[PATCH net 0/7] Netfilter fixes for net

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

This patchset contains Netfilter fixes for net:

1) Reduce number of hardware offload retries from flowtable datapath
   which might hog system with retries, from Felix Fietkau.

2) Skip neighbour lookup for PPPoE device, fill_forward_path() already
   provides this and set on destination address from fill_forward_path for
   PPPoE device, also from Felix.

4) When combining PPPoE on top of a VLAN device, set info->outdev to the
   PPPoE device so software offload works, from Felix.

5) Fix TCP teardown flowtable state, races with conntrack gc might result
   in resetting the state to ESTABLISHED and the time to one day. Joint
   work with Oz Shlomo and Sven Auhagen.

6) Call dst_check() from flowtable datapath to check if dst is stale
   instead of doing it from garbage collector path.

7) Disable register tracking infrastructure, either user-space or
   kernel need to pre-fetch keys inconditionally, otherwise register
   tracking assumes data is already available in register that might
   not well be there, leading to incorrect reductions.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit f3f19f939c11925dadd3f4776f99f8c278a7017b:

  Merge tag 'net-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2022-05-12 11:51:45 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 9e539c5b6d9c5b996e45105921ee9dd955c0f535:

  netfilter: nf_tables: disable expression reduction infra (2022-05-18 17:34:26 +0200)

----------------------------------------------------------------
Felix Fietkau (4):
      netfilter: flowtable: fix excessive hw offload attempts after failure
      netfilter: nft_flow_offload: skip dst neigh lookup for ppp devices
      net: fix dev_fill_forward_path with pppoe + bridge
      netfilter: nft_flow_offload: fix offload with pppoe + vlan

Pablo Neira Ayuso (2):
      netfilter: flowtable: fix TCP flow teardown
      netfilter: nf_tables: disable expression reduction infra

Ritaro Takenaka (1):
      netfilter: flowtable: move dst_check to packet path

 drivers/net/ppp/pppoe.c            |  1 +
 include/linux/netdevice.h          |  2 +-
 net/core/dev.c                     |  2 +-
 net/netfilter/nf_flow_table_core.c | 60 +++++++-------------------------------
 net/netfilter/nf_flow_table_ip.c   | 19 ++++++++++++
 net/netfilter/nf_tables_api.c      | 11 +------
 net/netfilter/nft_flow_offload.c   | 28 +++++++++++-------
 7 files changed, 51 insertions(+), 72 deletions(-)

[PATCH net 1/7] netfilter: flowtable: fix excessive hw offload attempts after failure

[Pablo Neira Ayuso]

From: Felix Fietkau <nbd@nbd.name>

If a flow cannot be offloaded, the code currently repeatedly tries again as
quickly as possible, which can significantly increase system load.
Fix this by limiting flow timeout update and hardware offload retry to once
per second.

Fixes: c07531c01d82 ("netfilter: flowtable: Remove redundant hw refresh bit")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_flow_table_core.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 3db256da919b..20b4a14e5d4e 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -335,8 +335,10 @@ void flow_offload_refresh(struct nf_flowtable *flow_table,
 	u32 timeout;
 
 	timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
-	if (READ_ONCE(flow->timeout) != timeout)
+	if (timeout - READ_ONCE(flow->timeout) > HZ)
 		WRITE_ONCE(flow->timeout, timeout);
+	else
+		return;
 
 	if (likely(!nf_flowtable_hw_offload(flow_table)))
 		return;
-- 
2.30.2

[PATCH net 2/7] netfilter: nft_flow_offload: skip dst neigh lookup for ppp devices

[Pablo Neira Ayuso]

From: Felix Fietkau <nbd@nbd.name>

The dst entry does not contain a valid hardware address, so skip the lookup
in order to avoid running into errors here.
The proper hardware address is filled in from nft_dev_path_info

Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_flow_offload.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 900d48c810a1..d88de26aad75 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -36,6 +36,15 @@ static void nft_default_forward_path(struct nf_flow_route *route,
 	route->tuple[dir].xmit_type	= nft_xmit_type(dst_cache);
 }
 
+static bool nft_is_valid_ether_device(const struct net_device *dev)
+{
+	if (!dev || (dev->flags & IFF_LOOPBACK) || dev->type != ARPHRD_ETHER ||
+	    dev->addr_len != ETH_ALEN || !is_valid_ether_addr(dev->dev_addr))
+		return false;
+
+	return true;
+}
+
 static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
 				     const struct dst_entry *dst_cache,
 				     const struct nf_conn *ct,
@@ -47,6 +56,9 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
 	struct neighbour *n;
 	u8 nud_state;
 
+	if (!nft_is_valid_ether_device(dev))
+		goto out;
+
 	n = dst_neigh_lookup(dst_cache, daddr);
 	if (!n)
 		return -1;
@@ -60,6 +72,7 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
 	if (!(nud_state & NUD_VALID))
 		return -1;
 
+out:
 	return dev_fill_forward_path(dev, ha, stack);
 }
 
@@ -78,15 +91,6 @@ struct nft_forward_info {
 	enum flow_offload_xmit_type xmit_type;
 };
 
-static bool nft_is_valid_ether_device(const struct net_device *dev)
-{
-	if (!dev || (dev->flags & IFF_LOOPBACK) || dev->type != ARPHRD_ETHER ||
-	    dev->addr_len != ETH_ALEN || !is_valid_ether_addr(dev->dev_addr))
-		return false;
-
-	return true;
-}
-
 static void nft_dev_path_info(const struct net_device_path_stack *stack,
 			      struct nft_forward_info *info,
 			      unsigned char *ha, struct nf_flowtable *flowtable)
-- 
2.30.2

