From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>,
pablo@netfilter.org
Subject: [PATCH net 0/9] netfilter: updates for net
Date: Fri, 3 Jul 2026 14:57:00 +0200
Message-ID: <20260703125709.16493-1-fw@strlen.de>
Hi,
The following patchset contains Netfilter fixes for *net*, all
for ancient problems. Patch 7 raised drive-by sashiko findings,
but those are not related to the change itself.
1) Rebuild the nf_nat_sip data pointer to prevent stale access after SKB
reallocation. Restrict UDP mangling to UDP streams to avoid TCP packet
corruption.
2) Prevent undefined behavior in xt_u32 caused by invalid shift counts.
From Wyatt Feng.
3) Use u64 variables to prevent incorrect comparisons on links exceeding
34 Gbps in xt_rateest. From Feng Wu.
4) Cap the number of expectations per master during nfnetlink_cthelper
updates. From Pablo Neira Ayuso.
5) Mark malformed IPv6 extension headers for hotdrop in ip6tables.
From Zhixing Chen.
6) Skip the end element of an open interval during the get command when its
closest match is the interval's start element. Also from Pablo Neira Ayuso.
7) Fix PMTU calculation for GUE/GRE tunnels in IPVS during ICMP fragmentation
error handling. Include additional tunnel header length when computing the
new MTU. From Yizhou Zhao.
8) Reset full ip_vs_seq structures in ip_vs_conn_new. Also from Yizhou Zhao.
9) Reject invalid shift parameters in xt_connmark. Also from Wyatt Feng.
Please, pull these changes from:
The following changes since commit d335dcc6f521571d57117b8deeebc940836e5450:
gue: validate REMCSUM private option length (2026-07-03 09:34:53 +0100)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-07-03
for you to fetch changes up to 1b47026fb4b35bac850ad6e8a4ad7fc018e09ebc:
netfilter: xt_connmark: reject invalid shift parameters (2026-07-03 14:45:21 +0200)
----------------------------------------------------------------
netfilter pull request nf-26-07-03
----------------------------------------------------------------
Feng Wu (1):
netfilter: xt_rateest: fix u64 truncation in xt_rateest_mt()
Florian Westphal (1):
netfilter: nf_nat_sip: reload possible stale data pointer
Pablo Neira Ayuso (2):
netfilter: nfnetlink_cthelper: cap to maximum number of expectation
per master on updates
netfilter: nft_set_rbtree: get command skips end element with open
interval
Wyatt Feng (2):
netfilter: xt_u32: reject invalid shift counts
netfilter: xt_connmark: reject invalid shift parameters
Yizhou Zhao (2):
ipvs: fix PMTU for GUE/GRE tunnel ICMP errors
ipvs: reset full ip_vs_seq structs in ip_vs_conn_new
Zhixing Chen (1):
netfilter: ip6tables: mark malformed IPv6 extension headers for hotdrop
net/ipv6/netfilter/ip6t_ah.c | 5 +++++
net/ipv6/netfilter/ip6t_hbh.c | 1 +
net/ipv6/netfilter/ip6t_rt.c | 3 ++-
net/netfilter/ipvs/ip_vs_conn.c | 4 ++--
net/netfilter/ipvs/ip_vs_core.c | 6 +++---
net/netfilter/nf_nat_sip.c | 11 +++++++++++
net/netfilter/nf_tables_api.c | 3 +++
net/netfilter/nfnetlink_cthelper.c | 2 ++
net/netfilter/nft_set_rbtree.c | 8 ++++++--
net/netfilter/xt_connmark.c | 14 ++++++++++++--
net/netfilter/xt_rateest.c | 2 +-
net/netfilter/xt_u32.c | 12 +++++++++++-
12 files changed, 59 insertions(+), 12 deletions(-)
--
2.54.0
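Items 2, 3 and 9 above are all integer-width defects in user-supplied match parameters: a shift count of 32 or more on a 32-bit operand is undefined behaviour in C, and a bytes-per-second value held in a u32 wraps at 2^32 B/s, which is 34.36 Gbit/s. The following is an added illustration, not code from the kernel or from this series; the step structure, function names and threshold values are hypothetical stand-ins chosen to show the two checks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical shift step, loosely modelled on the left/right-shift
 * operations an xt_u32-style match applies; not the kernel's definitions. */
enum shift_op { OP_LSH, OP_RSH };

struct shift_step {
    enum shift_op op;
    uint32_t count; /* comes from userspace when the rule is loaded */
};

/* Rule-load validation: shifting a 32-bit value by 32 or more is undefined
 * behaviour, so reject such a rule before any packet can reach the shift. */
static bool shift_steps_valid(const struct shift_step *steps, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (steps[i].count >= 32)
            return false;
    return true;
}

/* Evaluate the steps against a value. Returns false and leaves *out untouched
 * when validation fails, so an invalid rule never executes a shift. */
static bool apply_shift_steps(uint32_t val, const struct shift_step *steps,
                              size_t n, uint32_t *out)
{
    if (!shift_steps_valid(steps, n))
        return false;
    for (size_t i = 0; i < n; i++)
        val = (steps[i].op == OP_LSH) ? val << steps[i].count
                                      : val >> steps[i].count;
    *out = val;
    return true;
}

/* Rate threshold check. 2^32 bytes/s = 34,359,738,368 bit/s (34.36 Gbit/s);
 * above that, truncating the measured rate to u32 wraps it and a
 * ">= threshold" comparison silently turns false. Keeping it in u64 does not. */
static bool rate_above(uint64_t bytes_per_sec, uint64_t threshold,
                       bool truncate_to_u32)
{
    if (truncate_to_u32)
        return (uint32_t)bytes_per_sec >= (uint32_t)threshold;
    return bytes_per_sec >= threshold;
}
```

In the test below, 4,375,000,000 B/s (35 Gbit/s) truncated to u32 becomes 80,032,704 and no longer exceeds a 4,000,000,000 B/s threshold.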