[PATCH net 0/5] Netfilter fixes for net

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Add missing netfilter modules description to fix W=1, from Florian Westphal.

2) Fix catch-all element GC with timeout when use with the pipapo set
   backend, this remained broken since I tried to fix it this summer,
   then another attempt to fix it recently.

3) Add missing IPVS modules descriptions to fix W=1, also from Florian.

4) xt_recent allocated a too small buffer to store an IPv4-mapped IPv6
   address which can be parsed by in6_pton(), from Maciej Zenczykowski.
   Broken for many releases.

5) Skip IPv4-mapped IPv6, IPv4-compat IPv6, site/link local scoped IPv6
   addressses to set up IPv6 NAT redirect, also from Florian. This is
   broken since 2012.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-11-08

Thanks.

----------------------------------------------------------------

The following changes since commit d93f9528573e1d419b69ca5ff4130201d05f6b90:

  nfsd: regenerate user space parsers after ynl-gen changes (2023-11-06 09:03:46 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-11-08

for you to fetch changes up to 80abbe8a8263106fe45a4f293b92b5c74cc9cc8a:

  netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses (2023-11-08 16:40:30 +0100)

----------------------------------------------------------------
netfilter pull request 23-11-08

----------------------------------------------------------------
Florian Westphal (3):
      netfilter: add missing module descriptions
      ipvs: add missing module descriptions
      netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses

Maciej Żenczykowski (1):
      netfilter: xt_recent: fix (increase) ipv6 literal buffer length

Pablo Neira Ayuso (1):
      netfilter: nf_tables: remove catchall element in GC sync path

 net/bridge/netfilter/ebtable_broute.c      |  1 +
 net/bridge/netfilter/ebtable_filter.c      |  1 +
 net/bridge/netfilter/ebtable_nat.c         |  1 +
 net/bridge/netfilter/ebtables.c            |  1 +
 net/bridge/netfilter/nf_conntrack_bridge.c |  1 +
 net/ipv4/netfilter/iptable_nat.c           |  1 +
 net/ipv4/netfilter/iptable_raw.c           |  1 +
 net/ipv4/netfilter/nf_defrag_ipv4.c        |  1 +
 net/ipv4/netfilter/nf_reject_ipv4.c        |  1 +
 net/ipv6/netfilter/ip6table_nat.c          |  1 +
 net/ipv6/netfilter/ip6table_raw.c          |  1 +
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c  |  1 +
 net/ipv6/netfilter/nf_reject_ipv6.c        |  1 +
 net/netfilter/ipvs/ip_vs_core.c            |  1 +
 net/netfilter/ipvs/ip_vs_dh.c              |  1 +
 net/netfilter/ipvs/ip_vs_fo.c              |  1 +
 net/netfilter/ipvs/ip_vs_ftp.c             |  1 +
 net/netfilter/ipvs/ip_vs_lblc.c            |  1 +
 net/netfilter/ipvs/ip_vs_lblcr.c           |  1 +
 net/netfilter/ipvs/ip_vs_lc.c              |  1 +
 net/netfilter/ipvs/ip_vs_nq.c              |  1 +
 net/netfilter/ipvs/ip_vs_ovf.c             |  1 +
 net/netfilter/ipvs/ip_vs_pe_sip.c          |  1 +
 net/netfilter/ipvs/ip_vs_rr.c              |  1 +
 net/netfilter/ipvs/ip_vs_sed.c             |  1 +
 net/netfilter/ipvs/ip_vs_sh.c              |  1 +
 net/netfilter/ipvs/ip_vs_twos.c            |  1 +
 net/netfilter/ipvs/ip_vs_wlc.c             |  1 +
 net/netfilter/ipvs/ip_vs_wrr.c             |  1 +
 net/netfilter/nf_conntrack_broadcast.c     |  1 +
 net/netfilter/nf_conntrack_netlink.c       |  1 +
 net/netfilter/nf_conntrack_proto.c         |  1 +
 net/netfilter/nf_nat_core.c                |  1 +
 net/netfilter/nf_nat_redirect.c            | 27 ++++++++++++++++++++++++++-
 net/netfilter/nf_tables_api.c              | 23 ++++++++++++++++++-----
 net/netfilter/nfnetlink_osf.c              |  1 +
 net/netfilter/nft_chain_nat.c              |  1 +
 net/netfilter/nft_fib.c                    |  1 +
 net/netfilter/nft_fwd_netdev.c             |  1 +
 net/netfilter/xt_recent.c                  |  2 +-
 40 files changed, 82 insertions(+), 7 deletions(-)

[PATCH net 1/5] netfilter: add missing module descriptions

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

W=1 builds warn on missing MODULE_DESCRIPTION, add them.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/bridge/netfilter/ebtable_broute.c      | 1 +
 net/bridge/netfilter/ebtable_filter.c      | 1 +
 net/bridge/netfilter/ebtable_nat.c         | 1 +
 net/bridge/netfilter/ebtables.c            | 1 +
 net/bridge/netfilter/nf_conntrack_bridge.c | 1 +
 net/ipv4/netfilter/iptable_nat.c           | 1 +
 net/ipv4/netfilter/iptable_raw.c           | 1 +
 net/ipv4/netfilter/nf_defrag_ipv4.c        | 1 +
 net/ipv4/netfilter/nf_reject_ipv4.c        | 1 +
 net/ipv6/netfilter/ip6table_nat.c          | 1 +
 net/ipv6/netfilter/ip6table_raw.c          | 1 +
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c  | 1 +
 net/ipv6/netfilter/nf_reject_ipv6.c        | 1 +
 net/netfilter/nf_conntrack_broadcast.c     | 1 +
 net/netfilter/nf_conntrack_netlink.c       | 1 +
 net/netfilter/nf_conntrack_proto.c         | 1 +
 net/netfilter/nf_nat_core.c                | 1 +
 net/netfilter/nf_tables_api.c              | 1 +
 net/netfilter/nfnetlink_osf.c              | 1 +
 net/netfilter/nft_chain_nat.c              | 1 +
 net/netfilter/nft_fib.c                    | 1 +
 net/netfilter/nft_fwd_netdev.c             | 1 +
 22 files changed, 22 insertions(+)

diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
index 8f19253024b0..741360219552 100644
--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -135,3 +135,4 @@ static void __exit ebtable_broute_fini(void)
 module_init(ebtable_broute_init);
 module_exit(ebtable_broute_fini);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Force packets to be routed instead of bridged");
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
index 278f324e6752..dacd81b12e62 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -116,3 +116,4 @@ static void __exit ebtable_filter_fini(void)
 module_init(ebtable_filter_init);
 module_exit(ebtable_filter_fini);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ebtables legacy filter table");
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c
index 9066f7f376d5..0f2a8c6118d4 100644
--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -116,3 +116,4 @@ static void __exit ebtable_nat_fini(void)
 module_init(ebtable_nat_init);
 module_exit(ebtable_nat_fini);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ebtables legacy stateless nat table");
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index aa23479b20b2..99d82676f780 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2595,3 +2595,4 @@ EXPORT_SYMBOL(ebt_do_table);
 module_init(ebtables_init);
 module_exit(ebtables_fini);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ebtables legacy core");
diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index 71056ee84773..b5c406a6e765 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -416,3 +416,4 @@ module_exit(nf_conntrack_l3proto_bridge_fini);
 
