Commit 284f1f17 authored Feb 18, 2026 by Jakub Kicinski

Merge tag 'nf-26-02-17' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westphal says:

====================
netfilter: updates for net

The following patchset contains Netfilter fixes for *net*:

1) Add missing __rcu annotations to NAT helper hook pointers in Amanda,
   FTP, IRC, SNMP and TFTP helpers.  From Sun Jian.

2-4):
 - Add global spinlock to serialize nft_counter fetch+reset operations.
 - Use atomic64_xchg() for nft_quota reset instead of read+subtract pattern.
   Note AI review detects a race in this change but it isn't new. The
   'racing' bit only exists to prevent constant stream of 'quota expired'
   notifications.
 - Revert commit_mutex usage in nf_tables reset path, it caused
   circular lock dependency.  All from Brian Witte.

5) Fix uninitialized l3num value in nf_conntrack_h323 helper.

6) Fix musl libc compatibility in netfilter_bridge.h UAPI header. This
   change isn't nice (UAPI headers should not include libc headers), but
   as-is musl builds may fail due to redefinition of struct ethhdr.

7) Fix protocol checksum validation in IPVS for IPv6 with extension headers,
   from Julian Anastasov.

8) Fix device reference leak in IPVS when netdev goes down. Also from
   Julian.

9) Remove WARN_ON_ONCE when accessing forward path array, this can
   trigger with sufficiently long forward paths.  From Pablo Neira Ayuso.

10) Fix use-after-free in nf_tables_addchain() error path, from Inseo An.

* tag 'nf-26-02-17' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nf_tables: fix use-after-free in nf_tables_addchain()
  net: remove WARN_ON_ONCE when accessing forward path array
  ipvs: do not keep dest_dst if dev is going down
  ipvs: skip ipv6 extension headers for csum checks
  include: uapi: netfilter_bridge.h: Cover for musl libc
  netfilter: nf_conntrack_h323: don't pass uninitialised l3num value
  netfilter: nf_tables: revert commit_mutex usage in reset path
  netfilter: nft_quota: use atomic64_xchg for reset
  netfilter: nft_counter: serialize reset with spinlock
  netfilter: annotate NAT helper hook pointers with __rcu
====================

Link: https://patch.msgid.link/20260217163233.31455-1-fw@strlen.de


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parents 0da1dba7 71e99ee2

include/linux/netfilter/nf_conntrack_amanda.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -7,7 +7,7 @@
		#include <linux/skbuff.h>
		#include <net/netfilter/nf_conntrack_expect.h>

		extern unsigned int (nf_nat_amanda_hook)(struct sk_buff skb,
		extern unsigned int (__rcu nf_nat_amanda_hook)(struct sk_buff skb,
		enum ip_conntrack_info ctinfo,
		unsigned int protoff,
		unsigned int matchoff,

include/linux/netfilter/nf_conntrack_ftp.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -26,7 +26,7 @@ struct nf_ct_ftp_master {

		/* For NAT to hook in when we find a packet which describes what other
		* connection we should expect. */
		extern unsigned int (nf_nat_ftp_hook)(struct sk_buff skb,
		extern unsigned int (__rcu nf_nat_ftp_hook)(struct sk_buff skb,
		enum ip_conntrack_info ctinfo,
		enum nf_ct_ftp_type type,
		unsigned int protoff,

include/linux/netfilter/nf_conntrack_irc.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -8,7 +8,7 @@

		#define IRC_PORT 6667

		extern unsigned int (nf_nat_irc_hook)(struct sk_buff skb,
		extern unsigned int (__rcu nf_nat_irc_hook)(struct sk_buff skb,
		enum ip_conntrack_info ctinfo,
		unsigned int protoff,
		unsigned int matchoff,

include/linux/netfilter/nf_conntrack_snmp.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -5,7 +5,7 @@
		#include <linux/netfilter.h>
		#include <linux/skbuff.h>

		extern int (nf_nat_snmp_hook)(struct sk_buff skb,
		extern int (__rcu nf_nat_snmp_hook)(struct sk_buff skb,
		unsigned int protoff,
		struct nf_conn *ct,
		enum ip_conntrack_info ctinfo);

include/linux/netfilter/nf_conntrack_tftp.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -19,7 +19,7 @@ struct tftphdr {
		#define TFTP_OPCODE_ACK 4
		#define TFTP_OPCODE_ERROR 5

		extern unsigned int (nf_nat_tftp_hook)(struct sk_buff skb,
		extern unsigned int (__rcu nf_nat_tftp_hook)(struct sk_buff skb,
		enum ip_conntrack_info ctinfo,
		struct nf_conntrack_expect *exp);