[pve-devel] applied: [PATCH kernel 0/5] backport nftables atomicity fix
Thomas Lamprecht
t.lamprecht at proxmox.com
Fri Sep 26 10:08:59 CEST 2025
On Thu, 11 Sep 2025 12:05:41 +0200, Gabriel Goller wrote:
> Stefan Hanreich discovered this nftables bug which breaks the atomicity when
> updating certain sets. This means that when updating a set, packets sometimes
> slip through even though the existing and the incoming rules deny the packet.
> A full reproducer is available here: [0].
> More information in following commit messages.
>
> The upstream series has not been applied yet, but is available here:
> https://lore.kernel.org/netfilter-devel/20250910080227.11174-1-fw@strlen.de/
>
> [...]
Applied, thanks! As of now you can condense these backports that are patches of
a single patch series also into a single patch for submission as it effectively
is one semantic change to our kernel repo.
[1/5] kernel: backport: netfilter: nft_set_pipapo: don't check genbit from packetpath lookups
commit: 92933a19ce966faab12cdf8898ec360dcee2c378
[2/5] kernel: backport: netfilter: nft_set_rbtree: continue traversal if element is inactive
commit: 7f29adff3aee976485b0ae01426e6347f44f304b
[3/5] kernel: backport: netfilter: nf_tables: place base_seq in struct net
commit: 40dd293b362702e92fb8768bbe19df0faf602df2
[4/5] kernel: backport: netfilter: nf_tables: make nft_set_do_lookup available unconditionally
commit: 88da89ad66863668b2aaa2ba8464a7e2f0a5f1c6
[5/5] kernel: backport: netfilter: nf_tables: restart set lookup on base_seq change
commit: 8167fffb36aad7bf4d8d54f618ea6b78e066f28c