From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
	pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
	horms@kernel.org
Subject: [PATCH net-next 00/11] Netfilter/IPVS updates for net-next
Date: Sun, 14 Jun 2026 13:45:54 +0200
Message-ID: <20260614114605.474783-1-pablo@netfilter.org>

Hi,

The following patchset contains Netfilter/IPVS updates for net-next.
More specifically, this contains conncount rework to address AI-related
reports, assorted Netfilter updates and two small incremental updates on
IPVS:

1) Replace old obsolete workqueues (system_wq, system_unbound_wq)
   in IPVS, from Marco Crivellari.

2) Replace WARN_ON{_ONCE} by DEBUG_NET_WARN_ON_ONCE in nf_tables.
   In the recent years, reporters say that the use of WARN_ON{_ONCE}
   in conjunction with panic_on_warn=1 results in DoS. Let's replace
   it by DEBUG_NET_WARN_ON_ONCE so this is only exercised by test
   infrastructure and fuzzers, while also providing context to AI
   agents. From Fernando F. Mancera.

Five patches from Florian Westphal to address AI reports in the conncount
infrastructure:

3) Fix missing rcu read lock section when calling
   __ovs_ct_limit_get_zone_limit().

4) Add a dedicated lock per rbtree tree, this increases memory
   usage but it should improve scalability.

5) Add a helper function to find the rbtree node, no functional
   changes are intended.

6) Add sequence counter to detect concurrent tree modifications
   and retry lookups.

7) Add locks to GC conncount walk and address other nitpicks.

Then, several assorted updates:

8) Defensive Tree-wide addition of NULL checks for ct extensions.

9) Bail out if flowtable bypass cannot be fully set up from the
   flow offload expression, instead of lazy building a likely
   incomplete one.

10) Fix documentation for the new conn_max sysctl toggle in IPVS.

11) Add nf_dev_xmit_recursion*() helpers and use them, to address
    recent AI reports.

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-26-06-14

Thanks.

----------------------------------------------------------------

The following changes since commit 4ed4f607e1cb6041db46ca5cd3200987d7d1eff2:

  Merge tag 'batadv-next-pullrequest-20260605' of https://git.open-mesh.org/batadv (2026-06-08 15:40:55 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-26-06-14

for you to fetch changes up to 2354e975932dabb06fad239f07a3b68fd1809737:

  netfilter: nf_dup_netdev: add nf_dev_xmit_recursion*() helpers and use them (2026-06-14 13:07:03 +0200)

----------------------------------------------------------------
netfilter pull request 26-06-14

----------------------------------------------------------------
Fernando Fernandez Mancera (1):
      netfilter: nf_tables: use DEBUG_NET_WARN_ON_ONCE in packet and control paths

Florian Westphal (5):
      netfilter: nf_conncount: callers must hold rcu read lock
      netfilter: nf_conncount: use per nf_conncount_data spinlocks
      netfilter: nf_conncount: split count_tree_node rbtree walk into helper
      netfilter: nf_conncount: add sequence counter to detect tree modifications
      netfilter: nf_conncount: gc and rcu fixes

Julian Anastasov (1):
      ipvs: fix doc syntax for conn_max sysctl

Marco Crivellari (1):
      ipvs: Replace use of system_unbound_wq with system_dfl_long_wq

Pablo Neira Ayuso (3):
      netfilter: conntrack: check NULL when retrieving ct extension
      netfilter: flowtable: bail out if forward path cannot be discovered
      netfilter: nf_dup_netdev: add nf_dev_xmit_recursion*() helpers and use them

 Documentation/networking/ipvs-sysctl.rst    |  23 ++-
 include/net/netfilter/nf_conntrack_helper.h |   2 +
 include/net/netfilter/nf_dup_netdev.h       |  34 +++-
 net/ipv4/netfilter/nf_nat_h323.c            |  12 ++
 net/ipv4/netfilter/nf_nat_pptp.c            |  14 +-
 net/netfilter/ipvs/ip_vs_conn.c             |   4 +-
 net/netfilter/ipvs/ip_vs_ctl.c              |  10 +-
 net/netfilter/nf_conncount.c                | 230 +++++++++++++++++-----------
 net/netfilter/nf_conntrack_broadcast.c      |   3 +
 net/netfilter/nf_conntrack_expect.c         |  33 ++--
 net/netfilter/nf_conntrack_ftp.c            |   6 +
 net/netfilter/nf_conntrack_h323_main.c      |  18 +++
 net/netfilter/nf_conntrack_pptp.c           |   9 ++
 net/netfilter/nf_conntrack_proto_gre.c      |   9 ++
 net/netfilter/nf_conntrack_sane.c           |   3 +
 net/netfilter/nf_conntrack_seqadj.c         |  17 +-
 net/netfilter/nf_conntrack_sip.c            |  41 ++++-
 net/netfilter/nf_dup_netdev.c               |  15 +-
 net/netfilter/nf_flow_table_path.c          |  81 +++++-----
 net/netfilter/nf_nat_sip.c                  |  12 ++
 net/netfilter/nf_tables_api.c               |  38 +++--
 net/netfilter/nf_tables_core.c              |   8 +-
 net/netfilter/nf_tables_offload.c           |   2 +-
 net/netfilter/nf_tables_trace.c             |   6 +-
 net/netfilter/nfnetlink_cthelper.c          |   6 +
 net/netfilter/nft_ct.c                      |   2 +-
 net/netfilter/nft_ct_fast.c                 |   2 +-
 net/netfilter/nft_exthdr.c                  |   2 +-
 net/netfilter/nft_fib.c                     |   2 +-
 net/netfilter/nft_fwd_netdev.c              |  17 +-
 net/netfilter/nft_inner.c                   |   2 +-
 net/netfilter/nft_lookup.c                  |   2 +-
 net/netfilter/nft_masq.c                    |   2 +-
 net/netfilter/nft_meta.c                    |  10 +-
 net/netfilter/nft_payload.c                 |   6 +-
 net/netfilter/nft_redir.c                   |   2 +-
 net/netfilter/nft_reject.c                  |   8 +-
 net/netfilter/nft_rt.c                      |   2 +-
 net/netfilter/nft_set_hash.c                |   2 +-
 net/netfilter/nft_set_pipapo.c              |   2 +-
 net/netfilter/nft_set_rbtree.c              |   6 +-
 net/netfilter/nft_socket.c                  |   8 +-
 net/netfilter/nft_tunnel.c                  |   2 +-
 net/netfilter/nft_xfrm.c                    |   6 +-
 net/openvswitch/conntrack.c                 |   2 +-
 45 files changed, 494 insertions(+), 229 deletions(-)
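
The sequence-counter-and-retry lookup pattern that item 6 describes, as an added userspace model (not code from this patch series or from nf_conncount.c): a hypothetical sorted array stands in for the rbtree, the writer brackets each modification with seq_write_begin()/seq_write_end(), and the lockless reader repeats its walk whenever the counter was odd (write in flight) or changed underneath it.

```c
#include <stdatomic.h>
#include <stdbool.h>
#define MAX_NODES 16

/* Hypothetical stand-in for the per-key rbtree: a sorted array of (key, count). */
struct model_tree {
	atomic_uint seq;	/* even while stable, odd while a writer is modifying */
	int nkeys;
	int key[MAX_NODES], count[MAX_NODES];
};

/* Writer: the counter is odd while a change is in flight and even afterwards. */
static void seq_write_begin(struct model_tree *t) { atomic_fetch_add_explicit(&t->seq, 1, memory_order_release); }
static void seq_write_end(struct model_tree *t) { atomic_fetch_add_explicit(&t->seq, 1, memory_order_release); }
/* Insert keeping keys sorted: the "tree modification" a reader must notice. */
static void tree_insert(struct model_tree *t, int key, int cnt)
{
	int i = t->nkeys;
	if (i >= MAX_NODES)
		return;
	seq_write_begin(t);
	for (; i > 0 && t->key[i - 1] > key; i--) {
		t->key[i] = t->key[i - 1];
		t->count[i] = t->count[i - 1];
	}
	t->key[i] = key;
	t->count[i] = cnt;
	t->nkeys++;
	seq_write_end(t);
}

/* One lockless walk: count for key (-1 if absent); clears *stable if a writer overlapped. */
static int tree_lookup_once(struct model_tree *t, int key, bool *stable)
{
	unsigned start = atomic_load_explicit(&t->seq, memory_order_acquire);
	int v = -1;
	for (int i = 0; i < t->nkeys; i++)
		if (t->key[i] == key) { v = t->count[i]; break; }
	atomic_thread_fence(memory_order_acquire);
	*stable = !(start & 1) && atomic_load_explicit(&t->seq, memory_order_relaxed) == start;
	return v;
}

/* Retry until a walk observes a quiescent tree. */
static int tree_lookup(struct model_tree *t, int key)
{
	bool stable; int v;
	do v = tree_lookup_once(t, key, &stable); while (!stable);
	return v;
}
```

In the kernel the writer additionally holds the per-tree spinlock from item 4, so only one writer advances the counter at a time; the model leaves that out.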
