Merge tag 'nf-next-25-10-30' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

	/* called by gc worker if table is full */

	bool (*can_early_drop)(const struct nf_conn *ct);

	/* convert protoinfo to nfnetink attributes */

	/* convert protoinfo to nfnetlink attributes */

	int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla,

			 struct nf_conn *ct, bool destroy);

	/* We don't want any race condition at early drop stage */

	ct_count = atomic_inc_return(&cnet->count);

	if (nf_conntrack_max && unlikely(ct_count > nf_conntrack_max)) {

	if (unlikely(ct_count > nf_conntrack_max)) {

		if (!early_drop(net, hash)) {

			if (!conntrack_gc_work.early_drop)

				conntrack_gc_work.early_drop = true;

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec_minmax,

		.extra1		= SYSCTL_ZERO,

		.extra1		= SYSCTL_ONE,

		.extra2		= SYSCTL_INT_MAX,

	},

	[NF_SYSCTL_CT_COUNT] = {

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec_minmax,

		.extra1		= SYSCTL_ZERO,

		.extra1		= SYSCTL_ONE,

		.extra2		= SYSCTL_INT_MAX,

	},

};

		       struct nft_set_binding *binding)

{

	struct nft_set_binding *i;

	struct nft_set_iter iter;

	struct nft_set_iter iter = {

		.genmask	= nft_genmask_next(ctx->net),

		.type		= NFT_ITER_UPDATE,

		.fn		= nf_tables_bind_check_setelem,

	};

	if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))

		return -EBUSY;

				goto bind;

		}

		iter.genmask	= nft_genmask_next(ctx->net);

		iter.type	= NFT_ITER_UPDATE;

		iter.skip 	= 0;

		iter.count	= 0;

		iter.err	= 0;

		iter.fn		= nf_tables_bind_check_setelem;

		set->ops->walk(ctx, set, &iter);

		if (!iter.err)

			iter.err = nft_set_catchall_bind_check(ctx, set);

	struct nftables_pernet *nft_net;

	struct nft_table *table;

	struct nft_set *set;

	struct nft_set_dump_args args;

	struct nft_set_dump_args args = {

		.cb = cb,

		.skb = skb,

		.reset = dump_ctx->reset,

		.iter = {

			.genmask = nft_genmask_cur(net),

			.type = NFT_ITER_READ,

			.skip = cb->args[0],

			.fn = nf_tables_dump_setelem,

		},

	};

	bool set_found = false;

	struct nlmsghdr *nlh;

	struct nlattr *nest;

	if (nest == NULL)

		goto nla_put_failure;

	args.cb			= cb;

	args.skb		= skb;

	args.reset		= dump_ctx->reset;

	args.iter.genmask	= nft_genmask_cur(net);

	args.iter.type		= NFT_ITER_READ;

	args.iter.skip		= cb->args[0];

	args.iter.count		= 0;

	args.iter.err		= 0;

	args.iter.fn		= nf_tables_dump_setelem;

	set->ops->walk(&dump_ctx->ctx, set, &args.iter);

	if (!args.iter.err && args.iter.count == cb->args[0])

			       const struct nft_expr *expr)

{

	const struct nft_lookup *priv = nft_expr_priv(expr);

	struct nft_set_iter iter;

	struct nft_set_iter iter = {

		.genmask	= nft_genmask_next(ctx->net),

		.type		= NFT_ITER_UPDATE,

		.fn		= nft_setelem_validate,

	};

	if (!(priv->set->flags & NFT_SET_MAP) ||

	    priv->set->dtype != NFT_DATA_VERDICT)

		return 0;

	iter.genmask	= nft_genmask_next(ctx->net);

	iter.type	= NFT_ITER_UPDATE;

	iter.skip	= 0;

	iter.count	= 0;

	iter.err	= 0;

	iter.fn		= nft_setelem_validate;

	priv->set->ops->walk(ctx, priv->set, &iter);

	if (!iter.err)

		iter.err = nft_set_catchall_validate(ctx, priv->set);