Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.1/patches/2229925/?format=api
{ "id": 2229925, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2229925/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428221038.96012-2-pablo@netfilter.org/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260428221038.96012-2-pablo@netfilter.org>", "date": "2026-04-28T22:10:38", "name": "[nf,2/2] netfilter: nft_compat: run checkentry() from .validate", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "1a9a59775682952890e08b977bf4f3f56285212d", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/1.1/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": { "id": 11902, "url": "http://patchwork.ozlabs.org/api/1.1/users/11902/?format=api", "username": "strlen", "first_name": "Florian", "last_name": "Westphal", "email": "fw@strlen.de" }, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428221038.96012-2-pablo@netfilter.org/mbox/", "series": [ { "id": 501940, "url": "http://patchwork.ozlabs.org/api/1.1/series/501940/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501940", "date": "2026-04-28T22:10:37", "name": "[nf,1/2] netfilter: x_tables: add .check_hooks to matches and targets", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501940/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2229925/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2229925/checks/", "tags": {}, "headers": { "Return-Path": "\n <netfilter-devel+bounces-12276-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=VFrR+kpP;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12276-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"VFrR+kpP\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4vlY17kBz1yHX\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 08:11:05 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 25E2C304C955\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 22:10:56 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0B4D737AA96;\n\tTue, 28 Apr 2026 22:10:55 +0000 (UTC)", "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id CBDB92F9998\n\tfor <netfilter-devel@vger.kernel.org>; Tue, 28 Apr 2026 22:10:52 +0000 (UTC)", "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id 4F62760253;\n\tWed, 29 Apr 2026 00:10:44 +0200 (CEST)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777414254; cv=none;\n b=ckirvsvsdAhpxYK2NVuokm8zL3Hy/bJ/tFN+kJD7yb6KTJGIwaYwDHWcv2+xg2VbiND0+4CB2bQJ1dmDqPMTBSevn1pWgMNXLw+oedlGT33LD2N6crrH2KKzJ22Dyup6hqnXRHqufKB5XkODSFeQfOa48gs+yZWtWMdMgxjy4yU=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777414254; c=relaxed/simple;\n\tbh=1DOv+hF/ml+LuMMqUVgBwdezXXekibkRwn04pAl6A/s=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=kGr1pFHheLV5ODUbJiqtrWUG63vrC6+K3a7tpchTQEe6ukM9XfnFVlsLq1QoEUBILee70pyAGlbvZO4CRNV2nwHeqDmjBizHGzGTiPN4YRQrg1pU1LRR8ScYwx52uYaF+FLkiZ3VolR0YlC5YAja9FM3Fsk9cCs8C5fxnBEghMc=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=VFrR+kpP; arc=none smtp.client-ip=217.70.190.124", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1777414244;\n\tbh=4lGdNNUubkhDVueTsynt9Wc868CSMqIOu5zt5WfEplM=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=VFrR+kpPNWsKXq92xNq6mGD/9hy6/Shs6uUWb+A0l3yWZZ7y0HOQNViSViwrDZKTP\n\t Dhq/RUO2ZvDZSHXd54egIs6n5J6Q8b/DMEZgta14Kh7KTrMrnK7QS+DseqF8PhtJL1\n\t SuX+ovVe7nte/jw05oqAYXLZGl6dCTFP7J1UPUitSjT/XYj3bX/d+Kulb2lNVPNNWj\n\t 13Ef66OsWVm78E8kh80Csd9rInLRx4/N/DPyzD40h2aM0CC27MKnhsSPD+nhTbZX88\n\t 4n52khUwCRS3UwTaf8WtPfSq2hQF0jtFVeXJ2+GHdqtMnfcu0sn1D/0IAtpd1O59r5\n\t uRcoife+rAAfA==", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "fw@strlen.de", "Subject": "[PATCH nf 2/2] netfilter: nft_compat: run checkentry() from .validate", "Date": "Wed, 29 Apr 2026 00:10:38 +0200", "Message-ID": "<20260428221038.96012-2-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.47.3", "In-Reply-To": "<20260428221038.96012-1-pablo@netfilter.org>", "References": "<20260428221038.96012-1-pablo@netfilter.org>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Several matches and one target check that the hook is correct from\ncheckentry(), however, the basechain is only available from\nnft_table_validate().\n\nThis patch calls checkentry() for matches and targets from the\nnft_compat expression .validate path for the following matches/target:\n\n- addrtype\n- devgroup\n- physdev\n- policy\n- set\n- TCPMSS\n- SET\n\nThe .destroy indirection is also called to restore the xt_set refcounts\nthat is performed by .checkentry. The remaining extensions provide no\n.destroy interface.\n\nThis patch sets the table in the nft_ctx struct in nft_table_validate()\nwhich is required by this patch.\n\nThe nft_compat_check_match() and nft_compat_check_target() helper\nfunctions are added to wrap common code used from .init and .validate\npath.