[PATCH net 3/7] net: fix dev_fill_forward_path with pppoe + bridge

[Pablo Neira Ayuso]

From: Felix Fietkau <nbd@nbd.name>

When calling dev_fill_forward_path on a pppoe device, the provided destination
address is invalid. In order for the bridge fdb lookup to succeed, the pppoe
code needs to update ctx->daddr to the correct value.
Fix this by storing the address inside struct net_device_path_ctx

Fixes: f6efc675c9dd ("net: ppp: resolve forwarding path for bridge pppoe devices")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 drivers/net/ppp/pppoe.c   | 1 +
 include/linux/netdevice.h | 2 +-
 net/core/dev.c            | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c
index 3619520340b7..e172743948ed 100644
--- a/drivers/net/ppp/pppoe.c
+++ b/drivers/net/ppp/pppoe.c
@@ -988,6 +988,7 @@ static int pppoe_fill_forward_path(struct net_device_path_ctx *ctx,
 	path->encap.proto = htons(ETH_P_PPP_SES);
 	path->encap.id = be16_to_cpu(po->num);
 	memcpy(path->encap.h_dest, po->pppoe_pa.remote, ETH_ALEN);
+	memcpy(ctx->daddr, po->pppoe_pa.remote, ETH_ALEN);
 	path->dev = ctx->dev;
 	ctx->dev = dev;
 
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index b1fbe21650bb..f736c020cde2 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -900,7 +900,7 @@ struct net_device_path_stack {
 
 struct net_device_path_ctx {
 	const struct net_device *dev;
-	const u8		*daddr;
+	u8			daddr[ETH_ALEN];
 
 	int			num_vlans;
 	struct {
diff --git a/net/core/dev.c b/net/core/dev.c
index 1461c2d9dec8..2771fd22dc6a 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -681,11 +681,11 @@ int dev_fill_forward_path(const struct net_device *dev, const u8 *daddr,
 	const struct net_device *last_dev;
 	struct net_device_path_ctx ctx = {
 		.dev	= dev,
-		.daddr	= daddr,
 	};
 	struct net_device_path *path;
 	int ret = 0;
 
+	memcpy(ctx.daddr, daddr, sizeof(ctx.daddr));
 	stack->num_paths = 0;
 	while (ctx.dev && ctx.dev->netdev_ops->ndo_fill_forward_path) {
 		last_dev = ctx.dev;
-- 
2.30.2

[PATCH net 4/7] netfilter: nft_flow_offload: fix offload with pppoe + vlan

[Pablo Neira Ayuso]

From: Felix Fietkau <nbd@nbd.name>

When running a combination of PPPoE on top of a VLAN, we need to set
info->outdev to the PPPoE device, otherwise PPPoE encap is skipped
during software offload.

Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_flow_offload.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index d88de26aad75..187b8cb9a510 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -123,7 +123,8 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
 				info->indev = NULL;
 				break;
 			}
-			info->outdev = path->dev;
+			if (!info->outdev)
+				info->outdev = path->dev;
 			info->encap[info->num_encaps].id = path->encap.id;
 			info->encap[info->num_encaps].proto = path->encap.proto;
 			info->num_encaps++;
-- 
2.30.2

[PATCH net 5/7] netfilter: flowtable: fix TCP flow teardown

[Pablo Neira Ayuso]

This patch addresses three possible problems:

1. ct gc may race to undo the timeout adjustment of the packet path, leaving
   the conntrack entry in place with the internal offload timeout (one day).

2. ct gc removes the ct because the IPS_OFFLOAD_BIT is not set and the CLOSE
   timeout is reached before the flow offload del.

3. tcp ct is always set to ESTABLISHED with a very long timeout
   in flow offload teardown/delete even though the state might be already
   CLOSED. Also as a remark we cannot assume that the FIN or RST packet
   is hitting flow table teardown as the packet might get bumped to the
   slow path in nftables.

This patch resets IPS_OFFLOAD_BIT from flow_offload_teardown(), so
conntrack handles the tcp rst/fin packet which triggers the CLOSE/FIN
state transition.

Moreover, teturn the connection's ownership to conntrack upon teardown
by clearing the offload flag and fixing the established timeout value.
The flow table GC thread will asynchonrnously free the flow table and
hardware offload entries.

Before this patch, the IPS_OFFLOAD_BIT remained set for expired flows on
which is also misleading since the flow is back to classic conntrack
path.

If nf_ct_delete() removes the entry from the conntrack table, then it
calls nf_ct_put() which decrements the refcnt. This is not a problem
because the flowtable holds a reference to the conntrack object from
flow_offload_alloc() path which is released via flow_offload_free().

This patch also updates nft_flow_offload to skip packets in SYN_RECV
state. Since we might miss or bump packets to slow path, we do not know
what will happen there while we are still in SYN_RECV, this patch
postpones offload up to the next packet which also aligns to the
existing behaviour in tc-ct.

flow_offload_teardown() does not reset the existing tcp state from
flow_offload_fixup_tcp() to ESTABLISHED anymore, packets bump to slow
path might have already update the state to CLOSE/FIN.

Joint work with Oz and Sven.

