[PATCH net 0/7] Netfilter fixes for net

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix NAT IPv6 offload in the flowtable.

2) icmpv6 is printed as unknown in /proc/net/nf_conntrack.

3) Use div64_u64() in nft_limit, from Eric Dumazet.

4) Use pre_exit to unregister ebtables and arptables hooks,
   from Florian Westphal.

5) Fix out-of-bound memset in x_tables compat match/target,
   also from Florian.

6) Clone set elements expression to ensure proper initialization.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 9adc89af724f12a03b47099cd943ed54e877cd59:

  net: let skb_orphan_partial wake-up waiters. (2021-03-30 13:57:28 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 4d8f9065830e526c83199186c5f56a6514f457d2:

  netfilter: nftables: clone set element expression template (2021-04-13 00:19:05 +0200)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: nft_limit: avoid possible divide error in nft_limit_init

Florian Westphal (3):
      netfilter: bridge: add pre_exit hooks for ebtable unregistration
      netfilter: arp_tables: add pre_exit hook for table unregister
      netfilter: x_tables: fix compat match/target pad out-of-bound write

Pablo Neira Ayuso (3):
      netfilter: flowtable: fix NAT IPv6 offload mangling
      netfilter: conntrack: do not print icmpv6 as unknown via /proc
      netfilter: nftables: clone set element expression template

 include/linux/netfilter_arp/arp_tables.h  |  5 ++--
 include/linux/netfilter_bridge/ebtables.h |  5 ++--
 net/bridge/netfilter/ebtable_broute.c     |  8 +++++-
 net/bridge/netfilter/ebtable_filter.c     |  8 +++++-
 net/bridge/netfilter/ebtable_nat.c        |  8 +++++-
 net/bridge/netfilter/ebtables.c           | 30 ++++++++++++++++++--
 net/ipv4/netfilter/arp_tables.c           | 11 ++++++--
 net/ipv4/netfilter/arptable_filter.c      | 10 ++++++-
 net/ipv4/netfilter/ip_tables.c            |  2 ++
 net/ipv6/netfilter/ip6_tables.c           |  2 ++
 net/netfilter/nf_conntrack_standalone.c   |  1 +
 net/netfilter/nf_flow_table_offload.c     |  6 ++--
 net/netfilter/nf_tables_api.c             | 46 +++++++++++++++++++++++--------
 net/netfilter/nft_limit.c                 |  4 +--
 net/netfilter/x_tables.c                  | 10 ++-----
 15 files changed, 118 insertions(+), 38 deletions(-)

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix bogus compilter warning in nfnetlink_queue, from Florian Westphal.

2) Don't run conntrack on vrf with !dflt qdisc, from Nicolas Dichtel.

3) Fix nft_pipapo bucket load in AVX2 lookup routine for six 8-bit
   groups, from Stefano Brivio.

4) Break rule evaluation on malformed TCP options.

5) Use socat instead of nc in selftests/netfilter/nft_zones_many.sh,
   also from Florian

6) Fix KCSAN data-race in conntrack timeout updates, from Eric Dumazet.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 34d8778a943761121f391b7921f79a7adbe1feaf:

  MAINTAINERS: s390/net: add Alexandra and Wenjia as maintainer (2021-11-30 12:20:07 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 802a7dc5cf1bef06f7b290ce76d478138408d6b1:

  netfilter: conntrack: annotate data-races around ct->timeout (2021-12-08 01:29:15 +0100)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: conntrack: annotate data-races around ct->timeout

Florian Westphal (2):
      netfilter: nfnetlink_queue: silence bogus compiler warning
      selftests: netfilter: switch zone stress to socat

Nicolas Dichtel (1):
      vrf: don't run conntrack on vrf with !dflt qdisc

Pablo Neira Ayuso (1):
      netfilter: nft_exthdr: break evaluation if setting TCP option fails

Stefano Brivio (2):
      nft_set_pipapo: Fix bucket load in AVX2 lookup routine for six 8-bit groups
      selftests: netfilter: Add correctness test for mac,net set type

 drivers/net/vrf.c                                  |  8 +++---
 include/net/netfilter/nf_conntrack.h               |  6 ++---
 net/netfilter/nf_conntrack_core.c                  |  6 ++---
 net/netfilter/nf_conntrack_netlink.c               |  2 +-
 net/netfilter/nf_flow_table_core.c                 |  4 +--
 net/netfilter/nfnetlink_queue.c                    |  2 +-
 net/netfilter/nft_exthdr.c                         | 11 +++++---
 net/netfilter/nft_set_pipapo_avx2.c                |  2 +-
 tools/testing/selftests/netfilter/conntrack_vrf.sh | 30 +++++++++++++++++++---
 .../selftests/netfilter/nft_concat_range.sh        | 24 ++++++++++++++---
 .../testing/selftests/netfilter/nft_zones_many.sh  | 19 +++++++++-----
 11 files changed, 82 insertions(+), 32 deletions(-)

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

This patchset contains Netfilter fixes for net:

1) Reduce number of hardware offload retries from flowtable datapath
   which might hog system with retries, from Felix Fietkau.

2) Skip neighbour lookup for PPPoE device, fill_forward_path() already
   provides this and set on destination address from fill_forward_path for
   PPPoE device, also from Felix.

4) When combining PPPoE on top of a VLAN device, set info->outdev to the
   PPPoE device so software offload works, from Felix.

5) Fix TCP teardown flowtable state, races with conntrack gc might result
   in resetting the state to ESTABLISHED and the time to one day. Joint
   work with Oz Shlomo and Sven Auhagen.

6) Call dst_check() from flowtable datapath to check if dst is stale
   instead of doing it from garbage collector path.

