* [PATCH net 0/2] Netfilter fixes for net
@ 2021-06-02 12:44 Pablo Neira Ayuso
  2021-06-02 12:44 ` [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack Pablo Neira Ayuso
  2021-06-02 12:44 ` [PATCH net 2/2] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Pablo Neira Ayuso
  0 siblings, 2 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-02 12:44 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Do not allow to add conntrack helper extension for confirmed
   conntracks in the nf_tables ct expectation support.

2) Fix bogus EBUSY in nfnetlink_cthelper when NFCTH_PRIV_DATA_LEN
   is passed on userspace helper updates.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thank you!

----------------------------------------------------------------

The following changes since commit b000372627ce9dbbe641dafbf40db0718276ab77:

  MAINTAINERS: nfc mailing lists are subscribers-only (2021-06-01 17:09:28 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 8971ee8b087750a23f3cd4dc55bff2d0303fd267:

  netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches (2021-06-02 12:43:50 +0200)

----------------------------------------------------------------
Pablo Neira Ayuso (2):
      netfilter: nft_ct: skip expectations for confirmed conntrack
      netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches

 net/netfilter/nfnetlink_cthelper.c | 8 ++++++--
 net/netfilter/nft_ct.c             | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)


* [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack
  2021-06-02 12:44 [PATCH net 0/2] Netfilter fixes for net Pablo Neira Ayuso
@ 2021-06-02 12:44 ` Pablo Neira Ayuso
  2021-06-03 21:00   ` patchwork-bot+netdevbpf
  2021-06-02 12:44 ` [PATCH net 2/2] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Pablo Neira Ayuso
  1 sibling, 1 reply; 22+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-02 12:44 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
conntrack entry. However, nf_ct_ext_add() can only be called for
!nf_ct_is_confirmed().

[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
[ 1825.352240] FS:  00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
[ 1825.352343] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
[ 1825.352508] Call Trace:
[ 1825.352544]  nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
[ 1825.352641]  nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
[ 1825.352716]  nft_do_chain+0x232/0x850 [nf_tables]

Add the ct helper extension only for unconfirmed conntrack. Skip rule
evaluation if the ct helper extension does not exist. Thus, you can
only create expectations from the first packet.

It should be possible to remove this limitation by adding a new action
to attach a generic ct helper to the first packet. Then, use this ct
helper extension from follow up packets to create the ct expectation.

While at it, add a missing check to skip the template conntrack too
and remove check for IPCT_UNTRACK which is implicit to !ct.

Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_ct.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 0592a9456084..337e22d8b40b 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1217,7 +1217,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
 	struct nf_conn *ct;
 
 	ct = nf_ct_get(pkt->skb, &ctinfo);
-	if (!ct || ctinfo == IP_CT_UNTRACKED) {
+	if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) {
 		regs->verdict.code = NFT_BREAK;
 		return;
 	}
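
Review bot: The commit message says rule evaluation is skipped "if the ct
helper extension does not exist", but this one-line change to the early
return in nft_ct_expect_obj_eval() only tests nf_ct_is_confirmed() and
nf_ct_is_template(); the diffstat (1 insertion, 1 deletion) shows no check
on the extension itself, so the message and the code should be brought
into agreement. Since every packet of a confirmed conntrack now returns
NFT_BREAK without any trace, a short comment above the condition stating
that nf_ct_ext_add() is only valid for unconfirmed entries, and that
expectations are therefore created from the first packet only, would keep
that limitation visible to whoever reads the function next.
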
-- 
2.20.1



* [PATCH net 2/2] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches
  2021-06-02 12:44 [PATCH net 0/2] Netfilter fixes for net Pablo Neira Ayuso
  2021-06-02 12:44 ` [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack Pablo Neira Ayuso
@ 2021-06-02 12:44 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2021-06-02 12:44 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

The private helper data size cannot be updated. However, updates that
contain NFCTH_PRIV_DATA_LEN might bogusly hit EBUSY even if the size is
the same.

Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink_cthelper.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 322ac5dd5402..752b10cae524 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -380,10 +380,14 @@ static int
 nfnl_cthelper_update(const struct nlattr * const tb[],
 		     struct nf_conntrack_helper *helper)
 {
+	u32 size;
 	int ret;
 
-	if (tb[NFCTH_PRIV_DATA_LEN])
-		return -EBUSY;
+	if (tb[NFCTH_PRIV_DATA_LEN]) {
+		size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
+		if (size != helper->data_len)
+			return -EBUSY;
+	}
 
 	if (tb[NFCTH_POLICY]) {
 		ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
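
Review bot: In nfnl_cthelper_update(), "size" is used only inside the
tb[NFCTH_PRIV_DATA_LEN] branch, so it can be declared in that block or
dropped by comparing ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN])) against
helper->data_len directly. The hunk does not show the type of
helper->data_len or the netlink policy entry for NFCTH_PRIV_DATA_LEN;
it is worth confirming that the policy enforces a 32-bit attribute before
nla_get_be32() reads it on this path. A one-line comment that the private
data size cannot change after the helper is created would keep the
rationale in the code rather than only in the commit message.
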
-- 
2.20.1



* Re: [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack
  2021-06-02 12:44 ` [PATCH net 1/2] netfilter: nft_ct: skip expectations for confirmed conntrack Pablo Neira Ayuso
@ 2021-06-03 21:00   ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 22+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-06-03 21:00 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba

Hello:

This series was applied to netdev/net.git (refs/heads/master):

On Wed,  2 Jun 2021 14:44:29 +0200 you wrote:
> nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
> conntrack entry. However, nf_ct_ext_add() can only be called for
> !nf_ct_is_confirmed().
> 
> [ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
> [ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
> [ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
> [ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
> [ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
> [ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
> [ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
> [ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
> [ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
> [ 1825.352240] FS:  00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
> [ 1825.352343] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
> [ 1825.352508] Call Trace:
> [ 1825.352544]  nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
> [ 1825.352641]  nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
> [ 1825.352716]  nft_do_chain+0x232/0x850 [nf_tables]
> 
> [...]

Here is the summary with links:
  - [net,1/2] netfilter: nft_ct: skip expectations for confirmed conntrack
    https://git.kernel.org/netdev/net/c/1710eb913bdc
  - [net,2/2] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches
    https://git.kernel.org/netdev/net/c/8971ee8b0877

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html




* [PATCH net 0/2] Netfilter fixes for net
@ 2024-01-03 11:29 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2024-01-03 11:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix nat packets in the related state in OVS, from Brad Cowie.

2) Drop chain reference counter on error path in case chain binding
   fails.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-03

Thanks.

----------------------------------------------------------------

The following changes since commit 9bf2e9165f90dc9f416af53c902be7e33930f728:

  net: qrtr: ns: Return 0 if server port is not present (2024-01-01 18:41:29 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-03

for you to fetch changes up to b29be0ca8e816119ccdf95cc7d7c7be9bde005f1:

  netfilter: nft_immediate: drop chain reference counter on error (2024-01-03 11:17:17 +0100)

----------------------------------------------------------------
netfilter pull request 24-01-03

----------------------------------------------------------------
Brad Cowie (1):
      netfilter: nf_nat: fix action not being set for all ct states

Pablo Neira Ayuso (1):
      netfilter: nft_immediate: drop chain reference counter on error

 net/netfilter/nf_nat_ovs.c    | 3 ++-
 net/netfilter/nft_immediate.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)


* Re: [PATCH net 0/2] Netfilter fixes for net
  2023-12-22 10:49 ` Pablo Neira Ayuso
@ 2023-12-22 10:53   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2023-12-22 10:53 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

On Fri, Dec 22, 2023 at 11:49:14AM +0100, Pablo Neira Ayuso wrote:
> On Fri, Dec 22, 2023 at 11:42:03AM +0100, Pablo Neira Ayuso wrote:
> > [ resent, apparently this was only posted to netfilter-devel@vger.kernel.org,
> >   not to netdev@vger.kernel.org ]
> 
> For the record, previous is still in patchwork:
> 
> https://patchwork.kernel.org/project/netdevbpf/patch/20231220151544.270214-1-pablo@netfilter.org/

Actually, I Cc'ed netdev@vger.kernel.org in PR from Dec 20.

So this PR got lost?


* Re: [PATCH net 0/2] Netfilter fixes for net
  2023-12-22 10:42 Pablo Neira Ayuso
@ 2023-12-22 10:49 ` Pablo Neira Ayuso
  2023-12-22 10:53   ` Pablo Neira Ayuso
  0 siblings, 1 reply; 22+ messages in thread
From: Pablo Neira Ayuso @ 2023-12-22 10:49 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

On Fri, Dec 22, 2023 at 11:42:03AM +0100, Pablo Neira Ayuso wrote:
> [ resent, apparently this was only posted to netfilter-devel@vger.kernel.org,
>   not to netdev@vger.kernel.org ]

For the record, previous is still in patchwork:

https://patchwork.kernel.org/project/netdevbpf/patch/20231220151544.270214-1-pablo@netfilter.org/

> Hi,
> 
> The following patchset contains Netfilter fixes for net:
> 
> 1) Skip set commit for deleted/destroyed sets, this might trigger
>    double deactivation of expired elements.
> 
> 2) Fix packet mangling from egress, set transport offset from
>    mac header for netdev/egress.
> 
> Both fixes address bugs already present in several releases.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-12-20
> 
> Thanks.
> 
> ----------------------------------------------------------------
> 
> The following changes since commit 8353c2abc02cf8302d5e6177b706c1879e7b833c:
> 
>   Merge branch 'check-vlan-filter-feature-in-vlan_vids_add_by_dev-and-vlan_vids_del_by_dev' (2023-12-19 13:13:59 +0100)
> 
> are available in the Git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-12-20
> 
> for you to fetch changes up to 7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a:
> 
>   netfilter: nf_tables: skip set commit for deleted/destroyed sets (2023-12-20 13:48:00 +0100)
> 
> ----------------------------------------------------------------
> netfilter pull request 23-12-20
> 
> ----------------------------------------------------------------
> Pablo Neira Ayuso (2):
>       netfilter: nf_tables: set transport offset from mac header for netdev/egress
>       netfilter: nf_tables: skip set commit for deleted/destroyed sets
> 
>  include/net/netfilter/nf_tables_ipv4.h | 2 +-
>  net/netfilter/nf_tables_api.c          | 2 +-
>  net/netfilter/nf_tables_core.c         | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)
> 


* [PATCH net 0/2] Netfilter fixes for net
@ 2023-12-22 10:42 Pablo Neira Ayuso
  2023-12-22 10:49 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 22+ messages in thread
From: Pablo Neira Ayuso @ 2023-12-22 10:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

[ resent, apparently this was only posted to netfilter-devel@vger.kernel.org,
  not to netdev@vger.kernel.org ]

Hi,

The following patchset contains Netfilter fixes for net:

1) Skip set commit for deleted/destroyed sets, this might trigger
   double deactivation of expired elements.

2) Fix packet mangling from egress, set transport offset from
   mac header for netdev/egress.

Both fixes address bugs already present in several releases.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-12-20

Thanks.

----------------------------------------------------------------

The following changes since commit 8353c2abc02cf8302d5e6177b706c1879e7b833c:

  Merge branch 'check-vlan-filter-feature-in-vlan_vids_add_by_dev-and-vlan_vids_del_by_dev' (2023-12-19 13:13:59 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-12-20

for you to fetch changes up to 7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a:

  netfilter: nf_tables: skip set commit for deleted/destroyed sets (2023-12-20 13:48:00 +0100)

----------------------------------------------------------------
netfilter pull request 23-12-20

----------------------------------------------------------------
Pablo Neira Ayuso (2):
      netfilter: nf_tables: set transport offset from mac header for netdev/egress
      netfilter: nf_tables: skip set commit for deleted/destroyed sets

 include/net/netfilter/nf_tables_ipv4.h | 2 +-
 net/netfilter/nf_tables_api.c          | 2 +-
 net/netfilter/nf_tables_core.c         | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2023-12-20 15:15 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2023-12-20 15:15 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Hi,

The following patchset contains Netfilter fixes for net:

1) Skip set commit for deleted/destroyed sets, this might trigger
   double deactivation of expired elements.

2) Fix packet mangling from egress, set transport offset from
   mac header for netdev/egress.

Both fixes address bugs already present in several releases.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-12-20

Thanks.

----------------------------------------------------------------

The following changes since commit 8353c2abc02cf8302d5e6177b706c1879e7b833c:

  Merge branch 'check-vlan-filter-feature-in-vlan_vids_add_by_dev-and-vlan_vids_del_by_dev' (2023-12-19 13:13:59 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-12-20

for you to fetch changes up to 7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a:

  netfilter: nf_tables: skip set commit for deleted/destroyed sets (2023-12-20 13:48:00 +0100)

----------------------------------------------------------------
netfilter pull request 23-12-20

----------------------------------------------------------------
Pablo Neira Ayuso (2):
      netfilter: nf_tables: set transport offset from mac header for netdev/egress
      netfilter: nf_tables: skip set commit for deleted/destroyed sets

 include/net/netfilter/nf_tables_ipv4.h | 2 +-
 net/netfilter/nf_tables_api.c          | 2 +-
 net/netfilter/nf_tables_core.c         | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2023-10-25 10:08 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2023-10-25 10:08 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Hi,

This patch contains two late Netfilter's flowtable fixes for net:

1) Flowtable GC pushes back packets to classic path in every GC run,
   ie. every second. This is because NF_FLOW_HW_ESTABLISHED is only
   used by sched/act_ct (never set) and IPS_SEEN_REPLY might be unset
   by the time the flow is offloaded (this status bit is only reliable
   in the sched/act_ct datapath).

2) sched/act_ct logic to push back packets to classic path to reevaluate
   if UDP flow is unidirectional only applies if IPS_HW_OFFLOAD_BIT is
   set on and no hardware offload request is pending to be handled.
   From Vlad Buslov.

These two patches fix two problems that were introduced in the
previous 6.5 development cycle.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-10-25

Thanks.

----------------------------------------------------------------

The following changes since commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad:

  tcp: fix wrong RTO timeout when received SACK reneging (2023-10-22 11:47:44 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-10-25

for you to fetch changes up to a63b6622120cd03a304796dbccb80655b3a21798:

  net/sched: act_ct: additional checks for outdated flows (2023-10-25 11:35:57 +0200)

----------------------------------------------------------------
netfilter pull request 23-10-25

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      netfilter: flowtable: GC pushes back packets to classic path

Vlad Buslov (1):
      net/sched: act_ct: additional checks for outdated flows

 include/net/netfilter/nf_flow_table.h |  1 +
 net/netfilter/nf_flow_table_core.c    | 14 +++++++-------
 net/sched/act_ct.c                    |  9 +++++++++
 3 files changed, 17 insertions(+), 7 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2023-04-21 10:56 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2023-04-21 10:56 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains late Netfilter fixes for net:

1) Set on IPS_CONFIRMED before change_status() otherwise EBUSY is
   bogusly hit. This bug was introduced in the 6.3 release cycle.

2) Fix nfnetlink_queue conntrack support: Set/dump timeout
   accordingly for unconfirmed conntrack entries. Make sure this
   is done after IPS_CONFIRMED is set on. This is an old bug, it
   happens since the introduction of this feature.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-04-21

Thanks.

----------------------------------------------------------------

The following changes since commit 92e8c732d8518588ac34b4cb3feaf37d2cb87555:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf (2023-04-18 20:46:31 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-04-21

for you to fetch changes up to 73db1b8f2bb6725b7391e85aab41fdf592b3c0c1:

  netfilter: conntrack: fix wrong ct->timeout value (2023-04-19 12:08:38 +0200)

----------------------------------------------------------------
netfilter pull request

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert()

Tzung-Bi Shih (1):
      netfilter: conntrack: fix wrong ct->timeout value

 include/net/netfilter/nf_conntrack_core.h |  6 +++++-
 net/netfilter/nf_conntrack_bpf.c          |  1 +
 net/netfilter/nf_conntrack_core.c         |  1 -
 net/netfilter/nf_conntrack_netlink.c      | 16 ++++++++++++----
 4 files changed, 18 insertions(+), 6 deletions(-)


* Re: [PATCH net 0/2] Netfilter fixes for net
  2023-04-20 17:06 Pablo Neira Ayuso
@ 2023-04-21  3:25 ` Jakub Kicinski
  0 siblings, 0 replies; 22+ messages in thread
From: Jakub Kicinski @ 2023-04-21  3:25 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, pabeni, edumazet

On Thu, 20 Apr 2023 19:06:55 +0200 Pablo Neira Ayuso wrote:
> 1) Set on IPS_CONFIRMED before change_status() otherwise EBUSY is
>    bogusly hit. This bug was introduced in the 6.3 release cycle.
> 
> 2) Fix nfnetlink_queue conntrack support: Set/dump timeout
>    accordingly for unconfirmed conntrack entries. Make sure this
>    is done after IPS_CONFIRMED is set on. This is an old bug, it
>    happens since the introduction of this feature.

It missed our PR anyway so please resend with a signed tag.


* [PATCH net 0/2] Netfilter fixes for net
@ 2023-04-20 17:06 Pablo Neira Ayuso
  2023-04-21  3:25 ` Jakub Kicinski
  0 siblings, 1 reply; 22+ messages in thread
From: Pablo Neira Ayuso @ 2023-04-20 17:06 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains late Netfilter fixes for net:

1) Set on IPS_CONFIRMED before change_status() otherwise EBUSY is
   bogusly hit. This bug was introduced in the 6.3 release cycle.

2) Fix nfnetlink_queue conntrack support: Set/dump timeout
   accordingly for unconfirmed conntrack entries. Make sure this
   is done after IPS_CONFIRMED is set on. This is an old bug, it
   happens since the introduction of this feature.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 92e8c732d8518588ac34b4cb3feaf37d2cb87555:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf (2023-04-18 20:46:31 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 73db1b8f2bb6725b7391e85aab41fdf592b3c0c1:

  netfilter: conntrack: fix wrong ct->timeout value (2023-04-19 12:08:38 +0200)

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      netfilter: conntrack: restore IPS_CONFIRMED out of nf_conntrack_hash_check_insert()

Tzung-Bi Shih (1):
      netfilter: conntrack: fix wrong ct->timeout value

 include/net/netfilter/nf_conntrack_core.h |  6 +++++-
 net/netfilter/nf_conntrack_bpf.c          |  1 +
 net/netfilter/nf_conntrack_core.c         |  1 -
 net/netfilter/nf_conntrack_netlink.c      | 16 ++++++++++++----
 4 files changed, 18 insertions(+), 6 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2023-01-31 13:31 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2023-01-31 13:31 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains two Netfilter fixes for net:

1) Release bridge info once packet escapes the br_netfilter path,
   from Florian Westphal.

2) Revert incorrect fix for the SCTP connection tracking chunk
   iterator, also from Florian.

First patch fixes a long standing issue, the second patch addresses
a mistake in the previous pull request for net.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 9b3fc325c2a7e9e17e22b008357cb0ceb810d9b2:

  Merge tag 'ieee802154-for-net-2023-01-30' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan (2023-01-30 21:11:11 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to bd0e06f0def75ba26572a94e5350324474a55562:

  Revert "netfilter: conntrack: fix bug in for_each_sctp_chunk" (2023-01-31 14:02:48 +0100)

----------------------------------------------------------------
Florian Westphal (2):
      netfilter: br_netfilter: disable sabotage_in hook after first suppression
      Revert "netfilter: conntrack: fix bug in for_each_sctp_chunk"

 net/bridge/br_netfilter_hooks.c         | 1 +
 net/netfilter/nf_conntrack_proto_sctp.c | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2023-01-23 21:15 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2023-01-23 21:15 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix overlap detection in rbtree set backend: Detect overlap by going
   through the ordered list of valid tree nodes. To shorten the number of
   visited nodes in the list, this algorithm descends the tree to search
   for an existing element greater than the key value to insert that is
   greater than the new element.

2) Fix for the rbtree set garbage collector: Skip inactive and busy
   elements when checking for expired elements to avoid interference
   with an ongoing transaction from control plane.

This is a rather large fix coming at this stage of the 6.2-rc. Since
33c7aba0b4ff ("netfilter: nf_tables: do not set up extensions for end
interval"), bogus overlap errors in the rbtree set occur more frequently.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 71ab9c3e2253619136c31c89dbb2c69305cc89b1:

  net: fix UaF in netns ops registration error path (2023-01-20 18:51:18 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 5d235d6ce75c12a7fdee375eb211e4116f7ab01b:

  netfilter: nft_set_rbtree: skip elements in transaction from garbage collection (2023-01-23 21:38:33 +0100)

----------------------------------------------------------------
Pablo Neira Ayuso (2):
      netfilter: nft_set_rbtree: Switch to node list walk for overlap detection
      netfilter: nft_set_rbtree: skip elements in transaction from garbage collection

 net/netfilter/nft_set_rbtree.c | 332 +++++++++++++++++++++++++----------------
 1 file changed, 204 insertions(+), 128 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2022-11-18 14:29 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2022-11-18 14:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains late Netfilter fixes for net:

1) Use READ_ONCE()/WRITE_ONCE() to update ct->mark, from Daniel Xu.
   Not reported by syzbot, but I presume KASAN would trigger post
   a splat on this. This is a rather old issue, predating git history.

2) Do not set up extensions for set element with end interval flag
   set on. This leads to bogusly skipping these elements as expired
   when listing the set/map to userspace as well as increasing
   memory consumption when stateful expressions are used. This issue
   has been present since 4.18, when timeout support for rbtree set
   was added.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 40b9d1ab63f5c4f3cb69450044d07b45e5af72e1:

  ipvlan: hold lower dev to avoid possible use-after-free (2022-11-18 10:39:22 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 33c7aba0b4ffd6d7cdab862a034eb582a5120a38:

  netfilter: nf_tables: do not set up extensions for end interval (2022-11-18 15:21:32 +0100)

----------------------------------------------------------------
Daniel Xu (1):
      netfilter: conntrack: Fix data-races around ct mark

Pablo Neira Ayuso (1):
      netfilter: nf_tables: do not set up extensions for end interval

 net/core/flow_dissector.c               |  2 +-
 net/ipv4/netfilter/ipt_CLUSTERIP.c      |  4 ++--
 net/netfilter/nf_conntrack_core.c       |  2 +-
 net/netfilter/nf_conntrack_netlink.c    | 24 ++++++++++++++----------
 net/netfilter/nf_conntrack_standalone.c |  2 +-
 net/netfilter/nf_tables_api.c           |  6 ++++--
 net/netfilter/nft_ct.c                  |  6 +++---
 net/netfilter/xt_connmark.c             | 18 ++++++++++--------
 net/openvswitch/conntrack.c             |  8 ++++----
 net/sched/act_connmark.c                |  4 ++--
 net/sched/act_ct.c                      |  8 ++++----
 net/sched/act_ctinfo.c                  |  6 +++---
 12 files changed, 49 insertions(+), 41 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2022-10-19  6:52 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2022-10-19  6:52 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains Netfilter fixes for net:

1) Missing flowi uid field in nft_fib expression, from Guillaume Nault.
   This is broken since the creation of the fib expression.

2) Relax sanity check to fix bogus EINVAL error when deleting elements
   belonging to set intervals. Broken since 6.0-rc.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 1ca695207ed2271ecbf8ee6c641970f621c157cc:

  ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed (2022-10-18 11:05:55 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 96df8360dbb435cc69f7c3c8db44bf8b1c24cd7b:

  netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements (2022-10-19 08:46:48 +0200)

----------------------------------------------------------------
Guillaume Nault (1):
      netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.

Pablo Neira Ayuso (1):
      netfilter: nf_tables: relax NFTA_SET_ELEM_KEY_END set flags requirements

 net/ipv4/netfilter/ipt_rpfilter.c  | 1 +
 net/ipv4/netfilter/nft_fib_ipv4.c  | 1 +
 net/ipv6/netfilter/ip6t_rpfilter.c | 1 +
 net/ipv6/netfilter/nft_fib_ipv6.c  | 2 ++
 net/netfilter/nf_tables_api.c      | 5 +++--
 5 files changed, 8 insertions(+), 2 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2022-07-02 19:10 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2022-07-02 19:10 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains Netfilter fixes for net:

1) Insufficient validation of element datatype and length in
   nft_setelem_parse_data(). At least commit 7d7402642eaf updates
   maximum element data area up to 64 bytes when only 16 bytes
   were supported at the time. Support for larger element size
   came later in fdb9c405e35b though. Picking this older commit
   as Fixes: tag to be safe rather than sorry.

2) Memleak in pipapo destroy path, reproducible when transaction
   is aborted. This is already triggering in the existing netfilter
   test infrastructure since more recent new tests are covering this
   path.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit f8ebb3ac881b17712e1d5967c97ab1806b16d3d6:

  net: usb: ax88179_178a: Fix packet receiving (2022-06-30 10:41:57 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e:

  netfilter: nft_set_pipapo: release elements in clone from abort path (2022-07-02 21:04:19 +0200)

----------------------------------------------------------------
Pablo Neira Ayuso (2):
      netfilter: nf_tables: stricter validation of element data
      netfilter: nft_set_pipapo: release elements in clone from abort path

 net/netfilter/nf_tables_api.c  |  9 +++++++-
 net/netfilter/nft_set_pipapo.c | 48 +++++++++++++++++++++++++++++-------------
 2 files changed, 41 insertions(+), 16 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2022-05-26 20:54 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2022-05-26 20:54 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix UAF when creating non-stateful expression in set.

2) Set limit cost when cloning expression accordingly, from Phil Sutter.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 6c465408a7709cf180cde7569e141191b67a175c:

  dt-bindings: net: adin: Fix adi,phy-output-clock description syntax (2022-05-25 22:03:45 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 558254b0b602b8605d7246a10cfeb584b1fcabfc:

  netfilter: nft_limit: Clone packet limits' cost value (2022-05-26 22:50:34 +0200)

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      netfilter: nf_tables: disallow non-stateful expression in sets earlier

Phil Sutter (1):
      netfilter: nft_limit: Clone packet limits' cost value

 net/netfilter/nf_tables_api.c | 19 ++++++++++---------
 net/netfilter/nft_limit.c     |  2 ++
 2 files changed, 12 insertions(+), 9 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2022-04-12  9:42 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2022-04-12  9:42 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix cgroupv2 from the input path, from Florian Westphal.

2) Fix incorrect return value of nft_parse_register(), from Antoine Tenart.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit e8a64bbaaad1f6548cec5508297bc6d45e8ab69e:

  net/sched: taprio: Check if socket flags are valid (2022-04-11 10:51:00 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 6c6f9f31ecd47dce1d0dafca4bec8805f9bc97cd:

  netfilter: nf_tables: nft_parse_register can return a negative value (2022-04-12 11:36:37 +0200)

----------------------------------------------------------------
Antoine Tenart (1):
      netfilter: nf_tables: nft_parse_register can return a negative value

Florian Westphal (1):
      netfilter: nft_socket: make cgroup match work in input too

 net/netfilter/nf_tables_api.c | 2 +-
 net/netfilter/nft_socket.c    | 7 +++----
 2 files changed, 4 insertions(+), 5 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2022-04-05 10:09 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2022-04-05 10:09 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Incorrect comparison in bitmask .reduce, from Jeremy Sowden.

2) Missing GFP_KERNEL_ACCOUNT for dynamically allocated objects,
   from Vasily Averin.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit ad7da1ce5749c0eb4f09dd7e5510123be56f10fb:

  net: lan966x: fix kernel oops on ioctl when I/F is down (2022-03-29 10:47:24 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 42193ffd79bd3acd91bd947e53f3548a3661d0a1:

  netfilter: nf_tables: memcg accounting for dynamically allocated objects (2022-04-05 11:55:46 +0200)

----------------------------------------------------------------
Jeremy Sowden (1):
      netfilter: bitwise: fix reduce comparisons

Vasily Averin (1):
      netfilter: nf_tables: memcg accounting for dynamically allocated objects

 net/netfilter/nf_tables_api.c | 2 +-
 net/netfilter/nft_bitwise.c   | 4 ++--
 net/netfilter/nft_connlimit.c | 2 +-
 net/netfilter/nft_counter.c   | 2 +-
 net/netfilter/nft_last.c      | 2 +-
 net/netfilter/nft_limit.c     | 2 +-
 net/netfilter/nft_quota.c     | 2 +-
 7 files changed, 8 insertions(+), 8 deletions(-)


* [PATCH net 0/2] Netfilter fixes for net
@ 2021-02-09 21:35 Pablo Neira Ayuso
  0 siblings, 0 replies; 22+ messages in thread
From: Pablo Neira Ayuso @ 2021-02-09 21:35 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) nf_conntrack_tuple_taken() needs to recheck zone for
   NAT clash resolution, from Florian Westphal.

2) Restore support for stateful expressions when set definition
   specifies no stateful expressions.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit ce7536bc7398e2ae552d2fabb7e0e371a9f1fe46:

  vsock/virtio: update credit only if socket is not closed (2021-02-08 13:27:46 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 664899e85c1312e51d2761e7f8b2f25d053e8489:

  netfilter: nftables: relax check for stateful expressions in set definition (2021-02-09 00:50:14 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: skip identical origin tuple in same zone only

Pablo Neira Ayuso (1):
      netfilter: nftables: relax check for stateful expressions in set definition

 net/netfilter/nf_conntrack_core.c |  3 ++-
 net/netfilter/nf_tables_api.c     | 28 +++++++++++++++-------------
 2 files changed, 17 insertions(+), 14 deletions(-)