Fixes: 1e5b2471bcc4 ("netfilter: nf_flow_table: teardown flow timeout race")
Signed-off-by: Oz Shlomo <ozsh@nvidia.com>
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_flow_table_core.c | 33 +++++++-----------------------
 net/netfilter/nft_flow_offload.c   |  3 ++-
 2 files changed, 9 insertions(+), 27 deletions(-)

diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 20b4a14e5d4e..ebdf5332e838 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -179,12 +179,11 @@ EXPORT_SYMBOL_GPL(flow_offload_route_init);
 
 static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
 {
-	tcp->state = TCP_CONNTRACK_ESTABLISHED;
 	tcp->seen[0].td_maxwin = 0;
 	tcp->seen[1].td_maxwin = 0;
 }
 
-static void flow_offload_fixup_ct_timeout(struct nf_conn *ct)
+static void flow_offload_fixup_ct(struct nf_conn *ct)
 {
 	struct net *net = nf_ct_net(ct);
 	int l4num = nf_ct_protonum(ct);
@@ -193,7 +192,9 @@ static void flow_offload_fixup_ct_timeout(struct nf_conn *ct)
 	if (l4num == IPPROTO_TCP) {
 		struct nf_tcp_net *tn = nf_tcp_pernet(net);
 
-		timeout = tn->timeouts[TCP_CONNTRACK_ESTABLISHED];
+		flow_offload_fixup_tcp(&ct->proto.tcp);
+
+		timeout = tn->timeouts[ct->proto.tcp.state];
 		timeout -= tn->offload_timeout;
 	} else if (l4num == IPPROTO_UDP) {
 		struct nf_udp_net *tn = nf_udp_pernet(net);
@@ -211,18 +212,6 @@ static void flow_offload_fixup_ct_timeout(struct nf_conn *ct)
 		WRITE_ONCE(ct->timeout, nfct_time_stamp + timeout);
 }
 
-static void flow_offload_fixup_ct_state(struct nf_conn *ct)
-{
-	if (nf_ct_protonum(ct) == IPPROTO_TCP)
-		flow_offload_fixup_tcp(&ct->proto.tcp);
-}
-
-static void flow_offload_fixup_ct(struct nf_conn *ct)
-{
-	flow_offload_fixup_ct_state(ct);
-	flow_offload_fixup_ct_timeout(ct);
-}
-
 static void flow_offload_route_release(struct flow_offload *flow)
 {
 	nft_flow_dst_release(flow, FLOW_OFFLOAD_DIR_ORIGINAL);
@@ -361,22 +350,14 @@ static void flow_offload_del(struct nf_flowtable *flow_table,
 	rhashtable_remove_fast(&flow_table->rhashtable,
 			       &flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].node,
 			       nf_flow_offload_rhash_params);
-
-	clear_bit(IPS_OFFLOAD_BIT, &flow->ct->status);
-
-	if (nf_flow_has_expired(flow))
-		flow_offload_fixup_ct(flow->ct);
-	else
-		flow_offload_fixup_ct_timeout(flow->ct);
-
 	flow_offload_free(flow);
 }
 
 void flow_offload_teardown(struct flow_offload *flow)
 {
+	clear_bit(IPS_OFFLOAD_BIT, &flow->ct->status);
 	set_bit(NF_FLOW_TEARDOWN, &flow->flags);
-
-	flow_offload_fixup_ct_state(flow->ct);
+	flow_offload_fixup_ct(flow->ct);
 }
 EXPORT_SYMBOL_GPL(flow_offload_teardown);
 
@@ -466,7 +447,7 @@ static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table,
 	if (nf_flow_has_expired(flow) ||
 	    nf_ct_is_dying(flow->ct) ||
 	    nf_flow_has_stale_dst(flow))
-		set_bit(NF_FLOW_TEARDOWN, &flow->flags);
+		flow_offload_teardown(flow);
 
 	if (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) {
 		if (test_bit(NF_FLOW_HW, &flow->flags)) {
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 187b8cb9a510..6f0b07fe648d 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -298,7 +298,8 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 	case IPPROTO_TCP:
 		tcph = skb_header_pointer(pkt->skb, nft_thoff(pkt),
 					  sizeof(_tcph), &_tcph);
-		if (unlikely(!tcph || tcph->fin || tcph->rst))
+		if (unlikely(!tcph || tcph->fin || tcph->rst ||
+			     !nf_conntrack_tcp_established(ct)))
 			goto out;
 		break;
 	case IPPROTO_UDP:
-- 
2.30.2

[PATCH net 6/7] netfilter: flowtable: move dst_check to packet path

[Pablo Neira Ayuso]

From: Ritaro Takenaka <ritarot634@gmail.com>

Fixes sporadic IPv6 packet loss when flow offloading is enabled.

IPv6 route GC and flowtable GC are not synchronized.
When dst_cache becomes stale and a packet passes through the flow before
the flowtable GC teardowns it, the packet can be dropped.
So, it is necessary to check dst every time in packet path.

Fixes: 227e1e4d0d6c ("netfilter: nf_flowtable: skip device lookup from interface index")
Signed-off-by: Ritaro Takenaka <ritarot634@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_flow_table_core.c | 23 +----------------------
 net/netfilter/nf_flow_table_ip.c   | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 22 deletions(-)

diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index ebdf5332e838..f2def06d1070 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -421,32 +421,11 @@ nf_flow_table_iterate(struct nf_flowtable *flow_table,
 	return err;
 }
 
