Mirror of https://github.com/torvalds/linux.git, synced 2026-05-13 00:28:54 +02:00
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEjF9xRqF1emXiQiqU1w0aZmrPKyEFAmn0hZ8ACgkQ1w0aZmrP
KyFzNg//ZVbSZyMag+CJoIJv3sMFDJ7uLSEko9mR0nNvo6hPZDWAysCNychhPCDl
w9yiar5wM9W1zcSWvtlBFozZUcS55mQbcqCHNEyJdSjQ1zTr7C9Dl9zDU3jDJEoK
aplUk5VvFYFqEp4Bqy7EA1VGY5uc2WzmbsCAf9Z2pjprTQKD/E5tzyx0RFEPksKU
0pSvsC8VfOES6mJs3KIng6TfvnaC/TWilOtjXC/1y1jl+WftXgwb0gwIVnWKjZnc
yEJ6h4VOiW2NjwcW+gcaaqvt0c1T4EO/bDvuVnCJzwxDZKI2W9KOs8yQytO2hNTo
jrAyjTB0F3yDxcnDP1AO8ipkJzu42wOfZblrZKvSmC4Kwwqq8QlsXqD1HMh3oMqv
JGNJSB8rNbIqt9RTMB+A5wiAZvZbSGZc3qH+y7Z5z/2Zl7u0+Zwl20YZ1r7RqM9Z
Ay/+QzZIyRAyKmQDr8nSoqmBy2i0wfw79NovvhgPDl9qak8Cfc8Df8wkd59t3z33
0VzPO9kieTWW6aqW19l88C7dtspsd93IsMZz3He3Lvy5e4dpPG+2OdLKpPkTYHBg
17KY4Qs7gYM0m5baHlcmana4bZHWcBz146dmIMUuhoj3gPyjgV+s/Hum3YxD/P43
PNA6X8pI38R8O97VkPXYg1aoQIRLt9YsGwVTYxPXv2gZgLD0Acw=
=ASC0
-----END PGP SIGNATURE-----
Merge tag 'nf-26-05-01' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following batch contains Netfilter fixes for net:
1) Replace skb_try_make_writable() by skb_ensure_writable() in
nft_fwd_netdev and the flowtable to deal with uncloned packets
having their network header in paged fragments.
2) Drop packet if output device does not exist and ensure sufficient
headroom in nft_fwd_netdev before transmitting the skb.
3) Use the existing dup recursion counter in nft_fwd_netdev for the
neigh_xmit variant, from Weiming Shi.
4) Add .check_hooks interface to x_tables to detach the control plane
hook check based on the match/target configuration. Then, update
nft_compat to use .check_hooks from .validate path, this fixes a
lack of hook validation for several match/targets.
5) Fix incorrect .usersize in xt_CT, from Florian Westphal.
6) Fix a memleak with netdev tables in dormant state,
from Florian Westphal.
7) Several patches to check if the packet is a fragment, then skip
layer 4 inspection, for x_tables and nf_tables; as well as common
nf_socket infrastructure. The xt_hashlimit match drops fragments
to stay consistent with the existing approach when failing to parse
the layer 4 protocol header.
8) Ensure sufficient headroom in the flowtable before transmitting
the skb.
9) Fix the flowtable inline vlan approach for double-tagged vlan:
Reverse the iteration over .encap[] since it represents the
encapsulation as seen from the ingress path. Postpone pushing
layer 2 header so output device is available to calculate needed
headroom. Finally, add and use nf_flow_vlan_push() to fix it.
10) Fix flowtable inline pppoe with GSO packets. Moreover, use
FLOW_OFFLOAD_XMIT_DIRECT to fill up destination hardware
address since neighbour cache does not exist in pppoe.
11) Use skb_pull_rcsum() to decapsulate vlan and pppoe headers, for
double-tagged vlan in particular this should provide some benefits
in certain scenarios.
More notes regarding 9-11):
- sashiko is also signalling to use it for IPIP headers, but that needs
more adjustments such as setting skb->protocol after removing the IPIP
header, will follow up in a separate patch.
- I plan to submit selftests to cover double-tagged-vlan. As for pppoe,
it should be possible but that would mandate a few userspace dependencies.
This has been semi-automatically tested by me and reporters describing
broken double-vlan-tagged and pppoe currently in the flowtable.
* tag 'nf-26-05-01' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
netfilter: flowtable: use skb_pull_rcsum() to pop vlan/pppoe header
netfilter: flowtable: fix inline pppoe encapsulation in xmit path
netfilter: flowtable: fix inline vlan encapsulation in xmit path
netfilter: flowtable: ensure sufficient headroom in xmit path
netfilter: xtables: fix L4 header parsing for non-first fragments
netfilter: nf_tables: skip L4 header parsing for non-first fragments
netfilter: nf_socket: skip socket lookup for non-first fragments
netfilter: nf_tables: fix netdev hook allocation memleak with dormant tables
netfilter: xt_CT: fix usersize for v1 and v2 revision
netfilter: nft_compat: run xt_check_hooks_{match,target}() from .validate
netfilter: x_tables: add .check_hooks to matches and targets
netfilter: nft_fwd_netdev: use recursion counter in neigh egress path
netfilter: nft_fwd_netdev: add device and headroom validate with neigh forwarding
netfilter: replace skb_try_make_writable() by skb_ensure_writable()
====================
Link: https://patch.msgid.link/20260501122237.296262-1-pablo@netfilter.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
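Item 7 of the summary above (skip layer 4 inspection on fragments) is easy to misread as a parsing nicety. The security point is that only the first fragment of an IPv4 datagram carries the L4 header; a matcher that reads "ports" from a non-first fragment is reading payload bytes, so whatever it decides is under the sender's control. The user-space model below is an added example written for this page, not kernel code from the netfilter tree: it assumes the "non-first fragment" test is simply a non-zero fragment offset (as the commit titles describe), constructs two sample IPv4 packets with zeroed checksums, and contrasts a naive port reader with one that refuses to parse L4 fields on a non-first fragment. The function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 fragment field bits (same layout as the on-the-wire header). */
#define IP_MF     0x2000  /* "more fragments" flag                   */
#define IP_OFFSET 0x1FFF  /* 13-bit fragment offset, in 8-byte units */

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Classify an IPv4 packet.
 *  returns 1 : non-first fragment (offset != 0): no L4 header is present
 *  returns 0 : offset 0, so the L4 header follows the IP header
 *              (this includes the first fragment of a fragmented datagram)
 *  returns -1: truncated or not IPv4
 */
int ipv4_is_nonfirst_fragment(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl)
        return -1;
    return (be16(pkt + 6) & IP_OFFSET) != 0;
}

/*
 * Naive matcher: read the two 16-bit fields that follow the IP header as
 * ports, whatever the fragment offset says. On a non-first fragment those
 * bytes are payload, so the "ports" are whatever the sender put there.
 * Returns 0 on success, -1 if the packet is too short.
 */
int naive_l4_ports(const uint8_t *pkt, size_t len, uint16_t *sport, uint16_t *dport)
{
    if (len < 20)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || len < ihl + 4)
        return -1;
    *sport = be16(pkt + ihl);
    *dport = be16(pkt + ihl + 2);
    return 0;
}

/*
 * Fragment-aware matcher: refuse L4 parsing on non-first fragments.
 * Returns 0 with ports filled in, -1 if there is no L4 header to parse
 * (non-first fragment, truncated, or not IPv4).
 */
int fragment_aware_l4_ports(const uint8_t *pkt, size_t len, uint16_t *sport, uint16_t *dport)
{
    if (ipv4_is_nonfirst_fragment(pkt, len) != 0)
        return -1;
    return naive_l4_ports(pkt, len, sport, dport);
}

/* Constructed sample packets (checksums left zero; not valid on the wire). */
/* First fragment: MF set, offset 0, proto TCP, then TCP ports 443 -> 40000. */
const uint8_t FIRST_FRAG[24] = {
    0x45, 0x00, 0x00, 0x18, 0x12, 0x34, 0x20, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x01, 0xbb, 0x9c, 0x40
};
/* Non-first fragment: MF clear, offset 185 (byte 1480), proto TCP, followed
 * by payload bytes chosen so that they look like ports 80 -> 53. */
const uint8_t NONFIRST_FRAG[24] = {
    0x45, 0x00, 0x00, 0x18, 0x12, 0x34, 0x00, 0xb9, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x00, 0x50, 0x00, 0x35
};

int main(void)
{
    uint16_t s, d;
    if (naive_l4_ports(NONFIRST_FRAG, sizeof NONFIRST_FRAG, &s, &d) == 0)
        printf("naive: non-first fragment 'matched' ports %u -> %u\n", s, d);
    if (fragment_aware_l4_ports(NONFIRST_FRAG, sizeof NONFIRST_FRAG, &s, &d) < 0)
        printf("fragment-aware: no L4 header on non-first fragment, skipped\n");
    if (fragment_aware_l4_ports(FIRST_FRAG, sizeof FIRST_FRAG, &s, &d) == 0)
        printf("fragment-aware: first fragment ports %u -> %u\n", s, d);
    return 0;
}
```

The model deliberately keeps the first fragment (MF set, offset 0) parseable, since it does carry the L4 header; what a rule does with a non-first fragment once L4 parsing is skipped (pass it through, or drop it as xt_hashlimit does per the summary) is a policy choice, and the kernel patches listed above make that choice per module.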
Directory listing at this commit: .., acpi, asm-generic, clocksource, crypto, cxl, drm, dt-bindings, hyperv, keys, kunit, kvm, linux, math-emu, media, memory, misc, net, pcmcia, ras, rdma, rv, scsi, soc, sound, target, trace, uapi, ufs, vdso, video, xen, Kbuild