* [PATCH net 0/3] Netfilter fixes for net
@ 2021-01-03 19:29 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-01-03 19:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi Jakub, David,
The following patchset contains Netfilter fixes for net:
1) Missing sanitization of the rateest userspace string, a bug that has been
triggered by syzbot; patch from Florian Westphal.
2) Report EOPNOTSUPP on missing set features in nft_dynset, otherwise
error reporting to userspace via EINVAL is misleading since this is
reserved for malformed netlink requests.
3) New binaries with old kernels might silently accept several set
element expressions. New binaries set the NFT_SET_EXPR and
NFT_DYNSET_F_EXPR flags to request several expressions per
element, hence old kernels which do not support this bail out
with EOPNOTSUPP.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
P.S: Best wishes for 2021.
----------------------------------------------------------------
The following changes since commit 1f45dc22066797479072978feeada0852502e180:
ibmvnic: continue fatal error reset after passive init (2020-12-23 12:56:10 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to b4e70d8dd9ea6bd5d5fb3122586f652326ca09cd:
netfilter: nftables: add set expression flags (2020-12-28 10:50:26 +0100)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: xt_RATEEST: reject non-null terminated string from userspace
Pablo Neira Ayuso (2):
netfilter: nft_dynset: report EOPNOTSUPP on missing set feature
netfilter: nftables: add set expression flags
include/uapi/linux/netfilter/nf_tables.h | 3 +++
net/netfilter/nf_tables_api.c | 6 +++++-
net/netfilter/nft_dynset.c | 15 ++++++++++-----
net/netfilter/xt_RATEEST.c | 3 +++
4 files changed, 21 insertions(+), 6 deletions(-)
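Item 1 above concerns a userspace-supplied string that was used without a termination check. The following C is an added example, not the page's or the kernel's own code, showing the defensive check a fixed-size name field copied from userspace needs before any string function touches it; the struct layout, field size and function names are assumptions chosen to mirror the xt_RATEEST item.

```c
/* Added example, not code from the Netfilter patch: how a fixed-size
 * name field copied from userspace is checked for NUL termination
 * before it is used as a C string.  The struct layout, field size and
 * function names are assumptions chosen to mirror the xt_RATEEST item,
 * not the kernel's definitions. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define RATEEST_NAME_LEN 16   /* assumed size of the fixed name field */

struct rateest_target_info {          /* assumed userspace-facing layout */
	char name[RATEEST_NAME_LEN];      /* may arrive without a NUL byte */
	unsigned int interval;
};

/* Bounded length: never reads beyond max bytes, so an unterminated
 * field is reported as max rather than scanning into the next field. */
static size_t bounded_len(const char *s, size_t max)
{
	size_t n = 0;

	while (n < max && s[n] != '\0')
		n++;
	return n;
}

/* Reject names that are empty or not NUL-terminated within the field.
 * Only after this check may strlen()/strcpy()-style calls touch name. */
static int validate_rateest_name(const struct rateest_target_info *info)
{
	size_t len = bounded_len(info->name, sizeof(info->name));

	if (len == 0)
		return -EINVAL;
	if (len >= sizeof(info->name))
		return -ENAMETOOLONG;
	return 0;
}

/* Copy the validated name into a kernel-side buffer that is always
 * terminated; returns the validation error if the input is bad. */
static int copy_rateest_name(char *dst, size_t dstlen,
			     const struct rateest_target_info *info)
{
	int err = validate_rateest_name(info);
	size_t len;

	if (err)
		return err;
	len = bounded_len(info->name, sizeof(info->name));
	if (dstlen <= len)
		return -ENAMETOOLONG;
	memcpy(dst, info->name, len + 1);   /* len + 1 includes the NUL */
	return 0;
}

/* Constructed sample standing in for what userspace might send:
 * raw bytes are copied into the field with no NUL added by us. */
static int check_sample(const char *fill, size_t fill_len)
{
	struct rateest_target_info info;
	char kernel_name[RATEEST_NAME_LEN];

	memset(&info, 0, sizeof(info));
	memcpy(info.name, fill, fill_len);
	return copy_rateest_name(kernel_name, sizeof(kernel_name), &info);
}

/* Well-formed name: "est0" followed by the zero bytes from memset. */
int check_terminated_name(void)
{
	return check_sample("est0", 4);
}

/* 16 non-NUL bytes fill the whole field: no terminator inside it. */
int check_unterminated_name(void)
{
	return check_sample("AAAAAAAAAAAAAAAA", RATEEST_NAME_LEN);
}

/* All-zero field: an empty name. */
int check_empty_name(void)
{
	return check_sample("", 0);
}
```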
* Re: [PATCH net 0/3] Netfilter fixes for net
@ 2021-01-04 23:04 ` Jakub Kicinski
From: Jakub Kicinski @ 2021-01-04 23:04 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev
On Sun, 3 Jan 2021 20:29:17 +0100 Pablo Neira Ayuso wrote:
> Hi Jakub, David,
>
> The following patchset contains Netfilter fixes for net:
>
> 1) Missing sanitization of the rateest userspace string, a bug that has been
> triggered by syzbot; patch from Florian Westphal.
>
> 2) Report EOPNOTSUPP on missing set features in nft_dynset, otherwise
> error reporting to userspace via EINVAL is misleading since this is
> reserved for malformed netlink requests.
>
> 3) New binaries with old kernels might silently accept several set
> element expressions. New binaries set the NFT_SET_EXPR and
> NFT_DYNSET_F_EXPR flags to request several expressions per
> element, hence old kernels which do not support this bail out
> with EOPNOTSUPP.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks!
> P.S: Best wishes for 2021.
Happy 2021!
* [PATCH net 0/3] Netfilter fixes for net
@ 2021-01-12 22:20 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-01-12 22:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Pass conntrack -f to specify family in netfilter conntrack helper
selftests, from Chen Yi.
2) Honor hashsize modparam from nf_conntrack_buckets sysctl,
from Jesper D. Brouer.
3) Fix memleak in nf_nat_init() error path, from Dinghao Liu.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit c49243e8898233de18edfaaa5b7b261ea457f221:
Merge branch 'net-fix-issues-around-register_netdevice-failures' (2021-01-08 19:27:44 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 869f4fdaf4ca7bb6e0d05caf6fa1108dddc346a7:
netfilter: nf_nat: Fix memleak in nf_nat_init (2021-01-11 00:34:11 +0100)
----------------------------------------------------------------
Chen Yi (1):
selftests: netfilter: Pass family parameter "-f" to conntrack tool
Dinghao Liu (1):
netfilter: nf_nat: Fix memleak in nf_nat_init
Jesper Dangaard Brouer (1):
netfilter: conntrack: fix reading nf_conntrack_buckets
net/netfilter/nf_conntrack_standalone.c | 3 +++
net/netfilter/nf_nat_core.c | 1 +
tools/testing/selftests/netfilter/nft_conntrack_helper.sh | 12 +++++++++---
3 files changed, 13 insertions(+), 3 deletions(-)
* Re: [PATCH net 0/3] Netfilter fixes for net
@ 2021-01-13 4:26 ` Jakub Kicinski
From: Jakub Kicinski @ 2021-01-13 4:26 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev
On Tue, 12 Jan 2021 23:20:30 +0100 Pablo Neira Ayuso wrote:
> The following patchset contains Netfilter fixes for net:
>
> 1) Pass conntrack -f to specify family in netfilter conntrack helper
> selftests, from Chen Yi.
>
> 2) Honor hashsize modparam from nf_conntrack_buckets sysctl,
> from Jesper D. Brouer.
>
> 3) Fix memleak in nf_nat_init() error path, from Dinghao Liu.
Pulled, thanks!
* [PATCH net 0/3] Netfilter fixes for net
@ 2021-01-27 13:25 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-01-27 13:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Honor stateful expressions defined in the set from the dynset
extension. The set definition provides a stateful expression
that must be used by the dynset expression in case it is specified.
2) Missing timeout extension in the set element in the dynset
extension leads to inconsistent ruleset listing, not allowing
the user to restore timeout and expiration on ruleset reload.
3) Do not dump the stateful expression from the dynset extension
if it is coming from the set definition.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit c8a8ead01736419a14c3106e1f26a79d74fc84c7:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf (2021-01-12 20:25:29 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to ce5379963b2884e9d23bea0c5674a7251414c84b:
netfilter: nft_dynset: dump expressions when set definition contains no expressions (2021-01-16 19:54:42 +0100)
----------------------------------------------------------------
Pablo Neira Ayuso (3):
netfilter: nft_dynset: honor stateful expressions in set definition
netfilter: nft_dynset: add timeout extension to template
netfilter: nft_dynset: dump expressions when set definition contains no expressions
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 5 ++---
net/netfilter/nft_dynset.c | 41 +++++++++++++++++++++++++--------------
3 files changed, 30 insertions(+), 18 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2021-02-02 15:21 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-02-02 15:21 UTC (permalink / raw)
To: netfilter-devel; +Cc: fw
Hi,
The following patchset contains Netfilter fixes for net:
1) Honor stateful expressions defined in the set from the dynset
extension. The set definition provides a stateful expression
that must be used by the dynset expression in case it is specified.
2) Missing timeout extension in the set element in the dynset
extension leads to inconsistent ruleset listing, not allowing
the user to restore timeout and expiration on ruleset reload.
3) Do not dump the stateful expression from the dynset extension
if it is coming from the set definition.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit c8a8ead01736419a14c3106e1f26a79d74fc84c7:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf (2021-01-12 20:25:29 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to ce5379963b2884e9d23bea0c5674a7251414c84b:
netfilter: nft_dynset: dump expressions when set definition contains no expressions (2021-01-16 19:54:42 +0100)
----------------------------------------------------------------
Pablo Neira Ayuso (3):
netfilter: nft_dynset: honor stateful expressions in set definition
netfilter: nft_dynset: add timeout extension to template
netfilter: nft_dynset: dump expressions when set definition contains no expressions
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_tables_api.c | 5 ++---
net/netfilter/nft_dynset.c | 41 +++++++++++++++++++++++++--------------
3 files changed, 30 insertions(+), 18 deletions(-)
* Re: [PATCH net 0/3] Netfilter fixes for net
@ 2021-02-02 15:25 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-02-02 15:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: fw
Please, scratch this.
My robot resent an old pull request that was stale on my submission
folder.
Sorry for the noise.
On Tue, Feb 02, 2021 at 04:21:52PM +0100, Pablo Neira Ayuso wrote:
> Hi,
>
> The following patchset contains Netfilter fixes for net:
>
> 1) Honor stateful expressions defined in the set from the dynset
> extension. The set definition provides a stateful expression
> that must be used by the dynset expression in case it is specified.
>
> 2) Missing timeout extension in the set element in the dynset
> extension leads to inconsistent ruleset listing, not allowing
> the user to restore timeout and expiration on ruleset reload.
>
> 3) Do not dump the stateful expression from the dynset extension
> if it is coming from the set definition.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
>
> Thanks!
>
> ----------------------------------------------------------------
>
> The following changes since commit c8a8ead01736419a14c3106e1f26a79d74fc84c7:
>
> Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf (2021-01-12 20:25:29 -0800)
>
> are available in the Git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
>
> for you to fetch changes up to ce5379963b2884e9d23bea0c5674a7251414c84b:
>
> netfilter: nft_dynset: dump expressions when set definition contains no expressions (2021-01-16 19:54:42 +0100)
>
> ----------------------------------------------------------------
> Pablo Neira Ayuso (3):
> netfilter: nft_dynset: honor stateful expressions in set definition
> netfilter: nft_dynset: add timeout extension to template
> netfilter: nft_dynset: dump expressions when set definition contains no expressions
>
> include/net/netfilter/nf_tables.h | 2 ++
> net/netfilter/nf_tables_api.c | 5 ++---
> net/netfilter/nft_dynset.c | 41 +++++++++++++++++++++++++--------------
> 3 files changed, 30 insertions(+), 18 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2021-06-10 16:54 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-06-10 16:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix a crash when stateful expression with its own gc callback
is used in a set definition.
2) Skip IPv6 packets from any link-local address in IPv6 fib expression.
Add a selftest for this scenario, from Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you!
----------------------------------------------------------------
The following changes since commit f2386cf7c5f4ff5d7b584f5d92014edd7df6c676:
net: lantiq: disable interrupt before sheduling NAPI (2021-06-08 19:16:32 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 12f36e9bf678a81d030ca1b693dcda62b55af7c5:
netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local (2021-06-09 21:11:03 +0200)
----------------------------------------------------------------
Florian Westphal (2):
selftests: netfilter: add fib test case
netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local
Pablo Neira Ayuso (1):
netfilter: nf_tables: initialize set before expression setup
net/ipv6/netfilter/nft_fib_ipv6.c | 22 ++-
net/netfilter/nf_tables_api.c | 85 ++++++-----
tools/testing/selftests/netfilter/Makefile | 2 +-
tools/testing/selftests/netfilter/nft_fib.sh | 221 +++++++++++++++++++++++++++
4 files changed, 283 insertions(+), 47 deletions(-)
create mode 100755 tools/testing/selftests/netfilter/nft_fib.sh
* [PATCH net 0/3] Netfilter fixes for net
@ 2021-12-17 8:53 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-12-17 8:53 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix UAF in set catch-all element, from Eric Dumazet.
2) Fix MAC mangling for multicast/loopback traffic in nfnetlink_queue
and nfnetlink_log, from Ignacy Gawędzki.
3) Remove expired entries from ctnetlink dump path regardless the tuple
direction, from Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 1d1c950faa81e1c287c9e14f307f845b190eb578:
Merge tag 'wireless-drivers-2021-12-15' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers (2021-12-15 14:43:07 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 76f12e632a15a20c8de3532d64a0708cf0e32f11:
netfilter: ctnetlink: remove expired entries first (2021-12-16 14:10:52 +0100)
----------------------------------------------------------------
Eric Dumazet (1):
netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy()
Florian Westphal (1):
netfilter: ctnetlink: remove expired entries first
Ignacy Gawędzki (1):
netfilter: fix regression in looped (broad|multi)cast's MAC handling
net/netfilter/nf_conntrack_netlink.c | 5 +++--
net/netfilter/nf_tables_api.c | 4 ++--
net/netfilter/nfnetlink_log.c | 3 ++-
net/netfilter/nfnetlink_queue.c | 3 ++-
4 files changed, 9 insertions(+), 6 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2022-03-12 22:03 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-03-12 22:03 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net coming late
in the 5.17-rc process:
1) Revert port remap to mitigate shadowing service ports, this is causing
problems in existing setups and this mitigation can be achieved with
explicit ruleset, eg.
... tcp sport < 16386 tcp dport >= 32768 masquerade random
This patch provided a built-in policy similar to the one described above.
2) Disable register tracking infrastructure in nf_tables. Florian reported
two issues:
- Existing expressions with no implemented .reduce interface
that causes data-store on register should cancel the tracking.
- Register clobbering might be possible storing data on registers that
are larger than 32-bits.
This might lead to generating incorrect ruleset bytecode. These two
issues are scheduled to be addressed in the next release cycle.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit f8e9bd34cedd89b93b1167aa32ab8ecd6c2ccf4a:
Merge branch 'smc-fix' (2022-03-03 10:34:18 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to ed5f85d4229010235eab1e3d9acf6970d9304963:
netfilter: nf_tables: disable register tracking (2022-03-12 16:07:38 +0100)
----------------------------------------------------------------
Florian Westphal (2):
Revert "netfilter: nat: force port remap to prevent shadowing well-known ports"
Revert "netfilter: conntrack: tag conntracks picked up in local out hook"
Pablo Neira Ayuso (1):
netfilter: nf_tables: disable register tracking
include/net/netfilter/nf_conntrack.h | 1 -
net/netfilter/nf_conntrack_core.c | 3 --
net/netfilter/nf_nat_core.c | 43 ++--------------------------
net/netfilter/nf_tables_api.c | 9 ++++--
tools/testing/selftests/netfilter/nft_nat.sh | 5 ++--
5 files changed, 12 insertions(+), 49 deletions(-)
* Re: [PATCH net 0/3] Netfilter fixes for net
@ 2022-03-14 22:54 ` Jakub Kicinski
From: Jakub Kicinski @ 2022-03-14 22:54 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev
On Sat, 12 Mar 2022 23:03:12 +0100 Pablo Neira Ayuso wrote:
> 1) Revert port remap to mitigate shadowing service ports, this is causing
> problems in existing setups and this mitigation can be achieved with
> explicit ruleset, eg.
>
> ... tcp sport < 16386 tcp dport >= 32768 masquerade random
>
> This patch provided a built-in policy similar to the one described above.
>
> 2) Disable register tracking infrastructure in nf_tables. Florian reported
> two issues:
>
> - Existing expressions with no implemented .reduce interface
> that causes data-store on register should cancel the tracking.
> - Register clobbering might be possible storing data on registers that
> are larger than 32-bits.
>
> This might lead to generating incorrect ruleset bytecode. These two
> issues are scheduled to be addressed in the next release cycle.
Minor nit for the future - it'd still be useful to have Fixes tags even
for reverts or current release fixes so that lowly backporters (myself
included) do not have to dig into history to double confirm patches
are not needed in the production kernels we maintain. Thanks!
* Re: [PATCH net 0/3] Netfilter fixes for net
@ 2022-03-14 23:07 ` Florian Westphal
From: Florian Westphal @ 2022-03-14 23:07 UTC (permalink / raw)
To: Jakub Kicinski; +Cc: Pablo Neira Ayuso, netfilter-devel, davem, netdev
Jakub Kicinski <kuba@kernel.org> wrote:
> Minor nit for the future - it'd still be useful to have Fixes tags even
> for reverts or current release fixes so that lowly backporters (myself
> included) do not have to dig into history to double confirm patches
> are not needed in the production kernels we maintain. Thanks!
Understood, will do so next time.
For the record, the tags would have been:
Fixes: 878aed8db324 ("netfilter: nat: force port remap to prevent shadowing well-known ports")
Fixes: 4a6fbdd801e8 ("netfilter: conntrack: tag conntracks picked up in local out hook")
Fixes: 12e4ecfa244b ("netfilter: nf_tables: add register tracking infrastructure")
... all were merged v5.17-rc1 onwards.
* Re: [PATCH net 0/3] Netfilter fixes for net
@ 2022-03-14 23:18 ` Jakub Kicinski
From: Jakub Kicinski @ 2022-03-14 23:18 UTC (permalink / raw)
To: Florian Westphal; +Cc: Pablo Neira Ayuso, netfilter-devel, davem, netdev
On Tue, 15 Mar 2022 00:07:19 +0100 Florian Westphal wrote:
> Jakub Kicinski <kuba@kernel.org> wrote:
> > Minor nit for the future - it'd still be useful to have Fixes tags even
> > for reverts or current release fixes so that lowly backporters (myself
> > included) do not have to dig into history to double confirm patches
> > are not needed in the production kernels we maintain. Thanks!
>
> Understood, will do so next time.
>
> For the record, the tags would have been:
>
> Fixes: 878aed8db324 ("netfilter: nat: force port remap to prevent shadowing well-known ports")
> Fixes: 4a6fbdd801e8 ("netfilter: conntrack: tag conntracks picked up in local out hook")
> Fixes: 12e4ecfa244b ("netfilter: nf_tables: add register tracking infrastructure")
>
> ... all were merged v5.17-rc1 onwards.
Thanks!
* [PATCH net 0/3] Netfilter fixes for net
@ 2022-03-17 20:25 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-03-17 20:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix PPPoE and QinQ with flowtable inet family.
2) Missing register validation in nf_tables.
3) Initialize registers to avoid stack memleak to userspace.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit dea2d93a8ba437460c5f21bdfa4ada57fa1d2179:
Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue (2022-03-16 10:07:43 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 4c905f6740a365464e91467aa50916555b28213d:
netfilter: nf_tables: initialize registers in nft_do_chain() (2022-03-17 15:50:27 +0100)
----------------------------------------------------------------
Pablo Neira Ayuso (3):
netfilter: flowtable: Fix QinQ and pppoe support for inet table
netfilter: nf_tables: validate registers coming from userspace.
netfilter: nf_tables: initialize registers in nft_do_chain()
include/net/netfilter/nf_flow_table.h | 18 ++++++++++++++++++
net/netfilter/nf_flow_table_inet.c | 17 +++++++++++++++++
net/netfilter/nf_flow_table_ip.c | 18 ------------------
net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
net/netfilter/nf_tables_core.c | 2 +-
5 files changed, 53 insertions(+), 24 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2022-03-28 8:20 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-03-28 8:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Incorrect output device in nf_egress hook, from Phil Sutter.
2) Preserve liberal flag in TCP conntrack state, reported by Sven Auhagen.
3) Use GFP_KERNEL_ACCOUNT flag for nf_tables objects, from Vasily Averin.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit f92fcb5c00dc924a4661d5bf68de7937040f26b8:
Merge branch 'ice-avoid-sleeping-scheduling-in-atomic-contexts' (2022-03-23 10:40:44 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 33758c891479ea1c736abfee64b5225925875557:
memcg: enable accounting for nft objects (2022-03-28 10:11:23 +0200)
----------------------------------------------------------------
Pablo Neira Ayuso (1):
netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options
Phil Sutter (1):
netfilter: egress: Report interface as outgoing
Vasily Averin (1):
memcg: enable accounting for nft objects
include/linux/netfilter_netdev.h | 2 +-
net/netfilter/core.c | 2 +-
net/netfilter/nf_conntrack_proto_tcp.c | 17 +++++++++----
net/netfilter/nf_tables_api.c | 44 +++++++++++++++++-----------------
4 files changed, 37 insertions(+), 28 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2022-04-28 14:21 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-04-28 14:21 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
This patchset contains Netfilter fixes for net:
1) Fix incorrect TCP connection tracking window reset for non-syn
packets, from Florian Westphal.
2) Incorrect dependency on CONFIG_NFT_FLOW_OFFLOAD, from Volodymyr Mytnyk.
3) Fix nft_socket from the output path, from Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit a1bde8c92d27d178a988bfd13d229c170b8135aa:
Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue (2022-04-27 10:58:39 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 743b83f15d4069ea57c3e40996bf4a1077e0cdc1:
netfilter: nft_socket: only do sk lookups when indev is available (2022-04-28 16:15:23 +0200)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: nf_conntrack_tcp: re-init for syn packets only
netfilter: nft_socket: only do sk lookups when indev is available
Volodymyr Mytnyk (1):
netfilter: conntrack: fix udp offload timeout sysctl
net/netfilter/nf_conntrack_proto_tcp.c | 21 ++++---------
net/netfilter/nf_conntrack_standalone.c | 2 +-
net/netfilter/nft_socket.c | 52 ++++++++++++++++++++++++---------
3 files changed, 45 insertions(+), 30 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2022-06-29 17:13 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-06-29 17:13 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Restore set counter when one of the CPUs loses the race to add elements
to sets.
2) After NF_STOLEN, skb might be there no more, update nftables trace
infra to avoid access to skb in this case. From Florian Westphal.
3) nftables bridge might register a prerouting hook with zero priority,
br_netfilter incorrectly skips it. Also from Florian.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit cb8092d70a6f5f01ec1490fce4d35efed3ed996c:
tipc: move bc link creation back to tipc_node_create (2022-06-27 11:51:56 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to c2577862eeb0be94f151f2f1fff662b028061b00:
netfilter: br_netfilter: do not skip all hooks with 0 priority (2022-06-27 19:23:27 +0200)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: nf_tables: avoid skb access on nf_stolen
netfilter: br_netfilter: do not skip all hooks with 0 priority
Pablo Neira Ayuso (1):
netfilter: nft_dynset: restore set element counter when failing to update
include/net/netfilter/nf_tables.h | 16 ++++++++------
net/bridge/br_netfilter_hooks.c | 21 ++++++++++++++++---
net/netfilter/nf_tables_core.c | 24 ++++++++++++++++++---
net/netfilter/nf_tables_trace.c | 44 +++++++++++++++++++++------------------
net/netfilter/nft_set_hash.c | 2 ++
5 files changed, 75 insertions(+), 32 deletions(-)
* Re: [PATCH net 0/3] Netfilter fixes for net
@ 2022-06-30 3:20 ` patchwork-bot+netdevbpf
From: patchwork-bot+netdevbpf @ 2022-06-30 3:20 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet
Hello:
This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Wed, 29 Jun 2022 19:13:51 +0200 you wrote:
> Hi,
>
> The following patchset contains Netfilter fixes for net:
>
> 1) Restore set counter when one of the CPUs loses the race to add elements
> to sets.
>
> [...]
Here is the summary with links:
- [net,1/3] netfilter: nft_dynset: restore set element counter when failing to update
https://git.kernel.org/netdev/net/c/05907f10e235
- [net,2/3] netfilter: nf_tables: avoid skb access on nf_stolen
https://git.kernel.org/netdev/net/c/e34b9ed96ce3
- [net,3/3] netfilter: br_netfilter: do not skip all hooks with 0 priority
https://git.kernel.org/netdev/net/c/c2577862eeb0
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* [PATCH net 0/3] Netfilter fixes for net
@ 2022-07-11 9:33 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-07-11 9:33 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) refcount_inc_not_zero() is not semantically equivalent to
atomic_inc_not_zero(), from Florian Westphal. My understanding was
that the refcount_*() API provides a wrapper to ease debugging of
reference count leaks; however, there are semantic differences
between these two APIs, where refcount_inc_not_zero() needs a barrier.
The reason for this subtle difference is unknown to me.
2) packet logging is not correct for ARP and IP packets, from the
ARP family and netdev/egress respectively. Use skb_network_offset()
to reach the headers accordingly.
3) set element extension length has been growing over time, replace
a BUG_ON by EINVAL which might be triggerable from userspace.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 280e3a857d96f9ca8e24632788e1e7a0fec4e9f7:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf (2022-07-03 12:29:18 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to c39ba4de6b0a843bec5d46c2b6f2064428dada5e:
netfilter: nf_tables: replace BUG_ON by element length check (2022-07-09 16:25:09 +0200)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: conntrack: fix crash due to confirmed bit load reordering
Pablo Neira Ayuso (2):
netfilter: nf_log: incorrect offset to network header
netfilter: nf_tables: replace BUG_ON by element length check
include/net/netfilter/nf_tables.h | 14 ++++---
net/netfilter/nf_conntrack_core.c | 22 ++++++++++
net/netfilter/nf_conntrack_netlink.c | 1 +
net/netfilter/nf_conntrack_standalone.c | 3 ++
net/netfilter/nf_log_syslog.c | 8 ++--
net/netfilter/nf_tables_api.c | 72 +++++++++++++++++++++++----------
6 files changed, 90 insertions(+), 30 deletions(-)
* [PATCH net 0/3] netfilter fixes for net
@ 2022-10-12 12:18 Florian Westphal
0 siblings, 0 replies; 54+ messages in thread
From: Florian Westphal @ 2022-10-12 12:18 UTC (permalink / raw)
To: netdev
Cc: Paolo Abeni, Eric Dumazet, David S. Miller, Jakub Kicinski,
netfilter-devel, Florian Westphal
Hello,
This series from Phil Sutter for the *net* tree fixes a problem with a change
from the 6.1 development phase: the change to nft_fib should have used
the more recent flowic_l3mdev field. Pointed out by Guillaume Nault.
This also makes the older iptables module follow the same pattern.
Also add selftest case and avoid test failure in nft_fib.sh when the
host environment has set rp_filter=1.
Please consider pulling this from
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git master
----------------------------------------------------------------
The following changes since commit 739cfa34518ef3a6789f5f77239073972a387359:
net/mlx5: Make ASO poll CQ usable in atomic context (2022-10-12 09:16:05 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git master
for you to fetch changes up to 6a91e7270936c5a504af7e0a197d7021e169d281:
selftests: netfilter: Fix nft_fib.sh for all.rp_filter=1 (2022-10-12 14:08:15 +0200)
----------------------------------------------------------------
Phil Sutter (3):
selftests: netfilter: Test reverse path filtering
netfilter: rpfilter/fib: Populate flowic_l3mdev field
selftests: netfilter: Fix nft_fib.sh for all.rp_filter=1
net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
net/ipv4/netfilter/nft_fib_ipv4.c | 2 +-
net/ipv6/netfilter/ip6t_rpfilter.c | 9 +-
net/ipv6/netfilter/nft_fib_ipv6.c | 5 +-
tools/testing/selftests/netfilter/Makefile | 2 +-
tools/testing/selftests/netfilter/nft_fib.sh | 1 +
tools/testing/selftests/netfilter/rpath.sh | 147 +++++++++++++++++++++++++++
7 files changed, 156 insertions(+), 12 deletions(-)
create mode 100755 tools/testing/selftests/netfilter/rpath.sh
* [PATCH net 0/3] Netfilter fixes for net
@ 2022-11-09 11:28 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2022-11-09 11:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix deadlock in nfnetlink due to missing mutex release in error path,
from Ziyang Xuan.
2) Clean up pending autoload module list from nf_tables_exit_net() path,
from Shigeru Yoshida.
3) Fixes for the netfilter's reverse path selftest, from Phil Sutter.
All of these bugs have been around for several releases.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit ce9e57feeed81d17d5e80ed86f516ff0d39c3867:
drivers: net: xgene: disable napi when register irq failed in xgene_enet_open() (2022-11-08 15:15:55 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 58bb78ce02269c0cf5b1f2bd2e4a605500b44c6b:
selftests: netfilter: Fix and review rpath.sh (2022-11-09 10:29:57 +0100)
----------------------------------------------------------------
Phil Sutter (1):
selftests: netfilter: Fix and review rpath.sh
Shigeru Yoshida (1):
netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()
Ziyang Xuan (1):
netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg()
net/netfilter/nf_tables_api.c | 3 ++-
net/netfilter/nfnetlink.c | 1 +
tools/testing/selftests/netfilter/rpath.sh | 14 ++++++++------
3 files changed, 11 insertions(+), 7 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2022-11-22 21:28 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2022-11-22 21:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patch contains another round of Netfilter fixes for net:
1) Fix regression in ipset hash:ip with IPv4 range, from Vishwanath Pai.
This is fixing up a bug introduced in the 6.0 release.
2) The "netfilter: ipset: enforce documented limit to prevent allocating
huge memory" patch contained a wrong condition which makes it impossible to
add up to 64 clashing elements to a hash:net,iface type of set while it
is the documented feature of the set type. The patch fixes the condition
and thus makes it possible to add the elements while still preventing
allocating huge memory, from Jozsef Kadlecsik. This has been broken
for several releases.
3) Missing locking when updating the flow block list which might lead
a reader to crash. This has been broken since the introduction of the
flowtable hardware offload support.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit badbda1a01860c80c6ab60f329ef46c713653a27:
octeontx2-af: cn10k: mcs: Fix copy and paste bug in mcs_bbe_intr_handler() (2022-11-21 13:04:28 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to bcd9e3c1656d0f7dd9743598c65c3ae24efb38d0:
netfilter: flowtable_offload: add missing locking (2022-11-22 22:17:12 +0100)
----------------------------------------------------------------
Felix Fietkau (1):
netfilter: flowtable_offload: add missing locking
Jozsef Kadlecsik (1):
netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface
Vishwanath Pai (1):
netfilter: ipset: regression in ip_set_hash_ip.c
net/netfilter/ipset/ip_set_hash_gen.h | 2 +-
net/netfilter/ipset/ip_set_hash_ip.c | 8 +++-----
net/netfilter/nf_flow_table_offload.c | 4 ++++
3 files changed, 8 insertions(+), 6 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2023-01-11 21:22 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2023-01-11 21:22 UTC (permalink / raw)
To: netfilter-devel
Hi,
The following patchset contains Netfilter fixes for net:
1) Increase timeout to 120 seconds for netfilter selftests to fix
nftables transaction tests, from Florian Westphal.
2) Fix overflow in bitmap_ip_create() due to integer arithmetics
in a 64-bit bitmask, from Gavrilov Ilia.
3) Fix incorrect arithmetics in nft_payload with double-tagged
vlan matching.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 8fed75653a670a4d3be0ab9949aed5e2968a03ef:
Merge tag 'mlx5-fixes-2023-01-09' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux (2023-01-11 12:55:09 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 696e1a48b1a1b01edad542a1ef293665864a4dd0:
netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits (2023-01-11 19:18:04 +0100)
----------------------------------------------------------------
Florian Westphal (1):
selftests: netfilter: fix transaction test script timeout handling
Gavrilov Ilia (1):
netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
Pablo Neira Ayuso (1):
netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++--
net/netfilter/nft_payload.c | 2 +-
tools/testing/selftests/netfilter/nft_trans_stress.sh | 16 +++++++++-------
tools/testing/selftests/netfilter/settings | 1 +
4 files changed, 13 insertions(+), 10 deletions(-)
create mode 100644 tools/testing/selftests/netfilter/settings
* [PATCH net 0/3] Netfilter fixes for net
@ 2023-01-13 16:41 Pablo Neira Ayuso
2023-01-18 3:03 ` Jakub Kicinski
0 siblings, 1 reply; 54+ messages in thread
From: Pablo Neira Ayuso @ 2023-01-13 16:41 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
[ Resend Cc'ing netdev, previous PR did not CC netdev accidentally. ]
Hi,
The following patchset contains Netfilter fixes for net:
1) Increase timeout to 120 seconds for netfilter selftests to fix
nftables transaction tests, from Florian Westphal.
2) Fix overflow in bitmap_ip_create() due to integer arithmetics
in a 64-bit bitmask, from Gavrilov Ilia.
3) Fix incorrect arithmetics in nft_payload with double-tagged
vlan matching.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 8fed75653a670a4d3be0ab9949aed5e2968a03ef:
Merge tag 'mlx5-fixes-2023-01-09' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux (2023-01-11 12:55:09 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 696e1a48b1a1b01edad542a1ef293665864a4dd0:
netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits (2023-01-11 19:18:04 +0100)
----------------------------------------------------------------
Florian Westphal (1):
selftests: netfilter: fix transaction test script timeout handling
Gavrilov Ilia (1):
netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
Pablo Neira Ayuso (1):
netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++--
net/netfilter/nft_payload.c | 2 +-
tools/testing/selftests/netfilter/nft_trans_stress.sh | 16 +++++++++-------
tools/testing/selftests/netfilter/settings | 1 +
4 files changed, 13 insertions(+), 10 deletions(-)
create mode 100644 tools/testing/selftests/netfilter/settings
* Re: [PATCH net 0/3] Netfilter fixes for net
2023-01-13 16:41 Pablo Neira Ayuso
@ 2023-01-18 3:03 ` Jakub Kicinski
0 siblings, 0 replies; 54+ messages in thread
From: Jakub Kicinski @ 2023-01-18 3:03 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, pabeni, edumazet
On Fri, 13 Jan 2023 17:41:03 +0100 Pablo Neira Ayuso wrote:
> 1) Increase timeout to 120 seconds for netfilter selftests to fix
> nftables transaction tests, from Florian Westphal.
>
> 2) Fix overflow in bitmap_ip_create() due to integer arithmetics
> in a 64-bit bitmask, from Gavrilov Ilia.
>
> 3) Fix incorrect arithmetics in nft_payload with double-tagged
> vlan matching.
FWIW pulled yesterday, thanks!
* [PATCH net 0/3] Netfilter fixes for net
@ 2023-03-01 22:20 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2023-03-01 22:20 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix bogus error report in selftests/netfilter/nft_nat.sh,
from Hangbin Liu.
2) Initialize last and quota expressions from template when
expr_ops::clone is called, otherwise, states are not restored
accordingly when loading a dynamic set with elements using
these two expressions.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 8f9850dd8d23c1290cb642ce9548a440da5771ec:
net: phy: unlock on error in phy_probe() (2023-02-28 12:40:12 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to aabef97a35160461e9c576848ded737558d89055:
netfilter: nft_quota: copy content when cloning expression (2023-03-01 17:23:23 +0100)
----------------------------------------------------------------
Hangbin Liu (1):
selftests: nft_nat: ensuring the listening side is up before starting the client
Pablo Neira Ayuso (2):
netfilter: nft_last: copy content when cloning expression
netfilter: nft_quota: copy content when cloning expression
net/netfilter/nft_last.c | 4 ++++
net/netfilter/nft_quota.c | 6 +++++-
tools/testing/selftests/netfilter/nft_nat.sh | 2 ++
3 files changed, 11 insertions(+), 1 deletion(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2023-03-07 10:04 Pablo Neira Ayuso
2023-03-07 12:57 ` Paolo Abeni
0 siblings, 1 reply; 54+ messages in thread
From: Pablo Neira Ayuso @ 2023-03-07 10:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Restore ctnetlink zero mark in events and dump, from Ivan Delalande.
2) Fix deadlock due to missing disabled bh in tproxy, from Florian Westphal.
3) Safer maximum chain load in conntrack, from Eric Dumazet.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 528125268588a18a2f257002af051b62b14bb282:
Merge branch 'nfp-ipsec-csum' (2023-03-03 08:28:44 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to c77737b736ceb50fdf150434347dbd81ec76dbb1:
netfilter: conntrack: adopt safer max chain length (2023-03-07 10:58:06 +0100)
----------------------------------------------------------------
Eric Dumazet (1):
netfilter: conntrack: adopt safer max chain length
Florian Westphal (1):
netfilter: tproxy: fix deadlock due to missing BH disable
Ivan Delalande (1):
netfilter: ctnetlink: revert to dumping mark regardless of event type
include/net/netfilter/nf_tproxy.h | 7 +++++++
net/ipv4/netfilter/nf_tproxy_ipv4.c | 2 +-
net/ipv6/netfilter/nf_tproxy_ipv6.c | 2 +-
net/netfilter/nf_conntrack_core.c | 4 ++--
net/netfilter/nf_conntrack_netlink.c | 14 +++++++-------
5 files changed, 18 insertions(+), 11 deletions(-)
* Re: [PATCH net 0/3] Netfilter fixes for net
2023-03-07 10:04 Pablo Neira Ayuso
@ 2023-03-07 12:57 ` Paolo Abeni
2023-03-07 17:26 ` Jakub Kicinski
0 siblings, 1 reply; 54+ messages in thread
From: Paolo Abeni @ 2023-03-07 12:57 UTC (permalink / raw)
To: Pablo Neira Ayuso, netfilter-devel; +Cc: davem, netdev, kuba, edumazet
On Tue, 2023-03-07 at 11:04 +0100, Pablo Neira Ayuso wrote:
> Hi,
>
> The following patchset contains Netfilter fixes for net:
>
> 1) Restore ctnetlink zero mark in events and dump, from Ivan Delalande.
>
> 2) Fix deadlock due to missing disabled bh in tproxy, from Florian Westphal.
>
> 3) Safer maximum chain load in conntrack, from Eric Dumazet.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
>
> Thanks.
>
> ----------------------------------------------------------------
>
> The following changes since commit 528125268588a18a2f257002af051b62b14bb282:
>
> Merge branch 'nfp-ipsec-csum' (2023-03-03 08:28:44 +0000)
>
> are available in the Git repository at:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
It's not clear to me the root cause, but pulling from the above ref
yields nothing. I have to replace 'HEAD' with main to get the expected
patches.
Cheers,
Paolo
* Re: [PATCH net 0/3] Netfilter fixes for net
2023-03-07 12:57 ` Paolo Abeni
@ 2023-03-07 17:26 ` Jakub Kicinski
2023-03-08 9:34 ` Pablo Neira Ayuso
0 siblings, 1 reply; 54+ messages in thread
From: Jakub Kicinski @ 2023-03-07 17:26 UTC (permalink / raw)
To: Paolo Abeni, Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, edumazet
On Tue, 07 Mar 2023 13:57:07 +0100 Paolo Abeni wrote:
> On Tue, 2023-03-07 at 11:04 +0100, Pablo Neira Ayuso wrote:
> > The following changes since commit 528125268588a18a2f257002af051b62b14bb282:
> >
> > Merge branch 'nfp-ipsec-csum' (2023-03-03 08:28:44 +0000)
> >
> > are available in the Git repository at:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
>
> It's not clear to me the root cause, but pulling from the above ref
> yields nothing. I have to replace 'HEAD' with main to get the expected
> patches.
Possibly netfilter folks did not update HEAD to point to main?
ssh git@gitolite.kernel.org symbolic-ref \
pub/scm/linux/kernel/git/netfilter/nf \
HEAD refs/heads/main
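A receiver-side check for the situation Paolo and Jakub describe above, added here as an example and not code from the thread: parse `git ls-remote --symref` output and refuse to pull when the ref named in the cover letter is not a symbolic ref to the expected branch or does not resolve to the advertised commit. The ls-remote output below is constructed; the commit ids are the base and tip quoted in this pull request.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the ref named in a
# pull request before pulling it. It parses the output of
#   git ls-remote --symref <url> <ref>
# which prints "ref: refs/heads/<branch>\t<ref>" for a symbolic ref, followed
# by "<commit>\t<ref>". Passing the output in as a string keeps the parsing
# testable offline.

# symref_target OUTPUT
#   Print the branch a symbolic ref points to, or nothing if the listed ref
#   is not symbolic on the remote.
symref_target() {
    printf '%s\n' "$1" |
        awk -F'\t' '$1 ~ /^ref: / { sub(/^ref: /, "", $1); print $1; exit }'
}

# ref_commit OUTPUT REF
#   Print the commit id the remote advertises for REF (empty if absent).
ref_commit() {
    printf '%s\n' "$1" |
        awk -F'\t' -v ref="$2" '$2 == ref && $1 !~ /^ref: / { print $1; exit }'
}

# check_pull_ref OUTPUT REF EXPECTED_BRANCH EXPECTED_TIP
#   Return 0 when REF is advertised, is (for HEAD) a symref to
#   EXPECTED_BRANCH, and resolves to EXPECTED_TIP. A prefix of the commit id
#   is accepted so an abbreviated id can be pasted. Otherwise print the
#   reason on stderr and return a distinct non-zero code.
check_pull_ref() {
    out=$1 ref=$2 want_branch=$3 want_tip=$4
    tip=$(ref_commit "$out" "$ref")
    if [ -z "$tip" ]; then
        echo "$ref: not advertised by the remote" >&2
        return 2
    fi
    if [ "$ref" = HEAD ]; then
        target=$(symref_target "$out")
        if [ "$target" != "refs/heads/$want_branch" ]; then
            echo "HEAD points to '${target:-<not a symref>}', expected refs/heads/$want_branch" >&2
            return 3
        fi
    fi
    case $tip in
        "$want_tip"*) return 0 ;;
    esac
    echo "$ref resolves to $tip, but the cover letter advertises $want_tip" >&2
    return 4
}

# Constructed ls-remote output (not captured from kernel.org). The commit ids
# are the ones quoted in this pull request: base 528125... and advertised tip
# c77737.... STALE_HEAD models a repository whose HEAD symref was never moved
# from master to main; FIXED_HEAD models the same repository after the fix.
STALE_HEAD=$(printf 'ref: refs/heads/master\tHEAD\n%s\tHEAD\n%s\trefs/heads/main\n%s\trefs/heads/master\n' \
    528125268588a18a2f257002af051b62b14bb282 \
    c77737b736ceb50fdf150434347dbd81ec76dbb1 \
    528125268588a18a2f257002af051b62b14bb282)
FIXED_HEAD=$(printf 'ref: refs/heads/main\tHEAD\n%s\tHEAD\n%s\trefs/heads/main\n' \
    c77737b736ceb50fdf150434347dbd81ec76dbb1 \
    c77737b736ceb50fdf150434347dbd81ec76dbb1)

# Against a live remote the first argument would be
#   "$(git ls-remote --symref git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD)"
if check_pull_ref "$STALE_HEAD" HEAD main c77737b736ceb50fdf150434347dbd81ec76dbb1; then
    echo "STALE_HEAD: HEAD is safe to pull"
else
    echo "STALE_HEAD: refusing to pull"
fi
if check_pull_ref "$FIXED_HEAD" HEAD main c77737b736ceb50fdf150434347dbd81ec76dbb1; then
    echo "FIXED_HEAD: HEAD is safe to pull"
else
    echo "FIXED_HEAD: refusing to pull"
fi
```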
* Re: [PATCH net 0/3] Netfilter fixes for net
2023-03-07 17:26 ` Jakub Kicinski
@ 2023-03-08 9:34 ` Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2023-03-08 9:34 UTC (permalink / raw)
To: Jakub Kicinski; +Cc: Paolo Abeni, netfilter-devel, davem, netdev, edumazet
On Tue, Mar 07, 2023 at 09:26:04AM -0800, Jakub Kicinski wrote:
> On Tue, 07 Mar 2023 13:57:07 +0100 Paolo Abeni wrote:
> > On Tue, 2023-03-07 at 11:04 +0100, Pablo Neira Ayuso wrote:
> > > The following changes since commit 528125268588a18a2f257002af051b62b14bb282:
> > >
> > > Merge branch 'nfp-ipsec-csum' (2023-03-03 08:28:44 +0000)
> > >
> > > are available in the Git repository at:
> > >
> > > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
> >
> > It's not clear to me the root cause, but pulling from the above ref
> > yields nothing. I have to replace 'HEAD' with main to get the expected
> > patches.
>
> Possibly netfilter folks did not update HEAD to point to main?
>
> ssh git@gitolite.kernel.org symbolic-ref \
> pub/scm/linux/kernel/git/netfilter/nf \
> HEAD refs/heads/main
Fixed, thanks.
I will also review my pull request scripts to check if someone got
unadjusted after the switch to the main branch.
* [PATCH net 0/3] Netfilter fixes for net
@ 2023-05-03 6:32 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2023-05-03 6:32 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Hit ENOENT when trying to update a nonexistent base chain.
2) Fix libmnl pkg-config usage in selftests, from Jeremy Sowden.
3) KASAN reports use-after-free when deleting a set element for an
anonymous set that was already removed in the same transaction,
reported by P. Sondej and P. Krysiuk.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit c6d96df9fa2c1d19525239d4262889cce594ce6c:
net: ethernet: mtk_eth_soc: drop generic vlan rx offload, only use DSA untagging (2023-05-02 20:19:52 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-05-03
for you to fetch changes up to c1592a89942e9678f7d9c8030efa777c0d57edab:
netfilter: nf_tables: deactivate anonymous set from preparation phase (2023-05-03 08:24:32 +0200)
----------------------------------------------------------------
netfilter pull request 23-05-03
----------------------------------------------------------------
Jeremy Sowden (1):
selftests: netfilter: fix libmnl pkg-config usage
Pablo Neira Ayuso (2):
netfilter: nf_tables: hit ENOENT on unexisting chain/flowtable update with missing attributes
netfilter: nf_tables: deactivate anonymous set from preparation phase
include/net/netfilter/nf_tables.h | 1 +
net/netfilter/nf_tables_api.c | 41 +++++++++++++++++++++---------
net/netfilter/nft_dynset.c | 2 +-
net/netfilter/nft_lookup.c | 2 +-
net/netfilter/nft_objref.c | 2 +-
tools/testing/selftests/netfilter/Makefile | 7 +++--
6 files changed, 38 insertions(+), 17 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2023-05-17 12:37 Florian Westphal
0 siblings, 0 replies; 54+ messages in thread
From: Florian Westphal @ 2023-05-17 12:37 UTC (permalink / raw)
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel
Hi,
This PR has three patches for your *net* tree:
1. Silence warning about unused variable when CONFIG_NF_NAT=n, from Tom Rix.
2. nftables: Fix possible out-of-bounds access, from myself.
3. nftables: fix null deref+UAF during element insertion into rbtree,
also from myself.
The following changes since commit ab87603b251134441a67385ecc9d3371be17b7a7:
net: wwan: t7xx: Ensure init is completed before system sleep (2023-05-17 13:02:25 +0100)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-05-17
for you to fetch changes up to 61ae320a29b0540c16931816299eb86bf2b66c08:
netfilter: nft_set_rbtree: fix null deref on element insertion (2023-05-17 14:18:28 +0200)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: nf_tables: fix nft_trans type confusion
netfilter: nft_set_rbtree: fix null deref on element insertion
Tom Rix (1):
netfilter: conntrack: define variables exp_nat_nla_policy and any_addr with CONFIG_NF_NAT
net/netfilter/nf_conntrack_netlink.c | 4 ++++
net/netfilter/nf_tables_api.c | 4 +---
net/netfilter/nft_set_rbtree.c | 20 +++++++++++++-------
--
2.39.3
* [PATCH net 0/3] Netfilter fixes for net
@ 2023-06-08 19:57 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2023-06-08 19:57 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Add commit and abort set operation to pipapo set abort path.
2) Bail out immediately in case of ENOMEM in nfnetlink batch.
3) Incorrect error path handling when creating a new rule leads to
dangling pointer in set transaction list.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-06-08
Thanks.
----------------------------------------------------------------
The following changes since commit ab39b113e74751958aac1b125a14ee42bd7d3efd:
Merge tag 'for-net-2023-06-05' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth (2023-06-06 21:36:57 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-06-08
for you to fetch changes up to 1240eb93f0616b21c675416516ff3d74798fdc97:
netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE (2023-06-08 21:49:26 +0200)
----------------------------------------------------------------
netfilter pull request 23-06-08
----------------------------------------------------------------
Pablo Neira Ayuso (3):
netfilter: nf_tables: integrate pipapo into commit protocol
netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM
netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
include/net/netfilter/nf_tables.h | 4 ++-
net/netfilter/nf_tables_api.c | 59 ++++++++++++++++++++++++++++++++++++++-
net/netfilter/nfnetlink.c | 3 +-
net/netfilter/nft_set_pipapo.c | 55 ++++++++++++++++++++++++++----------
4 files changed, 103 insertions(+), 18 deletions(-)
* [PATCH net 0/3] netfilter fixes for net
@ 2023-07-26 15:23 Florian Westphal
0 siblings, 0 replies; 54+ messages in thread
From: Florian Westphal @ 2023-07-26 15:23 UTC (permalink / raw)
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel
Hello,
Here are three netfilter fixes for the *net* tree:
1. On-demand overlap detection in 'rbtree' set can cause memory leaks.
This is broken since 6.2.
2. An earlier fix in 6.4 to address an imbalance in refcounts during
transaction error unwinding was incomplete, from Pablo Neira.
3. Disallow adding a rule to a deleted chain, also from Pablo.
Broken since 5.9.
The following changes since commit d4a7ce642100765119a872d4aba1bf63e3a22c8a:
igc: Fix Kernel Panic during ndo_tx_timeout callback (2023-07-26 09:54:40 +0100)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-07-26
for you to fetch changes up to 0ebc1064e4874d5987722a2ddbc18f94aa53b211:
netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID (2023-07-26 16:48:49 +0200)
----------------------------------------------------------------
netfilter pull request 2023-07-26
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nft_set_rbtree: fix overlap expiration walk
Pablo Neira Ayuso (2):
netfilter: nf_tables: skip immediate deactivate in _PREPARE_ERROR
netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
net/netfilter/nf_tables_api.c | 5 +++--
net/netfilter/nft_immediate.c | 27 ++++++++++++++++++---------
net/netfilter/nft_set_rbtree.c | 20 ++++++++++++++------
3 files changed, 35 insertions(+), 17 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2024-02-14 23:38 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2024-02-14 23:38 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following batch contains Netfilter fixes for net:
1) Missing : in kdoc field in nft_set_pipapo.
2) Restore default DNAT behavior when a DNAT rule is configured via
iptables with different port ranges, from Kyle Swenson.
3) Restore flowtable hardware offload for bidirectional flows
by setting NF_FLOW_HW_BIDIRECTIONAL flag, from Felix Fietkau.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-02-15
Thanks.
----------------------------------------------------------------
The following changes since commit 9b23fceb4158a3636ce4a2bda28ab03dcfa6a26f:
ethernet: cpts: fix function pointer cast warnings (2024-02-14 12:50:53 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-02-15
for you to fetch changes up to 84443741faab9045d53f022a9ac6a6633067a481:
netfilter: nf_tables: fix bidirectional offload regression (2024-02-15 00:20:00 +0100)
----------------------------------------------------------------
netfilter pull request 24-02-15
----------------------------------------------------------------
Felix Fietkau (1):
netfilter: nf_tables: fix bidirectional offload regression
Kyle Swenson (1):
netfilter: nat: restore default DNAT behavior
Pablo Neira Ayuso (1):
netfilter: nft_set_pipapo: fix missing : in kdoc
net/netfilter/nf_nat_core.c | 5 ++++-
net/netfilter/nft_flow_offload.c | 1 +
net/netfilter/nft_set_pipapo.h | 4 ++--
3 files changed, 7 insertions(+), 3 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2024-02-29 0:01 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2024-02-29 0:01 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
Patch #1 restores NFPROTO_INET with nft_compat, from Ignat Korchagin.
Patch #2 fixes an issue with bridge netfilter and broadcast/multicast
packets.
There is a day 0 bug in br_netfilter when used with connection tracking.
Conntrack assumes that an nf_conn structure that is not yet added to the
hash table ("unconfirmed") is only visible to the current CPU that is
processing the sk_buff.
For bridge this isn't true, the sk_buff can get cloned in between, and
clones can be processed in parallel on different CPUs.
This patch disables NAT and conntrack helpers for multicast packets.
Patch #3 adds a selftest to cover for the br_netfilter bug.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-02-29
Thanks.
----------------------------------------------------------------
The following changes since commit 359e54a93ab43d32ee1bff3c2f9f10cb9f6b6e79:
l2tp: pass correct message length to ip6_append_data (2024-02-22 10:42:17 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-02-29
for you to fetch changes up to 6523cf516c55db164f8f73306027b1caebb5628e:
selftests: netfilter: add bridge conntrack + multicast test case (2024-02-29 00:22:48 +0100)
----------------------------------------------------------------
netfilter pull request 24-02-29
----------------------------------------------------------------
Florian Westphal (2):
netfilter: bridge: confirm multicast packets before passing them up the stack
selftests: netfilter: add bridge conntrack + multicast test case
Ignat Korchagin (1):
netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate()
include/linux/netfilter.h | 1 +
net/bridge/br_netfilter_hooks.c | 96 +++++++++++
net/bridge/netfilter/nf_conntrack_bridge.c | 30 ++++
net/netfilter/nf_conntrack_core.c | 1 +
net/netfilter/nft_compat.c | 20 +++
tools/testing/selftests/netfilter/Makefile | 3 +-
.../selftests/netfilter/bridge_netfilter.sh | 188 +++++++++++++++++++++
7 files changed, 338 insertions(+), 1 deletion(-)
create mode 100644 tools/testing/selftests/netfilter/bridge_netfilter.sh
* [PATCH net 0/3] Netfilter fixes for net
@ 2024-03-21 0:06 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2024-03-21 0:06 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net. There is a
larger batch of fixes still pending that will follow up asap, this is
what I deemed to be more urgent at this time:
1) Use clone view in pipapo set backend to release elements from destroy
path, otherwise it is possible to destroy elements twice.
2) Incorrect check for internal table flags lead to bogus transaction
objects.
3) Fix counters memleak in netdev basechain update error path,
from Quan Tian.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-03-21
Thanks.
----------------------------------------------------------------
The following changes since commit 9c6a59543a3965071d65b0f9ea43aa396ce2ed14:
Merge branch 'octeontx2-pf-mbox-fixes' (2024-03-20 10:49:08 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-03-21
for you to fetch changes up to 1c2e3b462542241d2e6f4d32f8356608ff51f487:
netfilter: nf_tables: Fix a memory leak in nf_tables_updchain (2024-03-21 00:46:03 +0100)
----------------------------------------------------------------
netfilter pull request 24-03-21
----------------------------------------------------------------
Pablo Neira Ayuso (2):
netfilter: nft_set_pipapo: release elements in clone only from destroy path
netfilter: nf_tables: do not compare internal table flags on updates
Quan Tian (1):
netfilter: nf_tables: Fix a memory leak in nf_tables_updchain
net/netfilter/nf_tables_api.c | 29 +++++++++++++++--------------
net/netfilter/nft_set_pipapo.c | 5 +----
2 files changed, 16 insertions(+), 18 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2024-04-18 1:09 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2024-04-18 1:09 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
Patch #1 amends a missing spot where the set iterator type is unset.
This is fixing an issue in the previous pull request.
Patch #2 fixes the delete set command abort path by restoring state
of the elements. Reverse logic for the activate (abort) case,
otherwise element state is not restored; this requires moving
the check for active/inactive elements to the set iterator
callback. From the deactivate path, toggle the next generation
bit and from the activate (abort) path, clear the next generation
bitmask.
Patch #3 skips elements already restored by delete set command from the
abort path in case there is a previous delete element command in
the batch. Check for the next generation bit just like it is done
via set iteration to restore maps.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-18
Thanks.
----------------------------------------------------------------
The following changes since commit 75ce9506ee3dc66648a7d74ab3b0acfa364d6d43:
octeontx2-pf: fix FLOW_DIS_IS_FRAGMENT implementation (2024-04-15 10:45:03 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-18
for you to fetch changes up to 86a1471d7cde792941109b93b558b5dc078b9ee9:
netfilter: nf_tables: fix memleak in map from abort path (2024-04-18 02:41:32 +0200)
----------------------------------------------------------------
netfilter pull request 24-04-18
----------------------------------------------------------------
Pablo Neira Ayuso (3):
netfilter: nf_tables: missing iterator type in lookup walk
netfilter: nf_tables: restore set elements when delete set fails
netfilter: nf_tables: fix memleak in map from abort path
net/netfilter/nf_tables_api.c | 60 +++++++++++++++++++++++++++++++++++++-----
net/netfilter/nft_lookup.c | 1 +
net/netfilter/nft_set_bitmap.c | 4 +--
net/netfilter/nft_set_hash.c | 8 ++----
net/netfilter/nft_set_pipapo.c | 8 +++---
net/netfilter/nft_set_rbtree.c | 4 +--
6 files changed, 62 insertions(+), 23 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2024-06-11 22:03 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2024-06-11 22:03 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
Patch #1 fixes insufficient sanitization of netlink attributes for the
inner expression, which can trigger a NULL-pointer dereference,
from Davide Ornaghi.
Patch #2 addresses a report that there is a race condition between
namespace cleanup and the garbage collection of the list:set
type. This patch resolves this issue with other minor issues
as well, from Jozsef Kadlecsik.
Patch #3: ip6_route_me_harder() ignores flowlabel/dsfield when ip dscp
has been mangled; this unbreaks ip6 dscp set $v,
from Florian Westphal.
All of these patches address issues that are present in several releases.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-06-11
Thanks.
----------------------------------------------------------------
The following changes since commit 36534d3c54537bf098224a32dc31397793d4594d:
tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() (2024-06-10 19:50:10 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-06-11
for you to fetch changes up to 6f8f132cc7bac2ac76911e47d5baa378aafda4cb:
netfilter: Use flowlabel flow key when re-routing mangled packets (2024-06-11 18:46:04 +0200)
----------------------------------------------------------------
netfilter pull request 24-06-11
----------------------------------------------------------------
Davide Ornaghi (1):
netfilter: nft_inner: validate mandatory meta and payload
Florian Westphal (1):
netfilter: Use flowlabel flow key when re-routing mangled packets
Jozsef Kadlecsik (1):
netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
net/ipv6/netfilter.c | 1 +
net/netfilter/ipset/ip_set_core.c | 81 ++++++++++++++++++++---------------
net/netfilter/ipset/ip_set_list_set.c | 30 ++++++-------
net/netfilter/nft_meta.c | 3 ++
net/netfilter/nft_payload.c | 4 ++
5 files changed, 68 insertions(+), 51 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2024-08-22 0:17 Pablo Neira Ayuso
0 siblings, 0 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2024-08-22 0:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
Patch #1 disables BH when collecting stats via hardware offload to ensure
concurrent updates from packet path do not result in losing stats.
From Sebastian Andrzej Siewior.
Patch #2 uses write seqcount to reset counters, serializing against the reader.
Also from Sebastian Andrzej Siewior.
Patch #3 ensures vlan header is in place before accessing its fields,
according to KMSAN splat triggered by syzbot.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-08-22
Thanks.
----------------------------------------------------------------
The following changes since commit 807067bf014d4a3ae2cc55bd3de16f22a01eb580:
kcm: Serialise kcm_sendmsg() for the same socket. (2024-08-19 18:36:12 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-08-22
for you to fetch changes up to 0509ac6c6a9a282ade4ad79b04665395691f73b1:
netfilter: flowtable: validate vlan header (2024-08-21 23:42:49 +0200)
----------------------------------------------------------------
netfilter pull request 24-08-22
----------------------------------------------------------------
Pablo Neira Ayuso (1):
netfilter: flowtable: validate vlan header
Sebastian Andrzej Siewior (2):
netfilter: nft_counter: Disable BH in nft_counter_offload_stats().
netfilter: nft_counter: Synchronize nft_counter_reset() against reader.
net/netfilter/nf_flow_table_inet.c | 3 +++
net/netfilter/nf_flow_table_ip.c | 3 +++
net/netfilter/nft_counter.c | 9 +++++++--
3 files changed, 13 insertions(+), 2 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
@ 2024-10-09 21:38 Pablo Neira Ayuso
2024-10-09 21:38 ` [PATCH net 1/3] netfilter: xtables: avoid NFPROTO_UNSPEC where needed Pablo Neira Ayuso
` (2 more replies)
0 siblings, 3 replies; 54+ messages in thread
From: Pablo Neira Ayuso @ 2024-10-09 21:38 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
1) Restrict xtables extensions to families that are safe; syzbot found
a way to combine ebtables with extensions that are never used by
userspace tools. From Florian Westphal.
2) Set l3mdev unconditionally whenever possible in nft_fib to fix lookup
mismatch, also from Florian.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-10-09
Thanks.
----------------------------------------------------------------
The following changes since commit 983e35ce2e1ee4037f6f5d5398dfc107b22ad569:
net: hns3/hns: Update the maintainer for the HNS3/HNS ethernet driver (2024-10-09 13:40:42 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-10-09
for you to fetch changes up to c6a0862bee696cfb236a4e160a7f376c0ecdcf0c:
selftests: netfilter: conntrack_vrf.sh: add fib test case (2024-10-09 23:31:15 +0200)
----------------------------------------------------------------
netfilter pull request 24-10-09
----------------------------------------------------------------
Florian Westphal (3):
netfilter: xtables: avoid NFPROTO_UNSPEC where needed
netfilter: fib: check correct rtable in vrf setups
selftests: netfilter: conntrack_vrf.sh: add fib test case
net/ipv4/netfilter/nft_fib_ipv4.c | 4 +-
net/ipv6/netfilter/nft_fib_ipv6.c | 5 +-
net/netfilter/xt_CHECKSUM.c | 33 +++++--
net/netfilter/xt_CLASSIFY.c | 16 +++-
net/netfilter/xt_CONNSECMARK.c | 36 ++++---
net/netfilter/xt_CT.c | 106 ++++++++++++++-------
net/netfilter/xt_IDLETIMER.c | 59 ++++++++----
net/netfilter/xt_LED.c | 39 +++++---
net/netfilter/xt_NFLOG.c | 36 ++++---
net/netfilter/xt_RATEEST.c | 39 +++++---
net/netfilter/xt_SECMARK.c | 27 +++++-
net/netfilter/xt_TRACE.c | 35 ++++---
net/netfilter/xt_addrtype.c | 15 ++-
net/netfilter/xt_cluster.c | 33 +++++--
net/netfilter/xt_connbytes.c | 4 +-
net/netfilter/xt_connlimit.c | 39 +++++---
net/netfilter/xt_connmark.c | 28 +++++-
net/netfilter/xt_mark.c | 42 ++++++--
.../selftests/net/netfilter/conntrack_vrf.sh | 33 +++++++
19 files changed, 459 insertions(+), 170 deletions(-)
* [PATCH net 1/3] netfilter: xtables: avoid NFPROTO_UNSPEC where needed
2024-10-09 21:38 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
@ 2024-10-09 21:38 ` Pablo Neira Ayuso
2024-10-10 12:00 ` patchwork-bot+netdevbpf
2024-10-09 21:38 ` [PATCH net 2/3] netfilter: fib: check correct rtable in vrf setups Pablo Neira Ayuso
2024-10-09 21:38 ` [PATCH net 3/3] selftests: netfilter: conntrack_vrf.sh: add fib test case Pablo Neira Ayuso
2 siblings, 1 reply; 54+ messages in thread
From: Pablo Neira Ayuso @ 2024-10-09 21:38 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
From: Florian Westphal <fw@strlen.de>
syzbot managed to call xt_cluster match via ebtables:
WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780
[..]
ebt_do_table+0x174b/0x2a40
Module registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet
processing. As this is only useful to restrict locally terminating
TCP/UDP traffic, register this for the ipv4 and ipv6 families only.
Pablo points out that this is a general issue, direct users of the
set/getsockopt interface can call into targets/matches that were only
intended for use with ip(6)tables.
Check all UNSPEC matches and targets for similar issues:
- matches and targets are fine except if they assume skb_network_header()
is valid -- this is only true when called from inet layer: ip(6) stack
pulls the ip/ipv6 header into linear data area.
- targets that return XT_CONTINUE or other xtables verdicts must be
restricted too; they are incompatible with the ebtables traverser, e.g.
EBT_CONTINUE is a completely different value than XT_CONTINUE.
Most matches/targets are changed to register for NFPROTO_IPV4/IPV6, as
they are provided for use by ip(6)tables.
The MARK target is also used by arptables, so register for NFPROTO_ARP too.
While at it, bail out if connbytes fails to enable the corresponding
conntrack family.
This change passes the selftests in iptables.git.
Reported-by: syzbot+256c348558aa5cf611a9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netfilter-devel/66fec2e2.050a0220.9ec68.0047.GAE@google.com/
Fixes: 0269ea493734 ("netfilter: xtables: add cluster match")
Signed-off-by: Florian Westphal <fw@strlen.de>
Co-developed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_CHECKSUM.c | 33 ++++++----
net/netfilter/xt_CLASSIFY.c | 16 ++++-
net/netfilter/xt_CONNSECMARK.c | 36 +++++++----
net/netfilter/xt_CT.c | 106 +++++++++++++++++++++------------
net/netfilter/xt_IDLETIMER.c | 59 ++++++++++++------
net/netfilter/xt_LED.c | 39 ++++++++----
net/netfilter/xt_NFLOG.c | 36 +++++++----
net/netfilter/xt_RATEEST.c | 39 ++++++++----
net/netfilter/xt_SECMARK.c | 27 ++++++++-
net/netfilter/xt_TRACE.c | 35 +++++++----
net/netfilter/xt_addrtype.c | 15 ++++-
net/netfilter/xt_cluster.c | 33 ++++++----
net/netfilter/xt_connbytes.c | 4 +-
net/netfilter/xt_connlimit.c | 39 ++++++++----
net/netfilter/xt_connmark.c | 28 ++++++++-
net/netfilter/xt_mark.c | 42 +++++++++----
16 files changed, 422 insertions(+), 165 deletions(-)
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index c8a639f56168..9d99f5a3d176 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -63,24 +63,37 @@ static int checksum_tg_check(const struct xt_tgchk_param *par)
return 0;
}
-static struct xt_target checksum_tg_reg __read_mostly = {
- .name = "CHECKSUM",
- .family = NFPROTO_UNSPEC,
- .target = checksum_tg,
- .targetsize = sizeof(struct xt_CHECKSUM_info),
- .table = "mangle",
- .checkentry = checksum_tg_check,
- .me = THIS_MODULE,
+static struct xt_target checksum_tg_reg[] __read_mostly = {
+ {
+ .name = "CHECKSUM",
+ .family = NFPROTO_IPV4,
+ .target = checksum_tg,
+ .targetsize = sizeof(struct xt_CHECKSUM_info),
+ .table = "mangle",
+ .checkentry = checksum_tg_check,
+ .me = THIS_MODULE,
+ },
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "CHECKSUM",
+ .family = NFPROTO_IPV6,
+ .target = checksum_tg,
+ .targetsize = sizeof(struct xt_CHECKSUM_info),
+ .table = "mangle",
+ .checkentry = checksum_tg_check,
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init checksum_tg_init(void)
{
- return xt_register_target(&checksum_tg_reg);
+ return xt_register_targets(checksum_tg_reg, ARRAY_SIZE(checksum_tg_reg));
}
static void __exit checksum_tg_exit(void)
{
- xt_unregister_target(&checksum_tg_reg);
+ xt_unregister_targets(checksum_tg_reg, ARRAY_SIZE(checksum_tg_reg));
}
module_init(checksum_tg_init);
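Review bot: the changelog should state the user-visible effect of changing `.family` from NFPROTO_UNSPEC to NFPROTO_IPV4/IPV6 in this and the following hunks: a ruleset that loaded CHECKSUM (or any of the converted extensions) through a non-inet family now fails at rule insertion time, because the target lookup is per family, instead of being accepted and run on a packet without a valid IP header. The text explains this for cluster ("register this for ipv4 and ipv6 family only") but not that the same applies to every module touched, which matters for judging the stable impact.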
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 0accac98dea7..0ae8d8a1216e 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -38,9 +38,9 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
{
.name = "CLASSIFY",
.revision = 0,
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
- (1 << NF_INET_POST_ROUTING),
+ (1 << NF_INET_POST_ROUTING),
.target = classify_tg,
.targetsize = sizeof(struct xt_classify_target_info),
.me = THIS_MODULE,
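Review bot: the `-`/`+` pair for `(1 << NF_INET_POST_ROUTING),` in this hunk is a whitespace-only re-indentation of the `.hooks` continuation line; it is unrelated to the family change and pads the diff, so either drop it or mention it as a drive-by cleanup in the changelog.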
@@ -54,6 +54,18 @@ static struct xt_target classify_tg_reg[] __read_mostly = {
.targetsize = sizeof(struct xt_classify_target_info),
.me = THIS_MODULE,
},
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "CLASSIFY",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
+ (1 << NF_INET_POST_ROUTING),
+ .target = classify_tg,
+ .targetsize = sizeof(struct xt_classify_target_info),
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init classify_tg_init(void)
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 76acecf3e757..1494b3ee30e1 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -114,25 +114,39 @@ static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)
nf_ct_netns_put(par->net, par->family);
}
-static struct xt_target connsecmark_tg_reg __read_mostly = {
- .name = "CONNSECMARK",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .checkentry = connsecmark_tg_check,
- .destroy = connsecmark_tg_destroy,
- .target = connsecmark_tg,
- .targetsize = sizeof(struct xt_connsecmark_target_info),
- .me = THIS_MODULE,
+static struct xt_target connsecmark_tg_reg[] __read_mostly = {
+ {
+ .name = "CONNSECMARK",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .checkentry = connsecmark_tg_check,
+ .destroy = connsecmark_tg_destroy,
+ .target = connsecmark_tg,
+ .targetsize = sizeof(struct xt_connsecmark_target_info),
+ .me = THIS_MODULE,
+ },
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "CONNSECMARK",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .checkentry = connsecmark_tg_check,
+ .destroy = connsecmark_tg_destroy,
+ .target = connsecmark_tg,
+ .targetsize = sizeof(struct xt_connsecmark_target_info),
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init connsecmark_tg_init(void)
{
- return xt_register_target(&connsecmark_tg_reg);
+ return xt_register_targets(connsecmark_tg_reg, ARRAY_SIZE(connsecmark_tg_reg));
}
static void __exit connsecmark_tg_exit(void)
{
- xt_unregister_target(&connsecmark_tg_reg);
+ xt_unregister_targets(connsecmark_tg_reg, ARRAY_SIZE(connsecmark_tg_reg));
}
module_init(connsecmark_tg_init);
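Review bot: with `.family` now NFPROTO_IPV4 or NFPROTO_IPV6, the `nf_ct_netns_put(par->net, par->family)` in the destroy context at the top of this hunk (and the matching get in the checkentry) is called with a concrete family rather than NFPROTO_UNSPEC, so each registration only pins the conntrack hooks of its own family. That is the desired outcome, but it is a behaviour change beyond the lookup restriction and is worth a line in the commit message.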
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 2be2f7a7b60f..3ba94c34297c 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -313,10 +313,30 @@ static void xt_ct_tg_destroy_v1(const struct xt_tgdtor_param *par)
xt_ct_tg_destroy(par, par->targinfo);
}
+static unsigned int
+notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+ /* Previously seen (loopback)? Ignore. */
+ if (skb->_nfct != 0)
+ return XT_CONTINUE;
+
+ nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
+
+ return XT_CONTINUE;
+}
+
static struct xt_target xt_ct_tg_reg[] __read_mostly = {
+ {
+ .name = "NOTRACK",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .target = notrack_tg,
+ .table = "raw",
+ .me = THIS_MODULE,
+ },
{
.name = "CT",
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.targetsize = sizeof(struct xt_ct_target_info),
.usersize = offsetof(struct xt_ct_target_info, ct),
.checkentry = xt_ct_tg_check_v0,
@@ -327,7 +347,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
},
{
.name = "CT",
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.revision = 1,
.targetsize = sizeof(struct xt_ct_target_info_v1),
.usersize = offsetof(struct xt_ct_target_info, ct),
@@ -339,7 +359,7 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
},
{
.name = "CT",
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.revision = 2,
.targetsize = sizeof(struct xt_ct_target_info_v1),
.usersize = offsetof(struct xt_ct_target_info, ct),
@@ -349,49 +369,61 @@ static struct xt_target xt_ct_tg_reg[] __read_mostly = {
.table = "raw",
.me = THIS_MODULE,
},
-};
-
-static unsigned int
-notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
-{
- /* Previously seen (loopback)? Ignore. */
- if (skb->_nfct != 0)
- return XT_CONTINUE;
-
- nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
-
- return XT_CONTINUE;
-}
-
-static struct xt_target notrack_tg_reg __read_mostly = {
- .name = "NOTRACK",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .target = notrack_tg,
- .table = "raw",
- .me = THIS_MODULE,
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "NOTRACK",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .target = notrack_tg,
+ .table = "raw",
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "CT",
+ .family = NFPROTO_IPV6,
+ .targetsize = sizeof(struct xt_ct_target_info),
+ .usersize = offsetof(struct xt_ct_target_info, ct),
+ .checkentry = xt_ct_tg_check_v0,
+ .destroy = xt_ct_tg_destroy_v0,
+ .target = xt_ct_target_v0,
+ .table = "raw",
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "CT",
+ .family = NFPROTO_IPV6,
+ .revision = 1,
+ .targetsize = sizeof(struct xt_ct_target_info_v1),
+ .usersize = offsetof(struct xt_ct_target_info, ct),
+ .checkentry = xt_ct_tg_check_v1,
+ .destroy = xt_ct_tg_destroy_v1,
+ .target = xt_ct_target_v1,
+ .table = "raw",
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "CT",
+ .family = NFPROTO_IPV6,
+ .revision = 2,
+ .targetsize = sizeof(struct xt_ct_target_info_v1),
+ .usersize = offsetof(struct xt_ct_target_info, ct),
+ .checkentry = xt_ct_tg_check_v2,
+ .destroy = xt_ct_tg_destroy_v1,
+ .target = xt_ct_target_v1,
+ .table = "raw",
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init xt_ct_tg_init(void)
{
- int ret;
-
- ret = xt_register_target(¬rack_tg_reg);
- if (ret < 0)
- return ret;
-
- ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
- if (ret < 0) {
- xt_unregister_target(¬rack_tg_reg);
- return ret;
- }
- return 0;
+ return xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
}
static void __exit xt_ct_tg_exit(void)
{
xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
- xt_unregister_target(¬rack_tg_reg);
}
module_init(xt_ct_tg_init);
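Review bot: this hunk folds the separate `notrack_tg_reg` into `xt_ct_tg_reg` and drops the hand-rolled unwind in `xt_ct_tg_init()`, which is a simplification the changelog does not mention (it only says targets are re-registered per family). Add a sentence, since it also changes the registration order (NOTRACK now precedes CT) and relies on `xt_register_targets()` to unwind partial failure; moving `notrack_tg()` above the array is what makes most of this hunk look like a rewrite rather than a family change.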
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index db720efa811d..f8b25b6f5da7 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -458,28 +458,49 @@ static void idletimer_tg_destroy_v1(const struct xt_tgdtor_param *par)
static struct xt_target idletimer_tg[] __read_mostly = {
{
- .name = "IDLETIMER",
- .family = NFPROTO_UNSPEC,
- .target = idletimer_tg_target,
- .targetsize = sizeof(struct idletimer_tg_info),
- .usersize = offsetof(struct idletimer_tg_info, timer),
- .checkentry = idletimer_tg_checkentry,
- .destroy = idletimer_tg_destroy,
- .me = THIS_MODULE,
+ .name = "IDLETIMER",
+ .family = NFPROTO_IPV4,
+ .target = idletimer_tg_target,
+ .targetsize = sizeof(struct idletimer_tg_info),
+ .usersize = offsetof(struct idletimer_tg_info, timer),
+ .checkentry = idletimer_tg_checkentry,
+ .destroy = idletimer_tg_destroy,
+ .me = THIS_MODULE,
},
{
- .name = "IDLETIMER",
- .family = NFPROTO_UNSPEC,
- .revision = 1,
- .target = idletimer_tg_target_v1,
- .targetsize = sizeof(struct idletimer_tg_info_v1),
- .usersize = offsetof(struct idletimer_tg_info_v1, timer),
- .checkentry = idletimer_tg_checkentry_v1,
- .destroy = idletimer_tg_destroy_v1,
- .me = THIS_MODULE,
+ .name = "IDLETIMER",
+ .family = NFPROTO_IPV4,
+ .revision = 1,
+ .target = idletimer_tg_target_v1,
+ .targetsize = sizeof(struct idletimer_tg_info_v1),
+ .usersize = offsetof(struct idletimer_tg_info_v1, timer),
+ .checkentry = idletimer_tg_checkentry_v1,
+ .destroy = idletimer_tg_destroy_v1,
+ .me = THIS_MODULE,
},
-
-
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "IDLETIMER",
+ .family = NFPROTO_IPV6,
+ .target = idletimer_tg_target,
+ .targetsize = sizeof(struct idletimer_tg_info),
+ .usersize = offsetof(struct idletimer_tg_info, timer),
+ .checkentry = idletimer_tg_checkentry,
+ .destroy = idletimer_tg_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "IDLETIMER",
+ .family = NFPROTO_IPV6,
+ .revision = 1,
+ .target = idletimer_tg_target_v1,
+ .targetsize = sizeof(struct idletimer_tg_info_v1),
+ .usersize = offsetof(struct idletimer_tg_info_v1, timer),
+ .checkentry = idletimer_tg_checkentry_v1,
+ .destroy = idletimer_tg_destroy_v1,
+ .me = THIS_MODULE,
+ },
+#endif
};
static struct class *idletimer_tg_class;
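Review bot: the two existing IDLETIMER entries in this hunk are removed and re-added wholesale although only `.family` changes (the `-`/`+` lines are otherwise identical, i.e. a re-indentation), and the two stray blank lines before the closing brace are dropped. Keeping the original indentation would reduce this hunk to two one-line changes plus the new `#if` block, making the real change easier to review and backport.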
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 36c9720ad8d6..f7b0286d106a 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -175,26 +175,41 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par)
kfree(ledinternal);
}
-static struct xt_target led_tg_reg __read_mostly = {
- .name = "LED",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .target = led_tg,
- .targetsize = sizeof(struct xt_led_info),
- .usersize = offsetof(struct xt_led_info, internal_data),
- .checkentry = led_tg_check,
- .destroy = led_tg_destroy,
- .me = THIS_MODULE,
+static struct xt_target led_tg_reg[] __read_mostly = {
+ {
+ .name = "LED",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .target = led_tg,
+ .targetsize = sizeof(struct xt_led_info),
+ .usersize = offsetof(struct xt_led_info, internal_data),
+ .checkentry = led_tg_check,
+ .destroy = led_tg_destroy,
+ .me = THIS_MODULE,
+ },
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "LED",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .target = led_tg,
+ .targetsize = sizeof(struct xt_led_info),
+ .usersize = offsetof(struct xt_led_info, internal_data),
+ .checkentry = led_tg_check,
+ .destroy = led_tg_destroy,
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init led_tg_init(void)
{
- return xt_register_target(&led_tg_reg);
+ return xt_register_targets(led_tg_reg, ARRAY_SIZE(led_tg_reg));
}
static void __exit led_tg_exit(void)
{
- xt_unregister_target(&led_tg_reg);
+ xt_unregister_targets(led_tg_reg, ARRAY_SIZE(led_tg_reg));
}
module_init(led_tg_init);
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index e660c3710a10..d80abd6ccaf8 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -64,25 +64,39 @@ static void nflog_tg_destroy(const struct xt_tgdtor_param *par)
nf_logger_put(par->family, NF_LOG_TYPE_ULOG);
}
-static struct xt_target nflog_tg_reg __read_mostly = {
- .name = "NFLOG",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .checkentry = nflog_tg_check,
- .destroy = nflog_tg_destroy,
- .target = nflog_tg,
- .targetsize = sizeof(struct xt_nflog_info),
- .me = THIS_MODULE,
+static struct xt_target nflog_tg_reg[] __read_mostly = {
+ {
+ .name = "NFLOG",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .checkentry = nflog_tg_check,
+ .destroy = nflog_tg_destroy,
+ .target = nflog_tg,
+ .targetsize = sizeof(struct xt_nflog_info),
+ .me = THIS_MODULE,
+ },
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "NFLOG",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .checkentry = nflog_tg_check,
+ .destroy = nflog_tg_destroy,
+ .target = nflog_tg,
+ .targetsize = sizeof(struct xt_nflog_info),
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init nflog_tg_init(void)
{
- return xt_register_target(&nflog_tg_reg);
+ return xt_register_targets(nflog_tg_reg, ARRAY_SIZE(nflog_tg_reg));
}
static void __exit nflog_tg_exit(void)
{
- xt_unregister_target(&nflog_tg_reg);
+ xt_unregister_targets(nflog_tg_reg, ARRAY_SIZE(nflog_tg_reg));
}
module_init(nflog_tg_init);
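Review bot: the entry inside `#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)` in this hunk has `.family = NFPROTO_IPV4`, so it registers a second IPv4 NFLOG target and no IPv6 one; nothing at registration time flags the duplicate, and ip6tables rules using NFLOG will stop loading once this is merged. It should read `.family = NFPROTO_IPV6,` as in the other files in the series.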
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 80f6624e2355..4f49cfc27831 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -179,16 +179,31 @@ static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par)
xt_rateest_put(par->net, info->est);
}
-static struct xt_target xt_rateest_tg_reg __read_mostly = {
- .name = "RATEEST",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .target = xt_rateest_tg,
- .checkentry = xt_rateest_tg_checkentry,
- .destroy = xt_rateest_tg_destroy,
- .targetsize = sizeof(struct xt_rateest_target_info),
- .usersize = offsetof(struct xt_rateest_target_info, est),
- .me = THIS_MODULE,
+static struct xt_target xt_rateest_tg_reg[] __read_mostly = {
+ {
+ .name = "RATEEST",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .target = xt_rateest_tg,
+ .checkentry = xt_rateest_tg_checkentry,
+ .destroy = xt_rateest_tg_destroy,
+ .targetsize = sizeof(struct xt_rateest_target_info),
+ .usersize = offsetof(struct xt_rateest_target_info, est),
+ .me = THIS_MODULE,
+ },
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "RATEEST",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .target = xt_rateest_tg,
+ .checkentry = xt_rateest_tg_checkentry,
+ .destroy = xt_rateest_tg_destroy,
+ .targetsize = sizeof(struct xt_rateest_target_info),
+ .usersize = offsetof(struct xt_rateest_target_info, est),
+ .me = THIS_MODULE,
+ },
+#endif
};
static __net_init int xt_rateest_net_init(struct net *net)
@@ -214,12 +229,12 @@ static int __init xt_rateest_tg_init(void)
if (err)
return err;
- return xt_register_target(&xt_rateest_tg_reg);
+ return xt_register_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_reg));
}
static void __exit xt_rateest_tg_fini(void)
{
- xt_unregister_target(&xt_rateest_tg_reg);
+ xt_unregister_targets(xt_rateest_tg_reg, ARRAY_SIZE(xt_rateest_tg_reg));
unregister_pernet_subsys(&xt_rateest_net_ops);
}
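Review bot: in `xt_rateest_tg_init()` the pernet subsystem registered just above (`if (err) return err;`) is not unregistered when `xt_register_targets()` fails. The old code had the same gap with `xt_register_target()`, but since the line is being rewritten anyway it is cheap to add `unregister_pernet_subsys(&xt_rateest_net_ops);` on the error path, mirroring `xt_rateest_tg_fini()`.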
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 498a0bf6f044..5bc5ea505eb9 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -157,7 +157,7 @@ static struct xt_target secmark_tg_reg[] __read_mostly = {
{
.name = "SECMARK",
.revision = 0,
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.checkentry = secmark_tg_check_v0,
.destroy = secmark_tg_destroy,
.target = secmark_tg_v0,
@@ -167,7 +167,7 @@ static struct xt_target secmark_tg_reg[] __read_mostly = {
{
.name = "SECMARK",
.revision = 1,
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.checkentry = secmark_tg_check_v1,
.destroy = secmark_tg_destroy,
.target = secmark_tg_v1,
@@ -175,6 +175,29 @@ static struct xt_target secmark_tg_reg[] __read_mostly = {
.usersize = offsetof(struct xt_secmark_target_info_v1, secid),
.me = THIS_MODULE,
},
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "SECMARK",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .checkentry = secmark_tg_check_v0,
+ .destroy = secmark_tg_destroy,
+ .target = secmark_tg_v0,
+ .targetsize = sizeof(struct xt_secmark_target_info),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "SECMARK",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .checkentry = secmark_tg_check_v1,
+ .destroy = secmark_tg_destroy,
+ .target = secmark_tg_v1,
+ .targetsize = sizeof(struct xt_secmark_target_info_v1),
+ .usersize = offsetof(struct xt_secmark_target_info_v1, secid),
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init secmark_tg_init(void)
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index 5582dce98cae..f3fa4f11348c 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -29,25 +29,38 @@ trace_tg(struct sk_buff *skb, const struct xt_action_param *par)
return XT_CONTINUE;
}
-static struct xt_target trace_tg_reg __read_mostly = {
- .name = "TRACE",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .table = "raw",
- .target = trace_tg,
- .checkentry = trace_tg_check,
- .destroy = trace_tg_destroy,
- .me = THIS_MODULE,
+static struct xt_target trace_tg_reg[] __read_mostly = {
+ {
+ .name = "TRACE",
+ .revision = 0,
+ .family = NFPROTO_IPV4,
+ .table = "raw",
+ .target = trace_tg,
+ .checkentry = trace_tg_check,
+ .destroy = trace_tg_destroy,
+ .me = THIS_MODULE,
+ },
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "TRACE",
+ .revision = 0,
+ .family = NFPROTO_IPV6,
+ .table = "raw",
+ .target = trace_tg,
+ .checkentry = trace_tg_check,
+ .destroy = trace_tg_destroy,
+ },
+#endif
};
static int __init trace_tg_init(void)
{
- return xt_register_target(&trace_tg_reg);
+ return xt_register_targets(trace_tg_reg, ARRAY_SIZE(trace_tg_reg));
}
static void __exit trace_tg_exit(void)
{
- xt_unregister_target(&trace_tg_reg);
+ xt_unregister_targets(trace_tg_reg, ARRAY_SIZE(trace_tg_reg));
}
module_init(trace_tg_init);
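Review bot: the IPv6 `TRACE` entry in this hunk lacks `.me = THIS_MODULE,` (the IPv4 entry directly above it has it), so a rule referencing TRACE from ip6tables will not hold a module reference and `xt_TRACE` can be unloaded while the rule is still in place; add the field.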
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index e9b2181e8c42..a77088943107 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -208,13 +208,24 @@ static struct xt_match addrtype_mt_reg[] __read_mostly = {
},
{
.name = "addrtype",
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.revision = 1,
.match = addrtype_mt_v1,
.checkentry = addrtype_mt_checkentry_v1,
.matchsize = sizeof(struct xt_addrtype_info_v1),
.me = THIS_MODULE
- }
+ },
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "addrtype",
+ .family = NFPROTO_IPV6,
+ .revision = 1,
+ .match = addrtype_mt_v1,
+ .checkentry = addrtype_mt_checkentry_v1,
+ .matchsize = sizeof(struct xt_addrtype_info_v1),
+ .me = THIS_MODULE
+ },
+#endif
};
static int __init addrtype_mt_init(void)
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index a047a545371e..908fd5f2c3c8 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -146,24 +146,37 @@ static void xt_cluster_mt_destroy(const struct xt_mtdtor_param *par)
nf_ct_netns_put(par->net, par->family);
}
-static struct xt_match xt_cluster_match __read_mostly = {
- .name = "cluster",
- .family = NFPROTO_UNSPEC,
- .match = xt_cluster_mt,
- .checkentry = xt_cluster_mt_checkentry,
- .matchsize = sizeof(struct xt_cluster_match_info),
- .destroy = xt_cluster_mt_destroy,
- .me = THIS_MODULE,
+static struct xt_match xt_cluster_match[] __read_mostly = {
+ {
+ .name = "cluster",
+ .family = NFPROTO_IPV4,
+ .match = xt_cluster_mt,
+ .checkentry = xt_cluster_mt_checkentry,
+ .matchsize = sizeof(struct xt_cluster_match_info),
+ .destroy = xt_cluster_mt_destroy,
+ .me = THIS_MODULE,
+ },
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "cluster",
+ .family = NFPROTO_IPV6,
+ .match = xt_cluster_mt,
+ .checkentry = xt_cluster_mt_checkentry,
+ .matchsize = sizeof(struct xt_cluster_match_info),
+ .destroy = xt_cluster_mt_destroy,
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init xt_cluster_mt_init(void)
{
- return xt_register_match(&xt_cluster_match);
+ return xt_register_matches(xt_cluster_match, ARRAY_SIZE(xt_cluster_match));
}
static void __exit xt_cluster_mt_fini(void)
{
- xt_unregister_match(&xt_cluster_match);
+ xt_unregister_matches(xt_cluster_match, ARRAY_SIZE(xt_cluster_match));
}
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 93cb018c3055..2aabdcea8707 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -111,9 +111,11 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
return -EINVAL;
ret = nf_ct_netns_get(par->net, par->family);
- if (ret < 0)
+ if (ret < 0) {
pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
par->family);
+ return ret;
+ }
/*
* This filter cannot function correctly unless connection tracking
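Review bot: the new `return ret;` in the `if (ret < 0)` branch is a behavioural change that the patch title (avoid NFPROTO_UNSPEC where needed) does not cover: before this hunk a failed nf_ct_netns_get() only logged and execution fell through. Either note in the changelog that connbytes now rejects the rule when conntrack support cannot be set up, or split this hunk into its own patch with a Fixes: tag.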
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 0e762277bcf8..0189f8b6b0bd 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -117,26 +117,41 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
nf_ct_netns_put(par->net, par->family);
}
-static struct xt_match connlimit_mt_reg __read_mostly = {
- .name = "connlimit",
- .revision = 1,
- .family = NFPROTO_UNSPEC,
- .checkentry = connlimit_mt_check,
- .match = connlimit_mt,
- .matchsize = sizeof(struct xt_connlimit_info),
- .usersize = offsetof(struct xt_connlimit_info, data),
- .destroy = connlimit_mt_destroy,
- .me = THIS_MODULE,
+static struct xt_match connlimit_mt_reg[] __read_mostly = {
+ {
+ .name = "connlimit",
+ .revision = 1,
+ .family = NFPROTO_IPV4,
+ .checkentry = connlimit_mt_check,
+ .match = connlimit_mt,
+ .matchsize = sizeof(struct xt_connlimit_info),
+ .usersize = offsetof(struct xt_connlimit_info, data),
+ .destroy = connlimit_mt_destroy,
+ .me = THIS_MODULE,
+ },
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "connlimit",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .checkentry = connlimit_mt_check,
+ .match = connlimit_mt,
+ .matchsize = sizeof(struct xt_connlimit_info),
+ .usersize = offsetof(struct xt_connlimit_info, data),
+ .destroy = connlimit_mt_destroy,
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init connlimit_mt_init(void)
{
- return xt_register_match(&connlimit_mt_reg);
+ return xt_register_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
}
static void __exit connlimit_mt_exit(void)
{
- xt_unregister_match(&connlimit_mt_reg);
+ xt_unregister_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
}
module_init(connlimit_mt_init);
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index ad3c033db64e..4277084de2e7 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -151,7 +151,7 @@ static struct xt_target connmark_tg_reg[] __read_mostly = {
{
.name = "CONNMARK",
.revision = 1,
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.checkentry = connmark_tg_check,
.target = connmark_tg,
.targetsize = sizeof(struct xt_connmark_tginfo1),
@@ -161,13 +161,35 @@ static struct xt_target connmark_tg_reg[] __read_mostly = {
{
.name = "CONNMARK",
.revision = 2,
- .family = NFPROTO_UNSPEC,
+ .family = NFPROTO_IPV4,
.checkentry = connmark_tg_check,
.target = connmark_tg_v2,
.targetsize = sizeof(struct xt_connmark_tginfo2),
.destroy = connmark_tg_destroy,
.me = THIS_MODULE,
- }
+ },
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "CONNMARK",
+ .revision = 1,
+ .family = NFPROTO_IPV6,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg,
+ .targetsize = sizeof(struct xt_connmark_tginfo1),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "CONNMARK",
+ .revision = 2,
+ .family = NFPROTO_IPV6,
+ .checkentry = connmark_tg_check,
+ .target = connmark_tg_v2,
+ .targetsize = sizeof(struct xt_connmark_tginfo2),
+ .destroy = connmark_tg_destroy,
+ .me = THIS_MODULE,
+ },
+#endif
};
static struct xt_match connmark_mt_reg __read_mostly = {
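Review bot: connmark_mt_reg, visible as the trailing context of this hunk, keeps its single registration while both CONNMARK target revisions are now split into IPv4 and IPv6 entries. If the match is deliberately left alone because it has no family-specific path, a sentence in the changelog would keep this from being read as an oversight.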
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 1ad74b5920b5..f76fe04fc9a4 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -39,13 +39,35 @@ mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
}
-static struct xt_target mark_tg_reg __read_mostly = {
- .name = "MARK",
- .revision = 2,
- .family = NFPROTO_UNSPEC,
- .target = mark_tg,
- .targetsize = sizeof(struct xt_mark_tginfo2),
- .me = THIS_MODULE,
+static struct xt_target mark_tg_reg[] __read_mostly = {
+ {
+ .name = "MARK",
+ .revision = 2,
+ .family = NFPROTO_IPV4,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_tginfo2),
+ .me = THIS_MODULE,
+ },
+#if IS_ENABLED(CONFIG_IP_NF_ARPTABLES)
+ {
+ .name = "MARK",
+ .revision = 2,
+ .family = NFPROTO_ARP,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_tginfo2),
+ .me = THIS_MODULE,
+ },
+#endif
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
+ {
+ .name = "MARK",
+ .revision = 2,
+ .family = NFPROTO_IPV4,
+ .target = mark_tg,
+ .targetsize = sizeof(struct xt_mark_tginfo2),
+ .me = THIS_MODULE,
+ },
+#endif
};
static struct xt_match mark_mt_reg __read_mostly = {
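Review bot: the third entry, guarded by IS_ENABLED(CONFIG_IP6_NF_IPTABLES), sets `.family = NFPROTO_IPV4`; it must be `NFPROTO_IPV6`. As written, ip6tables gets no MARK target at all and the array carries two identical IPv4 registrations instead, which is exactly the breakage the per-family blocks are meant to avoid. Change that entry to `.family = NFPROTO_IPV6,`.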
@@ -61,12 +83,12 @@ static int __init mark_mt_init(void)
{
int ret;
- ret = xt_register_target(&mark_tg_reg);
+ ret = xt_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
if (ret < 0)
return ret;
ret = xt_register_match(&mark_mt_reg);
if (ret < 0) {
- xt_unregister_target(&mark_tg_reg);
+ xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
return ret;
}
return 0;
@@ -75,7 +97,7 @@ static int __init mark_mt_init(void)
static void __exit mark_mt_exit(void)
{
xt_unregister_match(&mark_mt_reg);
- xt_unregister_target(&mark_tg_reg);
+ xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
}
module_init(mark_mt_init);
--
2.30.2
* [PATCH net 2/3] netfilter: fib: check correct rtable in vrf setups
From: Pablo Neira Ayuso @ 2024-10-09 21:38 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
From: Florian Westphal <fw@strlen.de>
We need to init l3mdev unconditionally, else the main routing table is searched
and an incorrect result is returned unless strict (iif keyword) matching is
requested.
Next patch adds a selftest for this.
Fixes: 2a8a7c0eaa87 ("netfilter: nft_fib: Fix for rpath check with VRF devices")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1761
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/netfilter/nft_fib_ipv4.c | 4 +---
net/ipv6/netfilter/nft_fib_ipv6.c | 5 +++--
2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c
index 00da1332bbf1..09fff5d424ef 100644
--- a/net/ipv4/netfilter/nft_fib_ipv4.c
+++ b/net/ipv4/netfilter/nft_fib_ipv4.c
@@ -65,6 +65,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
.flowi4_scope = RT_SCOPE_UNIVERSE,
.flowi4_iif = LOOPBACK_IFINDEX,
.flowi4_uid = sock_net_uid(nft_net(pkt), NULL),
+ .flowi4_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),
};
const struct net_device *oif;
const struct net_device *found;
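Review bot: the initializer now always derives flowi4_l3mdev from nft_in(pkt), whereas the conditional removed further down only consulted the flag-selected device. On the output hook nft_in(pkt) is NULL, so this leans on l3mdev_master_ifindex_rcu() tolerating a NULL device; a one-line comment above the field stating that would save the next reader the lookup.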
@@ -83,9 +84,6 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
else
oif = NULL;
- if (priv->flags & NFTA_FIB_F_IIF)
- fl4.flowi4_l3mdev = l3mdev_master_ifindex_rcu(oif);
-
if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
nft_fib_store_result(dest, priv, nft_in(pkt));
diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
index 36dc14b34388..c9f1634b3838 100644
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -41,8 +41,6 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) {
lookup_flags |= RT6_LOOKUP_F_IFACE;
fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev);
- } else if (priv->flags & NFTA_FIB_F_IIF) {
- fl6->flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);
}
if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST)
@@ -75,6 +73,8 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
else if (priv->flags & NFTA_FIB_F_OIF)
dev = nft_out(pkt);
+ fl6.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);
+
nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph);
if (dev && nf_ipv6_chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
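Review bot: this site derives flowi6_l3mdev from `dev`, which is nft_out(pkt) when NFTA_FIB_F_OIF is set, while the nft_fib6_eval initializer below and the IPv4 counterpart use nft_in(pkt) unconditionally. If the difference is intentional (type lookups keyed on the output device's VRF), say so in the changelog; otherwise the three sites should agree on which device selects the l3mdev.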
@@ -165,6 +165,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
.flowi6_iif = LOOPBACK_IFINDEX,
.flowi6_proto = pkt->tprot,
.flowi6_uid = sock_net_uid(nft_net(pkt), NULL),
+ .flowi6_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),
};
struct rt6_info *rt;
int lookup_flags;
--
2.30.2
* [PATCH net 3/3] selftests: netfilter: conntrack_vrf.sh: add fib test case
From: Pablo Neira Ayuso @ 2024-10-09 21:38 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
From: Florian Westphal <fw@strlen.de>
meta iifname veth0 ip daddr ... fib daddr oif
... is expected to return the "dummy0" interface, which is part of the same vrf
as veth0.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
.../selftests/net/netfilter/conntrack_vrf.sh | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
diff --git a/tools/testing/selftests/net/netfilter/conntrack_vrf.sh b/tools/testing/selftests/net/netfilter/conntrack_vrf.sh
index 073e8e62d350..e95ecb37c2b1 100755
--- a/tools/testing/selftests/net/netfilter/conntrack_vrf.sh
+++ b/tools/testing/selftests/net/netfilter/conntrack_vrf.sh
@@ -32,6 +32,7 @@ source lib.sh
IP0=172.30.30.1
IP1=172.30.30.2
+DUMMYNET=10.9.9
PFXL=30
ret=0
@@ -54,6 +55,7 @@ setup_ns ns0 ns1
ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.default.rp_filter=0
ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.all.rp_filter=0
ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.all.rp_filter=0
+ip netns exec "$ns0" sysctl -q -w net.ipv4.conf.all.forwarding=1
if ! ip link add veth0 netns "$ns0" type veth peer name veth0 netns "$ns1" > /dev/null 2>&1; then
echo "SKIP: Could not add veth device"
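Review bot: the two consecutive `net.ipv4.conf.all.rp_filter=0` lines in the context are a pre-existing duplicate; since this hunk already touches the sysctl block, dropping one of them would be a cheap cleanup.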
@@ -65,13 +67,18 @@ if ! ip -net "$ns0" li add tvrf type vrf table 9876; then
exit $ksft_skip
fi
+ip -net "$ns0" link add dummy0 type dummy
+
ip -net "$ns0" li set veth0 master tvrf
+ip -net "$ns0" li set dummy0 master tvrf
ip -net "$ns0" li set tvrf up
ip -net "$ns0" li set veth0 up
+ip -net "$ns0" li set dummy0 up
ip -net "$ns1" li set veth0 up
ip -net "$ns0" addr add $IP0/$PFXL dev veth0
ip -net "$ns1" addr add $IP1/$PFXL dev veth0
+ip -net "$ns0" addr add $DUMMYNET.1/$PFXL dev dummy0
listener_ready()
{
@@ -212,9 +219,35 @@ EOF
fi
}
+test_fib()
+{
+ip netns exec "$ns0" nft -f - <<EOF
+flush ruleset
+table ip t {
+ counter fibcount { }
+
+ chain prerouting {
+ type filter hook prerouting priority 0;
+ meta iifname veth0 ip daddr $DUMMYNET.2 fib daddr oif dummy0 counter name fibcount notrack
+ }
+}
+EOF
+ ip -net "$ns1" route add 10.9.9.0/24 via "$IP0" dev veth0
+ ip netns exec "$ns1" ping -q -w 1 -c 1 "$DUMMYNET".2 > /dev/null
+
+ if ip netns exec "$ns0" nft list counter t fibcount | grep -q "packets 1"; then
+ echo "PASS: fib lookup returned exepected output interface"
+ else
+ echo "FAIL: fib lookup did not return exepected output interface"
+ ret=1
+ return
+ fi
+}
+
test_ct_zone_in
test_masquerade_vrf "default"
test_masquerade_vrf "pfifo"
test_masquerade_veth
+test_fib
exit $ret
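Review bot: "exepected" is misspelled in both the PASS and FAIL messages of test_fib(). Three smaller points in the same function: `ip -net "$ns1" route add 10.9.9.0/24` hard-codes the prefix that $DUMMYNET already holds (use "$DUMMYNET".0/24 so the two cannot drift apart); the `return` after `ret=1` is redundant as the last statement of the function; and `grep -q "packets 1"` also matches "packets 10" and above, so anchoring the count (for example "packets 1 ") avoids a false PASS if the rule ever sees more than one packet.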
--
2.30.2
* Re: [PATCH net 1/3] netfilter: xtables: avoid NFPROTO_UNSPEC where needed
From: patchwork-bot+netdevbpf @ 2024-10-10 12:00 UTC
To: Pablo Neira Ayuso
Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet, fw
Hello:
This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Wed, 9 Oct 2024 23:38:56 +0200 you wrote:
> From: Florian Westphal <fw@strlen.de>
>
> syzbot managed to call xt_cluster match via ebtables:
>
> WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780
> [..]
> ebt_do_table+0x174b/0x2a40
>
> [...]
Here is the summary with links:
- [net,1/3] netfilter: xtables: avoid NFPROTO_UNSPEC where needed
https://git.kernel.org/netdev/net/c/0bfcb7b71e73
- [net,2/3] netfilter: fib: check correct rtable in vrf setups
https://git.kernel.org/netdev/net/c/05ef7055debc
- [net,3/3] selftests: netfilter: conntrack_vrf.sh: add fib test case
https://git.kernel.org/netdev/net/c/c6a0862bee69
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* [PATCH net 0/3] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2024-11-14 12:57 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw
Hi,
The following patchset contains Netfilter fixes for net:
1) Update .gitignore in selftest to skip conntrack_reverse_clash,
from Li Zhijian.
2) Fix conntrack_dump_flush return values, from Guan Jing.
3) syzbot found that ipset's bitmap type does not properly check for
bitmap's first ip, from Jeongjun Park.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-14
Thanks.
----------------------------------------------------------------
The following changes since commit 50ae879de107ca2fe2ca99180f6ba95770f32a62:
Merge tag 'nf-24-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf (2024-10-31 12:13:08 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-11-14
for you to fetch changes up to 35f56c554eb1b56b77b3cf197a6b00922d49033d:
netfilter: ipset: add missing range check in bitmap_ip_uadt (2024-11-14 13:47:26 +0100)
----------------------------------------------------------------
netfilter pull request 24-11-14
----------------------------------------------------------------
Jeongjun Park (1):
netfilter: ipset: add missing range check in bitmap_ip_uadt
Li Zhijian (1):
selftests: netfilter: Add missing gitignore file
guanjing (1):
selftests: netfilter: Fix missing return values in conntrack_dump_flush
net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++-----
tools/testing/selftests/net/netfilter/.gitignore | 1 +
tools/testing/selftests/net/netfilter/conntrack_dump_flush.c | 6 ++++++
3 files changed, 9 insertions(+), 5 deletions(-)
* Re: [PATCH net 0/3] Netfilter fixes for net
From: Paolo Abeni @ 2024-11-14 14:54 UTC
To: Pablo Neira Ayuso, netfilter-devel; +Cc: davem, netdev, kuba, edumazet, fw
On 11/14/24 13:57, Pablo Neira Ayuso wrote:
> The following patchset contains Netfilter fixes for net:
>
> 1) Update .gitignore in selftest to skip conntrack_reverse_clash,
> from Li Zhijian.
>
> 2) Fix conntrack_dump_flush return values, from Guan Jing.
>
> 3) syzbot found that ipset's bitmap type does not properly check for
> bitmap's first ip, from Jeongjun Park.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-14
Almost over the air collision, I just sent the net PR for -rc8. Do any
of the above fixes have a strong need to land into 6.12?
/P
* Re: [PATCH net 0/3] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2024-11-14 15:00 UTC
To: Paolo Abeni; +Cc: netfilter-devel, davem, netdev, kuba, edumazet, fw
On Thu, Nov 14, 2024 at 03:54:56PM +0100, Paolo Abeni wrote:
> On 11/14/24 13:57, Pablo Neira Ayuso wrote:
> > The following patchset contains Netfilter fixes for net:
> >
> > 1) Update .gitignore in selftest to skip conntrack_reverse_clash,
> > from Li Zhijian.
> >
> > 2) Fix conntrack_dump_flush return values, from Guan Jing.
> >
> > 3) syzbot found that ipset's bitmap type does not properly check for
> > bitmap's first ip, from Jeongjun Park.
> >
> > Please, pull these changes from:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-14
>
> Almost over the air collision, I just sent the net PR for -rc8. Do any
> of the above fixes have a strong need to land into 6.12?
selftests fixes are trivial.
ipset fix would be good to have.
But if this is pushing things too much to the limit on your side,
then skip.
* Re: [PATCH net 0/3] Netfilter fixes for net
From: Paolo Abeni @ 2024-11-14 15:31 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, edumazet, fw
On 11/14/24 16:00, Pablo Neira Ayuso wrote:
> On Thu, Nov 14, 2024 at 03:54:56PM +0100, Paolo Abeni wrote:
>> On 11/14/24 13:57, Pablo Neira Ayuso wrote:
>>> The following patchset contains Netfilter fixes for net:
>>>
>>> 1) Update .gitignore in selftest to skip conntrack_reverse_clash,
>>> from Li Zhijian.
>>>
>>> 2) Fix conntrack_dump_flush return values, from Guan Jing.
>>>
>>> 3) syzbot found that ipset's bitmap type does not properly check for
>>> bitmap's first ip, from Jeongjun Park.
>>>
>>> Please, pull these changes from:
>>>
>>> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-14
>>
>> Almost over the air collision, I just sent the net PR for -rc8. Do any
>> of the above fixes have a strong need to land into 6.12?
>
> selftests fixes are trivial.
>
> ipset fix would be good to have.
>
> But if this is pushing things too much to the limit on your side,
> then skip.
I would need to take back the already shared net PR. I prefer to avoid
such a thing to avoid confusion with the process, especially for non
critical stuff.
It looks like the ipset fix addresses a quite ancient issue, I
guess/hope it's not extremely critical.
/P
* Re: [PATCH net 0/3] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2024-11-14 18:08 UTC
To: Paolo Abeni; +Cc: netfilter-devel, davem, netdev, kuba, edumazet, fw
On Thu, Nov 14, 2024 at 04:31:48PM +0100, Paolo Abeni wrote:
> On 11/14/24 16:00, Pablo Neira Ayuso wrote:
> > On Thu, Nov 14, 2024 at 03:54:56PM +0100, Paolo Abeni wrote:
> >> On 11/14/24 13:57, Pablo Neira Ayuso wrote:
> >>> The following patchset contains Netfilter fixes for net:
> >>>
> >>> 1) Update .gitignore in selftest to skip conntrack_reverse_clash,
> >>> from Li Zhijian.
> >>>
> >>> 2) Fix conntrack_dump_flush return values, from Guan Jing.
> >>>
> >>> 3) syzbot found that ipset's bitmap type does not properly check for
> >>> bitmap's first ip, from Jeongjun Park.
> >>>
> >>> Please, pull these changes from:
> >>>
> >>> git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-14
> >>
> >> Almost over the air collision, I just sent the net PR for -rc8. Do any
> >> of the above fixes have a strong need to land into 6.12?
> >
> > selftests fixes are trivial.
> >
> > ipset fix would be good to have.
> >
> > But if this is pushing things too much to the limit on your side,
> > then skip.
>
> I would need to take back the already shared net PR. I prefer to avoid
> such a thing to avoid confusion with the process, especially for non
> critical stuff.
We can wait, thanks.
> It looks like the ipset fix addresses a quite ancient issue, I
> guess/hope it's not extremely critical.
* [PATCH net 0/3] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2024-12-11 23:01 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw, phil
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix bogus test reports in rpath.sh selftest by adding permanent
neighbor entries, from Phil Sutter.
2) Lockdep reports possible ABBA deadlock in xt_IDLETIMER, fix it by
removing sysfs out of the mutex section, also from Phil Sutter.
3) It is illegal to release basechain via RCU callback, for several
reasons. Keep it simple and safe by calling synchronize_rcu() instead.
This partially reverts a botched recent attempt of mine to fix
this basechain release path on netdevice removal.
From Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-12-11
Thanks.
----------------------------------------------------------------
The following changes since commit 31f1b55d5d7e531cd827419e5d71c19f24de161c:
net :mana :Request a V2 response version for MANA_QUERY_GF_STAT (2024-12-05 12:02:15 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-12-11
for you to fetch changes up to b04df3da1b5c6f6dc7cdccc37941740c078c4043:
netfilter: nf_tables: do not defer rule destruction via call_rcu (2024-12-11 23:27:50 +0100)
----------------------------------------------------------------
netfilter pull request 24-12-11
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nf_tables: do not defer rule destruction via call_rcu
Phil Sutter (2):
selftests: netfilter: Stabilize rpath.sh
netfilter: IDLETIMER: Fix for possible ABBA deadlock
include/net/netfilter/nf_tables.h | 4 --
net/netfilter/nf_tables_api.c | 32 ++++++++--------
net/netfilter/xt_IDLETIMER.c | 52 ++++++++++++++------------
tools/testing/selftests/net/netfilter/rpath.sh | 18 ++++++++-
4 files changed, 59 insertions(+), 47 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2025-03-06 15:34 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw, horms
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix racy non-atomic read-then-increment operation with
PREEMPT_RT in nft_ct, from Sebastian Andrzej Siewior.
2) GC is not skipped when jiffies wrap around in nf_conncount,
from Nicklas Bo Jensen.
3) flush_work() on nf_tables_destroy_work waits for the last queued
instance, this could be an instance that is different from the one
that we must wait for, then make destruction work queue.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-03-06
Thanks.
P.S: This is coming late after net-6.14-rc6, please, apply after your
pending pull request is accepted. Thanks.
----------------------------------------------------------------
The following changes since commit a466fd7e9fafd975949e5945e2f70c33a94b1a70:
caif_virtio: fix wrong pointer check in cfv_probe() (2025-02-28 18:04:23 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-03-06
for you to fetch changes up to fb8286562ecfb585e26b033c5e32e6fb85efb0b3:
netfilter: nf_tables: make destruction work queue pernet (2025-03-06 13:35:54 +0100)
----------------------------------------------------------------
netfilter pull request 25-03-06
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nf_tables: make destruction work queue pernet
Nicklas Bo Jensen (1):
netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around
Sebastian Andrzej Siewior (1):
netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template.
include/net/netfilter/nf_tables.h | 4 +++-
net/netfilter/nf_conncount.c | 4 ++--
net/netfilter/nf_tables_api.c | 24 ++++++++++++++----------
net/netfilter/nft_compat.c | 8 ++++----
net/netfilter/nft_ct.c | 6 ++++--
5 files changed, 27 insertions(+), 19 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2025-04-03 11:57 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw, horms
Hi,
The following batch contains Netfilter fixes for net:
1) conncount incorrectly removes element for non-dynamic sets,
these elements represent a static control plane configuration,
leave them in place.
2) syzbot found a way to unregister a basechain that has never been
registered from the chain update path, fix from Florian Westphal.
3) Fix incorrect pointer arithmetics in geneve support for tunnel,
from Lin Ma.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-04-03
Thanks.
----------------------------------------------------------------
The following changes since commit ed3ba9b6e280e14cc3148c1b226ba453f02fa76c:
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF. (2025-03-21 22:10:06 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-04-03
for you to fetch changes up to 1b755d8eb1ace3870789d48fbd94f386ad6e30be:
netfilter: nft_tunnel: fix geneve_opt type confusion addition (2025-04-03 13:32:03 +0200)
----------------------------------------------------------------
netfilter pull request 25-04-03
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nf_tables: don't unregister hook when table is dormant
Lin Ma (1):
netfilter: nft_tunnel: fix geneve_opt type confusion addition
Pablo Neira Ayuso (1):
netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only
net/netfilter/nf_tables_api.c | 4 ++--
net/netfilter/nft_set_hash.c | 3 ++-
net/netfilter/nft_tunnel.c | 4 ++--
3 files changed, 6 insertions(+), 5 deletions(-)
* [PATCH net 0/3] Netfilter fixes for net
From: Florian Westphal @ 2025-08-13 11:36 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
The following patchset contains Netfilter fixes for *net*:
1) I managed to add a null dereference crash in nft_set_pipapo
in the current development cycle; it was not caught by CI
because the avx2 implementation is fine, but the selftest
splats when run on a non-avx2 host.
2) Fix the ipvs estimator kthread affinity, which has been incorrect
since 6.14. From Frederic Weisbecker.
3) nf_tables should not allow to add a device to a flowtable
or netdev chain more than once -- reject this.
From Pablo Neira Ayuso. This has been broken for a long time; the
blamed commit dates from v5.8.
Please, pull these changes from:
The following changes since commit d7e82594a45c5cb270940ac469846e8026c7db0f:
selftests: tls: test TCP stealing data from under the TLS socket (2025-08-12 18:59:06 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-08-13
for you to fetch changes up to cf5fb87fcdaaaafec55dcc0dc5a9e15ead343973:
netfilter: nf_tables: reject duplicate device on updates (2025-08-13 08:34:55 +0200)
----------------------------------------------------------------
netfilter pull request nf-25-08-13
----------------------------------------------------------------
Florian Westphal (1):
netfilter: nft_set_pipapo: fix null deref for empty set
Frederic Weisbecker (1):
ipvs: Fix estimator kthreads preferred affinity
Pablo Neira Ayuso (1):
netfilter: nf_tables: reject duplicate device on updates
include/net/ip_vs.h | 13 +++++++++++++
kernel/kthread.c | 1 +
net/netfilter/ipvs/ip_vs_est.c | 3 ++-
net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++
net/netfilter/nft_set_pipapo.c | 5 ++---
5 files changed, 48 insertions(+), 4 deletions(-)
--
2.49.1