7) Disable register tracking infrastructure, either user-space or
   kernel need to pre-fetch keys inconditionally, otherwise register
   tracking assumes data is already available in register that might
   not well be there, leading to incorrect reductions.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit f3f19f939c11925dadd3f4776f99f8c278a7017b:

  Merge tag 'net-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2022-05-12 11:51:45 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 9e539c5b6d9c5b996e45105921ee9dd955c0f535:

  netfilter: nf_tables: disable expression reduction infra (2022-05-18 17:34:26 +0200)

----------------------------------------------------------------
Felix Fietkau (4):
      netfilter: flowtable: fix excessive hw offload attempts after failure
      netfilter: nft_flow_offload: skip dst neigh lookup for ppp devices
      net: fix dev_fill_forward_path with pppoe + bridge
      netfilter: nft_flow_offload: fix offload with pppoe + vlan

Pablo Neira Ayuso (2):
      netfilter: flowtable: fix TCP flow teardown
      netfilter: nf_tables: disable expression reduction infra

Ritaro Takenaka (1):
      netfilter: flowtable: move dst_check to packet path

 drivers/net/ppp/pppoe.c            |  1 +
 include/linux/netdevice.h          |  2 +-
 net/core/dev.c                     |  2 +-
 net/netfilter/nf_flow_table_core.c | 60 +++++++-------------------------------
 net/netfilter/nf_flow_table_ip.c   | 19 ++++++++++++
 net/netfilter/nf_tables_api.c      | 11 +------
 net/netfilter/nft_flow_offload.c   | 28 +++++++++++-------
 7 files changed, 51 insertions(+), 72 deletions(-)

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix NAT support for NFPROTO_INET without layer 3 address,
   from Florian Westphal.

2) Use kfree_rcu(ptr, rcu) variant in nf_tables clean_net path.

3) Use list to collect flowtable hooks to be deleted.

4) Initialize list of hook field in flowtable transaction.

5) Release hooks on error for flowtable updates.

6) Memleak in hardware offload rule commit and abort paths.

7) Early bail out in case device does not support for hardware offload.
   This adds a new interface to net/core/flow_offload.c to check if the
   flow indirect block list is empty.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b:

  tcp: tcp_rtx_synack() can be called from process context (2022-05-31 21:40:10 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 3a41c64d9c1185a2f3a184015e2a9b78bfc99c71:

  netfilter: nf_tables: bail out early if hardware offload is not supported (2022-06-06 19:19:15 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nat: really support inet nat without l3 address

Pablo Neira Ayuso (6):
      netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
      netfilter: nf_tables: delete flowtable hooks via transaction list
      netfilter: nf_tables: always initialize flowtable hook list in transaction
      netfilter: nf_tables: release new hooks on unsupported flowtable flags
      netfilter: nf_tables: memleak flow rule from commit path
      netfilter: nf_tables: bail out early if hardware offload is not supported

 include/net/flow_offload.h                   |  1 +
 include/net/netfilter/nf_tables.h            |  1 -
 include/net/netfilter/nf_tables_offload.h    |  2 +-
 net/core/flow_offload.c                      |  6 ++++
 net/netfilter/nf_tables_api.c                | 54 ++++++++++++----------------
 net/netfilter/nf_tables_offload.c            | 23 +++++++++++-
 net/netfilter/nft_nat.c                      |  3 +-
 tools/testing/selftests/netfilter/nft_nat.sh | 43 ++++++++++++++++++++++
 8 files changed, 98 insertions(+), 35 deletions(-)

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Use signed integer in ipv6_skip_exthdr() called from nf_confirm().
   Reported by static analysis tooling, patch from Florian Westphal.

2) Missing set type checks in nf_tables: Validate that set declaration
   matches the an existing set type, otherwise bail out with EEXIST.
   Currently, nf_tables silently accepts the re-declaration with a
   different type but it bails out later with EINVAL when the user adds
   entries to the set. This fix is relatively large because it requires
   two preparation patches that are included in this batch.

3) Do not ignore updates of timeout and gc_interval parameters in
   existing sets.

4) Fix a hang when 0/0 subnets is added to a hash:net,port,net type of
   ipset. Except hash:net,port,net and hash:net,iface, the set types don't
   support 0/0 and the auxiliary functions rely on this fact. So 0/0 needs
   a special handling in hash:net,port,net which was missing (hash:net,iface
   was not affected by this bug), from Jozsef Kadlecsik.

5) When adding/deleting large number of elements in one step in ipset,
   it can take a reasonable amount of time and can result in soft lockup
   errors. This patch is a complete rework of the previous version in order
   to use a smaller internal batch limit and at the same time removing
   the external hard limit to add arbitrary number of elements in one step.
   Also from Jozsef Kadlecsik.

Except for patch #1, which fixes a bug introduced in the previous net-next
development cycle, anything else has been broken for several releases.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 19e72b064fc32cd58f6fc0b1eb64ac2e4f770e76:

  net: fec: check the return value of build_skb() (2022-12-20 11:33:24 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 5e29dc36bd5e2166b834ceb19990d9e68a734d7d:

  netfilter: ipset: Rework long task execution when adding/deleting entries (2023-01-02 15:10:05 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: fix ipv6 exthdr error check

Jozsef Kadlecsik (2):
      netfilter: ipset: fix hash:net,port,net hang with /0 subnet
      netfilter: ipset: Rework long task execution when adding/deleting entries

Pablo Neira Ayuso (4):
      netfilter: nf_tables: consolidate set description
      netfilter: nf_tables: add function to create set stateful expressions
      netfilter: nf_tables: perform type checking for existing sets
      netfilter: nf_tables: honor set timeout and garbage collection updates

 include/linux/netfilter/ipset/ip_set.h       |   2 +-
 include/net/netfilter/nf_tables.h            |  25 ++-
 net/netfilter/ipset/ip_set_core.c            |   7 +-
 net/netfilter/ipset/ip_set_hash_ip.c         |  14 +-
 net/netfilter/ipset/ip_set_hash_ipmark.c     |  13 +-
 net/netfilter/ipset/ip_set_hash_ipport.c     |  13 +-
 net/netfilter/ipset/ip_set_hash_ipportip.c   |  13 +-
 net/netfilter/ipset/ip_set_hash_ipportnet.c  |  13 +-
 net/netfilter/ipset/ip_set_hash_net.c        |  17 +-
 net/netfilter/ipset/ip_set_hash_netiface.c   |  15 +-
 net/netfilter/ipset/ip_set_hash_netnet.c     |  23 +--
 net/netfilter/ipset/ip_set_hash_netport.c    |  19 +-
 net/netfilter/ipset/ip_set_hash_netportnet.c |  40 ++--
 net/netfilter/nf_conntrack_proto.c           |   7 +-
 net/netfilter/nf_tables_api.c                | 261 ++++++++++++++++++---------
 15 files changed, 293 insertions(+), 189 deletions(-)

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

Patches #1 and #2 add missing rcu read side lock when iterating over
expression and object type list which could race with module removal.