 MODULE_ALIAS("nf_conntrack-" __stringify(AF_BRIDGE));
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Bridge IPv4 and IPv6 connection tracking");
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index 56f6ecc43451..4d42d0756fd7 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -170,3 +170,4 @@ module_init(iptable_nat_init);
 module_exit(iptable_nat_exit);
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("iptables legacy nat table");
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index ca5e5b21587c..0e7f53964d0a 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -108,3 +108,4 @@ static void __exit iptable_raw_fini(void)
 module_init(iptable_raw_init);
 module_exit(iptable_raw_fini);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("iptables legacy raw table");
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index 265b39bc435b..482e733c3375 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -186,3 +186,4 @@ module_init(nf_defrag_init);
 module_exit(nf_defrag_fini);
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("IPv4 defragmentation support");
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index f33aeab9424f..f01b038fc1cd 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -336,3 +336,4 @@ void nf_send_unreach(struct sk_buff *skb_in, int code, int hook)
 EXPORT_SYMBOL_GPL(nf_send_unreach);
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("IPv4 packet rejection core");
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index bf3cb3a13600..52cf104e3478 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -170,3 +170,4 @@ module_init(ip6table_nat_init);
 module_exit(ip6table_nat_exit);
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Ip6tables legacy nat table");
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 08861d5d1f4d..fc9f6754028f 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -106,3 +106,4 @@ static void __exit ip6table_raw_fini(void)
 module_init(ip6table_raw_init);
 module_exit(ip6table_raw_fini);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Ip6tables legacy raw table");
diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
index d59b296b4f51..be7817fbc024 100644
--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -182,3 +182,4 @@ module_init(nf_defrag_init);
 module_exit(nf_defrag_fini);
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("IPv6 defragmentation support");
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index 58ccdb08c0fd..d45bc54b7ea5 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -413,3 +413,4 @@ void nf_send_unreach6(struct net *net, struct sk_buff *skb_in,
 EXPORT_SYMBOL_GPL(nf_send_unreach6);
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("IPv6 packet rejection core");
diff --git a/net/netfilter/nf_conntrack_broadcast.c b/net/netfilter/nf_conntrack_broadcast.c
index 9fb9b8031298..cfa0fe0356de 100644
--- a/net/netfilter/nf_conntrack_broadcast.c
+++ b/net/netfilter/nf_conntrack_broadcast.c
@@ -82,3 +82,4 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb,
 EXPORT_SYMBOL_GPL(nf_conntrack_broadcast_help);
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Broadcast connection tracking helper");
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 334db22199c1..fb0ae15e96df 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -57,6 +57,7 @@
 #include "nf_internals.h"
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("List and change connection tracking table");
 
 struct ctnetlink_list_dump_ctx {
 	struct nf_conn *last;
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index c928ff63b10e..f36727ed91e1 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -699,3 +699,4 @@ MODULE_ALIAS("ip_conntrack");
 MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
 MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("IPv4 and IPv6 connection tracking");
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index c4e0516a8dfa..c3d7ecbc777c 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -1263,6 +1263,7 @@ static void __exit nf_nat_cleanup(void)
 }
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Network address translation core");
 
 module_init(nf_nat_init);
 module_exit(nf_nat_cleanup);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 3c1fd8283bf4..146b7447a969 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -11386,4 +11386,5 @@ module_exit(nf_tables_module_exit);
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("Framework for packet filtering and classification");
 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFTABLES);
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 50723ba08289..c0fc431991e8 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -447,4 +447,5 @@ module_init(nfnl_osf_init);
 module_exit(nfnl_osf_fini);
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Passive OS fingerprint matching");
 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF);
diff --git a/net/netfilter/nft_chain_nat.c b/net/netfilter/nft_chain_nat.c
index 98e4946100c5..40e230d8b712 100644
--- a/net/netfilter/nft_chain_nat.c
+++ b/net/netfilter/nft_chain_nat.c
@@ -137,6 +137,7 @@ module_init(nft_chain_nat_init);
 module_exit(nft_chain_nat_exit);
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("nftables network address translation support");
 #ifdef CONFIG_NF_TABLES_IPV4
 MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
 #endif
diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c
index 04b51f285332..1bfe258018da 100644
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -204,4 +204,5 @@ bool nft_fib_reduce(struct nft_regs_track *track,
 EXPORT_SYMBOL_GPL(nft_fib_reduce);
 
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Query routing table from nftables");
 MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index a5268e6dd32f..358e742afad7 100644
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -270,4 +270,5 @@ module_exit(nft_fwd_netdev_module_exit);
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+MODULE_DESCRIPTION("nftables netdev packet forwarding support");
 MODULE_ALIAS_NFT_AF_EXPR(5, "fwd");
-- 
2.30.2

Re: [PATCH net 1/5] netfilter: add missing module descriptions

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Wed,  8 Nov 2023 16:57:58 +0100 you wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> W=1 builds warn on missing MODULE_DESCRIPTION, add them.
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> [...]

Here is the summary with links:
  - [net,1/5] netfilter: add missing module descriptions
    https://git.kernel.org/netdev/net/c/94090b23f3f7
  - [net,2/5] netfilter: nf_tables: remove catchall element in GC sync path
    https://git.kernel.org/netdev/net/c/93995bf4af2c
  - [net,3/5] ipvs: add missing module descriptions
    https://git.kernel.org/netdev/net/c/17cd01e4d1e3
  - [net,4/5] netfilter: xt_recent: fix (increase) ipv6 literal buffer length
    https://git.kernel.org/netdev/net/c/7b308feb4fd2
  - [net,5/5] netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
    https://git.kernel.org/netdev/net/c/80abbe8a8263

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[PATCH net 2/5] netfilter: nf_tables: remove catchall element in GC sync path

[Pablo Neira Ayuso]

The expired catchall element is not deactivated and removed from GC sync
path. This path holds mutex so just call nft_setelem_data_deactivate()
and nft_setelem_catchall_remove() before queueing the GC work.

Fixes: 4a9e12ea7e70 ("netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC")
Reported-by: lonial con <kongln9170@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 146b7447a969..a761ee6796f6 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6520,6 +6520,12 @@ static int nft_setelem_deactivate(const struct net *net,
 	return ret;
 }
 
+static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall)
+{
+	list_del_rcu(&catchall->list);
+	kfree_rcu(catchall, rcu);
+}
+
 static void nft_setelem_catchall_remove(const struct net *net,
 					const struct nft_set *set,
 					struct nft_elem_priv *elem_priv)
@@ -6528,8 +6534,7 @@ static void nft_setelem_catchall_remove(const struct net *net,
 
 	list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
 		if (catchall->elem == elem_priv) {
-			list_del_rcu(&catchall->list);
-			kfree_rcu(catchall, rcu);
+			nft_setelem_catchall_destroy(catchall);
 			break;
 		}
 	}
@@ -9678,11 +9683,12 @@ static struct nft_trans_gc *nft_trans_gc_catchall(struct nft_trans_gc *gc,
 						  unsigned int gc_seq,
 						  bool sync)
 {
-	struct nft_set_elem_catchall *catchall;
+	struct nft_set_elem_catchall *catchall, *next;
 	const struct nft_set *set = gc->set;
+	struct nft_elem_priv *elem_priv;
 	struct nft_set_ext *ext;
 
-	list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
+	list_for_each_entry_safe(catchall, next, &set->catchall_list, list) {
 		ext = nft_set_elem_ext(set, catchall->elem);
 
 		if (!nft_set_elem_expired(ext))
@@ -9700,7 +9706,13 @@ static struct nft_trans_gc *nft_trans_gc_catchall(struct nft_trans_gc *gc,
 		if (!gc)
 			return NULL;
 
-		nft_trans_gc_elem_add(gc, catchall->elem);
+		elem_priv = catchall->elem;
+		if (sync) {
+			nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
+			nft_setelem_catchall_destroy(catchall);
+		}
+
+		nft_trans_gc_elem_add(gc, elem_priv);
 	}
 
 	return gc;
-- 
2.30.2

[PATCH net 3/5] ipvs: add missing module descriptions

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

W=1 builds warn on missing MODULE_DESCRIPTION, add them.

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipvs/ip_vs_core.c   | 1 +
 net/netfilter/ipvs/ip_vs_dh.c     | 1 +
 net/netfilter/ipvs/ip_vs_fo.c     | 1 +
 net/netfilter/ipvs/ip_vs_ftp.c    | 1 +
 net/netfilter/ipvs/ip_vs_lblc.c   | 1 +
 net/netfilter/ipvs/ip_vs_lblcr.c  | 1 +
 net/netfilter/ipvs/ip_vs_lc.c     | 1 +
 net/netfilter/ipvs/ip_vs_nq.c     | 1 +
 net/netfilter/ipvs/ip_vs_ovf.c    | 1 +
 net/netfilter/ipvs/ip_vs_pe_sip.c | 1 +
 net/netfilter/ipvs/ip_vs_rr.c     | 1 +
 net/netfilter/ipvs/ip_vs_sed.c    | 1 +
 net/netfilter/ipvs/ip_vs_sh.c     | 1 +
 net/netfilter/ipvs/ip_vs_twos.c   | 1 +
 net/netfilter/ipvs/ip_vs_wlc.c    | 1 +
 net/netfilter/ipvs/ip_vs_wrr.c    | 1 +
 16 files changed, 16 insertions(+)

diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 3230506ae3ff..a2c16b501087 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -2450,3 +2450,4 @@ static void __exit ip_vs_cleanup(void)
 module_init(ip_vs_init);
 module_exit(ip_vs_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("IP Virtual Server");
diff --git a/net/netfilter/ipvs/ip_vs_dh.c b/net/netfilter/ipvs/ip_vs_dh.c
index 5e6ec32aff2b..75f4c231f4a0 100644
--- a/net/netfilter/ipvs/ip_vs_dh.c
+++ b/net/netfilter/ipvs/ip_vs_dh.c
@@ -270,3 +270,4 @@ static void __exit ip_vs_dh_cleanup(void)
 module_init(ip_vs_dh_init);
 module_exit(ip_vs_dh_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs destination hashing scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_fo.c b/net/netfilter/ipvs/ip_vs_fo.c
index b846cc385279..ab117e5bc34e 100644
--- a/net/netfilter/ipvs/ip_vs_fo.c
+++ b/net/netfilter/ipvs/ip_vs_fo.c
@@ -72,3 +72,4 @@ static void __exit ip_vs_fo_cleanup(void)
 module_init(ip_vs_fo_init);
 module_exit(ip_vs_fo_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs weighted failover scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index ef1f45e43b63..f53899d12416 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -635,3 +635,4 @@ static void __exit ip_vs_ftp_exit(void)
 module_init(ip_vs_ftp_init);
 module_exit(ip_vs_ftp_exit);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs ftp helper");
diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
index cf78ba4ce5ff..8ceec7a2fa8f 100644
--- a/net/netfilter/ipvs/ip_vs_lblc.c
+++ b/net/netfilter/ipvs/ip_vs_lblc.c
@@ -632,3 +632,4 @@ static void __exit ip_vs_lblc_cleanup(void)
 module_init(ip_vs_lblc_init);
 module_exit(ip_vs_lblc_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs locality-based least-connection scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
index 9eddf118b40e..0fb64707213f 100644
--- a/net/netfilter/ipvs/ip_vs_lblcr.c
+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
@@ -817,3 +817,4 @@ static void __exit ip_vs_lblcr_cleanup(void)
 module_init(ip_vs_lblcr_init);
 module_exit(ip_vs_lblcr_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs locality-based least-connection with replication scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_lc.c b/net/netfilter/ipvs/ip_vs_lc.c
index 9d34d81fc6f1..c2764505e380 100644
--- a/net/netfilter/ipvs/ip_vs_lc.c
+++ b/net/netfilter/ipvs/ip_vs_lc.c
@@ -86,3 +86,4 @@ static void __exit ip_vs_lc_cleanup(void)
 module_init(ip_vs_lc_init);
 module_exit(ip_vs_lc_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs least connection scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_nq.c b/net/netfilter/ipvs/ip_vs_nq.c
index f56862a87518..ed7f5c889b41 100644
--- a/net/netfilter/ipvs/ip_vs_nq.c
+++ b/net/netfilter/ipvs/ip_vs_nq.c
@@ -136,3 +136,4 @@ static void __exit ip_vs_nq_cleanup(void)
 module_init(ip_vs_nq_init);
 module_exit(ip_vs_nq_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs never queue scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_ovf.c b/net/netfilter/ipvs/ip_vs_ovf.c
index c03066fdd5ca..c7708b809700 100644
--- a/net/netfilter/ipvs/ip_vs_ovf.c
+++ b/net/netfilter/ipvs/ip_vs_ovf.c
@@ -79,3 +79,4 @@ static void __exit ip_vs_ovf_cleanup(void)
 module_init(ip_vs_ovf_init);
 module_exit(ip_vs_ovf_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs overflow connection scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c
index 0ac6705a61d3..e4ce1d9a63f9 100644
--- a/net/netfilter/ipvs/ip_vs_pe_sip.c
+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c
@@ -185,3 +185,4 @@ static void __exit ip_vs_sip_cleanup(void)
 module_init(ip_vs_sip_init);
 module_exit(ip_vs_sip_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs sip helper");
diff --git a/net/netfilter/ipvs/ip_vs_rr.c b/net/netfilter/ipvs/ip_vs_rr.c
index 38495c6f6c7c..6baa34dff9f0 100644
--- a/net/netfilter/ipvs/ip_vs_rr.c
+++ b/net/netfilter/ipvs/ip_vs_rr.c
@@ -122,4 +122,5 @@ static void __exit ip_vs_rr_cleanup(void)
 
 module_init(ip_vs_rr_init);
 module_exit(ip_vs_rr_cleanup);
+MODULE_DESCRIPTION("ipvs round-robin scheduler");
 MODULE_LICENSE("GPL");
diff --git a/net/netfilter/ipvs/ip_vs_sed.c b/net/netfilter/ipvs/ip_vs_sed.c
index 7663288e5358..a46f99a56618 100644
--- a/net/netfilter/ipvs/ip_vs_sed.c
+++ b/net/netfilter/ipvs/ip_vs_sed.c
@@ -137,3 +137,4 @@ static void __exit ip_vs_sed_cleanup(void)
 module_init(ip_vs_sed_init);
 module_exit(ip_vs_sed_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs shortest expected delay scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_sh.c b/net/netfilter/ipvs/ip_vs_sh.c
index c2028e412092..92e77d7a6b50 100644
--- a/net/netfilter/ipvs/ip_vs_sh.c
+++ b/net/netfilter/ipvs/ip_vs_sh.c
@@ -376,3 +376,4 @@ static void __exit ip_vs_sh_cleanup(void)
 module_init(ip_vs_sh_init);
 module_exit(ip_vs_sh_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs source hashing scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_twos.c b/net/netfilter/ipvs/ip_vs_twos.c
index 3308e4cc740a..8d5419edde50 100644
--- a/net/netfilter/ipvs/ip_vs_twos.c
+++ b/net/netfilter/ipvs/ip_vs_twos.c
@@ -137,3 +137,4 @@ static void __exit ip_vs_twos_cleanup(void)
 module_init(ip_vs_twos_init);
 module_exit(ip_vs_twos_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs power of twos choice scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_wlc.c b/net/netfilter/ipvs/ip_vs_wlc.c
index 09f584b564a0..9fa500927c0a 100644
--- a/net/netfilter/ipvs/ip_vs_wlc.c
+++ b/net/netfilter/ipvs/ip_vs_wlc.c
@@ -109,3 +109,4 @@ static void __exit ip_vs_wlc_cleanup(void)
 module_init(ip_vs_wlc_init);
 module_exit(ip_vs_wlc_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs weighted least connection scheduler");
diff --git a/net/netfilter/ipvs/ip_vs_wrr.c b/net/netfilter/ipvs/ip_vs_wrr.c
index 1bc7a0789d85..85ce0d04afac 100644
--- a/net/netfilter/ipvs/ip_vs_wrr.c
+++ b/net/netfilter/ipvs/ip_vs_wrr.c
@@ -263,3 +263,4 @@ static void __exit ip_vs_wrr_cleanup(void)
 module_init(ip_vs_wrr_init);
 module_exit(ip_vs_wrr_cleanup);
 MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("ipvs weighted round-robin scheduler");
-- 
2.30.2

[PATCH net 4/5] netfilter: xt_recent: fix (increase) ipv6 literal buffer length

[Pablo Neira Ayuso]

From: Maciej Żenczykowski <zenczykowski@gmail.com>

in6_pton() supports 'low-32-bit dot-decimal representation'
(this is useful with DNS64/NAT64 networks for example):

  # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:1.2.3.4 > /proc/self/net/xt_recent/DEFAULT
  # cat /proc/self/net/xt_recent/DEFAULT
  src=aaaa:bbbb:cccc:dddd:eeee:ffff:0102:0304 ttl: 0 last_seen: 9733848829 oldest_pkt: 1 9733848829

but the provided buffer is too short:

  # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255 > /proc/self/net/xt_recent/DEFAULT
  -bash: echo: write error: Invalid argument

Fixes: 079aa88fe717 ("netfilter: xt_recent: IPv6 support")
Signed-off-by: Maciej Żenczykowski <zenczykowski@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_recent.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 7ddb9a78e3fc..ef93e0d3bee0 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -561,7 +561,7 @@ recent_mt_proc_write(struct file *file, const char __user *input,
 {
 	struct recent_table *t = pde_data(file_inode(file));
 	struct recent_entry *e;
-	char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:5afe:c0de")];
+	char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:255.255.255.255")];
 	const char *c = buf;
 	union nf_inet_addr addr = {};
 	u_int16_t family;
-- 
2.30.2

[PATCH net 5/5] netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

The ipv6 redirect target was derived from the ipv4 one, i.e. its
identical to a 'dnat' with the first (primary) address assigned to the
network interface.  The code has been moved around to make it usable
from nf_tables too, but its still the same as it was back when this
was added in 2012.

