[PATCH net 0/1] Netfilter fixes for net

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix syn-retransmits until initiator gives up when connection is re-used
   due to rst marked as invalid, from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 1f3bd64ad921f051254591fbed04fd30b306cde6:

  net: stmmac: fix invalid call to mdiobus_get_phy() (2023-01-17 13:33:19 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to c410cb974f2ba562920ecb8492ee66945dcf88af:

  netfilter: conntrack: handle tcp challenge acks during connection reuse (2023-01-17 23:00:06 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: handle tcp challenge acks during connection reuse

 net/netfilter/nf_conntrack_proto_tcp.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix syn-retransmits until initiator gives up when connection is re-used
   due to rst marked as invalid, from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 1f3bd64ad921f051254591fbed04fd30b306cde6:

  net: stmmac: fix invalid call to mdiobus_get_phy() (2023-01-17 13:33:19 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to c410cb974f2ba562920ecb8492ee66945dcf88af:

  netfilter: conntrack: handle tcp challenge acks during connection reuse (2023-01-17 23:00:06 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: handle tcp challenge acks during connection reuse

 net/netfilter/nf_conntrack_proto_tcp.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains one Netfilter fix:

1) Restore 'ct state untracked' matching with CONFIG_RETPOLINE=y,
   from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 6a341729fb31b4c5df9f74f24b4b1c98410c9b87:

  af_packet: Don't send zero-byte data in packet_sendmsg_spkt(). (2023-05-03 09:20:18 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-05-03

for you to fetch changes up to f057b63bc11d86a98176de31b437e46789f44d8f:

  netfilter: nf_tables: fix ct untracked match breakage (2023-05-03 13:49:08 +0200)

----------------------------------------------------------------
netfilter pull request 23-05-03

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nf_tables: fix ct untracked match breakage

 net/netfilter/nft_ct_fast.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following batch contains a oneliner patch to inconditionally flush
workqueue containing stale objects to be released, syzbot managed to
trigger UaF. Patch from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-07-04

Thanks.

----------------------------------------------------------------

The following changes since commit 8905a2c7d39b921b8a62bcf80da0f8c45ec0e764:

  Merge branch 'net-txgbe-fix-msi-and-intx-interrupts' (2024-07-02 16:07:07 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-07-04

for you to fetch changes up to 9f6958ba2e902f9820c594869bd710ba74b7c4c0:

  netfilter: nf_tables: unconditionally flush pending work before notifier (2024-07-04 00:28:27 +0200)

----------------------------------------------------------------
netfilter pull request 24-07-04

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nf_tables: unconditionally flush pending work before notifier

 net/netfilter/nf_tables_api.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains a Netfilter fix for net:

Patch #1 if FPU is busy, then pipapo set backend falls back to standard
         set element lookup. Moreover, disable bh while at this.
	 From Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-07-24

Thanks.

----------------------------------------------------------------

The following changes since commit 3ba359c0cd6eb5ea772125a7aededb4a2d516684:

  net: bonding: correctly annotate RCU in bond_should_notify_peers() (2024-07-23 15:13:12 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-07-24

for you to fetch changes up to a16909ae9982e931841c456061cb57fbaec9c59e:

  netfilter: nft_set_pipapo_avx2: disable softinterrupts (2024-07-24 10:01:59 +0200)

----------------------------------------------------------------
netfilter pull request 24-07-24

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_set_pipapo_avx2: disable softinterrupts

 net/netfilter/nft_set_pipapo_avx2.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following series contains one fix:

syzkaller managed to triger UaF due to missing reference on netns in
bpf infrastructure, from Florian Westphal.

Florian Westphal (1):
  netfilter: bpf: must hold reference on net namespace

 net/netfilter/nf_bpf_link.c | 4 ++++
 1 file changed, 4 insertions(+)

-- 
2.30.2

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-10-17

Thanks.

----------------------------------------------------------------

The following changes since commit cb560795c8c2ceca1d36a95f0d1b2eafc4074e37:

  Merge branch 'mlx5-misc-fixes-2024-10-15' (2024-10-17 12:14:11 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-10-17

for you to fetch changes up to 1230fe7ad3974f7bf6c78901473e039b34d4fb1f:

  netfilter: bpf: must hold reference on net namespace (2024-10-17 13:58:57 +0200)

----------------------------------------------------------------
netfilter pull request 24-10-17

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: bpf: must hold reference on net namespace

 net/netfilter/nf_bpf_link.c | 4 ++++
 1 file changed, 4 insertions(+)

Re: [PATCH net 0/1] Netfilter fixes for net

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu, 17 Oct 2024 14:34:12 +0200 you wrote:
> Hi,
> 
> The following series contains one fix:
> 
> syzkaller managed to triger UaF due to missing reference on netns in
> bpf infrastructure, from Florian Westphal.
> 
> [...]

Here is the summary with links:
  - [net,1/1] netfilter: bpf: must hold reference on net namespace
    https://git.kernel.org/netdev/net/c/1230fe7ad397

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following batch contains one Netfilter fix for net:

1) Fix unaligned atomic read on struct nft_set_ext in nft_set_hash
   backend that causes an alignment failure splat on aarch64. This
   is related to a recent fix and it has been reported via the
   regressions mailing list.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-12-25

Thanks.

