GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/1.2/patches/2225886/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2225886,
    "url": "http://patchwork.ozlabs.org/api/1.2/patches/2225886/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260421183514.167201-1-pablo@netfilter.org/",
    "project": {
        "id": 26,
        "url": "http://patchwork.ozlabs.org/api/1.2/projects/26/?format=api",
        "name": "Netfilter Development",
        "link_name": "netfilter-devel",
        "list_id": "netfilter-devel.vger.kernel.org",
        "list_email": "netfilter-devel@vger.kernel.org",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260421183514.167201-1-pablo@netfilter.org>",
    "list_archive_url": null,
    "date": "2026-04-21T18:35:14",
    "name": "[nf,v5] netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "3713a27807bc911daf27304c3fca954a99f577b3",
    "submitter": {
        "id": 1315,
        "url": "http://patchwork.ozlabs.org/api/1.2/people/1315/?format=api",
        "name": "Pablo Neira Ayuso",
        "email": "pablo@netfilter.org"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260421183514.167201-1-pablo@netfilter.org/mbox/",
    "series": [
        {
            "id": 500867,
            "url": "http://patchwork.ozlabs.org/api/1.2/series/500867/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500867",
            "date": "2026-04-21T18:35:14",
            "name": "[nf,v5] netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
            "version": 5,
            "mbox": "http://patchwork.ozlabs.org/series/500867/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2225886/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2225886/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "\n <netfilter-devel+bounces-12120-incoming=patchwork.ozlabs.org@vger.kernel.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "netfilter-devel@vger.kernel.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=gBld8f+x;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12120-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)",
            "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"gBld8f+x\"",
            "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124",
            "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org",
            "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"
        ],
        "Received": [
            "from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0WJ81B8jz1yGs\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 04:35:36 +1000 (AEST)",
            "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 4401C3001023\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 18:35:33 +0000 (UTC)",
            "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 1F3212DCBE3;\n\tTue, 21 Apr 2026 18:35:32 +0000 (UTC)",
            "from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id D0D772BE7BE\n\tfor <netfilter-devel@vger.kernel.org>; Tue, 21 Apr 2026 18:35:21 +0000 (UTC)",
            "from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id 343D960255;\n\tTue, 21 Apr 2026 20:35:18 +0200 (CEST)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776796526; cv=none;\n b=obbQ92he0gbCTo9wD1SaIUy2hh7WRUuighEuJ4mkMAaG0/x40wWS9uvHEZXw2DQxYdsqn2O9Abz1MdNyKHrpy5yVuVh7TFOv135qCkOnLgb/B0dkv+RUSB7Qx+r9FUEaPSSslJXXJDRYVwlvnRmELmrcY0f3FAVe60XhBdtTv4s=",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776796526; c=relaxed/simple;\n\tbh=kC8ZCTDsJAYQL8OlZ+k+6JY9z8/Sqx7fYh1Qpcb4iqU=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=nj9T62NNOtQW3dRB05js2N8DmiNJHEW67h0S6FgiHWI902I4pDypVZSq38w9MqEClW7VMvOcHBZe8ly+jswQ/K/PIs0nbH6Ei8Cw03kTwu3M1Hz019zwuMowCaXFGwu8xw4RGlyLz1+ugvP5q0TMm51VP6qrr6jj7JH/edcOQ7Q=",
        "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=gBld8f+x; arc=none smtp.client-ip=217.70.190.124",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776796518;\n\tbh=4F8FKUzN+rQdLlW6EPbWJ59sgS7CjxTIoDPe8l9IDcg=;\n\th=From:To:Cc:Subject:Date:From;\n\tb=gBld8f+x0TGRciqKPq3qRPG3jWmKiJCKkeEdJzgllOVZxbvjZRUGhPHfH6mUhxIcs\n\t qwFeVLM69tccs5E8vofkLuZdl2mllhUIIzq0+ZBuHoz64Os66sV5MKy+qsPRtNyR39\n\t ll6Mg6P30D/KcGNklA7KBpdqCnu9/lRr4BkhO+KrSenbC6t6wAw3cfhhK4BSmTBX+M\n\t UoH/OHFd1SH7VxqtiGDVUBO6eWcWAuc1owSeAJvgLNumKy29qefmaOYJBc4X+/hMii\n\t HPejTkyfYqG+ewPMsg1uzn5wbNqjkQdT1gXR2siHLkVAoC9xxTmlzipPNjC7FRz+S/\n\t luZikbXRW1wdw==",
        "From": "Pablo Neira Ayuso <pablo@netfilter.org>",
        "To": "netfilter-devel@vger.kernel.org",
        "Cc": "fw@strlen.de",
        "Subject": "[PATCH nf,v5] netfilter: arp_tables: fix IEEE1394 ARP payload parsing",
