Patch Detail
GET /api/1.1/patches/2229502/?format=api
{ "id": 2229502, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2229502/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428102548.6750-2-fmancera@suse.de/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260428102548.6750-2-fmancera@suse.de>", "date": "2026-04-28T10:25:47", "name": "[2/3,nf,v5] netfilter: nf_tables: skip L4 header parsing for non-first fragments", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "b81d305bbe550be1955c63b8cfba33715b632bca", "submitter": { "id": 90904, "url": "http://patchwork.ozlabs.org/api/1.1/people/90904/?format=api", "name": "Fernando Fernandez Mancera", "email": "fmancera@suse.de" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428102548.6750-2-fmancera@suse.de/mbox/", "series": [ { "id": 501819, "url": "http://patchwork.ozlabs.org/api/1.1/series/501819/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501819", "date": "2026-04-28T10:25:46", "name": "[1/3,nf,v5] netfilter: nf_socket: skip socket lookup for non-first fragments", "version": 5, "mbox": "http://patchwork.ozlabs.org/series/501819/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2229502/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2229502/checks/", "tags": {}, "headers": { "Return-Path": "\n <netfilter-devel+bounces-12250-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit 
key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=jU64j3fL;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=k4GzsSU7;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=jU64j3fL;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=k4GzsSU7;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12250-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"jU64j3fL\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"k4GzsSU7\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"jU64j3fL\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"k4GzsSU7\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.131", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de", "smtp-out2.suse.de;\n\tdkim=pass header.d=suse.de header.s=susede2_rsa header.b=jU64j3fL;\n\tdkim=pass header.d=suse.de header.s=susede2_ed25519 header.b=k4GzsSU7" ], "Received": [ "from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4c6z28BJz1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 20:26:51 +1000 (AEST)", "from smtp.subspace.kernel.org 
(conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 871D2302D0A1\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 10:26:16 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id C926D3E7150;\n\tTue, 28 Apr 2026 10:26:15 +0000 (UTC)", "from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 121572E88BD\n\tfor <netfilter-devel@vger.kernel.org>; Tue, 28 Apr 2026 10:26:13 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org\n [IPv6:2a07:de40:b281:104:10:150:64:97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out2.suse.de (Postfix) with ESMTPS id 515C55BCCB;\n\tTue, 28 Apr 2026 10:26:12 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id E5DBC593B0;\n\tTue, 28 Apr 2026 10:26:11 +0000 (UTC)", "from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid aKT/NEOL8GmULQAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Tue, 28 Apr 2026 10:26:11 +0000" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777371975; cv=none;\n b=V4Tf9U3xlXLWrn9BC+uskIXSpFLzhPDxjltuRPPIxXLs070fGyErFBQ1OMOICxNUPIeoyVDCtmtukbe10Zl4Y+4Hr7209cAPlmRkmSkiWQ1UNTR1awuGcEazxfxZ0NbGxhps6FKkuxx8EYxoXZJHmsGhVT+QBFV4u2Ps/QpfgAE=", "ARC-Message-Signature": "i=1; a=rsa-sha256; 
d=subspace.kernel.org;\n\ts=arc-20240116; t=1777371975; c=relaxed/simple;\n\tbh=wF8kQbq3gKXkHwy602InlMerXaRJsV3ZvBXYE7N0R8c=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=CAFULq8L47wIe/CXHB3YxtzRhHtF9BkV4XudPp/363PrNtF3tyP6MdX7kzD844vvGdzBWg8Gdb4+rpKwrEKFBcmBCd2u+0ceY6BPJ0tAaLk9zSo08+KNIjfTUdmv4kEbncYo3cFLyu6zgI6Bl7YRjEkJBbP6UiV8ZsctFND5y90=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=jU64j3fL;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=k4GzsSU7;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=jU64j3fL;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=k4GzsSU7; arc=none smtp.client-ip=195.135.223.131", "DKIM-Signature": [ "v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1777371972;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=XmC/A0DYDjd545bDdChH92GZFz6jyps73WhO3spjhMU=;\n\tb=jU64j3fLqzV+uA1mvAyy/12VAvd7sD6efCAA7Owe7R7DRm9n/OeHPjwYr/0gMZVaoEpddW\n\tchJCnuDnMAOWN6AxtpSAFnJqRuUvdIZOV+TeMFinVwnHyHE7UASuVhw/yYHCAZfBf2o0gE\n\t1PPNNM54BHrA4Xh7RUydglkhTzu5V6Y=", "v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1777371972;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=XmC/A0DYDjd545bDdChH92GZFz6jyps73WhO3spjhMU=;\n\tb=k4GzsSU7LATZw56CVGjEOoOLLX7nlKNv9ApYjE3zlj/VKxFEPw3NUbpCdlhT9UIjr/Hvbp\n\t5G8rx8DExWj/iPAw==", "v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1777371972;\n 
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=XmC/A0DYDjd545bDdChH92GZFz6jyps73WhO3spjhMU=;\n\tb=jU64j3fLqzV+uA1mvAyy/12VAvd7sD6efCAA7Owe7R7DRm9n/OeHPjwYr/0gMZVaoEpddW\n\tchJCnuDnMAOWN6AxtpSAFnJqRuUvdIZOV+TeMFinVwnHyHE7UASuVhw/yYHCAZfBf2o0gE\n\t1PPNNM54BHrA4Xh7RUydglkhTzu5V6Y=", "v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1777371972;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n\t content-transfer-encoding:content-transfer-encoding:\n\t in-reply-to:in-reply-to:references:references;\n\tbh=XmC/A0DYDjd545bDdChH92GZFz6jyps73WhO3spjhMU=;\n\tb=k4GzsSU7LATZw56CVGjEOoOLLX7nlKNv9ApYjE3zlj/VKxFEPw3NUbpCdlhT9UIjr/Hvbp\n\t5G8rx8DExWj/iPAw==" ], "From": "Fernando Fernandez Mancera <fmancera@suse.de>", "To": "netfilter-devel@vger.kernel.org", "Cc": "coreteam@netfilter.org,\n\tphil@nwl.cc,\n\tfw@strlen.de,\n\tpablo@netfilter.org,\n\tFernando Fernandez Mancera <fmancera@suse.de>", "Subject": "[PATCH 2/3 nf v5] netfilter: nf_tables: skip L4 header parsing for\n non-first fragments", "Date": "Tue, 28 Apr 2026 12:25:47 +0200", "Message-ID": "<20260428102548.6750-2-fmancera@suse.de>", "X-Mailer": "git-send-email 2.51.0", "In-Reply-To": "<20260428102548.6750-1-fmancera@suse.de>", "References": "<20260428102548.6750-1-fmancera@suse.de>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Spamd-Result": "default: False [-4.01 / 
50.00];\n\tBAYES_HAM(-3.00)[100.00%];\n\tDWL_DNSWL_LOW(-1.00)[suse.de:dkim];\n\tMID_CONTAINS_FROM(1.00)[];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tR_MISSING_CHARSET(0.50)[];\n\tR_DKIM_ALLOW(-0.20)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tNEURAL_HAM_SHORT(-0.20)[-1.000];\n\tMIME_GOOD(-0.10)[text/plain];\n\tMX_GOOD(-0.01)[];\n\tMIME_TRACE(0.00)[0:+];\n\tFUZZY_RATELIMITED(0.00)[rspamd.com];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tTO_DN_SOME(0.00)[];\n\tRBL_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:104:10:150:64:97:from];\n\tSPAMHAUS_XBL(0.00)[2a07:de40:b281:104:10:150:64:97:from];\n\tARC_NA(0.00)[];\n\tDNSWL_BLOCKED(0.00)[2a07:de40:b281:104:10:150:64:97:from,2a07:de40:b281:106:10:150:64:167:received];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tFROM_HAS_DN(0.00)[];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tRECEIVED_SPAMHAUS_BLOCKED_OPENRESOLVER(0.00)[2a07:de40:b281:106:10:150:64:167:received];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tRCVD_TLS_ALL(0.00)[];\n\tDKIM_TRACE(0.00)[suse.de:+];\n\tRCPT_COUNT_FIVE(0.00)[6];\n\tDBL_BLOCKED_OPENRESOLVER(0.00)[imap1.dmz-prg2.suse.org:helo,imap1.dmz-prg2.suse.org:rdns,suse.de:mid,suse.de:dkim,suse.de:email]", "X-Rspamd-Action": "no action", "X-Spam-Flag": "NO", "X-Spam-Score": "-4.01", "X-Spam-Level": "", "X-Rspamd-Server": "rspamd1.dmz-prg2.suse.org", "X-Rspamd-Queue-Id": "515C55BCCB" }, "content": "The tproxy, osf and exthdr (SCTP) expressions rely on the presence of\ntransport layer headers to perform socket lookups, fingerprint matching,\nor chunk extraction. For fragmented packets, while the IP protocol\nremains constant across all fragments, only the first fragment contains\nthe actual L4 header.\n\nThe expressions could be attached to a chain with a priority lower than\n-400, bypassing defragmentation. Or could be used in stateless\nenvironments where defragmentation is not happening at all. 
This could\nresult in garbage data being used for the matching.\n\nAdd a check for pkt->fragoff so only unfragmented packets or the first\nfragment is processed.\n\nFixes: 133dc203d77d (\"netfilter: nft_exthdr: Support SCTP chunks\")\nFixes: 4ed8eb6570a4 (\"netfilter: nf_tables: Add native tproxy support\")\nFixes: b96af92d6eaf (\"netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n---\nv2: handled fragmented packets for socket expression too,\nsquashed nftables expression commits into this one.\nv3: removed changes to nft_socket and created a generic solution for\nxt/nft\nv4: no changes\nv5: added check on payload fastpath\n---\n net/netfilter/nf_tables_core.c | 2 +-\n net/netfilter/nft_exthdr.c | 2 +-\n net/netfilter/nft_osf.c | 2 +-\n net/netfilter/nft_tproxy.c | 8 ++++----\n 4 files changed, 7 insertions(+), 7 deletions(-)", "diff": "diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c\nindex 5ddd5b6e135f..8ab186f86dd4 100644\n--- a/net/netfilter/nf_tables_core.c\n+++ b/net/netfilter/nf_tables_core.c\n@@ -153,7 +153,7 @@ static bool nft_payload_fast_eval(const struct nft_expr *expr,\n \tif (priv->base == NFT_PAYLOAD_NETWORK_HEADER)\n \t\tptr = skb_network_header(skb) + pkt->nhoff;\n \telse {\n-\t\tif (!(pkt->flags & NFT_PKTINFO_L4PROTO))\n+\t\tif (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)\n \t\t\treturn false;\n \t\tptr = skb->data + nft_thoff(pkt);\n \t}\ndiff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c\nindex 0407d6f708ae..e6a07c0df207 100644\n--- a/net/netfilter/nft_exthdr.c\n+++ b/net/netfilter/nft_exthdr.c\n@@ -376,7 +376,7 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,\n \tconst struct sctp_chunkhdr *sch;\n \tstruct sctp_chunkhdr _sch;\n \n-\tif (pkt->tprot != IPPROTO_SCTP)\n+\tif (pkt->tprot != IPPROTO_SCTP || pkt->fragoff)\n \t\tgoto err;\n \n \tdo {\ndiff --git a/net/netfilter/nft_osf.c 
b/net/netfilter/nft_osf.c\nindex c02d5cb52143..45fe56da5044 100644\n--- a/net/netfilter/nft_osf.c\n+++ b/net/netfilter/nft_osf.c\n@@ -33,7 +33,7 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,\n \t\treturn;\n \t}\n \n-\tif (pkt->tprot != IPPROTO_TCP) {\n+\tif (pkt->tprot != IPPROTO_TCP || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\ndiff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c\nindex f2101af8c867..89be443734f6 100644\n--- a/net/netfilter/nft_tproxy.c\n+++ b/net/netfilter/nft_tproxy.c\n@@ -30,8 +30,8 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,\n \t__be16 tport = 0;\n \tstruct sock *sk;\n \n-\tif (pkt->tprot != IPPROTO_TCP &&\n-\t pkt->tprot != IPPROTO_UDP) {\n+\tif ((pkt->tprot != IPPROTO_TCP &&\n+\t pkt->tprot != IPPROTO_UDP) || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\n@@ -97,8 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,\n \n \tmemset(&taddr, 0, sizeof(taddr));\n \n-\tif (pkt->tprot != IPPROTO_TCP &&\n-\t pkt->tprot != IPPROTO_UDP) {\n+\tif ((pkt->tprot != IPPROTO_TCP &&\n+\t pkt->tprot != IPPROTO_UDP) || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\n", "prefixes": [ "2/3", "nf", "v5" ] }
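Review bot: The new `|| pkt->fragoff` test in nft_payload_fast_eval() (the net/netfilter/nf_tables_core.c hunk) has no comment, and nothing in the hunk shows where a packet goes after `return false`. I would put `/* non-first fragment: no L4 header at nft_thoff(pkt), do not take the fast path */` above the condition. Presumably the caller then runs the regular payload evaluator, so it is worth confirming that this path also rejects transport-header loads when `pkt->fragoff` is set; otherwise the same bytes are read one call later. The function begins and ends outside the hunk.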
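Review bot: In nft_tproxy_eval_v4() and nft_tproxy_eval_v6() the added `|| pkt->fragoff` sets NFT_BREAK for every non-first fragment, so on a chain that runs before defragmentation the first fragment of a datagram can be handled by tproxy while the rest fall through to the following rules, and the code does not say this is intended. A comment above each condition such as `/* non-first fragments have no L4 header: do not match; they are evaluated by later rules */` would record it. The same applies to the nft_osf_eval() hunk and to the `goto err` in nft_exthdr_sctp_eval(). The identical guard is now open-coded in five places across four files, so a shared inline predicate on `struct nft_pktinfo` (name left to the author) would keep future L4-dependent expressions from missing it. All of these functions continue outside their hunks.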