Commit 17bcfe66 authored by Paolo Abeni
Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following series contains Netfilter updates for net-next:

1) Make legacy xtables configs user selectable, from Breno Leitao.

2) Fix a few sparse warnings related to percpu, from Uros Bizjak.

3) Use strscpy_pad, from Justin Stitt.

4) Use nft_trans_elem_alloc() in catchall flush, from Florian Westphal.

5) A series of 7 patches to fix false positive with CONFIG_RCU_LIST=y.
   Florian also sees a possible issue with 10 during module load/removal
   when requesting an expression that is available via a module. As for
   patch 11, the object is being updated, so a reference on the module
   already exists and I don't see any real issue.

   Florian says:

   "Unfortunately there are many more errors, and not all are false positives.

   First patches pass lockdep_commit_lock_is_held() to the rcu list traversal
   macro so that those splats are avoided.

   The last two patches are real code changes as opposed to
   'pass the transaction mutex to relax rcu check':

   Those two lists are not protected by transaction mutex so could be altered
   in parallel.

   This targets nf-next because these are long-standing issues."

netfilter pull request 24-11-07

* tag 'nf-next-24-11-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: nf_tables: must hold rcu read lock while iterating object type list
  netfilter: nf_tables: must hold rcu read lock while iterating expression type list
  netfilter: nf_tables: avoid false-positive lockdep splats with basechain hook
  netfilter: nf_tables: avoid false-positive lockdep splats in set walker
  netfilter: nf_tables: avoid false-positive lockdep splats with flowtables
  netfilter: nf_tables: avoid false-positive lockdep splats with sets
  netfilter: nf_tables: avoid false-positive lockdep splat on rule deletion
  netfilter: nf_tables: prefer nft_trans_elem_alloc helper
  netfilter: nf_tables: replace deprecated strncpy with strscpy_pad
  netfilter: nf_tables: Fix percpu address space issues in nf_tables_api.c
  netfilter: Make legacy configs user selectable
====================

Link: https://patch.msgid.link/20241106234625.168468-1-pablo@netfilter.org


Signed-off-by: Paolo Abeni <pabeni@redhat.com>
parents 90c940ff cddc0427
+2 −1
@@ -1463,7 +1463,8 @@ struct nft_flowtable {
	struct nf_flowtable		data;
};

struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
struct nft_flowtable *nft_flowtable_lookup(const struct net *net,
					   const struct nft_table *table,
					   const struct nlattr *nla,
					   u8 genmask);
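Review bot: the only visible change is the prototype gaining a leading `const struct net *net` argument; the definition in nf_tables_api.c and every caller are outside this page, so please confirm each call site passes the namespace whose commit mutex is actually held, since the cover letter says the purpose of the series is to pass lockdep_commit_lock_is_held() into the RCU list traversal, and a mismatched `net` would silence lockdep without giving the protection it claims. A one-line comment on the prototype stating that requirement would save the next reader a trip to the definition.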

+7 −1
@@ -41,7 +41,13 @@ config NF_CONNTRACK_BRIDGE

# old sockopt interface and eval loop
config BRIDGE_NF_EBTABLES_LEGACY
	tristate
	tristate "Legacy EBTABLES support"
	depends on BRIDGE && NETFILTER_XTABLES
	default n
	help
	 Legacy ebtables packet/frame classifier.
	 This is not needed if you are using ebtables over nftables
	 (iptables-nft).

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
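Review bot: the help text `This is not needed if you are using ebtables over nftables (iptables-nft).` names the wrong front end for this file; the nftables-backed bridge tool shipped alongside iptables-nft is ebtables-nft, so `(ebtables-nft)` would be accurate. Since BRIDGE_NF_EBTABLES_LEGACY was previously a bare `tristate` it could only be enabled via `select` from another symbol, so check that whatever selected it (the `menuconfig BRIDGE_NF_EBTABLES` block shown as context is unchanged here) no longer forces it on, otherwise the new prompt is decorative. `default n` is the implicit default for a tristate and can be dropped.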
+1 −1
@@ -63,7 +63,7 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
		return nft_meta_get_eval(expr, regs, pkt);
	}

	strncpy((char *)dest, br_dev ? br_dev->name : "", IFNAMSIZ);
	strscpy_pad((char *)dest, br_dev ? br_dev->name : "", IFNAMSIZ);
	return;
err:
	regs->verdict.code = NFT_BREAK;
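Review bot: the swap from `strncpy` to `strscpy_pad` keeps the zero-fill of the remaining IFNAMSIZ bytes in `dest` and additionally guarantees NUL termination, which is the right choice for a value that later gets compared byte-wise out of the registers. The return value (negative on truncation) is discarded, which is only safe because `br_dev->name` is itself IFNAMSIZ-bounded; a short comment saying the truncation case cannot occur would document why the result is ignored.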
+14 −2
@@ -12,7 +12,13 @@ config NF_DEFRAG_IPV4

# old sockopt interface and eval loop
config IP_NF_IPTABLES_LEGACY
	tristate
	tristate "Legacy IP tables support"
	default	n
	select NETFILTER_XTABLES
	help
	  iptables is a legacy packet classifier.
	  This is not needed if you are using iptables over nftables
	  (iptables-nft).

config NF_SOCKET_IPV4
	tristate "IPv4 socket lookup support"
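Review bot: the `default	n` line uses a tab between the keyword and the value where the rest of the series uses a space; worth normalising. This symbol uses `select NETFILTER_XTABLES` while the BRIDGE_NF_EBTABLES_LEGACY and IP_NF_ARPTABLES hunks use `depends on NETFILTER_XTABLES`; pick one, since `select` silently pulls xtables in while `depends on` hides the option until xtables is enabled, and mixing the two makes the resulting .config harder to reason about.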
@@ -318,7 +324,13 @@ endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate
	tristate "Legacy ARPTABLES support"
	depends on NETFILTER_XTABLES
	default n
	help
	  arptables is a legacy packet classifier.
	  This is not needed if you are using arptables over nftables
	  (iptables-nft).

config NFT_COMPAT_ARP
	tristate
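Review bot: the help text `This is not needed if you are using arptables over nftables (iptables-nft).` should name the arptables-nft front end rather than iptables-nft, matching the sentence it sits in. The prompt `"Legacy ARPTABLES support"` capitalises the tool name differently from `"Legacy IP tables support"` in the hunk above; `"Legacy arptables support"` would be consistent with the help text.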
+8 −1
@@ -8,7 +8,14 @@ menu "IPv6: Netfilter Configuration"

# old sockopt interface and eval loop
config IP6_NF_IPTABLES_LEGACY
	tristate
	tristate "Legacy IP6 tables support"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default n
	help
	  ip6tables is a legacy packet classifier.
	  This is not needed if you are using iptables over nftables
	  (iptables-nft).

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
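Review bot: the help text's `using iptables over nftables (iptables-nft)` should read ip6tables-nft for this IPv6 symbol, matching the `ip6tables is a legacy packet classifier.` line above it. The order of `depends on`, `select` and `default` also differs from the IPv4 hunk (`default n` comes before `select` there and after it here); keeping the same order across the series is easier to review.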