From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, fw@strlen.de
Subject: [PATCH net-next 00/17] Netfilter updates for net-next
Date: Sun, 12 May 2024 18:14:19 +0200
Message-ID: <20240512161436.168973-1-pablo@netfilter.org>
Hi,

The following patchset contains Netfilter updates for net-next:

Patch #1 skips transaction if object type provides no .update interface.

Patch #2 skips NETDEV_CHANGENAME which is unused.

Patch #3 enables conntrack to handle Multicast Router Advertisements and
Multicast Router Solicitations from the Multicast Router Discovery
protocol (RFC4286) as untracked, as opposed to invalid packets.
From Linus Luessing.

Patch #4 updates DCCP conntracker to mark invalid as invalid, instead of
dropping them, from Jason Xing.

Patch #5 uses NF_DROP instead of -NF_DROP since NF_DROP is 0, also from Jason.

Patch #6 removes a reference in netfilter's sysctl documentation to pickup
entries which were already removed by Florian Westphal.

Patch #7 removes the check for the IPS_OFFLOAD flag to disable early drop, which
allows evicting entries from the conntrack table, also from Florian.

Patches #8 to #16 update the nf_tables pipapo set backend to allocate the
datastructure copy on-demand from the preparation phase, to better deal
with OOM situations where the .commit step is too late to fail.
Series from Florian Westphal.

Patch #17 adds a selftest with packetdrill to cover conntrack TCP state
transitions, also from Florian.

Patch #18 uses GFP_KERNEL to clone elements from the control plane to avoid
quick atomic reserves exhaustion with large sets; the reporter refers
to million-entry magnitude.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-24-05-12

Thanks.
----------------------------------------------------------------
The following changes since commit cdc74c9d06e72addde01092d09f13bb86d3ed7d0:

  Merge branch 'gve-queue-api' (2024-05-05 14:35:48 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-24-05-12

for you to fetch changes up to fa23e0d4b756d25829e124d6b670a4c6bbd4bf7e:

  netfilter: nf_tables: allow clone callbacks to sleep (2024-05-10 11:13:45 +0200)

----------------------------------------------------------------
netfilter pull request 24-05-12

----------------------------------------------------------------
Florian Westphal (12):
      netfilter: conntrack: documentation: remove reference to non-existent sysctl
      netfilter: conntrack: remove flowtable early-drop test
      netfilter: nft_set_pipapo: move prove_locking helper around
      netfilter: nft_set_pipapo: make pipapo_clone helper return NULL
      netfilter: nft_set_pipapo: prepare destroy function for on-demand clone
      netfilter: nft_set_pipapo: prepare walk function for on-demand clone
      netfilter: nft_set_pipapo: merge deactivate helper into caller
      netfilter: nft_set_pipapo: prepare pipapo_get helper for on-demand clone
      netfilter: nft_set_pipapo: move cloning of match info to insert/removal path
      netfilter: nft_set_pipapo: remove dirty flag
      selftests: netfilter: add packetdrill based conntrack tests
      netfilter: nf_tables: allow clone callbacks to sleep

Jason Xing (2):
      netfilter: conntrack: dccp: try not to drop skb in conntrack
      netfilter: use NF_DROP instead of -NF_DROP

Linus Lüssing (1):
      netfilter: conntrack: fix ct-state for ICMPv6 Multicast Router Discovery

Pablo Neira Ayuso (2):
      netfilter: nf_tables: skip transaction if update object is not implemented
      netfilter: nf_tables: remove NETDEV_CHANGENAME from netdev chain event handler

 Documentation/networking/nf_conntrack-sysctl.rst    |   4 +-
 include/net/netfilter/nf_tables.h                   |   4 +-
 include/uapi/linux/icmpv6.h                         |   1 +
 net/ipv4/netfilter/iptable_filter.c                 |   2 +-
 net/ipv6/netfilter/ip6table_filter.c                |   2 +-
 net/netfilter/nf_conntrack_core.c                   |   4 +-
 net/netfilter/nf_conntrack_proto_dccp.c             |   4 +-
 net/netfilter/nf_conntrack_proto_icmpv6.c           |   4 +-
 net/netfilter/nf_tables_api.c                       |  16 +-
 net/netfilter/nft_chain_filter.c                    |   6 +-
 net/netfilter/nft_connlimit.c                       |   4 +-
 net/netfilter/nft_counter.c                         |   4 +-
 net/netfilter/nft_dynset.c                          |   2 +-
 net/netfilter/nft_last.c                            |   4 +-
 net/netfilter/nft_limit.c                           |  14 +-
 net/netfilter/nft_quota.c                           |   4 +-
 net/netfilter/nft_set_pipapo.c                      | 258 ++++++++++-----------
 net/netfilter/nft_set_pipapo.h                      |   2 -
 tools/testing/selftests/net/netfilter/Makefile      |   2 +
 tools/testing/selftests/net/netfilter/config        |   1 +
 .../net/netfilter/nf_conntrack_packetdrill.sh       |  71 ++++++
 .../selftests/net/netfilter/packetdrill/common.sh   |  33 +++
 .../packetdrill/conntrack_ack_loss_stall.pkt        | 118 ++++++++++
 .../packetdrill/conntrack_inexact_rst.pkt           |  62 +++++
 .../packetdrill/conntrack_rst_invalid.pkt           |  59 +++++
 .../packetdrill/conntrack_syn_challenge_ack.pkt     |  44 ++++
 .../netfilter/packetdrill/conntrack_synack_old.pkt  |  51 ++++
 .../packetdrill/conntrack_synack_reuse.pkt          |  34 +++
 28 files changed, 639 insertions(+), 175 deletions(-)
 create mode 100755 tools/testing/selftests/net/netfilter/nf_conntrack_packetdrill.sh
 create mode 100755 tools/testing/selftests/net/netfilter/packetdrill/common.sh
 create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_ack_loss_stall.pkt
 create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_inexact_rst.pkt
 create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_rst_invalid.pkt
 create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt
 create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_synack_old.pkt
 create mode 100644 tools/testing/selftests/net/netfilter/packetdrill/conntrack_synack_reuse.pkt