Hi,
The following patchset contains Netfilter fixes for net:
1) Ignore ifindex for types other than mcast/linklocal in ipv6 frag
   reasm, from Tom Hughes.
2) Initialize extack for begin/end netlink message marker in batch,
   from Donald Hunter.
3) Initialize extack for flowtable offload support, also from Donald.
4) Drop packets with cloned unconfirmed conntracks in nfqueue. Later it
   should be possible to explore lookup after reinject, but Florian
   prefers this approach at this stage. From Florian Westphal.
5) Add selftest for cloned unconfirmed conntracks in nfqueue for the
   previous update.
6) Audit after filling netlink header successfully in object dump,
   from Phil Sutter.
7-8) Fix concurrent dump and reset, which could result in underflow of
     counter / quota objects.
Please pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-08-15
Thanks.
----------------------------------------------------------------
The following changes since commit a2cbb1603943281a604f5adc48079a148db5cb0d:
tcp: Update window clamping condition (2024-08-14 10:50:49 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-08-15
for you to fetch changes up to bd662c4218f9648e888bebde9468146965f3f8a0:
netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests (2024-08-14 23:44:55 +0200)
----------------------------------------------------------------
netfilter pull request 24-08-15
----------------------------------------------------------------
Donald Hunter (2):
      netfilter: nfnetlink: Initialise extack before use in ACKs
      netfilter: flowtable: initialise extack before use

Florian Westphal (2):
      netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
      selftests: netfilter: add test for br_netfilter+conntrack+queue combination

Phil Sutter (3):
      netfilter: nf_tables: Audit log dump reset after the fact
      netfilter: nf_tables: Introduce nf_tables_getobj_single
      netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests

Tom Hughes (1):
      netfilter: allow ipv6 fragments to arrive on different devices
 net/bridge/br_netfilter_hooks.c                   |   6 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c           |   4 +
 net/netfilter/nf_flow_table_offload.c             |   2 +-
 net/netfilter/nf_tables_api.c                     | 147 ++++++++++++++-------
 net/netfilter/nfnetlink.c                         |   5 +-
 net/netfilter/nfnetlink_queue.c                   |  35 ++++-
 tools/testing/selftests/net/netfilter/Makefile    |   1 +
 .../selftests/net/netfilter/br_netfilter_queue.sh |  78 +++++++++++
 8 files changed, 228 insertions(+), 50 deletions(-)
 create mode 100755 tools/testing/selftests/net/netfilter/br_netfilter_queue.sh