From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>,
pablo@netfilter.org
Subject: [PATCH net-next 00/13] netfilter: updates for net-next
Date: Tue, 7 Apr 2026 16:15:27 +0200
Message-ID: <20260407141540.11549-1-fw@strlen.de>
Hi,
The following patchset contains Netfilter fixes for *net-next*:
1) Fix ancient sparse warnings in nf conntrack nat modules, from
Sun Jian.
2) Fix typo in enum description, from Jelle van der Waa.
3) remove redundant refetch of netns pointer in nf_conntrack_sip.
4) add a deprecation warning for dccp match.
We can extend the deadline later if needed, but plan atm is to
remove the feature.
5) remove nf_conntrack_h323 debug code that can read out-of-bounds
with malformed messages. This code was commented out, but better
remove this.
6+7) add more netlink policy validations in netfilter.
This could theoretically cause issues when a client sends e.g.
unsupported feature flags that were previously ignored, so we
may have to relax some changes. For now, try to be stricter and
reject upfront.
8+9) minor code cleanup in nft_set_pipapo (an nftables set backend).
10) Add nftables matching support for double-tagged vlan and pppoe
frames, from Pablo Neira Ayuso.
11) Fix up indentation of debug messages in nf_conntrack_h323 conntrack
helper, from David Laight.
12) Add a helper to iterate to next flow action and bail out if the
maximum number of actions is reached, also from Pablo.
13) Impose more restrictions on expectations attached via ctnetlink
control plane by restricting this based on the helper attached to
the master conntrack, also from Pablo Neira Ayuso.
Please, pull these changes from:
The following changes since commit 97a8355b6a715c79c090b906894e12dc3934b3fe:
Merge branch 'net-mlx5e-xdp-add-support-for-multi-packet-per-page' (2026-04-07 13:34:08 +0200)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-26-04-07
for you to fetch changes up to ead9479042e7349e3deab204add7b7ccebe20429:
netfilter: ctnetlink: restrict expectfn to helper (2026-04-07 15:48:16 +0200)
----------------------------------------------------------------
netfilter pull request nf-next-26-04-07
----------------------------------------------------------------
David Laight (1):
netfilter: nf_conntrack_h323: Correct indentation when H323_TRACE
defined
Florian Westphal (7):
netfilter: nf_conntrack_sip: remove net variable shadowing
netfilter: add deprecation warning for dccp support
netfilter: nf_conntrack_h323: remove unreliable debug code in
decode_octstr
netfilter: add more netlink-based policy range checks
netfilter: nf_tables: add netlink policy based cap on registers
netfilter: nft_set_pipapo: increment data in one step
netfilter: nft_set_pipapo_avx2: remove redundant loop in lookup_slow
Jelle van der Waa (1):
netfilter: nf_tables: Fix typo in enum description
Pablo Neira Ayuso (3):
netfilter: nft_meta: add double-tagged vlan and pppoe support
netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use
it
netfilter: ctnetlink: restrict expectfn to helper
Sun Jian (1):
netfilter: use function typedefs for __rcu NAT helper hook pointers
include/linux/netfilter/nf_conntrack_amanda.h | 15 +++--
include/linux/netfilter/nf_conntrack_ftp.h | 17 +++---
include/linux/netfilter/nf_conntrack_irc.h | 15 +++--
include/linux/netfilter/nf_conntrack_snmp.h | 11 ++--
include/linux/netfilter/nf_conntrack_tftp.h | 9 ++-
include/net/netfilter/nf_conntrack_helper.h | 3 +-
include/net/netfilter/nf_tables.h | 4 ++
include/net/netfilter/nf_tables_ipv4.h | 17 ++++--
include/net/netfilter/nf_tables_ipv6.h | 16 +++--
include/net/netfilter/nf_tables_offload.h | 10 ++++
include/uapi/linux/netfilter/nf_tables.h | 6 +-
net/ipv4/netfilter/nf_nat_h323.c | 2 +
net/netfilter/ipset/ip_set_core.c | 2 +-
net/netfilter/nf_conntrack_amanda.c | 10 +---
net/netfilter/nf_conntrack_ftp.c | 10 +---
net/netfilter/nf_conntrack_h323_asn1.c | 45 ++++++--------
net/netfilter/nf_conntrack_helper.c | 5 +-
net/netfilter/nf_conntrack_irc.c | 10 +---
net/netfilter/nf_conntrack_netlink.c | 2 +-
net/netfilter/nf_conntrack_sip.c | 3 +-
net/netfilter/nf_conntrack_snmp.c | 7 +--
net/netfilter/nf_conntrack_tftp.c | 7 +--
net/netfilter/nf_dup_netdev.c | 5 +-
net/netfilter/nf_nat_sip.c | 1 +
net/netfilter/nf_tables_api.c | 20 +++++--
net/netfilter/nf_tables_core.c | 2 +-
net/netfilter/nfnetlink_acct.c | 2 +-
net/netfilter/nfnetlink_cthelper.c | 2 +-
net/netfilter/nfnetlink_hook.c | 2 +-
net/netfilter/nfnetlink_log.c | 4 +-
net/netfilter/nfnetlink_osf.c | 2 +-
net/netfilter/nfnetlink_queue.c | 2 +-
net/netfilter/nft_bitwise.c | 6 +-
net/netfilter/nft_byteorder.c | 4 +-
net/netfilter/nft_cmp.c | 2 +-
net/netfilter/nft_compat.c | 2 +-
net/netfilter/nft_connlimit.c | 2 +-
net/netfilter/nft_ct.c | 6 +-
net/netfilter/nft_dynset.c | 3 +-
net/netfilter/nft_exthdr.c | 9 ++-
net/netfilter/nft_fib.c | 2 +-
net/netfilter/nft_hash.c | 4 +-
net/netfilter/nft_immediate.c | 6 +-
net/netfilter/nft_inner.c | 2 +-
net/netfilter/nft_limit.c | 2 +-
net/netfilter/nft_log.c | 2 +-
net/netfilter/nft_lookup.c | 4 +-
net/netfilter/nft_meta.c | 58 ++++++++++++++++++-
net/netfilter/nft_numgen.c | 2 +-
net/netfilter/nft_objref.c | 2 +-
net/netfilter/nft_osf.c | 4 +-
net/netfilter/nft_payload.c | 8 +--
net/netfilter/nft_queue.c | 2 +-
net/netfilter/nft_quota.c | 2 +-
net/netfilter/nft_range.c | 2 +-
net/netfilter/nft_rt.c | 2 +-
net/netfilter/nft_set_pipapo.c | 4 +-
net/netfilter/nft_set_pipapo.h | 3 -
net/netfilter/nft_set_pipapo_avx2.c | 32 +++-------
net/netfilter/nft_socket.c | 2 +-
net/netfilter/nft_synproxy.c | 4 +-
net/netfilter/nft_tunnel.c | 6 +-
net/netfilter/nft_xfrm.c | 6 +-
net/netfilter/xt_dccp.c | 3 +
64 files changed, 271 insertions(+), 195 deletions(-)
--
2.52.0