* [PATCH net-next 00/12] netfilter: updates for net-next
@ 2026-07-02 10:49 Florian Westphal
  2026-07-02 10:49 ` [PATCH net-next 01/12] netfilter: nfnetlink_hook: Dump nat type chains Florian Westphal
                   ` (12 more replies)
  0 siblings, 13 replies; 16+ messages in thread
From: Florian Westphal @ 2026-07-02 10:49 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, pablo

Hi,

The following patchset contains Netfilter updates for *net-next*.

1) Update nfnetlink_hook to dump the individual NAT type chains
instead of the nat base chains to userspace. From Phil Sutter.

2) Replace strlcpy/strlcat() with snprintf() in x_tables, from Ian Bridges.

3) Start replacing u_int8_t and u_int16_t with u8 and u16 in netfilter.
From Carlos Grillet.

4) Replace strcpy() with strscpy() in netfilter, from David Laight.

5) Remove redundant NULL check before kvfree().

6) Add parameter validation to xt_tcpmss. Ensure mss_min <= mss_max and
invert <= 1.  From Feng Wu.

7) Add checkentry for xt_dscp 'tos' match. Implement tos_mt_check() to reject
invalid invert values.  Also from Feng Wu.

8) Stop hashing nf_conntrack_helper by tuple. Switch to hashing by name and
L4 protocol.

9) Remove tuples from conntrack helper definitions and port usage from
broadcast helpers. Add netlink policy validation to prevent protocol
number truncation.

10) Remove obsolete netfilter conntrack module parameters.

11) Bound num_counters in ebtables: do_replace() by MAX_EBT_ENTRIES to prevent
oversized vmalloc_array() allocations.  From Jiayuan Chen.

12) Make expectations created via nft_ct rules work with NAT.

Please pull these changes from:

The following changes since commit b8ea7da314c2efcb9c2f559ed65b7a36c869d68e:

  net: dsa: qca8k: fall back to ethernet-ports node name for LEDs (2026-07-02 11:48:25 +0200)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-26-07-02

for you to fetch changes up to d4beefc90a66672e43fdf82b43e4b3c0b1b18c5e:

  netfilter: nft_ct: support expectation creation for natted flows (2026-07-02 12:17:14 +0200)

----------------------------------------------------------------
netfilter pull request nf-next-26-07-02
----------------------------------------------------------------

Carlos Grillet (1):
  netfilter: replace u_int8_t and u_int16t with u8 and u16

David Laight (1):
  netfilter: avoid strcpy usage

Feng Wu (2):
  netfilter: xt_tcpmss: add checkentry for parameter validation
  netfilter: xt_dscp: add checkentry for tos match

Florian Westphal (4):
  netfilter: nf_conntrack_helper: do not hash by tuple
  netfilter: conntrack: get rid of tuple in helper definitions
  netfilter: conntrack: remove obsolete module parameters
  netfilter: nft_ct: support expectation creation for natted flows

Ian Bridges (1):
  netfilter: x_tables: replace strlcat() with snprintf()

Jiayuan Chen (1):
  netfilter: ebtables: bound num_counters like nentries in do_replace()

Phil Sutter (1):
  netfilter: nfnetlink_hook: Dump nat type chains

Subasri S (1):
  netfilter: remove redundant null check before kvfree()

 include/linux/netfilter.h                   |  7 ++
 include/linux/netfilter/nf_conntrack_h323.h |  2 -
 include/linux/netfilter/nf_conntrack_pptp.h |  2 -
 include/linux/netfilter/nf_conntrack_sane.h |  2 -
 include/linux/netfilter/nf_conntrack_tftp.h |  2 -
 include/net/ip_vs.h                         |  2 +-
 include/net/netfilter/nf_conntrack_helper.h | 10 ++-
 net/bridge/netfilter/ebtables.c             | 12 ++--
 net/ipv4/netfilter/nf_nat_snmp_basic_main.c |  2 +-
 net/netfilter/ipvs/ip_vs_nfct.c             |  2 +-
 net/netfilter/nf_conntrack_amanda.c         |  6 +-
 net/netfilter/nf_conntrack_broadcast.c      |  2 -
 net/netfilter/nf_conntrack_ftp.c            | 32 +++------
 net/netfilter/nf_conntrack_h323_main.c      | 12 ++--
 net/netfilter/nf_conntrack_helper.c         | 77 +++++++++------------
 net/netfilter/nf_conntrack_irc.c            | 27 +++-----
 net/netfilter/nf_conntrack_netbios_ns.c     |  2 -
 net/netfilter/nf_conntrack_ovs.c            |  6 +-
 net/netfilter/nf_conntrack_pptp.c           |  2 +-
 net/netfilter/nf_conntrack_sane.c           | 34 +++------
 net/netfilter/nf_conntrack_sip.c            | 45 ++++--------
 net/netfilter/nf_conntrack_snmp.c           |  4 +-
 net/netfilter/nf_conntrack_tftp.c           | 33 +++------
 net/netfilter/nf_nat_core.c                 |  6 --
 net/netfilter/nf_nat_proto.c                |  8 +++
 net/netfilter/nfnetlink_cthelper.c          | 21 +++---
 net/netfilter/nfnetlink_cttimeout.c         |  2 +-
 net/netfilter/nfnetlink_hook.c              | 37 ++++++++--
 net/netfilter/nft_ct.c                      | 35 ++++++++++
 net/netfilter/nft_set_rbtree.c              |  3 +-
 net/netfilter/x_tables.c                    | 30 +++-----
 net/netfilter/xt_TCPOPTSTRIP.c              |  8 +--
 net/netfilter/xt_dscp.c                     | 12 ++++
 net/netfilter/xt_recent.c                   |  2 +-
 net/netfilter/xt_tcpmss.c                   | 13 ++++
 net/sched/act_ct.c                          |  4 +-
 36 files changed, 246 insertions(+), 260 deletions(-)

-- 
2.54.0
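As an added example, not code from this patch series or from the kernel tree: a user-space C model of the two input-validation changes described in items 6 and 11 of the cover letter above, a checkentry-style check for the xt_tcpmss match data and a bound on a user-controlled element count before it is multiplied into an allocation size. The struct layout mirrors the UAPI xt_tcpmss_mtinfo; the function names, the return convention and the DEMO_MAX_EBT_ENTRIES value are placeholders for this demo, not the kernel's constants or its actual implementation.

```c
/* Added example (not kernel code): user-space model of the checkentry
 * validation and allocation bounding described in the cover letter.
 * The ebtables limit below is a placeholder for this demo, not the
 * value of MAX_EBT_ENTRIES. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* Same layout as include/uapi/linux/netfilter/xt_tcpmss.h */
struct xt_tcpmss_mtinfo {
	uint16_t mss_min, mss_max;
	uint8_t invert;
};

/* Model of a match checkentry hook: reject userspace-supplied match data
 * that the packet-path code would otherwise trust. Returns 0 or -EINVAL. */
static int tcpmss_mt_check(const struct xt_tcpmss_mtinfo *info)
{
	/* An empty or inverted range can never match sensibly */
	if (info->mss_min > info->mss_max)
		return -EINVAL;
	/* invert is used as a boolean flag; anything but 0/1 is garbage */
	if (info->invert > 1)
		return -EINVAL;
	return 0;
}

/* Shape of an ebtables counter: packet count + byte count */
struct ebt_counter { uint64_t pcnt, bcnt; };

/* Placeholder cap (assumption for this demo, not the kernel's constant) */
#define DEMO_MAX_EBT_ENTRIES 4096u

/* Model of the do_replace() bounding: a user-controlled count is capped
 * before it becomes an allocation size, so a caller cannot request an
 * enormous vmalloc. Returns the byte count, or a negative errno. */
static long ebt_counters_bytes(uint32_t num_counters)
{
	size_t bytes;

	if (num_counters > DEMO_MAX_EBT_ENTRIES)
		return -ENOMEM;
	/* Overflow-checked multiply, the same idea as the kernel's array_size() */
	if (__builtin_mul_overflow((size_t)num_counters,
				   sizeof(struct ebt_counter), &bytes))
		return -ENOMEM;
	return (long)bytes;
}

int main(void)
{
	struct xt_tcpmss_mtinfo ok  = { .mss_min = 536,  .mss_max = 1460, .invert = 0 };
	struct xt_tcpmss_mtinfo bad = { .mss_min = 1460, .mss_max = 536,  .invert = 0 };
	struct xt_tcpmss_mtinfo inv = { .mss_min = 536,  .mss_max = 1460, .invert = 2 };

	printf("tcpmss check (valid):      %d\n", tcpmss_mt_check(&ok));
	printf("tcpmss check (min > max):  %d\n", tcpmss_mt_check(&bad));
	printf("tcpmss check (invert = 2): %d\n", tcpmss_mt_check(&inv));
	printf("counter bytes for 100:        %ld\n", ebt_counters_bytes(100));
	printf("counter bytes for 0xffffffff: %ld\n", ebt_counters_bytes(0xffffffffu));
	return 0;
}
```

The point both checks share is that the values arrive from a setsockopt() or netlink payload and are only validated once, at rule insertion time; the packet path then relies on those invariants without re-checking them, so the checkentry is the only place where a malformed mss range, a non-boolean invert byte or an oversized counter count can be rejected.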


* [PATCH net-next 00/12] netfilter updates for net-next
@ 2024-02-21 11:26 Florian Westphal
  0 siblings, 0 replies; 16+ messages in thread
From: Florian Westphal @ 2024-02-21 11:26 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel

This pull request contains updates for your *net-next* tree:

1. Prefer KMEM_CACHE() macro to create kmem caches, from Kunwu Chan.

Patches 2 and 3 consolidate nf_log NULL checks and introduce
extra boundary checks on family and type to make it clear that no out
of bounds access will happen.  No in-tree user currently passes such
values, but that's not clear from looking at the function.
From Pablo Neira Ayuso.

Patch 4, also from Pablo, gets rid of unneeded conditional in
nft_osf init function.

Patch 5, from myself, fixes erroneous Kconfig dependencies that
came in an earlier net-next pull request. This should get rid
of the xtables related build failure reports.

Patches 6 to 10 are an update to nftables' concatenated-ranges
set type to speed up element insertions.  This series also
compacts a few data structures and cleans up a few oddities such
as reliance on ZERO_SIZE_PTR when asking to allocate a set with
no elements. From myself.

Patch 11 moves the nf_reinject function from the netfilter core
(vmlinux) into the nfnetlink_queue backend, the only location where
this is called from. Also from myself.

Patch 12, from Kees Cook, switches xtables' compat layer to use
unsafe_memcpy because xt_entry_target cannot easily get converted
to a real flexible array (it's UAPI and used inside other structs).

The following changes since commit b0117d136bb9e4a1facb7ce354e0580dde876f6b:

  Merge branch 'net-constify-device_type' (2024-02-21 09:45:24 +0000)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-24-02-21

for you to fetch changes up to 26f4dac11775a1ca24e2605cb30e828d4dbdea93:

  netfilter: x_tables: Use unsafe_memcpy() for 0-sized destination (2024-02-21 12:03:22 +0100)

----------------------------------------------------------------
netfilter pr 2024-21-02

----------------------------------------------------------------
Florian Westphal (7):
      netfilter: xtables: fix up kconfig dependencies
      netfilter: nft_set_pipapo: constify lookup fn args where possible
      netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR
      netfilter: nft_set_pipapo: shrink data structures
      netfilter: nft_set_pipapo: speed up bulk element insertions
      netfilter: nft_set_pipapo: use GFP_KERNEL for insertions
      netfilter: move nf_reinject into nfnetlink_queue modules

Kees Cook (1):
      netfilter: x_tables: Use unsafe_memcpy() for 0-sized destination

Kunwu Chan (1):
      netfilter: expect: Simplify the allocation of slab caches in nf_conntrack_expect_init

Pablo Neira Ayuso (3):
      netfilter: nf_log: consolidate check for NULL logger in lookup function
      netfilter: nf_log: validate nf_logger_find_get()
      netfilter: nft_osf: simplify init path

 include/linux/netfilter.h           |   1 -
 include/net/netfilter/nf_queue.h    |   1 -
 net/ipv4/netfilter/Kconfig          |   3 +-
 net/netfilter/nf_conntrack_expect.c |   4 +-
 net/netfilter/nf_log.c              |   9 +-
 net/netfilter/nf_queue.c            | 106 --------------------
 net/netfilter/nfnetlink_queue.c     | 142 ++++++++++++++++++++++++++
 net/netfilter/nft_osf.c             |  11 +-
 net/netfilter/nft_set_pipapo.c      | 193 ++++++++++++++++++++++++++----------
 net/netfilter/nft_set_pipapo.h      |  37 +++----
 net/netfilter/nft_set_pipapo_avx2.c |  59 ++++++-----
 net/netfilter/utils.c               |  37 -------
 net/netfilter/x_tables.c            |   3 +-
 13 files changed, 346 insertions(+), 260 deletions(-)


Thread overview: 16+ messages
2026-07-02 10:49 [PATCH net-next 00/12] netfilter: updates for net-next Florian Westphal
2026-07-02 10:49 ` [PATCH net-next 01/12] netfilter: nfnetlink_hook: Dump nat type chains Florian Westphal
2026-07-03 20:10   ` patchwork-bot+netdevbpf
2026-07-02 10:49 ` [PATCH net-next 02/12] netfilter: x_tables: replace strlcat() with snprintf() Florian Westphal
2026-07-02 10:49 ` [PATCH net-next 03/12] netfilter: replace u_int8_t and u_int16t with u8 and u16 Florian Westphal
2026-07-02 10:49 ` [PATCH net-next 04/12] netfilter: avoid strcpy usage Florian Westphal
2026-07-02 10:49 ` [PATCH net-next 05/12] netfilter: remove redundant null check before kvfree() Florian Westphal
2026-07-02 10:49 ` [PATCH net-next 06/12] netfilter: xt_tcpmss: add checkentry for parameter validation Florian Westphal
2026-07-02 10:49 ` [PATCH net-next 07/12] netfilter: xt_dscp: add checkentry for tos match Florian Westphal
2026-07-02 10:49 ` [PATCH net-next 08/12] netfilter: nf_conntrack_helper: do not hash by tuple Florian Westphal
2026-07-02 10:50 ` [PATCH net-next 09/12] netfilter: conntrack: get rid of tuple in helper definitions Florian Westphal
2026-07-02 10:50 ` [PATCH net-next 10/12] netfilter: conntrack: remove obsolete module parameters Florian Westphal
2026-07-02 10:50 ` [PATCH net-next 11/12] netfilter: ebtables: bound num_counters like nentries in do_replace() Florian Westphal
2026-07-02 10:50 ` [PATCH net-next 12/12] netfilter: nft_ct: support expectation creation for natted flows Florian Westphal
2026-07-03 19:59 ` [PATCH net-next 00/12] netfilter: updates for net-next Paolo Abeni