{"id":2215865,"url":"http://patchwork.ozlabs.org/api/patches/2215865/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260325131108.23045-15-fw@strlen.de/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260325131108.23045-15-fw@strlen.de>","list_archive_url":null,"date":"2026-03-25T13:11:08","name":"[net,14/14] netfilter: ctnetlink: use netlink policy range checks","commit_ref":null,"pull_url":null,"state":"handled-elsewhere","archived":true,"hash":"74a033393d88f712d119333ba0334a079f6ba532","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/?format=json","name":"Florian Westphal","email":"fw@strlen.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260325131108.23045-15-fw@strlen.de/mbox/","series":[{"id":497441,"url":"http://patchwork.ozlabs.org/api/series/497441/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=497441","date":"2026-03-25T13:10:55","name":"[net,01/14] netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry","version":1,"mbox":"http://patchwork.ozlabs.org/series/497441/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2215865/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2215865/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <netfilter-devel+bounces-11408-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11408-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgnxK2QdXz1xy1\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 26 Mar 2026 00:36:21 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 788E8317C4E6\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 25 Mar 2026 13:14:34 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id BF9AD3DD538;\n\tWed, 25 Mar 2026 13:12:45 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 2F17A3DD52D;\n\tWed, 25 Mar 2026 13:12:44 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 7042460CA9; Wed, 25 Mar 2026 14:12:34 +0100 (CET)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774444365; cv=none;\n b=AVeCcscLKCQGBwrk/a/+5MQIdJn3nqEc4lfWRtNhj8CmHEqFkdYf5xW0dprI+suHXsFr0W3nDhoTJmM6cUMmTsP9s5Q4zkymATttJdiYhvkrmXJSi3jolwcPfLhjuOzVU1YkqXl5uTe5sPo5CRvrZK+WHVMzuRmUmjskvegJmtU=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774444365; c=relaxed/simple;\n\tbh=7/wgadVitLUg3Lz74GQhOpohsncTiCNmt1zIiAtL8PM=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=kTNKqVlGFD+eJijiEOccTF+w0JK/GpmjHouPzzpGlQLTNu1EvMn9vjzjRwZMbep1gjZhvmaXF4jw12z05cQ44TJUOD2uqnuWZeC2SnCCJ1DJbbmKtTwbN+Vujt8PjJZb6oBBbdQFc6uZYdSuTTlgVAu2KsnYKN428qgkiVrFwPs=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc;\n arc=none smtp.client-ip=91.216.245.30","From":"Florian Westphal <fw@strlen.de>","To":"<netdev@vger.kernel.org>","Cc":"Paolo Abeni <pabeni@redhat.com>,\n\t\"David S. Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>,\n\t<netfilter-devel@vger.kernel.org>,\n\tpablo@netfilter.org","Subject":"[PATCH net 14/14] netfilter: ctnetlink: use netlink policy range\n checks","Date":"Wed, 25 Mar 2026 14:11:08 +0100","Message-ID":"<20260325131108.23045-15-fw@strlen.de>","X-Mailer":"git-send-email 2.52.0","In-Reply-To":"<20260325131108.23045-1-fw@strlen.de>","References":"<20260325131108.23045-1-fw@strlen.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"From: David Carlier <devnexen@gmail.com>\n\nReplace manual range and mask validations with netlink policy\nannotations in ctnetlink code paths, so that the netlink core rejects\ninvalid values early and can generate extack errors.\n\n- CTA_PROTOINFO_TCP_STATE: reject values > TCP_CONNTRACK_SYN_SENT2 at\n  policy level, removing the manual >= TCP_CONNTRACK_MAX check.\n- CTA_PROTOINFO_TCP_WSCALE_ORIGINAL/REPLY: reject values > TCP_MAX_WSCALE\n  (14). The normal TCP option parsing path already clamps to this value,\n  but the ctnetlink path accepted 0-255, causing undefined behavior when\n  used as a u32 shift count.\n- CTA_FILTER_ORIG_FLAGS/REPLY_FLAGS: use NLA_POLICY_MASK with\n  CTA_FILTER_F_ALL, removing the manual mask checks.\n- CTA_EXPECT_FLAGS: use NLA_POLICY_MASK with NF_CT_EXPECT_MASK, adding\n  a new mask define grouping all valid expect flags.\n\nExtracted from a broader nf-next patch by Florian Westphal, scoped to\nctnetlink for the fixes tree.