* [PATCH 0/9 nf-next] netfilter: replace raw warnings with
@ 2026-06-01 19:30 Fernando Fernandez Mancera
From: Fernando Fernandez Mancera @ 2026-06-01 19:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo, Fernando Fernandez Mancera
This patch series replaces raw WARN_ON and WARN_ON_ONCE macros with
DEBUG_NET_WARN_ON_ONCE across various netfilter subsystems.
Currently, several internal invariant checks use standard warnings on
packet processing paths or control-plane loops. If triggered, these can
trigger full system panics when panic_on_warn=1 is enabled. In most of
these cases, the condition is already handled gracefully by dropping the
packet, applying a defensive fallback, or returning a proper error code
to userspace via netlink.
By migrating to DEBUG_NET_WARN_ON_ONCE, we preserve full stack trace
diagnostic capability for developers running kernels compiled with
CONFIG_DEBUG_NET=y, while protecting production environments from system
panics.
Fernando Fernandez Mancera (9):
netfilter: xtables: use DEBUG_NET_WARN_ON_ONCE in packet and control
paths
netfilter: nf_tables: use DEBUG_NET_WARN_ON_ONCE in packet and control
paths
netfilter: nfnetlink: use DEBUG_NET_WARN_ON_ONCE for attribute
validation
netfilter: conntrack: use DEBUG_NET_WARN_ON_ONCE on packet paths
netfilter: nat: use DEBUG_NET_WARN_ON_ONCE in core and helper paths
netfilter: tproxy: use DEBUG_NET_WARN_ON_ONCE for protocol fallbacks
netfilter: bpf: use DEBUG_NET_WARN_ON_ONCE for missing BTF structures
netfilter: flowtable: use DEBUG_NET_WARN_ON_ONCE in offload path
netfilter: conncount: use DEBUG_NET_WARN_ON_ONCE on reaching count
limit
net/ipv4/netfilter/ip_tables.c | 6 ++--
net/ipv4/netfilter/iptable_nat.c | 4 ++-
net/ipv4/netfilter/nf_nat_pptp.c | 16 +++++++---
net/ipv4/netfilter/nf_tproxy_ipv4.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 6 ++--
net/ipv6/netfilter/ip6table_nat.c | 4 ++-
net/ipv6/netfilter/nf_tproxy_ipv6.c | 2 +-
net/netfilter/nf_bpf_link.c | 4 ++-
net/netfilter/nf_conncount.c | 3 +-
net/netfilter/nf_conntrack_core.c | 2 +-
net/netfilter/nf_conntrack_extend.c | 3 +-
net/netfilter/nf_conntrack_helper.c | 4 ++-
net/netfilter/nf_conntrack_ovs.c | 2 +-
net/netfilter/nf_conntrack_proto_icmp.c | 3 +-
net/netfilter/nf_conntrack_seqadj.c | 2 +-
net/netfilter/nf_conntrack_sip.c | 5 +++-
net/netfilter/nf_flow_table_core.c | 4 +--
net/netfilter/nf_flow_table_ip.c | 4 +--
net/netfilter/nf_flow_table_offload.c | 4 +--
net/netfilter/nf_nat_core.c | 39 +++++++++++++++++--------
net/netfilter/nf_nat_masquerade.c | 6 ++--
net/netfilter/nf_nat_proto.c | 14 +++++----
net/netfilter/nf_nat_redirect.c | 5 ++--
net/netfilter/nf_tables_api.c | 38 +++++++++++++++++-------
net/netfilter/nf_tables_core.c | 8 +++--
net/netfilter/nf_tables_offload.c | 2 +-
net/netfilter/nf_tables_trace.c | 6 ++--
net/netfilter/nfnetlink.c | 4 ++-
net/netfilter/nfnetlink_cttimeout.c | 3 +-
net/netfilter/nft_ct.c | 2 +-
net/netfilter/nft_ct_fast.c | 2 +-
net/netfilter/nft_exthdr.c | 2 +-
net/netfilter/nft_fib.c | 2 +-
net/netfilter/nft_inner.c | 2 +-
net/netfilter/nft_lookup.c | 2 +-
net/netfilter/nft_masq.c | 2 +-
net/netfilter/nft_meta.c | 10 +++----
net/netfilter/nft_payload.c | 6 ++--
net/netfilter/nft_redir.c | 2 +-
net/netfilter/nft_reject.c | 8 +++--
net/netfilter/nft_rt.c | 2 +-
net/netfilter/nft_set_hash.c | 2 +-
net/netfilter/nft_set_pipapo.c | 2 +-
net/netfilter/nft_set_rbtree.c | 6 ++--
net/netfilter/nft_socket.c | 8 +++--
net/netfilter/nft_tunnel.c | 2 +-
net/netfilter/nft_xfrm.c | 6 ++--
net/netfilter/x_tables.c | 12 ++++++--
net/netfilter/xt_NETMAP.c | 4 ---
net/netfilter/xt_cluster.c | 4 +--
net/netfilter/xt_nat.c | 30 +++++++++----------
net/netfilter/xt_socket.c | 3 +-
52 files changed, 203 insertions(+), 123 deletions(-)
--
2.54.0
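As an added illustration of the cover letter's reasoning (not code from the series or from the kernel tree), the block below models the two macros in user space: WARN_ON_ONCE() returns its condition and so can drive an if(), while DEBUG_NET_WARN_ON_ONCE() is a void expression that evaluates its argument only under CONFIG_DEBUG_NET, which is why every `if (WARN_ON_ONCE(x))` in the series becomes a braced block. Names prefixed demo_/DEMO_ are assumptions for this example.

```c
/*
 * Added example, not code from the series: a user-space model of the macro
 * semantics the cover letter relies on, shaped after the kernel's
 * WARN_ON_ONCE() and the DEBUG_NET_WARN_ON_ONCE() definition in
 * include/net/net_debug.h.  Everything prefixed demo_/DEMO_ is constructed
 * for this example.  Build with -DDEMO_CONFIG_DEBUG_NET to model a
 * CONFIG_DEBUG_NET=y kernel; without it you get the production build.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* How often a warning actually fired: stands in for the kernel log. */
static int demo_warn_count;
/* One "already warned" flag per call site, keyed by source line. */
static bool demo_warned_at[1024];

static int demo_warn_once(int cond, bool *warned, const char *file, int line)
{
	if (cond && !*warned) {
		*warned = true;
		demo_warn_count++;
		fprintf(stderr, "WARNING: %s:%d\n", file, line);
	}
	return cond;
}

/* WARN_ON_ONCE() evaluates its condition and returns it, so it can drive
 * an if(); with panic_on_warn=1 the kernel panics the first time it fires. */
#define WARN_ON_ONCE(cond) \
	demo_warn_once(!!(cond), &demo_warned_at[__LINE__ % 1024], __FILE__, __LINE__)

/* DEBUG_NET_WARN_ON_ONCE() is a void expression in both configurations,
 * so it cannot replace WARN_ON_ONCE() inside an if(); that is why the
 * series rewrites `if (WARN_ON_ONCE(x)) return -E;` into
 * `if (unlikely(x)) { DEBUG_NET_WARN_ON_ONCE(1); return -E; }`. */
#ifdef DEMO_CONFIG_DEBUG_NET
#define DEBUG_NET_WARN_ON_ONCE(cond) ((void)WARN_ON_ONCE(cond))
#else
/* Production build: the condition is only type-checked, never evaluated. */
#define DEBUG_NET_WARN_ON_ONCE(cond) ((void)sizeof(cond))
#endif

#define unlikely(x) __builtin_expect(!!(x), 0)

/* Lets a caller (or test) know which build this is without ifdefs. */
static bool demo_debug_net_enabled(void)
{
#ifdef DEMO_CONFIG_DEBUG_NET
	return true;
#else
	return false;
#endif
}

/* Before the series: the shape being removed.  The caller already handles
 * -ENOENT, yet panic_on_warn=1 would take the whole machine down here. */
static int demo_register_before(const void *table)
{
	if (WARN_ON_ONCE(!table))
		return -ENOENT;
	return 0;
}

/* After the series (cf. ipt_nat_register_lookups() in patch 1/9): the
 * error return is kept, the backtrace only exists on a debug build. */
static int demo_register_after(const void *table)
{
	if (unlikely(!table)) {
		DEBUG_NET_WARN_ON_ONCE(1);
		return -ENOENT;
	}
	return 0;
}

int main(void)
{
	int dummy_table;

	printf("before: NULL -> %d, valid -> %d\n",
	       demo_register_before(NULL), demo_register_before(&dummy_table));
	printf("after:  NULL -> %d, valid -> %d\n",
	       demo_register_after(NULL), demo_register_after(&dummy_table));
	printf("warnings fired: %d (debug build: %s)\n", demo_warn_count,
	       demo_debug_net_enabled() ? "yes" : "no");
	return 0;
}
```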
* [PATCH 1/9 nf-next] netfilter: xtables: use DEBUG_NET_WARN_ON_ONCE in packet and control paths
From: Fernando Fernandez Mancera @ 2026-06-01 19:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo, Fernando Fernandez Mancera
Replace WARN_ON and WARN_ON_ONCE with DEBUG_NET_WARN_ON_ONCE in the
xtables matching and target execution loops. This prevents unnecessary
system panics when panic_on_warn=1 is enabled in production systems.
Also, remove a redundant hook verification macro block in xt_NETMAP.c.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
net/ipv4/netfilter/ip_tables.c | 6 +++---
net/ipv4/netfilter/iptable_nat.c | 4 +++-
net/ipv6/netfilter/ip6_tables.c | 6 +++---
net/ipv6/netfilter/ip6table_nat.c | 4 +++-
net/netfilter/x_tables.c | 12 +++++++++---
net/netfilter/xt_NETMAP.c | 4 ----
net/netfilter/xt_cluster.c | 4 ++--
net/netfilter/xt_nat.c | 30 +++++++++++++++---------------
net/netfilter/xt_socket.c | 3 ++-
9 files changed, 40 insertions(+), 33 deletions(-)
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index f917a9004a01..99d01b5c7edc 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -254,7 +254,7 @@ ipt_do_table(void *priv,
acpar.hotdrop = false;
acpar.state = state;
- WARN_ON(!(table->valid_hooks & (1 << hook)));
+ DEBUG_NET_WARN_ON_ONCE(!(table->valid_hooks & (1 << hook)));
local_bh_disable();
addend = xt_write_recseq_begin();
private = READ_ONCE(table->private); /* Address dependency. */
@@ -279,7 +279,7 @@ ipt_do_table(void *priv,
const struct xt_entry_match *ematch;
struct xt_counters *counter;
- WARN_ON(!e);
+ DEBUG_NET_WARN_ON_ONCE(!e);
if (!ip_packet_match(ip, indev, outdev,
&e->ip, acpar.fragoff)) {
no_match:
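Review bot: the warning here is purely diagnostic: `e` is dereferenced on the very next line (`&e->ip`) whatever the macro says, so on a CONFIG_DEBUG_NET=n kernel a NULL entry goes from a visible warning to a silent NULL pointer dereference. That is consistent with the series' aim, but the cover letter's "already handled gracefully by dropping the packet" does not describe this site; the commit message should say that these loop checks have no fallback and are being demoted to debug-only assertions.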
@@ -298,7 +298,7 @@ ipt_do_table(void *priv,
ADD_COUNTER(*counter, skb->len, 1);
t = ipt_get_target_c(e);
- WARN_ON(!t->u.kernel.target);
+ DEBUG_NET_WARN_ON_ONCE(!t->u.kernel.target);
#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
/* The packet is traced: log it */
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index a0df72554025..bb866f076d4d 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -65,8 +65,10 @@ static int ipt_nat_register_lookups(struct net *net)
xt_nat_net = net_generic(net, iptable_nat_net_id);
table = xt_find_table(net, NFPROTO_IPV4, "nat");
- if (WARN_ON_ONCE(!table))
+ if (unlikely(!table)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -ENOENT;
+ }
ops = kmemdup(nf_nat_ipv4_ops, sizeof(nf_nat_ipv4_ops), GFP_KERNEL);
if (!ops)
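Review bot: the `unlikely()` annotation is noise on this path: ipt_nat_register_lookups() runs once at table setup, not per packet, so a branch hint buys nothing and the plain `if (!table)` form used in the xt_register_template() hunk of x_tables.c below is cleaner. The restructuring itself is needed because DEBUG_NET_WARN_ON_ONCE() is a void expression and cannot sit inside an if() the way WARN_ON_ONCE() could; one sentence in the commit message saying so would stop readers from taking the extra braces for a behavioural change.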
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index ecf79d05a51b..3147326786a5 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -275,7 +275,7 @@ ip6t_do_table(void *priv, struct sk_buff *skb,
acpar.hotdrop = false;
acpar.state = state;
- WARN_ON(!(table->valid_hooks & (1 << hook)));
+ DEBUG_NET_WARN_ON_ONCE(!(table->valid_hooks & (1 << hook)));
local_bh_disable();
addend = xt_write_recseq_begin();
@@ -301,7 +301,7 @@ ip6t_do_table(void *priv, struct sk_buff *skb,
const struct xt_entry_match *ematch;
struct xt_counters *counter;
- WARN_ON(!e);
+ DEBUG_NET_WARN_ON_ONCE(!e);
acpar.thoff = 0;
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
&acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
@@ -321,7 +321,7 @@ ip6t_do_table(void *priv, struct sk_buff *skb,
ADD_COUNTER(*counter, skb->len, 1);
t = ip6t_get_target_c(e);
- WARN_ON(!t->u.kernel.target);
+ DEBUG_NET_WARN_ON_ONCE(!t->u.kernel.target);
#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
/* The packet is traced: log it */
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index c2394e2c94b5..03ed7a5803d0 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -66,8 +66,10 @@ static int ip6t_nat_register_lookups(struct net *net)
int i, ret;
table = xt_find_table(net, NFPROTO_IPV6, "nat");
- if (WARN_ON_ONCE(!table))
+ if (unlikely(!table)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -ENOENT;
+ }
xt_nat_net = net_generic(net, ip6table_nat_net_id);
ops = kmemdup(nf_nat_ipv6_ops, sizeof(nf_nat_ipv6_ops), GFP_KERNEL);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 4e6708c23922..b8b6e03a6116 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -714,8 +714,10 @@ int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));
- if (WARN_ON(!xp->compat_tab))
+ if (unlikely(!xp->compat_tab)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -ENOMEM;
+ }
if (xp->cur >= xp->number)
return -EINVAL;
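Review bot: the unchanged context line `WARN_ON(!mutex_is_locked(&xt[af].compat_mutex));` at the top of this hunk is left as a raw warning while the check immediately below it is converted. Either treat it the same way or, better, replace it with `lockdep_assert_held(&xt[af].compat_mutex);`, which is the idiomatic form for a lock-held assertion and is compiled out without lockdep; a raw WARN_ON sitting beside a converted one looks like an oversight.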
@@ -769,8 +771,10 @@ int xt_compat_init_offsets(u8 af, unsigned int number)
if (!number || number > (INT_MAX / sizeof(struct compat_delta)))
return -EINVAL;
- if (WARN_ON(xt[af].compat_tab))
+ if (unlikely(xt[af].compat_tab)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EINVAL;
+ }
mem = sizeof(struct compat_delta) * number;
if (mem > XT_MAX_TABLE_SIZE)
@@ -1973,8 +1977,10 @@ int xt_register_template(const struct xt_table *table,
mutex_lock(&xt[af].mutex);
list_for_each_entry(t, &xt_templates[af], list) {
- if (WARN_ON_ONCE(strcmp(table->name, t->name) == 0))
+ if (strcmp(table->name, t->name) == 0) {
+ DEBUG_NET_WARN_ON_ONCE(1);
goto out_unlock;
+ }
}
ret = -ENOMEM;
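Review bot: the new block jumps to out_unlock without assigning `ret`, and the hunk only shows `ret = -ENOMEM;` after the loop; confirm `ret` is initialised to an error value before the loop, otherwise a duplicate template name would be reported as success. This hunk also omits the `unlikely()` that the other converted sites in this patch add; pick one style for the series.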
diff --git a/net/netfilter/xt_NETMAP.c b/net/netfilter/xt_NETMAP.c
index cb2ee80d84fa..180d3b2138c3 100644
--- a/net/netfilter/xt_NETMAP.c
+++ b/net/netfilter/xt_NETMAP.c
@@ -74,10 +74,6 @@ netmap_tg4(struct sk_buff *skb, const struct xt_action_param *par)
const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
struct nf_nat_range2 newrange;
- WARN_ON(xt_hooknum(par) != NF_INET_PRE_ROUTING &&
- xt_hooknum(par) != NF_INET_POST_ROUTING &&
- xt_hooknum(par) != NF_INET_LOCAL_OUT &&
- xt_hooknum(par) != NF_INET_LOCAL_IN);
ct = nf_ct_get(skb, &ctinfo);
netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
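Review bot: this hunk deletes the hook check outright rather than converting it, which is a different kind of change from the rest of the patch and the only place in the series where a check disappears. The commit message calls the block "redundant" but does not say what makes it so; state what already enforces the PRE_ROUTING/POST_ROUTING/LOCAL_OUT/LOCAL_IN restriction for this target (presumably the hook mask validated when the rule is inserted) so a reader can verify the removal, and consider splitting it into its own patch.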
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 908fd5f2c3c8..c2d4feac1888 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -49,7 +49,7 @@ xt_cluster_hash(const struct nf_conn *ct,
hash = xt_cluster_hash_ipv6(nf_ct_orig_ipv6_src(ct), info);
break;
default:
- WARN_ON(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
@@ -69,7 +69,7 @@ xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
is_multicast = ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr);
break;
default:
- WARN_ON(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
return is_multicast;
diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index b4f7bbc3f3ca..1572092c41f0 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -57,9 +57,9 @@ xt_snat_target_v0(struct sk_buff *skb, const struct xt_action_param *par)
struct nf_conn *ct;
ct = nf_ct_get(skb, &ctinfo);
- WARN_ON(!(ct != NULL &&
- (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
- ctinfo == IP_CT_RELATED_REPLY)));
+ DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+ (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
+ ctinfo == IP_CT_RELATED_REPLY)));
xt_nat_convert_range(&range, &mr->range[0]);
return nf_nat_setup_info(ct, &range, NF_NAT_MANIP_SRC);
@@ -74,8 +74,8 @@ xt_dnat_target_v0(struct sk_buff *skb, const struct xt_action_param *par)
struct nf_conn *ct;
ct = nf_ct_get(skb, &ctinfo);
- WARN_ON(!(ct != NULL &&
- (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
+ DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+ (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
xt_nat_convert_range(&range, &mr->range[0]);
return nf_nat_setup_info(ct, &range, NF_NAT_MANIP_DST);
@@ -90,9 +90,9 @@ xt_snat_target_v1(struct sk_buff *skb, const struct xt_action_param *par)
struct nf_conn *ct;
ct = nf_ct_get(skb, &ctinfo);
- WARN_ON(!(ct != NULL &&
- (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
- ctinfo == IP_CT_RELATED_REPLY)));
+ DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+ (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
+ ctinfo == IP_CT_RELATED_REPLY)));
memcpy(&range, range_v1, sizeof(*range_v1));
memset(&range.base_proto, 0, sizeof(range.base_proto));
@@ -109,8 +109,8 @@ xt_dnat_target_v1(struct sk_buff *skb, const struct xt_action_param *par)
struct nf_conn *ct;
ct = nf_ct_get(skb, &ctinfo);
- WARN_ON(!(ct != NULL &&
- (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
+ DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+ (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
memcpy(&range, range_v1, sizeof(*range_v1));
memset(&range.base_proto, 0, sizeof(range.base_proto));
@@ -126,9 +126,9 @@ xt_snat_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
struct nf_conn *ct;
ct = nf_ct_get(skb, &ctinfo);
- WARN_ON(!(ct != NULL &&
- (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
- ctinfo == IP_CT_RELATED_REPLY)));
+ DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+ (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
+ ctinfo == IP_CT_RELATED_REPLY)));
return nf_nat_setup_info(ct, range, NF_NAT_MANIP_SRC);
}
@@ -141,8 +141,8 @@ xt_dnat_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
struct nf_conn *ct;
ct = nf_ct_get(skb, &ctinfo);
- WARN_ON(!(ct != NULL &&
- (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
+ DEBUG_NET_WARN_ON_ONCE(!(ct != NULL &&
+ (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED)));
return nf_nat_setup_info(ct, range, NF_NAT_MANIP_DST);
}
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 811e53bee408..e3f68b0734d1 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -161,7 +161,8 @@ static int socket_mt_enable_defrag(struct net *net, int family)
return nf_defrag_ipv6_enable(net);
#endif
}
- WARN_ONCE(1, "Unknown family %d\n", family);
+ pr_warn_once("xt_socket: Unknown family %d\n", family);
+ DEBUG_NET_WARN_ON_ONCE(1);
return 0;
}
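Review bot: the `xt_socket: ` prefix is hand-written into the format string. The usual kernel idiom is `#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt` ahead of the includes, which prefixes every pr_* call in the file uniformly; if the file lacks it, add that rather than embedding the module name in one message. Splitting WARN_ONCE() into pr_warn_once() plus DEBUG_NET_WARN_ON_ONCE(1) is the right call here, since the useful part of the message (which family was unexpected) still reaches production logs while the backtrace becomes debug-only.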
--
2.54.0
* [PATCH 2/9 nf-next] netfilter: nf_tables: use DEBUG_NET_WARN_ON_ONCE in packet and control paths
From: Fernando Fernandez Mancera @ 2026-06-01 19:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo, Fernando Fernandez Mancera
Replace raw warning macros with DEBUG_NET_WARN_ON_ONCE across the
nf_tables API, core engine, and expression evaluations. This prevents
unnecessary system panics when panic_on_warn=1 is enabled in production
systems.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
net/netfilter/nf_tables_api.c | 38 +++++++++++++++++++++++--------
net/netfilter/nf_tables_core.c | 8 ++++---
net/netfilter/nf_tables_offload.c | 2 +-
net/netfilter/nf_tables_trace.c | 6 +++--
net/netfilter/nft_ct.c | 2 +-
net/netfilter/nft_ct_fast.c | 2 +-
net/netfilter/nft_exthdr.c | 2 +-
net/netfilter/nft_fib.c | 2 +-
net/netfilter/nft_inner.c | 2 +-
net/netfilter/nft_lookup.c | 2 +-
net/netfilter/nft_masq.c | 2 +-
net/netfilter/nft_meta.c | 10 ++++----
net/netfilter/nft_payload.c | 6 ++---
net/netfilter/nft_redir.c | 2 +-
net/netfilter/nft_reject.c | 8 +++++--
net/netfilter/nft_rt.c | 2 +-
net/netfilter/nft_set_hash.c | 2 +-
net/netfilter/nft_set_pipapo.c | 2 +-
net/netfilter/nft_set_rbtree.c | 6 +++--
net/netfilter/nft_socket.c | 8 ++++---
net/netfilter/nft_tunnel.c | 2 +-
net/netfilter/nft_xfrm.c | 6 ++---
22 files changed, 76 insertions(+), 46 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 87387adbca65..4884f7f7aaee 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3378,8 +3378,10 @@ static int nf_tables_delchain(struct sk_buff *skb, const struct nfnl_info *info,
*/
int nft_register_expr(struct nft_expr_type *type)
{
- if (WARN_ON_ONCE(type->maxattr > NFT_EXPR_MAXATTR))
+ if (unlikely(type->maxattr > NFT_EXPR_MAXATTR)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -ENOMEM;
+ }
nfnl_lock(NFNL_SUBSYS_NFTABLES);
if (type->family == NFPROTO_UNSPEC)
@@ -3691,8 +3693,10 @@ int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp)
{
int err;
- if (WARN_ON_ONCE(!src->ops->clone))
+ if (unlikely(!src->ops->clone)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EINVAL;
+ }
dst->ops = src->ops;
err = src->ops->clone(dst, src, gfp);
@@ -8327,8 +8331,10 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
return 0;
type = nft_obj_type_get(net, objtype, family);
- if (WARN_ON_ONCE(IS_ERR(type)))
+ if (IS_ERR(type)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return PTR_ERR(type);
+ }
nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
@@ -10306,19 +10312,25 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha
prule = (struct nft_rule_dp *)data;
data += offsetof(struct nft_rule_dp, data);
- if (WARN_ON_ONCE(data > data_boundary))
+ if (unlikely(data > data_boundary)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -ENOMEM;
+ }
size = 0;
nft_rule_for_each_expr(expr, last, rule) {
- if (WARN_ON_ONCE(data + size + expr->ops->size > data_boundary))
+ if (unlikely(data + size + expr->ops->size > data_boundary)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -ENOMEM;
+ }
memcpy(data + size, expr, expr->ops->size);
size += expr->ops->size;
}
- if (WARN_ON_ONCE(size >= 1 << 12))
+ if (unlikely(size >= 1 << 12)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -ENOMEM;
+ }
prule->handle = rule->handle;
prule->dlen = size;
@@ -10329,8 +10341,10 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha
chain->blob_next->size += (unsigned long)(data - (void *)prule);
}
- if (WARN_ON_ONCE(data > data_boundary))
+ if (unlikely(data > data_boundary)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -ENOMEM;
+ }
prule = (struct nft_rule_dp *)data;
nft_last_rule(chain, prule);
@@ -11636,8 +11650,10 @@ int nft_parse_register_load(const struct nft_ctx *ctx,
next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg;
/* Can't happen: nft_validate_register_load() should have failed */
- if (WARN_ON_ONCE(next_register > NFT_REG32_NUM))
+ if (unlikely(next_register > NFT_REG32_NUM)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EINVAL;
+ }
/* find first register that did not see an earlier store. */
invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg);
@@ -11884,8 +11900,10 @@ int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
struct nlattr *tb[NFTA_DATA_MAX + 1];
int err;
- if (WARN_ON_ONCE(!desc->size))
+ if (unlikely(!desc->size)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EINVAL;
+ }
err = nla_parse_nested_deprecated(tb, NFTA_DATA_MAX, nla,
nft_data_policy, NULL);
@@ -11950,7 +11968,7 @@ int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
break;
default:
err = -EINVAL;
- WARN_ON(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
}
nla_nest_end(skb, nest);
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 8ab186f86dd4..01a72f334dc6 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -314,8 +314,10 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
switch (regs.verdict.code) {
case NFT_JUMP:
- if (WARN_ON_ONCE(stackptr >= NFT_JUMP_STACK_SIZE))
- return NF_DROP;
+ if (unlikely(stackptr >= NFT_JUMP_STACK_SIZE)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
+ return NF_DROP_REASON(pkt->skb, SKB_DROP_REASON_NETFILTER_DROP, ELOOP);
+ }
jumpstack[stackptr].rule = nft_rule_next(rule);
stackptr++;
fallthrough;
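Review bot: this hunk changes behaviour beyond the warning swap: `return NF_DROP;` becomes `return NF_DROP_REASON(pkt->skb, SKB_DROP_REASON_NETFILTER_DROP, ELOOP);`, which attaches a drop reason and an errno to the dropped packet. That is a welcome improvement for tracing jump-stack overflows, but it is invisible in a commit message that only talks about panic_on_warn; mention it explicitly or move it to its own patch. The new line is also well past 80 columns; wrap the argument list.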
@@ -326,7 +328,7 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
case NFT_RETURN:
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
}
if (stackptr > 0) {
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 9101b1703b52..8998a24651ff 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -361,7 +361,7 @@ static int nft_block_setup(struct nft_base_chain *basechain,
err = nft_flow_offload_unbind(bo, basechain);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
err = -EOPNOTSUPP;
}
diff --git a/net/netfilter/nf_tables_trace.c b/net/netfilter/nf_tables_trace.c
index a88abae5a9de..d85b6a2fb43c 100644
--- a/net/netfilter/nf_tables_trace.c
+++ b/net/netfilter/nf_tables_trace.c
@@ -227,8 +227,10 @@ static const struct nft_chain *nft_trace_get_chain(const struct nft_rule_dp *rul
last = (const struct nft_rule_dp_last *)rule;
- if (WARN_ON_ONCE(!last->chain))
+ if (unlikely(!last->chain)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return &info->basechain->chain;
+ }
return last->chain;
}
@@ -354,7 +356,7 @@ void nft_trace_notify(const struct nft_pktinfo *pkt,
return;
nla_put_failure:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
kfree_skb(skb);
}
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index fa2cc556331c..bdeffc61d02c 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1136,7 +1136,7 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
to_assign = priv->helper6;
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
return;
}
diff --git a/net/netfilter/nft_ct_fast.c b/net/netfilter/nft_ct_fast.c
index e684c8a91848..c509e1c66fa1 100644
--- a/net/netfilter/nft_ct_fast.c
+++ b/net/netfilter/nft_ct_fast.c
@@ -53,7 +53,7 @@ void nft_ct_get_fast_eval(const struct nft_expr *expr,
return;
#endif
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
regs->verdict.code = NFT_BREAK;
break;
}
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index e6a07c0df207..8861b4d191d1 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -298,7 +298,7 @@ static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr,
old.v32, new.v32, false);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c
index 327a5f33659c..1d0d815c8745 100644
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -155,7 +155,7 @@ void nft_fib_store_result(void *reg, const struct nft_fib *priv,
strscpy_pad(reg, dev ? dev->name : "", IFNAMSIZ);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
*dreg = 0;
break;
}
diff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c
index d14ca157910b..97fb4eea2d66 100644
--- a/net/netfilter/nft_inner.c
+++ b/net/netfilter/nft_inner.c
@@ -308,7 +308,7 @@ static void nft_inner_eval(const struct nft_expr *expr, struct nft_regs *regs,
nft_meta_inner_eval((struct nft_expr *)&priv->expr, regs, pkt, &tun_ctx);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
goto err;
}
nft_inner_save_tun_ctx(pkt, &tun_ctx);
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index 9fafe5afc490..ba512e94b402 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -50,7 +50,7 @@ __nft_set_do_lookup(const struct net *net, const struct nft_set *set,
if (set->ops == &nft_set_rbtree_type.ops)
return nft_rbtree_lookup(net, set, key);
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
#endif
return set->ops->lookup(net, set, key);
}
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index 2b01128737a3..841efd981e20 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -123,7 +123,7 @@ static void nft_masq_eval(const struct nft_expr *expr,
break;
#endif
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
}
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 5b25851381e5..9b5821c64442 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -116,12 +116,12 @@ nft_meta_get_eval_pkttype_lo(const struct nft_pktinfo *pkt,
nft_reg_store8(dest, PACKET_MULTICAST);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
return false;
}
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
return false;
}
@@ -460,7 +460,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
nft_meta_get_eval_sdifname(dest, pkt);
break;
default:
- WARN_ON(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
goto err;
}
return;
@@ -506,7 +506,7 @@ void nft_meta_set_eval(const struct nft_expr *expr,
break;
#endif
default:
- WARN_ON(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
}
}
EXPORT_SYMBOL_GPL(nft_meta_set_eval);
@@ -886,7 +886,7 @@ void nft_meta_inner_eval(const struct nft_expr *expr,
nft_reg_store8(dest, tun_ctx->l4proto);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
goto err;
}
return;
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 01e13e5255a9..d803aae5cbcd 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -196,7 +196,7 @@ void nft_payload_eval(const struct nft_expr *expr,
goto err;
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
goto err;
}
offset += priv->offset;
@@ -603,7 +603,7 @@ void nft_payload_inner_eval(const struct nft_expr *expr, struct nft_regs *regs,
offset = tun_ctx->inner_thoff;
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
goto err;
}
offset += priv->offset;
@@ -866,7 +866,7 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
goto err;
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
goto err;
}
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index 58ae802db8f5..a98aa28180fb 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -126,7 +126,7 @@ static void nft_redir_eval(const struct nft_expr *expr,
break;
#endif
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
}
diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c
index 196a92c7ea09..e3972e904cf0 100644
--- a/net/netfilter/nft_reject.c
+++ b/net/netfilter/nft_reject.c
@@ -102,8 +102,10 @@ static u8 icmp_code_v4[NFT_REJECT_ICMPX_MAX + 1] = {
int nft_reject_icmp_code(u8 code)
{
- if (WARN_ON_ONCE(code > NFT_REJECT_ICMPX_MAX))
+ if (unlikely(code > NFT_REJECT_ICMPX_MAX)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return ICMP_NET_UNREACH;
+ }
return icmp_code_v4[code];
}
@@ -120,8 +122,10 @@ static u8 icmp_code_v6[NFT_REJECT_ICMPX_MAX + 1] = {
int nft_reject_icmpv6_code(u8 code)
{
- if (WARN_ON_ONCE(code > NFT_REJECT_ICMPX_MAX))
+ if (unlikely(code > NFT_REJECT_ICMPX_MAX)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return ICMPV6_NOROUTE;
+ }
return icmp_code_v6[code];
}
diff --git a/net/netfilter/nft_rt.c b/net/netfilter/nft_rt.c
index e23cd4759851..aeb0094eafd8 100644
--- a/net/netfilter/nft_rt.c
+++ b/net/netfilter/nft_rt.c
@@ -93,7 +93,7 @@ void nft_rt_get_eval(const struct nft_expr *expr,
break;
#endif
default:
- WARN_ON(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
goto err;
}
return;
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index b0e571c8e3f3..eb4e382119d4 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -385,7 +385,7 @@ static void nft_rhash_walk(const struct nft_ctx *ctx, struct nft_set *set,
break;
default:
iter->err = -EINVAL;
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
}
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 50d4a4f04309..706c78853f24 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -2199,7 +2199,7 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
break;
default:
iter->err = -EINVAL;
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
}
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index b4f0b5fdf1f2..018bbb6df4ce 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -654,8 +654,10 @@ static int nft_array_may_resize(const struct nft_set *set, bool flush)
}
realloc_array:
- if (WARN_ON_ONCE(nelems > new_max_intervals))
+ if (unlikely(nelems > new_max_intervals)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -ENOMEM;
+ }
if (priv->array_next) {
if (max_intervals == new_max_intervals)
@@ -878,7 +880,7 @@ static void nft_rbtree_walk(const struct nft_ctx *ctx,
break;
default:
iter->err = -EINVAL;
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
}
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index a146a45d7531..52d892e04261 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -71,8 +71,10 @@ static noinline int nft_socket_cgroup_subtree_level(void)
if (level > 255)
return -ERANGE;
- if (WARN_ON_ONCE(level < 0))
+ if (unlikely(level < 0)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EINVAL;
+ }
return level;
}
@@ -97,7 +99,7 @@ static struct sock *nft_socket_do_lookup(const struct nft_pktinfo *pkt)
break;
#endif
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
@@ -152,7 +154,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
break;
#endif
default:
- WARN_ON(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
regs->verdict.code = NFT_BREAK;
}
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 0b987bc2132a..b60015140fb1 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -60,7 +60,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
regs->verdict.code = NFT_BREAK;
break;
default:
- WARN_ON(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
regs->verdict.code = NFT_BREAK;
}
}
diff --git a/net/netfilter/nft_xfrm.c b/net/netfilter/nft_xfrm.c
index 65a75d88e5f0..8cec43064319 100644
--- a/net/netfilter/nft_xfrm.c
+++ b/net/netfilter/nft_xfrm.c
@@ -132,7 +132,7 @@ static void nft_xfrm_state_get_key(const struct nft_xfrm *priv,
switch (priv->key) {
case NFT_XFRM_KEY_UNSPEC:
case __NFT_XFRM_KEY_MAX:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
case NFT_XFRM_KEY_DADDR_IP4:
*dest = (__force __u32)state->id.daddr.a4;
@@ -206,7 +206,7 @@ static void nft_xfrm_get_eval(const struct nft_expr *expr,
nft_xfrm_get_eval_out(priv, regs, pkt);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
regs->verdict.code = NFT_BREAK;
break;
}
@@ -252,7 +252,7 @@ static int nft_xfrm_validate(const struct nft_ctx *ctx, const struct nft_expr *e
(1 << NF_INET_POST_ROUTING);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EINVAL;
}
--
2.54.0
* [PATCH 3/9 nf-next] netfilter: nfnetlink: use DEBUG_NET_WARN_ON_ONCE for attribute validation
From: Fernando Fernandez Mancera @ 2026-06-01 19:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo, Fernando Fernandez Mancera
Replace WARN_ON and WARN_ONCE with DEBUG_NET_WARN_ON_ONCE in the
nfnetlink and cttimeout interfaces. These validation failures are
already handled by returning -EINVAL to userspace.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
net/netfilter/nfnetlink.c | 4 +++-
net/netfilter/nfnetlink_cttimeout.c | 3 ++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 47f3ed441f64..8c4c8bfedd64 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -117,8 +117,10 @@ int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n)
/* Sanity-check attr_count size to avoid stack buffer overflow. */
for (cb_id = 0; cb_id < n->cb_count; cb_id++)
- if (WARN_ON(n->cb[cb_id].attr_count > NFNL_MAX_ATTR_COUNT))
+ if (unlikely(n->cb[cb_id].attr_count > NFNL_MAX_ATTR_COUNT)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EINVAL;
+ }
nfnl_lock(n->subsys_id);
if (table[n->subsys_id].subsys) {
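Review bot: the restructuring is required rather than cosmetic, since DEBUG_NET_WARN_ON_ONCE() has no usable return value; the form used here is correct. Two nits: nfnetlink_subsys_register() runs at module init for in-kernel subsystems, so `unlikely()` buys nothing on this path; and the comment above still reads "to avoid stack buffer overflow", which is exactly why the `return -EINVAL;` must remain a hard failure in every build and not only a debug-time check. A sentence in the commit message making that explicit would help.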
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index dca6826af7de..c33558a02e8e 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -476,7 +476,8 @@ static int cttimeout_default_get(struct sk_buff *skb,
timeouts = &nf_generic_pernet(info->net)->timeout;
break;
default:
- WARN_ONCE(1, "Missing timeouts for proto %d", l4proto->l4proto);
+ pr_warn_once("Missing timeouts for proto %d\n", l4proto->l4proto);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
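Review bot: this hunk diverges from the rest of the series: it keeps a production-visible message via pr_warn_once() and adds a separate DEBUG_NET_WARN_ON_ONCE(1), whereas the nf_conntrack_ovs.c and nf_conntrack_seqadj.c hunks use DEBUG_NET_WARN_ONCE(1, "...") to keep message and backtrace in one debug-only macro. Pick one convention, and if the message is intentionally kept in production builds, say why in the commit message. Also confirm that `timeouts` is checked for NULL after the switch, since the default branch leaves it unset and the switch is keyed on `l4proto->l4proto`, which ultimately comes from the netlink request.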
--
2.54.0
* [PATCH 4/9 nf-next] netfilter: conntrack: use DEBUG_NET_WARN_ON_ONCE on packet paths
From: Fernando Fernandez Mancera @ 2026-06-01 19:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo, Fernando Fernandez Mancera
Replace WARN_ON and WARN_ON_ONCE with DEBUG_NET_WARN_ON_ONCE inside
conntrack confirmation, extension management, helper assignment, and
protocol parsing loops. This prevents unnecessary system panics when
panic_on_warn=1 is enabled in production systems.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
net/netfilter/nf_conntrack_core.c | 2 +-
net/netfilter/nf_conntrack_extend.c | 3 ++-
net/netfilter/nf_conntrack_helper.c | 4 +++-
net/netfilter/nf_conntrack_ovs.c | 2 +-
net/netfilter/nf_conntrack_proto_icmp.c | 3 ++-
net/netfilter/nf_conntrack_seqadj.c | 2 +-
net/netfilter/nf_conntrack_sip.c | 5 ++++-
7 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 8ba5b22a1eef..51e2d8ebe756 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1244,7 +1244,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
* unconfirmed conntrack.
*/
if (unlikely(nf_ct_is_confirmed(ct))) {
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
nf_conntrack_double_unlock(hash, reply_hash);
local_bh_enable();
return NF_DROP;
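Review bot: good reference case for the series: the condition was already wrapped in `unlikely()`, and the debug-only warning is followed by nf_conntrack_double_unlock(), local_bh_enable() and `return NF_DROP;`, so the unlock-and-drop behaviour is unchanged in production builds. Keep as is.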
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index dd62cc12e775..68169007aea2 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -95,7 +95,8 @@ void *nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
struct nf_ct_ext *new;
/* Conntrack must not be confirmed to avoid races on reallocation. */
- WARN_ON(nf_ct_is_confirmed(ct));
+ if (unlikely(nf_ct_is_confirmed(ct)))
+ DEBUG_NET_WARN_ON_ONCE(1);
/* struct nf_ct_ext uses u8 to store offsets/size */
BUILD_BUG_ON(total_extension_size() > 255u);
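Review bot: the new `if (unlikely(nf_ct_is_confirmed(ct)))` has no action in its body, so with CONFIG_DEBUG_NET=n the compiler drops the whole check and nf_ct_ext_add() goes on to reallocate the extension area of a confirmed conntrack, the exact race the comment above warns about. Make the branch terminal, e.g. `return NULL;` after the DEBUG_NET_WARN_ON_ONCE(1), which every caller already has to handle as the allocation-failure case, or drop the check altogether rather than leave an empty if in place.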
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 17e971bd4c74..0a0e41dd4c95 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -198,8 +198,10 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
if (test_bit(IPS_HELPER_BIT, &ct->status))
return 0;
- if (WARN_ON_ONCE(!tmpl))
+ if (unlikely(!tmpl)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return 0;
+ }
help = nfct_help(tmpl);
if (help != NULL) {
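Review bot: correct conversion, `return 0;` is a terminal action and the `if (WARN_ON_ONCE(!tmpl))` form had to go because the debug macro yields no value. A NULL tmpl here means a caller skipped its own template check; returning 0 (success) now hides that silently in production, so if any caller outside netfilter passes its own template, consider whether it should see an error instead. If 0 is intentional, one line in the commit message would settle it.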
diff --git a/net/netfilter/nf_conntrack_ovs.c b/net/netfilter/nf_conntrack_ovs.c
index a6988eeb1579..26f12dd0c1a4 100644
--- a/net/netfilter/nf_conntrack_ovs.c
+++ b/net/netfilter/nf_conntrack_ovs.c
@@ -53,7 +53,7 @@ int nf_ct_helper(struct sk_buff *skb, struct nf_conn *ct,
break;
}
default:
- WARN_ONCE(1, "helper invoked on non-IP family!");
+ DEBUG_NET_WARN_ONCE(1, "helper invoked on non-IP family!");
return NF_DROP;
}
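Review bot: fine, the `return NF_DROP;` is explicit. Two nits: the patch subject and commit message say DEBUG_NET_WARN_ON_ONCE, but this hunk (and the seqadj one) use the DEBUG_NET_WARN_ONCE(cond, fmt) variant, which deserves a mention; and the format string has no trailing "\n", unlike the seqadj message, so add one for consistency.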
diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
index 32148a3a8509..0f39cb147c4f 100644
--- a/net/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/netfilter/nf_conntrack_proto_icmp.c
@@ -117,7 +117,8 @@ int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb,
enum ip_conntrack_dir dir;
struct nf_conn *ct;
- WARN_ON(skb_nfct(skb));
+ if (unlikely(skb_nfct(skb)))
+ DEBUG_NET_WARN_ON_ONCE(1);
zone = nf_ct_zone_tmpl(tmpl, skb, &tmp);
/* Are they talking about one of our connections? */
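Review bot: another assertion with no fallback: the body of the new if is just the debug macro, so with CONFIG_DEBUG_NET=n nothing remains and the function continues with a non-NULL skb nfct exactly as before. Either give the branch a terminal action (the function returns an int verdict, so a drop is available) or remove the check entirely; an `if (unlikely(...))` guarding only a debug-only statement is dead code in production and will raise questions from every future reader.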
diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index 7ab2b25b57bc..2bf49f0b9406 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -38,7 +38,7 @@ int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
return 0;
if (unlikely(!seqadj)) {
- WARN_ONCE(1, "Missing nfct_seqadj_ext_add() setup call\n");
+ DEBUG_NET_WARN_ONCE(1, "Missing nfct_seqadj_ext_add() setup call\n");
return 0;
}
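Review bot: the conversion itself is right (terminal `return 0;`, message kept in the debug-only DEBUG_NET_WARN_ONCE form). Check that the hunk still applies to current nf-next before resending: a later reply in this thread says this WARN_ONCE has already been removed there, in which case the whole hunk should be dropped.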
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index e69941f1a101..7e9237c810a0 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -599,7 +599,10 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
type, in_header, matchoff, matchlen);
- WARN_ON(ret < 0);
+ if (unlikely(ret < 0)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
+ return -1;
+ }
if (ret == 0)
return ret;
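Review bot: this hunk changes behaviour rather than only the warning: the old code warned and fell through to `if (ret == 0)`, the new code returns -1 early, and the commit message does not mention the new early return. The check immediately below (`if (ret == 0) return ret;`) suggests callers distinguish only zero and positive counts, so a new negative value needs every caller of ct_sip_parse_header_uri() audited. If ct_sip_walk_headers() cannot actually return a negative value, remove the check instead of converting it.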
--
2.54.0
* [PATCH 5/9 nf-next] netfilter: nat: use DEBUG_NET_WARN_ON_ONCE in core and helper paths
From: Fernando Fernandez Mancera @ 2026-06-01 19:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo, Fernando Fernandez Mancera
Replace WARN_ON and WARN_ON_ONCE with DEBUG_NET_WARN_ON_ONCE across core
NAT setup functions, masquerade, redirect, and helpers. This prevents
unnecessary system panics when panic_on_warn=1 is enabled in production
systems.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
net/ipv4/netfilter/nf_nat_pptp.c | 16 +++++++++----
net/netfilter/nf_nat_core.c | 39 +++++++++++++++++++++----------
net/netfilter/nf_nat_masquerade.c | 6 +++--
net/netfilter/nf_nat_proto.c | 14 +++++++----
net/netfilter/nf_nat_redirect.c | 5 ++--
5 files changed, 55 insertions(+), 25 deletions(-)
diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c
index fab357cc8559..f4f7cf0a5aba 100644
--- a/net/ipv4/netfilter/nf_nat_pptp.c
+++ b/net/ipv4/netfilter/nf_nat_pptp.c
@@ -53,8 +53,10 @@ static void pptp_nat_expected(struct nf_conn *ct,
struct nf_conn_nat *nat;
nat = nf_ct_nat_ext_add(ct);
- if (WARN_ON_ONCE(!nat))
+ if (unlikely(!nat)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return;
+ }
nat_pptp_info = &nat->help.nat_pptp_info;
ct_pptp_info = nfct_help_data(master);
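Review bot: nf_ct_nat_ext_add() returning NULL is an atomic allocation failure, not an invariant violation, so even a debug-only warning is noise under memory pressure; a plain `if (!nat) return;` would be more honest here. Otherwise the terminal `return;` makes the conversion safe.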
@@ -132,8 +134,10 @@ pptp_outbound_pkt(struct sk_buff *skb,
__be16 new_callid;
unsigned int cid_off;
- if (WARN_ON_ONCE(!nat))
+ if (unlikely(!nat)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return NF_DROP;
+ }
nat_pptp_info = &nat->help.nat_pptp_info;
ct_pptp_info = nfct_help_data(ct);
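Review bot: fine, `return NF_DROP;` is terminal and the helper cannot rewrite the call id without the NAT extension. Keep the same idiom in the three sibling hunks of this file.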
@@ -204,8 +208,10 @@ pptp_exp_gre(struct nf_conntrack_expect *expect_orig,
struct nf_ct_pptp_master *ct_pptp_info;
struct nf_nat_pptp *nat_pptp_info;
- if (WARN_ON_ONCE(!nat))
+ if (unlikely(!nat)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return;
+ }
nat_pptp_info = &nat->help.nat_pptp_info;
ct_pptp_info = nfct_help_data(ct);
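Review bot: the silent `return;` leaves the GRE expectation untranslated rather than failing it, which is the pre-existing behaviour, so no regression; but since this branch is now invisible in production builds it is worth a one-line comment at the return saying the expectation is intentionally left as-is.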
@@ -241,8 +247,10 @@ pptp_inbound_pkt(struct sk_buff *skb,
__be16 new_pcid;
unsigned int pcid_off;
- if (WARN_ON_ONCE(!nat))
+ if (unlikely(!nat)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return NF_DROP;
+ }
nat_pptp_info = &nat->help.nat_pptp_info;
new_pcid = nat_pptp_info->pns_call_id;
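Review bot: same shape as pptp_outbound_pkt(), terminal `return NF_DROP;` before the NAT data is dereferenced; correct.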
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 74ec224ce0d6..99ff65e89952 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -366,8 +366,10 @@ nf_nat_used_tuple_harder(const struct nf_conntrack_tuple *tuple,
if (thash->tuple.dst.dir == IP_CT_DIR_ORIGINAL)
goto out;
- if (WARN_ON_ONCE(ct == ignored_conntrack))
+ if (unlikely(ct == ignored_conntrack)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
goto out;
+ }
flags = READ_ONCE(ct->status);
if (!nf_nat_may_kill(ct, flags))
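Review bot: `goto out` is a terminal action, so the conversion preserves the "skip this candidate" fallback. This function sits on the port-selection path for new NAT mappings, so `unlikely()` is justified here, unlike in the registration functions later in this patch.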
@@ -773,11 +775,13 @@ nf_nat_setup_info(struct nf_conn *ct,
if (nf_ct_is_confirmed(ct))
return NF_ACCEPT;
- WARN_ON(maniptype != NF_NAT_MANIP_SRC &&
- maniptype != NF_NAT_MANIP_DST);
+ if (unlikely(maniptype != NF_NAT_MANIP_SRC && maniptype != NF_NAT_MANIP_DST))
+ DEBUG_NET_WARN_ON_ONCE(1);
- if (WARN_ON(nf_nat_initialized(ct, maniptype)))
+ if (unlikely(nf_nat_initialized(ct, maniptype))) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return NF_DROP;
+ }
/* What we've got will look like inverse of reply. Normally
* this is what is in the conntrack, except for prior
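Review bot: the first check is left without a fallback: after DEBUG_NET_WARN_ON_ONCE(1) on a bad maniptype the code carries on and passes that same maniptype to `nf_nat_initialized(ct, maniptype)` on the very next line and to everything below. Make it terminal (`return NF_DROP;`, mirroring the second check) or drop it. Also, the new condition line exceeds 80 columns; wrap it the way the nf_nat_redirect.c hunk does.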
@@ -955,8 +959,8 @@ nf_nat_inet_fn(void *priv, struct sk_buff *skb,
break;
default:
/* ESTABLISHED */
- WARN_ON(ctinfo != IP_CT_ESTABLISHED &&
- ctinfo != IP_CT_ESTABLISHED_REPLY);
+ if (unlikely(ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY))
+ DEBUG_NET_WARN_ON_ONCE(1);
if (nf_nat_oif_changed(state->hook, ctinfo, nat, state->out))
goto oif_changed;
}
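Review bot: same pattern, an `if (unlikely(...))` whose only body is the debug macro, so in production it compiles away and the ESTABLISHED assumption goes unverified before nf_nat_oif_changed(). Either remove the check or give it an action; an empty-bodied branch in the NAT hook path is the worst of both. The condition line is also over 80 columns.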
@@ -1143,8 +1147,10 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct,
/* Should not happen, restricted to creating new conntracks
* via ctnetlink.
*/
- if (WARN_ON_ONCE(nf_nat_initialized(ct, manip)))
+ if (unlikely(nf_nat_initialized(ct, manip))) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EEXIST;
+ }
/* No NAT information has been passed, allocate the null-binding */
if (attr == NULL)
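Review bot: control-plane path reached from ctnetlink with `return -EEXIST;`, so the error still propagates to userspace; fine. The comment above already says this should not happen, so a debug-only warning is the right level.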
@@ -1181,8 +1187,10 @@ int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
struct nf_hook_ops *nat_ops;
int i, ret;
- if (WARN_ON_ONCE(pf >= ARRAY_SIZE(nat_net->nat_proto_net)))
+ if (unlikely(pf >= ARRAY_SIZE(nat_net->nat_proto_net))) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EINVAL;
+ }
nat_proto_net = &nat_net->nat_proto_net[pf];
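Review bot: terminal `return -EINVAL;` keeps the bounds check effective in all builds, which matters because `pf` indexes `nat_net->nat_proto_net[]` on the next line. `unlikely()` on a hook-registration path is harmless but pointless; consider leaving it out here and in the other registration/unregistration hunks for readability.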
@@ -1193,8 +1201,10 @@ int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
}
}
- if (WARN_ON_ONCE(i == ops_count))
+ if (unlikely(i == ops_count)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EINVAL;
+ }
mutex_lock(&nf_nat_proto_mutex);
if (!nat_proto_net->nat_hook_ops) {
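Review bot: fine; the `return -EINVAL;` happens before nf_nat_proto_mutex is taken, so no lock imbalance is introduced.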
@@ -1235,7 +1245,8 @@ int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
nat_ops = nat_proto_net->nat_hook_ops;
priv = nat_ops[hooknum].priv;
- if (WARN_ON_ONCE(!priv)) {
+ if (unlikely(!priv)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
mutex_unlock(&nf_nat_proto_mutex);
return -EOPNOTSUPP;
}
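Review bot: fine; mutex_unlock() stays inside the branch ahead of `return -EOPNOTSUPP;`, so the restructuring does not change the unlock order.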
@@ -1264,8 +1275,10 @@ void nf_nat_unregister_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
nat_proto_net = &nat_net->nat_proto_net[pf];
mutex_lock(&nf_nat_proto_mutex);
- if (WARN_ON(nat_proto_net->users == 0))
+ if (unlikely(nat_proto_net->users == 0)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
goto unlock;
+ }
nat_proto_net->users--;
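Review bot: `goto unlock` is terminal and the users counter is not decremented on the error path, as before. Correct.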
@@ -1276,8 +1289,10 @@ void nf_nat_unregister_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
break;
}
}
- if (WARN_ON_ONCE(i == ops_count))
+ if (unlikely(i == ops_count)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
goto unlock;
+ }
priv = nat_ops[hooknum].priv;
nf_hook_entries_delete_raw(&priv->entries, ops);
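Review bot: fine, `goto unlock` precedes nf_hook_entries_delete_raw(), so nothing is deleted when the ops were not found.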
diff --git a/net/netfilter/nf_nat_masquerade.c b/net/netfilter/nf_nat_masquerade.c
index 4de6e0a51701..660961ca4e31 100644
--- a/net/netfilter/nf_nat_masquerade.c
+++ b/net/netfilter/nf_nat_masquerade.c
@@ -36,7 +36,8 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
const struct rtable *rt;
__be32 newsrc, nh;
- WARN_ON(hooknum != NF_INET_POST_ROUTING);
+ if (unlikely(hooknum != NF_INET_POST_ROUTING))
+ DEBUG_NET_WARN_ON_ONCE(1);
ct = nf_ct_get(skb, &ctinfo);
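Review bot: no fallback after the warning: the function continues into `ct = nf_ct_get(skb, &ctinfo);` and masquerades from a hook it was not written for. Since nf_nat_masquerade_ipv4() returns a verdict, `return NF_DROP;` inside the branch is the natural terminal action; otherwise remove the check rather than keep an if whose body vanishes in production builds.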
@@ -297,7 +298,8 @@ int nf_nat_masquerade_inet_register_notifiers(void)
int ret = 0;
mutex_lock(&masq_mutex);
- if (WARN_ON_ONCE(masq_refcnt == UINT_MAX)) {
+ if (masq_refcnt == UINT_MAX) {
+ DEBUG_NET_WARN_ON_ONCE(1);
ret = -EOVERFLOW;
goto out_unlock;
}
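Review bot: fine, `-EOVERFLOW` is returned under the mutex as before. Minor inconsistency: this hunk and the nf_nat_inet_register_fn() one omit `unlikely()` while every other converted condition in the series uses it; pick one style.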
diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
index 07f51fe75fbe..21a525b2490f 100644
--- a/net/netfilter/nf_nat_proto.c
+++ b/net/netfilter/nf_nat_proto.c
@@ -373,7 +373,7 @@ unsigned int nf_nat_manip_pkt(struct sk_buff *skb, struct nf_conn *ct,
return NF_ACCEPT;
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
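Review bot: the default branch only breaks, so the outcome depends on what follows the switch, which is outside the hunk. Please confirm the function ends in a drop; otherwise a packet with an unknown l3 family would pass unmodified once the warning is silent in production.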
@@ -491,7 +491,7 @@ void nf_nat_csum_recalc(struct sk_buff *skb,
#endif
}
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
}
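Review bot: this is a warning at the tail of a void function, so there is nothing to make terminal; the packet proceeds with its checksum untouched in every build. Acceptable only if the l3 family is already validated by all callers, which the commit message should state.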
int nf_nat_icmp_reply_translation(struct sk_buff *skb,
@@ -509,7 +509,8 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
struct nf_conntrack_tuple target;
unsigned long statusbit;
- WARN_ON(ctinfo != IP_CT_RELATED && ctinfo != IP_CT_RELATED_REPLY);
+ if (unlikely(ctinfo != IP_CT_RELATED && ctinfo != IP_CT_RELATED_REPLY))
+ DEBUG_NET_WARN_ON_ONCE(1);
if (skb_ensure_writable(skb, hdrlen + sizeof(*inside)))
return 0;
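Review bot: assertion-only branch again: the new if has no action, so with CONFIG_DEBUG_NET=n the ctinfo check disappears and the function continues into skb_ensure_writable() regardless. Either `return 0;` (the function's existing failure value two lines below) or drop the check; and wrap the condition, it exceeds 80 columns.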
@@ -823,7 +824,8 @@ int nf_nat_icmpv6_reply_translation(struct sk_buff *skb,
struct nf_conntrack_tuple target;
unsigned long statusbit;
- WARN_ON(ctinfo != IP_CT_RELATED && ctinfo != IP_CT_RELATED_REPLY);
+ if (unlikely(ctinfo != IP_CT_RELATED && ctinfo != IP_CT_RELATED_REPLY))
+ DEBUG_NET_WARN_ON_ONCE(1);
if (skb_ensure_writable(skb, hdrlen + sizeof(*inside)))
return 0;
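Review bot: identical situation to the IPv4 variant above, an empty-bodied if in production. Apply the same fix here, `return 0;` after the warning or removal, so the two functions stay in step.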
@@ -1074,8 +1076,10 @@ int nf_nat_inet_register_fn(struct net *net, const struct nf_hook_ops *ops)
{
int ret;
- if (WARN_ON_ONCE(ops->pf != NFPROTO_INET))
+ if (ops->pf != NFPROTO_INET) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return -EINVAL;
+ }
ret = nf_nat_register_fn(net, NFPROTO_IPV6, ops, nf_nat_ipv6_ops,
ARRAY_SIZE(nf_nat_ipv6_ops));
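Review bot: fine; `return -EINVAL;` is terminal and the check runs before either nf_nat_register_fn() call, so nothing is left half-registered on the error path.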
diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c
index 5b37487d9d11..138a805a36af 100644
--- a/net/netfilter/nf_nat_redirect.c
+++ b/net/netfilter/nf_nat_redirect.c
@@ -52,8 +52,9 @@ nf_nat_redirect_ipv4(struct sk_buff *skb, const struct nf_nat_range2 *range,
{
union nf_inet_addr newdst = {};
- WARN_ON(hooknum != NF_INET_PRE_ROUTING &&
- hooknum != NF_INET_LOCAL_OUT);
+ if (unlikely(hooknum != NF_INET_PRE_ROUTING &&
+ hooknum != NF_INET_LOCAL_OUT))
+ DEBUG_NET_WARN_ON_ONCE(1);
/* Local packets: make them go to loopback */
if (hooknum == NF_INET_LOCAL_OUT) {
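Review bot: wrapped correctly, but again there is no action after the warning; with CONFIG_DEBUG_NET=n an unexpected hook simply takes the non-LOCAL_OUT path below. That may be acceptable since the only hooknum-dependent decision visible here is `if (hooknum == NF_INET_LOCAL_OUT)`, but then the check should be removed, not kept as a debug-only empty branch.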
--
2.54.0
* [PATCH 6/9 nf-next] netfilter: tproxy: use DEBUG_NET_WARN_ON_ONCE for protocol fallbacks
From: Fernando Fernandez Mancera @ 2026-06-01 19:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo, Fernando Fernandez Mancera
Replace WARN_ON calls with DEBUG_NET_WARN_ON_ONCE in the default switch
blocks of nf_tproxy_get_sock_v4 and v6. Unsupported transport protocols
are already safely handled by returning a NULL socket pointer. This
prevents unnecessary system panics when panic_on_warn=1 is enabled in
production systems.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
net/ipv4/netfilter/nf_tproxy_ipv4.c | 2 +-
net/ipv6/netfilter/nf_tproxy_ipv6.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/nf_tproxy_ipv4.c b/net/ipv4/netfilter/nf_tproxy_ipv4.c
index 041c3f37f237..5eab7a2dc8ef 100644
--- a/net/ipv4/netfilter/nf_tproxy_ipv4.c
+++ b/net/ipv4/netfilter/nf_tproxy_ipv4.c
@@ -137,7 +137,7 @@ nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
}
break;
default:
- WARN_ON(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
sk = NULL;
}
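Review bot: fine, `sk = NULL;` is the fallback and callers already handle a NULL socket. WARN_ON() becoming a once-only debug warning is the right rate limit for a default branch keyed on a protocol number. Nothing to change.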
diff --git a/net/ipv6/netfilter/nf_tproxy_ipv6.c b/net/ipv6/netfilter/nf_tproxy_ipv6.c
index b2f59ed9d7cc..12ec36a6be2e 100644
--- a/net/ipv6/netfilter/nf_tproxy_ipv6.c
+++ b/net/ipv6/netfilter/nf_tproxy_ipv6.c
@@ -136,7 +136,7 @@ nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
}
break;
default:
- WARN_ON(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
sk = NULL;
}
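Review bot: same as the IPv4 variant, explicit `sk = NULL;` fallback; keep.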
--
2.54.0
* [PATCH 7/9 nf-next] netfilter: bpf: use DEBUG_NET_WARN_ON_ONCE for missing BTF structures
From: Fernando Fernandez Mancera @ 2026-06-01 19:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo, Fernando Fernandez Mancera
Replace WARN_ON_ONCE with DEBUG_NET_WARN_ON_ONCE in nf_ptr_to_btf_id.
The function already returns false when a structure lookup fails, which
causes the BPF verifier to reject the program load and report the error
cleanly to userspace. This prevents unnecessary system panics when
panic_on_warn=1 is enabled in production systems.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
net/netfilter/nf_bpf_link.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index c20031891b86..7a1cd767f236 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -280,8 +280,10 @@ static bool nf_ptr_to_btf_id(struct bpf_insn_access_aux *info, const char *name)
return false;
type_id = btf_find_by_name_kind(btf, name, BTF_KIND_STRUCT);
- if (WARN_ON_ONCE(type_id < 0))
+ if (unlikely(type_id < 0)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
return false;
+ }
info->btf = btf;
info->btf_id = type_id;
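Review bot: correct, `return false;` is terminal and makes the verifier reject the program. A negative id from btf_find_by_name_kind() means the structure is missing from the kernel's BTF, a build/config problem rather than something program input can trigger, so a debug-only warning is appropriate. `unlikely()` adds nothing on a verifier path but is harmless.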
--
2.54.0
* [PATCH 8/9 nf-next] netfilter: flowtable: use DEBUG_NET_WARN_ON_ONCE in offload path
From: Fernando Fernandez Mancera @ 2026-06-01 19:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo, Fernando Fernandez Mancera
Replace WARN_ON and WARN_ON_ONCE with DEBUG_NET_WARN_ON_ONCE in the
flowtable core, IP hook, and offload paths. Errors are handled properly
in the packet path, and in the control plane meaningful errors are
returned to the user. This prevents unnecessary system panics when panic_on_warn=1
is enabled in production systems.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
net/netfilter/nf_flow_table_core.c | 4 ++--
net/netfilter/nf_flow_table_ip.c | 4 ++--
net/netfilter/nf_flow_table_offload.c | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 785d8c244a77..6f1a730e3450 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -141,7 +141,7 @@ static int flow_offload_fill_route(struct flow_offload *flow,
flow_tuple->dst_cookie = flow_offload_dst_cookie(flow_tuple);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
flow_tuple->xmit_type = route->tuple[dir].xmit_type;
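Review bot: the default branch leaves the tuple only partially filled and the function continues (`flow_tuple->xmit_type = ...` follows immediately). Since flow_offload_fill_route() returns int, returning an error here would be the natural terminal action; otherwise the commit message should state that the xmit_type is validated by every caller.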
@@ -534,7 +534,7 @@ static void nf_flow_table_extend_ct_timeout(struct nf_conn *ct)
new_timeout = nf_flow_table_tcp_timeout(ct);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
break;
}
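Review bot: the default branch only breaks, so confirm `new_timeout` has a defined value on this path before it is applied after the switch (not in the hunk); a debug-only warning must not be the only thing standing between an uninitialised timeout and the conntrack.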
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 9c05a50d6013..abff543d7e4d 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -906,7 +906,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
xmit.source = tuplehash->tuple.out.h_source;
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
return NF_DROP;
}
xmit.tuple = other_tuple;
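Review bot: fine, explicit `return NF_DROP;` before `xmit` is used; keep.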
@@ -1227,7 +1227,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
xmit.source = tuplehash->tuple.out.h_source;
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
return NF_DROP;
}
xmit.tuple = other_tuple;
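Review bot: same as the IPv4 hook, terminal drop; keep.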
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 002ec15d988b..092d428f9170 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -1055,7 +1055,7 @@ static void flow_offload_work_handler(struct work_struct *work)
NF_FLOW_TABLE_STAT_DEC_ATOMIC(net, count_wq_stats);
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
}
clear_bit(NF_FLOW_HW_PENDING, &offload->flow->flags);
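Review bot: fine: the default branch falls out of the switch and the pending bit is still cleared, so an unknown command cannot leave the flow stuck with NF_FLOW_HW_PENDING set.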
@@ -1180,7 +1180,7 @@ static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
}
break;
default:
- WARN_ON_ONCE(1);
+ DEBUG_NET_WARN_ON_ONCE(1);
err = -EOPNOTSUPP;
}
up_write(&flowtable->flow_block_lock);
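Review bot: fine, `err = -EOPNOTSUPP;` is set and the lock is released after the switch as before.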
--
2.54.0
* [PATCH 9/9 nf-next] netfilter: conncount: use DEBUG_NET_WARN_ON_ONCE on reaching count limit
From: Fernando Fernandez Mancera @ 2026-06-01 19:30 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo, Fernando Fernandez Mancera
Replace WARN_ON_ONCE with DEBUG_NET_WARN_ON_ONCE in __nf_conncount_add.
The function handles count limit breaches safely by returning
-EOVERFLOW, so a production backtrace is not needed. This prevents
unnecessary system panics when panic_on_warn=1 is enabled in production
systems.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
net/netfilter/nf_conncount.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index ab28b47395bd..7d970a87234c 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -246,7 +246,8 @@ static int __nf_conncount_add(struct net *net,
list->last_gc_count = list->count;
add_new_node:
- if (WARN_ON_ONCE(list->count > INT_MAX)) {
+ if (unlikely(list->count > INT_MAX)) {
+ DEBUG_NET_WARN_ON_ONCE(1);
err = -EOVERFLOW;
goto out_put;
}
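Review bot: correct, `-EOVERFLOW` is returned and the reference is released via `goto out_put`. One wording point: this guards the per-list counter against integer overflow (`list->count > INT_MAX`), not the user-configured connection limit the patch subject and commit message describe as "reaching count limit"; retitle to avoid confusion.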
--
2.54.0
* Re: [PATCH 0/9 nf-next] netfilter: replace raw warnings with
From: Fernando Fernandez Mancera @ 2026-06-01 19:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: coreteam, phil, fw, pablo
On 6/1/26 9:30 PM, Fernando Fernandez Mancera wrote:
> This patch series replaces raw WARN_ON and WARN_ON_ONCE macros with
> DEBUG_NET_WARN_ON_ONCE across various netfilter subsystems.
>
> Currently, several internal invariant checks use standard warnings on
> packet processing paths or control-plane loops. If triggered, these can
> trigger full system panics when panic_on_warn=1 is enabled. In most of
> these cases, the condition is already handled gracefully by dropping the
> packet, applying a defensive fallback, or returning a proper error code
> to userspace via netlink.
>
> By migrating to DEBUG_NET_WARN_ON_ONCE, we preserve full stack trace
> diagnostic capability for developers running kernels compiled with
> CONFIG_DEBUG_NET=y, while protecting production environments from system
> panics.
>
And of course, the title is not formatted properly for the cover letter.
It should be:
"netfilter: replace raw warnings with network debug macros"
*sigh*
Thanks,
Fernando.
* Re: [PATCH 4/9 nf-next] netfilter: conntrack: use DEBUG_NET_WARN_ON_ONCE on packet paths
From: Pablo Neira Ayuso @ 2026-06-18 17:11 UTC (permalink / raw)
To: Fernando Fernandez Mancera; +Cc: netfilter-devel, coreteam, phil, fw
Hi Fernando,
I'm making a bit more in-depth review of this specific patch.
I think, in general about this series, it would be good to avoid
things like:
DEBUG_NET_WARN_ON_ONCE(blah);
func(blah->info, ...);
but it might not be trivial in all cases, sometimes it is simply
better to remove in that case.
The patch in this series for nf_tables (already upstream) always
follows the idiom:
if (cond) {
DEBUG_NET_WARN_ON_ONCE(1);
terminal statement (i.e. return, break...)
}
I will try to provide you with hints on what to do in other patches in
this series to speed up inclusion.
Now comments on this specific patch, see below.
On Mon, Jun 01, 2026 at 09:30:44PM +0200, Fernando Fernandez Mancera wrote:
> Replace WARN_ON and WARN_ON_ONCE with DEBUG_NET_WARN_ON_ONCE inside
> conntrack confirmation, extension management, helper assignment, and
> protocol parsing loops. This prevents unnecessary system panics when
> panic_on_warn=1 is enabled in production systems.
>
> Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
> ---
> net/netfilter/nf_conntrack_core.c | 2 +-
> net/netfilter/nf_conntrack_extend.c | 3 ++-
> net/netfilter/nf_conntrack_helper.c | 4 +++-
> net/netfilter/nf_conntrack_ovs.c | 2 +-
> net/netfilter/nf_conntrack_proto_icmp.c | 3 ++-
> net/netfilter/nf_conntrack_seqadj.c | 2 +-
> net/netfilter/nf_conntrack_sip.c | 5 ++++-
> 7 files changed, 14 insertions(+), 7 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index 8ba5b22a1eef..51e2d8ebe756 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -1244,7 +1244,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
> * unconfirmed conntrack.
> */
> if (unlikely(nf_ct_is_confirmed(ct))) {
> - WARN_ON_ONCE(1);
> + DEBUG_NET_WARN_ON_ONCE(1);
> nf_conntrack_double_unlock(hash, reply_hash);
> local_bh_enable();
> return NF_DROP;
OK, explicit drop, fine. Keep it.
> diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
> index dd62cc12e775..68169007aea2 100644
> --- a/net/netfilter/nf_conntrack_extend.c
> +++ b/net/netfilter/nf_conntrack_extend.c
> @@ -95,7 +95,8 @@ void *nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
> struct nf_ct_ext *new;
>
> /* Conntrack must not be confirmed to avoid races on reallocation. */
> - WARN_ON(nf_ct_is_confirmed(ct));
> + if (unlikely(nf_ct_is_confirmed(ct)))
> + DEBUG_NET_WARN_ON_ONCE(1);
Keep it, but return NULL here. It provides good context: extensions can
only be added to an unconfirmed conntrack.
> /* struct nf_ct_ext uses u8 to store offsets/size */
> BUILD_BUG_ON(total_extension_size() > 255u);
> diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
> index 17e971bd4c74..0a0e41dd4c95 100644
> --- a/net/netfilter/nf_conntrack_helper.c
> +++ b/net/netfilter/nf_conntrack_helper.c
> @@ -198,8 +198,10 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
> if (test_bit(IPS_HELPER_BIT, &ct->status))
> return 0;
>
> - if (WARN_ON_ONCE(!tmpl))
> + if (unlikely(!tmpl)) {
> + DEBUG_NET_WARN_ON_ONCE(1);
> return 0;
> + }
Useless for netfilter:
if (!exp && tmpl)
__nf_ct_try_assign_helper(ct, tmpl, GFP_ATOMIC);
_BUT_ it can catch bugs in other existing users, eg. net/sched/act_ct.c
if (!nf_ct_is_confirmed(ct) && commit && p->helper && !nfct_help(ct)) {
err = __nf_ct_try_assign_helper(ct, p->tmpl, GFP_ATOMIC);
keep it.
it is also fine that there is a branch and return (to skip it).
> help = nfct_help(tmpl);
> if (help != NULL) {
> diff --git a/net/netfilter/nf_conntrack_ovs.c b/net/netfilter/nf_conntrack_ovs.c
> index a6988eeb1579..26f12dd0c1a4 100644
> --- a/net/netfilter/nf_conntrack_ovs.c
> +++ b/net/netfilter/nf_conntrack_ovs.c
> @@ -53,7 +53,7 @@ int nf_ct_helper(struct sk_buff *skb, struct nf_conn *ct,
> break;
> }
> default:
> - WARN_ONCE(1, "helper invoked on non-IP family!");
> + DEBUG_NET_WARN_ONCE(1, "helper invoked on non-IP family!");
> return NF_DROP;
OK, this is in a branch with an explicit action (drop packet), LGTM.
> }
>
> diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
> index 32148a3a8509..0f39cb147c4f 100644
> --- a/net/netfilter/nf_conntrack_proto_icmp.c
> +++ b/net/netfilter/nf_conntrack_proto_icmp.c
> @@ -117,7 +117,8 @@ int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb,
> enum ip_conntrack_dir dir;
> struct nf_conn *ct;
>
> - WARN_ON(skb_nfct(skb));
> + if (unlikely(skb_nfct(skb)))
> + DEBUG_NET_WARN_ON_ONCE(1);
nf_conntrack_in
[ reset skb->nfct ]
nf_conntrack_handle_icmp
nf_conntrack_icmpv4_error
nf_conntrack_inet_error
There is nf_conntrack_inet_error() which performs the ct lookup.
There is resolve_normal_ct() too, but these two are coming later.
[ ... snippet that resets skb->nfct ... ]
unsigned int
nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
{
enum ip_conntrack_info ctinfo;
struct nf_conn *ct, *tmpl;
u_int8_t protonum;
int dataoff, ret;
tmpl = nf_ct_get(skb, &ctinfo);
if (tmpl || ctinfo == IP_CT_UNTRACKED) {
/* Previously seen (loopback or untracked)? Ignore. */
if ((tmpl && !nf_ct_is_template(tmpl)) ||
ctinfo == IP_CT_UNTRACKED)
return NF_ACCEPT;
skb->_nfct = 0; <--------- this is reset here.
}
[ end of snippet ]
I don't remember having seen this WARN_ON, so remove it.
> zone = nf_ct_zone_tmpl(tmpl, skb, &tmp);
>
> /* Are they talking about one of our connections? */
> diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
> index 7ab2b25b57bc..2bf49f0b9406 100644
> --- a/net/netfilter/nf_conntrack_seqadj.c
> +++ b/net/netfilter/nf_conntrack_seqadj.c
> @@ -38,7 +38,7 @@ int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
> return 0;
>
> if (unlikely(!seqadj)) {
> - WARN_ONCE(1, "Missing nfct_seqadj_ext_add() setup call\n");
> + DEBUG_NET_WARN_ONCE(1, "Missing nfct_seqadj_ext_add() setup call\n");
This WARN_ONCE is now gone in the nf.git/nf-next.git.
> return 0;
> }
>
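Review bot: per the comment above, the WARN_ONCE that this hunk rewrites is already gone from nf.git/nf-next.git, so the hunk will fail to apply on rebase; drop it from the series rather than carrying a change against a context line that no longer exists.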
> diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
> index e69941f1a101..7e9237c810a0 100644
> --- a/net/netfilter/nf_conntrack_sip.c
> +++ b/net/netfilter/nf_conntrack_sip.c
> @@ -599,7 +599,10 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
>
> ret = ct_sip_walk_headers(ct, dptr, dataoff ? *dataoff : 0, datalen,
> type, in_header, matchoff, matchlen);
> - WARN_ON(ret < 0);
> + if (unlikely(ret < 0)) {
> + DEBUG_NET_WARN_ON_ONCE(1);
> + return -1;
> + }
ct_sip_walk_headers() can never return < 0. This WARN_ON can be
removed.
> if (ret == 0)
> return ret;
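Review bot: the added `return -1;` introduces an error path that ct_sip_parse_header_uri() did not have before: with the old `WARN_ON(ret < 0);` a negative ret fell through past `if (ret == 0)` and execution continued, so callers never received -1 from here. Since ct_sip_walk_headers() cannot return a negative value, the guard is dead code; prefer deleting the WARN_ON outright over adding an unreachable return, and if a guard is still wanted, the commit message should say which callers handle the new -1.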
Thanks.
* Re: [PATCH 4/9 nf-next] netfilter: conntrack: use DEBUG_NET_WARN_ON_ONCE on packet paths
2026-06-18 17:11 ` Pablo Neira Ayuso
@ 2026-06-18 17:32 ` Florian Westphal
2026-06-18 18:15 ` Pablo Neira Ayuso
0 siblings, 1 reply; 14+ messages in thread
From: Florian Westphal @ 2026-06-18 17:32 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Fernando Fernandez Mancera, netfilter-devel, coreteam, phil
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
> > index 32148a3a8509..0f39cb147c4f 100644
> > --- a/net/netfilter/nf_conntrack_proto_icmp.c
> > +++ b/net/netfilter/nf_conntrack_proto_icmp.c
> > @@ -117,7 +117,8 @@ int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb,
> > enum ip_conntrack_dir dir;
> > struct nf_conn *ct;
> >
> > - WARN_ON(skb_nfct(skb));
> > + if (unlikely(skb_nfct(skb)))
> > + DEBUG_NET_WARN_ON_ONCE(1);
Should be
DEBUG_NET_WARN_ON_ONCE(skb_nfct(skb));
?
> nf_conntrack_in
> [ reset skb->nfct ]
> nf_conntrack_handle_icmp
> nf_conntrack_icmpv4_error
> nf_conntrack_inet_error
>
> There is nf_conntrack_inet_error() which performs the ct lookup.
> There is resolve_normal_ct() too, but these two are coming later.
>
> [ ... snippet that resets skb->nfct ... ]
> unsigned int
> nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
> {
> enum ip_conntrack_info ctinfo;
> struct nf_conn *ct, *tmpl;
> u_int8_t protonum;
> int dataoff, ret;
>
> tmpl = nf_ct_get(skb, &ctinfo);
> if (tmpl || ctinfo == IP_CT_UNTRACKED) {
> /* Previously seen (loopback or untracked)? Ignore. */
> if ((tmpl && !nf_ct_is_template(tmpl)) ||
> ctinfo == IP_CT_UNTRACKED)
> return NF_ACCEPT;
> skb->_nfct = 0; <--------- this is reset here.
> }
> [ end of snippet ]
>
> I don't remember having seen this WARN_ON, so remove it.
I would keep the DEBUG_NET_WARN_ON_ONCE(), else this gives a
refcount leak.
Or, move it closer to the end:
191 /* Update skb to refer to this connection */
HERE.
192 nf_ct_set(skb, ct, ctinfo);
193 return NF_ACCEPT;
194 }
* Re: [PATCH 4/9 nf-next] netfilter: conntrack: use DEBUG_NET_WARN_ON_ONCE on packet paths
2026-06-18 17:32 ` Florian Westphal
@ 2026-06-18 18:15 ` Pablo Neira Ayuso
0 siblings, 0 replies; 14+ messages in thread
From: Pablo Neira Ayuso @ 2026-06-18 18:15 UTC (permalink / raw)
To: Florian Westphal
Cc: Fernando Fernandez Mancera, netfilter-devel, coreteam, phil
On Thu, Jun 18, 2026 at 07:32:50PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
> > > index 32148a3a8509..0f39cb147c4f 100644
> > > --- a/net/netfilter/nf_conntrack_proto_icmp.c
> > > +++ b/net/netfilter/nf_conntrack_proto_icmp.c
> > > @@ -117,7 +117,8 @@ int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb,
> > > enum ip_conntrack_dir dir;
> > > struct nf_conn *ct;
> > >
> > > - WARN_ON(skb_nfct(skb));
> > > + if (unlikely(skb_nfct(skb)))
> > > + DEBUG_NET_WARN_ON_ONCE(1);
>
> Should be
> DEBUG_NET_WARN_ON_ONCE(skb_nfct(skb));
> ?
>
> > nf_conntrack_in
> > [ reset skb->nfct ]
> > nf_conntrack_handle_icmp
> > nf_conntrack_icmpv4_error
> > nf_conntrack_inet_error
> >
> > There is nf_conntrack_inet_error() which performs the ct lookup.
> > There is resolve_normal_ct() too, but these two are coming later.
> >
> > [ ... snippet that resets skb->nfct ... ]
> > unsigned int
> > nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
> > {
> > enum ip_conntrack_info ctinfo;
> > struct nf_conn *ct, *tmpl;
> > u_int8_t protonum;
> > int dataoff, ret;
> >
> > tmpl = nf_ct_get(skb, &ctinfo);
> > if (tmpl || ctinfo == IP_CT_UNTRACKED) {
> > /* Previously seen (loopback or untracked)? Ignore. */
> > if ((tmpl && !nf_ct_is_template(tmpl)) ||
> > ctinfo == IP_CT_UNTRACKED)
> > return NF_ACCEPT;
> > skb->_nfct = 0; <--------- this is reset here.
> > }
> > [ end of snippet ]
> >
> > I don't remember having seen this WARN_ON, so remove it.
>
> I would keep the DEBUG_NET_WARN_ON_ONCE(), else this gives a
> refcount leak.
>
> Or, move it closer to the end:
>
> 191 /* Update skb to refer to this connection */
> HERE.
> 192 nf_ct_set(skb, ct, ctinfo);
> 193 return NF_ACCEPT;
> 194 }
OK, let's keep it around. Thanks.