IPv6, however, has different types of addresses, if the 'wrong' address
comes first the redirection does not work.

In Daniels case, the addresses are:
  inet6 ::ffff:192 ...
  inet6 2a01: ...

... so the function attempts to redirect to the mapped address.

Add more checks before the address is deemed correct:
1. If the packets' daddr is scoped, search for a scoped address too
2. skip tentative addresses
3. skip mapped addresses

Use the first address that appears to match our needs.

Reported-by: Daniel Huhardeaux <tech@tootai.net>
Closes: https://lore.kernel.org/netfilter/71be06b8-6aa0-4cf9-9e0b-e2839b01b22f@tootai.net/
Fixes: 115e23ac78f8 ("netfilter: ip6tables: add REDIRECT target")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_nat_redirect.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_nat_redirect.c b/net/netfilter/nf_nat_redirect.c
index 6616ba5d0b04..5b37487d9d11 100644
--- a/net/netfilter/nf_nat_redirect.c
+++ b/net/netfilter/nf_nat_redirect.c
@@ -80,6 +80,26 @@ EXPORT_SYMBOL_GPL(nf_nat_redirect_ipv4);
 
 static const struct in6_addr loopback_addr = IN6ADDR_LOOPBACK_INIT;
 
+static bool nf_nat_redirect_ipv6_usable(const struct inet6_ifaddr *ifa, unsigned int scope)
+{
+	unsigned int ifa_addr_type = ipv6_addr_type(&ifa->addr);
+
+	if (ifa_addr_type & IPV6_ADDR_MAPPED)
+		return false;
+
+	if ((ifa->flags & IFA_F_TENTATIVE) && (!(ifa->flags & IFA_F_OPTIMISTIC)))
+		return false;
+
+	if (scope) {
+		unsigned int ifa_scope = ifa_addr_type & IPV6_ADDR_SCOPE_MASK;
+
+		if (!(scope & ifa_scope))
+			return false;
+	}
+
+	return true;
+}
+
 unsigned int
 nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
 		     unsigned int hooknum)
@@ -89,14 +109,19 @@ nf_nat_redirect_ipv6(struct sk_buff *skb, const struct nf_nat_range2 *range,
 	if (hooknum == NF_INET_LOCAL_OUT) {
 		newdst.in6 = loopback_addr;
 	} else {
+		unsigned int scope = ipv6_addr_scope(&ipv6_hdr(skb)->daddr);
 		struct inet6_dev *idev;
-		struct inet6_ifaddr *ifa;
 		bool addr = false;
 
 		idev = __in6_dev_get(skb->dev);
 		if (idev != NULL) {
+			const struct inet6_ifaddr *ifa;
+
 			read_lock_bh(&idev->lock);
 			list_for_each_entry(ifa, &idev->addr_list, if_list) {
+				if (!nf_nat_redirect_ipv6_usable(ifa, scope))
+					continue;
+
 				newdst.in6 = ifa->addr;
 				addr = true;
 				break;
-- 
2.30.2

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Zero out the remainder in nft_pipapo AVX2 implementation, otherwise
   next lookup could bogusly report a mismatch. This is followed by two
   patches to update nft_pipapo selftests to cover for the previous bug.
   From Florian Westphal.

2) Check for reverse tuple too in case of esoteric NAT collisions for
   UDP traffic and extend selftest coverage. Also from Florian.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-06-05

Thanks.

----------------------------------------------------------------

The following changes since commit 12c331b29c7397ac3b03584e12902990693bc248:

  gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO (2025-06-04 12:06:13 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-06-05

for you to fetch changes up to 3c3c3248496a3a1848ec5d923f2eee0edf60226e:

  selftests: netfilter: nft_nat.sh: add test for reverse clash with nat (2025-06-05 10:50:05 +0200)

----------------------------------------------------------------
netfilter pull request 25-06-05

----------------------------------------------------------------
Florian Westphal (5):
      netfilter: nf_set_pipapo_avx2: fix initial map fill
      selftests: netfilter: nft_concat_range.sh: prefer per element counters for testing
      selftests: netfilter: nft_concat_range.sh: add datapath check for map fill bug
      netfilter: nf_nat: also check reverse tuple to obtain clashing entry
      selftests: netfilter: nft_nat.sh: add test for reverse clash with nat

 net/netfilter/nf_nat_core.c                        |  12 ++-
 net/netfilter/nft_set_pipapo_avx2.c                |  21 ++++-
 .../selftests/net/netfilter/nft_concat_range.sh    | 102 ++++++++++++++++++---
 tools/testing/selftests/net/netfilter/nft_nat.sh   |  81 +++++++++++++++-
 4 files changed, 193 insertions(+), 23 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

Patch #1 fixes the suspicious RCU usage warning that resulted from the
	 recent fix for the race between namespace cleanup and gc in
	 ipset left out checking the pernet exit phase when calling
	 rcu_dereference_protected(), from Jozsef Kadlecsik.

Patch #2 fixes incorrect input and output netdevice in SRv6 prerouting
	 hooks, from Jianguo Wu.

Patch #3 moves nf_hooks_lwtunnel sysctl toggle to the netfilter core.
	 The connection tracking system is loaded on-demand, this
	 ensures availability of this knob regardless.

Patch #4-#5 adds selftests for SRv6 netfilter hooks also from Jianguo Wu.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-06-19

Thanks.

----------------------------------------------------------------

The following changes since commit a8763466669d21b570b26160d0a5e0a2ee529d22:

  selftests: openvswitch: Set value to nla flags. (2024-06-19 13:10:53 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-06-19

for you to fetch changes up to 221200ffeb065c6bbd196760c168b42305961655:

  selftests: add selftest for the SRv6 End.DX6 behavior with netfilter (2024-06-19 18:42:10 +0200)

----------------------------------------------------------------
netfilter pull request 24-06-19

----------------------------------------------------------------
Jianguo Wu (4):
      seg6: fix parameter passing when calling NF_HOOK() in End.DX4 and End.DX6 behaviors
      netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core
      selftests: add selftest for the SRv6 End.DX4 behavior with netfilter
      selftests: add selftest for the SRv6 End.DX6 behavior with netfilter

Jozsef Kadlecsik (1):
      netfilter: ipset: Fix suspicious rcu_dereference_protected()

 include/net/netns/netfilter.h                      |   3 +
 net/ipv6/seg6_local.c                              |   8 +-
 net/netfilter/core.c                               |  13 +-
 net/netfilter/ipset/ip_set_core.c                  |  11 +-
 net/netfilter/nf_conntrack_standalone.c            |  15 -
 net/netfilter/nf_hooks_lwtunnel.c                  |  67 ++++
 net/netfilter/nf_internals.h                       |   6 +
 tools/testing/selftests/net/Makefile               |   2 +
 tools/testing/selftests/net/config                 |   2 +
 .../selftests/net/srv6_end_dx4_netfilter_test.sh   | 335 ++++++++++++++++++++
 .../selftests/net/srv6_end_dx6_netfilter_test.sh   | 340 +++++++++++++++++++++
 11 files changed, 776 insertions(+), 26 deletions(-)
 create mode 100755 tools/testing/selftests/net/srv6_end_dx4_netfilter_test.sh
 create mode 100755 tools/testing/selftests/net/srv6_end_dx6_netfilter_test.sh

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains fixes for net:

Patch #1 disallows anonymous sets with timeout, except for dynamic sets.
         Anonymous sets with timeouts using the pipapo set backend makes
         no sense from userspace perspective.

Patch #2 rejects constant sets with timeout which has no practical usecase.
         This kind of set, once bound, contains elements that expire but
         no new elements can be added.

Patch #3 restores custom conntrack expectations with NFPROTO_INET,
         from Florian Westphal.

Patch #4 marks rhashtable anonymous set with timeout as dead from the
         commit path to avoid that async GC collects these elements. Rules
         that refers to the anonymous set get released with no mutex held
         from the commit path.

