From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: pve-devel@lists.proxmox.com, Gabriel Goller <g.goller@proxmox.com>
Subject: [pve-devel] applied: [PATCH kernel 0/5] backport nftables atomicity fix
Date: Fri, 26 Sep 2025 10:08:59 +0200
Message-ID: <175887413661.3426394.13405794635246501139.b4-ty@proxmox.com>
In-Reply-To: <20250911100555.63174-1-g.goller@proxmox.com>
On Thu, 11 Sep 2025 12:05:41 +0200, Gabriel Goller wrote:
> Stefan Hanreich discovered this nftables bug which breaks the atomicity when
> updating certain sets. This means that when updating a set, packets sometimes
> slip through even though the existing and the incoming rules deny the packet.
> A full reproducer is available here: [0].
> More information in following commit messages.
>
> The upstream series has not been applied yet, but is available here:
> https://lore.kernel.org/netfilter-devel/20250910080227.11174-1-fw@strlen.de/
>
> [...]
Applied, thanks! As of now you can condense these backports that are patches of
a single patch series also into a single patch for submission, as it effectively
is one semantic change to our kernel repo.
[1/5] kernel: backport: netfilter: nft_set_pipapo: don't check genbit from packetpath lookups
commit: 92933a19ce966faab12cdf8898ec360dcee2c378
[2/5] kernel: backport: netfilter: nft_set_rbtree: continue traversal if element is inactive
commit: 7f29adff3aee976485b0ae01426e6347f44f304b
[3/5] kernel: backport: netfilter: nf_tables: place base_seq in struct net
commit: 40dd293b362702e92fb8768bbe19df0faf602df2
[4/5] kernel: backport: netfilter: nf_tables: make nft_set_do_lookup available unconditionally
commit: 88da89ad66863668b2aaa2ba8464a7e2f0a5f1c6
[5/5] kernel: backport: netfilter: nf_tables: restart set lookup on base_seq change
commit: 8167fffb36aad7bf4d8d54f618ea6b78e066f28c