-static bool flow_offload_stale_dst(struct flow_offload_tuple *tuple)
-{
-	struct dst_entry *dst;
-
-	if (tuple->xmit_type == FLOW_OFFLOAD_XMIT_NEIGH ||
-	    tuple->xmit_type == FLOW_OFFLOAD_XMIT_XFRM) {
-		dst = tuple->dst_cache;
-		if (!dst_check(dst, tuple->dst_cookie))
-			return true;
-	}
-
-	return false;
-}
-
-static bool nf_flow_has_stale_dst(struct flow_offload *flow)
-{
-	return flow_offload_stale_dst(&flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple) ||
-	       flow_offload_stale_dst(&flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple);
-}
-
 static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table,
 				    struct flow_offload *flow, void *data)
 {
 	if (nf_flow_has_expired(flow) ||
-	    nf_ct_is_dying(flow->ct) ||
-	    nf_flow_has_stale_dst(flow))
+	    nf_ct_is_dying(flow->ct))
 		flow_offload_teardown(flow);
 
 	if (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) {
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 32c0eb1b4821..b350fe9d00b0 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -248,6 +248,15 @@ static bool nf_flow_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
 	return true;
 }
 
+static inline bool nf_flow_dst_check(struct flow_offload_tuple *tuple)
+{
+	if (tuple->xmit_type != FLOW_OFFLOAD_XMIT_NEIGH &&
+	    tuple->xmit_type != FLOW_OFFLOAD_XMIT_XFRM)
+		return true;
+
+	return dst_check(tuple->dst_cache, tuple->dst_cookie);
+}
+
 static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb,
 				      const struct nf_hook_state *state,
 				      struct dst_entry *dst)
@@ -367,6 +376,11 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 	if (nf_flow_state_check(flow, iph->protocol, skb, thoff))
 		return NF_ACCEPT;
 
+	if (!nf_flow_dst_check(&tuplehash->tuple)) {
+		flow_offload_teardown(flow);
+		return NF_ACCEPT;
+	}
+
 	if (skb_try_make_writable(skb, thoff + hdrsize))
 		return NF_DROP;
 
@@ -624,6 +638,11 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
 	if (nf_flow_state_check(flow, ip6h->nexthdr, skb, thoff))
 		return NF_ACCEPT;
 
+	if (!nf_flow_dst_check(&tuplehash->tuple)) {
+		flow_offload_teardown(flow);
+		return NF_ACCEPT;
+	}
+
 	if (skb_try_make_writable(skb, thoff + hdrsize))
 		return NF_DROP;
 
-- 
2.30.2

[PATCH net 7/7] netfilter: nf_tables: disable expression reduction infra

[Pablo Neira Ayuso]

Either userspace or kernelspace need to pre-fetch keys inconditionally
before comparisons for this to work. Otherwise, register tracking data
is misleading and it might result in reducing expressions which are not
yet registers.

First expression is also guaranteed to be evaluated always, however,
certain expressions break before writing data to registers, before
comparing the data, leaving the register in undetermined state.

This patch disables this infrastructure by now.

Fixes: b2d306542ff9 ("netfilter: nf_tables: do not reduce read-only expressions")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 16c3a39689f4..a096b9fbbbdf 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8342,16 +8342,7 @@ EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);
 static bool nft_expr_reduce(struct nft_regs_track *track,
 			    const struct nft_expr *expr)
 {
-	if (!expr->ops->reduce) {
-		pr_warn_once("missing reduce for expression %s ",
-			     expr->ops->type->name);
-		return false;
-	}
-
-	if (nft_reduce_is_readonly(expr))
-		return false;
-
-	return expr->ops->reduce(track, expr);
+	return false;
 }
 
 static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
-- 
2.30.2

Re: [PATCH net 1/7] netfilter: flowtable: fix excessive hw offload attempts after failure

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Wed, 18 May 2022 23:38:35 +0200 you wrote:
> From: Felix Fietkau <nbd@nbd.name>
> 
> If a flow cannot be offloaded, the code currently repeatedly tries again as
> quickly as possible, which can significantly increase system load.
> Fix this by limiting flow timeout update and hardware offload retry to once
> per second.
> 
> [...]

Here is the summary with links:
  - [net,1/7] netfilter: flowtable: fix excessive hw offload attempts after failure
    https://git.kernel.org/netdev/net/c/396ef64113a8
  - [net,2/7] netfilter: nft_flow_offload: skip dst neigh lookup for ppp devices
    https://git.kernel.org/netdev/net/c/45ca3e61999e
  - [net,3/7] net: fix dev_fill_forward_path with pppoe + bridge
    https://git.kernel.org/netdev/net/c/cf2df74e202d
  - [net,4/7] netfilter: nft_flow_offload: fix offload with pppoe + vlan
    https://git.kernel.org/netdev/net/c/245607493500
  - [net,5/7] netfilter: flowtable: fix TCP flow teardown
    https://git.kernel.org/netdev/net/c/e5eaac2beb54
  - [net,6/7] netfilter: flowtable: move dst_check to packet path
    https://git.kernel.org/netdev/net/c/2738d9d963bd
  - [net,7/7] netfilter: nf_tables: disable expression reduction infra
    https://git.kernel.org/netdev/net/c/9e539c5b6d9c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Re: [PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

