Commit c6dc26df authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'nf-next-25-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next 

Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following series contains Netfilter/IPVS updates for net-next:

1) Display netns inode in conntrack table full log, from lvxiafei.

2) Autoload nf_log_syslog in case no logging backend is available,
   from Lance Yang.

3) Three patches to remove unused functions in x_tables, nf_tables and
   conntrack. From Yue Haibing.

4) Exclude LEGACY TABLES on PREEMPT_RT: Add NETFILTER_XTABLES_LEGACY
   to exclude xtables legacy infrastructure.

5) Restore selftests by toggling NETFILTER_XTABLES_LEGACY where needed.
   From Florian Westphal.

6) Use CONFIG_INET_SCTP_DIAG in tools/testing/selftests/net/netfilter/config,
   from Sebastian Andrzej Siewior.

7) Use timer_delete in comment in IPVS codebase, from WangYuli.

8) Dump flowtable information in nfnetlink_hook, this includes an initial
   patch to consolidate common code in helper function, from Phil Sutter.

9) Remove unused arguments in nft_pipapo set backend, from Florian Westphal.

10) Return nft_set_ext instead of boolean in set lookup function,
    from Florian Westphal.

11) Remove indirection in dynamic set infrastructure, also from Florian.

12) Consolidate pipapo_get/lookup, from Florian.

13) Use kvmalloc in nft_pipapop, from Florian Westphal.

14) syzbot reports slab-out-of-bounds in xt_nfacct log message,
    fix from Florian Westphal.

15) Ignored tainted kernels in selftest nft_interface_stress.sh,
    from Phil Sutter.

16) Fix IPVS selftest by disabling rp_filter with ipip tunnel device,
    from Yi Chen.

* tag 'nf-next-25-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  selftests: netfilter: ipvs.sh: Explicity disable rp_filter on interface tunl0
  selftests: netfilter: Ignore tainted kernels in interface stress test
  netfilter: xt_nfacct: don't assume acct name is null-terminated
  netfilter: nft_set_pipapo: prefer kvmalloc for scratch maps
  netfilter: nft_set_pipapo: merge pipapo_get/lookup
  netfilter: nft_set: remove indirection from update API call
  netfilter: nft_set: remove one argument from lookup and update functions
  netfilter: nft_set_pipapo: remove unused arguments
  netfilter: nfnetlink_hook: Dump flowtable info
  netfilter: nfnetlink: New NFNLA_HOOK_INFO_DESC helper
  ipvs: Rename del_timer in comment in ip_vs_conn_expire_now()
  selftests: netfilter: Enable CONFIG_INET_SCTP_DIAG
  selftests: net: Enable legacy netfilter legacy options.
  netfilter: Exclude LEGACY TABLES on PREEMPT_RT.
  netfilter: conntrack: Remove unused net in nf_conntrack_double_lock()
  netfilter: nf_tables: Remove unused nft_reduce_is_readonly()
  netfilter: x_tables: Remove unused functions xt_{in|out}name()
  netfilter: load nf_log_syslog on enabling nf_conntrack_log_invalid
  netfilter: conntrack: table full detailed log
====================

Link: https://patch.msgid.link/20250725170340.21327-1-pablo@netfilter.org


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents ecc383e5 8b4a1a46

include/linux/netfilter.h

+1 −0
Original line number Diff line number Diff line
@@ -92,6 +92,7 @@ enum nf_hook_ops_type { 
	NF_HOOK_OP_UNDEFINED,

	NF_HOOK_OP_NF_TABLES,

	NF_HOOK_OP_BPF,

	NF_HOOK_OP_NFT_FT,

};



struct nf_hook_ops {

include/linux/netfilter/x_tables.h

+0 −10
Original line number Diff line number Diff line
@@ -51,21 +51,11 @@ static inline struct net_device *xt_in(const struct xt_action_param *par) 
	return par->state->in;

}



static inline const char *xt_inname(const struct xt_action_param *par)

{

	return par->state->in->name;

}



static inline struct net_device *xt_out(const struct xt_action_param *par)

{

	return par->state->out;

}



static inline const char *xt_outname(const struct xt_action_param *par)

{

	return par->state->out->name;

}



static inline unsigned int xt_hooknum(const struct xt_action_param *par)

{

	return par->state->hook;

include/net/netfilter/nf_log.h

+3 −0
Original line number Diff line number Diff line
@@ -59,6 +59,9 @@ extern int sysctl_nf_log_all_netns; 
int nf_log_register(u_int8_t pf, struct nf_logger *logger);

void nf_log_unregister(struct nf_logger *logger);



/* Check if any logger is registered for a given protocol family. */

bool nf_log_is_registered(u_int8_t pf);



int nf_log_set(struct net *net, u_int8_t pf, const struct nf_logger *logger);

void nf_log_unset(struct net *net, const struct nf_logger *logger);

include/net/netfilter/nf_tables.h

+4 −15
Original line number Diff line number Diff line
@@ -459,19 +459,13 @@ struct nft_set_ext; 
 *	control plane functions.

 */

struct nft_set_ops {

	bool				(*lookup)(const struct net *net,

	const struct nft_set_ext *	(*lookup)(const struct net *net,

						  const struct nft_set *set,

						  const u32 *key);

	const struct nft_set_ext *	(*update)(struct nft_set *set,

						  const u32 *key,

						  const struct nft_set_ext **ext);

	bool				(*update)(struct nft_set *set,

						  const u32 *key,

						  struct nft_elem_priv *

							(*new)(struct nft_set *,

							       const struct nft_expr *,

							       struct nft_regs *),

						  const struct nft_expr *expr,

						  struct nft_regs *regs,

						  const struct nft_set_ext **ext);

						  struct nft_regs *regs);

	bool				(*delete)(const struct nft_set *set,

						  const u32 *key);
@@ -1939,11 +1933,6 @@ static inline u64 nft_net_tstamp(const struct net *net) 
#define __NFT_REDUCE_READONLY	1UL

#define NFT_REDUCE_READONLY	(void *)__NFT_REDUCE_READONLY



static inline bool nft_reduce_is_readonly(const struct nft_expr *expr)

{

	return expr->ops->reduce == NFT_REDUCE_READONLY;

}



void nft_reg_track_update(struct nft_regs_track *track,

			  const struct nft_expr *expr, u8 dreg, u8 len);

void nft_reg_track_cancel(struct nft_regs_track *track, u8 dreg, u8 len);

include/net/netfilter/nf_tables_core.h

+30 −20
Original line number Diff line number Diff line
@@ -94,34 +94,41 @@ extern const struct nft_set_type nft_set_pipapo_type; 
extern const struct nft_set_type nft_set_pipapo_avx2_type;



#ifdef CONFIG_MITIGATION_RETPOLINE

bool nft_rhash_lookup(const struct net *net, const struct nft_set *set,

		      const u32 *key, const struct nft_set_ext **ext);

bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext);

bool nft_bitmap_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext);

bool nft_hash_lookup_fast(const struct net *net,

			  const struct nft_set *set,

			  const u32 *key, const struct nft_set_ext **ext);

bool nft_hash_lookup(const struct net *net, const struct nft_set *set,

		     const u32 *key, const struct nft_set_ext **ext);

bool nft_set_do_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext);

const struct nft_set_ext *

nft_rhash_lookup(const struct net *net, const struct nft_set *set,

		 const u32 *key);

const struct nft_set_ext *

nft_rbtree_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key);

const struct nft_set_ext *

nft_bitmap_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key);

const struct nft_set_ext *

nft_hash_lookup_fast(const struct net *net, const struct nft_set *set,

		     const u32 *key);

const struct nft_set_ext *

nft_hash_lookup(const struct net *net, const struct nft_set *set,

		const u32 *key);

const struct nft_set_ext *

nft_set_do_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key);

#else

static inline bool

static inline const struct nft_set_ext *

nft_set_do_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key, const struct nft_set_ext **ext)

		  const u32 *key)

{

	return set->ops->lookup(net, set, key, ext);

	return set->ops->lookup(net, set, key);

}

#endif



/* called from nft_pipapo_avx2.c */

bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext);

const struct nft_set_ext *

nft_pipapo_lookup(const struct net *net, const struct nft_set *set,

		  const u32 *key);

/* called from nft_set_pipapo.c */

bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,

			    const u32 *key, const struct nft_set_ext **ext);

const struct nft_set_ext *

nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,

			const u32 *key);



void nft_counter_init_seqcount(void);
@@ -181,4 +188,7 @@ void nft_objref_eval(const struct nft_expr *expr, struct nft_regs *regs, 
		     const struct nft_pktinfo *pkt);

void nft_objref_map_eval(const struct nft_expr *expr, struct nft_regs *regs,

			 const struct nft_pktinfo *pkt);

struct nft_elem_priv *nft_dynset_new(struct nft_set *set,

				     const struct nft_expr *expr,

				     struct nft_regs *regs);

#endif /* _NET_NF_TABLES_CORE_H */