[PATCH net 0/2] netfilter updates for net

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net 0/2] netfilter updates for net
@ 2025-08-27 13:38 Florian Westphal
  2025-08-27 13:38 ` [PATCH net 1/2] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Florian Westphal
  2025-08-27 13:39 ` [PATCH net 2/2] netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Florian Westphal
  0 siblings, 2 replies; 5+ messages in thread
From: Florian Westphal @ 2025-08-27 13:38 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, pablo

Hi,

The following patchset contains Netfilter fixes for *net*:

1) Remove bogus WARN_ON in br_netfilter that came in 6.8.
   This is now more prominent due to
   2d72afb34065 ("netfilter: nf_conntrack: fix crash due to removal of
   uninitialised entry"). From Wang Liang.

2) Better error reporting when a helper module clashes with
   an existing helper name: -EEXIST makes modprobe believe that the
   module is already loaded, so error message is elided.
   from Phil Sutter.

Please, pull these changes from:
The following changes since commit 9448ccd853368582efa9db05db344f8bb9dffe0f:

  net: hv_netvsc: fix loss of early receive events from host during channel open. (2025-08-26 18:15:19 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-08-27

for you to fetch changes up to 54416fd76770bd04fc3c501810e8d673550bab26:

  netfilter: conntrack: helper: Replace -EEXIST by -EBUSY (2025-08-27 11:53:38 +0200)

----------------------------------------------------------------
netfilter pull request nf-25-08-27

----------------------------------------------------------------

Phil Sutter (1):
  netfilter: conntrack: helper: Replace -EEXIST by -EBUSY

Wang Liang (1):
  netfilter: br_netfilter: do not check confirmed bit in
    br_nf_local_in() after confirm

 net/bridge/br_netfilter_hooks.c     | 3 ---
 net/netfilter/nf_conntrack_helper.c | 4 ++--
 2 files changed, 2 insertions(+), 5 deletions(-)

-- 
2.49.1

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH net 1/2] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
  2025-08-27 13:38 [PATCH net 0/2] netfilter updates for net Florian Westphal
@ 2025-08-27 13:38 ` Florian Westphal
  2025-08-30  2:10   ` patchwork-bot+netdevbpf
  2025-08-27 13:39 ` [PATCH net 2/2] netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Florian Westphal
  1 sibling, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2025-08-27 13:38 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, pablo, Wang Liang

From: Wang Liang <wangliang74@huawei.com>

When send a broadcast packet to a tap device, which was added to a bridge,
br_nf_local_in() is called to confirm the conntrack. If another conntrack
with the same hash value is added to the hash table, which can be
triggered by a normal packet to a non-bridge device, the below warning
may happen.

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
  CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
  RIP: 0010:br_nf_local_in+0x168/0x200
  Call Trace:
   <TASK>
   nf_hook_slow+0x3e/0xf0
   br_pass_frame_up+0x103/0x180
   br_handle_frame_finish+0x2de/0x5b0
   br_nf_hook_thresh+0xc0/0x120
   br_nf_pre_routing_finish+0x168/0x3a0
   br_nf_pre_routing+0x237/0x5e0
   br_handle_frame+0x1ec/0x3c0
   __netif_receive_skb_core+0x225/0x1210
   __netif_receive_skb_one_core+0x37/0xa0
   netif_receive_skb+0x36/0x160
   tun_get_user+0xa54/0x10c0
   tun_chr_write_iter+0x65/0xb0
   vfs_write+0x305/0x410
   ksys_write+0x60/0xd0
   do_syscall_64+0xa4/0x260
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>
  ---[ end trace 0000000000000000 ]---

To solve the hash conflict, nf_ct_resolve_clash() try to merge the
conntracks, and update skb->_nfct. However, br_nf_local_in() still use the
old ct from local variable 'nfct' after confirm(), which leads to this
warning.

If confirm() does not insert the conntrack entry and return NF_DROP, the
warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
remove it.

