GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/1.1/patches/2231781/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2231781,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2231781/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260501122237.296262-10-pablo@netfilter.org/",
    "project": {
        "id": 26,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api",
        "name": "Netfilter Development",
        "link_name": "netfilter-devel",
        "list_id": "netfilter-devel.vger.kernel.org",
        "list_email": "netfilter-devel@vger.kernel.org",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null
    },
    "msgid": "<20260501122237.296262-10-pablo@netfilter.org>",
    "date": "2026-05-01T12:22:32",
    "name": "[net,09/14] netfilter: nf_tables: skip L4 header parsing for non-first fragments",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "b81d305bbe550be1955c63b8cfba33715b632bca",
    "submitter": {
        "id": 1315,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/1315/?format=api",
        "name": "Pablo Neira Ayuso",
        "email": "pablo@netfilter.org"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260501122237.296262-10-pablo@netfilter.org/mbox/",
    "series": [
        {
            "id": 502449,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/502449/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=502449",
            "date": "2026-05-01T12:22:23",
            "name": "[net,01/14] netfilter: replace skb_try_make_writable() by skb_ensure_writable()",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/502449/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2231781/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2231781/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "\n <netfilter-devel+bounces-12384-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "netfilter-devel@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=lXq6RYmy;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12384-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"lXq6RYmy\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124",
            "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org",
            "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"
        ],
        "Received": [
            "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g6VfQ6BJ7z1xqf\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 01 May 2026 22:27:10 +1000 (AEST)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id B1C31305D6CE\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  1 May 2026 12:23:04 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 42C183A2570;\n\tFri,  1 May 2026 12:23:04 +0000 (UTC)",
            "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 5ADF13A1E67;\n\tFri,  1 May 2026 12:22:55 +0000 (UTC)",
            "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id E1F1F6017E;\n\tFri,  1 May 2026 14:22:53 +0200 (CEST)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777638183; cv=none;\n b=q8kCc3B/mBckfi6koXcBmBtnla7OFYbR6tPqVCoYRVVpnF2oVFayRCtfnqZPSCqoaJLv8glcDUsIHzXriUXPj8joII3CsgURHaOP7krY/ySiBYzXuzIGNGoim9LO69EbiCM/NCbCyapjt9D4KapPgB4TbdU5d9HLt2iwvGOOzp0=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777638183; c=relaxed/simple;\n\tbh=oqqTWfGnPyLAtneYKuVaq1SsjDyTKX3QVfdWOIBC5qI=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=AifHXP0clDzbZ33c0gGUV+J5miohkcjAlibZe+7BnyaThLEh+xRo61pM9P7iB7dFO6UtXXjDMSkNSjNhq3ZcXQVr4Hb69cGZfMsXucJwezbSmTyAQCJnAEz/8/ZTGOYUxwbnjhWh0Tk4MvwCECuUN65zcN2y0V8mKW4ig+RsbfA=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=lXq6RYmy; arc=none smtp.client-ip=217.70.190.124",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1777638174;\n\tbh=Mp/JXNuUBdeI9ihtX9QNuyNpx7fuho/7XkOS4owfwW8=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=lXq6RYmyW9lydJFM/mXDGNkXsxjedmWgkXAz0nJAojDelrFMlFNRn+0yVHhJdH35h\n\t qZp5BUGj3Vp9s1zsXP+3wCsc71YjCEhqSdbg3dYTgVO2PhEQlT8FEb9s+LZRlzQSeA\n\t MXEvXYCJpz2yd2i16cfkApApXJ+YDL+kcj1FoCWvNZYxPJlzE70cV/z19eYBhSo6Kp\n\t zG/jIcG7wnQQoA5625Fz1ARGo0P7ih+vLzb1VGtv5qIi8ZC/yke94yBz+7rcNB6tc4\n\t VaaRb2T9qQUO/9xsZgHKdmeZlfjibImR3nZjet4dsv+phLgVQAU9jnup9WcKVPM56J\n\t edQvJSC5XHWWg==",
        "From": "Pablo Neira Ayuso <pablo@netfilter.org>",