Patch #3 prevents promisc packet from visiting the bridge/input hook
	 to amend a recent fix to address conntrack confirmation race
	 in br_netfilter and nf_conntrack_bridge.

Patch #4 adds and uses iterate decorator type to fetch the current
	 pipapo set backend datastructure view when netlink dumps the
	 set elements.

Patch #5 fixes removal of duplicate elements in the pipapo set backend.

Patch #6 flowtable validates pppoe header before accessing it.

Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
         fails and pppoe packets follow classic path.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11

Thanks.

----------------------------------------------------------------

The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:

  r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11

for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:

  netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)

----------------------------------------------------------------
netfilter pull request 24-04-11

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_set_pipapo: do not free live element

Pablo Neira Ayuso (4):
      netfilter: br_netfilter: skip conntrack input hook for promisc packets
      netfilter: nft_set_pipapo: walk over current view on netlink dump
      netfilter: flowtable: validate pppoe header
      netfilter: flowtable: incorrect pppoe tuple

Ziyang Xuan (2):
      netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
      netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()

 include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
 include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
 net/bridge/br_input.c                      | 15 +++++++++++----
 net/bridge/br_netfilter_hooks.c            |  6 ++++++
 net/bridge/br_private.h                    |  1 +
 net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
 net/netfilter/nf_flow_table_inet.c         |  3 ++-
 net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
 net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
 net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
 10 files changed, 91 insertions(+), 25 deletions(-)

Re: [PATCH net 0/7] Netfilter fixes for net

[Paolo Abeni]

On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> Hi,
> 
> The following patchset contains Netfilter fixes for net:
> 
> Patches #1 and #2 add missing rcu read side lock when iterating over
> expression and object type list which could race with module removal.
> 
> Patch #3 prevents promisc packet from visiting the bridge/input hook
> 	 to amend a recent fix to address conntrack confirmation race
> 	 in br_netfilter and nf_conntrack_bridge.
> 
> Patch #4 adds and uses iterate decorator type to fetch the current
> 	 pipapo set backend datastructure view when netlink dumps the
> 	 set elements.
> 
> Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> 
> Patch #6 flowtable validates pppoe header before accessing it.
> 
> Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
>          fails and pppoe packets follow classic path.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> 
> Thanks.
> 
> ----------------------------------------------------------------
> 
> The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> 
>   r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> 
> are available in the Git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> 
> for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> 
>   netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> 
> ----------------------------------------------------------------
> netfilter pull request 24-04-11
> 
> ----------------------------------------------------------------
> Florian Westphal (1):
>       netfilter: nft_set_pipapo: do not free live element
> 
> Pablo Neira Ayuso (4):
>       netfilter: br_netfilter: skip conntrack input hook for promisc packets
>       netfilter: nft_set_pipapo: walk over current view on netlink dump
>       netfilter: flowtable: validate pppoe header
>       netfilter: flowtable: incorrect pppoe tuple
> 
> Ziyang Xuan (2):
>       netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
>       netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> 
>  include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
>  include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
>  net/bridge/br_input.c                      | 15 +++++++++++----
>  net/bridge/br_netfilter_hooks.c            |  6 ++++++
>  net/bridge/br_private.h                    |  1 +
>  net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
>  net/netfilter/nf_flow_table_inet.c         |  3 ++-
>  net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
>  net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
>  net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
>  10 files changed, 91 insertions(+), 25 deletions(-)

Whoops, I'm finishing testing right now todays PR, I hope it's not a
big issue if this lands later?

Thanks,

Paolo

Re: [PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > Hi,
> > 
> > The following patchset contains Netfilter fixes for net:
> > 
> > Patches #1 and #2 add missing rcu read side lock when iterating over
> > expression and object type list which could race with module removal.
> > 
> > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > 	 to amend a recent fix to address conntrack confirmation race
> > 	 in br_netfilter and nf_conntrack_bridge.
> > 
> > Patch #4 adds and uses iterate decorator type to fetch the current
> > 	 pipapo set backend datastructure view when netlink dumps the
> > 	 set elements.
> > 
> > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> > 
> > Patch #6 flowtable validates pppoe header before accessing it.
> > 
> > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> >          fails and pppoe packets follow classic path.
> > 
> > Please, pull these changes from:
> > 
> >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> > 
> > Thanks.
> > 
> > ----------------------------------------------------------------
> > 
> > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> > 
> >   r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> > 
> > are available in the Git repository at:
> > 
> >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> > 
> > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> > 
> >   netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> > 
> > ----------------------------------------------------------------
> > netfilter pull request 24-04-11
> > 
> > ----------------------------------------------------------------
> > Florian Westphal (1):
> >       netfilter: nft_set_pipapo: do not free live element
> > 
> > Pablo Neira Ayuso (4):
> >       netfilter: br_netfilter: skip conntrack input hook for promisc packets
> >       netfilter: nft_set_pipapo: walk over current view on netlink dump
> >       netfilter: flowtable: validate pppoe header
> >       netfilter: flowtable: incorrect pppoe tuple
> > 
> > Ziyang Xuan (2):
> >       netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> >       netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> > 
> >  include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
> >  include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
> >  net/bridge/br_input.c                      | 15 +++++++++++----
> >  net/bridge/br_netfilter_hooks.c            |  6 ++++++
> >  net/bridge/br_private.h                    |  1 +
> >  net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> >  net/netfilter/nf_flow_table_inet.c         |  3 ++-
> >  net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
> >  net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
> >  net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
> >  10 files changed, 91 insertions(+), 25 deletions(-)
> 
> Whoops, I'm finishing testing right now todays PR, I hope it's not a
> big issue if this lands later?

Apologies, I am working at full steam here, I could not deliver any sooner.

