From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
kadlec@netfilter.org
Subject: [PATCH net,v2 00/13] Netfilter fixes for net
Date: Thu, 8 Feb 2024 12:28:21 +0100
Message-ID: <20240208112834.1433-1-pablo@netfilter.org>
This v2 includes changes requested by Paolo Abeni.
-o-
Hi,
The following patchset contains Netfilter fixes for net:
1) Narrow down target/match revision to u8 in nft_compat.
2) Bail out with unused flags in nft_compat.
3) Restrict layer 4 protocol to u16 in nft_compat.
4) Remove static in pipapo get command that slipped through when
reducing set memory footprint.
5) Follow up incremental fix for the ipset performance regression,
this includes the missing gc cancellation, from Jozsef Kadlecsik.
6) Allow to filter by zone 0 in ctnetlink, do not interpret zone 0
as no filtering, from Felix Huettner.
7) Reject direction for NFT_CT_ID.
8) Use timestamp to check for set element expiration while transaction
is handled to prevent garbage collection from removing set elements
that were just added by this transaction. Packet path and netlink
dump/get path still use current time to check for expiration.
9) Restore NF_REPEAT in nfnetlink_queue, from Florian Westphal.
10) map_index needs to be percpu and per-set, not just percpu.
At this time it's possible for a pipapo set to fill the all-zero part
with ones and take the 'might have bits set' as 'start-from-zero' area.
From Florian Westphal. This includes three patches:
- Change scratchpad area to a structure that provides space for a
per-set-and-cpu toggle and uses it instead of the percpu one.
- Add a new free helper to prepare for the next patch.
- Remove the scratch_aligned pointer and make AVX2 implementation
use the exact same memory addresses for read/store of the matching
state.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-02-08
Thanks.
----------------------------------------------------------------
The following changes since commit eef00a82c568944f113f2de738156ac591bbd5cd:
inet: read sk->sk_family once in inet_recv_error() (2024-02-04 16:06:53 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-02-08
for you to fetch changes up to 5a8cdf6fd860ac5e6d08d72edbcecee049a7fec4:
netfilter: nft_set_pipapo: remove scratch_aligned pointer (2024-02-08 12:24:02 +0100)
----------------------------------------------------------------
netfilter pull request 24-02-08
----------------------------------------------------------------
Felix Huettner (1):
netfilter: ctnetlink: fix filtering for zone 0
Florian Westphal (4):
netfilter: nfnetlink_queue: un-break NF_REPEAT
netfilter: nft_set_pipapo: store index in scratch maps
netfilter: nft_set_pipapo: add helper to release pcpu scratch area
netfilter: nft_set_pipapo: remove scratch_aligned pointer
Jozsef Kadlecsik (1):
netfilter: ipset: Missing gc cancellations fixed
Pablo Neira Ayuso (7):
netfilter: nft_compat: narrow down revision to unsigned 8-bits
netfilter: nft_compat: reject unused compat flag
netfilter: nft_compat: restrict match/target protocol to u16
netfilter: nft_set_pipapo: remove static in nft_pipapo_get()
netfilter: nft_ct: reject direction for ct id
netfilter: nf_tables: use timestamp to check for set element timeout
netfilter: nft_set_rbtree: skip end interval element from gc
include/net/netfilter/nf_tables.h | 16 ++-
include/uapi/linux/netfilter/nf_tables.h | 2 +
net/netfilter/ipset/ip_set_core.c | 2 +
net/netfilter/ipset/ip_set_hash_gen.h | 4 +-
net/netfilter/nf_conntrack_netlink.c | 12 +-
net/netfilter/nf_tables_api.c | 4 +-
net/netfilter/nfnetlink_queue.c | 13 ++-
net/netfilter/nft_compat.c | 17 ++-
net/netfilter/nft_ct.c | 3 +
net/netfilter/nft_set_hash.c | 8 +-
net/netfilter/nft_set_pipapo.c | 128 +++++++++++----------
net/netfilter/nft_set_pipapo.h | 18 ++-
net/netfilter/nft_set_pipapo_avx2.c | 17 ++-
net/netfilter/nft_set_rbtree.c | 17 +--
.../selftests/netfilter/conntrack_dump_flush.c | 43 ++++++-
15 files changed, 202 insertions(+), 102 deletions(-)
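An added example, not part of this pull request and not the kernel's own code, modelling item 8 of the cover letter: an element added with a timeout inside a slow transaction is wrongly collected when commit-time garbage collection reads the live clock, but survives when the check is anchored to the transaction's start timestamp, while the packet path keeps using the live clock. All names (struct set_elem, struct transaction, tx_add_elem, commit_gc_collects, scenario_collected) and the tick values are invented for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model, not kernel code: a set element with an absolute expiry
 * tick, and a control-plane transaction that records its start tick. */
struct set_elem { uint64_t expires; };
struct transaction { uint64_t tstamp; };

/* Expiry check against whatever clock the caller passes in. The packet path
 * passes the live clock; the transaction paths pass tx->tstamp. */
static bool elem_expired(const struct set_elem *e, uint64_t now)
{
    return now >= e->expires;
}

/* Element added inside a transaction: timeout is relative to the tx start. */
static void tx_add_elem(const struct transaction *tx, struct set_elem *e,
                        uint64_t timeout)
{
    e->expires = tx->tstamp + timeout;
}

/* Commit-time garbage collection. Before the fix it read the live clock, so
 * a slow transaction could see its own new element as already expired; with
 * use_tstamp the check is anchored to the transaction's start instead. */
static bool commit_gc_collects(const struct set_elem *e,
                               const struct transaction *tx,
                               uint64_t live_now, bool use_tstamp)
{
    return elem_expired(e, use_tstamp ? tx->tstamp : live_now);
}

/* Scenario: tx starts at tick 100, adds an element with timeout 5, and the
 * transaction takes 20 ticks to reach GC. Returns whether GC removes it. */
static bool scenario_collected(bool use_tstamp)
{
    struct transaction tx = { .tstamp = 100 };
    struct set_elem e;

    tx_add_elem(&tx, &e, 5);
    return commit_gc_collects(&e, &tx, tx.tstamp + 20, use_tstamp);
}

/* Exit 0 when the model reproduces the bug with the live clock and shows the
 * element surviving with the transaction timestamp. */
int main(void)
{
    return (scenario_collected(false) && !scenario_collected(true)) ? 0 : 1;
}
```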