Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2228779/?format=api
{ "id": 2228779, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2228779/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260427112720.5128-2-fmancera@suse.de/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260427112720.5128-2-fmancera@suse.de>", "date": "2026-04-27T11:27:19", "name": "[2/3,nf,v4] netfilter: nf_tables: skip L4 header parsing for non-first fragments", "commit_ref": null, "pull_url": null, "state": "changes-requested", "archived": true, "hash": "f71599bf601bba4d6aa4175c23fd404a0057cc61", "submitter": { "id": 90904, "url": "http://patchwork.ozlabs.org/api/1.1/people/90904/?format=api", "name": "Fernando Fernandez Mancera", "email": "fmancera@suse.de" }, "delegate": { "id": 11902, "url": "http://patchwork.ozlabs.org/api/1.1/users/11902/?format=api", "username": "strlen", "first_name": "Florian", "last_name": "Westphal", "email": "fw@strlen.de" }, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260427112720.5128-2-fmancera@suse.de/mbox/", "series": [ { "id": 501628, "url": "http://patchwork.ozlabs.org/api/1.1/series/501628/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501628", "date": "2026-04-27T11:27:18", "name": "[1/3,nf,v4] netfilter: nf_socket: skip socket lookup for non-first fragments", "version": 4, "mbox": "http://patchwork.ozlabs.org/series/501628/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2228779/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2228779/checks/", "tags": {}, "headers": { "Return-Path": "\n <netfilter-devel+bounces-12214-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=nPpjS3qM;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=UhBpTpm8;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=nPpjS3qM;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=UhBpTpm8;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12214-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"nPpjS3qM\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"UhBpTpm8\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"nPpjS3qM\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"UhBpTpm8\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.130", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de", "smtp-out1.suse.de;\n\tnone" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g41bg4pbRz1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 27 Apr 2026 21:31:11 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id A76B530305ED\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 27 Apr 2026 11:27:52 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 633AD3B7B8E;\n\tMon, 27 Apr 2026 11:27:51 +0000 (UTC)", "from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 9BB863B6362\n\tfor <netfilter-devel@vger.kernel.org>; Mon, 27 Apr 2026 11:27:49 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (unknown [10.150.64.97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out1.suse.de (Postfix) with ESMTPS id 5639B6A8F4;\n\tMon, 27 Apr 2026 11:27:45 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id E710A593B0;\n\tMon, 27 Apr 2026 11:27:44 +0000 (UTC)", "from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid yAqTNTBI72kaWgAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Mon, 27 Apr 2026 11:27:44 +0000" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777289271; cv=none;\n b=CNuekuNxjexsrrYcE2SYy3FA5aZsm7U74SO4Rlt5noyY2eWpEPX85qeXJgZj+TX1U1X2i1ehaB2/Td4B3r4NdoH+NX7lK6t8KaDSInN0JCo2EVhRoQ18faM9mUbGA7fpzmscgHIkhZmmm5kvj+YsNmfejvHbmzzPOFitvswwIg0=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777289271; c=relaxed/simple;\n\tbh=tWb4oRI1J8bHuO/d1QhsEHnpdk2IL04us3Qf0wao0N8=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=UctfA40mB8KWuGWpjZk63BJOYLELW6jxD0Osu2ILllFoLZbNSOwXPZCgPyUx3CaJxw0dUBNpGgTzOkYpa0263jh0I4AI5hHSORQayvJBx5NG/bGbmzlgSgYQsI7wM0efpUCoucAIGmJq9oA15QC11a3BBBqqwn9rvPuldc7wIgU=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=nPpjS3qM;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=UhBpTpm8;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=nPpjS3qM;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=UhBpTpm8; arc=none smtp.client-ip=195.135.223.130", "DKIM-Signature": [ "v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1777289265;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=P4sfyHVGVCWugPgqsQnJeFB9wh9im86EzMZDt51M5PY=;\n\tb=nPpjS3qM2PKJh4kO/Rsu3w0Dor/XDPOvsfd4T3Ilnekpig74iZ0TELI+AfsYsWw0ZXxuOJ\n\t7tGm9LtDubgZBqbvmcMjeoWRrTJ2NE1ItggYlxTbO1L9M/GB4XI8TFRrkOSRLxKjRPo/g8\n\tM3Lmq5qBhmX0NGvk/qkzoZdwDXCQvyM=", "v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1777289265;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=P4sfyHVGVCWugPgqsQnJeFB9wh9im86EzMZDt51M5PY=;\n\tb=UhBpTpm8clxkGLzSx+BDetkRVlItpjiNuM/5NfEgDRvIVbSqiiqaZkDM3LV7EWJdGZaLr8\n\tWKbyPvLK/TSObCBQ==", "v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1777289265;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=P4sfyHVGVCWugPgqsQnJeFB9wh9im86EzMZDt51M5PY=;\n\tb=nPpjS3qM2PKJh4kO/Rsu3w0Dor/XDPOvsfd4T3Ilnekpig74iZ0TELI+AfsYsWw0ZXxuOJ\n\t7tGm9LtDubgZBqbvmcMjeoWRrTJ2NE1ItggYlxTbO1L9M/GB4XI8TFRrkOSRLxKjRPo/g8\n\tM3Lmq5qBhmX0NGvk/qkzoZdwDXCQvyM=", "v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1777289265;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=P4sfyHVGVCWugPgqsQnJeFB9wh9im86EzMZDt51M5PY=;\n\tb=UhBpTpm8clxkGLzSx+BDetkRVlItpjiNuM/5NfEgDRvIVbSqiiqaZkDM3LV7EWJdGZaLr8\n\tWKbyPvLK/TSObCBQ==" ], "From": "Fernando