Re: [PATCH net 0/7] Netfilter fixes for net

[Paolo Abeni]

On Thu, 2024-04-11 at 13:42 +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> > On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > > Hi,
> > > 
> > > The following patchset contains Netfilter fixes for net:
> > > 
> > > Patches #1 and #2 add missing rcu read side lock when iterating over
> > > expression and object type list which could race with module removal.
> > > 
> > > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > > 	 to amend a recent fix to address conntrack confirmation race
> > > 	 in br_netfilter and nf_conntrack_bridge.
> > > 
> > > Patch #4 adds and uses iterate decorator type to fetch the current
> > > 	 pipapo set backend datastructure view when netlink dumps the
> > > 	 set elements.
> > > 
> > > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> > > 
> > > Patch #6 flowtable validates pppoe header before accessing it.
> > > 
> > > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> > >          fails and pppoe packets follow classic path.
> > > 
> > > Please, pull these changes from:
> > > 
> > >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> > > 
> > > Thanks.
> > > 
> > > ----------------------------------------------------------------
> > > 
> > > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> > > 
> > >   r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> > > 
> > > are available in the Git repository at:
> > > 
> > >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> > > 
> > > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> > > 
> > >   netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> > > 
> > > ----------------------------------------------------------------
> > > netfilter pull request 24-04-11
> > > 
> > > ----------------------------------------------------------------
> > > Florian Westphal (1):
> > >       netfilter: nft_set_pipapo: do not free live element
> > > 
> > > Pablo Neira Ayuso (4):
> > >       netfilter: br_netfilter: skip conntrack input hook for promisc packets
> > >       netfilter: nft_set_pipapo: walk over current view on netlink dump
> > >       netfilter: flowtable: validate pppoe header
> > >       netfilter: flowtable: incorrect pppoe tuple
> > > 
> > > Ziyang Xuan (2):
> > >       netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> > >       netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> > > 
> > >  include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
> > >  include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
> > >  net/bridge/br_input.c                      | 15 +++++++++++----
> > >  net/bridge/br_netfilter_hooks.c            |  6 ++++++
> > >  net/bridge/br_private.h                    |  1 +
> > >  net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> > >  net/netfilter/nf_flow_table_inet.c         |  3 ++-
> > >  net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
> > >  net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
> > >  net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
> > >  10 files changed, 91 insertions(+), 25 deletions(-)
> > 
> > Whoops, I'm finishing testing right now todays PR, I hope it's not a
> > big issue if this lands later?
> 
> Apologies, I am working at full steam here, I could not deliver any sooner.

I'm sorry, I was likely unclear, the above was just a question (not a
complain): do you have strong preference for these fixes to land into
today's PR? (the answer is unclear to me)

Thanks!

Paolo

Re: [PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

On Thu, Apr 11, 2024 at 01:58:37PM +0200, Paolo Abeni wrote:
> On Thu, 2024-04-11 at 13:42 +0200, Pablo Neira Ayuso wrote:
> > On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> > > On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > > > Hi,
> > > > 
> > > > The following patchset contains Netfilter fixes for net:
> > > > 
> > > > Patches #1 and #2 add missing rcu read side lock when iterating over
> > > > expression and object type list which could race with module removal.
> > > > 
> > > > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > > > 	 to amend a recent fix to address conntrack confirmation race
> > > > 	 in br_netfilter and nf_conntrack_bridge.
> > > > 
> > > > Patch #4 adds and uses iterate decorator type to fetch the current
> > > > 	 pipapo set backend datastructure view when netlink dumps the
> > > > 	 set elements.
> > > > 
> > > > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> > > > 
> > > > Patch #6 flowtable validates pppoe header before accessing it.
> > > > 
> > > > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> > > >          fails and pppoe packets follow classic path.
> > > > 
> > > > Please, pull these changes from:
> > > > 
> > > >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> > > > 
> > > > Thanks.
> > > > 
> > > > ----------------------------------------------------------------
> > > > 
> > > > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> > > > 
> > > >   r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> > > > 
> > > > are available in the Git repository at:
> > > > 
> > > >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> > > > 
> > > > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> > > > 
> > > >   netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> > > > 
> > > > ----------------------------------------------------------------
> > > > netfilter pull request 24-04-11
> > > > 
> > > > ----------------------------------------------------------------
> > > > Florian Westphal (1):
> > > >       netfilter: nft_set_pipapo: do not free live element
> > > > 
> > > > Pablo Neira Ayuso (4):
> > > >       netfilter: br_netfilter: skip conntrack input hook for promisc packets
> > > >       netfilter: nft_set_pipapo: walk over current view on netlink dump
> > > >       netfilter: flowtable: validate pppoe header
> > > >       netfilter: flowtable: incorrect pppoe tuple
> > > > 
> > > > Ziyang Xuan (2):
> > > >       netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> > > >       netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> > > > 
> > > >  include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
> > > >  include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
> > > >  net/bridge/br_input.c                      | 15 +++++++++++----
> > > >  net/bridge/br_netfilter_hooks.c            |  6 ++++++
> > > >  net/bridge/br_private.h                    |  1 +
> > > >  net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> > > >  net/netfilter/nf_flow_table_inet.c         |  3 ++-
> > > >  net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
> > > >  net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
> > > >  net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
> > > >  10 files changed, 91 insertions(+), 25 deletions(-)
> > > 
> > > Whoops, I'm finishing testing right now todays PR, I hope it's not a
> > > big issue if this lands later?
> > 
> > Apologies, I am working at full steam here, I could not deliver any sooner.
> 
> I'm sorry, I was likely unclear, the above was just a question (not a
> complain): do you have strong preference for these fixes to land into
> today's PR? (the answer is unclear to me)

No problem Paolo, I can miss this flight, it is OK.

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following batch contains Netfilter fixes for net:

1) Three patches to enhance conntrack selftests for resize and clash
   resolution, from Florian Westphal.

2) Expand nft_concat_range.sh selftest to improve coverage from error
   path, from Florian Westphal.

3) Hide clash bit to userspace from netlink dumps until there is a
   good reason to expose, from Florian Westphal.

4) Revert notification for device registration/unregistration for
   nftables basechains and flowtables, we decided to go for a better
   way to handle this through the nfnetlink_hook infrastructure which
   will come via nf-next, patch from Phil Sutter.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-07-17

Thanks.

