[PATCH 00/13] Netfilter updates for net-next

[Pablo Neira Ayuso <pablo@netfilter.org>]

Hi,

The following patchset contains Netfilter updates for net-next:

1) Rewrite inner header IPv6 in ICMPv6 messages in ip6t_NPT,
   from Michael Zhou.

2) do_ip_vs_set_ctl() dereferences uninitialized value,
   from Peilin Ye.

3) Support for userdata in tables, from Jose M. Guisado.

4) Do not increment ct error and invalid stats at the same time,
   from Florian Westphal.

5) Remove ct ignore stats, also from Florian.

6) Add ct stats for clash resolution, from Florian Westphal.

7) Bump reference counter bump on ct clash resolution only,
   this is safe because bucket lock is held, again from Florian.

8) Use ip_is_fragment() in xt_HMARK, from YueHaibing.

9) Add wildcard support for nft_socket, from Balazs Scheidler.

10) Remove superfluous IPVS dependency on iptables, from
    Yaroslav Bolyukin.

11) Remove unused definition in ebt_stp, from Wang Hai.

12) Replace CONFIG_NFT_CHAIN_NAT_{IPV4,IPV6} by CONFIG_NFT_NAT
    in selftests/net, from Fabian Frederick.

13) Add userdata support for nft_object, from Jose M. Guisado.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thank you.

----------------------------------------------------------------

The following changes since commit 0f091e43310f5c292b7094f9f115e651358e8053:

  netlabel: remove unused param from audit_log_format() (2020-08-28 09:08:51 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

for you to fetch changes up to b131c96496b369c7b14125e7c50e89ac7cec8051:

  netfilter: nf_tables: add userdata support for nft_object (2020-09-08 16:35:38 +0200)

----------------------------------------------------------------
Balazs Scheidler (1):
      netfilter: nft_socket: add wildcard support

Fabian Frederick (1):
      selftests/net: replace obsolete NFT_CHAIN configuration

Florian Westphal (4):
      netfilter: conntrack: do not increment two error counters at same time
      netfilter: conntrack: remove ignore stats
      netfilter: conntrack: add clash resolution stat counter
      netfilter: conntrack: remove unneeded nf_ct_put

Jose M. Guisado Gomez (2):
      netfilter: nf_tables: add userdata attributes to nft_table
      netfilter: nf_tables: add userdata support for nft_object

Michael Zhou (1):
      netfilter: ip6t_NPT: rewrite addresses in ICMPv6 original packet

Peilin Ye (1):
      ipvs: Fix uninit-value in do_ip_vs_set_ctl()

Wang Hai (1):
      netfilter: ebt_stp: Remove unused macro BPDU_TYPE_TCN

Yaroslav Bolyukin (1):
      ipvs: remove dependency on ip6_tables

YueHaibing (1):
      netfilter: xt_HMARK: Use ip_is_fragment() helper

 include/linux/netfilter/nf_conntrack_common.h      |  2 +-
 include/net/ip_vs.h                                |  3 --
 include/net/netfilter/nf_tables.h                  |  4 ++
 include/uapi/linux/netfilter/nf_tables.h           |  6 +++
 include/uapi/linux/netfilter/nfnetlink_conntrack.h |  3 +-
 net/bridge/netfilter/ebt_stp.c                     |  1 -
 net/ipv6/netfilter/ip6t_NPT.c                      | 39 +++++++++++++++
 net/netfilter/ipvs/Kconfig                         |  1 -
 net/netfilter/ipvs/ip_vs_ctl.c                     |  7 +--
 net/netfilter/nf_conntrack_core.c                  | 25 ++++------
 net/netfilter/nf_conntrack_netlink.c               |  5 +-
 net/netfilter/nf_conntrack_standalone.c            |  4 +-
 net/netfilter/nf_tables_api.c                      | 57 ++++++++++++++++++----
 net/netfilter/nft_socket.c                         | 27 ++++++++++
 net/netfilter/xt_HMARK.c                           |  2 +-
 tools/testing/selftests/net/config                 |  3 +-
 16 files changed, 148 insertions(+), 41 deletions(-)