[PATCH net-next 00/12] netfilter updates for net-next
From: Florian Westphal <fw@strlen.de>
Date: 2024-02-21 11:29:49
Also in: netfilter-devel
This pull request contains updates for your *net-next* tree:

1. Prefer KMEM_CACHE() macro to create kmem caches, from Kunwu Chan.

2. Patches 2 and 3 consolidate nf_log NULL checks and introduce extra
   boundary checks on family and type to make it clear that no out of
   bounds access will happen. No in-tree user currently passes such
   values, but that's not clear from looking at the function.
   From Pablo Neira Ayuso.

3. Patch 4, also from Pablo, gets rid of an unneeded conditional in the
   nft_osf init function.

4. Patch 5, from myself, fixes erroneous Kconfig dependencies that came
   in an earlier net-next pull request. This should get rid of the
   xtables related build failure reports.

5. Patches 6 to 10 are an update to nftables' concatenated-ranges set
   type to speed up element insertions. This series also compacts a few
   data structures and cleans up a few oddities such as reliance on
   ZERO_SIZE_PTR when asking to allocate a set with no elements.
   From myself.

6. Patch 11 moves the nf_reinject function from the netfilter core
   (vmlinux) into the nfnetlink_queue backend, the only location where
   this is called from. Also from myself.

7. Patch 12, from Kees Cook, switches xtables' compat layer to use
   unsafe_memcpy because xt_entry_target cannot easily get converted to
   a real flexible array (it's UAPI and used inside other structs).

The following changes since commit b0117d136bb9e4a1facb7ce354e0580dde876f6b:

  Merge branch 'net-constify-device_type' (2024-02-21 09:45:24 +0000)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-24-02-21

for you to fetch changes up to 26f4dac11775a1ca24e2605cb30e828d4dbdea93:

  netfilter: x_tables: Use unsafe_memcpy() for 0-sized destination (2024-02-21 12:03:22 +0100)

----------------------------------------------------------------
netfilter pr 2024-21-02

----------------------------------------------------------------
Florian Westphal (7):
      netfilter: xtables: fix up kconfig dependencies
      netfilter: nft_set_pipapo: constify lookup fn args where possible
      netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR
      netfilter: nft_set_pipapo: shrink data structures
      netfilter: nft_set_pipapo: speed up bulk element insertions
      netfilter: nft_set_pipapo: use GFP_KERNEL for insertions
      netfilter: move nf_reinject into nfnetlink_queue modules

Kees Cook (1):
      netfilter: x_tables: Use unsafe_memcpy() for 0-sized destination

Kunwu Chan (1):
      netfilter: expect: Simplify the allocation of slab caches in nf_conntrack_expect_init

Pablo Neira Ayuso (3):
      netfilter: nf_log: consolidate check for NULL logger in lookup function
      netfilter: nf_log: validate nf_logger_find_get()
      netfilter: nft_osf: simplify init path

 include/linux/netfilter.h           |   1 -
 include/net/netfilter/nf_queue.h    |   1 -
 net/ipv4/netfilter/Kconfig          |   3 +-
 net/netfilter/nf_conntrack_expect.c |   4 +-
 net/netfilter/nf_log.c              |   9 +-
 net/netfilter/nf_queue.c            | 106 --------------------
 net/netfilter/nfnetlink_queue.c     | 142 ++++++++++++++++++++++++++
 net/netfilter/nft_osf.c             |  11 +-
 net/netfilter/nft_set_pipapo.c      | 193 ++++++++++++++++++++++++++----------
 net/netfilter/nft_set_pipapo.h      |  37 +++----
 net/netfilter/nft_set_pipapo_avx2.c |  59 ++++++-----
 net/netfilter/utils.c               |  37 -------
 net/netfilter/x_tables.c            |   3 +-
 13 files changed, 346 insertions(+), 260 deletions(-)