----------------------------------------------------------------

The following changes since commit 7727ec1523d7973defa1dff8f9c0aad288d04008:

  net: emaclite: Fix missing pointer increment in aligned_read() (2025-07-11 16:37:06 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-07-17

for you to fetch changes up to 2d72afb340657f03f7261e9243b44457a9228ac7:

  netfilter: nf_conntrack: fix crash due to removal of uninitialised entry (2025-07-17 11:23:33 +0200)

----------------------------------------------------------------
netfilter pull request 25-07-17

----------------------------------------------------------------
Florian Westphal (6):
      selftests: netfilter: conntrack_resize.sh: extend resize test
      selftests: netfilter: add conntrack clash resolution test case
      selftests: netfilter: conntrack_resize.sh: also use udpclash tool
      selftests: netfilter: nft_concat_range.sh: send packets to empty set
      netfilter: nf_tables: hide clash bit from userspace
      netfilter: nf_conntrack: fix crash due to removal of uninitialised entry

Phil Sutter (1):
      Revert "netfilter: nf_tables: Add notifications for hook changes"

 include/net/netfilter/nf_conntrack.h               |  15 +-
 include/net/netfilter/nf_tables.h                  |   5 -
 include/uapi/linux/netfilter/nf_tables.h           |  10 --
 include/uapi/linux/netfilter/nfnetlink.h           |   2 -
 net/netfilter/nf_conntrack_core.c                  |  26 ++-
 net/netfilter/nf_tables_api.c                      |  59 -------
 net/netfilter/nf_tables_trace.c                    |   3 +
 net/netfilter/nfnetlink.c                          |   1 -
 net/netfilter/nft_chain_filter.c                   |   2 -
 tools/testing/selftests/net/netfilter/.gitignore   |   1 +
 tools/testing/selftests/net/netfilter/Makefile     |   3 +
 .../selftests/net/netfilter/conntrack_clash.sh     | 175 +++++++++++++++++++++
 .../selftests/net/netfilter/conntrack_resize.sh    |  97 +++++++++++-
 .../selftests/net/netfilter/nft_concat_range.sh    |   3 +
 tools/testing/selftests/net/netfilter/udpclash.c   | 158 +++++++++++++++++++
 15 files changed, 468 insertions(+), 92 deletions(-)
 create mode 100755 tools/testing/selftests/net/netfilter/conntrack_clash.sh
 create mode 100644 tools/testing/selftests/net/netfilter/udpclash.c

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Reinstantiate Florian Westphal as a Netfilter maintainer.

2) Depend on both NETFILTER_XTABLES and NETFILTER_XTABLES_LEGACY,
   from Arnd Bergmann.

3) Use id to annotate last conntrack/expectation visited to resume
   netlink dump, patches from Florian Westphal.

4) Fix bogus element in nft_pipapo avx2 lookup, introduced in
   the last nf-next batch of updates, also from Florian.

5) Return 0 instead of recycling ret variable in
   nf_conntrack_log_invalid_sysctl(), introduced in the last
   nf-next batch of updates, from Dan Carpenter.

6) Fix WARN_ON_ONCE triggered by syzbot with larger cgroup level
   in nft_socket.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-08-07

Thanks.

----------------------------------------------------------------

The following changes since commit d942fe13f72bec92f6c689fbd74c5ec38228c16a:

  net: ti: icssg-prueth: Fix skb handling for XDP_PASS (2025-08-05 18:03:33 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-08-07

for you to fetch changes up to 1dee968d22eaeb3eede70df513ab3f8dd1712e3e:

  netfilter: nft_socket: remove WARN_ON_ONCE with huge level value (2025-08-07 13:19:26 +0200)

----------------------------------------------------------------
netfilter pull request 25-08-07

----------------------------------------------------------------
Arnd Bergmann (1):
      netfilter: add back NETFILTER_XTABLES dependencies

Dan Carpenter (1):
      netfilter: conntrack: clean up returns in nf_conntrack_log_invalid_sysctl()

Florian Westphal (4):
      MAINTAINERS: resurrect my netfilter maintainer entry
      netfilter: ctnetlink: fix refcount leak on table dump
      netfilter: ctnetlink: remove refcounting in expectation dumpers
      netfilter: nft_set_pipapo: don't return bogus extension pointer

Pablo Neira Ayuso (1):
      netfilter: nft_socket: remove WARN_ON_ONCE with huge level value

 MAINTAINERS                             |  1 +
 net/bridge/netfilter/Kconfig            |  1 +
 net/ipv4/netfilter/Kconfig              |  3 ++
 net/ipv6/netfilter/Kconfig              |  1 +
 net/netfilter/nf_conntrack_netlink.c    | 65 +++++++++++++++------------------
 net/netfilter/nf_conntrack_standalone.c |  6 +--
 net/netfilter/nft_set_pipapo_avx2.c     | 12 +++---
 net/netfilter/nft_socket.c              |  2 +-
 8 files changed, 46 insertions(+), 45 deletions(-)

[PATCH net 1/7] MAINTAINERS: resurrect my netfilter maintainer entry

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

This reverts commit b5048d27872a9734d142540ea23c3e897e47e05c.
Its been more than a year, hope my motivation lasts a bit longer than
last time :-)

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 MAINTAINERS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MAINTAINERS b/MAINTAINERS
index b968bc6959d1..cd9415702b28 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -17313,6 +17313,7 @@ F:	drivers/net/ethernet/neterion/
 NETFILTER
 M:	Pablo Neira Ayuso <pablo@netfilter.org>
 M:	Jozsef Kadlecsik <kadlec@netfilter.org>
+M:	Florian Westphal <fw@strlen.de>
 L:	netfilter-devel@vger.kernel.org
 L:	coreteam@netfilter.org
 S:	Maintained
-- 
2.30.2

[PATCH net 2/7] netfilter: add back NETFILTER_XTABLES dependencies

[Pablo Neira Ayuso]

From: Arnd Bergmann <arnd@arndb.de>

Some Kconfig symbols were changed to depend on the 'bool' symbol
NETFILTER_XTABLES_LEGACY, which means they can now be set to built-in
when the xtables code itself is in a loadable module:

x86_64-linux-ld: vmlinux.o: in function `arpt_unregister_table_pre_exit':
(.text+0x1831987): undefined reference to `xt_find_table'
x86_64-linux-ld: vmlinux.o: in function `get_info.constprop.0':
arp_tables.c:(.text+0x1831aab): undefined reference to `xt_request_find_table_lock'
x86_64-linux-ld: arp_tables.c:(.text+0x1831bea): undefined reference to `xt_table_unlock'
x86_64-linux-ld: vmlinux.o: in function `do_arpt_get_ctl':
arp_tables.c:(.text+0x183205d): undefined reference to `xt_find_table_lock'
x86_64-linux-ld: arp_tables.c:(.text+0x18320c1): undefined reference to `xt_table_unlock'
x86_64-linux-ld: arp_tables.c:(.text+0x183219a): undefined reference to `xt_recseq'

Change these to depend on both NETFILTER_XTABLES and
NETFILTER_XTABLES_LEGACY.

