Hi, The following patchset contains Netfilter fixes for net: 1) Protect nft_ct template with global mutex, from Pavel Skripkin. 2) Two recent commits switched inet rt and nexthop exception hashes from jhash to siphash. If those two spots are problematic then conntrack is affected as well, so switch voer to siphash too. While at it, add a hard upper limit on chain lengths and reject insertion if this is hit. Patches from Florian Westphal. 3) Fix use-after-scope in nf_socket_ipv6 reported by KASAN, from Benjamin Hesmans. Please, pull these changes from: git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git Thanks. ---------------------------------------------------------------- The following changes since commit 519133debcc19f5c834e7e28480b60bdc234fe02: net: bridge: fix memleak in br_add_if() (2021-08-10 13:25:14 -0700) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD for you to fetch changes up to 730affed24bffcd1eebd5903171960f5ff9f1f22: netfilter: socket: icmp6: fix use-after-scope (2021-09-03 18:25:31 +0200) ---------------------------------------------------------------- Benjamin Hesmans (1): netfilter: socket: icmp6: fix use-after-scope Florian Westphal (3): netfilter: conntrack: sanitize table size default settings netfilter: conntrack: switch to siphash netfilter: refuse insertion if chain has grown too large Pavel Skripkin (1): netfilter: nft_ct: protect nft_ct_pcpu_template_refcnt with mutex Documentation/networking/nf_conntrack-sysctl.rst | 13 ++- include/linux/netfilter/nf_conntrack_common.h | 1 + include/uapi/linux/netfilter/nfnetlink_conntrack.h | 1 + net/ipv6/netfilter/nf_socket_ipv6.c | 4 +- net/netfilter/nf_conntrack_core.c | 103 ++++++++++++++------- net/netfilter/nf_conntrack_expect.c | 25 +++-- net/netfilter/nf_conntrack_netlink.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 4 +- net/netfilter/nf_nat_core.c | 18 +++- net/netfilter/nft_ct.c | 9 +- 10 files changed, 123 insertions(+), 59 deletions(-)