Hi,

The following patchset contains Netfilter/IPVS updates for net-next:

1) Rename mss field to mss_option field in synproxy, from Fernando Mancera.

2) Use SYSCTL_{ZERO,ONE} definitions in conntrack, from Matteo Croce.

3) More strict validation of IPVS sysctl values, from Junwei Hu.

4) Remove unnecessary spaces on the right hand side of assignments,
   from yangxingwu.

5) Add offload support for bitwise operation.

6) Extend the nft_offload_reg structure to store immediate data.

7) Collapse several ip_set header files into ip_set.h, from
   Jeremy Sowden.

8) Make netfilter headers compile with CONFIG_KERNEL_HEADER_TEST=y,
   from Jeremy Sowden.

9) Fix several sparse warnings due to missing prototypes, from
   Valdis Kletnieks.

10) Use static lock initialiser to ensure connlabel spinlock is
    initialized at boot time to fix sched/act_ct.c, patch
    from Florian Westphal.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks.

----------------------------------------------------------------

The following changes since commit 4de97b0c86fcf9a225dff465f1614c834c2eeea6:

  Merge branch 'enetc-PCIe-MDIO' (2019-08-02 18:22:18 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

for you to fetch changes up to 105333435b4f3b21ffc325f32fae17719310db64:

  netfilter: connlabels: prefer static lock initialiser (2019-08-13 12:15:45 +0200)

----------------------------------------------------------------
Fernando Fernandez Mancera (1):
      netfilter: synproxy: rename mss synproxy_options field

Florian Westphal (1):
      netfilter: connlabels: prefer static lock initialiser

Jeremy Sowden (8):
      netfilter: inline four headers files into another one.
      netfilter: add missing includes to a number of header-files.
      netfilter: add missing IS_ENABLED(CONFIG_BRIDGE_NETFILTER) checks to header-file.
      netfilter: add missing IS_ENABLED(CONFIG_NF_TABLES) check to header-file.
      netfilter: add missing IS_ENABLED(CONFIG_NF_CONNTRACK) checks to some header-files.
      netfilter: add missing IS_ENABLED(CONFIG_NETFILTER) checks to some header-files.
      netfilter: remove "#ifdef __KERNEL__" guards from some headers.
      kbuild: remove all netfilter headers from header-test blacklist.

Junwei Hu (1):
      ipvs: Improve robustness to the ipvs sysctl

Matteo Croce (1):
      netfilter: conntrack: use shared sysctl constants

Pablo Neira Ayuso (2):
      netfilter: nft_bitwise: add offload support
      netfilter: nf_tables: store data in offload context registers

Valdis Kletnieks (2):
      netfilter: nf_tables: add missing prototypes.
      netfilter: nf_nat_proto: make tables static

