{"id":2223495,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2223495/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260415113334.61008-1-pablo@netfilter.org/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.2/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260415113334.61008-1-pablo@netfilter.org>","list_archive_url":null,"date":"2026-04-15T11:33:34","name":"[nf,v2] netfilter: xtables: restrict several matches to inet family","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"a053fc3f57e1b51ee425fb1b2eacbc9e40ec6fa8","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/1.2/people/1315/?format=json","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260415113334.61008-1-pablo@netfilter.org/mbox/","series":[{"id":499979,"url":"http://patchwork.ozlabs.org/api/1.2/series/499979/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=499979","date":"2026-04-15T11:33:34","name":"[nf,v2] netfilter: xtables: restrict several matches to inet family","version":2,"mbox":"http://patchwork.ozlabs.org/series/499979/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2223495/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2223495/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=o40bIsQ+;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11918-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"o40bIsQ+\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fwfD94k6gz1yDF\n\tfor ; Wed, 15 Apr 2026 21:33:45 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 88DC93004680\n\tfor ; Wed, 15 Apr 2026 11:33:44 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 546EF33F5B5;\n\tWed, 15 Apr 2026 11:33:42 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 9815941754\n\tfor ; Wed, 15 Apr 2026 11:33:40 +0000 (UTC)","from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id A774F60177;\n\tWed, 15 Apr 2026 13:33:38 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776252821; cv=none;\n b=J2qAaWUXKSXasKMqgofH9pICzb2qkOhC11U/RZhRwMIQPNS1uqfNYVg8YbCAQ7rGIkq3rrL6w1i13iaj8MaP+VGH1OWjWOcnHukNgA0prylecgfrk7DJ0oYYwdXNT8fC/nY4v4vt6LpBTFIBjwcuybA7j6VMu98ABzMlaYDn1yw=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776252821; c=relaxed/simple;\n\tbh=e5lJJ3xnq2IJpBzX4iydzsN7BDyd0mROKII71td/eNs=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=e8ZZjFwJvPapLOa5Q7y6Y79fVwW5Gb11ki6QgNULCNl1P3x+Dbjzcw4t4ajg0zwA959m4452M/z6Dfsh3pL1lEii/x7eB9gW2IKe+ws6ycwuOT4s+0ctmqdnHU4xzVrjxf3DfWUTkJIO4DOwwNBXGrBgZOX/FkUqjwN+0eorgYs=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=o40bIsQ+; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776252818;\n\tbh=Y474SDLJ/SvbbAxbS1yo/rxjBFAr9n232haTsg3LIRs=;\n\th=From:To:Cc:Subject:Date:From;\n\tb=o40bIsQ+5x30/2+0a5ebF3cBWE67XBoUN/jG826JteBclxdzAqRnDV7dsyb/5YdON\n\t ESOKIv4IQ6B5ClUM6hXI5LskgHoDblRIjjguLyj/DIGCENQEIQ59GC5Q6RmQq31vd3\n\t sM0W0OkpmpzlALVIzfI+0vbiAvH+AlSpT8VovMUd6255mKDKplFaMZAc0YYMP6Er32\n\t 56qqsRSJ6pozU7V7V7PkXmwvnHg4AsOurQQij8pDJoVpQj2aGi1eKsYFV/aKT9Voa7\n\t EzPdOlvF6aqav88PcZ+iE0N0en5FbDtbNDUBTYzVhW/A6kG98R3+TfgOnElDeljWSb\n\t HLHJ/C3g/y7OQ==","From":"Pablo Neira Ayuso ","To":"netfilter-devel@vger.kernel.org","Cc":"fw@strlen.de","Subject":"[PATCH nf,v2] netfilter: xtables: restrict several matches to inet\n family","Date":"Wed, 15 Apr 2026 13:33:34 +0200","Message-ID":"<20260415113334.61008-1-pablo@netfilter.org>","X-Mailer":"git-send-email 2.47.3","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"This is a partial revert of:\n\n ab4f21e6fb1c (\"netfilter: xtables: use NFPROTO_UNSPEC in more extensions\")\n\nto allow ipv4 and ipv6 only.