Patch #5 fixes a UBSAN shift overflow in H.323 conntrack helper,
         from Lena Wang.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-03-07

Thanks.

----------------------------------------------------------------

The following changes since commit c055fc00c07be1f0df7375ab0036cebd1106ed38:

  net/rds: fix WARNING in rds_conn_connect_if_down (2024-03-06 11:58:42 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-03-07

for you to fetch changes up to 767146637efc528b5e3d31297df115e85a2fd362:

  netfilter: nf_conntrack_h323: Add protection for bmp length out of range (2024-03-07 03:10:35 +0100)

----------------------------------------------------------------
netfilter pull request 24-03-07

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_ct: fix l3num expectations with inet pseudo family

Lena Wang (1):
      netfilter: nf_conntrack_h323: Add protection for bmp length out of range

Pablo Neira Ayuso (3):
      netfilter: nf_tables: disallow anonymous set with timeout flag
      netfilter: nf_tables: reject constant set with timeout
      netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout

 net/netfilter/nf_conntrack_h323_asn1.c |  4 ++++
 net/netfilter/nf_tables_api.c          |  7 +++++++
 net/netfilter/nft_ct.c                 | 11 +++++------
 3 files changed, 16 insertions(+), 6 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) If user requests to wake up a table and hook fails, restore the
   dormant flag from the error path, from Florian Westphal.

2) Reset dst after transferring it to the flow object, otherwise dst
   gets released twice from the error path.

3) Release dst in case the flowtable selects a direct xmit path, eg.
   transmission to bridge port. Otherwise, dst is memleaked.

4) Register basechain and flowtable hooks at the end of the command.
   Error path releases these datastructure without waiting for the
   rcu grace period.

5) Use kzalloc() to initialize struct nft_hook to fix a KMSAN report
   on access to hook type, also from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-02-22

Thanks.

----------------------------------------------------------------

The following changes since commit 40b9385dd8e6a0515e1c9cd06a277483556b7286:

  enic: Avoid false positive under FORTIFY_SOURCE (2024-02-19 10:57:27 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-02-22

for you to fetch changes up to 195e5f88c2e48330ba5483e0bad2de3b3fad484f:

  netfilter: nf_tables: use kzalloc for hook allocation (2024-02-22 00:15:58 +0100)

----------------------------------------------------------------
netfilter pull request 24-02-22

----------------------------------------------------------------
Florian Westphal (2):
      netfilter: nf_tables: set dormant flag on hook register failure
      netfilter: nf_tables: use kzalloc for hook allocation

Pablo Neira Ayuso (3):
      netfilter: nft_flow_offload: reset dst in route object after setting up flow
      netfilter: nft_flow_offload: release dst in case direct xmit path is used
      netfilter: nf_tables: register hooks last when adding new chain/flowtable

 include/net/netfilter/nf_flow_table.h |  2 +-
 net/netfilter/nf_flow_table_core.c    | 17 ++++++--
 net/netfilter/nf_tables_api.c         | 81 ++++++++++++++++++-----------------
 3 files changed, 57 insertions(+), 43 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix mangling of TCP options with non-linear skbuff, from Xiao Liang.

2) OOB read in xt_sctp due to missing sanitization of array length field.
   From Wander Lairson Costa.

3) OOB read in xt_u32 due to missing sanitization of array length field.
   Also from Wander Lairson Costa.

All of them above, always broken for several releases.

4) Missing audit log for set element reset command, from Phil Sutter.

5) Missing audit log for rule reset command, also from Phil.

These audit log support are missing in 6.5.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-08-31

Thanks.

----------------------------------------------------------------

The following changes since commit bd6c11bc43c496cddfc6cf603b5d45365606dbd5:

  Merge tag 'net-next-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next (2023-08-29 11:33:01 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-08-31

for you to fetch changes up to ea078ae9108e25fc881c84369f7c03931d22e555:

  netfilter: nf_tables: Audit log rule reset (2023-08-31 01:29:28 +0200)

----------------------------------------------------------------
netfilter pull request 23-08-31

----------------------------------------------------------------
Phil Sutter (2):
      netfilter: nf_tables: Audit log setelem reset
      netfilter: nf_tables: Audit log rule reset

Wander Lairson Costa (2):
      netfilter: xt_sctp: validate the flag_info count
      netfilter: xt_u32: validate user space input

Xiao Liang (1):
      netfilter: nft_exthdr: Fix non-linear header modification

 include/linux/audit.h         |  2 ++
 kernel/auditsc.c              |  2 ++
 net/netfilter/nf_tables_api.c | 49 ++++++++++++++++++++++++++++++++++++++++---
 net/netfilter/nft_exthdr.c    | 20 +++++++-----------
 net/netfilter/xt_sctp.c       |  2 ++
 net/netfilter/xt_u32.c        | 21 +++++++++++++++++++
 6 files changed, 81 insertions(+), 15 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net.

The existing attempt to resolve races between control plane and GC work
is error prone, as reported by Bien Pham <phamnnb@sea.com>, some places
forgot to call nft_set_elem_mark_busy(), leading to double-deactivation
of elements.

This series contains the following patches:

1) Do not skip expired elements during walk otherwise elements might
   never decrement the reference counter on data, leading to memleak.

2) Add a GC transaction API to replace the former attempt to deal with
   races between control plane and GC. GC worker sets on NFT_SET_ELEM_DEAD_BIT
   on elements and it creates a GC transaction to remove the expired
   elements, GC transaction could abort in case of interference with
   control plane and retried later (GC async). Set backends such as
   rbtree and pipapo also perform GC from control plane (GC sync), in
   such case, element deactivation and removal is safe because mutex
   is held then collected elements are released via call_rcu().

3) Adapt existing set backends to use the GC transaction API.

4) Update rhash set backend to set on _DEAD bit to report deleted
   elements from datapath for GC.

5) Remove old GC batch API and the NFT_SET_ELEM_BUSY_BIT.

Florian Westphal (1):
  netfilter: nf_tables: don't skip expired elements during walk

Pablo Neira Ayuso (4):
  netfilter: nf_tables: GC transaction API to avoid race with control plane
  netfilter: nf_tables: adapt set backend to use GC transaction API
  netfilter: nft_set_hash: mark set element as dead when deleting from packet path
  netfilter: nf_tables: remove busy mark and gc batch API

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-08-10

Thanks.

----------------------------------------------------------------

The following changes since commit c5ccff70501d92db445a135fa49cf9bc6b98c444:

  Merge branch 'net-sched-bind-logic-fixes-for-cls_fw-cls_u32-and-cls_route' (2023-07-31 20:10:39 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-08-10

for you to fetch changes up to a2dd0233cbc4d8a0abb5f64487487ffc9265beb5:

  netfilter: nf_tables: remove busy mark and gc batch API (2023-08-10 08:25:27 +0200)

----------------------------------------------------------------
netfilter pull request 23-08-10

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nf_tables: don't skip expired elements during walk

Pablo Neira Ayuso (4):
      netfilter: nf_tables: GC transaction API to avoid race with control plane
      netfilter: nf_tables: adapt set backend to use GC transaction API
      netfilter: nft_set_hash: mark set element as dead when deleting from packet path
      netfilter: nf_tables: remove busy mark and gc batch API

 include/net/netfilter/nf_tables.h | 120 ++++++---------
 net/netfilter/nf_tables_api.c     | 307 ++++++++++++++++++++++++++++++--------
 net/netfilter/nft_set_hash.c      |  85 +++++++----
 net/netfilter/nft_set_pipapo.c    |  66 +++++---
 net/netfilter/nft_set_rbtree.c    | 146 ++++++++++--------
 5 files changed, 476 insertions(+), 248 deletions(-)

Re: [PATCH net 0/5] Netfilter fixes for net

[Greg KH]

