{"id":2231769,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2231769/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260501122237.296262-3-pablo@netfilter.org/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260501122237.296262-3-pablo@netfilter.org>","date":"2026-05-01T12:22:25","name":"[net,02/14] netfilter: nft_fwd_netdev: add device and headroom validate with neigh forwarding","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"15662778f5ea90d1a1a464f62c4d0a6f9adc8b3a","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/1.1/people/1315/?format=json","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260501122237.296262-3-pablo@netfilter.org/mbox/","series":[{"id":502449,"url":"http://patchwork.ozlabs.org/api/1.1/series/502449/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=502449","date":"2026-05-01T12:22:23","name":"[net,01/14] netfilter: replace skb_try_make_writable() by skb_ensure_writable()","version":1,"mbox":"http://patchwork.ozlabs.org/series/502449/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231769/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231769/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-12373-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n 
header.a=rsa-sha256 header.s=2025 header.b=dEmt2CjU;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12373-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"dEmt2CjU\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g6VYb5sgPz1yJv\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 01 May 2026 22:22:59 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 63EC5300BE84\n\tfor <incoming@patchwork.ozlabs.org>; Fri,  1 May 2026 12:22:50 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 924853A16BE;\n\tFri,  1 May 2026 12:22:48 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 8D8FB18DB01;\n\tFri,  1 May 2026 12:22:46 +0000 (UTC)","from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id 6C9BD6024E;\n\tFri,  1 May 2026 14:22:44 +0200 (CEST)"],"ARC-Seal":"i=1; 
a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777638168; cv=none;\n b=suDiSR7avSZ/RenFmg6iGIqEdzqR5hsqoN5f0DJ/CUKOKk/1u4dFZMC3DS1wVtzp76RZOSgNgZRGgNY2Y+YWlTv+CG84Dk3a+UoFXT/qoOnhMQaVRuTuLmQs0ra370GvUIeVFflLmC6Jca0DGoeTVWSiovP60ozW6qRaXoiXHXw=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777638168; c=relaxed/simple;\n\tbh=zoAbIRrdAKFpOVTrxKdkyEu/qfxQtjayieagMLT+Nh8=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=C72T8mLYK/85PmL6rvnzL9sdIkVexl1FMMaZrtbxp4bXWOYeVRsOBJVmEEOmDXmwcCybUySEmTWKPIkjLCYGB5TpF4wxElMepBQsVmuTj3CGCB749o/EooQgxhGT8EOBKP+j7v/1qs+egA07ekrFHs6SntC0aI7mDUJ93o9DzUs=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=dEmt2CjU; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1777638164;\n\tbh=EQCBMVFfc2pT8teCqSidZbSDdheBUZC2P5L7/mhKd7I=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=dEmt2CjUZbsTC4qjYb7dd/G/zdHh1OwrxFGFkjnuXF9DnWFK9Bqrf7fqaNB4v/Eh8\n\t 9Q+pb/GqAaupQeLUvjNH7O0Mac19ndpbbMejzSs9emamHTwL/aUuSoSJC6PP7gMXc4\n\t bM3nDhbY/r9dJWaOnMd9MEKQJvsU77IArhaRt9uHFN1wohxrxcAxwCf/v4iCjB2ZxY\n\t /Gq9ELT6jlVOOUtVOd8NoNgpMf3CdCkHQ2qN/NKSyaxsOfkS5/9Byhc+H513UZRS/w\n\t 3P6ycorRxbad+SZUzJylnLzaPUcrRvwSJqb9GObIlHAzX1noW2njvf3kJvJi8YS+mF\n\t pr83zoWYIm0bA==","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"netfilter-devel@vger.kernel.org","Cc":"davem@davemloft.net,\n\tnetdev@vger.kernel.org,\n\tkuba@kernel.org,\n\tpabeni@redhat.com,\n\tedumazet@google.com,\n\tfw@strlen.de,\n\thorms@kernel.org","Subject":"[PATCH net 02/14] netfilter: nft_fwd_netdev: add device and headroom\n validate with neigh forwarding","Date":"Fri,  1 May 2026 14:22:25 
+0200","Message-ID":"<20260501122237.296262-3-pablo@netfilter.org>","X-Mailer":"git-send-email 2.47.3","In-Reply-To":"<20260501122237.296262-1-pablo@netfilter.org>","References":"<20260501122237.296262-1-pablo@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"The ttl field has been decremented already and evaluation of this rule\nwould proceed, just drop this packet instead if there is no destination\ndevice to forwards this packet. This is exactly what nf_dup already does\nin this case.\n\nMoreover, check for headroom and call skb_expand_head() like in the IP\noutput path to ensure there is sufficient headroom when forwarding this\nvia neigh_xmit().\n\nFixes: d32de98ea70f (\"netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer\")\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n net/netfilter/nft_fwd_netdev.c | 16 ++++++++++++++--\n 1 file changed, 14 insertions(+), 2 deletions(-)","diff":"diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c\nindex 2cc809303ce8..605b1d42abce 100644\n--- a/net/netfilter/nft_fwd_netdev.c\n+++ b/net/netfilter/nft_fwd_netdev.c\n@@ -102,6 +102,7 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,\n \tstruct sk_buff *skb = pkt->skb;\n \tint nhoff = skb_network_offset(skb);\n \tstruct net_device *dev;\n+\tunsigned int hh_len;\n \tint neigh_table;\n \n \tswitch (priv->nfproto) {\n@@ -153,8 +154,19 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,\n \t}\n \n \tdev = dev_get_by_index_rcu(nft_net(pkt), oif);\n-\tif (dev == NULL)\n-\t\treturn;\n+\tif (dev == NULL) {\n+\t\tverdict = NF_DROP;\n+\t\tgoto out;\n+\t}\n+\n+\thh_len = LL_RESERVED_SPACE(dev);\n+\tif 
(unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) {\n+\t\tskb = skb_expand_head(skb, hh_len);\n+\t\tif (!skb) {\n+\t\t\tverdict = NF_STOLEN;\n+\t\t\tgoto out;\n+\t\t}\n+\t}\n \n \tskb->dev = dev;\n \tskb_clear_tstamp(skb);\n","prefixes":["net","02/14"]}
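Review bot: In the second hunk (nft_fwd_neigh_eval(), after dev_get_by_index_rcu()), the "if (!skb)" branch following skb_expand_head() sets "verdict = NF_STOLEN" with no comment saying why it differs from the NF_DROP used a few lines earlier for "dev == NULL". skb_expand_head() frees the skb itself when it fails, so NF_STOLEN is the right verdict, but a one-line comment to that effect would stop a later cleanup from changing it to NF_DROP and introducing a double free. Separately, the local "skb" is reassigned from the return value of skb_expand_head() while pkt->skb, which it was initialised from in the first hunk's context, is left untouched. Since the helper can return a different skb than the one passed in, please confirm that nothing on the path after this block or after the "out:" label reads pkt->skb again, or state in the commit message that the packet is always consumed on this path.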