\n\nThe protocol and inverse flags are set to always match from the\nexpression .validate path, this is already checked from the init path.\n\nBased on patch from Florian Westphal.\n\nFixes: 0ca743a55991 (\"netfilter: nf_tables: add compatibility layer for x_tables\")\nReported-by: Xiang Mei <xmei5@asu.edu>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n net/netfilter/nf_tables_api.c | 1 +\n net/netfilter/nft_compat.c | 58 ++++++++++++++++++++++++++++++++---\n 2 files changed, 55 insertions(+), 4 deletions(-)", "diff": "diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c\nindex d20ce5c36d31..38e33c66c618 100644\n--- a/net/netfilter/nf_tables_api.c\n+++ b/net/netfilter/nf_tables_api.c\n@@ -4205,6 +4205,7 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)\n \tstruct nft_chain *chain;\n \tstruct nft_ctx ctx = {\n \t\t.net\t= net,\n+\t\t.table\t= (struct nft_table *)table,\n \t\t.family\t= table->family,\n \t};\n \tint err = 0;\ndiff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c\nindex decc725a33c2..0c4315b66b09 100644\n--- a/net/netfilter/nft_compat.c\n+++ b/net/netfilter/nft_compat.c\n@@ -261,9 +261,17 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,\n \t\t\treturn ret;\n \t}\n \n+\tnft_compat_wait_for_destructors(ctx->net);\n+\n \tnft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);\n \n-\tnft_compat_wait_for_destructors(ctx->net);\n+\tif (nft_is_base_chain(ctx->chain)) {\n+\t\tif (target->hooks && !(par.hook_mask & target->hooks))\n+\t\t\treturn -EINVAL;\n+\n+\t\tif (xt_check_hooks_target(&par) < 0)\n+\t\t\treturn -EOPNOTSUPP;\n+\t}\n \n \tret = xt_check_target(&par, size, proto, inv);\n \tif (ret < 0) {\n@@ -353,7 +361,6 @@ static int nft_target_dump(struct sk_buff *skb,\n static int nft_target_validate(const struct nft_ctx *ctx,\n \t\t\t const struct nft_expr *expr)\n {\n-\tstruct xt_target *target = expr->ops->data;\n \tunsigned int hook_mask = 0;\n \tint ret;\n \n@@ -377,11 +384,20 @@ static int nft_target_validate(const struct nft_ctx *ctx,\n \t\tconst struct nft_base_chain *basechain =\n \t\t\t\t\t\tnft_base_chain(ctx->chain);\n \t\tconst struct nf_hook_ops *ops = &basechain->ops;\n+\t\tstruct xt_target *target = expr->ops->data;\n+\t\tvoid *info = nft_expr_priv(expr);\n+\t\tstruct xt_tgchk_param par;\n+\t\tunion nft_entry e = {};\n \n \t\thook_mask = 1 << ops->hooknum;\n \t\tif (target->hooks && !(hook_mask & target->hooks))\n \t\t\treturn -EINVAL;\n \n+\t\tnft_target_set_tgchk_param(&par, ctx, target, info, &e, 0, false);\n+\n+\t\tif (xt_check_hooks_target(&par) < 0)\n+\t\t\treturn -EOPNOTSUPP;\n+\n \t\tret = nft_compat_chain_validate_dependency(ctx, target->table);\n \t\tif (ret < 0)\n \t\t\treturn ret;\n@@ -515,9 +531,18 @@ __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,\n \t\t\treturn ret;\n \t}\n \n+\tnft_compat_wait_for_destructors(ctx->net);\n+\n \tnft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);\n \n-\tnft_compat_wait_for_destructors(ctx->net);\n+\tif (nft_is_base_chain(ctx->chain)) {\n+\t\tif (match->hooks && !(par.hook_mask & match->hooks))\n+\t\t\treturn -EINVAL;\n+\n+\t\tret = xt_check_hooks_match(&par);\n+\t\tif (ret < 0)\n+\t\t\treturn ret;\n+\t}\n \n \treturn xt_check_match(&par, size, proto, inv);\n }\n@@ -614,7 +639,6 @@ static int nft_match_large_dump(struct sk_buff *skb,\n static int nft_match_validate(const struct nft_ctx *ctx,\n \t\t\t const struct nft_expr *expr)\n {\n-\tstruct xt_match *match = expr->ops->data;\n \tunsigned int hook_mask = 0;\n \tint ret;\n \n@@ -638,11 +662,37 @@ static int nft_match_validate(const struct nft_ctx *ctx,\n \t\tconst struct nft_base_chain *basechain =\n \t\t\t\t\t\tnft_base_chain(ctx->chain);\n \t\tconst struct nf_hook_ops *ops = &basechain->ops;\n+\t\tstruct xt_match *match = expr->ops->data;\n+\t\tsize_t size = XT_ALIGN(match->matchsize);\n+\t\tvoid *info;\n \n \t\thook_mask = 1 << ops->hooknum;\n \t\tif (match->hooks && !(hook_mask & match->hooks))\n \t\t\treturn -EINVAL;\n \n+\t\tif (NFT_EXPR_SIZE(size) > NFT_MATCH_LARGE_THRESH) {\n+\t\t\tstruct nft_xt_match_priv *priv = nft_expr_priv(expr);\n+\n+\t\t\tinfo = priv->info;\n+\t\t} else {\n+\t\t\tinfo = nft_expr_priv(expr);\n+\t\t}\n+\n+\t\tif (nft_is_base_chain(ctx->chain)) {\n+\t\t\tunsigned int hook_mask = 1 << ops->hooknum;\n+\t\t\tstruct xt_mtchk_param par;\n+\t\t\tunion nft_entry e = {};\n+\n+\t\t\tif (match->hooks && !(hook_mask & match->hooks))\n+\t\t\t\treturn -EINVAL;\n+\n+\t\t\tnft_match_set_mtchk_param(&par, ctx, match, info, &e, 0, false);\n+\n+\t\t\tret = xt_check_hooks_match(&par);\n+\t\t\tif (ret < 0)\n+\t\t\t\treturn ret;\n+\t\t}\n+\n \t\tret = nft_compat_chain_validate_dependency(ctx, match->table);\n \t\tif (ret < 0)\n \t\t\treturn ret;\n", "prefixes": [ "nf", "2/2" ] }