Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2225646/?format=api
{ "id": 2225646, "url": "http://patchwork.ozlabs.org/api/patches/2225646/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260421104409.5452-2-fmancera@suse.de/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260421104409.5452-2-fmancera@suse.de>", "list_archive_url": null, "date": "2026-04-21T10:44:08", "name": "[2/3,nf,v3] netfilter: nf_tables: skip L4 header parsing for non-first fragments", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "bbed437d0f10a6bfe27e25874b5512e84405ef92", "submitter": { "id": 90904, "url": "http://patchwork.ozlabs.org/api/people/90904/?format=api", "name": "Fernando Fernandez Mancera", "email": "fmancera@suse.de" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260421104409.5452-2-fmancera@suse.de/mbox/", "series": [ { "id": 500779, "url": "http://patchwork.ozlabs.org/api/series/500779/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500779", "date": "2026-04-21T10:44:08", "name": "[1/3,nf,v3] netfilter: nf_socket: skip socket lookup for non-first fragments", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/500779/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2225646/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2225646/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-12106-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12106-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.131", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de", "smtp-out2.suse.de;\n\tnone" ], "Received": [ "from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0JsQ5MhZz1yGs\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 20:45:14 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 232CE3043ADD\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 10:44:33 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 272B93BD633;\n\tTue, 21 Apr 2026 10:44:30 +0000 (UTC)", "from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 8F5B63AE6FA\n\tfor <netfilter-devel@vger.kernel.org>; Tue, 21 Apr 2026 10:44:28 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org\n [IPv6:2a07:de40:b281:104:10:150:64:97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out2.suse.de (Postfix) with ESMTPS id 8B7EA5BD61;\n\tTue, 21 Apr 2026 10:44:23 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 15E74593B0;\n\tTue, 21 Apr 2026 10:44:23 +0000 (UTC)", "from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid OFhFAgdV52ljagAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Tue, 21 Apr 2026 10:44:23 +0000" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776768269; cv=none;\n b=FtiDV8H4VWfE1rTf1mqHgOqiN1nd2D+6iaro4u789puayrnmrEvLrvXWuc0RVIn6EvzMTiYPYYKqlEoTW+p+ND0JEWpKM1I5lxYnTijD8eJAnMYKA4EYbTQkIz4B6iS6a0c9aRh4JcELE+hNi/m30iAIwKRvrnSV+Hqtayvnh1c=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776768269; c=relaxed/simple;\n\tbh=vSjP9BHlGkRs3WlDd+eYwg/rEtDZNLcDyRaYoJdCyhI=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=BquHQPv9WcMvMm57RS8UoQrNITTEJBZUWucqRsd6VFq/lASSaQI1zt3c3aNJ+jdIIABAWJmAhYXzu6GCjtpfvQIqdEZNGuNKE1C4m019TdSshlUd8oU2+W+Xg+rCvgde0ueRprzjR/bZlsFRIEXvBlwua+DfLXin3DTnilESR9w=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de; arc=none smtp.client-ip=195.135.223.131", "From": "Fernando Fernandez Mancera <fmancera@suse.de>", "To": "netfilter-devel@vger.kernel.org", "Cc": "coreteam@netfilter.org,\n\tecklm94@gmail.com,\n\tphil@nwl.cc,\n\tfw@strlen.de,\n\tpablo@netfilter.org,\n\tFernando Fernandez Mancera <fmancera@suse.de>", "Subject": "[PATCH 2/3 nf v3] netfilter: nf_tables: skip L4 header parsing for\n non-first fragments", "Date": "Tue, 21 Apr 2026 12:44:08 +0200", "Message-ID": "<20260421104409.5452-2-fmancera@suse.de>", "X-Mailer": "git-send-email 2.51.0", "In-Reply-To": "<20260421104409.5452-1-fmancera@suse.de>", "References": "<20260421104409.5452-1-fmancera@suse.de>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Rspamd-Pre-Result": [ "action=no action;\n\tmodule=replies;\n\tMessage is reply to one we originated", "action=no action;\n\tmodule=replies;\n\tMessage is reply to one we originated" ], "X-Rspamd-Queue-Id": "8B7EA5BD61", "X-Rspamd-Action": "no action", "X-Spam-Score": "-4.00", "X-Spam-Level": "", "X-Spam-Flag": "NO", "X-Spamd-Result": "default: False [-4.00 / 50.00];\n\tREPLY(-4.00)[]", "X-Rspamd-Server": "rspamd1.dmz-prg2.suse.org" }, "content": "The tproxy, osf and exthdr (SCTP) expressions rely on the presence of\ntransport layer headers to perform socket lookups, fingerprint matching,\nor chunk extraction. For fragmented packets, while the IP protocol\nremains constant across all fragments, only the first fragment contains\nthe actual L4 header.\n\nThe expressions could be attached to a chain with a priority lower than\n-400, bypassing defragmentation. Or could be used in stateless\nenvironments where defragmentation is not happening at all. This could\nresult in garbage data being used for the matching.\n\nAdd a check for pkt->fragoff so only unfragmented packets or the first\nfragment is processed.\n\nFixes: 133dc203d77d (\"netfilter: nft_exthdr: Support SCTP chunks\")\nFixes: 4ed8eb6570a4 (\"netfilter: nf_tables: Add native tproxy support\")\nFixes: b96af92d6eaf (\"netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n---\nv2: handled fragmented packets for socket expression too,\nsquashed nftables expression commits into this one.\nv3: removed changes to nft_socket and created a generic solution for\nxt/nft\n---\n net/netfilter/nft_exthdr.c | 2 +-\n net/netfilter/nft_osf.c | 2 +-\n net/netfilter/nft_tproxy.c | 8 ++++----\n 3 files changed, 6 insertions(+), 6 deletions(-)", "diff": "diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c\nindex 0407d6f708ae..e6a07c0df207 100644\n--- a/net/netfilter/nft_exthdr.c\n+++ b/net/netfilter/nft_exthdr.c\n@@ -376,7 +376,7 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,\n \tconst struct sctp_chunkhdr *sch;\n \tstruct sctp_chunkhdr _sch;\n \n-\tif (pkt->tprot != IPPROTO_SCTP)\n+\tif (pkt->tprot != IPPROTO_SCTP || pkt->fragoff)\n \t\tgoto err;\n \n \tdo {\ndiff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c\nindex 18003433476c..966c7745c423 100644\n--- a/net/netfilter/nft_osf.c\n+++ b/net/netfilter/nft_osf.c\n@@ -28,7 +28,7 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,\n \tstruct nf_osf_data data;\n \tstruct tcphdr _tcph;\n \n-\tif (pkt->tprot != IPPROTO_TCP) {\n+\tif (pkt->tprot != IPPROTO_TCP || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\ndiff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c\nindex f2101af8c867..89be443734f6 100644\n--- a/net/netfilter/nft_tproxy.c\n+++ b/net/netfilter/nft_tproxy.c\n@@ -30,8 +30,8 @@ static void nft_tproxy_eval_v4(const struct nft_expr *expr,\n \t__be16 tport = 0;\n \tstruct sock *sk;\n \n-\tif (pkt->tprot != IPPROTO_TCP &&\n-\t pkt->tprot != IPPROTO_UDP) {\n+\tif ((pkt->tprot != IPPROTO_TCP &&\n+\t pkt->tprot != IPPROTO_UDP) || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\n@@ -97,8 +97,8 @@ static void nft_tproxy_eval_v6(const struct nft_expr *expr,\n \n \tmemset(&taddr, 0, sizeof(taddr));\n \n-\tif (pkt->tprot != IPPROTO_TCP &&\n-\t pkt->tprot != IPPROTO_UDP) {\n+\tif ((pkt->tprot != IPPROTO_TCP &&\n+\t pkt->tprot != IPPROTO_UDP) || pkt->fragoff) {\n \t\tregs->verdict.code = NFT_BREAK;\n \t\treturn;\n \t}\n", "prefixes": [ "2/3", "nf", "v3" ] }