Hi,
This batch contains Netfilter fixes for net:
1) Restrict hashlimit size to 1048576, from Cong Wang.
2) Check for offload flags from nf_flow_table_offload_setup(),
this fixes a crash in case the hardware offload is disabled.
From Florian Westphal.
3) Three preparation patches to extend the conntrack clash resolution,
from Florian.
4) Extend clash resolution to deal with DNS packets from the same flow
racing to set up the NAT configuration.
5) Small documentation fix in pipapo, from Stefano Brivio.
6) Remove misleading unlikely() from pipapo_refill(), also from Stefano.
7) Reduce hashlimit mutex scope, from Cong Wang. This patch is actually
triggering another problem, still under discussion, another patch to
fix this will follow up.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 259039fa30457986929a324d769f543c1509987f:
Merge branch 'stmmac-fixes' (2020-02-07 11:36:22 +0100)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 9a7712048f9d43da5022e75eca3d6b81080e76d3:
netfilter: nft_set_pipapo: Don't abuse unlikely() in pipapo_refill() (2020-02-18 22:07:09 +0100)
----------------------------------------------------------------
Cong Wang (2):
netfilter: xt_hashlimit: reduce hashlimit_mutex scope for htable_put()
netfilter: xt_hashlimit: limit the max size of hashtable
Florian Westphal (5):
netfilter: flowtable: skip offload setup if disabled
netfilter: conntrack: remove two args from resolve_clash
netfilter: conntrack: place confirm-bit setting in a helper
netfilter: conntrack: split resolve_clash function
netfilter: conntrack: allow insertion of clashing entries
Stefano Brivio (2):
netfilter: nft_set_pipapo: Fix mapping table example in comments
netfilter: nft_set_pipapo: Don't abuse unlikely() in pipapo_refill()
include/linux/rculist_nulls.h | 7 +
include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +-
net/netfilter/nf_conntrack_core.c | 192 ++++++++++++++++++---
net/netfilter/nf_conntrack_proto_udp.c | 20 ++-
net/netfilter/nf_flow_table_offload.c | 6 +-
net/netfilter/nft_set_pipapo.c | 6 +-
net/netfilter/xt_hashlimit.c | 22 ++-
7 files changed, 220 insertions(+), 45 deletions(-)
