Commit 1f773970 authored Apr 29, 2025 by Jakub Kicinski

Merge tag 'nf-next-25-04-29' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following batch contains Netfilter updates for net-next:

1) Replace msecs_to_jiffies() by secs_to_jiffies(), from Easwar Hariharan.

2) Allow to compile xt_cgroup with cgroupsv2 support only,
   from Michal Koutny.

3) Prepare for sock_cgroup_classid() removal by wrapping it around
   ifdef, also from Michal Koutny.

4) Remove redundant pointer fetch on conntrack template, from Xuanqiang Luo.

5) Re-format one block in the tproxy documentation for consistency,
   from Chen Linxuan.

6) Expose set element count and type via netlink attributes,
   from Florian Westphal.

* tag 'nf-next-25-04-29' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: nf_tables: export set count and backend name to userspace
  docs: tproxy: fix formatting for nft code block
  netfilter: conntrack: Remove redundant NFCT_ALIGN call
  net: cgroup: Guard users of sock_cgroup_classid()
  netfilter: xt_cgroup: Make it independent from net_cls
  netfilter: xt_IDLETIMER: convert timeouts to secs_to_jiffies()
====================

Link: https://patch.msgid.link/20250428221254.3853-1-pablo@netfilter.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parents 8e36fcaa 0014af80

Documentation/networking/tproxy.rst

+2 −2

Original line number	Diff line number	Diff line
		@@ -69,7 +69,7 @@ add rules like this to the iptables ruleset above::
		# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
		--tproxy-mark 0x1/0x1 --on-port 50080

		Or the following rule to nft:
		Or the following rule to nft::

		# nft add rule filter divert tcp dport 80 tproxy to :50080 meta mark set 1 accept

include/uapi/linux/netfilter/nf_tables.h

+4 −0

Original line number	Diff line number	Diff line
		@@ -394,6 +394,8 @@ enum nft_set_field_attributes {
		* @NFTA_SET_HANDLE: set handle (NLA_U64)
		* @NFTA_SET_EXPR: set expression (NLA_NESTED: nft_expr_attributes)
		* @NFTA_SET_EXPRESSIONS: list of expressions (NLA_NESTED: nft_list_attributes)
		* @NFTA_SET_TYPE: set backend type (NLA_STRING)
		* @NFTA_SET_COUNT: number of set elements (NLA_U32)
		*/
		enum nft_set_attributes {
		NFTA_SET_UNSPEC,
		@@ -415,6 +417,8 @@ enum nft_set_attributes {
		NFTA_SET_HANDLE,
		NFTA_SET_EXPR,
		NFTA_SET_EXPRESSIONS,
		NFTA_SET_TYPE,
		NFTA_SET_COUNT,
		__NFTA_SET_MAX
		};
		#define NFTA_SET_MAX (__NFTA_SET_MAX - 1)

net/ipv4/inet_diag.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -160,7 +160,7 @@ int inet_diag_msg_attrs_fill(struct sock sk, struct sk_buff skb,
		ext & (1 << (INET_DIAG_TCLASS - 1))) {
		u32 classid = 0;

		#ifdef CONFIG_SOCK_CGROUP_DATA
		#ifdef CONFIG_CGROUP_NET_CLASSID
		classid = sock_cgroup_classid(&sk->sk_cgrp_data);
		#endif
		/* Fallback to socket priority if class id isn't set.

net/netfilter/Kconfig

+1 −1

Original line number	Diff line number	Diff line
		@@ -1180,7 +1180,7 @@ config NETFILTER_XT_MATCH_CGROUP
		tristate '"control group" match support'
		depends on NETFILTER_ADVANCED
		depends on CGROUPS
		select CGROUP_NET_CLASSID
		select SOCK_CGROUP_DATA
		help
		Socket/process control group matching allows you to match locally
		generated packets based on which net_cls control group processes

net/netfilter/nf_conntrack_core.c

+1 −3

Original line number	Diff line number	Diff line
		@@ -531,10 +531,8 @@ struct nf_conn nf_ct_tmpl_alloc(struct net net,

		p = tmpl;
		tmpl = (struct nf_conn *)NFCT_ALIGN((unsigned long)p);
		if (tmpl != p) {
		tmpl = (struct nf_conn *)NFCT_ALIGN((unsigned long)p);
		if (tmpl != p)
		tmpl->proto.tmpl_padto = (char )tmpl - (char )p;
		}
		} else {
		tmpl = kzalloc(sizeof(*tmpl), flags);
		if (!tmpl)