Commit f6a2a310 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'nf-25-08-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf 

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Reinstantiate Florian Westphal as a Netfilter maintainer.

2) Depend on both NETFILTER_XTABLES and NETFILTER_XTABLES_LEGACY,
   from Arnd Bergmann.

3) Use id to annotate last conntrack/expectation visited to resume
   netlink dump, patches from Florian Westphal.

4) Fix bogus element in nft_pipapo avx2 lookup, introduced in
   the last nf-next batch of updates, also from Florian.

5) Return 0 instead of recycling ret variable in
   nf_conntrack_log_invalid_sysctl(), introduced in the last
   nf-next batch of updates, from Dan Carpenter.

6) Fix WARN_ON_ONCE triggered by syzbot with larger cgroup level
   in nft_socket.

* tag 'nf-25-08-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nft_socket: remove WARN_ON_ONCE with huge level value
  netfilter: conntrack: clean up returns in nf_conntrack_log_invalid_sysctl()
  netfilter: nft_set_pipapo: don't return bogus extension pointer
  netfilter: ctnetlink: remove refcounting in expectation dumpers
  netfilter: ctnetlink: fix refcount leak on table dump
  netfilter: add back NETFILTER_XTABLES dependencies
  MAINTAINERS: resurrect my netfilter maintainer entry
====================

Link: https://patch.msgid.link/20250807112948.1400523-1-pablo@netfilter.org


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 37816488 1dee968d

MAINTAINERS

+1 −0
Original line number Diff line number Diff line
@@ -17451,6 +17451,7 @@ F: drivers/net/ethernet/neterion/ 
NETFILTER

M:	Pablo Neira Ayuso <pablo@netfilter.org>

M:	Jozsef Kadlecsik <kadlec@netfilter.org>

M:	Florian Westphal <fw@strlen.de>

L:	netfilter-devel@vger.kernel.org

L:	coreteam@netfilter.org

S:	Maintained

net/bridge/netfilter/Kconfig

+1 −0
Original line number Diff line number Diff line
@@ -43,6 +43,7 @@ config NF_CONNTRACK_BRIDGE 
config BRIDGE_NF_EBTABLES_LEGACY

	tristate "Legacy EBTABLES support"

	depends on BRIDGE && NETFILTER_XTABLES_LEGACY

	depends on NETFILTER_XTABLES

	default	n

	help

	 Legacy ebtables packet/frame classifier.

net/ipv4/netfilter/Kconfig

+3 −0
Original line number Diff line number Diff line
@@ -14,6 +14,7 @@ config NF_DEFRAG_IPV4 
config IP_NF_IPTABLES_LEGACY

	tristate "Legacy IP tables support"

	depends on NETFILTER_XTABLES_LEGACY

	depends on NETFILTER_XTABLES

	default	m if NETFILTER_XTABLES_LEGACY

	help

	  iptables is a legacy packet classifier.
@@ -326,6 +327,7 @@ endif # IP_NF_IPTABLES 
config IP_NF_ARPTABLES

	tristate "Legacy ARPTABLES support"

	depends on NETFILTER_XTABLES_LEGACY

	depends on NETFILTER_XTABLES

	default	n

	help

	  arptables is a legacy packet classifier.
@@ -343,6 +345,7 @@ config IP_NF_ARPFILTER 
	select IP_NF_ARPTABLES

	select NETFILTER_FAMILY_ARP

	depends on NETFILTER_XTABLES_LEGACY

	depends on NETFILTER_XTABLES

	help

	  ARP packet filtering defines a table `filter', which has a series of

	  rules for simple ARP packet filtering at local input and

net/ipv6/netfilter/Kconfig

+1 −0
Original line number Diff line number Diff line
@@ -10,6 +10,7 @@ menu "IPv6: Netfilter Configuration" 
config IP6_NF_IPTABLES_LEGACY

	tristate "Legacy IP6 tables support"

	depends on INET && IPV6 && NETFILTER_XTABLES_LEGACY

	depends on NETFILTER_XTABLES

	default	m if NETFILTER_XTABLES_LEGACY

	help

	  ip6tables is a legacy packet classifier.

net/netfilter/nf_conntrack_netlink.c

+30 −35
Original line number Diff line number Diff line
@@ -884,8 +884,6 @@ ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item) 


static int ctnetlink_done(struct netlink_callback *cb)

{

	if (cb->args[1])

		nf_ct_put((struct nf_conn *)cb->args[1]);

	kfree(cb->data);

	return 0;

}
@@ -1208,19 +1206,26 @@ static int ctnetlink_filter_match(struct nf_conn *ct, void *data) 
	return 0;

}



static unsigned long ctnetlink_get_id(const struct nf_conn *ct)

{

	unsigned long id = nf_ct_get_id(ct);



	return id ? id : 1;

}



static int

ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)