        "Date": "Tue, 21 Apr 2026 20:35:14 +0200",
        "Message-ID": "<20260421183514.167201-1-pablo@netfilter.org>",
        "X-Mailer": "git-send-email 2.47.3",
        "Precedence": "bulk",
        "X-Mailing-List": "netfilter-devel@vger.kernel.org",
        "List-Id": "<netfilter-devel.vger.kernel.org>",
        "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>",
        "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit"
    },
    "content": "Weiming Shi says:\n\n\"arp_packet_match() unconditionally parses the ARP payload assuming two\nhardware addresses are present (source and target). However,\nIPv4-over-IEEE1394 ARP (RFC 2734) omits the target hardware address\nfield, and arp_hdr_len() already accounts for this by returning a\nshorter length for ARPHRD_IEEE1394 devices.\n\nAs a result, on IEEE1394 interfaces arp_packet_match() advances past a\nnonexistent target hardware address and reads the wrong bytes for both\nthe target device address comparison and the target IP address. This\ncauses arptables rules to match against garbage data, leading to\nincorrect filtering decisions: packets that should be accepted may be\ndropped and vice versa.\n\nThe ARP stack in net/ipv4/arp.c (arp_create and arp_process) already\nhandles this correctly by skipping the target hardware address for\nARPHRD_IEEE1394. Apply the same pattern to arp_packet_match().\"\n\nThis patch always returns 0 (no match) in case user matches on the target\nhardware address which is never present in IEEE1394.\n\nNote that this returns 0 (no match) for either normal and inverse match\nbecause matching in the target hardware address in ARPHRD_IEEE1394 has\nnever been supported by arptables. This is intentional, matching on the\ntarget hardware address should never evaluate true for ARPHRD_IEEE1394.\n\nMoreover, adjust arpt_mangle to drop the packet if user tries to mangle\ntarget hardware and IP address in IEEE1394, this has never been\nsupported.\n\nFixes: 6752c8db8e0c (\"firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection.\")\nReported-by: Xiang Mei <xmei5@asu.edu>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\nv5: check for arphdr->ar_hrd == htons(ARPHRD_IEEE1394) in\n    arp_packet_match() too.\n\n net/ipv4/netfilter/arp_tables.c  | 19 ++++++++++++++++---\n net/ipv4/netfilter/arpt_mangle.c |  8 ++++++++\n 2 files changed, 24 insertions(+), 3 deletions(-)",
    "diff": "diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c\nindex 1cdd9c28ab2d..e4b2106d0456 100644\n--- a/net/ipv4/netfilter/arp_tables.c\n+++ b/net/ipv4/netfilter/arp_tables.c\n@@ -110,13 +110,26 @@ static inline int arp_packet_match(const struct arphdr *arphdr,\n \tarpptr += dev->addr_len;\n \tmemcpy(&src_ipaddr, arpptr, sizeof(u32));\n \tarpptr += sizeof(u32);\n-\ttgt_devaddr = arpptr;\n-\tarpptr += dev->addr_len;\n+\n+\tif (IS_ENABLED(CONFIG_FIREWIRE_NET) &&\n+\t    arphdr->ar_hrd == htons(ARPHRD_IEEE1394)) {\n+\t\tif (unlikely(memchr_inv(arpinfo->tgt_devaddr.mask, 0,\n+\t\t\t\t\tsizeof(arpinfo->tgt_devaddr.mask))))\n+\t\t\treturn 0;\n+\n+\t\ttgt_devaddr = NULL;\n+\t} else {\n+\t\ttgt_devaddr = arpptr;\n+\t\tarpptr += dev->addr_len;\n+\t}\n \tmemcpy(&tgt_ipaddr, arpptr, sizeof(u32));\n \n \tif (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,\n \t\t    arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,\n-\t\t\t\t\tdev->addr_len)) ||\n+\t\t\t\t\tdev->addr_len)))\n+\t\treturn 0;\n+\n+\tif (tgt_devaddr &&\n \t    NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,\n \t\t    arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,\n \t\t\t\t\tdev->addr_len)))\ndiff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c\nindex a4e07e5e9c11..285b1123b05c 100644\n--- a/net/ipv4/netfilter/arpt_mangle.c\n+++ b/net/ipv4/netfilter/arpt_mangle.c\n@@ -40,6 +40,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)\n \t}\n \tarpptr += pln;\n \tif (mangle->flags & ARPT_MANGLE_TDEV) {\n+\t\tif (IS_ENABLED(CONFIG_FIREWIRE_NET) &&\n+\t\t    arp->ar_hrd == htons(ARPHRD_IEEE1394))\n+\t\t\treturn NF_DROP;\n+\n \t\tif (ARPT_DEV_ADDR_LEN_MAX < hln ||\n \t\t   (arpptr + hln > skb_tail_pointer(skb)))\n \t\t\treturn NF_DROP;\n@@ -47,6 +51,10 @@ target(struct sk_buff *skb, const struct xt_action_param *par)\n \t}\n \tarpptr += hln;\n \tif (mangle->flags & ARPT_MANGLE_TIP) {\n+\t\tif (IS_ENABLED(CONFIG_FIREWIRE_NET) &&\n+\t\t    arp->ar_hrd == htons(ARPHRD_IEEE1394))\n+\t\t\treturn NF_DROP;\n+\n \t\tif (ARPT_MANGLE_ADDR_LEN_MAX < pln ||\n \t\t   (arpptr + pln > skb_tail_pointer(skb)))\n \t\t\treturn NF_DROP;\n",
    "prefixes": [
        "nf",
        "v5"
    ]
}