On Thu, Apr 11, 2024 at 01:58:37PM +0200, Paolo Abeni wrote:
> On Thu, 2024-04-11 at 13:42 +0200, Pablo Neira Ayuso wrote:
> > On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> > > On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > > > Hi,
> > > > 
> > > > The following patchset contains Netfilter fixes for net:
> > > > 
> > > > Patches #1 and #2 add missing rcu read side lock when iterating over
> > > > expression and object type list which could race with module removal.
> > > > 
> > > > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > > > 	 to amend a recent fix to address conntrack confirmation race
> > > > 	 in br_netfilter and nf_conntrack_bridge.
> > > > 
> > > > Patch #4 adds and uses iterate decorator type to fetch the current
> > > > 	 pipapo set backend datastructure view when netlink dumps the
> > > > 	 set elements.
> > > > 
> > > > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> > > > 
> > > > Patch #6 flowtable validates pppoe header before accessing it.
> > > > 
> > > > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> > > >          fails and pppoe packets follow classic path.
> > > > 
> > > > Please, pull these changes from:
> > > > 
> > > >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> > > > 
> > > > Thanks.
> > > > 
> > > > ----------------------------------------------------------------
> > > > 
> > > > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> > > > 
> > > >   r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> > > > 
> > > > are available in the Git repository at:
> > > > 
> > > >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> > > > 
> > > > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> > > > 
> > > >   netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> > > > 
> > > > ----------------------------------------------------------------
> > > > netfilter pull request 24-04-11
> > > > 
> > > > ----------------------------------------------------------------
> > > > Florian Westphal (1):
> > > >       netfilter: nft_set_pipapo: do not free live element
> > > > 
> > > > Pablo Neira Ayuso (4):
> > > >       netfilter: br_netfilter: skip conntrack input hook for promisc packets
> > > >       netfilter: nft_set_pipapo: walk over current view on netlink dump
> > > >       netfilter: flowtable: validate pppoe header
> > > >       netfilter: flowtable: incorrect pppoe tuple
> > > > 
> > > > Ziyang Xuan (2):
> > > >       netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> > > >       netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> > > > 
> > > >  include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
> > > >  include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
> > > >  net/bridge/br_input.c                      | 15 +++++++++++----
> > > >  net/bridge/br_netfilter_hooks.c            |  6 ++++++
> > > >  net/bridge/br_private.h                    |  1 +
> > > >  net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> > > >  net/netfilter/nf_flow_table_inet.c         |  3 ++-
> > > >  net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
> > > >  net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
> > > >  net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
> > > >  10 files changed, 91 insertions(+), 25 deletions(-)
> > > 
> > > Whoops, I'm finishing testing right now todays PR, I hope it's not a
> > > big issue if this lands later?
> > 
> > Apologies, I am working at full steam here, I could not deliver any sooner.
> 
> I'm sorry, I was likely unclear, the above was just a question (not a
> complain): do you have strong preference for these fixes to land into
> today's PR? (the answer is unclear to me)

No problem Paolo, I can miss this flight, it is OK.

Re: [PATCH net 0/7] Netfilter fixes for net

[Paolo Abeni]

On Thu, 2024-04-11 at 13:42 +0200, Pablo Neira Ayuso wrote:
> On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> > On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > > Hi,
> > > 
> > > The following patchset contains Netfilter fixes for net:
> > > 
> > > Patches #1 and #2 add missing rcu read side lock when iterating over
> > > expression and object type list which could race with module removal.
> > > 
> > > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > > 	 to amend a recent fix to address conntrack confirmation race
> > > 	 in br_netfilter and nf_conntrack_bridge.
> > > 
> > > Patch #4 adds and uses iterate decorator type to fetch the current
> > > 	 pipapo set backend datastructure view when netlink dumps the
> > > 	 set elements.
> > > 
> > > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> > > 
> > > Patch #6 flowtable validates pppoe header before accessing it.
> > > 
> > > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> > >          fails and pppoe packets follow classic path.
> > > 
> > > Please, pull these changes from:
> > > 
> > >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> > > 
> > > Thanks.
> > > 
> > > ----------------------------------------------------------------
> > > 
> > > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> > > 
> > >   r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> > > 
> > > are available in the Git repository at:
> > > 
> > >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> > > 
> > > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> > > 
> > >   netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> > > 
> > > ----------------------------------------------------------------
> > > netfilter pull request 24-04-11
> > > 
> > > ----------------------------------------------------------------
> > > Florian Westphal (1):
> > >       netfilter: nft_set_pipapo: do not free live element
> > > 
> > > Pablo Neira Ayuso (4):
> > >       netfilter: br_netfilter: skip conntrack input hook for promisc packets
> > >       netfilter: nft_set_pipapo: walk over current view on netlink dump
> > >       netfilter: flowtable: validate pppoe header
> > >       netfilter: flowtable: incorrect pppoe tuple
> > > 
> > > Ziyang Xuan (2):
> > >       netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> > >       netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> > > 
> > >  include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
> > >  include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
> > >  net/bridge/br_input.c                      | 15 +++++++++++----
> > >  net/bridge/br_netfilter_hooks.c            |  6 ++++++
> > >  net/bridge/br_private.h                    |  1 +
> > >  net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> > >  net/netfilter/nf_flow_table_inet.c         |  3 ++-
> > >  net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
> > >  net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
> > >  net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
> > >  10 files changed, 91 insertions(+), 25 deletions(-)
> > 
> > Whoops, I'm finishing testing right now todays PR, I hope it's not a
> > big issue if this lands later?
> 
> Apologies, I am working at full steam here, I could not deliver any sooner.

I'm sorry, I was likely unclear, the above was just a question (not a
complain): do you have strong preference for these fixes to land into
today's PR? (the answer is unclear to me)

Thanks!