{

	unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0;

	struct net *net = sock_net(skb->sk);

	struct nf_conn *ct, *last;

	unsigned long last_id = cb->args[1];

	struct nf_conntrack_tuple_hash *h;

	struct hlist_nulls_node *n;

	struct nf_conn *nf_ct_evict[8];

	struct nf_conn *ct;

	int res, i;

	spinlock_t *lockp;



	last = (struct nf_conn *)cb->args[1];

	i = 0;



	local_bh_disable();
@@ -1257,7 +1262,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 
				continue;



			if (cb->args[1]) {

				if (ct != last)

				if (ctnetlink_get_id(ct) != last_id)

					continue;

				cb->args[1] = 0;

			}
@@ -1270,8 +1275,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 
					    NFNL_MSG_TYPE(cb->nlh->nlmsg_type),

					    ct, true, flags);

			if (res < 0) {

				nf_conntrack_get(&ct->ct_general);

				cb->args[1] = (unsigned long)ct;

				cb->args[1] = ctnetlink_get_id(ct);

				spin_unlock(lockp);

				goto out;

			}
@@ -1284,12 +1288,10 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 
	}

out:

	local_bh_enable();

	if (last) {

	if (last_id) {

		/* nf ct hash resize happened, now clear the leftover. */

		if ((struct nf_conn *)cb->args[1] == last)

		if (cb->args[1] == last_id)

			cb->args[1] = 0;



		nf_ct_put(last);

	}



	while (i) {
@@ -3168,23 +3170,27 @@ ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item) 
	return 0;

}

#endif

static int ctnetlink_exp_done(struct netlink_callback *cb)



static unsigned long ctnetlink_exp_id(const struct nf_conntrack_expect *exp)

{

	if (cb->args[1])

		nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);

	return 0;

	unsigned long id = (unsigned long)exp;



	id += nf_ct_get_id(exp->master);

	id += exp->class;



	return id ? id : 1;

}



static int

ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)

{

	struct net *net = sock_net(skb->sk);

	struct nf_conntrack_expect *exp, *last;

	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);

	u_int8_t l3proto = nfmsg->nfgen_family;

	unsigned long last_id = cb->args[1];

	struct nf_conntrack_expect *exp;



	rcu_read_lock();

	last = (struct nf_conntrack_expect *)cb->args[1];

	for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {

restart:

		hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
@@ -3196,7 +3202,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 
				continue;



			if (cb->args[1]) {

				if (exp != last)

				if (ctnetlink_exp_id(exp) != last_id)

					continue;

				cb->args[1] = 0;

			}
@@ -3205,9 +3211,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 
						    cb->nlh->nlmsg_seq,

						    IPCTNL_MSG_EXP_NEW,

						    exp) < 0) {

				if (!refcount_inc_not_zero(&exp->use))

					continue;

				cb->args[1] = (unsigned long)exp;

				cb->args[1] = ctnetlink_exp_id(exp);

				goto out;

			}

		}
@@ -3218,32 +3222,30 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 
	}

out:

	rcu_read_unlock();

	if (last)

		nf_ct_expect_put(last);



	return skb->len;

}



static int

ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)

{

	struct nf_conntrack_expect *exp, *last;

	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);

	struct nf_conn *ct = cb->data;

	struct nf_conn_help *help = nfct_help(ct);

	u_int8_t l3proto = nfmsg->nfgen_family;

	unsigned long last_id = cb->args[1];

	struct nf_conntrack_expect *exp;



	if (cb->args[0])

		return 0;



	rcu_read_lock();

	last = (struct nf_conntrack_expect *)cb->args[1];



restart:

	hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {

		if (l3proto && exp->tuple.src.l3num != l3proto)

			continue;

		if (cb->args[1]) {

			if (exp != last)

			if (ctnetlink_exp_id(exp) != last_id)

				continue;

			cb->args[1] = 0;

		}
@@ -3251,9 +3253,7 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 
					    cb->nlh->nlmsg_seq,

					    IPCTNL_MSG_EXP_NEW,

					    exp) < 0) {

			if (!refcount_inc_not_zero(&exp->use))

				continue;

			cb->args[1] = (unsigned long)exp;

			cb->args[1] = ctnetlink_exp_id(exp);

			goto out;

		}

	}
@@ -3264,9 +3264,6 @@ ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 
	cb->args[0] = 1;

out:

	rcu_read_unlock();

	if (last)

		nf_ct_expect_put(last);



	return skb->len;

}
@@ -3285,7 +3282,6 @@ static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, 
	struct nf_conntrack_zone zone;

	struct netlink_dump_control c = {

		.dump = ctnetlink_exp_ct_dump_table,

		.done = ctnetlink_exp_done,

	};



	err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
@@ -3335,7 +3331,6 @@ static int ctnetlink_get_expect(struct sk_buff *skb, 
		else {

			struct netlink_dump_control c = {

				.dump = ctnetlink_exp_dump_table,

				.done = ctnetlink_exp_done,

			};

			return netlink_dump_start(info->sk, skb, info->nlh, &c);

		}