From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>,
pablo@netfilter.org
Subject: [PATCH net-next 0/9] netfilter: updates for net-next
Date: Tue, 24 Feb 2026 21:50:39 +0100
Message-ID: <20260224205048.4718-1-fw@strlen.de>
Hi,
The following patchset contains Netfilter fixes for *net-next*,
including IPVS updates from and via Julian Anastasov.
First updates for IPVS. From Julian's cover-letter:
* Convert the global __ip_vs_mutex to per-net service_mutex and
switch the service tables to be per-net, cowork by Jiejian Wu and
Dust Li
* Convert some code that walks the service lists to use RCU instead of
the service_mutex
* We used two tables for services (non-fwmark and fwmark), merge them
into single svc_table
* The list for unavailable destinations (dest_trash) holds dsts and
thus dev references causing extra work for the ip_vs_dst_event() dev
notifier handler. Change this by dropping the reference when dest
is removed and saved into dest_trash. The dest_trash will need more
changes to make it light for lookups. TODO.
* On new connection we can do multiple lookups for services by trying
different fallback options. Add more counters for service types, so
that we can avoid unneeded lookups for services.
* The no_cport and dropentry counters can be per-net and also we can
avoid extra conn lookups
Then, a few cleanups for nf_tables:
* keep BH enabled during nft_set_rbtree inserts, this is possible because the
root lock is now only taken from control plane.
* toss a few EXPORT_SYMBOLs from nf_tables; these were historic
leftovers from back in the day when e.g. set backends were still
residing in their own modules.
* remove the register tracking infra from nftables. It was disabled
years ago in 5.18 and there are no plans to salvage this work; the
idea was good (remove redundant register stores), but there is just
one too many pitfalls, and better rule structuring (verdict maps)
largely avoids the scenarios where this would have helped.
Florian Westphal (3):
netfilter: nft_set_rbtree: don't disable bh when acquiring tree lock
netfilter: nf_tables: drop obsolete EXPORT_SYMBOLs
netfilter: nf_tables: remove register tracking infrastructure
Jiejian Wu (1):
ipvs: make ip_vs_svc_table and ip_vs_svc_fwm_table per netns
Julian Anastasov (5):
ipvs: some service readers can use RCU
ipvs: use single svc table
ipvs: do not keep dest_dst after dest is removed
ipvs: use more counters to avoid service lookups
ipvs: no_cport and dropentry counters can be per-net
include/net/ip_vs.h | 39 ++-
include/net/netfilter/nf_tables.h | 32 --
include/net/netfilter/nft_fib.h | 2 -
include/net/netfilter/nft_meta.h | 3 -
net/bridge/netfilter/nft_meta_bridge.c | 20 --
net/bridge/netfilter/nft_reject_bridge.c | 1 -
net/ipv4/netfilter/nft_dup_ipv4.c | 1 -
net/ipv4/netfilter/nft_fib_ipv4.c | 2 -
net/ipv4/netfilter/nft_reject_ipv4.c | 1 -
net/ipv6/netfilter/nft_dup_ipv6.c | 1 -
net/ipv6/netfilter/nft_fib_ipv6.c | 2 -
net/ipv6/netfilter/nft_reject_ipv6.c | 1 -
net/netfilter/ipvs/ip_vs_conn.c | 64 ++--
net/netfilter/ipvs/ip_vs_core.c | 2 +-
net/netfilter/ipvs/ip_vs_ctl.c | 368 ++++++++---------------
net/netfilter/ipvs/ip_vs_est.c | 18 +-
net/netfilter/ipvs/ip_vs_xmit.c | 12 +-
net/netfilter/nf_tables_api.c | 78 -----
net/netfilter/nft_bitwise.c | 104 -------
net/netfilter/nft_byteorder.c | 11 -
net/netfilter/nft_cmp.c | 3 -
net/netfilter/nft_compat.c | 10 -
net/netfilter/nft_connlimit.c | 1 -
net/netfilter/nft_counter.c | 1 -
net/netfilter/nft_ct.c | 46 ---
net/netfilter/nft_dup_netdev.c | 1 -
net/netfilter/nft_dynset.c | 1 -
net/netfilter/nft_exthdr.c | 34 ---
net/netfilter/nft_fib.c | 42 ---
net/netfilter/nft_fib_inet.c | 1 -
net/netfilter/nft_fib_netdev.c | 1 -
net/netfilter/nft_flow_offload.c | 1 -
net/netfilter/nft_fwd_netdev.c | 2 -
net/netfilter/nft_hash.c | 36 ---
net/netfilter/nft_immediate.c | 12 -
net/netfilter/nft_last.c | 1 -
net/netfilter/nft_limit.c | 2 -
net/netfilter/nft_log.c | 1 -
net/netfilter/nft_lookup.c | 12 -
net/netfilter/nft_masq.c | 3 -
net/netfilter/nft_meta.c | 45 ---
net/netfilter/nft_nat.c | 2 -
net/netfilter/nft_numgen.c | 22 --
net/netfilter/nft_objref.c | 2 -
net/netfilter/nft_osf.c | 25 --
net/netfilter/nft_payload.c | 47 ---
net/netfilter/nft_queue.c | 2 -
net/netfilter/nft_quota.c | 1 -
net/netfilter/nft_range.c | 1 -
net/netfilter/nft_redir.c | 3 -
net/netfilter/nft_reject_inet.c | 1 -
net/netfilter/nft_reject_netdev.c | 1 -
net/netfilter/nft_rt.c | 1 -
net/netfilter/nft_set_rbtree.c | 23 +-
net/netfilter/nft_socket.c | 26 --
net/netfilter/nft_synproxy.c | 1 -
net/netfilter/nft_tproxy.c | 1 -
net/netfilter/nft_tunnel.c | 26 --
net/netfilter/nft_xfrm.c | 27 --
59 files changed, 221 insertions(+), 1009 deletions(-)
--
2.52.0