From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>,
pablo@netfilter.org
Subject: [PATCH net 0/9] netfilter: updates for net
Date: Tue, 30 Jun 2026 06:52:34 +0200
Message-ID: <20260630045243.2657-1-fw@strlen.de>
Hi,

The following patchset contains Netfilter fixes for *net*.

Due to bug volume the plan is to make a second *net* pull request
this Friday.

1) Zero nf_conntrack_expect at allocation to prevent uninitialized data
   leaks to userspace. Add missing exp->dir initialization.

2) Prevent out-of-bounds writes in nft_set_pipapo caused by inconsistent
   clones during allocation failures. Fail operations if the clone enters an
   error state. This was a day-0 bug.

3) Fix use-after-free race between ipset dump and array resizing. Protect
   array pointer access with rcu_read_lock(). From Xiang Mei. Bug existed
   since v4.20.

4) Validate skb_dst() exists before access in nf_conntrack_sip.
   This prevents a crash when called from tc ingress or openvswitch.
   From Pablo Neira Ayuso. Bug added in 4.3 when ovs gained support
   for conntrack helpers.

5) Cap the maximum number of expectations to NF_CT_EXPECT_MAX_CNT during
   userspace helper policy updates. Also from Pablo.

6) Prevent NULL pointer dereference in nft_fib on netdev egress hooks. Add
   nft_fib_netdev_validate() to restrict fib expressions to appropriate
   netdev hooks. Restrict nft_fib_validate() to IPv4, IPv6, and INET
   protocols. From Theodor Arsenij Larionov-Trichkine.
   Bug was exposed in v5.16 when egress hooks got added.

7) Restrict nfnetlink_queue writes to network headers. Validate IP/IPv6
   header length and disable extension headers or IP option modifications.
   Disable bridge modification for now, it's unlikely anyone is using this.

8) Restrict arbitrary writes to link-layer and network headers in nftables.
   Prevent link-layer modifications from spilling into network headers.
   Prevent writes to IP version and length fields.

9) Restrict L3 checksum update offset to IPv4. Else csum offset can be
   used to munge arbitrary header offsets, rendering the previous change moot.

These three patches are follow-ups to a 7.1 change that disabled
header rewrite ability in unprivileged network namespaces.
Unprivileged netns support is not yet enabled again here.
Please, pull these changes from:

The following changes since commit 1398b1014909618f65ff6bcebcb2ee5ccd44fdc0:

  MAINTAINERS: Update Jason Wang's email address (2026-06-29 19:09:00 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-06-30

for you to fetch changes up to e2c4a0c805f7be21c8288e8562145a6691e11559:

  netfilter: nftables: restrict checkum update offset (2026-06-30 06:37:12 +0200)
----------------------------------------------------------------
netfilter pull request nf-26-06-30
----------------------------------------------------------------
Florian Westphal (5):
      netfilter: nf_conntrack_expect: zero at allocation time
      netfilter: nft_set_pipapo: don't leak bad clone into future transaction
      netfilter: nfnetlink_queue: restrict writes to network header
      netfilter: nftables: restrict linklayer and network header writes
      netfilter: nftables: restrict checkum update offset

Pablo Neira Ayuso (2):
      netfilter: nf_conntrack_sip: validate skb_dst() before accessing it
      netfilter: nfnetlink_cthelper: cap to maximum number of expectation per master

Theodor Arsenij Larionov-Trichkine (1):
      netfilter: nft_fib: reject fib expression on the netdev egress hook

Xiang Mei (1):
      netfilter: ipset: fix race between dump and ip_set_list resize
 net/netfilter/ipset/ip_set_core.c    |   8 +-
 net/netfilter/nf_conntrack_expect.c  |   3 +-
 net/netfilter/nf_conntrack_netlink.c |  11 +-
 net/netfilter/nf_conntrack_sip.c     |   7 +-
 net/netfilter/nfnetlink_cthelper.c   |   2 +
 net/netfilter/nfnetlink_queue.c      | 170 +++++++++++++++++
 net/netfilter/nft_fib.c              |   9 +
 net/netfilter/nft_fib_netdev.c       |  29 ++-
 net/netfilter/nft_payload.c          | 270 +++++++++++++++++++++++++++
 net/netfilter/nft_set_pipapo.c       |  34 +++-
 net/netfilter/nft_set_pipapo.h       |   8 +
 11 files changed, 531 insertions(+), 20 deletions(-)
--
2.53.0
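Illustration added here, not part of the series and not the kernel's nfnetlink_queue or nft_payload code: a userspace C model of the kind of header-write policy that items 7, 8 and 9 above describe, applied to a constructed IPv4 header. The policy itself (writes confined to the base header, no option edits, version/IHL and total length immutable, the L3 checksum fix-up pinned to the IPv4 checksum field), the verdict names and the `ipv4_*` functions are this example's assumptions; the field offsets are the standard RFC 791 ones, and the sample header is constructed, not captured traffic.

```c
#include <stdint.h>
#include <string.h>

#define IPV4_MIN_HDR_LEN 20   /* base header, no options */
#define IPV4_CSUM_OFFSET 10   /* header checksum field (RFC 791) */

enum write_verdict {
    WRITE_OK = 0,
    WRITE_ERR_NOT_IPV4,     /* version nibble is not 4 */
    WRITE_ERR_SHORT_PKT,    /* header longer than buffer, or IHL < 5 */
    WRITE_ERR_RANGE,        /* write leaves the header entirely */
    WRITE_ERR_OPTIONS,      /* write would touch IP options */
    WRITE_ERR_IMMUTABLE,    /* version/IHL or total length field */
    WRITE_ERR_CSUM_OFFSET   /* checksum fix-up aimed at another field */
};

/* Parse IHL and check that the whole header lies inside the buffer. */
static int ipv4_header_len(const uint8_t *nh, size_t nh_len, size_t *hlen)
{
    if (nh_len < IPV4_MIN_HDR_LEN)
        return WRITE_ERR_SHORT_PKT;
    if ((nh[0] >> 4) != 4)
        return WRITE_ERR_NOT_IPV4;
    *hlen = (size_t)(nh[0] & 0x0f) * 4;
    if (*hlen < IPV4_MIN_HDR_LEN || *hlen > nh_len)
        return WRITE_ERR_SHORT_PKT;
    return WRITE_OK;
}

/* Policy (this example's assumption): a write must stay inside the base
 * header, skip options, and leave version/IHL (byte 0) and total length
 * (bytes 2-3) alone, because those decide how the rest is parsed. */
int ipv4_validate_write(const uint8_t *nh, size_t nh_len, size_t offset, size_t len)
{
    size_t hlen;
    int rc = ipv4_header_len(nh, nh_len, &hlen);
    if (rc != WRITE_OK)
        return rc;
    /* subtraction form so that offset + len cannot wrap around */
    if (len == 0 || offset > hlen || len > hlen - offset)
        return WRITE_ERR_RANGE;
    if (offset + len > IPV4_MIN_HDR_LEN)
        return WRITE_ERR_OPTIONS;
    if (offset == 0 || (offset < 4 && offset + len > 2))
        return WRITE_ERR_IMMUTABLE;
    return WRITE_OK;
}

/* RFC 1071 one's-complement checksum; a correct header sums to 0. */
uint16_t ipv4_checksum(const uint8_t *nh, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += (uint32_t)nh[i] << 8 | nh[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validated write followed by an L3 checksum fix-up pinned to the IPv4
 * checksum field, so the fix-up cannot reach bytes the validator rejected. */
int ipv4_apply_write(uint8_t *nh, size_t nh_len, size_t offset,
                     const uint8_t *src, size_t len, size_t csum_offset)
{
    size_t hlen;
    uint16_t csum;
    int rc = ipv4_validate_write(nh, nh_len, offset, len);
    if (rc != WRITE_OK)
        return rc;
    if (csum_offset != IPV4_CSUM_OFFSET)
        return WRITE_ERR_CSUM_OFFSET;
    ipv4_header_len(nh, nh_len, &hlen);   /* cannot fail: validated above */
    memcpy(nh + offset, src, len);
    nh[csum_offset] = nh[csum_offset + 1] = 0;
    csum = ipv4_checksum(nh, hlen);
    nh[csum_offset] = (uint8_t)(csum >> 8);
    nh[csum_offset + 1] = (uint8_t)csum;
    return WRITE_OK;
}

/* Constructed sample, not captured traffic: minimal IPv4/TCP header with
 * documentation addresses and its correct checksum (0x3c60) filled in. */
const uint8_t sample_ipv4_header[IPV4_MIN_HDR_LEN] = {
    0x45, 0x00, 0x00, 0x28,  /* v4, IHL 5, TOS 0, total length 40 */
    0x12, 0x34, 0x40, 0x00,  /* id 0x1234, DF, fragment offset 0 */
    0x40, 0x06, 0x3c, 0x60,  /* TTL 64, TCP, header checksum */
    192, 0, 2, 1,            /* src 192.0.2.1 */
    198, 51, 100, 7          /* dst 198.51.100.7 */
};

/* Rewrite the sample's TTL via the validated path with the given checksum
 * offset; returns the verdict, or -1 if the header no longer verifies. */
int demo_ttl_rewrite(size_t csum_offset)
{
    uint8_t pkt[IPV4_MIN_HDR_LEN], ttl = 1;
    int rc;
    memcpy(pkt, sample_ipv4_header, sizeof pkt);
    rc = ipv4_apply_write(pkt, sizeof pkt, 8, &ttl, 1, csum_offset);
    if (rc != WRITE_OK)
        return rc;
    return pkt[8] == 1 && ipv4_checksum(pkt, sizeof pkt) == 0 ? WRITE_OK : -1;
}
```

`demo_ttl_rewrite(IPV4_CSUM_OFFSET)` edits the TTL and leaves a header that still verifies; the same call with any other checksum offset is refused before anything is written, which is the property item 9 is after: once the fix-up offset is pinned, the checksum update can no longer serve as a second, unvalidated write path into the header.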