        "To": "netfilter-devel@vger.kernel.org",
        "Cc": "davem@davemloft.net,\n\tnetdev@vger.kernel.org,\n\tkuba@kernel.org,\n\tpabeni@redhat.com,\n\tedumazet@google.com,\n\tfw@strlen.de,\n\thorms@kernel.org",
        "Subject": "[PATCH net 09/14] netfilter: nf_tables: skip L4 header parsing for\n non-first fragments",
        "Date": "Fri,  1 May 2026 14:22:32 +0200",
        "Message-ID": "<20260501122237.296262-10-pablo@netfilter.org>",
        "X-Mailer": "git-send-email 2.47.3",
        "In-Reply-To": "<20260501122237.296262-1-pablo@netfilter.org>",
        "References": "<20260501122237.296262-1-pablo@netfilter.org>",
        "Precedence": "bulk",
        "X-Mailing-List": "netfilter-devel@vger.kernel.org",
        "List-Id": "<netfilter-devel.vger.kernel.org>",
        "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "From: Fernando Fernandez Mancera <fmancera@suse.de>\n\nThe tproxy, osf and exthdr (SCTP) expressions rely on the presence of\ntransport layer headers to perform socket lookups, fingerprint matching,\nor chunk extraction. For fragmented packets, while the IP protocol\nremains constant across all fragments, only the first fragment contains\nthe actual L4 header.\n\nThe expressions could be attached to a chain with a priority lower than\n-400, bypassing defragmentation. Or could be used in stateless\nenvironments where defragmentation is not happening at all.  This could\nresult in garbage data being used for the matching.\n\nAdd a check for pkt->fragoff so only unfragmented packets or the first\nfragment is processed.\n\nFixes: 133dc203d77d (\"netfilter: nft_exthdr: Support SCTP chunks\")\nFixes: 4ed8eb6570a4 (\"netfilter: nf_tables: Add native tproxy support\")\nFixes: b96af92d6eaf (\"netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n net/netfilter/nf_tables_core.c | 2 +-\n net/netfilter/nft_exthdr.c     | 2 +-\n net/netfilter/nft_osf.c        | 2 +-\n net/netfilter/nft_tproxy.c     | 8 ++++----\n 4 files changed, 7 insertions(+), 7 deletions(-)",
    "diff": "diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c\nindex 5ddd5b6e135f..8ab186f86dd4 100644\n--- a/net/netfilter/nf_tables_core.c\n+++ b/net/netfilter/nf_tables_core.c\n@@ -153,7 +153,7 @@ static bool nft_payload_fast_eval(const struct nft_expr *expr,\n \tif (priv->base == NFT_PAYLOAD_NETWORK_HEADER)\n \t\tptr = skb_network_header(skb) + pkt->nhoff;\n \telse {\n-\t\tif (!(pkt->flags & NFT_PKTINFO_L4PROTO))\n+\t\tif (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)\n \t\t\treturn false;\n \t\tptr = skb->data + nft_thoff(pkt);\n \t}\ndiff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c\nindex 0407d6f708ae..e6a07c0df207 100644\n--- a/net/netfilter/nft_exthdr.c\n+++ b/net/netfilter/nft_exthdr.c\n@@ -376,7 +376,7 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,\n \tconst struct sctp_chunkhdr *sch;\n \tstruct sctp_chunkhdr _sch;\n \n-\tif (pkt->tprot != IPPROTO_SCTP)\n+\tif (pkt->tprot != IPPROTO_SCTP || pkt->fragoff)\n \t\tgoto err;\n \n \tdo {\ndiff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c\nindex c02d5cb52143..45fe56da5044 100644\n--- a/net/netfilter/nft_osf.c\n+++ b/net/netfilter/nft_osf.c\n@@ -33,7 +33,7 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,\n \t\treturn;\n \t}\n \n-\tif (pkt->tprot != IPPROTO_TCP) {\n+\tif (pkt->tprot != IPPROTO_TCP || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\ndiff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c\nindex f2101af8c867..89be443734f6 100644\n--- a/net/netfilter/nft_tproxy.c\n+++ b/net/netfilter/nft_tproxy.c\n@@ -30,8 +30,8 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,\n \t__be16 tport = 0;\n \tstruct sock *sk;\n \n-\tif (pkt->tprot != IPPROTO_TCP &&\n-\t    pkt->tprot != IPPROTO_UDP) {\n+\tif ((pkt->tprot != IPPROTO_TCP &&\n+\t     pkt->tprot != IPPROTO_UDP) || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\n@@ -97,8 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,\n \n \tmemset(&taddr, 0, sizeof(taddr));\n \n-\tif (pkt->tprot != IPPROTO_TCP &&\n-\t    pkt->tprot != IPPROTO_UDP) {\n+\tif ((pkt->tprot != IPPROTO_TCP &&\n+\t     pkt->tprot != IPPROTO_UDP) || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\n",
    "prefixes": [
        "net",
        "09/14"
    ]
}