public inbox for netdev@vger.kernel.org
From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	<netfilter-devel@vger.kernel.org>,
	pablo@netfilter.org
Subject: [PATCH net-next 00/11] netfilter: updates for net-next
Date: Fri, 10 Apr 2026 13:23:41 +0200
Message-ID: <20260410112352.23599-1-fw@strlen.de>

Hi,

The following patchset contains Netfilter updates for *net-next*:

1-3) IPVS updates from Julian Anastasov to enhance visibility into
     IPVS internal state by exposing hash size, load factor etc. and
     to allow userspace to tune the load factor used for resizing hash
     tables.

4) reject empty/not nul terminated device names from xt_physdev.
   This isn't a bug fix; existing code doesn't require a c-string.
   But clean this up anyway because conceptually the interface name
   definitely should be a c-string.

5) Switch nfnetlink to skb_mac_header helpers that didn't exist back
   when this code was written.  This gives us additional debug checks
   but is not intended to change functionality.

6) Let the xt ttl/hoplimit match reject unknown operator modes.
   This is a cleanup, the evaluation function simply returns false when
   the mode is out of range.  From Marino Dzalto.

7) xt_socket match should enable defrag after all other checks. This
   bug is harmless, historically defrag could not be disabled either
   except by rmmod.

8) remove UDP-Lite conntrack support, from Fernando Fernandez Mancera.

9) Avoid a couple -Wflex-array-member-not-at-end warnings in the old
   xtables 32bit compat code, from Gustavo A. R. Silva.

10) nftables fwd expression should drop packets when their ttl/hl has
    expired.  This is a bug fix deferred, it's not deemed important
    enough for -rc8.

11) Add additional checks before assuming the mac header is an ethernet
    header, from Zhengchuan Liang.


Please, pull these changes from:
The following changes since commit 42f9b4c6ef19e71d2c7d9bfd3c5037d4fe434ad7:

  tools: ynl: tests: fix leading space on Makefile target (2026-04-09 20:41:40 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-26-04-10

for you to fetch changes up to 62443dc21114c0bbc476fa62973db89743f2f137:

  netfilter: require Ethernet MAC header before using eth_hdr() (2026-04-10 12:16:27 +0200)

----------------------------------------------------------------
netfilter pull request nf-next-26-04-10

----------------------------------------------------------------

Fernando Fernandez Mancera (1):
  netfilter: conntrack: remove UDP-Lite conntrack support

Florian Westphal (4):
  netfilter: x_physdev: reject empty or not-nul terminated device names
  netfilter: nfnetlink: prefer skb_mac_header helpers
  netfilter: xt_socket: enable defrag after all other checks
  netfilter: nft_fwd_netdev: check ttl/hl before forwarding

Gustavo A. R. Silva (1):
  netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings

Julian Anastasov (3):
  ipvs: show the current conn_tab size to users
  ipvs: add ip_vs_status info
  ipvs: add conn_lfactor and svc_lfactor sysctl vars

Marino Dzalto (1):
  netfilter: xt_HL: add pr_fmt and checkentry validation

Zhengchuan Liang (1):
  netfilter: require Ethernet MAC header before using eth_hdr()

 Documentation/networking/ipvs-sysctl.rst      |  37 +++
 .../net/netfilter/ipv4/nf_conntrack_ipv4.h    |   3 -
 include/net/netfilter/nf_conntrack_l4proto.h  |   7 -
 net/ipv6/netfilter/ip6t_eui64.c               |   7 +-
 net/netfilter/Kconfig                         |  11 -
 net/netfilter/ipset/ip_set_bitmap_ipmac.c     |   5 +-
 net/netfilter/ipset/ip_set_hash_ipmac.c       |   9 +-
 net/netfilter/ipset/ip_set_hash_mac.c         |   5 +-
 net/netfilter/ipvs/ip_vs_ctl.c                | 247 +++++++++++++++++-
 net/netfilter/nf_conntrack_core.c             |   8 -
 net/netfilter/nf_conntrack_proto.c            |   3 -
 net/netfilter/nf_conntrack_proto_udp.c        | 108 --------
 net/netfilter/nf_conntrack_standalone.c       |   2 -
 net/netfilter/nf_log_syslog.c                 |   8 +-
 net/netfilter/nf_nat_core.c                   |   6 -
 net/netfilter/nf_nat_proto.c                  |  20 --
 net/netfilter/nfnetlink_cttimeout.c           |   1 -
 net/netfilter/nfnetlink_log.c                 |  19 +-
 net/netfilter/nfnetlink_queue.c               |  25 +-
 net/netfilter/nft_ct.c                        |   1 -
 net/netfilter/nft_fwd_netdev.c                |  10 +
 net/netfilter/x_tables.c                      |  12 +-
 net/netfilter/xt_hl.c                         |  27 ++
 net/netfilter/xt_mac.c                        |   4 +-
 net/netfilter/xt_physdev.c                    |  22 ++
 net/netfilter/xt_socket.c                     |  23 +-
 26 files changed, 399 insertions(+), 231 deletions(-)

-- 
2.52.0