Paolo

Re: [PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

On Thu, Apr 11, 2024 at 01:39:30PM +0200, Paolo Abeni wrote:
> On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> > Hi,
> > 
> > The following patchset contains Netfilter fixes for net:
> > 
> > Patches #1 and #2 add missing rcu read side lock when iterating over
> > expression and object type list which could race with module removal.
> > 
> > Patch #3 prevents promisc packet from visiting the bridge/input hook
> > 	 to amend a recent fix to address conntrack confirmation race
> > 	 in br_netfilter and nf_conntrack_bridge.
> > 
> > Patch #4 adds and uses iterate decorator type to fetch the current
> > 	 pipapo set backend datastructure view when netlink dumps the
> > 	 set elements.
> > 
> > Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> > 
> > Patch #6 flowtable validates pppoe header before accessing it.
> > 
> > Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
> >          fails and pppoe packets follow classic path.
> > 
> > Please, pull these changes from:
> > 
> >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> > 
> > Thanks.
> > 
> > ----------------------------------------------------------------
> > 
> > The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> > 
> >   r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> > 
> > are available in the Git repository at:
> > 
> >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> > 
> > for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> > 
> >   netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> > 
> > ----------------------------------------------------------------
> > netfilter pull request 24-04-11
> > 
> > ----------------------------------------------------------------
> > Florian Westphal (1):
> >       netfilter: nft_set_pipapo: do not free live element
> > 
> > Pablo Neira Ayuso (4):
> >       netfilter: br_netfilter: skip conntrack input hook for promisc packets
> >       netfilter: nft_set_pipapo: walk over current view on netlink dump
> >       netfilter: flowtable: validate pppoe header
> >       netfilter: flowtable: incorrect pppoe tuple
> > 
> > Ziyang Xuan (2):
> >       netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
> >       netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> > 
> >  include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
> >  include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
> >  net/bridge/br_input.c                      | 15 +++++++++++----
> >  net/bridge/br_netfilter_hooks.c            |  6 ++++++
> >  net/bridge/br_private.h                    |  1 +
> >  net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
> >  net/netfilter/nf_flow_table_inet.c         |  3 ++-
> >  net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
> >  net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
> >  net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
> >  10 files changed, 91 insertions(+), 25 deletions(-)
> 
> Whoops, I'm finishing testing right now todays PR, I hope it's not a
> big issue if this lands later?

Apologies, I am working at full steam here, I could not deliver any sooner.

Re: [PATCH net 0/7] Netfilter fixes for net

[Paolo Abeni]

On Thu, 2024-04-11 at 13:28 +0200, Pablo Neira Ayuso wrote:
> Hi,
> 
> The following patchset contains Netfilter fixes for net:
> 
> Patches #1 and #2 add missing rcu read side lock when iterating over
> expression and object type list which could race with module removal.
> 
> Patch #3 prevents promisc packet from visiting the bridge/input hook
> 	 to amend a recent fix to address conntrack confirmation race
> 	 in br_netfilter and nf_conntrack_bridge.
> 
> Patch #4 adds and uses iterate decorator type to fetch the current
> 	 pipapo set backend datastructure view when netlink dumps the
> 	 set elements.
> 
> Patch #5 fixes removal of duplicate elements in the pipapo set backend.
> 
> Patch #6 flowtable validates pppoe header before accessing it.
> 
> Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
>          fails and pppoe packets follow classic path.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11
> 
> Thanks.
> 
> ----------------------------------------------------------------
> 
> The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:
> 
>   r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)
> 
> are available in the Git repository at:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11
> 
> for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:
> 
>   netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)
> 
> ----------------------------------------------------------------
> netfilter pull request 24-04-11
> 
> ----------------------------------------------------------------
> Florian Westphal (1):
>       netfilter: nft_set_pipapo: do not free live element
> 
> Pablo Neira Ayuso (4):
>       netfilter: br_netfilter: skip conntrack input hook for promisc packets
>       netfilter: nft_set_pipapo: walk over current view on netlink dump
>       netfilter: flowtable: validate pppoe header
>       netfilter: flowtable: incorrect pppoe tuple
> 
> Ziyang Xuan (2):
>       netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
>       netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
> 
>  include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
>  include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
>  net/bridge/br_input.c                      | 15 +++++++++++----
>  net/bridge/br_netfilter_hooks.c            |  6 ++++++
>  net/bridge/br_private.h                    |  1 +
>  net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
>  net/netfilter/nf_flow_table_inet.c         |  3 ++-
>  net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
>  net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
>  net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
>  10 files changed, 91 insertions(+), 25 deletions(-)

Whoops, I'm finishing testing right now todays PR, I hope it's not a
big issue if this lands later?

Thanks,

Paolo

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

Patches #1 and #2 add missing rcu read side lock when iterating over
expression and object type list which could race with module removal.

Patch #3 prevents promisc packet from visiting the bridge/input hook
	 to amend a recent fix to address conntrack confirmation race
	 in br_netfilter and nf_conntrack_bridge.

Patch #4 adds and uses iterate decorator type to fetch the current
	 pipapo set backend datastructure view when netlink dumps the
	 set elements.

Patch #5 fixes removal of duplicate elements in the pipapo set backend.

Patch #6 flowtable validates pppoe header before accessing it.

Patch #7 fixes flowtable datapath for pppoe packets, otherwise lookup
         fails and pppoe packets follow classic path.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-11

Thanks.

