GET /api/patches/2225648/?format=api
{ "id": 2225648, "url": "http://patchwork.ozlabs.org/api/patches/2225648/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260421104409.5452-1-fmancera@suse.de/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260421104409.5452-1-fmancera@suse.de>", "list_archive_url": null, "date": "2026-04-21T10:44:07", "name": "[1/3,nf,v3] netfilter: nf_socket: skip socket lookup for non-first fragments", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "a5aa5aa53da4ad56e8db30c5642d0fa3fc3cd54e", "submitter": { "id": 90904, "url": "http://patchwork.ozlabs.org/api/people/90904/?format=api", "name": "Fernando Fernandez Mancera", "email": "fmancera@suse.de" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260421104409.5452-1-fmancera@suse.de/mbox/", "series": [ { "id": 500779, "url": "http://patchwork.ozlabs.org/api/series/500779/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500779", "date": "2026-04-21T10:44:08", "name": "[1/3,nf,v3] netfilter: nf_socket: skip socket lookup for non-first fragments", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/500779/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2225648/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2225648/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <netfilter-devel+bounces-12104-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": 
"patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=wgjNRAle;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=ytXZh8GK;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=wgjNRAle;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=ytXZh8GK;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12104-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"wgjNRAle\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"ytXZh8GK\";\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"wgjNRAle\";\n\tdkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=\"ytXZh8GK\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=195.135.223.131", "smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=suse.de", "smtp-out2.suse.de;\n\tnone" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0Jvy0vGqz1yGt\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 20:47:26 +1000 (AEST)", "from smtp.subspace.kernel.org 
(conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id D1C7A305AD47\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 10:44:26 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 877F93BD644;\n\tTue, 21 Apr 2026 10:44:24 +0000 (UTC)", "from smtp-out2.suse.de (smtp-out2.suse.de [195.135.223.131])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 74A223BD649\n\tfor <netfilter-devel@vger.kernel.org>; Tue, 21 Apr 2026 10:44:22 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (unknown [10.150.64.97])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby smtp-out2.suse.de (Postfix) with ESMTPS id A67575BD53;\n\tTue, 21 Apr 2026 10:44:20 +0000 (UTC)", "from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 2EB1D593AF;\n\tTue, 21 Apr 2026 10:44:20 +0000 (UTC)", "from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])\n\tby imap1.dmz-prg2.suse.org with ESMTPSA\n\tid IbFJCARV52ljagAAD6G6ig\n\t(envelope-from <fmancera@suse.de>); Tue, 21 Apr 2026 10:44:20 +0000" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776768264; cv=none;\n b=RpMpzBEisZKmygI2fO72BmruIlt8Ejl2Isdo5HQ7VXrRX4HOQhqUn4eoyMzZgbQFTiFuDf6VkN9p9xf655dpCpnmkLJPEW8Pa4swqqUGSaQg/clrMCyC5gT+zwSfUxIw+vCHP1cHv3jtLB3czHOlG2Rsmd8kjM2deRwbuUMLfv8=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776768264; 
c=relaxed/simple;\n\tbh=jCGAbJcqZie1khDgn3UuLEEK7eaElN//qbAj/1davI8=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=gQatSwAUEXeuAjFTsKF9T0KUsRWT80x4M05ZWouEK6il7LSE+3AWPEl94JM0q/wQY0ylv0jQikyMMSD0vm81cVwfU1aMdxhM2bROu4KN/7Hq8XCZy9xj0na4V/bgej0YeT9WppzIWemK0EOjGQj2Jk09ejBSkfzrOzXM9mjDBCE=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=suse.de;\n spf=pass smtp.mailfrom=suse.de;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=wgjNRAle;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=ytXZh8GK;\n dkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.b=wgjNRAle;\n dkim=permerror (0-bit key) header.d=suse.de header.i=@suse.de\n header.b=ytXZh8GK; arc=none smtp.client-ip=195.135.223.131", "DKIM-Signature": [ "v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776768260;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n\tbh=svQOENRHQ8RnEbPHv1nVUZshhRbtJGNdUhcT04uheuU=;\n\tb=wgjNRAleXLmDEzxjf5PAyVe9G9EJnBbPIiwmyD44d366UAd/EliO86Y7UEHnKyb7O5X9JN\n\tQXJ/c32RGj91Z0xe08jNJT2TF1HCupqd4XjLNZdUp5tGq9FZQbKzT9cboUv2x3AVVqm2LJ\n\tw4Ol55MeI42b1TmiglVpO42wkgiTvCE=", "v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776768260;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n\tbh=svQOENRHQ8RnEbPHv1nVUZshhRbtJGNdUhcT04uheuU=;\n\tb=ytXZh8GKVBfhvx16N9WKeaBcs9yUmafN8ixBXJipy4N3PPcq3zxvL9vukJWHkDtMVtRgCR\n\tnNEoUWjbgQrz7fCA==", "v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n\tt=1776768260;\n h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n 
content-transfer-encoding:content-transfer-encoding;\n\tbh=svQOENRHQ8RnEbPHv1nVUZshhRbtJGNdUhcT04uheuU=;\n\tb=wgjNRAleXLmDEzxjf5PAyVe9G9EJnBbPIiwmyD44d366UAd/EliO86Y7UEHnKyb7O5X9JN\n\tQXJ/c32RGj91Z0xe08jNJT2TF1HCupqd4XjLNZdUp5tGq9FZQbKzT9cboUv2x3AVVqm2LJ\n\tw4Ol55MeI42b1TmiglVpO42wkgiTvCE=", "v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n\ts=susede2_ed25519; t=1776768260;\n\th=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:\n\t mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding;\n\tbh=svQOENRHQ8RnEbPHv1nVUZshhRbtJGNdUhcT04uheuU=;\n\tb=ytXZh8GKVBfhvx16N9WKeaBcs9yUmafN8ixBXJipy4N3PPcq3zxvL9vukJWHkDtMVtRgCR\n\tnNEoUWjbgQrz7fCA==" ], "From": "Fernando Fernandez Mancera <fmancera@suse.de>", "To": "netfilter-devel@vger.kernel.org", "Cc": "coreteam@netfilter.org,\n\tecklm94@gmail.com,\n\tphil@nwl.cc,\n\tfw@strlen.de,\n\tpablo@netfilter.org,\n\tFernando Fernandez Mancera <fmancera@suse.de>", "Subject": "[PATCH 1/3 nf v3] netfilter: nf_socket: skip socket lookup for\n non-first fragments", "Date": "Tue, 21 Apr 2026 12:44:07 +0200", "Message-ID": "<20260421104409.5452-1-fmancera@suse.de>", "X-Mailer": "git-send-email 2.51.0", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Spam-Score": "-2.80", "X-Spam-Level": "", "X-Spamd-Result": "default: False [-2.80 / 
50.00];\n\tBAYES_HAM(-3.00)[100.00%];\n\tNEURAL_HAM_LONG(-1.00)[-1.000];\n\tMID_CONTAINS_FROM(1.00)[];\n\tR_MISSING_CHARSET(0.50)[];\n\tNEURAL_HAM_SHORT(-0.20)[-1.000];\n\tMIME_GOOD(-0.10)[text/plain];\n\tTO_MATCH_ENVRCPT_ALL(0.00)[];\n\tRCVD_VIA_SMTP_AUTH(0.00)[];\n\tFUZZY_RATELIMITED(0.00)[rspamd.com];\n\tARC_NA(0.00)[];\n\tMIME_TRACE(0.00)[0:+];\n\tFREEMAIL_CC(0.00)[netfilter.org,gmail.com,nwl.cc,strlen.de,suse.de];\n\tDBL_BLOCKED_OPENRESOLVER(0.00)[suse.de:mid,suse.de:email,imap1.dmz-prg2.suse.org:helo];\n\tFROM_HAS_DN(0.00)[];\n\tRCPT_COUNT_SEVEN(0.00)[7];\n\tRCVD_COUNT_TWO(0.00)[2];\n\tRCVD_TLS_ALL(0.00)[];\n\tFROM_EQ_ENVFROM(0.00)[];\n\tTO_DN_SOME(0.00)[];\n\tDKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n\tFREEMAIL_ENVRCPT(0.00)[gmail.com]", "X-Spam-Flag": "NO" }, "content": "Both nft_socket and xt_socket relies on L4 headers to perform socket\nlookup in the slow path. For fragmented packets, while the IP protocol\nremains constant across all fragments, only the first fragment contains\nthe actual L4 header.\n\nAs the expression/match could be attached to a chain with a priority\nlower than -400, it could bypass defragmentation.\n\nAdd a check for fragmentation in the lookup functions directly so the\nproblem is handled for both nft_socket and xt_socket at the same time.\nIn addition, future users of the functions would not need to care about\nthis.\n\nFixes: 902d6a4c2a4f (\"netfilter: nf_defrag: Skip defrag if NOTRACK is set\")\nFixes: 554ced0a6e29 (\"netfilter: nf_tables: add support for native socket matching\")\nSigned-off-by: Fernando Fernandez Mancera <fmancera@suse.de>\n---\nv3: added this patch to the series, I splitted this as the fix is\ngeneric for both nft_socket and xt_socket\n---\n net/ipv4/netfilter/nf_socket_ipv4.c | 3 +++\n net/ipv6/netfilter/nf_socket_ipv6.c | 5 +++--\n 2 files changed, 6 insertions(+), 2 deletions(-)", "diff": "diff --git a/net/ipv4/netfilter/nf_socket_ipv4.c 
b/net/ipv4/netfilter/nf_socket_ipv4.c\nindex 5080fa5fbf6a..f9c6755f5ec5 100644\n--- a/net/ipv4/netfilter/nf_socket_ipv4.c\n+++ b/net/ipv4/netfilter/nf_socket_ipv4.c\n@@ -94,6 +94,9 @@ struct sock *nf_sk_lookup_slow_v4(struct net *net, const struct sk_buff *skb,\n #endif\n \tint doff = 0;\n \n+\tif (ntohs(iph->frag_off) & IP_OFFSET)\n+\t\treturn NULL;\n+\n \tif (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_TCP) {\n \t\tstruct tcphdr _hdr;\n \t\tstruct udphdr *hp;\ndiff --git a/net/ipv6/netfilter/nf_socket_ipv6.c b/net/ipv6/netfilter/nf_socket_ipv6.c\nindex ced8bd44828e..893f2aeb4711 100644\n--- a/net/ipv6/netfilter/nf_socket_ipv6.c\n+++ b/net/ipv6/netfilter/nf_socket_ipv6.c\n@@ -100,6 +100,7 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,\n \tconst struct in6_addr *daddr = NULL, *saddr = NULL;\n \tstruct ipv6hdr *iph = ipv6_hdr(skb), ipv6_var;\n \tstruct sk_buff *data_skb = NULL;\n+\tunsigned short fragoff = 0;\n \tint doff = 0;\n \tint thoff = 0, tproto;\n #if IS_ENABLED(CONFIG_NF_CONNTRACK)\n@@ -107,8 +108,8 @@ struct sock *nf_sk_lookup_slow_v6(struct net *net, const struct sk_buff *skb,\n \tstruct nf_conn const *ct;\n #endif\n \n-\ttproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);\n-\tif (tproto < 0) {\n+\ttproto = ipv6_find_hdr(skb, &thoff, -1, &fragoff, NULL);\n+\tif (tproto < 0 || fragoff) {\n \t\tpr_debug(\"unable to find transport header in IPv6 packet, dropping\\n\");\n \t\treturn NULL;\n \t}\n", "prefixes": [ "1/3", "nf", "v3" ] }
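Review bot: The new fragment test in nf_sk_lookup_slow_v4 carries no comment explaining why only a non-zero offset is rejected while the MF bit is ignored, so a later cleanup could swap it for ip_is_fragment() and silently stop socket matching on first fragments. I would add `/* Only the first fragment carries the L4 header; later fragments cannot be matched to a socket. */` above it and write the test in the usual kernel form `if (iph->frag_off & htons(IP_OFFSET))`, which byte-swaps the constant rather than the packet field. A first fragment still reaches the TCP/UDP parsing below, so that code has to keep rejecting a first fragment too short to hold the full L4 header; presumably the existing header-pointer check does this, but it lies outside the hunk and is worth confirming. The function body starts and ends outside the hunk.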
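Review bot: In nf_sk_lookup_slow_v6 the widened condition `tproto < 0 || fragoff` reuses the pr_debug text "unable to find transport header in IPv6 packet, dropping", which is misleading for a non-first fragment: the extension-header walk succeeded and nothing is dropped here, the function only returns NULL. Keeping the original `if (tproto < 0)` branch and adding a separate `if (fragoff) return NULL;` after it, with a one-line comment that only the first fragment carries the L4 header, would keep the debug output accurate. The check appears to rely on ipv6_find_hdr() writing `fragoff` only when the fragment offset is non-zero, so first fragments are still looked up; a short comment stating that assumption would help the next reader. The function continues outside the hunk.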