Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2217423/?format=api
{ "id": 2217423, "url": "http://patchwork.ozlabs.org/api/patches/2217423/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260328194222.4752-1-fw@strlen.de/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260328194222.4752-1-fw@strlen.de>", "list_archive_url": null, "date": "2026-03-28T19:42:17", "name": "[nf] netfilter: nft_compat: tighten the nft_compat interface", "commit_ref": null, "pull_url": null, "state": "not-applicable", "archived": false, "hash": "28ffba92a820d36557657b9e14e2c7dcac5ed781", "submitter": { "id": 1025, "url": "http://patchwork.ozlabs.org/api/people/1025/?format=api", "name": "Florian Westphal", "email": "fw@strlen.de" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260328194222.4752-1-fw@strlen.de/mbox/", "series": [ { "id": 497890, "url": "http://patchwork.ozlabs.org/api/series/497890/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=497890", "date": "2026-03-28T19:42:17", "name": "[nf] netfilter: nft_compat: tighten the nft_compat interface", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/497890/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2217423/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2217423/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-11481-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11481-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc" ], "Received": [ "from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fjnwk3LLRz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 29 Mar 2026 06:42:46 +1100 (AEDT)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 6F547302737B\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 28 Mar 2026 19:42:44 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 482AB2F4A18;\n\tSat, 28 Mar 2026 19:42:41 +0000 (UTC)", "from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 712DD19E819\n\tfor <netfilter-devel@vger.kernel.org>; Sat, 28 Mar 2026 19:42:39 +0000 (UTC)", "by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 2A89760508; Sat, 28 Mar 2026 20:42:32 +0100 (CET)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774726961; cv=none;\n b=QViiu2vNyzcr8OFmoO1ajag00HvLSuwjcAInVplwbkRDcrOnBspojoLGgyq0OivWAcZ52secJ2OA6IYXaQhmZcwbwr2qUYdA1U8c/W6UOpZENSU0F61kDOkEFdPRnX/Y2LFpzHt62+poxxGv5X5Cl88PRyVaJ4UWt6ZkK7IoPoA=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774726961; c=relaxed/simple;\n\tbh=1E46YMFg5WdwyBtnUcD64Jxn+9o/a2Btq3yxRvC5RCA=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=rjVOS0FhrOilhZW+Okz14jGvtztUQUjxc40RSLYganCtEwNziLnY6wz8RCy5LudwSZ752umSyDvP8JLY/EhpGqijHvtwL7uwIvY4OFoR2AyOBZnt+L/WCGu+AZ0DyTNWRbg68UmURBS/gqDVwKwgq6DufN2U3hWhLPuYGpZ9VuM=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc;\n arc=none smtp.client-ip=91.216.245.30", "From": "Florian Westphal <fw@strlen.de>", "To": "<netfilter-devel@vger.kernel.org>", "Cc": "Florian Westphal <fw@strlen.de>", "Subject": "[PATCH nf] netfilter: nft_compat: tighten the nft_compat interface", "Date": "Sat, 28 Mar 2026 20:42:17 +0100", "Message-ID": "<20260328194222.4752-1-fw@strlen.de>", "X-Mailer": "git-send-email 2.53.0", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "nft_compat is used by xtables-over-nftables:\n - arptables-nft\n - ebtables-nft\n - iptables-nft\n - ip6tables-nft\n\nx_tables doesn't support NFPROTO_NETDEV and NFPROTO_INET.\nReject unsupported families. As-is, this allows use of xtables\nNFPROTO_UNSPEC extensions that are crashing the kernel when used\nwith e.g. NFPROTO_NETDEV.\n\nNFPROTO_INET *might* be safe (since its a superset of\nNFPROTO_IPV4/IPV6), but it is not used by the existing compat\nlayer.\n\nSigned-off-by: Florian Westphal <fw@strlen.de>\n---\n This is in addition to\n \"netfilter: x_tables: reject unsupported families in xt_check_match/xt_check_target\".\n\n net/netfilter/nft_compat.c | 20 ++++++++++++++++++++\n 1 file changed, 20 insertions(+)", "diff": "diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c\nindex 27cc983a7cdf..bafc0bf450e6 100644\n--- a/net/netfilter/nft_compat.c\n+++ b/net/netfilter/nft_compat.c\n@@ -786,6 +786,20 @@ static bool nft_match_reduce(struct nft_regs_track *track,\n \treturn strcmp(match->name, \"comment\") == 0;\n }\n \n+static bool is_valid_compat_family(u32 family)\n+{\n+\tswitch (family) {\n+\tcase NFPROTO_IPV4:\n+\tcase NFPROTO_ARP:\n+\tcase NFPROTO_BRIDGE:\n+\tcase NFPROTO_IPV6:\n+\t\treturn true;\n+\t}\n+\n+\t/* others are nftables only */\n+\treturn false;\n+}\n+\n static const struct nft_expr_ops *\n nft_match_select_ops(const struct nft_ctx *ctx,\n \t\t const struct nlattr * const tb[])\n@@ -806,6 +820,9 @@ nft_match_select_ops(const struct nft_ctx *ctx,\n \trev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));\n \tfamily = ctx->family;\n \n+\tif (!is_valid_compat_family(family))\n+\t\treturn ERR_PTR(-EAFNOSUPPORT);\n+\n \tmatch = xt_request_find_match(family, mt_name, rev);\n \tif (IS_ERR(match))\n \t\treturn ERR_PTR(-ENOENT);\n@@ -886,6 +903,9 @@ nft_target_select_ops(const struct nft_ctx *ctx,\n \trev = ntohl(nla_get_be32(tb[NFTA_TARGET_REV]));\n \tfamily = ctx->family;\n \n+\tif (!is_valid_compat_family(family))\n+\t\treturn ERR_PTR(-EAFNOSUPPORT);\n+\n \tif (strcmp(tg_name, XT_ERROR_TARGET) == 0 ||\n \t strcmp(tg_name, XT_STANDARD_TARGET) == 0 ||\n \t strcmp(tg_name, \"standard\") == 0)\n", "prefixes": [ "nf" ] }