Commit 8bc251e5 authored by Jakub Kicinski
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following batch contains Netfilter fixes for net:

1) conncount incorrectly removes element for non-dynamic sets,
   these elements represent a static control plane configuration,
   leave them in place.

2) syzbot found a way to unregister a basechain that has never been
   registered from the chain update path, fix from Florian Westphal.

3) Fix incorrect pointer arithmetic in geneve support for tunnel,
   from Lin Ma.

* tag 'nf-25-04-03' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nft_tunnel: fix geneve_opt type confusion addition
  netfilter: nf_tables: don't unregister hook when table is dormant
  netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only
====================

Link: https://patch.msgid.link/20250403115752.19608-1-pablo@netfilter.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 91587375 1b755d8e
+2 −2
@@ -2839,10 +2839,10 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
			err = nft_netdev_register_hooks(ctx->net, &hook.list);
			if (err < 0)
				goto err_hooks;
		}
	}

			unregister = true;
		}
	}

	if (nla[NFTA_CHAIN_COUNTERS]) {
		if (!nft_is_base_chain(chain)) {
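Review bot: the rendered hunk shows only unchanged context around the `nft_netdev_register_hooks()` call and the `unregister = true;` assignment, so the changed lines that implement "don't unregister hook when table is dormant" are not visible here; confirm in the full diff that `unregister` is set only on the path where `nft_netdev_register_hooks()` was actually called and returned success, because the `goto err_hooks` error path otherwise unregisters hooks that were never registered, which is the syzbot report the merge message describes.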
+2 −1
@@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set,

	nft_setelem_expr_foreach(expr, elem_expr, size) {
		if (expr->ops->gc &&
		    expr->ops->gc(read_pnet(&set->net), expr))
		    expr->ops->gc(read_pnet(&set->net), expr) &&
		    set->flags & NFT_SET_EVAL)
			return true;
	}

+2 −2
@@ -341,7 +341,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN
static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
				      struct nft_tunnel_opts *opts)
{
	struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len;
	struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len);
	struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1];
	int err, data_len;

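Review bot: in the original line the cast binds to `opts->u.data` before the addition, so `+ opts->len` advanced the pointer by `opts->len * sizeof(struct geneve_opt)` instead of `opts->len` bytes; the parenthesized form is correct only if `opts->u.data` is a byte array, which should be confirmed against the `nft_tunnel_opts` definition. The same expression appears in the dump path, so a small helper returning `(struct geneve_opt *)(opts->u.data + offset)` would keep the two sites from diverging again.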
@@ -625,7 +625,7 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
		if (!inner)
			goto failure;
		while (opts->len > offset) {
			opt = (struct geneve_opt *)opts->u.data + offset;
			opt = (struct geneve_opt *)(opts->u.data + offset);
			if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
					 opt->opt_class) ||
			    nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE,
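Review bot: same cast-precedence fix as in `nft_tunnel_obj_geneve_init()`; now that the addition happens in bytes, the `offset` increment that drives the `while (opts->len > offset)` loop must also be the option's size in bytes for the loop to land on option boundaries, and that increment lies outside the visible context, so confirm its units match.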