Fernandez Mancera <fmancera@suse.de>", "To": "netfilter-devel@vger.kernel.org", "Cc": "coreteam@netfilter.org,\n\tphil@nwl.cc,\n\tfw@strlen.de,\n\tpablo@netfilter.org,\n\tFernando Fernandez Mancera <fmancera@suse.de>", "Subject": "[PATCH 2/3 nf v4] netfilter: nf_tables: skip L4 header parsing for\n non-first fragments", "Date": "Mon, 27 Apr 2026 13:27:19 +0200", "Message-ID": "<20260427112720.5128-2-fmancera@suse.de>", "X-Mailer": "git-send-email 2.51.0", "In-Reply-To": "<20260427112720.5128-1-fmancera@suse.de>", "References": "<20260427112720.5128-1-fmancera@suse.de>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Spamd-Result": "default: False [-6.80 / 50.00];\n\tREPLY(-4.00)[];\n\tBAYES_HAM(-3.00)[100.00%];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tMID_CONTAINS_FROM(1.00)[];\n\tR_MISSING_CHARSET(0.50)[];\n\tNEURAL_HAM_SHORT(-0.20)[-0.984];\n\tMIME_GOOD(-0.10)[text/plain];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tFROM_HAS_DN(0.00)[];\n\tARC_NA(0.00)[];\n\tMIME_TRACE(0.00)[0:+];\n\tTO_DN_SOME(0.00)[];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tFUZZY_RATELIMITED(0.00)[rspamd.com];\n\tRCPT_COUNT_FIVE(0.00)[6];\n\tDBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo];\n\tRCVD_TLS_ALL(0.00)[]", "X-Spam-Flag": "NO", "X-Spam-Score": "-6.80", "X-Spam-Level": "" }, "content": "The tproxy, osf and exthdr (SCTP) expressions rely on the presence of\ntransport layer headers to perform socket lookups, fingerprint matching,\nor chunk extraction. For fragmented packets, while the IP protocol\nremains constant across all fragments, only the first fragment contains\nthe actual L4 header.\n\nThe expressions could be attached to a chain with a priority lower than\n-400, bypassing defragmentation. Or could be used in stateless\nenvironments where defragmentation is not happening at all. This could\nresult in garbage data being used for the matching.\n\nAdd a check for pkt->fragoff so only unfragmented packets or the first\nfragment is processed.\n\nFixes: 133dc203d77d (\"netfilter: nft_exthdr: Support SCTP chunks\")\nFixes: 4ed8eb6570a4 (\"netfilter: nf_tables: Add native tproxy support\")\nFixes: b96af92d6eaf (\"netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n---\nv2: handled fragmented packets for socket expression too,\nsquashed nftables expression commits into this one.\nv3: removed changes to nft_socket and created a generic solution for\nxt/nft\nv4: no changes\n---\n net/netfilter/nft_exthdr.c | 2 +-\n net/netfilter/nft_osf.c | 2 +-\n net/netfilter/nft_tproxy.c | 8 ++++----\n 3 files changed, 6 insertions(+), 6 deletions(-)", "diff": "diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c\nindex 0407d6f708ae..e6a07c0df207 100644\n--- a/net/netfilter/nft_exthdr.c\n+++ b/net/netfilter/nft_exthdr.c\n@@ -376,7 +376,7 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,\n \tconst struct sctp_chunkhdr *sch;\n \tstruct sctp_chunkhdr _sch;\n \n-\tif (pkt->tprot != IPPROTO_SCTP)\n+\tif (pkt->tprot != IPPROTO_SCTP || pkt->fragoff)\n \t\tgoto err;\n \n \tdo {\ndiff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c\nindex c02d5cb52143..45fe56da5044 100644\n--- a/net/netfilter/nft_osf.c\n+++ b/net/netfilter/nft_osf.c\n@@ -33,7 +33,7 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,\n \t\treturn;\n \t}\n \n-\tif (pkt->tprot != IPPROTO_TCP) {\n+\tif (pkt->tprot != IPPROTO_TCP || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\ndiff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c\nindex f2101af8c867..89be443734f6 100644\n--- a/net/netfilter/nft_tproxy.c\n+++ b/net/netfilter/nft_tproxy.c\n@@ -30,8 +30,8 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,\n \t__be16 tport = 0;\n \tstruct sock *sk;\n \n-\tif (pkt->tprot != IPPROTO_TCP &&\n-\t pkt->tprot != IPPROTO_UDP) {\n+\tif ((pkt->tprot != IPPROTO_TCP &&\n+\t pkt->tprot != IPPROTO_UDP) || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\n@@ -97,8 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,\n \n \tmemset(&taddr, 0, sizeof(taddr));\n \n-\tif (pkt->tprot != IPPROTO_TCP &&\n-\t pkt->tprot != IPPROTO_UDP) {\n+\tif ((pkt->tprot != IPPROTO_TCP &&\n+\t pkt->tprot != IPPROTO_UDP) || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\n", "prefixes": [ "2/3", "nf", "v4" ] }