Commit 24ee9fee authored by Jakub Kicinski
Florian Westphal says:

====================
netfilter: updates for net-next

1) prefer vmalloc_array in ebtables, from  Qianfeng Rong.

2) Use csum_replace4 instead of open-coding it, from Christophe Leroy.

3+4) Get rid of GFP_ATOMIC in transaction object allocations, those
     cause silly failures with large sets under memory pressure, from
     myself.

5) Remove test for AVX cpu feature in nftables pipapo set type,
   testing for AVX2 feature is sufficient.

6) Unexport a few function in nf_reject infra: no external callers.

7) Extend payload offset to u16, this was restricted to values <=255
   so far, from Fernando Fernandez Mancera.

* tag 'nf-next-25-09-02' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: nft_payload: extend offset to 65535 bytes
  netfilter: nf_reject: remove unneeded exports
  netfilter: nft_set_pipapo: remove redundant test for avx feature bit
  netfilter: nf_tables: all transaction allocations can now sleep
  netfilter: nf_tables: allow iter callbacks to sleep
  netfilter: nft_payload: Use csum_replace4() instead of opencoding
  netfilter: ebtables: Use vmalloc_array() to improve code
====================

Link: https://patch.msgid.link/20250902133549.15945-1-fw@strlen.de


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents a7ddedc8 077dc4a2
+0 −8
@@ -10,14 +10,6 @@
void nf_send_unreach(struct sk_buff *skb_in, int code, int hook);
void nf_send_reset(struct net *net, struct sock *, struct sk_buff *oldskb,
		   int hook);
const struct tcphdr *nf_reject_ip_tcphdr_get(struct sk_buff *oldskb,
					     struct tcphdr *_oth, int hook);
struct iphdr *nf_reject_iphdr_put(struct sk_buff *nskb,
				  const struct sk_buff *oldskb,
				  __u8 protocol, int ttl);
void nf_reject_ip_tcphdr_put(struct sk_buff *nskb, const struct sk_buff *oldskb,
			     const struct tcphdr *oth);

struct sk_buff *nf_reject_skb_v4_unreach(struct net *net,
                                         struct sk_buff *oldskb,
                                         const struct net_device *dev,
+0 −10
@@ -9,16 +9,6 @@ void nf_send_unreach6(struct net *net, struct sk_buff *skb_in, unsigned char cod
		      unsigned int hooknum);
void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
		    int hook);
const struct tcphdr *nf_reject_ip6_tcphdr_get(struct sk_buff *oldskb,
					      struct tcphdr *otcph,
					      unsigned int *otcplen, int hook);
struct ipv6hdr *nf_reject_ip6hdr_put(struct sk_buff *nskb,
				     const struct sk_buff *oldskb,
				     __u8 protocol, int hoplimit);
void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb,
			      const struct sk_buff *oldskb,
			      const struct tcphdr *oth, unsigned int otcplen);

struct sk_buff *nf_reject_skb_v6_tcp_reset(struct net *net,
					   struct sk_buff *oldskb,
					   const struct net_device *dev,
+2 −0
@@ -556,6 +556,7 @@ struct nft_set_elem_expr {
 * 	@size: maximum set size
 *	@field_len: length of each field in concatenation, bytes
 *	@field_count: number of concatenated fields in element
 *	@in_update_walk: true during ->walk() in transaction phase
 *	@use: number of rules references to this set
 * 	@nelems: number of elements
 * 	@ndeact: number of deactivated elements queued for removal
@@ -590,6 +591,7 @@ struct nft_set {
	u32				size;
	u8				field_len[NFT_REG32_COUNT];
	u8				field_count;
	bool				in_update_walk;
	u32				use;
	atomic_t			nelems;
	u32				ndeact;
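Review bot: The new kernel-doc line for @in_update_walk states when the flag is true but not what it licenses or who writes it, which is what a reader of a ->walk() callback will need to know before relying on it; the series title "allow iter callbacks to sleep" suggests this flag is the gate, but the setters are not on this page, so confirm that. Suggest expanding the member comment to `@in_update_walk: true while ->walk() runs from the transaction phase; iteration callbacks may sleep in that case` once the sleeping rule is confirmed against the code that sets and clears it. The comment should also name the lock that orders writes to the flag if there is one. The struct nft_set definition continues outside both hunks.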
+1 −1
@@ -73,7 +73,7 @@ struct nft_ct {

struct nft_payload {
	enum nft_payload_bases	base:8;
	u8			offset;
	u16			offset;
	u8			len;
	u8			dreg;
};
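Review bot: Widening nft_payload.offset to u16 moves the user-visible bound from 255 to 65535, so the range check that converts the NFTA_PAYLOAD_OFFSET netlink attribute (in nft_payload_init, not on this page) must now reject values above U16_MAX instead of relying on the old u8 field, e.g. `if (offset > U16_MAX) return -ERANGE;` — confirm that the same patch updates it, since a silent truncation there would make a rule match a different header offset than the one the user wrote. The len and dreg fields stay u8, so offset + len is bounded only by the skb length checks in the eval paths; that is fine as long as every eval path still goes through skb_header_pointer()/skb_copy_bits() rather than trusting the sum. If nft_payload_set (defined in nft_payload.c) keeps its own offset field, it should be widened in step so the get and set sides accept the same range.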
+7 −7
@@ -920,8 +920,8 @@ static int translate_table(struct net *net, const char *name,
		 * if an error occurs
		 */
		newinfo->chainstack =
			vmalloc(array_size(nr_cpu_ids,
					   sizeof(*(newinfo->chainstack))));
			vmalloc_array(nr_cpu_ids,
				      sizeof(*(newinfo->chainstack)));
		if (!newinfo->chainstack)
			return -ENOMEM;
		for_each_possible_cpu(i) {
@@ -938,7 +938,7 @@ static int translate_table(struct net *net, const char *name,
			}
		}

		cl_s = vmalloc(array_size(udc_cnt, sizeof(*cl_s)));
		cl_s = vmalloc_array(udc_cnt, sizeof(*cl_s));
		if (!cl_s)
			return -ENOMEM;
		i = 0; /* the i'th udc */
@@ -1018,8 +1018,8 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl,
	 * the check on the size is done later, when we have the lock
	 */
	if (repl->num_counters) {
		unsigned long size = repl->num_counters * sizeof(*counterstmp);
		counterstmp = vmalloc(size);
		counterstmp = vmalloc_array(repl->num_counters,
					    sizeof(*counterstmp));
		if (!counterstmp)
			return -ENOMEM;
	}
@@ -1386,7 +1386,7 @@ static int do_update_counters(struct net *net, const char *name,
	if (num_counters == 0)
		return -EINVAL;

	tmp = vmalloc(array_size(num_counters, sizeof(*tmp)));
	tmp = vmalloc_array(num_counters, sizeof(*tmp));
	if (!tmp)
		return -ENOMEM;

@@ -1526,7 +1526,7 @@ static int copy_counters_to_user(struct ebt_table *t,
	if (num_counters != nentries)
		return -EINVAL;

	counterstmp = vmalloc(array_size(nentries, sizeof(*counterstmp)));
	counterstmp = vmalloc_array(nentries, sizeof(*counterstmp));
	if (!counterstmp)
		return -ENOMEM;

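Review bot: In the do_replace_finish hunk the allocation size is still derived from the user-supplied repl->num_counters before it is validated against the table, as the preceding comment says, and vmalloc_array() now turns a multiplication overflow into a NULL return that is reported as -ENOMEM rather than -EINVAL; that is acceptable, but the comment no longer mentions the overflow case that the old open-coded `num_counters * sizeof(*counterstmp)` left unchecked. Suggest extending that comment with `/* a num_counters * sizeof(*counterstmp) overflow is caught by vmalloc_array() and surfaces as -ENOMEM */` so the next reader does not reintroduce a bare multiply. A merely huge but non-overflowing count still reaches the allocator and is bounded only by vmalloc's own size checks, which is the pre-existing behaviour and unchanged here. do_replace_finish, do_update_counters and copy_counters_to_user all continue outside their hunks.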