\n\nFixes: c8e2078cfe41 (\"[NETFILTER]: ctnetlink: add support for internal tcp connection tracking flags handling\")\nSigned-off-by: David Carlier <devnexen@gmail.com>\nCo-developed-by: Florian Westphal <fw@strlen.de>\nSigned-off-by: Florian Westphal <fw@strlen.de>\n---\n .../uapi/linux/netfilter/nf_conntrack_common.h   |  4 ++++\n net/netfilter/nf_conntrack_netlink.c             | 16 +++++-----------\n net/netfilter/nf_conntrack_proto_tcp.c           | 10 +++-------\n 3 files changed, 12 insertions(+), 18 deletions(-)","diff":"diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h\nindex 26071021e986..56b6b60a814f 100644\n--- a/include/uapi/linux/netfilter/nf_conntrack_common.h\n+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h\n@@ -159,5 +159,9 @@ enum ip_conntrack_expect_events {\n #define NF_CT_EXPECT_INACTIVE\t\t0x2\n #define NF_CT_EXPECT_USERSPACE\t\t0x4\n \n+#ifdef __KERNEL__\n+#define NF_CT_EXPECT_MASK\t(NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE | \\\n+\t\t\t\t NF_CT_EXPECT_USERSPACE)\n+#endif\n \n #endif /* _UAPI_NF_CONNTRACK_COMMON_H */\ndiff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c\nindex 2ec33c0518e9..e99f15cdcc5a 100644\n--- a/net/netfilter/nf_conntrack_netlink.c\n+++ b/net/netfilter/nf_conntrack_netlink.c\n@@ -910,8 +910,8 @@ struct ctnetlink_filter {\n };\n \n static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = {\n-\t[CTA_FILTER_ORIG_FLAGS]\t\t= { .type = NLA_U32 },\n-\t[CTA_FILTER_REPLY_FLAGS]\t= { .type = NLA_U32 },\n+\t[CTA_FILTER_ORIG_FLAGS]\t\t= NLA_POLICY_MASK(NLA_U32, CTA_FILTER_F_ALL),\n+\t[CTA_FILTER_REPLY_FLAGS]\t= NLA_POLICY_MASK(NLA_U32, CTA_FILTER_F_ALL),\n };\n \n static int ctnetlink_parse_filter(const struct nlattr *attr,\n@@ -925,17 +925,11 @@ static int ctnetlink_parse_filter(const struct nlattr *attr,\n \tif (ret)\n \t\treturn ret;\n \n-\tif (tb[CTA_FILTER_ORIG_FLAGS]) {\n+\tif (tb[CTA_FILTER_ORIG_FLAGS])\n \t\tfilter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]);\n-\t\tif (filter->orig_flags & ~CTA_FILTER_F_ALL)\n-\t\t\treturn -EOPNOTSUPP;\n-\t}\n \n-\tif (tb[CTA_FILTER_REPLY_FLAGS]) {\n+\tif (tb[CTA_FILTER_REPLY_FLAGS])\n \t\tfilter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]);\n-\t\tif (filter->reply_flags & ~CTA_FILTER_F_ALL)\n-\t\t\treturn -EOPNOTSUPP;\n-\t}\n \n \treturn 0;\n }\n@@ -2634,7 +2628,7 @@ static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {\n \t[CTA_EXPECT_HELP_NAME]\t= { .type = NLA_NUL_STRING,\n \t\t\t\t    .len = NF_CT_HELPER_NAME_LEN - 1 },\n \t[CTA_EXPECT_ZONE]\t= { .type = NLA_U16 },\n-\t[CTA_EXPECT_FLAGS]\t= { .type = NLA_U32 },\n+\t[CTA_EXPECT_FLAGS]\t= NLA_POLICY_MASK(NLA_BE32, NF_CT_EXPECT_MASK),\n \t[CTA_EXPECT_CLASS]\t= { .type = NLA_U32 },\n \t[CTA_EXPECT_NAT]\t= { .type = NLA_NESTED },\n \t[CTA_EXPECT_FN]\t\t= { .type = NLA_NUL_STRING },\ndiff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c\nindex 0c1d086e96cb..b67426c2189b 100644\n--- a/net/netfilter/nf_conntrack_proto_tcp.c\n+++ b/net/netfilter/nf_conntrack_proto_tcp.c\n@@ -1385,9 +1385,9 @@ static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,\n }\n \n static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {\n-\t[CTA_PROTOINFO_TCP_STATE]\t    = { .type = NLA_U8 },\n-\t[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 },\n-\t[CTA_PROTOINFO_TCP_WSCALE_REPLY]    = { .type = NLA_U8 },\n+\t[CTA_PROTOINFO_TCP_STATE]\t    = NLA_POLICY_MAX(NLA_U8, TCP_CONNTRACK_SYN_SENT2),\n+\t[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = NLA_POLICY_MAX(NLA_U8, TCP_MAX_WSCALE),\n+\t[CTA_PROTOINFO_TCP_WSCALE_REPLY]    = NLA_POLICY_MAX(NLA_U8, TCP_MAX_WSCALE),\n \t[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]  = { .len = sizeof(struct nf_ct_tcp_flags) },\n \t[CTA_PROTOINFO_TCP_FLAGS_REPLY]\t    = { .len = sizeof(struct nf_ct_tcp_flags) },\n };\n@@ -1414,10 +1414,6 @@ static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)\n \tif (err < 0)\n \t\treturn err;\n \n-\tif (tb[CTA_PROTOINFO_TCP_STATE] &&\n-\t    nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)\n-\t\treturn -EINVAL;\n-\n \tspin_lock_bh(&ct->lock);\n \tif (tb[CTA_PROTOINFO_TCP_STATE])\n \t\tct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);\n","prefixes":["net","14/14"]}