\n\n- xt_mac\n- xt_owner\n- xt_physdev\n\nThese extensions are not used by ebtables in userspace.\n\nMoreover, xt_realm is only for ipv4, since dst->tclassid is ipv4\nspecific.\n\nFixes: ab4f21e6fb1c (\"netfilter: xtables: use NFPROTO_UNSPEC in more extensions\")\nReported-by: \"Kito Xu (veritas501)\" \nSigned-off-by: Pablo Neira Ayuso \n---\nv2: just restrict xt_realm to ipv4 per Florian.\n\n net/netfilter/xt_mac.c | 34 +++++++++++++++++++++++-----------\n net/netfilter/xt_owner.c | 37 +++++++++++++++++++++++++------------\n net/netfilter/xt_physdev.c | 29 +++++++++++++++++++----------\n net/netfilter/xt_realm.c | 2 +-\n 4 files changed, 68 insertions(+), 34 deletions(-)","diff":"diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c\nindex 81649da57ba5..bd2354760895 100644\n--- a/net/netfilter/xt_mac.c\n+++ b/net/netfilter/xt_mac.c\n@@ -38,25 +38,37 @@ static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par)\n \treturn ret;\n }\n \n-static struct xt_match mac_mt_reg __read_mostly = {\n-\t.name = \"mac\",\n-\t.revision = 0,\n-\t.family = NFPROTO_UNSPEC,\n-\t.match = mac_mt,\n-\t.matchsize = sizeof(struct xt_mac_info),\n-\t.hooks = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) |\n-\t (1 << NF_INET_FORWARD),\n-\t.me = THIS_MODULE,\n+static struct xt_match mac_mt_reg[] __read_mostly = {\n+\t{\n+\t\t.name\t\t= \"mac\",\n+\t\t.family\t\t= NFPROTO_IPV4,\n+\t\t.match\t\t= mac_mt,\n+\t\t.matchsize\t= sizeof(struct xt_mac_info),\n+\t\t.hooks\t\t= (1 << NF_INET_PRE_ROUTING) |\n+\t\t\t\t (1 << NF_INET_LOCAL_IN) |\n+\t\t\t\t (1 << NF_INET_FORWARD),\n+\t\t.me\t\t= THIS_MODULE,\n+\t},\n+\t{\n+\t\t.name\t\t= \"mac\",\n+\t\t.family\t\t= NFPROTO_IPV6,\n+\t\t.match\t\t= mac_mt,\n+\t\t.matchsize\t= sizeof(struct xt_mac_info),\n+\t\t.hooks\t\t= (1 << NF_INET_PRE_ROUTING) |\n+\t\t\t\t (1 << NF_INET_LOCAL_IN) |\n+\t\t\t\t (1 << NF_INET_FORWARD),\n+\t\t.me\t\t= THIS_MODULE,\n+\t},\n };\n \n static int __init mac_mt_init(void)\n {\n-\treturn xt_register_match(&mac_mt_reg);\n+\treturn xt_register_matches(mac_mt_reg, ARRAY_SIZE(mac_mt_reg));\n }\n \n static void __exit mac_mt_exit(void)\n {\n-\txt_unregister_match(&mac_mt_reg);\n+\txt_unregister_matches(mac_mt_reg, ARRAY_SIZE(mac_mt_reg));\n }\n \n module_init(mac_mt_init);\ndiff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c\nindex 50332888c8d2..4786ea157269 100644\n--- a/net/netfilter/xt_owner.c\n+++ b/net/netfilter/xt_owner.c\n@@ -127,26 +127,39 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par)\n \treturn true;\n }\n \n-static struct xt_match owner_mt_reg __read_mostly = {\n-\t.name = \"owner\",\n-\t.revision = 1,\n-\t.family = NFPROTO_UNSPEC,\n-\t.checkentry = owner_check,\n-\t.match = owner_mt,\n-\t.matchsize = sizeof(struct xt_owner_match_info),\n-\t.hooks = (1 << NF_INET_LOCAL_OUT) |\n-\t (1 << NF_INET_POST_ROUTING),\n-\t.me = THIS_MODULE,\n+static struct xt_match owner_mt_reg[] __read_mostly = {\n+\t{\n+\t\t.name = \"owner\",\n+\t\t.revision = 1,\n+\t\t.family = NFPROTO_IPV4,\n+\t\t.checkentry = owner_check,\n+\t\t.match = owner_mt,\n+\t\t.matchsize = sizeof(struct xt_owner_match_info),\n+\t\t.hooks = (1 << NF_INET_LOCAL_OUT) |\n+\t\t (1 << NF_INET_POST_ROUTING),\n+\t\t.me = THIS_MODULE,\n+\t},\n+\t{\n+\t\t.name = \"owner\",\n+\t\t.revision = 1,\n+\t\t.family = NFPROTO_IPV6,\n+\t\t.checkentry = owner_check,\n+\t\t.match = owner_mt,\n+\t\t.matchsize = sizeof(struct xt_owner_match_info),\n+\t\t.hooks = (1 << NF_INET_LOCAL_OUT) |\n+\t\t (1 << NF_INET_POST_ROUTING),\n+\t\t.me = THIS_MODULE,\n+\t}\n };\n \n static int __init owner_mt_init(void)\n {\n-\treturn xt_register_match(&owner_mt_reg);\n+\treturn xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));\n }\n \n static void __exit owner_mt_exit(void)\n {\n-\txt_unregister_match(&owner_mt_reg);\n+\txt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));\n }\n \n module_init(owner_mt_init);\ndiff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c\nindex 343e65f377d4..130842c35c6f 100644\n--- a/net/netfilter/xt_physdev.c\n+++ b/net/netfilter/xt_physdev.c\n@@ -115,24 +115,33 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)\n \treturn 0;\n }\n \n-static struct xt_match physdev_mt_reg __read_mostly = {\n-\t.name = \"physdev\",\n-\t.revision = 0,\n-\t.family = NFPROTO_UNSPEC,\n-\t.checkentry = physdev_mt_check,\n-\t.match = physdev_mt,\n-\t.matchsize = sizeof(struct xt_physdev_info),\n-\t.me = THIS_MODULE,\n+static struct xt_match physdev_mt_reg[] __read_mostly = {\n+\t{\n+\t\t.name\t\t= \"physdev\",\n+\t\t.family\t\t= NFPROTO_IPV4,\n+\t\t.checkentry\t= physdev_mt_check,\n+\t\t.match\t\t= physdev_mt,\n+\t\t.matchsize\t= sizeof(struct xt_physdev_info),\n+\t\t.me\t\t= THIS_MODULE,\n+\t},\n+\t{\n+\t\t.name\t\t= \"physdev\",\n+\t\t.family\t\t= NFPROTO_IPV6,\n+\t\t.checkentry\t= physdev_mt_check,\n+\t\t.match\t\t= physdev_mt,\n+\t\t.matchsize\t= sizeof(struct xt_physdev_info),\n+\t\t.me\t\t= THIS_MODULE,\n+\t},\n };\n \n static int __init physdev_mt_init(void)\n {\n-\treturn xt_register_match(&physdev_mt_reg);\n+\treturn xt_register_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));\n }\n \n static void __exit physdev_mt_exit(void)\n {\n-\txt_unregister_match(&physdev_mt_reg);\n+\txt_unregister_matches(physdev_mt_reg, ARRAY_SIZE(physdev_mt_reg));\n }\n \n module_init(physdev_mt_init);\ndiff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c\nindex 6df485f4403d..61b2f1e58d15 100644\n--- a/net/netfilter/xt_realm.c\n+++ b/net/netfilter/xt_realm.c\n@@ -33,7 +33,7 @@ static struct xt_match realm_mt_reg __read_mostly = {\n \t.matchsize\t= sizeof(struct xt_realm_info),\n \t.hooks\t\t= (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_FORWARD) |\n \t\t\t (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_LOCAL_IN),\n-\t.family\t\t= NFPROTO_UNSPEC,\n+\t.family\t\t= NFPROTO_IPV4,\n \t.me\t\t= THIS_MODULE\n };\n \n","prefixes":["nf","v2"]}