Fixes: 9fce66583f06 ("netfilter: Exclude LEGACY TABLES on PREEMPT_RT.")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Florian Westphal <fw@strlen.de>
Tested-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/bridge/netfilter/Kconfig | 1 +
 net/ipv4/netfilter/Kconfig   | 3 +++
 net/ipv6/netfilter/Kconfig   | 1 +
 3 files changed, 5 insertions(+)

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 60f28e4fb5c0..4fd5a6ea26b4 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -43,6 +43,7 @@ config NF_CONNTRACK_BRIDGE
 config BRIDGE_NF_EBTABLES_LEGACY
 	tristate "Legacy EBTABLES support"
 	depends on BRIDGE && NETFILTER_XTABLES_LEGACY
+	depends on NETFILTER_XTABLES
 	default	n
 	help
 	 Legacy ebtables packet/frame classifier.
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 2c438b140e88..7dc9772fe2d8 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -14,6 +14,7 @@ config NF_DEFRAG_IPV4
 config IP_NF_IPTABLES_LEGACY
 	tristate "Legacy IP tables support"
 	depends on NETFILTER_XTABLES_LEGACY
+	depends on NETFILTER_XTABLES
 	default	m if NETFILTER_XTABLES_LEGACY
 	help
 	  iptables is a legacy packet classifier.
@@ -326,6 +327,7 @@ endif # IP_NF_IPTABLES
 config IP_NF_ARPTABLES
 	tristate "Legacy ARPTABLES support"
 	depends on NETFILTER_XTABLES_LEGACY
+	depends on NETFILTER_XTABLES
 	default	n
 	help
 	  arptables is a legacy packet classifier.
@@ -343,6 +345,7 @@ config IP_NF_ARPFILTER
 	select IP_NF_ARPTABLES
 	select NETFILTER_FAMILY_ARP
 	depends on NETFILTER_XTABLES_LEGACY
+	depends on NETFILTER_XTABLES
 	help
 	  ARP packet filtering defines a table `filter', which has a series of
 	  rules for simple ARP packet filtering at local input and
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 276860f65baa..81daf82ddc2d 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -10,6 +10,7 @@ menu "IPv6: Netfilter Configuration"
 config IP6_NF_IPTABLES_LEGACY
 	tristate "Legacy IP6 tables support"
 	depends on INET && IPV6 && NETFILTER_XTABLES_LEGACY
+	depends on NETFILTER_XTABLES
 	default	m if NETFILTER_XTABLES_LEGACY
 	help
 	  ip6tables is a legacy packet classifier.
-- 
2.30.2

[PATCH net 3/7] netfilter: ctnetlink: fix refcount leak on table dump

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

There is a reference count leak in ctnetlink_dump_table():
      if (res < 0) {
                nf_conntrack_get(&ct->ct_general); // HERE
                cb->args[1] = (unsigned long)ct;
                ...

While its very unlikely, its possible that ct == last.
If this happens, then the refcount of ct was already incremented.
This 2nd increment is never undone.

This prevents the conntrack object from being released, which in turn
keeps prevents cnet->count from dropping back to 0.

This will then block the netns dismantle (or conntrack rmmod) as
nf_conntrack_cleanup_net_list() will wait forever.

This can be reproduced by running conntrack_resize.sh selftest in a loop.
It takes ~20 minutes for me on a preemptible kernel on average before
I see a runaway kworker spinning in nf_conntrack_cleanup_net_list.

One fix would to change this to:
        if (res < 0) {
		if (ct != last)
	                nf_conntrack_get(&ct->ct_general);

But this reference counting isn't needed in the first place.
We can just store a cookie value instead.

A followup patch will do the same for ctnetlink_exp_dump_table,
it looks to me as if this has the same problem and like
ctnetlink_dump_table, we only need a 'skip hint', not the actual
object so we can apply the same cookie strategy there as well.

Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_netlink.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 486d52b45fe5..f403acd82437 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -884,8 +884,6 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
 
 static int ctnetlink_done(struct netlink_callback *cb)
 {
-	if (cb->args[1])
-		nf_ct_put((struct nf_conn *)cb->args[1]);
 	kfree(cb->data);
 	return 0;
 }
@@ -1208,19 +1206,26 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
 	return 0;
 }
 
+static unsigned long ctnetlink_get_id(const struct nf_conn *ct)
+{
+	unsigned long id = nf_ct_get_id(ct);
+
+	return id ? id : 1;
+}
+
 static int
 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 {
 	unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0;
 	struct net *net = sock_net(skb->sk);
-	struct nf_conn *ct, *last;
+	unsigned long last_id = cb->args[1];
 	struct nf_conntrack_tuple_hash *h;
 	struct hlist_nulls_node *n;
 	struct nf_conn *nf_ct_evict[8];
+	struct nf_conn *ct;
 	int res, i;
 	spinlock_t *lockp;
 
-	last = (struct nf_conn *)cb->args[1];
 	i = 0;
 
 	local_bh_disable();
@@ -1257,7 +1262,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 				continue;
 
 			if (cb->args[1]) {
-				if (ct != last)
+				if (ctnetlink_get_id(ct) != last_id)
 					continue;
 				cb->args[1] = 0;
 			}
@@ -1270,8 +1275,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 					    NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
 					    ct, true, flags);
 			if (res < 0) {
-				nf_conntrack_get(&ct->ct_general);
-				cb->args[1] = (unsigned long)ct;
+				cb->args[1] = ctnetlink_get_id(ct);
 				spin_unlock(lockp);
 				goto out;
 			}
@@ -1284,12 +1288,10 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 	}
 out:
 	local_bh_enable();
-	if (last) {
+	if (last_id) {
 		/* nf ct hash resize happened, now clear the leftover. */
-		if ((struct nf_conn *)cb->args[1] == last)
+		if (cb->args[1] == last_id)
 			cb->args[1] = 0;
-
-		nf_ct_put(last);
 	}
 
 	while (i) {
-- 
2.30.2

[PATCH net 4/7] netfilter: ctnetlink: remove refcounting in expectation dumpers

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

Same pattern as previous patch: do not keep the expectation object
alive via refcount, only store a cookie value and then use that
as the skip hint for dump resumption.