----------------------------------------------------------------

The following changes since commit b3a69c559899b00ca106767c873680b0adf5882c:

  Merge branch 'mlx5-misc-fixes-2024-12-20' (2024-12-23 10:54:07 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-12-25

for you to fetch changes up to 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4:

  netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext (2024-12-25 00:27:49 +0100)

----------------------------------------------------------------
netfilter pull request 24-12-25

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

 include/net/netfilter/nf_tables.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following batch contains one Netfilter fix:

1) Reject mismatching sum of field_len with set key length which allows
   to create a set without inconsistent pipapo rule width and set key
   length.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-01-30

Thanks.

----------------------------------------------------------------

The following changes since commit 0a5b8fff01bde1b9908f00004c676f2e2459333b:

  selftests: net: Adapt ethtool mq tests to fix in qdisc graft (2025-01-15 09:28:51 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-01-30

for you to fetch changes up to 1b9335a8000fb70742f7db10af314104b6ace220:

  netfilter: nf_tables: reject mismatching sum of field_len with set key length (2025-01-30 12:26:11 +0100)

----------------------------------------------------------------
netfilter pull request 25-01-30

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      netfilter: nf_tables: reject mismatching sum of field_len with set key length

 net/netfilter/nf_tables_api.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following batch contains one revert for:

1) Revert flowtable entry teardown cycle when skbuff exceeds mtu to
   deal with DF flag unset scenarios. This is reverts a patch coming
   in the previous merge window (available in 6.14-rc releases).

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-02-13

Thanks.

----------------------------------------------------------------

The following changes since commit e589adf5b70c07b1ab974d077046fdbf583b2f36:

  iavf: Fix a locking bug in an error path (2025-02-11 18:02:04 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-02-13

for you to fetch changes up to cf56aa8dd26328a9af4ffe7fb0bd8fcfa9407112:

  Revert "netfilter: flowtable: teardown flow if cached mtu is stale" (2025-02-12 10:35:20 +0100)

----------------------------------------------------------------
netfilter pull request 25-02-13

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      Revert "netfilter: flowtable: teardown flow if cached mtu is stale"

 net/netfilter/nf_flow_table_ip.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

[PATCH net 1/1] Revert "netfilter: flowtable: teardown flow if cached mtu is stale"

[Pablo Neira Ayuso]

This reverts commit b8baac3b9c5cc4b261454ff87d75ae8306016ffd.

IPv4 packets with no DF flag set on result in frequent flow entry
teardown cycles, this is visible in the network topology that is used in
the nft_flowtable.sh test.

nft_flowtable.sh test ocassionally fails reporting that the dscp_fwd
test sees no packets going through the flowtable path.

Fixes: b8baac3b9c5c ("netfilter: flowtable: teardown flow if cached mtu is stale")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_flow_table_ip.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 97c6eb8847a0..8cd4cf7ae211 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -381,10 +381,8 @@ static int nf_flow_offload_forward(struct nf_flowtable_ctx *ctx,
 	flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
 
 	mtu = flow->tuplehash[dir].tuple.mtu + ctx->offset;
-	if (unlikely(nf_flow_exceeds_mtu(skb, mtu))) {
-		flow_offload_teardown(flow);
+	if (unlikely(nf_flow_exceeds_mtu(skb, mtu)))
 		return 0;
-	}
 
 	iph = (struct iphdr *)(skb_network_header(skb) + ctx->offset);
 	thoff = (iph->ihl * 4) + ctx->offset;
@@ -662,10 +660,8 @@ static int nf_flow_offload_ipv6_forward(struct nf_flowtable_ctx *ctx,
 	flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
 
 	mtu = flow->tuplehash[dir].tuple.mtu + ctx->offset;
-	if (unlikely(nf_flow_exceeds_mtu(skb, mtu))) {
-		flow_offload_teardown(flow);
+	if (unlikely(nf_flow_exceeds_mtu(skb, mtu)))
 		return 0;
-	}
 
 	ip6h = (struct ipv6hdr *)(skb_network_header(skb) + ctx->offset);
 	thoff = sizeof(*ip6h) + ctx->offset;
-- 
2.30.2

Re: [PATCH net 1/1] Revert "netfilter: flowtable: teardown flow if cached mtu is stale"

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu, 13 Feb 2025 11:05:02 +0100 you wrote:
> This reverts commit b8baac3b9c5cc4b261454ff87d75ae8306016ffd.
> 
> IPv4 packets with no DF flag set on result in frequent flow entry
> teardown cycles, this is visible in the network topology that is used in
> the nft_flowtable.sh test.
> 
> nft_flowtable.sh test ocassionally fails reporting that the dscp_fwd
> test sees no packets going through the flowtable path.
> 
> [...]

Here is the summary with links:
  - [net,1/1] Revert "netfilter: flowtable: teardown flow if cached mtu is stale"
    https://git.kernel.org/netdev/net/c/cf56aa8dd263

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html