public inbox for netdev@vger.kernel.org
From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	<netfilter-devel@vger.kernel.org>,
	pablo@netfilter.org
Subject: [GIT PULL v2 net-next] netfilter: updates for net-next
Date: Wed,  8 Apr 2026 08:04:19 +0200
Message-ID: <20260408060419.25258-1-fw@strlen.de>

No changes since v1, I only dropped the last patch (13/13).  This is also
why I am not resending the individual patches again.

The following PR contains Netfilter updates for *net-next*:

1) Fix ancient sparse warnings in nf conntrack nat modules, from
   Sun Jian.
2) Fix typo in enum description, from Jelle van der Waa.
3) remove redundant refetch of netns pointer in nf_conntrack_sip.
4) add a deprecation warning for dccp match.
   We can extend the deadline later if needed, but plan atm is to
   remove the feature.
5) remove nf_conntrack_h323 debug code that can read out-of-bounds
   with malformed messages. This code was commented out, but better
   remove this.
6+7) add more netlink policy validations in netfilter.
   This could theoretically cause issues when a client sends e.g.
   unsupported feature flags that were previously ignored, so we
   may have to relax some changes. For now, try to be stricter and
   reject upfront.
8+9) minor code cleanup in nft_set_pipapo (an nftables set backend).
10) Add nftables matching support for double-tagged vlan and pppoe
    frames, from Pablo Neira Ayuso.
11) Fix up indentation of debug messages in nf_conntrack_h323 conntrack
    helper, from David Laight.
12) Add a helper to iterate to next flow action and bail out if the
    maximum number of actions is reached, also from Pablo.

Please, pull these changes from:
The following changes since commit b3e69fc3196fc421e26196e7792f17b0463edc6f:

  Merge branch 'net-pull-gso-packet-headers-in-core-stack' (2026-04-07 19:02:18 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-26-04-08

for you to fetch changes up to c6f85577584b5f8414141ae389e974b8ca6a698b:

  netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it (2026-04-08 07:51:31 +0200)

----------------------------------------------------------------
netfilter pull request nf-next-26-04-08

----------------------------------------------------------------

David Laight (1):
  netfilter: nf_conntrack_h323: Correct indentation when H323_TRACE defined

Florian Westphal (7):
  netfilter: nf_conntrack_sip: remove net variable shadowing
  netfilter: add deprecation warning for dccp support
  netfilter: nf_conntrack_h323: remove unreliable debug code in decode_octstr
  netfilter: add more netlink-based policy range checks
  netfilter: nf_tables: add netlink policy based cap on registers
  netfilter: nft_set_pipapo: increment data in one step
  netfilter: nft_set_pipapo_avx2: remove redundant loop in lookup_slow

Jelle van der Waa (1):
  netfilter: nf_tables: Fix typo in enum description

Pablo Neira Ayuso (2):
  netfilter: nft_meta: add double-tagged vlan and pppoe support
  netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use
    it

Sun Jian (1):
  netfilter: use function typedefs for __rcu NAT helper hook pointers

 include/linux/netfilter/nf_conntrack_amanda.h | 15 +++--
 include/linux/netfilter/nf_conntrack_ftp.h    | 17 +++---
 include/linux/netfilter/nf_conntrack_irc.h    | 15 +++--
 include/linux/netfilter/nf_conntrack_snmp.h   | 11 ++--
 include/linux/netfilter/nf_conntrack_tftp.h   |  9 ++-
 include/net/netfilter/nf_tables.h             |  4 ++
 include/net/netfilter/nf_tables_ipv4.h        | 17 ++++--
 include/net/netfilter/nf_tables_ipv6.h        | 16 +++--
 include/net/netfilter/nf_tables_offload.h     | 10 ++++
 include/uapi/linux/netfilter/nf_tables.h      |  6 +-
 net/netfilter/ipset/ip_set_core.c             |  2 +-
 net/netfilter/nf_conntrack_amanda.c           | 10 +---
 net/netfilter/nf_conntrack_ftp.c              | 10 +---
 net/netfilter/nf_conntrack_h323_asn1.c        | 45 ++++++--------
 net/netfilter/nf_conntrack_irc.c              | 10 +---
 net/netfilter/nf_conntrack_sip.c              |  3 +-
 net/netfilter/nf_conntrack_snmp.c             |  7 +--
 net/netfilter/nf_conntrack_tftp.c             |  7 +--
 net/netfilter/nf_dup_netdev.c                 |  5 +-
 net/netfilter/nf_tables_api.c                 | 20 +++++--
 net/netfilter/nf_tables_core.c                |  2 +-
 net/netfilter/nfnetlink_acct.c                |  2 +-
 net/netfilter/nfnetlink_cthelper.c            |  2 +-
 net/netfilter/nfnetlink_hook.c                |  2 +-
 net/netfilter/nfnetlink_log.c                 |  4 +-
 net/netfilter/nfnetlink_osf.c                 |  2 +-
 net/netfilter/nfnetlink_queue.c               |  2 +-
 net/netfilter/nft_bitwise.c                   |  6 +-
 net/netfilter/nft_byteorder.c                 |  4 +-
 net/netfilter/nft_cmp.c                       |  2 +-
 net/netfilter/nft_compat.c                    |  2 +-
 net/netfilter/nft_connlimit.c                 |  2 +-
 net/netfilter/nft_ct.c                        |  6 +-
 net/netfilter/nft_dynset.c                    |  3 +-
 net/netfilter/nft_exthdr.c                    |  9 ++-
 net/netfilter/nft_fib.c                       |  2 +-
 net/netfilter/nft_hash.c                      |  4 +-
 net/netfilter/nft_immediate.c                 |  6 +-
 net/netfilter/nft_inner.c                     |  2 +-
 net/netfilter/nft_limit.c                     |  2 +-
 net/netfilter/nft_log.c                       |  2 +-
 net/netfilter/nft_lookup.c                    |  4 +-
 net/netfilter/nft_meta.c                      | 58 ++++++++++++++++++-
 net/netfilter/nft_numgen.c                    |  2 +-
 net/netfilter/nft_objref.c                    |  2 +-
 net/netfilter/nft_osf.c                       |  4 +-
 net/netfilter/nft_payload.c                   |  8 +--
 net/netfilter/nft_queue.c                     |  2 +-
 net/netfilter/nft_quota.c                     |  2 +-
 net/netfilter/nft_range.c                     |  2 +-
 net/netfilter/nft_rt.c                        |  2 +-
 net/netfilter/nft_set_pipapo.c                |  4 +-
 net/netfilter/nft_set_pipapo.h                |  3 -
 net/netfilter/nft_set_pipapo_avx2.c           | 32 +++-------
 net/netfilter/nft_socket.c                    |  2 +-
 net/netfilter/nft_synproxy.c                  |  4 +-
 net/netfilter/nft_tunnel.c                    |  6 +-
 net/netfilter/nft_xfrm.c                      |  6 +-
 net/netfilter/xt_dccp.c                       |  3 +
 59 files changed, 262 insertions(+), 191 deletions(-)

-- 
2.52.0