Link: https://lore.kernel.org/netdev/20250820043329.2902014-1-wangliang74@huawei.com/
Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/bridge/br_netfilter_hooks.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 94cbe967d1c1..083e2fe96441 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -626,9 +626,6 @@ static unsigned int br_nf_local_in(void *priv,
 		break;
 	}
 
-	ct = container_of(nfct, struct nf_conn, ct_general);
-	WARN_ON_ONCE(!nf_ct_is_confirmed(ct));
-
 	return ret;
 }
 #endif
-- 
2.49.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH net 1/2] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
  2025-08-27 13:38 ` [PATCH net 1/2] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Florian Westphal
@ 2025-08-30  2:10   ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-08-30  2:10 UTC (permalink / raw)
  To: Florian Westphal
  Cc: netdev, pabeni, davem, edumazet, kuba, netfilter-devel, pablo,
	wangliang74

Hello:

This series was applied to netdev/net.git (main)
by Florian Westphal <fw@strlen.de>:

On Wed, 27 Aug 2025 15:38:59 +0200 you wrote:
> From: Wang Liang <wangliang74@huawei.com>
> 
> When send a broadcast packet to a tap device, which was added to a bridge,
> br_nf_local_in() is called to confirm the conntrack. If another conntrack
> with the same hash value is added to the hash table, which can be
> triggered by a normal packet to a non-bridge device, the below warning
> may happen.
> 
> [...]

Here is the summary with links:
  - [net,1/2] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
    https://git.kernel.org/netdev/net/c/479a54ab9208
  - [net,2/2] netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
    https://git.kernel.org/netdev/net/c/54416fd76770

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH net 2/2] netfilter: conntrack: helper: Replace -EEXIST by -EBUSY
  2025-08-27 13:38 [PATCH net 0/2] netfilter updates for net Florian Westphal
  2025-08-27 13:38 ` [PATCH net 1/2] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Florian Westphal
@ 2025-08-27 13:39 ` Florian Westphal
  1 sibling, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2025-08-27 13:39 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, pablo, Phil Sutter, Christophe Leroy

From: Phil Sutter <phil@nwl.cc>

The helper registration return value is passed-through by module_init
callbacks which modprobe confuses with the harmless -EEXIST returned
when trying to load an already loaded module.

Make sure modprobe fails so users notice their helper has not been
registered and won't work.

Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 4ed5878cb25b..ceb48c3ca0a4 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -368,7 +368,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
 			    (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
 			     cur->tuple.src.l3num == me->tuple.src.l3num) &&
 			    cur->tuple.dst.protonum == me->tuple.dst.protonum) {
-				ret = -EEXIST;
+				ret = -EBUSY;
 				goto out;
 			}
 		}
@@ -379,7 +379,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
 		hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
 			if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
 						     &mask)) {
-				ret = -EEXIST;
+				ret = -EBUSY;
 				goto out;
 			}
 		}
-- 
2.49.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH net 0/2] netfilter: updates for net
@ 2025-09-02 18:58 Florian Westphal
  0 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2025-09-02 18:58 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, pablo

Hi,

The following patchset contains Netfilter fixes for *net*:

1) Fix a silly bug in conntrack selftest, busyloop may get optimized to
   for (;;), reported by Yi Chen.

2) Introduce new NFTA_DEVICE_PREFIX attribute in nftables netlink api,
   re-using old NFTA_DEVICE_NAME led to confusion with different
   kernel/userspace versions.  This refines the wildcard interface
   support added in 6.16 release.  From Phil Sutter.

Please, pull these changes from:
The following changes since commit a6099f263e1f408bcc7913c9df24b0677164fc5d:

  net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev (2025-09-02 14:51:45 +0200)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-09-02

for you to fetch changes up to 745d9ca5317a03b55016cdd810e4d2aac57f45df:

  netfilter: nf_tables: Introduce NFTA_DEVICE_PREFIX (2025-09-02 20:52:28 +0200)

----------------------------------------------------------------
netfilter pull request nf-25-09-02

----------------------------------------------------------------
Florian Westphal (1):
      selftests: netfilter: fix udpclash tool hang

Phil Sutter (1):
      netfilter: nf_tables: Introduce NFTA_DEVICE_PREFIX

 include/uapi/linux/netfilter/nf_tables.h           |  2 ++
 net/netfilter/nf_tables_api.c                      | 42 ++++++++++++++++------
 .../selftests/net/netfilter/conntrack_clash.sh     |  2 +-
 .../selftests/net/netfilter/conntrack_resize.sh    |  5 +--
 tools/testing/selftests/net/netfilter/udpclash.c   |  3 +-
 5 files changed, 39 insertions(+), 15 deletions(-)

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2025-09-02 18:59 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-27 13:38 [PATCH net 0/2] netfilter updates for net Florian Westphal
2025-08-27 13:38 ` [PATCH net 1/2] netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm Florian Westphal
2025-08-30  2:10   ` patchwork-bot+netdevbpf
2025-08-27 13:39 ` [PATCH net 2/2] netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Florian Westphal
  -- strict thread matches above, loose matches on Subject: below --
2025-09-02 18:58 [PATCH net 0/2] netfilter: updates for net Florian Westphal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).