From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
horms@kernel.org
Subject: [PATCH net 00/13] Netfilter fixes for net
Date: Fri, 8 May 2026 01:44:56 +0200
Message-ID: <20260507234509.603182-1-pablo@netfilter.org>
Hi,
The following batch contains Netfilter fixes for net:
1) Allow initial x_tables table replacement without emitting an audit
log message. Delay the register message until after hooks are wired up
to avoid unnecessary unregister logs during error unwinding.
2) Fix a NULL dereference by allocating hook ops before adding the
table to the per-netns list. Use `synchronize_rcu()` during error
unwinding to ensure the table stops processing packets before
teardown. Defer audit log register message until all operations
succeed.
3) Refactor xtables to use a single `xt_unregister_table_pre_exit`
function. Eliminate code duplication by centralizing table
unregistration logic within the xtables core. ebtables cannot be
changed due to incompatibility.
4) Unregister xtables templates before module removal. This prevents
a race condition where userspace instantiates a new table after the
pernet unreg removed the current table.
5) Add `xtables_unregister_table_exit` to fully unregister netfilter
tables during module removal. Unlink the table from dying lists,
then free hook operations.
6) Implement a two-stage removal scheme for ebtables following the
x_tables pattern. Assign table->ops while holding the ebt mutex to
prevent exposing partially-filled structures.
7) Fix ebtables module initialization race. Register the template last
in table initialization functions. Prevent table instantiation before
pernet operations are available.
8) Fix a race condition in x_tables module initialization. Ensure
pernet ops are fully set up before exposing the table to userspace.
9) Fix a race condition in ebtables module initialization, similar to
previous patch.
10) Restore propagation of helper to expected connection; this is a
fix-for-recent-fix.
11) Validate that the expectation tuple and mask netlink attributes are
present when adding an expectation via nfqueue; this fixes a possible
null-ptr-deref.
12) Fix a possible rare memleak in the SIP helper in case the helper has
been detached from the conntrack entry, from Li Xiasong.
13) Fix refcount leak in nft_ct when creating a custom expectation, also
from Li Xiasong.
Patches 1-9 from Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-26-05-08
Thanks.
----------------------------------------------------------------
The following changes since commit fcee7d82f27d6a8b1ddc5bbefda59b4e441e9bc0:
Merge tag 'net-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2026-05-07 10:32:03 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-05-08
for you to fetch changes up to 19f94b6fee75b3ef7fbc06f3745b9a771a8a19a4:
netfilter: nft_ct: fix missing expect put in obj eval (2026-05-08 01:30:17 +0200)
----------------------------------------------------------------
netfilter pull request 26-05-08
----------------------------------------------------------------
Florian Westphal (9):
netfilter: x_tables: allow initial table replace without emitting audit log message
netfilter: x_tables: allocate hook ops while under mutex
netfilter: x_tables: add and use xt_unregister_table_pre_exit
netfilter: x_tables: unregister the templates first
netfilter: x_tables: add and use xtables_unregister_table_exit
netfilter: ebtables: move to two-stage removal scheme
netfilter: ebtables: close dangling table module init race
netfilter: x_tables: close dangling table module init race
netfilter: bridge: eb_tables: close module init race
Li Xiasong (2):
netfilter: nf_conntrack_sip: get helper before allocating expectation
netfilter: nft_ct: fix missing expect put in obj eval
Pablo Neira Ayuso (2):
netfilter: nf_conntrack_expect: restore helper propagation via expectation
netfilter: ctnetlink: check tuple and mask in expectations created via nfqueue
include/linux/netfilter/x_tables.h | 4 +-
include/linux/netfilter_arp/arp_tables.h | 1 -
include/linux/netfilter_ipv4/ip_tables.h | 1 -
include/linux/netfilter_ipv6/ip6_tables.h | 1 -
include/net/netfilter/nf_conntrack_expect.h | 5 +-
net/bridge/netfilter/ebtable_broute.c | 14 +--
net/bridge/netfilter/ebtable_filter.c | 14 +--
net/bridge/netfilter/ebtable_nat.c | 12 +-
net/bridge/netfilter/ebtables.c | 71 ++++++-----
net/ipv4/netfilter/arp_tables.c | 53 ++-------
net/ipv4/netfilter/arptable_filter.c | 27 +++--
net/ipv4/netfilter/ip_tables.c | 59 ++--------
net/ipv4/netfilter/iptable_filter.c | 27 +++--
net/ipv4/netfilter/iptable_mangle.c | 29 ++---
net/ipv4/netfilter/iptable_nat.c | 6 +-
net/ipv4/netfilter/iptable_raw.c | 26 ++--
net/ipv4/netfilter/iptable_security.c | 27 +++--
net/ipv6/netfilter/ip6_tables.c | 56 ++-------
net/ipv6/netfilter/ip6table_filter.c | 26 ++--
net/ipv6/netfilter/ip6table_mangle.c | 27 +++--
net/ipv6/netfilter/ip6table_nat.c | 6 +-
net/ipv6/netfilter/ip6table_raw.c | 24 ++--
net/ipv6/netfilter/ip6table_security.c | 27 +++--
net/netfilter/nf_conntrack_broadcast.c | 1 +
net/netfilter/nf_conntrack_core.c | 7 +-
net/netfilter/nf_conntrack_expect.c | 1 +
net/netfilter/nf_conntrack_h323_main.c | 12 +-
net/netfilter/nf_conntrack_helper.c | 5 +
net/netfilter/nf_conntrack_netlink.c | 21 +++-
net/netfilter/nf_conntrack_sip.c | 10 +-
net/netfilter/nft_ct.c | 2 +
net/netfilter/x_tables.c | 177 +++++++++++++++++++++++-----
32 files changed, 415 insertions(+), 364 deletions(-)