Commit c85e41bf authored by Jakub Kicinski's avatar Jakub Kicinski
Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

Patch #1 skips transaction if object type provides no .update interface.

Patch #2 skips NETDEV_CHANGENAME which is unused.

Patch #3 enables conntrack to handle Multicast Router Advertisements and
	 Multicast Router Solicitations from the Multicast Router Discovery
	 protocol (RFC4286) as untracked opposed to invalid packets.
	 From Linus Luessing.

Patch #4 updates DCCP conntracker to mark invalid as invalid, instead of
	 dropping them, from Jason Xing.

Patch #5 uses NF_DROP instead of -NF_DROP since NF_DROP is 0,
	 also from Jason.

Patch #6 removes reference in netfilter's sysctl documentation on pickup
	 entries which were already removed by Florian Westphal.

Patch #7 removes check for IPS_OFFLOAD flag to disable early drop which
	 allows to evict entries from the conntrack table,
	 also from Florian.

Patches #8 to #16 updates nf_tables pipapo set backend to allocate
	 the datastructure copy on-demand from preparation phase,
	 to better deal with OOM situations where .commit step is too late
	 to fail. Series from Florian Westphal.

Patch #17 adds a selftest with packetdrill to cover conntrack TCP state
	 transitions, also from Florian.

Patch #18 uses GFP_KERNEL to clone elements from the control plane, to avoid
	 quickly exhausting atomic reserves with large sets; the reporter refers
	 to sets on the order of a million entries.

* tag 'nf-next-24-05-12' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: nf_tables: allow clone callbacks to sleep
  selftests: netfilter: add packetdrill based conntrack tests
  netfilter: nft_set_pipapo: remove dirty flag
  netfilter: nft_set_pipapo: move cloning of match info to insert/removal path
  netfilter: nft_set_pipapo: prepare pipapo_get helper for on-demand clone
  netfilter: nft_set_pipapo: merge deactivate helper into caller
  netfilter: nft_set_pipapo: prepare walk function for on-demand clone
  netfilter: nft_set_pipapo: prepare destroy function for on-demand clone
  netfilter: nft_set_pipapo: make pipapo_clone helper return NULL
  netfilter: nft_set_pipapo: move prove_locking helper around
  netfilter: conntrack: remove flowtable early-drop test
  netfilter: conntrack: documentation: remove reference to non-existent sysctl
  netfilter: use NF_DROP instead of -NF_DROP
  netfilter: conntrack: dccp: try not to drop skb in conntrack
  netfilter: conntrack: fix ct-state for ICMPv6 Multicast Router Discovery
  netfilter: nf_tables: remove NETDEV_CHANGENAME from netdev chain event handler
  netfilter: nf_tables: skip transaction if update object is not implemented
====================

Link: https://lore.kernel.org/r/20240512161436.168973-1-pablo@netfilter.org


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents cddd2dc6 fa23e0d4
+2 −2
@@ -222,11 +222,11 @@ nf_flowtable_tcp_timeout - INTEGER (seconds)

        Control offload timeout for tcp connections.
        TCP connections may be offloaded from nf conntrack to nf flow table.
        Once aged, the connection is returned to nf conntrack with tcp pickup timeout.
        Once aged, the connection is returned to nf conntrack.

nf_flowtable_udp_timeout - INTEGER (seconds)
        default 30

        Control offload timeout for udp connections.
        UDP connections may be offloaded from nf conntrack to nf flow table.
        Once aged, the connection is returned to nf conntrack with udp pickup timeout.
        Once aged, the connection is returned to nf conntrack.
+2 −2
@@ -416,7 +416,7 @@ struct nft_expr_info;

int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
			 struct nft_expr_info *info);
int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src);
int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp);
void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr);
int nft_expr_dump(struct sk_buff *skb, unsigned int attr,
		  const struct nft_expr *expr, bool reset);
@@ -935,7 +935,7 @@ struct nft_expr_ops {
						struct nft_regs *regs,
						const struct nft_pktinfo *pkt);
	int				(*clone)(struct nft_expr *dst,
						 const struct nft_expr *src);
						 const struct nft_expr *src, gfp_t gfp);
	unsigned int			size;

	int				(*init)(const struct nft_ctx *ctx,
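Review bot: The new `gfp_t gfp` parameter on `nft_expr_clone` (first hunk) and on the `clone` op (second hunk) is undocumented, yet it is what now decides whether a clone callback may sleep, so a caller on an atomic path that passes GFP_KERNEL, or a callback that blocks regardless of the mask it is handed, becomes a sleep-in-atomic bug that nothing in the type signature will catch. The kerneldoc header of `struct nft_expr_ops` is above the hunk and I cannot see whether it already lists @clone; if it does not, add `@clone: copy expression private data from @src to @dst; @gfp is the allocation mask of the caller's context and the callback may block only when @gfp allows it`. The commit message says the control plane passes GFP_KERNEL, and presumably any remaining caller under RCU still needs GFP_ATOMIC, so a one-line comment on the `nft_expr_clone` prototype naming the expected masks would make the contract reviewable at the call sites. Both enclosing definitions continue outside the hunks.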
+1 −0
@@ -112,6 +112,7 @@ struct icmp6hdr {
#define ICMPV6_MOBILE_PREFIX_ADV	147

#define ICMPV6_MRDISC_ADV		151
#define ICMPV6_MRDISC_SOL		152

#define ICMPV6_MSG_MAX          255

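Review bot: RFC 4286 defines three Multicast Router Discovery message types for ICMPv6 — Advertisement (151), Solicitation (152) and Termination (153) — but the hunk adds only `ICMPV6_MRDISC_SOL`, so a Multicast Router Termination will presumably still be classified as an invalid ICMPv6 message wherever these constants are consumed (that conntrack code is outside this hunk). If the intent of the series is to stop flagging MRD traffic as invalid, `#define ICMPV6_MRDISC_TERM 153` should be added here and handled alongside the other two; if terminations are deliberately left out, a comment next to the two defines saying so would spare the next reader from re-deriving that decision. Since this is a UAPI header the names chosen here are permanent, so it is worth settling now rather than in a follow-up.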
+1 −1
@@ -44,7 +44,7 @@ static int iptable_filter_table_init(struct net *net)
		return -ENOMEM;
	/* Entry 1 is the FORWARD hook */
	((struct ipt_standard *)repl->entries)[1].target.verdict =
		forward ? -NF_ACCEPT - 1 : -NF_DROP - 1;
		forward ? -NF_ACCEPT - 1 : NF_DROP - 1;

	err = ipt_register_table(net, &packet_filter, repl, filter_ops);
	kfree(repl);
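Review bot: `NF_DROP - 1` on the changed line reads as a different encoding from `-NF_ACCEPT - 1` in the other arm of the same ternary, although both are the standard-target verdict form `-(NF_*) - 1`; the asymmetry only works because NF_DROP is 0, giving -1. Someone auditing the default FORWARD policy has to know that constant's value to see that the two arms agree, which is exactly how a wrong default policy slips past review. A short comment above the assignment, `/* standard verdicts are encoded as -(NF_*) - 1; NF_DROP is 0, so this is -1 */`, keeps the intent explicit without reintroducing the double negation. `iptable_filter_table_init` starts before the hunk.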
+1 −1
@@ -43,7 +43,7 @@ static int ip6table_filter_table_init(struct net *net)
		return -ENOMEM;
	/* Entry 1 is the FORWARD hook */
	((struct ip6t_standard *)repl->entries)[1].target.verdict =
		forward ? -NF_ACCEPT - 1 : -NF_DROP - 1;
		forward ? -NF_ACCEPT - 1 : NF_DROP - 1;

	err = ip6t_register_table(net, &packet_filter, repl, filter_ops);
	kfree(repl);
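Review bot: The changed line leaves the two arms of the ternary in visibly different shapes, `-NF_ACCEPT - 1` versus `NF_DROP - 1`, even though both are the same standard-target verdict encoding and the second form is only valid because NF_DROP equals 0. Whoever next reviews the IPv6 default FORWARD policy should not have to look up that value to confirm the drop arm evaluates to -1. Adding `/* verdict encoding is -(NF_*) - 1; NF_DROP == 0 yields -1 */` above the assignment documents why the negation was dropped on this side only. `ip6table_filter_table_init` begins outside the hunk.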