[PATCH net 0/2] netfilter updates for net

[PATCH net 0/2] netfilter updates for net

[Florian Westphal]

Hi,

The following patchset contains Netfilter fixes for *net*:

1) Remove bogus WARN_ON in br_netfilter that came in 6.8.
   This is now more prominent due to
   2d72afb34065 ("netfilter: nf_conntrack: fix crash due to removal of
   uninitialised entry"). From Wang Liang.

2) Better error reporting when a helper module clashes with
   an existing helper name: -EEXIST makes modprobe believe that the
   module is already loaded, so error message is elided.
   from Phil Sutter.

Please, pull these changes from:
The following changes since commit 9448ccd853368582efa9db05db344f8bb9dffe0f:

  net: hv_netvsc: fix loss of early receive events from host during channel open. (2025-08-26 18:15:19 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-08-27

for you to fetch changes up to 54416fd76770bd04fc3c501810e8d673550bab26:

  netfilter: conntrack: helper: Replace -EEXIST by -EBUSY (2025-08-27 11:53:38 +0200)

----------------------------------------------------------------
netfilter pull request nf-25-08-27

----------------------------------------------------------------

Phil Sutter (1):
  netfilter: conntrack: helper: Replace -EEXIST by -EBUSY

Wang Liang (1):
  netfilter: br_netfilter: do not check confirmed bit in
    br_nf_local_in() after confirm

 net/bridge/br_netfilter_hooks.c     | 3 ---
 net/netfilter/nf_conntrack_helper.c | 4 ++--
 2 files changed, 2 insertions(+), 5 deletions(-)

-- 
2.49.1

[PATCH net 1/2] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

[Florian Westphal]

From: Wang Liang <wangliang74@huawei.com>

When send a broadcast packet to a tap device, which was added to a bridge,
br_nf_local_in() is called to confirm the conntrack. If another conntrack
with the same hash value is added to the hash table, which can be
triggered by a normal packet to a non-bridge device, the below warning
may happen.

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
  CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
  RIP: 0010:br_nf_local_in+0x168/0x200
  Call Trace:
   <TASK>
   nf_hook_slow+0x3e/0xf0
   br_pass_frame_up+0x103/0x180
   br_handle_frame_finish+0x2de/0x5b0
   br_nf_hook_thresh+0xc0/0x120
   br_nf_pre_routing_finish+0x168/0x3a0
   br_nf_pre_routing+0x237/0x5e0
   br_handle_frame+0x1ec/0x3c0
   __netif_receive_skb_core+0x225/0x1210
   __netif_receive_skb_one_core+0x37/0xa0
   netif_receive_skb+0x36/0x160
   tun_get_user+0xa54/0x10c0
   tun_chr_write_iter+0x65/0xb0
   vfs_write+0x305/0x410
   ksys_write+0x60/0xd0
   do_syscall_64+0xa4/0x260
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>
  ---[ end trace 0000000000000000 ]---

To solve the hash conflict, nf_ct_resolve_clash() try to merge the
conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
old ct from local variable 'nfct' after confirm(), which leads to this
warning.

If confirm() does not insert the conntrack entry and return NF_DROP, the
warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
remove it.

Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/
Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/bridge/br_netfilter_hooks.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 94cbe967d1c1..083e2fe96441 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -626,9 +626,6 @@ static unsigned int br_nf_local_in(void *priv,
 		break;
 	}
 
-	ct = container_of(nfct, struct nf_conn, ct_general);
-	WARN_ON_ONCE(!nf_ct_is_confirmed(ct));
-
 	return ret;
 }
 #endif
-- 
2.49.1

[PATCH net 2/2] netfilter: conntrack: helper: Replace -EEXIST by -EBUSY

[Florian Westphal]

From: Phil Sutter <phil@nwl.cc>

The helper registration return value is passed-through by module_init
callbacks which modprobe confuses with the harmless -EEXIST returned
when trying to load an already loaded module.

Make sure modprobe fails so users notice their helper has not been
registered and won't work.

Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 4ed5878cb25b..ceb48c3ca0a4 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -368,7 +368,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
 			    (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
 			     cur->tuple.src.l3num == me->tuple.src.l3num) &&
 			    cur->tuple.dst.protonum == me->tuple.dst.protonum) {
-				ret = -EEXIST;
+				ret = -EBUSY;
 				goto out;
 			}
 		}
@@ -379,7 +379,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
 		hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
 			if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
 						     &mask)) {
-				ret = -EEXIST;
+				ret = -EBUSY;
 				goto out;
 			}
 		}
-- 
2.49.1

Re: [PATCH net 1/2] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Florian Westphal <fw@strlen.de>:

On Wed, 27 Aug 2025 15:38:59 +0200 you wrote:
> From: Wang Liang <wangliang74@huawei.com>
> 
> When send a broadcast packet to a tap device, which was added to a bridge,
> br_nf_local_in() is called to confirm the conntrack. If another conntrack
> with the same hash value is added to the hash table, which can be
> triggered by a normal packet to a non-bridge device, the below warning
> may happen.
> 
> [...]

Here is the summary with links:
  - [net,1/2] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
    https://git.kernel.org/netdev/net/c/479a54ab9208
  - [net,2/2] netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
    https://git.kernel.org/netdev/net/c/54416fd76770

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[PATCH net 0/2] netfilter: updates for net

[Florian Westphal]

Hi,

The following patchset contains Netfilter fixes for *net*:

1) Fix a silly bug in conntrack selftest, busyloop may get optimized to
   for (;;), reported by Yi Chen.

2) Introduce new NFTA_DEVICE_PREFIX attribute in nftables netlink api,
   re-using old NFTA_DEVICE_NAME led to confusion with different
   kernel/userspace versions.  This refines the wildcard interface
   support added in 6.16 release.  From Phil Sutter.

Please, pull these changes from:
The following changes since commit a6099f263e1f408bcc7913c9df24b0677164fc5d:

  net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev (2025-09-02 14:51:45 +0200)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-09-02

for you to fetch changes up to 745d9ca5317a03b55016cdd810e4d2aac57f45df:

  netfilter: nf_tables: Introduce NFTA_DEVICE_PREFIX (2025-09-02 20:52:28 +0200)

----------------------------------------------------------------
netfilter pull request nf-25-09-02

----------------------------------------------------------------
Florian Westphal (1):
      selftests: netfilter: fix udpclash tool hang

Phil Sutter (1):
      netfilter: nf_tables: Introduce NFTA_DEVICE_PREFIX

 include/uapi/linux/netfilter/nf_tables.h           |  2 ++
 net/netfilter/nf_tables_api.c                      | 42 ++++++++++++++++------
 .../selftests/net/netfilter/conntrack_clash.sh     |  2 +-
 .../selftests/net/netfilter/conntrack_resize.sh    |  5 +--
 tools/testing/selftests/net/netfilter/udpclash.c   |  3 +-
 5 files changed, 39 insertions(+), 15 deletions(-)