From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>
Subject: [PATCH net-next 00/12] netfilter updates for net-next
Date: Wed, 21 Feb 2024 12:26:02 +0100
Message-ID: <20240221112637.5396-1-fw@strlen.de>

This pull request contains updates for your *net-next* tree:

1. Prefer KMEM_CACHE() macro to create kmem caches, from Kunwu Chan.

Patches 2 and 3 consolidate nf_log NULL checks and introduce
extra boundary checks on family and type to make it clear that no out
of bounds access will happen. No in-tree user currently passes such
values, but that's not clear from looking at the function.
From Pablo Neira Ayuso.

Patch 4, also from Pablo, gets rid of unneeded conditional in
nft_osf init function.

Patch 5, from myself, fixes erroneous Kconfig dependencies that
came in an earlier net-next pull request. This should get rid
of the xtables related build failure reports.

Patches 6 to 10 are an update to nftables' concatenated-ranges
set type to speed up element insertions. This series also
compacts a few data structures and cleans up a few oddities such
as reliance on ZERO_SIZE_PTR when asking to allocate a set with
no elements. From myself.

Patch 11 moves the nf_reinject function from the netfilter core
(vmlinux) into the nfnetlink_queue backend, the only location where
this is called from. Also from myself.

Patch 12, from Kees Cook, switches xtables' compat layer to use
unsafe_memcpy because xt_entry_target cannot easily get converted
to a real flexible array (it's UAPI and used inside other structs).

The following changes since commit b0117d136bb9e4a1facb7ce354e0580dde876f6b:

  Merge branch 'net-constify-device_type' (2024-02-21 09:45:24 +0000)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-24-02-21

for you to fetch changes up to 26f4dac11775a1ca24e2605cb30e828d4dbdea93:

  netfilter: x_tables: Use unsafe_memcpy() for 0-sized destination (2024-02-21 12:03:22 +0100)

----------------------------------------------------------------
netfilter pr 2024-21-02

----------------------------------------------------------------
Florian Westphal (7):
      netfilter: xtables: fix up kconfig dependencies
      netfilter: nft_set_pipapo: constify lookup fn args where possible
      netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR
      netfilter: nft_set_pipapo: shrink data structures
      netfilter: nft_set_pipapo: speed up bulk element insertions
      netfilter: nft_set_pipapo: use GFP_KERNEL for insertions
      netfilter: move nf_reinject into nfnetlink_queue modules

Kees Cook (1):
      netfilter: x_tables: Use unsafe_memcpy() for 0-sized destination

Kunwu Chan (1):
      netfilter: expect: Simplify the allocation of slab caches in nf_conntrack_expect_init

Pablo Neira Ayuso (3):
      netfilter: nf_log: consolidate check for NULL logger in lookup function
      netfilter: nf_log: validate nf_logger_find_get()
      netfilter: nft_osf: simplify init path

 include/linux/netfilter.h           |   1 -
 include/net/netfilter/nf_queue.h    |   1 -
 net/ipv4/netfilter/Kconfig          |   3 +-
 net/netfilter/nf_conntrack_expect.c |   4 +-
 net/netfilter/nf_log.c              |   9 +-
 net/netfilter/nf_queue.c            | 106 --------------------
 net/netfilter/nfnetlink_queue.c     | 142 ++++++++++++++++++++++++++
 net/netfilter/nft_osf.c             |  11 +-
 net/netfilter/nft_set_pipapo.c      | 193 ++++++++++++++++++++++++++----------
 net/netfilter/nft_set_pipapo.h      |  37 +++----
 net/netfilter/nft_set_pipapo_avx2.c |  59 ++++++-----
 net/netfilter/utils.c               |  37 -------
 net/netfilter/x_tables.c            |   3 +-
 13 files changed, 346 insertions(+), 260 deletions(-)