netfilter pull request 25-04-03

-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEjF9xRqF1emXiQiqU1w0aZmrPKyEFAmfudsoACgkQ1w0aZmrP KyFv/w/7BUGRu2U6nRJEmPJh7AEjeDc9RMb/WHbx4NiDBhqldE08SVfPC8X+KaZ9 0KmqedFnopP50kt+v7Jxc4oS+/uG1GuYk+afiiAuvKgF5jKKnePO4m7hZddjx0ev QewjXsGrU4gwgKGgc+2my0ZuRiaH/s9LcoweQ+M+XsrcgWXIRygrayIapq376tLT pH6zaKnHvXvTRB5ie6kxMCE4t3P0hVp/0Sf6CBcLv3t+F9/gtdwTOmazYT63fVcn JbmSc+enp3h5B5B/jlaX9xjazWSS1p1awKVKsoiWWwPZHVRciLKz8mcbeC451xoj WmM/m94kLP6I3oK5hEKQfCwxPoKMqMRmlXHv/HPSg6S9JF6+knXVM1BahHAdo+FZ XySOe3+SEJSFLo67oqLp60GEdcU94RmpouWszGI9/ERmINQxB4v9nZLI1aJ2zfyb Dmh+zdHXdFoTq8/G6tyrlEJwcTWcI6pRaYYO/i1LERLsXEfwfw4A4QXAZ/oLm7iU 13xdN5ZjBBBmhwUpkNQcP+5g2tCwABC8KTFK0oCdFGClZoOnpdC9Vn1jP7eOEG2O iR15jfpkBLCZQhD4LNUKRgGPc07eBneJ8Z1T4f1pnDJNO7tHRCY8DsqMTMalMX3A vx19ODiNEsKMRehlraxD+DM8ZUZVQIkPEe+Ybt8si+fTZd2i1i4= =em17 -----END PGP SIGNATURE----- Merge tag 'nf-25-04-03' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following batch contains Netfilter fixes for net: 1) conncount incorrectly removes element for non-dynamic sets, these elements represent a static control plane configuration, leave them in place. 2) syzbot found a way to unregister a basechain that has been never registered from the chain update path, fix from Florian Westphal. 3) Fix incorrect pointer arithmetics in geneve support for tunnel, from Lin Ma. * tag 'nf-25-04-03' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nft_tunnel: fix geneve_opt type confusion addition netfilter: nf_tables: don't unregister hook when table is dormant netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only ==================== Link: https://patch.msgid.link/20250403115752.19608-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-31 18:43:33 +02:00 · 2025-04-03 16:23:00 -07:00 · 2025-04-03 16:23:00 -07:00 · 8bc251e5d8
commit 8bc251e5d8
parent 915873752c 1b755d8eb1
3 changed files with 6 additions and 5 deletions
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@ -2839,11 +2839,11 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 			err = nft_netdev_register_hooks(ctx->net, &hook.list);
 			if (err < 0)
 				goto err_hooks;
+
+			unregister = true;
 		}
 	}

-	unregister = true;
-
 	if (nla[NFTA_CHAIN_COUNTERS]) {
 		if (!nft_is_base_chain(chain)) {
 			err = -EOPNOTSUPP;
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,

 	nft_setelem_expr_foreach(expr, elem_expr, size) {
 		if (expr->ops->gc &&
-		    expr->ops->gc(read_pnet(&set->net), expr))
+		    expr->ops->gc(read_pnet(&set->net), expr) &&
+		    set->flags & NFT_SET_EVAL)
 			return true;
 	}

--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@ -341,7 +341,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN
 static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
 				      struct nft_tunnel_opts *opts)
 {
-	struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len;
+	struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len);
 	struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1];
 	int err, data_len;

@ -625,7 +625,7 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
 		if (!inner)
 			goto failure;
 		while (opts->len > offset) {
-			opt = (struct geneve_opt *)opts->u.data + offset;
+			opt = (struct geneve_opt *)(opts->u.data + offset);
 			if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
 					 opt->opt_class) ||
 			    nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE,