netfilter pull request nf-25-10-29

-----BEGIN PGP SIGNATURE-----
 
 iQJBBAABCAArFiEEgKkgxbID4Gn1hq6fcJGo2a1f9gAFAmkCGxcNHGZ3QHN0cmxl
 bi5kZQAKCRBwkajZrV/2AFj4D/9665knSUnx2YSzCeydCf5E8htWOM6dcxidr2d8
 lwpczAOG3bLpxFMPEZbMHKXDe09dJZJqNcL0nsGOSr0GEckag+eIVgh/w5tmHSIV
 hpjdsl24mAwyUENUZIqt7sPBqbnePPMAYvDNG44qckdhZTr1ztqF/sk9y5YYFixA
 3igil7JatgpB9f7OBSNx6Y1mcelN5bIaMlyi5sUopH/kOSH3S6n7FnRkJGY6voa7
 ct74QvNCZm4HnaD98mK08dkeTv3th/21jsNDmJKIGZ2rKj0Nss2PiNhSEp6JrkaR
 q61w98xQl1ARl1lyHbbzsUQ5dW4sR4CvlHK9JUiBNOCVNXuAnZ8qkUermSqvQx+M
 dfgS28G9fUVpLARvVjdX1nSYaHRDOASikNFfkKuTT5es8sD+s29adiknwQ/3sCCg
 aL4pzltTqqU06vqW1p7JXATvt+MPIsf2IovIUzjk4j06l8sYG5xpxVUEh5um150B
 NppppBavesFQLpaA+pdIUyONPo9wiSo/2+Ay6mkDkCzOXcPPTUpJUXibAOq4Fua7
 7QpzutszxScH5eUON1adWj6eHAeVLCnAbI4mfKXtVd7GbinUlLMhSJhCOh+/rWwJ
 JxSRfy551r8Zk8pQSVrKQH28WR8+5rT6NXn7lzuce6d2/7FNv4Cx6irFPBfvj2NN
 g59uQA==
 =ynIB
 -----END PGP SIGNATURE-----

Merge tag 'nf-25-10-29' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westphal says:

====================
netfilter: updates for net

1) it's not possible to attach conntrack labels via ctnetlink
   unless one creates a dummy 'ct labels set' rule in nftables.
   This is an oversight, the 'ruleset tests presence, userspace
   (netlink) sets' use-case is valid and should 'just work'.
   Always broken since this got added in Linux 4.7.

2) nft_connlimit reads count value without holding the relevant
   lock, add a READ_ONCE annotation.  From Fernando Fernandez Mancera.

3) There is a long-standing bug (since 4.12) in nftables helper infra
   when NAT is in use: if the helper gets assigned after the nat binding
   was set up, we fail to initialise the 'seqadj' extension, which is
   needed in case NAT payload rewrites need to add (or remove) from the
   packet payload.  Fix from Andrii Melnychenko.

* tag 'nf-25-10-29' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nft_ct: add seqadj extension for natted connections
  netfilter: nft_connlimit: fix possible data race on connection count
  netfilter: nft_ct: enable labels for get case too
====================

Link: https://patch.msgid.link/20251029135617.18274-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Jakub Kicinski 2025-10-29 18:25:12 -07:00
commit e98cda764a
2 changed files with 28 additions and 4 deletions


@ -48,7 +48,7 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
return;
}
count = priv->list->count;
count = READ_ONCE(priv->list->count);
if ((count > priv->limit) ^ priv->invert) {
regs->verdict.code = NFT_BREAK;
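Review bot: `count = READ_ONCE(priv->list->count);` marks only the reader side of the race; the code that updates `count` is not in this hunk, and the annotation only fully documents the lockless access pattern if those updates are done with `WRITE_ONCE()` (or the lock-protected writer is the sole mutator and a slightly stale value is acceptable for the limit check). Worth confirming the writer in the connlimit list code is marked accordingly, otherwise tooling such as KCSAN may still report the pair. A short comment on the read, `/* lockless read; the list lock is not held here, so the value may be stale */`, would tell the next reader why the annotation is there. `nft_connlimit_do_eval` starts before this hunk.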


@ -22,6 +22,7 @@
#include <net/netfilter/nf_conntrack_timeout.h>
#include <net/netfilter/nf_conntrack_l4proto.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_seqadj.h>
struct nft_ct_helper_obj {
struct nf_conntrack_helper *helper4;
@ -379,6 +380,14 @@ static bool nft_ct_tmpl_alloc_pcpu(void)
}
#endif
static void __nft_ct_get_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
{
#ifdef CONFIG_NF_CONNTRACK_LABELS
if (priv->key == NFT_CT_LABELS)
nf_connlabels_put(ctx->net);
#endif
}
static int nft_ct_get_init(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nlattr * const tb[])
@ -413,6 +422,10 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
if (tb[NFTA_CT_DIRECTION] != NULL)
return -EINVAL;
len = NF_CT_LABELS_MAX_SIZE;
err = nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1);
if (err)
return err;
break;
#endif
case NFT_CT_HELPER:
@ -494,7 +507,8 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
case IP_CT_DIR_REPLY:
break;
default:
return -EINVAL;
err = -EINVAL;
goto err;
}
}
@ -502,11 +516,11 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
err = nft_parse_register_store(ctx, tb[NFTA_CT_DREG], &priv->dreg, NULL,
NFT_DATA_VALUE, len);
if (err < 0)
return err;
goto err;
err = nf_ct_netns_get(ctx->net, ctx->family);
if (err < 0)
return err;
goto err;
if (priv->key == NFT_CT_BYTES ||
priv->key == NFT_CT_PKTS ||
@ -514,6 +528,9 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
nf_ct_set_acct(ctx->net, true);
return 0;
err:
__nft_ct_get_destroy(ctx, priv);
return err;
}
static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
@ -626,6 +643,9 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
static void nft_ct_get_destroy(const struct nft_ctx *ctx,
const struct nft_expr *expr)
{
struct nft_ct *priv = nft_expr_priv(expr);
__nft_ct_get_destroy(ctx, priv);
nf_ct_netns_put(ctx->net, ctx->family);
}
@ -1173,6 +1193,10 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
if (help) {
rcu_assign_pointer(help->helper, to_assign);
set_bit(IPS_HELPER_BIT, &ct->status);
if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct))
if (!nfct_seqadj_ext_add(ct))
regs->verdict.code = NF_DROP;
}
}
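Review bot: The new `__nft_ct_get_destroy` is the undo path for the connlabels reference taken in the `NFT_CT_LABELS` branch of `nft_ct_get_init`, but nothing says so, and the `err:` label that reaches it shares its name with the local `err` variable, which makes `goto err;` read ambiguously. A one-line comment above the helper, `/* Release what nft_ct_get_init() acquired before the netns ref; currently only the connlabels ref taken for NFT_CT_LABELS. */`, and a label name such as `err_labels:` would make the pairing obvious to whoever next adds a key that needs cleanup. The `return -EINVAL` visible before the labels get is safe because it runs before the reference is taken; any early return that remains between that point and the `err:` label in code outside these hunks would leak the reference, so that ordering deserves a note. `nft_ct_get_init` and `nft_ct_helper_obj_eval` both start outside the hunks shown.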