From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>,
pablo@netfilter.org
Subject: [PATCH net-next 00/10] Subject: netfilter: updates for net-next
Date: Tue, 20 Jan 2026 20:17:53 +0100
Message-ID: <20260120191803.22208-1-fw@strlen.de>
Hi,
The following patchset contains Netfilter fixes for *net-next*:
1) Speed up nftables transactions after earlier transaction failed.
Due to a (harmless) bug we remained in slow paranoia mode until a
successful transaction completes.
2) Allow generic tracker to resolve clashes, this avoids very rare
packet drops. From Yuto Hamaguchi.
3) Increase the cleanup budget to 64 entries in nf_conncount to reap
more entries in one go, from Fernando Fernandez Mancera.
4) Allow icmp trackers to resolve clashes, this avoids very rare
initial packet drop with test cases that have high-frequency pings.
After this all trackers except tcp and sctp allow clash resolution.
5) Disentangle netfilter headers, don't include nftables/xtables headers
in subsystems that are unrelated.
6) Don't rely on implicit includes coming from nf_conntrack_proto_gre.h.
7) Allow nfnetlink_queue nfq instance struct to get accounted via memcg,
from Scott Mitchell.
8) Reject bogus xt target/match data upfront via netlink policy in
nft_compat interface rather than relying on x_tables API to do it.
9) Fix nf_conncount breakage when trying to limit loopback flows via
prerouting rule, from Fernando Fernandez Mancera.
This is a recent breakage but not seen as urgent enough to rush this
via net tree at this late stage in development cycle.
10) Fix a possible off-by-one when parsing tcp option in xtables tcpmss
match. Also handled via -next due to late stage in development
cycle.
0003-netfilter-nf_conncount-increase-the-connection-clean.patch fixes commit from v5.19-rc1~159^2~45^2~2
0008-netfilter-nft_compat-add-more-restrictions-on-netlin.patch fixes commit from v3.13-rc1~105^2~186^2~8
0009-netfilter-nf_conncount-fix-tracking-of-connections-f.patch fixes commit from nf-next-25-11-28~6
Please, pull these changes from:
The following changes since commit 77b9c4a438fc66e2ab004c411056b3fb71a54f2c:
Merge branch 'netkit-support-for-io_uring-zero-copy-and-af_xdp' (2026-01-20 12:25:29 +0100)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-26-01-20
for you to fetch changes up to 735ee8582da3d239eb0c7a53adca61b79fb228b3:
netfilter: xt_tcpmss: check remaining length before reading optlen (2026-01-20 16:23:38 +0100)
----------------------------------------------------------------
netfilter pull request nf-next-26-01-20
----------------------------------------------------------------
Fernando Fernandez Mancera (2):
netfilter: nf_conncount: increase the connection clean up limit to 64
netfilter: nf_conncount: fix tracking of connections from localhost
Florian Westphal (6):
netfilter: nf_tables: reset table validation state on abort
netfilter: nf_conntrack: enable icmp clash support
netfilter: don't include xt and nftables.h in unrelated subsystems
netfilter: nf_conntrack: don't rely on implicit includes
netfilter: nft_compat: add more restrictions on netlink attributes
netfilter: xt_tcpmss: check remaining length before reading optlen
Scott Mitchell (1):
netfilter: nfnetlink_queue: nfqnl_instance GFP_ATOMIC -> GFP_KERNEL_ACCOUNT allocation
Yuto Hamaguchi (1):
netfilter: nf_conntrack: Add allow_clash to generic protocol handler
include/linux/audit.h | 1 -
.../linux/netfilter/nf_conntrack_proto_gre.h | 3 -
include/net/netfilter/nf_conntrack.h | 1 +
include/net/netfilter/nf_conntrack_count.h | 1 +
include/net/netfilter/nf_conntrack_tuple.h | 2 +-
include/net/netfilter/nf_tables.h | 1 -
net/bridge/netfilter/nf_conntrack_bridge.c | 3 +-
net/netfilter/nf_conncount.c | 30 ++++++--
net/netfilter/nf_conntrack_bpf.c | 1 +
net/netfilter/nf_conntrack_h323_main.c | 1 +
net/netfilter/nf_conntrack_netlink.c | 1 +
net/netfilter/nf_conntrack_proto_generic.c | 1 +
net/netfilter/nf_conntrack_proto_gre.c | 2 +
net/netfilter/nf_conntrack_proto_icmp.c | 1 +
net/netfilter/nf_conntrack_proto_icmpv6.c | 1 +
net/netfilter/nf_flow_table_ip.c | 2 +
net/netfilter/nf_flow_table_offload.c | 1 +
net/netfilter/nf_flow_table_path.c | 1 +
net/netfilter/nf_nat_ovs.c | 3 +
net/netfilter/nf_nat_proto.c | 1 +
net/netfilter/nf_synproxy_core.c | 1 +
net/netfilter/nf_tables_api.c | 8 ++
net/netfilter/nfnetlink_queue.c | 75 +++++++++----------
net/netfilter/nft_compat.c | 13 +++-
net/netfilter/nft_flow_offload.c | 1 +
net/netfilter/nft_synproxy.c | 1 +
net/netfilter/xt_tcpmss.c | 2 +-
net/sched/act_ct.c | 2 +
net/sched/act_ctinfo.c | 1 +
29 files changed, 102 insertions(+), 60 deletions(-)
--
2.52.0
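Item 10 and the last commit in the list ("xt_tcpmss: check remaining length before reading optlen") concern the standard hazard of walking TCP options: the option length byte must not be read unless the remaining option space actually contains it. The following is an added illustration, not code from this patch series or from the kernel's xt_tcpmss.c, of a TCP option walker that performs that check and the related length sanity checks before every read. The sample option byte strings are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP option kinds and the fixed MSS option length from RFC 9293. */
#define TCPOPT_EOL   0
#define TCPOPT_NOP   1
#define TCPOPT_MSS   2
#define TCPOLEN_MSS  4

/*
 * Walk the TCP option block opt[0..optlen) looking for the MSS option.
 * Returns 1 and stores the MSS in *mss if a well-formed MSS option was
 * found, 0 if the block ended (EOL or end of space) without one, and
 * -1 if the block is malformed (length byte missing, length < 2, or
 * option running past the end of the block).
 *
 * Every access to opt[] is preceded by a check against the remaining
 * length, so a block that ends right after an option kind byte is
 * rejected rather than read one byte past its end.
 */
static int tcp_find_mss(const uint8_t *opt, size_t optlen, uint16_t *mss)
{
    size_t i = 0;

    while (i < optlen) {
        uint8_t kind = opt[i];
        uint8_t len;

        if (kind == TCPOPT_EOL)
            return 0;
        if (kind == TCPOPT_NOP) {
            i++;                        /* single-byte option, no length */
            continue;
        }
        /* The length byte lives at opt[i + 1]; make sure it exists. */
        if (i + 1 >= optlen)
            return -1;
        len = opt[i + 1];
        /* len < 2 would stall or rewind the walk; len beyond the block
         * means the option body is truncated. */
        if (len < 2 || len > optlen - i)
            return -1;
        if (kind == TCPOPT_MSS) {
            if (len != TCPOLEN_MSS)
                return -1;
            /* len == 4 and len <= optlen - i, so opt[i + 3] is in bounds. */
            *mss = (uint16_t)(((uint16_t)opt[i + 2] << 8) | opt[i + 3]);
            return 1;
        }
        i += len;                       /* skip an option we do not care about */
    }
    return 0;
}

/* Convenience wrapper: MSS value on success, 0 if absent, -1 if malformed. */
static int mss_of(const uint8_t *opt, size_t optlen)
{
    uint16_t mss = 0;
    int rc = tcp_find_mss(opt, optlen, &mss);

    return rc == 1 ? (int)mss : rc;
}

/* Constructed sample option blocks (hypothetical, for the demo). */
static const uint8_t sample_ok[]       = { 1, 1, 2, 4, 0x05, 0xb4 }; /* NOP NOP MSS=1460 */
static const uint8_t sample_trunc[]    = { 1, 2 };                   /* MSS kind, no length byte */
static const uint8_t sample_overlong[] = { 2, 10, 0x05, 0xb4 };      /* claims 10 bytes, has 4 */
static const uint8_t sample_badlen[]   = { 2, 1 };                   /* length below minimum */
static const uint8_t sample_eol[]      = { 0, 2, 4, 0x05, 0xb4 };    /* EOL before the MSS */
static const uint8_t sample_nomss[]    = { 1, 3, 3, 7 };             /* NOP, window scale only */

int main(void)
{
    printf("ok       -> %d\n", mss_of(sample_ok, sizeof(sample_ok)));
    printf("trunc    -> %d\n", mss_of(sample_trunc, sizeof(sample_trunc)));
    printf("overlong -> %d\n", mss_of(sample_overlong, sizeof(sample_overlong)));
    printf("badlen   -> %d\n", mss_of(sample_badlen, sizeof(sample_badlen)));
    printf("eol      -> %d\n", mss_of(sample_eol, sizeof(sample_eol)));
    printf("nomss    -> %d\n", mss_of(sample_nomss, sizeof(sample_nomss)));
    return 0;
}
```

The `sample_trunc` case is the shape of input the subject line describes: an option kind byte as the last byte of the block, where reading the length byte would be one past the end. The walker refuses it instead of reading it.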