AFAICS this has the same issue as the one resolved in the conntrack
dumper, when we do
  if (!refcount_inc_not_zero(&exp->use))

to increment the refcount, there is a chance that exp == last, which
causes a double-increment of the refcount and subsequent memory leak.

Fixes: cf6994c2b981 ("[NETFILTER]: nf_conntrack_netlink: sync expectation dumping with conntrack table dumping")
Fixes: e844a928431f ("netfilter: ctnetlink: allow to dump expectation per master conntrack")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_netlink.c | 41 ++++++++++++----------------
 1 file changed, 17 insertions(+), 24 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index f403acd82437..50fd6809380f 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3170,23 +3170,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item)
 	return 0;
 }
 #endif
-static int ctnetlink_exp_done(struct netlink_callback *cb)
+
+static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp)
 {
-	if (cb->args[1])
-		nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
-	return 0;
+	unsigned long id = (unsigned long)exp;
+
+	id += nf_ct_get_id(exp->master);
+	id += exp->class;
+
+	return id ? id : 1;
 }
 
 static int
 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 {
 	struct net *net = sock_net(skb->sk);
-	struct nf_conntrack_expect *exp, *last;
 	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
 	u_int8_t l3proto = nfmsg->nfgen_family;
+	unsigned long last_id = cb->args[1];
+	struct nf_conntrack_expect *exp;
 
 	rcu_read_lock();
-	last = (struct nf_conntrack_expect *)cb->args[1];
 	for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
 restart:
 		hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
@@ -3198,7 +3202,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 				continue;
 
 			if (cb->args[1]) {
-				if (exp != last)
+				if (ctnetlink_exp_id(exp) != last_id)
 					continue;
 				cb->args[1] = 0;
 			}
@@ -3207,9 +3211,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 						    cb->nlh->nlmsg_seq,
 						    IPCTNL_MSG_EXP_NEW,
 						    exp) < 0) {
-				if (!refcount_inc_not_zero(&exp->use))
-					continue;
-				cb->args[1] = (unsigned long)exp;
+				cb->args[1] = ctnetlink_exp_id(exp);
 				goto out;
 			}
 		}
@@ -3220,32 +3222,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 	}
 out:
 	rcu_read_unlock();
-	if (last)
-		nf_ct_expect_put(last);
-
 	return skb->len;
 }
 
 static int
 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 {
-	struct nf_conntrack_expect *exp, *last;
 	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
 	struct nf_conn *ct = cb->data;
 	struct nf_conn_help *help = nfct_help(ct);
 	u_int8_t l3proto = nfmsg->nfgen_family;
+	unsigned long last_id = cb->args[1];
+	struct nf_conntrack_expect *exp;
 
 	if (cb->args[0])
 		return 0;
 
 	rcu_read_lock();
-	last = (struct nf_conntrack_expect *)cb->args[1];
+
 restart:
 	hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
 		if (l3proto && exp->tuple.src.l3num != l3proto)
 			continue;
 		if (cb->args[1]) {
-			if (exp != last)
+			if (ctnetlink_exp_id(exp) != last_id)
 				continue;
 			cb->args[1] = 0;
 		}
@@ -3253,9 +3253,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 					    cb->nlh->nlmsg_seq,
 					    IPCTNL_MSG_EXP_NEW,
 					    exp) < 0) {
-			if (!refcount_inc_not_zero(&exp->use))
-				continue;
-			cb->args[1] = (unsigned long)exp;
+			cb->args[1] = ctnetlink_exp_id(exp);
 			goto out;
 		}
 	}
@@ -3266,9 +3264,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 	cb->args[0] = 1;
 out:
 	rcu_read_unlock();
-	if (last)
-		nf_ct_expect_put(last);
-
 	return skb->len;
 }
 
@@ -3287,7 +3282,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
 	struct nf_conntrack_zone zone;
 	struct netlink_dump_control c = {
 		.dump = ctnetlink_exp_ct_dump_table,
-		.done = ctnetlink_exp_done,
 	};
 
 	err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
@@ -3337,7 +3331,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb,
 		else {
 			struct netlink_dump_control c = {
 				.dump = ctnetlink_exp_dump_table,
-				.done = ctnetlink_exp_done,
 			};
 			return netlink_dump_start(info->sk, skb, info->nlh, &c);
 		}
-- 
2.30.2

[PATCH net 5/7] netfilter: nft_set_pipapo: don't return bogus extension pointer

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

Dan Carpenter says:
Commit 17a20e09f086 ("netfilter: nft_set: remove one argument from
lookup and update functions") [..] leads to the following Smatch
static checker warning:

 net/netfilter/nft_set_pipapo_avx2.c:1269 nft_pipapo_avx2_lookup()
 error: uninitialized symbol 'ext'.

Fix this by initing ext to NULL and set it only once we've found
a match.