----------------------------------------------------------------

The following changes since commit 19fa4f2a85d777a8052e869c1b892a2f7556569d:

  r8169: fix LED-related deadlock on module removal (2024-04-10 10:44:29 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-11

for you to fetch changes up to 6db5dc7b351b9569940cd1cf445e237c42cd6d27:

  netfilter: flowtable: incorrect pppoe tuple (2024-04-11 12:14:10 +0200)

----------------------------------------------------------------
netfilter pull request 24-04-11

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_set_pipapo: do not free live element

Pablo Neira Ayuso (4):
      netfilter: br_netfilter: skip conntrack input hook for promisc packets
      netfilter: nft_set_pipapo: walk over current view on netlink dump
      netfilter: flowtable: validate pppoe header
      netfilter: flowtable: incorrect pppoe tuple

Ziyang Xuan (2):
      netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
      netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()

 include/net/netfilter/nf_flow_table.h      | 12 +++++++++++-
 include/net/netfilter/nf_tables.h          | 14 ++++++++++++++
 net/bridge/br_input.c                      | 15 +++++++++++----
 net/bridge/br_netfilter_hooks.c            |  6 ++++++
 net/bridge/br_private.h                    |  1 +
 net/bridge/netfilter/nf_conntrack_bridge.c | 14 ++++++++++----
 net/netfilter/nf_flow_table_inet.c         |  3 ++-
 net/netfilter/nf_flow_table_ip.c           | 10 ++++++----
 net/netfilter/nf_tables_api.c              | 22 ++++++++++++++++++----
 net/netfilter/nft_set_pipapo.c             | 19 ++++++++++++-------
 10 files changed, 91 insertions(+), 25 deletions(-)

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Use signed integer in ipv6_skip_exthdr() called from nf_confirm().
   Reported by static analysis tooling, patch from Florian Westphal.

2) Missing set type checks in nf_tables: Validate that set declaration
   matches the an existing set type, otherwise bail out with EEXIST.
   Currently, nf_tables silently accepts the re-declaration with a
   different type but it bails out later with EINVAL when the user adds
   entries to the set. This fix is relatively large because it requires
   two preparation patches that are included in this batch.

3) Do not ignore updates of timeout and gc_interval parameters in
   existing sets.

4) Fix a hang when 0/0 subnets is added to a hash:net,port,net type of
   ipset. Except hash:net,port,net and hash:net,iface, the set types don't
   support 0/0 and the auxiliary functions rely on this fact. So 0/0 needs
   a special handling in hash:net,port,net which was missing (hash:net,iface
   was not affected by this bug), from Jozsef Kadlecsik.

5) When adding/deleting large number of elements in one step in ipset,
   it can take a reasonable amount of time and can result in soft lockup
   errors. This patch is a complete rework of the previous version in order
   to use a smaller internal batch limit and at the same time removing
   the external hard limit to add arbitrary number of elements in one step.
   Also from Jozsef Kadlecsik.

Except for patch #1, which fixes a bug introduced in the previous net-next
development cycle, anything else has been broken for several releases.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 19e72b064fc32cd58f6fc0b1eb64ac2e4f770e76:

  net: fec: check the return value of build_skb() (2022-12-20 11:33:24 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 5e29dc36bd5e2166b834ceb19990d9e68a734d7d:

  netfilter: ipset: Rework long task execution when adding/deleting entries (2023-01-02 15:10:05 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: fix ipv6 exthdr error check

Jozsef Kadlecsik (2):
      netfilter: ipset: fix hash:net,port,net hang with /0 subnet
      netfilter: ipset: Rework long task execution when adding/deleting entries

Pablo Neira Ayuso (4):
      netfilter: nf_tables: consolidate set description
      netfilter: nf_tables: add function to create set stateful expressions
      netfilter: nf_tables: perform type checking for existing sets
      netfilter: nf_tables: honor set timeout and garbage collection updates

 include/linux/netfilter/ipset/ip_set.h       |   2 +-
 include/net/netfilter/nf_tables.h            |  25 ++-
 net/netfilter/ipset/ip_set_core.c            |   7 +-
 net/netfilter/ipset/ip_set_hash_ip.c         |  14 +-
 net/netfilter/ipset/ip_set_hash_ipmark.c     |  13 +-
 net/netfilter/ipset/ip_set_hash_ipport.c     |  13 +-
 net/netfilter/ipset/ip_set_hash_ipportip.c   |  13 +-
 net/netfilter/ipset/ip_set_hash_ipportnet.c  |  13 +-
 net/netfilter/ipset/ip_set_hash_net.c        |  17 +-
 net/netfilter/ipset/ip_set_hash_netiface.c   |  15 +-
 net/netfilter/ipset/ip_set_hash_netnet.c     |  23 +--
 net/netfilter/ipset/ip_set_hash_netport.c    |  19 +-
 net/netfilter/ipset/ip_set_hash_netportnet.c |  40 ++--
 net/netfilter/nf_conntrack_proto.c           |   7 +-
 net/netfilter/nf_tables_api.c                | 261 ++++++++++++++++++---------
 15 files changed, 293 insertions(+), 189 deletions(-)

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix NAT support for NFPROTO_INET without layer 3 address,
   from Florian Westphal.

2) Use kfree_rcu(ptr, rcu) variant in nf_tables clean_net path.

3) Use list to collect flowtable hooks to be deleted.

4) Initialize list of hook field in flowtable transaction.

5) Release hooks on error for flowtable updates.

6) Memleak in hardware offload rule commit and abort paths.

7) Early bail out in case device does not support for hardware offload.
   This adds a new interface to net/core/flow_offload.c to check if the
   flow indirect block list is empty.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b:

  tcp: tcp_rtx_synack() can be called from process context (2022-05-31 21:40:10 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 3a41c64d9c1185a2f3a184015e2a9b78bfc99c71:

  netfilter: nf_tables: bail out early if hardware offload is not supported (2022-06-06 19:19:15 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nat: really support inet nat without l3 address

Pablo Neira Ayuso (6):
      netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
      netfilter: nf_tables: delete flowtable hooks via transaction list
      netfilter: nf_tables: always initialize flowtable hook list in transaction
      netfilter: nf_tables: release new hooks on unsupported flowtable flags
      netfilter: nf_tables: memleak flow rule from commit path
      netfilter: nf_tables: bail out early if hardware offload is not supported

 include/net/flow_offload.h                   |  1 +
 include/net/netfilter/nf_tables.h            |  1 -
 include/net/netfilter/nf_tables_offload.h    |  2 +-
 net/core/flow_offload.c                      |  6 ++++
 net/netfilter/nf_tables_api.c                | 54 ++++++++++++----------------
 net/netfilter/nf_tables_offload.c            | 23 +++++++++++-
 net/netfilter/nft_nat.c                      |  3 +-
 tools/testing/selftests/netfilter/nft_nat.sh | 43 ++++++++++++++++++++++
 8 files changed, 98 insertions(+), 35 deletions(-)

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix bogus compilter warning in nfnetlink_queue, from Florian Westphal.