On Thu, Aug 10, 2023 at 09:08:25AM +0200, Pablo Neira Ayuso wrote:
> Hi,
> 
> The following patchset contains Netfilter fixes for net.
> 
> The existing attempt to resolve races between control plane and GC work
> is error prone, as reported by Bien Pham <phamnnb@sea.com>, some places
> forgot to call nft_set_elem_mark_busy(), leading to double-deactivation
> of elements.
> 
> This series contains the following patches:
> 
> 1) Do not skip expired elements during walk otherwise elements might
>    never decrement the reference counter on data, leading to memleak.
> 
> 2) Add a GC transaction API to replace the former attempt to deal with
>    races between control plane and GC. GC worker sets on NFT_SET_ELEM_DEAD_BIT
>    on elements and it creates a GC transaction to remove the expired
>    elements, GC transaction could abort in case of interference with
>    control plane and retried later (GC async). Set backends such as
>    rbtree and pipapo also perform GC from control plane (GC sync), in
>    such case, element deactivation and removal is safe because mutex
>    is held then collected elements are released via call_rcu().
> 
> 3) Adapt existing set backends to use the GC transaction API.
> 
> 4) Update rhash set backend to set on _DEAD bit to report deleted
>    elements from datapath for GC.
> 
> 5) Remove old GC batch API and the NFT_SET_ELEM_BUSY_BIT.
> 
> Florian Westphal (1):
>   netfilter: nf_tables: don't skip expired elements during walk
> 
> Pablo Neira Ayuso (4):
>   netfilter: nf_tables: GC transaction API to avoid race with control plane
>   netfilter: nf_tables: adapt set backend to use GC transaction API
>   netfilter: nft_set_hash: mark set element as dead when deleting from packet path
>   netfilter: nf_tables: remove busy mark and gc batch API
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-08-10
> 
> Thanks.
> 
> ----------------------------------------------------------------
> 
> The following changes since commit c5ccff70501d92db445a135fa49cf9bc6b98c444:
> 
>   Merge branch 'net-sched-bind-logic-fixes-for-cls_fw-cls_u32-and-cls_route' (2023-07-31 20:10:39 -0700)
> 
> are available in the Git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-08-10
> 
> for you to fetch changes up to a2dd0233cbc4d8a0abb5f64487487ffc9265beb5:
> 
>   netfilter: nf_tables: remove busy mark and gc batch API (2023-08-10 08:25:27 +0200)
> 
> ----------------------------------------------------------------
> netfilter pull request 23-08-10
> 
> ----------------------------------------------------------------
> Florian Westphal (1):
>       netfilter: nf_tables: don't skip expired elements during walk
> 
> Pablo Neira Ayuso (4):
>       netfilter: nf_tables: GC transaction API to avoid race with control plane
>       netfilter: nf_tables: adapt set backend to use GC transaction API
>       netfilter: nft_set_hash: mark set element as dead when deleting from packet path
>       netfilter: nf_tables: remove busy mark and gc batch API
> 
>  include/net/netfilter/nf_tables.h | 120 ++++++---------
>  net/netfilter/nf_tables_api.c     | 307 ++++++++++++++++++++++++++++++--------
>  net/netfilter/nft_set_hash.c      |  85 +++++++----
>  net/netfilter/nft_set_pipapo.c    |  66 +++++---
>  net/netfilter/nft_set_rbtree.c    | 146 ++++++++++--------
>  5 files changed, 476 insertions(+), 248 deletions(-)

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>

Re: [PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

On Thu, Aug 10, 2023 at 09:49:11AM +0200, Greg KH wrote:
> On Thu, Aug 10, 2023 at 09:08:25AM +0200, Pablo Neira Ayuso wrote:
> > Hi,
> > 
> > The following patchset contains Netfilter fixes for net.
> > 
> > The existing attempt to resolve races between control plane and GC work
> > is error prone, as reported by Bien Pham <phamnnb@sea.com>, some places
> > forgot to call nft_set_elem_mark_busy(), leading to double-deactivation
> > of elements.
> > 
> > This series contains the following patches:
> > 
> > 1) Do not skip expired elements during walk otherwise elements might
> >    never decrement the reference counter on data, leading to memleak.
> > 
> > 2) Add a GC transaction API to replace the former attempt to deal with
> >    races between control plane and GC. GC worker sets on NFT_SET_ELEM_DEAD_BIT
> >    on elements and it creates a GC transaction to remove the expired
> >    elements, GC transaction could abort in case of interference with
> >    control plane and retried later (GC async). Set backends such as
> >    rbtree and pipapo also perform GC from control plane (GC sync), in
> >    such case, element deactivation and removal is safe because mutex
> >    is held then collected elements are released via call_rcu().
> > 
> > 3) Adapt existing set backends to use the GC transaction API.
> > 
> > 4) Update rhash set backend to set on _DEAD bit to report deleted
> >    elements from datapath for GC.
> > 
> > 5) Remove old GC batch API and the NFT_SET_ELEM_BUSY_BIT.
> > 
> > Florian Westphal (1):
> >   netfilter: nf_tables: don't skip expired elements during walk
> > 
> > Pablo Neira Ayuso (4):
> >   netfilter: nf_tables: GC transaction API to avoid race with control plane
> >   netfilter: nf_tables: adapt set backend to use GC transaction API
> >   netfilter: nft_set_hash: mark set element as dead when deleting from packet path
> >   netfilter: nf_tables: remove busy mark and gc batch API
> > 
> > Please, pull these changes from:
> > 
> >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-08-10
> > 
> > Thanks.
> > 
> > ----------------------------------------------------------------
> > 
> > The following changes since commit c5ccff70501d92db445a135fa49cf9bc6b98c444:
> > 
> >   Merge branch 'net-sched-bind-logic-fixes-for-cls_fw-cls_u32-and-cls_route' (2023-07-31 20:10:39 -0700)
> > 
> > are available in the Git repository at:
> > 
> >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-08-10
> > 
> > for you to fetch changes up to a2dd0233cbc4d8a0abb5f64487487ffc9265beb5:
> > 
> >   netfilter: nf_tables: remove busy mark and gc batch API (2023-08-10 08:25:27 +0200)
> > 
> > ----------------------------------------------------------------
> > netfilter pull request 23-08-10
> > 
> > ----------------------------------------------------------------
> > Florian Westphal (1):
> >       netfilter: nf_tables: don't skip expired elements during walk
> > 
> > Pablo Neira Ayuso (4):
> >       netfilter: nf_tables: GC transaction API to avoid race with control plane
> >       netfilter: nf_tables: adapt set backend to use GC transaction API
> >       netfilter: nft_set_hash: mark set element as dead when deleting from packet path
> >       netfilter: nf_tables: remove busy mark and gc batch API
> > 
> >  include/net/netfilter/nf_tables.h | 120 ++++++---------
> >  net/netfilter/nf_tables_api.c     | 307 ++++++++++++++++++++++++++++++--------
> >  net/netfilter/nft_set_hash.c      |  85 +++++++----
> >  net/netfilter/nft_set_pipapo.c    |  66 +++++---
> >  net/netfilter/nft_set_rbtree.c    | 146 ++++++++++--------
> >  5 files changed, 476 insertions(+), 248 deletions(-)
> 
> <formletter>
> 
> This is not the correct way to submit patches for inclusion in the
> stable kernel tree.  Please read:
>     https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
> for how to do this properly.

I will re-submit this once this hit upstream.

Thanks.

Re: [PATCH net 0/5] Netfilter fixes for net

[Jakub Kicinski]

We've got some new kdoc warnings here:

net/netfilter/nft_set_pipapo.c:1557: warning: Function parameter or member '_set' not described in 'pipapo_gc'
net/netfilter/nft_set_pipapo.c:1557: warning: Excess function parameter 'set' description in 'pipapo_gc'
include/net/netfilter/nf_tables.h:577: warning: Function parameter or member 'dead' not described in 'nft_set'

Don't think Linus will care enough to complain but it'd be good to get
those cleaned up.

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Missing nul-check in basechain hook netlink dump path, from Gavrilov Ilia.

2) Fix bitwise register tracking, from Jeremy Sowden.

3) Null pointer dereference when accessing conntrack helper,
   from Tijs Van Buggenhout.

4) Add schedule point to ipset's call_ad, from Kuniyuki Iwashima.

5) Incorrect boundary check when building chain blob.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-06-07

Thanks.

----------------------------------------------------------------

The following changes since commit 9025944fddfed5966c8f102f1fe921ab3aee2c12:

  net: fec: add dma_wmb to ensure correct descriptor values (2023-05-19 09:17:53 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-06-07

for you to fetch changes up to 08e42a0d3ad30f276f9597b591f975971a1b0fcf:

  netfilter: nf_tables: out-of-bound check in chain blob (2023-06-07 00:43:44 +0200)

----------------------------------------------------------------
netfilter pull request 23-06-07

----------------------------------------------------------------
Gavrilov Ilia (1):
      netfilter: nf_tables: Add null check for nla_nest_start_noflag() in nft_dump_basechain_hook()

Jeremy Sowden (1):
      netfilter: nft_bitwise: fix register tracking

Kuniyuki Iwashima (1):
      netfilter: ipset: Add schedule point in call_ad().