Fixes: 17a20e09f086 ("netfilter: nft_set: remove one argument from lookup and update functions")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/netfilter-devel/aJBzc3V5wk-yPOnH@stanley.mountain/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_set_pipapo_avx2.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index db5d367e43c4..2f090e253caf 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1150,12 +1150,12 @@ nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
 		       const u32 *key)
 {
 	struct nft_pipapo *priv = nft_set_priv(set);
+	const struct nft_set_ext *ext = NULL;
 	struct nft_pipapo_scratch *scratch;
 	u8 genmask = nft_genmask_cur(net);
 	const struct nft_pipapo_match *m;
 	const struct nft_pipapo_field *f;
 	const u8 *rp = (const u8 *)key;
-	const struct nft_set_ext *ext;
 	unsigned long *res, *fill;
 	bool map_index;
 	int i;
@@ -1246,13 +1246,13 @@ nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
 			goto out;
 
 		if (last) {
-			ext = &f->mt[ret].e->ext;
-			if (unlikely(nft_set_elem_expired(ext) ||
-				     !nft_set_elem_active(ext, genmask))) {
-				ext = NULL;
+			const struct nft_set_ext *e = &f->mt[ret].e->ext;
+
+			if (unlikely(nft_set_elem_expired(e) ||
+				     !nft_set_elem_active(e, genmask)))
 				goto next_match;
-			}
 
+			ext = e;
 			goto out;
 		}
 
-- 
2.30.2

[PATCH net 6/7] netfilter: conntrack: clean up returns in nf_conntrack_log_invalid_sysctl()

[Pablo Neira Ayuso]

From: Dan Carpenter <dan.carpenter@linaro.org>

Smatch complains that these look like error paths with missing error
codes, especially the one where we return if nf_log_is_registered() is
true:

    net/netfilter/nf_conntrack_standalone.c:575 nf_conntrack_log_invalid_sysctl()
    warn: missing error code? 'ret'

In fact, all these return zero deliberately.  Change them to return a
literal instead which helps readability as well as silencing the warning.

Fixes: e89a68046687 ("netfilter: load nf_log_syslog on enabling nf_conntrack_log_invalid")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Acked-by: Lance Yang <lance.yang@linux.dev>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_standalone.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 9b8b10a85233..1f14ef0436c6 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -567,16 +567,16 @@ nf_conntrack_log_invalid_sysctl(const struct ctl_table *table, int write,
 		return ret;
 
 	if (*(u8 *)table->data == 0)
-		return ret;
+		return 0;
 
 	/* Load nf_log_syslog only if no logger is currently registered */
 	for (i = 0; i < NFPROTO_NUMPROTO; i++) {
 		if (nf_log_is_registered(i))
-			return ret;
+			return 0;
 	}
 	request_module("%s", "nf_log_syslog");
 
-	return ret;
+	return 0;
 }
 
 static struct ctl_table_header *nf_ct_netfilter_header;
-- 
2.30.2

[PATCH net 7/7] netfilter: nft_socket: remove WARN_ON_ONCE with huge level value

[Pablo Neira Ayuso]

syzbot managed to reach this WARN_ON_ONCE by passing a huge level
value, remove it.

  WARNING: CPU: 0 PID: 5853 at net/netfilter/nft_socket.c:220 nft_socket_init+0x2f4/0x3d0 net/netfilter/nft_socket.c:220

Reported-by: syzbot+a225fea35d7baf8dbdc3@syzkaller.appspotmail.com
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
index 35d0409b0095..36affbb697c2 100644
--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -217,7 +217,7 @@ static int nft_socket_init(const struct nft_ctx *ctx,
 
 		level += err;
 		/* Implies a giant cgroup tree */
-		if (WARN_ON_ONCE(level > 255))
+		if (level > 255)
 			return -EOPNOTSUPP;
 
 		priv->level = level;
-- 
2.30.2

Re: [PATCH net 1/7] MAINTAINERS: resurrect my netfilter maintainer entry

[Eric Dumazet]

On Thu, Aug 7, 2025 at 4:29 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> From: Florian Westphal <fw@strlen.de>
>
> This reverts commit b5048d27872a9734d142540ea23c3e897e47e05c.
> Its been more than a year, hope my motivation lasts a bit longer than
> last time :-)
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Oh very nice, welcome back Florian !

Re: [PATCH net 1/7] MAINTAINERS: resurrect my netfilter maintainer entry

[Simon Horman]

On Thu, Aug 07, 2025 at 04:35:52AM -0700, Eric Dumazet wrote:
> On Thu, Aug 7, 2025 at 4:29 AM Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > From: Florian Westphal <fw@strlen.de>
> >
> > This reverts commit b5048d27872a9734d142540ea23c3e897e47e05c.
> > Its been more than a year, hope my motivation lasts a bit longer than
> > last time :-)
> >
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> Oh very nice, welcome back Florian !

Yes, very nice indeed. Welcome back Florian !

Re: [PATCH net 1/7] MAINTAINERS: resurrect my netfilter maintainer entry

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu,  7 Aug 2025 13:29:42 +0200 you wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> This reverts commit b5048d27872a9734d142540ea23c3e897e47e05c.
> Its been more than a year, hope my motivation lasts a bit longer than
> last time :-)
> 
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> [...]

Here is the summary with links:
  - [net,1/7] MAINTAINERS: resurrect my netfilter maintainer entry
    https://git.kernel.org/netdev/net/c/f752adfaf5f7
  - [net,2/7] netfilter: add back NETFILTER_XTABLES dependencies
    https://git.kernel.org/netdev/net/c/25a8b88f000c
  - [net,3/7] netfilter: ctnetlink: fix refcount leak on table dump
    https://git.kernel.org/netdev/net/c/de788b2e6227
  - [net,4/7] netfilter: ctnetlink: remove refcounting in expectation dumpers
    https://git.kernel.org/netdev/net/c/1492e3dcb2be
  - [net,5/7] netfilter: nft_set_pipapo: don't return bogus extension pointer
    https://git.kernel.org/netdev/net/c/c8a7c2c60818
  - [net,6/7] netfilter: conntrack: clean up returns in nf_conntrack_log_invalid_sysctl()
    https://git.kernel.org/netdev/net/c/f54186df806f
  - [net,7/7] netfilter: nft_socket: remove WARN_ON_ONCE with huge level value
    https://git.kernel.org/netdev/net/c/1dee968d22ea

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Re: [PATCH net 1/7] MAINTAINERS: resurrect my netfilter maintainer entry

[Antonio Ojea]

> From: Florian Westphal <fw@strlen.de>
>
> This reverts commit b5048d27872a9734d142540ea23c3e897e47e05c.
> Its been more than a year, hope my motivation lasts a bit longer than
> last time :-)

This is fantastic news !