public inbox for netdev@vger.kernel.org
From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	<netfilter-devel@vger.kernel.org>,
	pablo@netfilter.org
Subject: [PATCH net 00/10] netfilter: updates for net
Date: Tue, 17 Feb 2026 17:32:23 +0100
Message-ID: <20260217163233.31455-1-fw@strlen.de>

Hi,

The following patchset contains Netfilter fixes for *net*:

1) Add missing __rcu annotations to NAT helper hook pointers in Amanda, FTP,
   IRC, SNMP and TFTP helpers.  From Sun Jian.

2-4):
 - Add global spinlock to serialize nft_counter fetch+reset operations.
 - Use atomic64_xchg() for nft_quota reset instead of read+subtract pattern.
   Note AI review detects a race in this change but it isn't new. The
   'racing' bit only exists to prevent a constant stream of 'quota expired'
   notifications.
 - Revert commit_mutex usage in nf_tables reset path; it caused a
   circular lock dependency.  All from Brian Witte.

5) Fix uninitialized l3num value in nf_conntrack_h323 helper.

6) Fix musl libc compatibility in netfilter_bridge.h UAPI header. This
   change isn't nice (UAPI headers should not include libc headers), but
   as-is musl builds may fail due to redefinition of struct ethhdr.

7) Fix protocol checksum validation in IPVS for IPv6 with extension headers,
   from Julian Anastasov.

8) Fix device reference leak in IPVS when netdev goes down. Also from
   Julian.

9) Remove WARN_ON_ONCE when accessing forward path array, this can
   trigger with sufficiently long forward paths.  From Pablo Neira Ayuso.

10) Fix use-after-free in nf_tables_addchain() error path, from Inseo An.

Please, pull these changes from:
The following changes since commit 77c5e3fdd2793f478e6fdae55c9ea85b21d06f8f:

  Merge branch 'selftests-forwarding-fix-br_netfilter-related-test-failures' (2026-02-17 13:34:41 +0100)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-02-17

for you to fetch changes up to 71e99ee20fc3f662555118cf1159443250647533:

  netfilter: nf_tables: fix use-after-free in nf_tables_addchain() (2026-02-17 15:04:20 +0100)

----------------------------------------------------------------
netfilter pull request nf-26-02-17

----------------------------------------------------------------
Brian Witte (3):
  netfilter: nft_counter: serialize reset with spinlock
  netfilter: nft_quota: use atomic64_xchg for reset
  netfilter: nf_tables: revert commit_mutex usage in reset path

Florian Westphal (1):
  netfilter: nf_conntrack_h323: don't pass uninitialised l3num value

Inseo An (1):
  netfilter: nf_tables: fix use-after-free in nf_tables_addchain()

Julian Anastasov (2):
  ipvs: skip ipv6 extension headers for csum checks
  ipvs: do not keep dest_dst if dev is going down

Pablo Neira Ayuso (1):
  net: remove WARN_ON_ONCE when accessing forward path array

Phil Sutter (1):
  include: uapi: netfilter_bridge.h: Cover for musl libc

Sun Jian (1):
  netfilter: annotate NAT helper hook pointers with __rcu

 include/linux/netfilter/nf_conntrack_amanda.h |   2 +-
 include/linux/netfilter/nf_conntrack_ftp.h    |   2 +-
 include/linux/netfilter/nf_conntrack_irc.h    |   2 +-
 include/linux/netfilter/nf_conntrack_snmp.h   |   2 +-
 include/linux/netfilter/nf_conntrack_tftp.h   |   2 +-
 include/uapi/linux/netfilter_bridge.h         |   4 +
 net/core/dev.c                                |   2 +-
 net/netfilter/ipvs/ip_vs_proto_sctp.c         |  18 +-
 net/netfilter/ipvs/ip_vs_proto_tcp.c          |  21 +-
 net/netfilter/ipvs/ip_vs_proto_udp.c          |  20 +-
 net/netfilter/ipvs/ip_vs_xmit.c               |  46 +++-
 net/netfilter/nf_conntrack_amanda.c           |  14 +-
 net/netfilter/nf_conntrack_ftp.c              |  14 +-
 net/netfilter/nf_conntrack_h323_main.c        |  10 +-
 net/netfilter/nf_conntrack_irc.c              |  13 +-
 net/netfilter/nf_conntrack_snmp.c             |   8 +-
 net/netfilter/nf_conntrack_tftp.c             |   7 +-
 net/netfilter/nf_tables_api.c                 | 249 +++---------------
 net/netfilter/nft_counter.c                   |  20 +-
 net/netfilter/nft_quota.c                     |  13 +-
 20 files changed, 166 insertions(+), 303 deletions(-)

-- 
2.52.0
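
Why a reset built from a separate read and subtract needs either serialization or a single exchange (items 2-4 above), as an added userspace C11 example that is not code from this patch series or the kernel tree. The counter, the helper names and the interleaving of the two resetters are constructed for illustration.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for a consumed-bytes counter (hypothetical name). */
static _Atomic uint64_t consumed;

/* Read+subtract reset, split into its two steps so that two callers
 * can be interleaved deterministically. */
static uint64_t reset_read(void) { return atomic_load(&consumed); }
static void reset_subtract(uint64_t seen) { atomic_fetch_sub(&consumed, seen); }

/* Exchange-based reset: fetch the value and zero it in one indivisible step. */
static uint64_t reset_xchg(void) { return atomic_exchange(&consumed, 0); }

struct outcome { uint64_t reported_a, reported_b, left; };

/* Resetters A and B both read before either one subtracts. */
static struct outcome racy_two_resets(uint64_t start)
{
    struct outcome o;
    atomic_store(&consumed, start);
    o.reported_a = reset_read();
    o.reported_b = reset_read();     /* B sees the same value as A */
    reset_subtract(o.reported_a);
    reset_subtract(o.reported_b);    /* subtracted a second time: wraps */
    o.left = atomic_load(&consumed);
    return o;
}

/* Same two resetters using the exchange: the value is handed out once. */
static struct outcome xchg_two_resets(uint64_t start)
{
    struct outcome o;
    atomic_store(&consumed, start);
    o.reported_a = reset_xchg();
    o.reported_b = reset_xchg();
    o.left = atomic_load(&consumed);
    return o;
}

int main(void)
{
    struct outcome r = racy_two_resets(1500), x = xchg_two_resets(1500);
    printf("read+sub: a=%llu b=%llu left=%llu\n", (unsigned long long)r.reported_a,
           (unsigned long long)r.reported_b, (unsigned long long)r.left);
    printf("xchg:     a=%llu b=%llu left=%llu\n", (unsigned long long)x.reported_a,
           (unsigned long long)x.reported_b, (unsigned long long)x.left);
    return 0;
}
```

With read+subtract both resetters report the full value and the counter wraps below zero; with the exchange the reported values always sum to what was actually consumed.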

Thread overview: 18+ messages
2026-02-17 16:32 Florian Westphal [this message]
2026-02-17 16:32 ` [PATCH net 01/10] netfilter: annotate NAT helper hook pointers with __rcu Florian Westphal
2026-02-19  1:20   ` patchwork-bot+netdevbpf
2026-02-17 16:32 ` [PATCH net 02/10] netfilter: nft_counter: serialize reset with spinlock Florian Westphal
2026-02-17 16:32 ` [PATCH net 03/10] netfilter: nft_quota: use atomic64_xchg for reset Florian Westphal
2026-02-17 16:32 ` [PATCH net 04/10] netfilter: nf_tables: revert commit_mutex usage in reset path Florian Westphal
2026-02-17 16:32 ` [PATCH net 05/10] netfilter: nf_conntrack_h323: don't pass uninitialised l3num value Florian Westphal
2026-02-17 16:32 ` [PATCH net 06/10] include: uapi: netfilter_bridge.h: Cover for musl libc Florian Westphal
2026-02-17 16:32 ` [PATCH net 07/10] ipvs: skip ipv6 extension headers for csum checks Florian Westphal
2026-02-17 16:32 ` [PATCH net 08/10] ipvs: do not keep dest_dst if dev is going down Florian Westphal
2026-02-17 16:32 ` [PATCH net 09/10] net: remove WARN_ON_ONCE when accessing forward path array Florian Westphal
2026-02-17 16:32 ` [PATCH net 10/10] netfilter: nf_tables: fix use-after-free in nf_tables_addchain() Florian Westphal
  -- strict thread matches above, loose matches on Subject: below --
2026-03-09 21:08 [PATCH net 00/10] netfilter: updates for net Florian Westphal
2026-03-10 10:56 ` Pablo Neira Ayuso
2026-03-10 12:33   ` Florian Westphal
2026-03-10 12:41     ` Pablo Neira Ayuso
2026-03-10 12:48       ` Florian Westphal
2026-03-10 13:02 ` Florian Westphal
