* [PATCH net 0/9] netfilter: updates for net
@ 2026-07-03 12:57 Florian Westphal
From: Florian Westphal @ 2026-07-03 12:57 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, pablo

Hi,

The following patchset contains Netfilter fixes for *net*, all
for ancient problems.  Patch 7 raised drive-by sashiko findings,
but those are not related to the change itself.

1) Rebuild the nf_nat_sip data pointer to prevent stale access after SKB
reallocation. Restrict UDP mangling to UDP streams to avoid TCP packet
corruption.

2) Prevent undefined behavior in xt_u32 caused by invalid shift counts.
From Wyatt Feng.

3) Use u64 variables to prevent incorrect comparisons on links exceeding
34 Gbps in xt_rateest.  From Feng Wu.

4) Cap the number of expectations per master during nfnetlink_cthelper
updates. From Pablo Neira Ayuso.

5) Mark malformed IPv6 extension headers for hotdrop in ip6tables.
From Zhixing Chen.

6) Skip the end element of an open interval during the get command when its
closest match is the interval's start element. Also from Pablo Neira Ayuso.

7) Fix PMTU calculation for GUE/GRE tunnels in IPVS during ICMP fragmentation
error handling. Include additional tunnel header length when computing the
new MTU. From Yizhou Zhao.

8) Reset full ip_vs_seq structures in ip_vs_conn_new. Also from Yizhou Zhao.

9) Reject invalid shift parameters in xt_connmark. Also from Wyatt Feng.

Please, pull these changes from:
The following changes since commit d335dcc6f521571d57117b8deeebc940836e5450:

  gue: validate REMCSUM private option length (2026-07-03 09:34:53 +0100)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-07-03

for you to fetch changes up to 1b47026fb4b35bac850ad6e8a4ad7fc018e09ebc:

  netfilter: xt_connmark: reject invalid shift parameters (2026-07-03 14:45:21 +0200)

----------------------------------------------------------------
netfilter pull request nf-26-07-03

----------------------------------------------------------------

Feng Wu (1):
  netfilter: xt_rateest: fix u64 truncation in xt_rateest_mt()

Florian Westphal (1):
  netfilter: nf_nat_sip: reload possible stale data pointer

Pablo Neira Ayuso (2):
  netfilter: nfnetlink_cthelper: cap to maximum number of expectation
    per master on updates
  netfilter: nft_set_rbtree: get command skips end element with open
    interval

Wyatt Feng (2):
  netfilter: xt_u32: reject invalid shift counts
  netfilter: xt_connmark: reject invalid shift parameters

Yizhou Zhao (2):
  ipvs: fix PMTU for GUE/GRE tunnel ICMP errors
  ipvs: reset full ip_vs_seq structs in ip_vs_conn_new

Zhixing Chen (1):
  netfilter: ip6tables: mark malformed IPv6 extension headers for hotdrop

 net/ipv6/netfilter/ip6t_ah.c       |  5 +++++
 net/ipv6/netfilter/ip6t_hbh.c      |  1 +
 net/ipv6/netfilter/ip6t_rt.c       |  3 ++-
 net/netfilter/ipvs/ip_vs_conn.c    |  4 ++--
 net/netfilter/ipvs/ip_vs_core.c    |  6 +++---
 net/netfilter/nf_nat_sip.c         | 11 +++++++++++
 net/netfilter/nf_tables_api.c      |  3 +++
 net/netfilter/nfnetlink_cthelper.c |  2 ++
 net/netfilter/nft_set_rbtree.c     |  8 ++++++--
 net/netfilter/xt_connmark.c        | 14 ++++++++++++--
 net/netfilter/xt_rateest.c         |  2 +-
 net/netfilter/xt_u32.c             | 12 +++++++++++-
 12 files changed, 59 insertions(+), 12 deletions(-)

-- 
2.54.0


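Items 2 and 9 above both concern shift counts that arrive from rule configuration and are applied to 32-bit values. Shifting a 32-bit value by 32 or more is undefined behaviour in C, so the defensive pattern is to reject such a count once, when the rule is installed, rather than on every packet. The following is an added illustration in the spirit of the u32 match (load a word at an offset, transform it, compare against a range); it is not the kernel's xt_u32 or xt_connmark code, and the struct layout, op names and sample packet bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed rule format for the example: load the 32-bit big-endian word at
 * byte offset `at`, apply up to four transforms, then test an inclusive range. */
enum op_kind { OP_AND, OP_LSH, OP_RSH };

struct op { enum op_kind kind; uint32_t arg; };

struct rule {
	uint32_t  at;       /* byte offset of the word to load */
	struct op ops[4];
	size_t    nops;
	uint32_t  min, max; /* inclusive match range after the transforms */
};

/* Rule install time: refuse shift counts that would be undefined on a 32-bit
 * value. Returns 0 if acceptable, -1 otherwise. */
int rule_check(const struct rule *r)
{
	if (r->nops > 4)
		return -1;
	for (size_t i = 0; i < r->nops; i++) {
		const struct op *o = &r->ops[i];
		if ((o->kind == OP_LSH || o->kind == OP_RSH) && o->arg >= 32)
			return -1;
	}
	return 0;
}

/* Per-packet path: bounds-check the load against the packet length, then apply
 * the already validated transforms. Returns true on match. */
bool rule_match(const struct rule *r, const uint8_t *pkt, size_t len)
{
	if (r->at > len || len - r->at < 4)
		return false;
	uint32_t v = (uint32_t)pkt[r->at] << 24 | (uint32_t)pkt[r->at + 1] << 16 |
	             (uint32_t)pkt[r->at + 2] << 8 | pkt[r->at + 3];
	for (size_t i = 0; i < r->nops; i++) {
		switch (r->ops[i].kind) {
		case OP_AND: v &= r->ops[i].arg; break;
		case OP_LSH: v <<= r->ops[i].arg; break;
		case OP_RSH: v >>= r->ops[i].arg; break;
		}
	}
	return v >= r->min && v <= r->max;
}

/* Constructed sample: the first bytes of an IPv4 header (version 4, IHL 5,
 * total length 60); the remaining bytes are zero. */
static const uint8_t sample_pkt[20] = { 0x45, 0x00, 0x00, 0x3c };

/* Extract the IP version by shifting the first word right by 28 bits. */
bool demo_version_is_4(void)
{
	struct rule r = { .at = 0, .ops = { { OP_RSH, 28 } }, .nops = 1, .min = 4, .max = 4 };
	return rule_check(&r) == 0 && rule_match(&r, sample_pkt, sizeof sample_pkt);
}

/* A shift count of 32 is rejected before any packet is ever matched. */
int demo_oversized_shift(void)
{
	struct rule r = { .at = 0, .ops = { { OP_RSH, 32 } }, .nops = 1, .min = 0, .max = 0 };
	return rule_check(&r);
}

/* A load that would overrun the packet does not match instead of reading past it. */
bool demo_short_packet(void)
{
	struct rule r = { .at = 18, .nops = 0, .min = 0, .max = 0xffffffffu };
	return rule_match(&r, sample_pkt, sizeof sample_pkt);
}
```

The point of the split is that rule_check() runs once, under the privileges of whoever installs the rule, while rule_match() runs on every packet with no further validation; any value that can make the per-packet arithmetic undefined has to be filtered out in the former.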
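Item 3 above is a width-truncation bug: a 64-bit rate squeezed through a 32-bit variable compares wrongly once the rate no longer fits. The added example below is not the xt_rateest code; it assumes the estimator reports bytes per second as a 64-bit value, which is consistent with the 34 Gbps figure in the cover letter (2^32 bytes/s is 34.36 Gbit/s), and shows the buggy comparison next to the fixed one.

```c
#include <stdint.h>
#include <stdbool.h>

/* Convert a link rate in Gbit/s to bytes per second (the estimator's unit in
 * this example). */
#define GBIT_PER_S_TO_BYTES(g) ((uint64_t)(g) * 1000000000ull / 8)

/* The first rate at which a 32-bit bytes/s variable wraps: 2^32 bytes/s,
 * expressed here in bits per second. */
uint64_t first_truncated_rate_bits_per_s(void)
{
	return ((uint64_t)UINT32_MAX + 1) * 8;   /* 34359738368 bit/s */
}

/* Buggy pattern: the estimate is copied into a u32 before the comparison, so
 * anything above 2^32 bytes/s loses its high bits and looks like a slow link. */
bool rate_exceeds_truncated(uint64_t bps_estimate, uint64_t threshold)
{
	uint32_t bps = (uint32_t)bps_estimate;
	return bps > threshold;
}

/* Fixed pattern: keep the full 64-bit width end to end. */
bool rate_exceeds(uint64_t bps_estimate, uint64_t threshold)
{
	return bps_estimate > threshold;
}
```

Below the 34.36 Gbit/s mark both functions agree, which is why the defect survives on slower links; a 40 Gbit/s link with a 30 Gbit/s threshold is the kind of input that exposes it.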
* [PATCH net 0/9] netfilter: updates for net
@ 2026-06-30  4:52 Florian Westphal
From: Florian Westphal @ 2026-06-30  4:52 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, pablo

Hi,

The following patchset contains Netfilter fixes for *net*.
Due to bug volume the plan is to make a second *net* pull request
this Friday.

1) Zero nf_conntrack_expect at allocation to prevent uninitialized data
leaks to userspace. Add missing exp->dir initialization.

2) Prevent out-of-bounds writes in nft_set_pipapo caused by inconsistent
clones during allocation failures.  Fail operations if the clone enters an
error state.  This was a day-0 bug.

3) Fix use-after-free race between ipset dump and array resizing. Protect
array pointer access with rcu_read_lock().  From Xiang Mei. Bug existed
since v4.20.

4) Validate skb_dst() exists before access in nf_conntrack_sip.
This prevents a crash when called from tc ingress or openvswitch.
From Pablo Neira Ayuso.  Bug added in 4.3 when ovs gained support
for conntrack helpers.

5) Cap the maximum number of expectations to NF_CT_EXPECT_MAX_CNT during
userspace helper policy updates.  Also from Pablo.

6) Prevent NULL pointer dereference in nft_fib on netdev egress hooks. Add
nft_fib_netdev_validate() to restrict fib expressions to appropriate
netdev hooks. Restrict nft_fib_validate() to IPv4, IPv6, and INET
protocols.  From Theodor Arsenij Larionov-Trichkine.
Bug was exposed in v5.16 when egress hooks got added.

7) Restrict nfnetlink_queue writes to network headers. Validate IP/IPv6
header length and disable extension headers or IP option modifications.
Disable bridge modification for now, it's unlikely anyone is using this.

8) Restrict arbitrary writes to link-layer and network headers in nftables.
Prevent link-layer modifications from spilling into network headers.
Prevent writes to IP version and length fields.

9) Restrict L3 checksum update offset to IPv4. Otherwise the csum offset can be
used to munge arbitrary header offsets, rendering the previous change moot.

These three patches are follow-ups to a 7.1 change that disabled
header rewrite ability in unprivileged network namespaces.
Unprivileged netns support is not yet enabled again here.

Please, pull these changes from:
The following changes since commit 1398b1014909618f65ff6bcebcb2ee5ccd44fdc0:

  MAINTAINERS: Update Jason Wang's email address (2026-06-29 19:09:00 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-26-06-30

for you to fetch changes up to e2c4a0c805f7be21c8288e8562145a6691e11559:

  netfilter: nftables: restrict checkum update offset (2026-06-30 06:37:12 +0200)

----------------------------------------------------------------
netfilter pull request nf-26-06-30
----------------------------------------------------------------

Florian Westphal (5):
  netfilter: nf_conntrack_expect: zero at allocation time
  netfilter: nft_set_pipapo: don't leak bad clone into future transaction
  netfilter: nfnetlink_queue: restrict writes to network header
  netfilter: nftables: restrict linklayer and network header writes
  netfilter: nftables: restrict checkum update offset

Pablo Neira Ayuso (2):
  netfilter: nf_conntrack_sip: validate skb_dst() before accessing it
  netfilter: nfnetlink_cthelper: cap to maximum number of expectation per master

Theodor Arsenij Larionov-Trichkine (1):
  netfilter: nft_fib: reject fib expression on the netdev egress hook

Xiang Mei (1):
  netfilter: ipset: fix race between dump and ip_set_list resize

 net/netfilter/ipset/ip_set_core.c    |   8 +-
 net/netfilter/nf_conntrack_expect.c  |   3 +-
 net/netfilter/nf_conntrack_netlink.c |  11 +-
 net/netfilter/nf_conntrack_sip.c     |   7 +-
 net/netfilter/nfnetlink_cthelper.c   |   2 +
 net/netfilter/nfnetlink_queue.c      | 170 +++++++++++++++++
 net/netfilter/nft_fib.c              |   9 +
 net/netfilter/nft_fib_netdev.c       |  29 ++-
 net/netfilter/nft_payload.c          | 270 +++++++++++++++++++++++++++
 net/netfilter/nft_set_pipapo.c       |  34 +++-
 net/netfilter/nft_set_pipapo.h       |   8 +
 11 files changed, 531 insertions(+), 20 deletions(-)

-- 
2.53.0

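Items 7, 8 and 9 above all come down to the same check: a packet rewrite requested by a rule must stay inside the header it names, must not spill from the link layer into the network header, must leave the fields the stack parses by (IP version and length) alone, and may only ask for an L3 checksum update where such a checksum exists (IPv4). The following is an added illustration of that policy, not the nftables or nfnetlink_queue code; the struct layout and helper names are constructed, and only the IPv4 field positions (version/IHL at byte 0, total length at bytes 2-3, header checksum at bytes 10-11) and IPv6 positions (version at byte 0, payload length at bytes 4-5) come from the header formats.

```c
#include <stdint.h>
#include <stdbool.h>

/* Which header the write offset is relative to. */
enum hdr_base { BASE_LL, BASE_NET };

struct write_req {
	enum hdr_base base;
	uint16_t offset;
	uint16_t len;
};

/* What is known about the packet at validation time (constructed for the example). */
struct pkt_layout {
	uint16_t ll_len;      /* e.g. 14 for Ethernet */
	uint16_t net_hdr_len; /* IPv4 IHL*4, or 40 for IPv6 */
	bool     ipv4;
};

const struct pkt_layout eth_ipv4 = { .ll_len = 14, .net_hdr_len = 20, .ipv4 = true };
const struct pkt_layout eth_ipv6 = { .ll_len = 14, .net_hdr_len = 40, .ipv4 = false };

/* True if [off, off+len) intersects the field at [f_off, f_off+f_len). */
static bool overlaps(uint16_t off, uint16_t len, uint16_t f_off, uint16_t f_len)
{
	return off < f_off + f_len && f_off < off + len;
}

/* Returns true if the write may proceed. */
bool write_allowed(const struct write_req *w, const struct pkt_layout *p)
{
	uint32_t end = (uint32_t)w->offset + w->len;

	if (w->len == 0)
		return false;
	/* link-layer write must not spill into the network header */
	if (w->base == BASE_LL)
		return end <= p->ll_len;
	/* network header write must stay within the header itself */
	if (end > p->net_hdr_len)
		return false;
	/* version and length fields drive header parsing: keep them immutable */
	if (p->ipv4)
		return !overlaps(w->offset, w->len, 0, 1) && !overlaps(w->offset, w->len, 2, 2);
	return !overlaps(w->offset, w->len, 0, 1) && !overlaps(w->offset, w->len, 4, 2);
}

/* An L3 checksum update is only meaningful for IPv4, and the 16-bit field it
 * names must lie inside the header; otherwise the offset could be used to
 * reach bytes that write_allowed() refused. */
bool csum_update_allowed(uint16_t csum_off, const struct pkt_layout *p)
{
	return p->ipv4 && (uint32_t)csum_off + 2 <= p->net_hdr_len;
}
```

Note that the checksum rule is what keeps the write restriction meaningful: without it, a checksum "update" at an arbitrary offset is simply another way to modify two bytes of the header, which is the concern item 9 describes.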

Thread overview: 11+ messages
2026-07-03 12:57 [PATCH net 0/9] netfilter: updates for net Florian Westphal
2026-07-03 12:57 ` [PATCH net 1/9] netfilter: nf_nat_sip: reload possible stale data pointer Florian Westphal
2026-07-03 12:57 ` [PATCH net 2/9] netfilter: xt_u32: reject invalid shift counts Florian Westphal
2026-07-03 12:57 ` [PATCH net 3/9] netfilter: xt_rateest: fix u64 truncation in xt_rateest_mt() Florian Westphal
2026-07-03 12:57 ` [PATCH net 4/9] netfilter: nfnetlink_cthelper: cap to maximum number of expectation per master on updates Florian Westphal
2026-07-03 12:57 ` [PATCH net 5/9] netfilter: ip6tables: mark malformed IPv6 extension headers for hotdrop Florian Westphal
2026-07-03 12:57 ` [PATCH net 6/9] netfilter: nft_set_rbtree: get command skips end element with open interval Florian Westphal
2026-07-03 12:57 ` [PATCH net 7/9] ipvs: fix PMTU for GUE/GRE tunnel ICMP errors Florian Westphal
2026-07-03 12:57 ` [PATCH net 8/9] ipvs: reset full ip_vs_seq structs in ip_vs_conn_new Florian Westphal
2026-07-03 12:57 ` [PATCH net 9/9] netfilter: xt_connmark: reject invalid shift parameters Florian Westphal
2026-06-30  4:52 [PATCH net 0/9] netfilter: updates for net Florian Westphal