
[net,0/8] Netfilter fixes for net

Message ID: 20240814222042.150590-1-pablo@netfilter.org
State Accepted
Delegated to: Netdev Maintainers

Pull-request

git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-08-15

Message

Pablo Neira Ayuso Aug. 14, 2024, 10:20 p.m. UTC
Hi,

The following patchset contains Netfilter fixes for net:

1) Ignore ifindex for types other than mcast/linklocal in ipv6 frag
   reasm, from Tom Hughes.

2) Initialize extack for begin/end netlink message marker in batch,
   from Donald Hunter.

3) Initialize extack for flowtable offload support, also from Donald.

4) Drop packets with cloned unconfirmed conntracks in nfqueue; it
   should later be possible to explore a lookup after reinject, but
   Florian prefers this approach at this stage. From Florian Westphal.

5) Add selftest for cloned unconfirmed conntracks in nfqueue for
   previous update.

6) Audit after filling netlink header successfully in object dump,
   from Phil Sutter.

7-8) Fix concurrent dump and reset, which could result in underflow
     of counter / quota objects.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-08-15

Thanks.

----------------------------------------------------------------

The following changes since commit a2cbb1603943281a604f5adc48079a148db5cb0d:

  tcp: Update window clamping condition (2024-08-14 10:50:49 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-08-15

for you to fetch changes up to bd662c4218f9648e888bebde9468146965f3f8a0:

  netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests (2024-08-14 23:44:55 +0200)

----------------------------------------------------------------
netfilter pull request 24-08-15

----------------------------------------------------------------
Donald Hunter (2):
      netfilter: nfnetlink: Initialise extack before use in ACKs
      netfilter: flowtable: initialise extack before use

Florian Westphal (2):
      netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
      selftests: netfilter: add test for br_netfilter+conntrack+queue combination

Phil Sutter (3):
      netfilter: nf_tables: Audit log dump reset after the fact
      netfilter: nf_tables: Introduce nf_tables_getobj_single
      netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests

Tom Hughes (1):
      netfilter: allow ipv6 fragments to arrive on different devices

 net/bridge/br_netfilter_hooks.c                    |   6 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   4 +
 net/netfilter/nf_flow_table_offload.c              |   2 +-
 net/netfilter/nf_tables_api.c                      | 147 ++++++++++++++-------
 net/netfilter/nfnetlink.c                          |   5 +-
 net/netfilter/nfnetlink_queue.c                    |  35 ++++-
 tools/testing/selftests/net/netfilter/Makefile     |   1 +
 .../selftests/net/netfilter/br_netfilter_queue.sh  |  78 +++++++++++
 8 files changed, 228 insertions(+), 50 deletions(-)
 create mode 100755 tools/testing/selftests/net/netfilter/br_netfilter_queue.sh