
Merge tag 'nf-next-25-10-30' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

Florian Westphal says:

====================
netfilter: updates for net-next

1) Convert nf_tables 'nft_set_iter' usage to use C99 struct
initialization, from Fernando Fernandez Mancera.
2) Disallow nf_conntrack_max=0. This was an (undocumented)
historic inheritance from ip_conntrack (ipv4 only nf_conntrack
predecessor). Doing so will simplify future changes to make
this pernet-tuneable.
3) Fix a typo in conntrack.h comment, from Weibiao Tu.

* tag 'nf-next-25-10-30' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: fix typo in nf_conntrack_l4proto.h comment
netfilter: conntrack: disable 0 value for conntrack_max setting
netfilter: nf_tables: use C99 struct initializer for nft_set_iter
====================

Link: https://patch.msgid.link/20251030121954.29175-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+25 -30
+1 -1
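--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -30,7 +30,7 @@
 /* called by gc worker if table is full */
 bool (*can_early_drop)(const struct nf_conn *ct);
 
-/* convert protoinfo to nfnetink attributes */
+/* convert protoinfo to nfnetlink attributes */
 int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla,
 struct nf_conn *ct, bool destroy);
 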
+1 -1
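--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1668,7 +1668,7 @@
 /* We don't want any race condition at early drop stage */
 ct_count = atomic_inc_return(&cnet->count);
 
-if (nf_conntrack_max && unlikely(ct_count > nf_conntrack_max)) {
+if (unlikely(ct_count > nf_conntrack_max)) {
 if (!early_drop(net, hash)) {
 if (!conntrack_gc_work.early_drop)
 conntrack_gc_work.early_drop = true;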
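Review bot: Dropping the `nf_conntrack_max &&` guard makes this allocation path depend entirely on the sysctl bounds in net/netfilter/nf_conntrack_standalone.c (both tables now use SYSCTL_ONE); if any other write path can still leave nf_conntrack_max at 0, the test degenerates to `ct_count > 0` and every new conntrack would be pushed through early_drop(). A one-line comment above the test would record that dependency for the next reader: `/* nf_conntrack_max >= 1 is enforced by the sysctl bounds; 0 no longer means unlimited */`. The user-visible change (a write of 0 is now rejected instead of meaning unlimited) is worth a sentence in the nf_conntrack_max sysctl documentation, since the commit message notes the old meaning was undocumented. The enclosing function starts and ends outside the hunk.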
+2 -2
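--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -648,7 +648,7 @@
 .maxlen = sizeof(int),
 .mode = 0644,
 .proc_handler = proc_dointvec_minmax,
-.extra1 = SYSCTL_ZERO,
+.extra1 = SYSCTL_ONE,
 .extra2 = SYSCTL_INT_MAX,
 },
 [NF_SYSCTL_CT_COUNT] = {
@@ -929,7 +929,7 @@
 .maxlen = sizeof(int),
 .mode = 0644,
 .proc_handler = proc_dointvec_minmax,
-.extra1 = SYSCTL_ZERO,
+.extra1 = SYSCTL_ONE,
 .extra2 = SYSCTL_INT_MAX,
 },
 };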
+16 -18
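--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5770,7 +5770,11 @@
 struct nft_set_binding *binding)
 {
 struct nft_set_binding *i;
-struct nft_set_iter iter;
+struct nft_set_iter iter = {
+.genmask = nft_genmask_next(ctx->net),
+.type = NFT_ITER_UPDATE,
+.fn = nf_tables_bind_check_setelem,
+};
 
 if (!list_empty(&set->bindings) && nft_set_is_anonymous(set))
 return -EBUSY;
@@ -5788,13 +5784,6 @@
 i->chain == binding->chain)
 goto bind;
 }
-
-iter.genmask = nft_genmask_next(ctx->net);
-iter.type = NFT_ITER_UPDATE;
-iter.skip = 0;
-iter.count = 0;
-iter.err = 0;
-iter.fn = nf_tables_bind_check_setelem;
 
 set->ops->walk(ctx, set, &iter);
 if (!iter.err)
@@ -6192,7 +6195,17 @@
 struct nftables_pernet *nft_net;
 struct nft_table *table;
 struct nft_set *set;
-struct nft_set_dump_args args;
+struct nft_set_dump_args args = {
+.cb = cb,
+.skb = skb,
+.reset = dump_ctx->reset,
+.iter = {
+.genmask = nft_genmask_cur(net),
+.type = NFT_ITER_READ,
+.skip = cb->args[0],
+.fn = nf_tables_dump_setelem,
+},
+};
 bool set_found = false;
 struct nlmsghdr *nlh;
 struct nlattr *nest;
@@ -6253,15 +6246,6 @@
 if (nest == NULL)
 goto nla_put_failure;
 
-args.cb = cb;
-args.skb = skb;
-args.reset = dump_ctx->reset;
-args.iter.genmask = nft_genmask_cur(net);
-args.iter.type = NFT_ITER_READ;
-args.iter.skip = cb->args[0];
-args.iter.count = 0;
-args.iter.err = 0;
-args.iter.fn = nf_tables_dump_setelem;
 set->ops->walk(&dump_ctx->ctx, set, &args.iter);
 
 if (!args.iter.err && args.iter.count == cb->args[0])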
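Review bot: The initializer in the first hunk evaluates `nft_genmask_next(ctx->net)` at the point of declaration, so it now runs before the `-EBUSY` early return and before the bindings loop that can `goto bind`, whereas the old code computed it only just ahead of `set->ops->walk()`; net/netfilter/nft_lookup.c in this series moves the same call ahead of its `return 0` in the same way. That is harmless as long as nft_genmask_next() is a plain read of the generation cursor with no side effects, which these hunks do not show, so it is worth confirming rather than assuming. The dropped explicit `.skip`/`.count`/`.err` stores are covered by the designated initializer zeroing the unnamed members, so no behaviour changes there. Both enclosing functions start and end outside the hunks.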
+5 -8
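--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -246,18 +246,15 @@
 const struct nft_expr *expr)
 {
 const struct nft_lookup *priv = nft_expr_priv(expr);
-struct nft_set_iter iter;
+struct nft_set_iter iter = {
+.genmask = nft_genmask_next(ctx->net),
+.type = NFT_ITER_UPDATE,
+.fn = nft_setelem_validate,
+};
 
 if (!(priv->set->flags & NFT_SET_MAP) ||
 priv->set->dtype != NFT_DATA_VERDICT)
 return 0;
-
-iter.genmask = nft_genmask_next(ctx->net);
-iter.type = NFT_ITER_UPDATE;
-iter.skip = 0;
-iter.count = 0;
-iter.err = 0;
-iter.fn = nft_setelem_validate;
 
 priv->set->ops->walk(ctx, priv->set, &iter);
 if (!iter.err)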