2) Don't run conntrack on vrf with !dflt qdisc, from Nicolas Dichtel.

3) Fix nft_pipapo bucket load in AVX2 lookup routine for six 8-bit
   groups, from Stefano Brivio.

4) Break rule evaluation on malformed TCP options.

5) Use socat instead of nc in selftests/netfilter/nft_zones_many.sh,
   also from Florian

6) Fix KCSAN data-race in conntrack timeout updates, from Eric Dumazet.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 34d8778a943761121f391b7921f79a7adbe1feaf:

  MAINTAINERS: s390/net: add Alexandra and Wenjia as maintainer (2021-11-30 12:20:07 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 802a7dc5cf1bef06f7b290ce76d478138408d6b1:

  netfilter: conntrack: annotate data-races around ct->timeout (2021-12-08 01:29:15 +0100)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: conntrack: annotate data-races around ct->timeout

Florian Westphal (2):
      netfilter: nfnetlink_queue: silence bogus compiler warning
      selftests: netfilter: switch zone stress to socat

Nicolas Dichtel (1):
      vrf: don't run conntrack on vrf with !dflt qdisc

Pablo Neira Ayuso (1):
      netfilter: nft_exthdr: break evaluation if setting TCP option fails

Stefano Brivio (2):
      nft_set_pipapo: Fix bucket load in AVX2 lookup routine for six 8-bit groups
      selftests: netfilter: Add correctness test for mac,net set type

 drivers/net/vrf.c                                  |  8 +++---
 include/net/netfilter/nf_conntrack.h               |  6 ++---
 net/netfilter/nf_conntrack_core.c                  |  6 ++---
 net/netfilter/nf_conntrack_netlink.c               |  2 +-
 net/netfilter/nf_flow_table_core.c                 |  4 +--
 net/netfilter/nfnetlink_queue.c                    |  2 +-
 net/netfilter/nft_exthdr.c                         | 11 +++++---
 net/netfilter/nft_set_pipapo_avx2.c                |  2 +-
 tools/testing/selftests/netfilter/conntrack_vrf.sh | 30 +++++++++++++++++++---
 .../selftests/netfilter/nft_concat_range.sh        | 24 ++++++++++++++---
 .../testing/selftests/netfilter/nft_zones_many.sh  | 19 +++++++++-----
 11 files changed, 82 insertions(+), 32 deletions(-)

[PATCH net 0/7] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix NAT IPv6 offload in the flowtable.

2) icmpv6 is printed as unknown in /proc/net/nf_conntrack.

3) Use div64_u64() in nft_limit, from Eric Dumazet.

4) Use pre_exit to unregister ebtables and arptables hooks,
   from Florian Westphal.

5) Fix out-of-bound memset in x_tables compat match/target,
   also from Florian.

6) Clone set elements expression to ensure proper initialization.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit 9adc89af724f12a03b47099cd943ed54e877cd59:

  net: let skb_orphan_partial wake-up waiters. (2021-03-30 13:57:28 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 4d8f9065830e526c83199186c5f56a6514f457d2:

  netfilter: nftables: clone set element expression template (2021-04-13 00:19:05 +0200)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: nft_limit: avoid possible divide error in nft_limit_init

Florian Westphal (3):
      netfilter: bridge: add pre_exit hooks for ebtable unregistration
      netfilter: arp_tables: add pre_exit hook for table unregister
      netfilter: x_tables: fix compat match/target pad out-of-bound write

Pablo Neira Ayuso (3):
      netfilter: flowtable: fix NAT IPv6 offload mangling
      netfilter: conntrack: do not print icmpv6 as unknown via /proc
      netfilter: nftables: clone set element expression template

 include/linux/netfilter_arp/arp_tables.h  |  5 ++--
 include/linux/netfilter_bridge/ebtables.h |  5 ++--
 net/bridge/netfilter/ebtable_broute.c     |  8 +++++-
 net/bridge/netfilter/ebtable_filter.c     |  8 +++++-
 net/bridge/netfilter/ebtable_nat.c        |  8 +++++-
 net/bridge/netfilter/ebtables.c           | 30 ++++++++++++++++++--
 net/ipv4/netfilter/arp_tables.c           | 11 ++++++--
 net/ipv4/netfilter/arptable_filter.c      | 10 ++++++-
 net/ipv4/netfilter/ip_tables.c            |  2 ++
 net/ipv6/netfilter/ip6_tables.c           |  2 ++
 net/netfilter/nf_conntrack_standalone.c   |  1 +
 net/netfilter/nf_flow_table_offload.c     |  6 ++--
 net/netfilter/nf_tables_api.c             | 46 +++++++++++++++++++++++--------
 net/netfilter/nft_limit.c                 |  4 +--
 net/netfilter/x_tables.c                  | 10 ++-----
 15 files changed, 118 insertions(+), 38 deletions(-)