Pablo Neira Ayuso (1):
      netfilter: nf_tables: out-of-bound check in chain blob

Tijs Van Buggenhout (1):
      netfilter: conntrack: fix NULL pointer dereference in nf_confirm_cthelper

 net/netfilter/ipset/ip_set_core.c | 8 ++++++++
 net/netfilter/nf_conntrack_core.c | 3 +++
 net/netfilter/nf_tables_api.c     | 4 +++-
 net/netfilter/nft_bitwise.c       | 2 +-
 4 files changed, 15 insertions(+), 2 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Unbreak br_netfilter physdev match support, from Florian Westphal.

2) Use GFP_KERNEL_ACCOUNT for stateful/policy objects, from Chen Aotian.

3) Use IS_ENABLED() in nf_reset_trace(), from Florian Westphal.

4) Fix validation of catch-all set element.

5) Tighten requirements for catch-all set elements.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 24e3fce00c0b557491ff596c0682a29dee6fe848:

  net: stmmac: Add queue reset into stmmac_xdp_open() function (2023-04-05 19:02:56 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to d4eb7e39929a3b1ff30fb751b4859fc2410702a0:

  netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements (2023-04-18 09:30:21 +0200)

----------------------------------------------------------------
Chen Aotian (1):
      netfilter: nf_tables: Modify nla_memdup's flag to GFP_KERNEL_ACCOUNT

Florian Westphal (2):
      netfilter: br_netfilter: fix recent physdev match breakage
      netfilter: nf_tables: fix ifdef to also consider nf_tables=m

Pablo Neira Ayuso (2):
      netfilter: nf_tables: validate catch-all set elements
      netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements

 include/linux/skbuff.h            |  5 +--
 include/net/netfilter/nf_tables.h |  4 +++
 net/bridge/br_netfilter_hooks.c   | 17 ++++++----
 net/netfilter/nf_tables_api.c     | 69 ++++++++++++++++++++++++++++++++++-----
 net/netfilter/nft_lookup.c        | 36 +++-----------------
 5 files changed, 83 insertions(+), 48 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Use get_random_u32() instead of prandom_u32_state() in nft_meta
   and nft_numgen, from Florian Westphal.

2) Incorrect list head in nfnetlink_cttimeout in recent update coming
   from previous development cycle. Also from Florian.

3) Incorrect path to pktgen scripts for nft_concat_range.sh selftest.
   From Jie2x Zhou.

4) Two fixes for the for nft_fwd and nft_dup egress support, from Florian.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit f5826c8c9d57210a17031af5527056eefdc2b7eb:

  net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure (2022-06-07 20:49:58 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to fcd53c51d03709bc429822086f1e9b3e88904284:

  netfilter: nf_dup_netdev: add and use recursion counter (2022-06-21 10:50:41 +0200)

----------------------------------------------------------------
Florian Westphal (4):
      netfilter: use get_random_u32 instead of prandom
      netfilter: cttimeout: fix slab-out-of-bounds read typo in cttimeout_net_exit
      netfilter: nf_dup_netdev: do not push mac header a second time
      netfilter: nf_dup_netdev: add and use recursion counter

Jie2x Zhou (1):
      selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in nft_concat_range.sh

 net/netfilter/nf_dup_netdev.c                      | 25 ++++++++++++++++++----
 net/netfilter/nfnetlink_cttimeout.c                |  2 +-
 net/netfilter/nft_meta.c                           | 13 ++---------
 net/netfilter/nft_numgen.c                         | 12 +++--------
 .../selftests/netfilter/nft_concat_range.sh        |  2 +-
 5 files changed, 28 insertions(+), 26 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

1) Missing proper sanitization for nft_set_desc_concat_parse().

2) Missing mutex in nf_tables pre_exit path.

3) Possible double hook unregistration from clean_net path.

4) Missing FLOWI_FLAG_ANYSRC flag in flowtable route lookup.
   Fix incorrect source and destination address in case of NAT.
   Patch from wenxu.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 09e545f7381459c015b6fa0cd0ac6f010ef8cc25:

  xen/netback: fix incorrect usage of RING_HAS_UNCONSUMED_REQUESTS() (2022-05-31 12:22:22 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 97629b237a8cb7ac655c3969b8d5e57300ff6598:

  netfilter: flowtable: fix nft_flow_route source address for nat case (2022-05-31 23:32:53 +0200)

----------------------------------------------------------------
Pablo Neira Ayuso (3):
      netfilter: nf_tables: sanitize nft_set_desc_concat_parse()
      netfilter: nf_tables: hold mutex on netns pre_exit path
      netfilter: nf_tables: double hook unregistration in netns path

wenxu (2):
      netfilter: flowtable: fix missing FLOWI_FLAG_ANYSRC flag
      netfilter: flowtable: fix nft_flow_route source address for nat case

 net/netfilter/nf_tables_api.c    | 75 +++++++++++++++++++++++++++++++---------
 net/netfilter/nft_flow_offload.c |  6 ++--
 2 files changed, 62 insertions(+), 19 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Incorrect helper module alias in netbios_ns, from Florian Westphal.

2) Remove unused variable in nf_tables.

3) Uninitialized last expression in nf_tables register tracking.

4) Memleak in nft_connlimit after moving stateful data out of the
   expression data area.

5) Bogus invalid stats update when NF_REPEAT is returned, from Florian.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 7d6019b602de660bfc6a542a68630006ace83b90:

  Revert "net: vertexcom: default to disabled on kbuild" (2022-01-10 21:11:07 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 830af2eba40327abec64325a5b08b1e85c37a2e0:

  netfilter: conntrack: don't increment invalid counter on NF_REPEAT (2022-01-16 00:55:27 +0100)

----------------------------------------------------------------
Florian Westphal (2):
      netfilter: nf_conntrack_netbios_ns: fix helper module alias
      netfilter: conntrack: don't increment invalid counter on NF_REPEAT

Pablo Neira Ayuso (3):
      netfilter: nf_tables: remove unused variable
      netfilter: nf_tables: set last expression in register tracking area
      netfilter: nft_connlimit: memleak if nf_ct_netns_get() fails

 net/netfilter/nf_conntrack_core.c       |  8 +++++---
 net/netfilter/nf_conntrack_netbios_ns.c |  5 +++--
 net/netfilter/nf_tables_api.c           |  4 +---
 net/netfilter/nft_connlimit.c           | 11 ++++++++++-
 4 files changed, 19 insertions(+), 9 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Move back the defrag users fields to the global netns_nf area.
   Kernel fails to boot if conntrack is builtin and kernel is booted
   with: nf_conntrack.enable_hooks=1. From Florian Westphal.

2) Rule event notification is missing relevant context such as
   the position handle and the NLM_F_APPEND flag.

3) Rule replacement is expanded to add + delete using the existing
   rule handle, reverse order of this operation so it makes sense
   from rule notification standpoint.

4) Remove superfluous check in the dynamic set extension which
   disallow update commands on a set without timeout.

5) Propagate to userspace the NLM_F_CREATE and NLM_F_EXCL flags
   from the rule notification path.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 3b1b6e82fb5e08e2cb355d7b2ee8644ec289de66:

  net: phy: enhance GPY115 loopback disable function (2021-09-27 13:49:38 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 3d3b30175a51cf027201670af3e2e5b05447b985:

  netfilter: nf_tables: honor NLM_F_CREATE and NLM_F_EXCL in event notification (2021-09-28 13:04:56 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: fix boot failure with nf_conntrack.enable_hooks=1

Pablo Neira Ayuso (4):
      netfilter: nf_tables: add position handle in event notification
      netfilter: nf_tables: reverse order in rule replacement expansion
      netfilter: nft_dynset: relax superfluous check on set updates
      netfilter: nf_tables: honor NLM_F_CREATE and NLM_F_EXCL in event notification

 include/net/netfilter/ipv6/nf_defrag_ipv6.h |  1 -
 include/net/netfilter/nf_tables.h           |  2 +-
 include/net/netns/netfilter.h               |  6 ++
 net/ipv4/netfilter/nf_defrag_ipv4.c         | 30 +++-------
 net/ipv6/netfilter/nf_conntrack_reasm.c     |  2 +-
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c   | 25 +++-----
 net/netfilter/nf_tables_api.c               | 91 ++++++++++++++++++++---------
 net/netfilter/nft_dynset.c                  | 11 +---
 net/netfilter/nft_quota.c                   |  2 +-
 9 files changed, 92 insertions(+), 78 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Protect nft_ct template with global mutex, from Pavel Skripkin.

