From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
horms@kernel.org
Subject: [PATCH net 00/14] Netfilter fixes for net
Date: Wed, 24 Jun 2026 00:15:33 +0200
Message-ID: <20260623221548.701545-1-pablo@netfilter.org>
Hi,
The following patchset contains Netfilter fixes for net:
1) Add a workaround to avoid a possible crash if nf_nat and nft_chain_nat are
compiled built-in and nf_nat fails to register, allowing nft_chain_nat to
access the incorrect pernetns area. This crash is specific to all built-in
compilation. From Mathias Krause.
2) Revisit conncount GC optimization for confirmed conntracks, skip GC round
if IPS_ASSURED is set. This is addressing an issue for a corner-case
scenario involving locally generated traffic. No crash, just a
functionality fix. From Fernando F. Mancera.
3) Validate iph->ihl in flowtable IPIP tunnel support, from Lorenzo Bianconi.
This is a sanity check that bounces malformed IPIP packets back to the classic
forwarding path.
4) Kdoc fixes for x_tables.h, from Randy Dunlap.
5) Use info->options so nft_synproxy_tcp_options() stays on the same local
snapshot, otherwise eval path can observe inconsistent mix of mss and
timestamps. From Runyu Xiao.
6) Add conntrack_sctp_collision.sh to cover for SCTP INIT collisions.
From Yi Chen.
7) Do not allow NFPROTO_UNSPEC targets if family is NFPROTO_BRIDGE in
nft_compat. This allows the use of nonsensical targets such as xt_nat, leading
to a crash. From Florian Westphal.
8) Add a selftest queueing from bridge family. From Florian Westphal.
9) Do not allow resetting a conntrack helper via ctnetlink. This feature
antedates the creation of the conntrack-tools, and it is not used.
I don't have a use case for it, so I prefer to remove it rather than fix it.
10) Add deprecation warning for IPv4 only conntrack helpers for PPTP
and IRC. From Florian Westphal.
11) Store the master tuple in the expectation object and use it,
otherwise SLAB_TYPESAFE_RCU rules allow incorrect master tuple
information to be displayed through ctnetlink.
12) Run expectation eviction when inserting an expectation with no
helper, this is a fix for the nft_ct custom expectation support.
13) Fix nft_ct custom expectation timeouts, userspace provides a
timeout in milliseconds but kernel assumes this comes in seconds.
From Florian Westphal.
14) Cap maximum number of expectations per class to 255 expectations
per master conntrack at helper registration. This is a fix to
restrict the maximum number of expectations per master conntrack,
which can be an issue for the new lazy GC expectation approach.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-26-06-23
Thanks.
P.S: Sashiko has been reporting "Failed to apply" with recent patches,
I suspect it relies on Linus' tree, which does not yet contain
the patches that were recently included in the last PR.
If it fails to deliver a report, I can provide a list of links
to the reviews that Sashiko provided when patches were posted to
the netfilter-devel mailing list.
----------------------------------------------------------------
The following changes since commit a986fde914d88af47eb78fd29c5d1af7952c3500:
bnx2x: fix potential memory leak in bnx2x_alloc_mem_bp() (2026-06-22 18:39:12 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-06-23
for you to fetch changes up to 397c8300972f6e1486fd1afd99a044648a401cd5:
netfilter: nf_conntrack_helper: cap maximum number of expectation at helper registration (2026-06-23 13:10:48 +0200)
----------------------------------------------------------------
netfilter pull request 26-06-23
----------------------------------------------------------------
Fernando Fernandez Mancera (1):
netfilter: nf_conncount: prevent connlimit drops for early confirmed ct
Florian Westphal (4):
netfilter: nft_compat: ebtables emulation must reject non-bridge targets
selftests: nft_queue.sh: add a bridge queue test
netfilter: conntrack: add deprecation warnings for irc and pptp trackers
netfilter: nft_ct: expectation timeouts are passed in milliseconds
Lorenzo Bianconi (1):
netfilter: flowtable: Validate iph->ihl in nf_flow_ip4_tunnel_proto()
Mathias Krause (1):
netfilter: nf_nat: avoid invalid nat_net pointer use on failed nf_nat_init()
Pablo Neira Ayuso (4):
netfilter: ctnetlink: do not allow to reset helper on existing conntrack
netfilter: nf_conntrack_expect: store master_tuple in expectation
netfilter: nf_conntrack_expect: run expectation eviction with no helper
netfilter: nf_conntrack_helper: cap maximum number of expectation at helper registration
Randy Dunlap (1):
netfilter: x_tables.h: fix all kernel-doc warnings
Runyu Xiao (1):
netfilter: nft_synproxy: stop bypassing the priv->info snapshot
Yi Chen (1):
selftests: netfilter: conntrack_sctp_collision.sh: Introduce SCTP INIT collision test
include/linux/netfilter/x_tables.h | 29 +++++--
include/net/netfilter/nf_conntrack_expect.h | 1 +
include/net/netfilter/nf_conntrack_helper.h | 4 +
net/netfilter/Kconfig | 11 +--
net/netfilter/nf_conncount.c | 11 ++-
net/netfilter/nf_conntrack_broadcast.c | 1 +
net/netfilter/nf_conntrack_expect.c | 12 ++-
net/netfilter/nf_conntrack_helper.c | 9 ++-
net/netfilter/nf_conntrack_irc.c | 2 +
net/netfilter/nf_conntrack_netlink.c | 23 +-----
net/netfilter/nf_conntrack_pptp.c | 2 +
net/netfilter/nf_flow_table_ip.c | 8 +-
net/netfilter/nf_nat_core.c | 10 +++
net/netfilter/nft_compat.c | 24 +++++-
net/netfilter/nft_ct.c | 21 ++++-
net/netfilter/nft_synproxy.c | 9 +--
.../net/netfilter/conntrack_sctp_collision.sh | 89 ++++++++++++++++------
tools/testing/selftests/net/netfilter/nft_queue.sh | 66 ++++++++++++++--
18 files changed, 246 insertions(+), 86 deletions(-)
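As an added illustration of the kind of sanity check item 3 describes (example code written for this page, not the flowtable code in this pull request): validate the outer IPv4 header length field of an IPIP packet and bounce anything malformed to the slow path rather than letting a fast path consume it. The function and verdict names are assumptions, and the packet bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPV4_HDR_MIN 20      /* ihl == 5 words, no options */
#define IPPROTO_IPIP_NUM 4   /* IPv4-in-IPv4 */

enum verdict { FASTPATH_OK = 0, BOUNCE_TO_SLOWPATH = 1 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper (not the kernel's): validate the outer IPv4 header of an
 * IPIP packet held in pkt[0..len). Malformed packets are bounced to the classic
 * forwarding path; on success *inner_off is the offset of the inner header. */
int check_ipip_outer(const uint8_t *pkt, size_t len, size_t *inner_off)
{
    size_t ihl_bytes;
    if (len < IPV4_HDR_MIN) return BOUNCE_TO_SLOWPATH;
    if ((pkt[0] >> 4) != 4) return BOUNCE_TO_SLOWPATH;
    ihl_bytes = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl_bytes < IPV4_HDR_MIN) return BOUNCE_TO_SLOWPATH;   /* ihl < 5 is bogus */
    if (ihl_bytes > len) return BOUNCE_TO_SLOWPATH;             /* options overrun buffer */
    if (be16(pkt + 2) < ihl_bytes + IPV4_HDR_MIN) return BOUNCE_TO_SLOWPATH;
    if (pkt[9] != IPPROTO_IPIP_NUM) return BOUNCE_TO_SLOWPATH;
    if (len - ihl_bytes < IPV4_HDR_MIN) return BOUNCE_TO_SLOWPATH; /* no room for inner header */
    if (inner_off) *inner_off = ihl_bytes;
    return FASTPATH_OK;
}

/* Constructed sample: zeroed outer header with the given ihl nibble and total
 * length len (buf must hold len bytes), protocol IPIP, inner header zeroed. */
static void build_sample(uint8_t *buf, uint8_t ihl_words, size_t len)
{
    memset(buf, 0, len);
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    buf[2] = (uint8_t)(len >> 8); buf[3] = (uint8_t)len;  /* tot_len */
    buf[8] = 64; buf[9] = IPPROTO_IPIP_NUM;               /* ttl, protocol */
}

/* Each demo returns the verdict, or the inner header offset when accepted. */
int demo_well_formed(void)      /* ihl 5: inner header at offset 20 */
{ uint8_t b[80]; size_t off = 0; build_sample(b, 5, 40); b[20] = 0x45;
  return check_ipip_outer(b, 40, &off) == FASTPATH_OK ? (int)off : -1; }
int demo_with_options(void)     /* ihl 6: four bytes of options, inner at 24 */
{ uint8_t b[80]; size_t off = 0; build_sample(b, 6, 44); b[24] = 0x45;
  return check_ipip_outer(b, 44, &off) == FASTPATH_OK ? (int)off : -1; }
int demo_ihl_too_small(void)    /* ihl 3: header shorter than 20 bytes */
{ uint8_t b[80]; build_sample(b, 3, 40); return check_ipip_outer(b, 40, NULL); }
int demo_ihl_beyond_packet(void) /* ihl 15: 60-byte header in a 40-byte packet */
{ uint8_t b[80]; build_sample(b, 15, 40); return check_ipip_outer(b, 40, NULL); }
```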