yangxingwu (1):
      netfilter: remove unnecessary spaces

 include/Kbuild                                   |  74 -------
 include/linux/netfilter/ipset/ip_set.h           | 238 ++++++++++++++++++++++-
 include/linux/netfilter/ipset/ip_set_comment.h   |  73 -------
 include/linux/netfilter/ipset/ip_set_counter.h   |  84 --------
 include/linux/netfilter/ipset/ip_set_getport.h   |   4 +
 include/linux/netfilter/ipset/ip_set_skbinfo.h   |  42 ----
 include/linux/netfilter/ipset/ip_set_timeout.h   |  77 --------
 include/linux/netfilter/nf_conntrack_amanda.h    |   4 +
 include/linux/netfilter/nf_conntrack_dccp.h      |   3 -
 include/linux/netfilter/nf_conntrack_ftp.h       |   8 +-
 include/linux/netfilter/nf_conntrack_h323.h      |  11 +-
 include/linux/netfilter/nf_conntrack_h323_asn1.h |   2 +
 include/linux/netfilter/nf_conntrack_irc.h       |   5 +-
 include/linux/netfilter/nf_conntrack_pptp.h      |  12 +-
 include/linux/netfilter/nf_conntrack_proto_gre.h |   2 -
 include/linux/netfilter/nf_conntrack_sane.h      |   4 -
 include/linux/netfilter/nf_conntrack_sip.h       |   6 +-
 include/linux/netfilter/nf_conntrack_snmp.h      |   3 +
 include/linux/netfilter/nf_conntrack_tftp.h      |   5 +
 include/linux/netfilter/x_tables.h               |   6 +
 include/linux/netfilter_arp/arp_tables.h         |   2 +
 include/linux/netfilter_bridge/ebtables.h        |   2 +
 include/linux/netfilter_ipv4/ip_tables.h         |   4 +
 include/linux/netfilter_ipv6/ip6_tables.h        |   2 +
 include/net/netfilter/br_netfilter.h             |  12 ++
 include/net/netfilter/ipv4/nf_dup_ipv4.h         |   3 +
 include/net/netfilter/ipv6/nf_defrag_ipv6.h      |   4 +-
 include/net/netfilter/ipv6/nf_dup_ipv6.h         |   2 +
 include/net/netfilter/nf_conntrack.h             |  10 +
 include/net/netfilter/nf_conntrack_acct.h        |  13 ++
 include/net/netfilter/nf_conntrack_bridge.h      |   6 +
 include/net/netfilter/nf_conntrack_core.h        |   3 +
 include/net/netfilter/nf_conntrack_count.h       |   3 +
 include/net/netfilter/nf_conntrack_l4proto.h     |   4 +
 include/net/netfilter/nf_conntrack_synproxy.h    |   2 +-
 include/net/netfilter/nf_conntrack_timestamp.h   |   6 +
 include/net/netfilter/nf_conntrack_tuple.h       |   2 +
 include/net/netfilter/nf_dup_netdev.h            |   2 +
 include/net/netfilter/nf_flow_table.h            |   5 +
 include/net/netfilter/nf_nat.h                   |   4 +
 include/net/netfilter/nf_nat_helper.h            |   4 +-
 include/net/netfilter/nf_nat_redirect.h          |   3 +
 include/net/netfilter/nf_queue.h                 |   7 +
 include/net/netfilter/nf_reject.h                |   3 +
 include/net/netfilter/nf_synproxy.h              |   4 +
 include/net/netfilter/nf_tables.h                |  12 ++
 include/net/netfilter/nf_tables_ipv6.h           |   1 +
 include/net/netfilter/nf_tables_offload.h        |   1 +
 include/net/netfilter/nft_fib.h                  |   2 +
 include/net/netfilter/nft_meta.h                 |   2 +
 include/net/netfilter/nft_reject.h               |   5 +
 include/uapi/linux/netfilter/xt_policy.h         |   1 +
 net/ipv4/netfilter/ipt_SYNPROXY.c                |   4 +-
 net/ipv6/netfilter/ip6t_SYNPROXY.c               |   4 +-
 net/netfilter/ipset/ip_set_hash_gen.h            |   4 +-
 net/netfilter/ipset/ip_set_list_set.c            |   2 +-
 net/netfilter/ipvs/ip_vs_core.c                  |   2 +-
 net/netfilter/ipvs/ip_vs_ctl.c                   |  69 +++----
 net/netfilter/ipvs/ip_vs_mh.c                    |   4 +-
 net/netfilter/ipvs/ip_vs_proto_tcp.c             |   2 +-
 net/netfilter/nf_conntrack_ftp.c                 |   2 +-
 net/netfilter/nf_conntrack_labels.c              |   3 +-
 net/netfilter/nf_conntrack_proto_tcp.c           |   2 +-
 net/netfilter/nf_conntrack_standalone.c          |  34 ++--
 net/netfilter/nf_nat_proto.c                     |   4 +-
 net/netfilter/nf_synproxy_core.c                 |   8 +-
 net/netfilter/nfnetlink_log.c                    |   4 +-
 net/netfilter/nfnetlink_queue.c                  |   4 +-
 net/netfilter/nft_bitwise.c                      |  19 ++
 net/netfilter/nft_immediate.c                    |  24 ++-
 net/netfilter/nft_set_bitmap.c                   |   2 +-
 net/netfilter/nft_set_hash.c                     |   2 +-
 net/netfilter/nft_set_rbtree.c                   |   2 +-
 net/netfilter/nft_synproxy.c                     |   4 +-
 net/netfilter/xt_IDLETIMER.c                     |   2 +-
 net/netfilter/xt_set.c                           |   1 -
 76 files changed, 527 insertions(+), 480 deletions(-)
 delete mode 100644 include/linux/netfilter/ipset/ip_set_comment.h
 delete mode 100644 include/linux/netfilter/ipset/ip_set_counter.h
 delete mode 100644 include/linux/netfilter/ipset/ip_set_skbinfo.h
 delete mode 100644 include/linux/netfilter/ipset/ip_set_timeout.h