2) Two recent commits switched inet rt and nexthop exception hashes
   from jhash to siphash. If those two spots are problematic then
   conntrack is affected as well, so switch voer to siphash too.
   While at it, add a hard upper limit on chain lengths and reject
   insertion if this is hit. Patches from Florian Westphal.

3) Fix use-after-scope in nf_socket_ipv6 reported by KASAN,
   from Benjamin Hesmans.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 519133debcc19f5c834e7e28480b60bdc234fe02:

  net: bridge: fix memleak in br_add_if() (2021-08-10 13:25:14 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 730affed24bffcd1eebd5903171960f5ff9f1f22:

  netfilter: socket: icmp6: fix use-after-scope (2021-09-03 18:25:31 +0200)

----------------------------------------------------------------
Benjamin Hesmans (1):
      netfilter: socket: icmp6: fix use-after-scope

Florian Westphal (3):
      netfilter: conntrack: sanitize table size default settings
      netfilter: conntrack: switch to siphash
      netfilter: refuse insertion if chain has grown too large

Pavel Skripkin (1):
      netfilter: nft_ct: protect nft_ct_pcpu_template_refcnt with mutex

 Documentation/networking/nf_conntrack-sysctl.rst   |  13 ++-
 include/linux/netfilter/nf_conntrack_common.h      |   1 +
 include/uapi/linux/netfilter/nfnetlink_conntrack.h |   1 +
 net/ipv6/netfilter/nf_socket_ipv6.c                |   4 +-
 net/netfilter/nf_conntrack_core.c                  | 103 ++++++++++++++-------
 net/netfilter/nf_conntrack_expect.c                |  25 +++--
 net/netfilter/nf_conntrack_netlink.c               |   4 +-
 net/netfilter/nf_conntrack_standalone.c            |   4 +-
 net/netfilter/nf_nat_core.c                        |  18 +++-
 net/netfilter/nft_ct.c                             |   9 +-
 10 files changed, 123 insertions(+), 59 deletions(-)

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix insufficient validation of IPSET_ATTR_IPADDR_IPV6 reported
   by syzbot.

2) Remove spurious reports on nf_tables when lockdep gets disabled,
   from Florian Westphal.

3) Fix memleak in the error path of error path of
   ip_vs_control_net_init(), from Wang Hai.

4) Fix missing control data in flow dissector, otherwise IP address
   matching in hardware offload infra does not work.

5) Fix hardware offload match on prefix IP address when userspace
   does not send a bitwise expression to represent the prefix.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks Jakub.

----------------------------------------------------------------

The following changes since commit 90cf87d16bd566cff40c2bc8e32e6d4cd3af23f0:

  enetc: Let the hardware auto-advance the taprio base-time of 0 (2020-11-25 12:36:27 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to a5d45bc0dc50f9dd83703510e9804d813a9cac32:

  netfilter: nftables_offload: build mask based from the matching bytes (2020-11-27 12:10:47 +0100)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: ipset: prevent uninit-value in hash_ip6_add

Florian Westphal (1):
      netfilter: nf_tables: avoid false-postive lockdep splat

Pablo Neira Ayuso (2):
      netfilter: nftables_offload: set address type in control dissector
      netfilter: nftables_offload: build mask based from the matching bytes

Wang Hai (1):
      ipvs: fix possible memory leak in ip_vs_control_net_init

 include/net/netfilter/nf_tables_offload.h |  7 ++++
 net/netfilter/ipset/ip_set_core.c         |  3 +-
 net/netfilter/ipvs/ip_vs_ctl.c            | 31 +++++++++++---
 net/netfilter/nf_tables_api.c             |  3 +-
 net/netfilter/nf_tables_offload.c         | 17 ++++++++
 net/netfilter/nft_cmp.c                   |  8 ++--
 net/netfilter/nft_meta.c                  | 16 +++----
 net/netfilter/nft_payload.c               | 70 +++++++++++++++++++++++--------
 8 files changed, 117 insertions(+), 38 deletions(-)

Re: [PATCH net 0/5] Netfilter fixes for net

[Jakub Kicinski]

On Fri, 27 Nov 2020 20:03:08 +0100 Pablo Neira Ayuso wrote:
> 1) Fix insufficient validation of IPSET_ATTR_IPADDR_IPV6 reported
>    by syzbot.
> 
> 2) Remove spurious reports on nf_tables when lockdep gets disabled,
>    from Florian Westphal.
> 
> 3) Fix memleak in the error path of error path of
>    ip_vs_control_net_init(), from Wang Hai.
> 
> 4) Fix missing control data in flow dissector, otherwise IP address
>    matching in hardware offload infra does not work.
> 
> 5) Fix hardware offload match on prefix IP address when userspace
>    does not send a bitwise expression to represent the prefix.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thanks!

[PATCH net 0/5] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Incorrect netlink report logic in flowtable and genID.

2) Add a selftest to check that wireguard passes the right sk
   to ip_route_me_harder, from Jason A. Donenfeld.

3) Pass the actual sk to ip_route_me_harder(), also from Jason.

4) Missing expression validation of updates via nft --check.

5) Update byte and packet counters regardless of whether they
   match, from Stefano Brivio.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 07e0887302450a62f51dba72df6afb5fabb23d1c:

  Merge tag 'fallthrough-fixes-clang-5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux (2020-10-29 13:02:52 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 7d10e62c2ff8e084c136c94d32d9a94de4d31248:

  netfilter: ipset: Update byte and packet counters regardless of whether they match (2020-10-31 11:11:11 +0100)

----------------------------------------------------------------
Jason A. Donenfeld (2):
      wireguard: selftests: check that route_me_harder packets use the right sk
      netfilter: use actual socket sk rather than skb sk when routing harder

Pablo Neira Ayuso (2):
      netfilter: nftables: fix netlink report logic in flowtable and genid
      netfilter: nf_tables: missing validation from the abort path

Stefano Brivio (1):
      netfilter: ipset: Update byte and packet counters regardless of whether they match

 include/linux/netfilter/nfnetlink.h                |  9 ++++++++-
 include/linux/netfilter_ipv4.h                     |  2 +-
 include/linux/netfilter_ipv6.h                     | 10 +++++-----
 net/ipv4/netfilter.c                               |  8 +++++---
 net/ipv4/netfilter/iptable_mangle.c                |  2 +-
 net/ipv4/netfilter/nf_reject_ipv4.c                |  2 +-
 net/ipv6/netfilter.c                               |  6 +++---
 net/ipv6/netfilter/ip6table_mangle.c               |  2 +-
 net/netfilter/ipset/ip_set_core.c                  |  3 ++-
 net/netfilter/ipvs/ip_vs_core.c                    |  4 ++--
 net/netfilter/nf_nat_proto.c                       |  4 ++--
 net/netfilter/nf_synproxy_core.c                   |  2 +-
 net/netfilter/nf_tables_api.c                      | 19 ++++++++++++-------
 net/netfilter/nfnetlink.c                          | 22 ++++++++++++++++++----
 net/netfilter/nft_chain_route.c                    |  4 ++--
 net/netfilter/utils.c                              |  4 ++--
 tools/testing/selftests/wireguard/netns.sh         |  8 ++++++++
 .../testing/selftests/wireguard/qemu/kernel.config |  2 ++
 18 files changed, 76 insertions(+), 37 deletions(-)

Re: [PATCH net 0/5] Netfilter fixes for net

[Jakub Kicinski]

On Sat, 31 Oct 2020 19:14:32 +0100 Pablo Neira Ayuso wrote:
> Hi,
> 
> The following patchset contains Netfilter fixes for net:
> 
> 1) Incorrect netlink report logic in flowtable and genID.
> 
> 2) Add a selftest to check that wireguard passes the right sk
>    to ip_route_me_harder, from Jason A. Donenfeld.
> 
> 3) Pass the actual sk to ip_route_me_harder(), also from Jason.
> 
> 4) Missing expression validation of updates via nft --check.
> 
> 5) Update byte and packet counters regardless of whether they
>    match, from Stefano Brivio.

Pulled, thanks Pablo!