nf_conn *ct,
break;
}
default:
- WARN_ONCE(1, "helper invoked on non-IP family!");
+ DEBUG_NET_WARN_ONCE(1, "helper invoked on non-IP family!");
return NF_DROP;
}
diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
index 32148a3a8509..0f39cb147c4f 100644
--- a/net/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/netfilter/nf_conntrack_proto_icmp.c
@@ -117,7 +117,8 @@ int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb,
enum ip_conntrack_dir dir;
struct nf_conn *ct;
- WARN_ON(skb_nfct(skb));
+ if (unlikely(skb_nfct(skb)))
+ DEBUG_NET_WARN_ON_ONCE(1);
zone = nf_ct_zone_tmpl(tmpl, skb, &tmp);
/* Are they talking about one of our connections? */
diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index 7ab2b25b57bc..2bf49f0b9406 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -38,7 +38,7 @@ int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
return 0;
if (unlikely(!seqadj)) {
- WARN_ONCE(1, "Missing nfct_seqadj_ext_add() setup call\n");
+ DEBUG_NET_WARN_ONCE(1, "Missing nfct_seqadj_ext_add() setup call\n");
return 0;
}
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index e69941f1a101..7e9237c810a0 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -599,7 +599,10 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
type, in_header, matchoff, matchlen);
- WARN_ON(ret < 0);
+ if (unlikely(ret < 0)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
+ return -1;
+ }
if (ret == 0)
return ret;
--
2.54.0
next prev parent reply other threads:[~2026-06-01 19:31 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-01 19:30 [PATCH 0/9 nf-next] netfilter: replace raw warnings with Fernando Fernandez Mancera
2026-06-01 19:30 ` [PATCH 1/9 nf-next] netfilter: xtables: use DEBUG_NET_WARN_ON_ONCE in packet and control paths Fernando Fernandez Mancera
2026-06-01 19:30 ` [PATCH 2/9 nf-next] netfilter: nf_tables: " Fernando Fernandez Mancera
2026-06-01 19:30 ` [PATCH 3/9 nf-next] netfilter: nfnetlink: use DEBUG_NET_WARN_ON_ONCE for attribute validation Fernando Fernandez Mancera
2026-06-01 19:30 ` Fernando Fernandez Mancera [this message]
2026-06-18 17:11 ` [PATCH 4/9 nf-next] netfilter: conntrack: use DEBUG_NET_WARN_ON_ONCE on packet paths Pablo Neira Ayuso
2026-06-18 17:32 ` Florian Westphal
2026-06-18 18:15 ` Pablo Neira Ayuso
2026-06-18 20:32 ` Fernando Fernandez Mancera
2026-06-18 20:38 ` Fernando Fernandez Mancera
2026-06-01 19:30 ` [PATCH 5/9 nf-next] netfilter: nat: use DEBUG_NET_WARN_ON_ONCE in core and helper paths Fernando Fernandez Mancera
2026-06-01 19:30 ` [PATCH 6/9 nf-next] netfilter: tproxy: use DEBUG_NET_WARN_ON_ONCE for protocol fallbacks Fernando Fernandez Mancera
2026-06-01 19:30 ` [PATCH 7/9 nf-next] netfilter: bpf: use DEBUG_NET_WARN_ON_ONCE for missing BTF structures Fernando Fernandez Mancera
2026-06-01 19:30 ` [PATCH 8/9 nf-next] netfilter: flowtable: use DEBUG_NET_WARN_ON_ONCE in offload path Fernando Fernandez Mancera
2026-06-01 19:30 ` [PATCH 9/9 nf-next] netfilter: conncount: use DEBUG_NET_WARN_ON_ONCE on reaching count limit Fernando Fernandez Mancera
2026-06-01 19:35 ` [PATCH 0/9 nf-next] netfilter: replace raw warnings with Fernando Fernandez Mancera
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260601193049.8131-5-fmancera@suse.de \
--to=fmancera@suse.de \
--cc=coreteam@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=phil@nwl.cc \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.