[PATCH net 0/7] Netfilter fixes for net

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Mon, 6 Jun 2022 23:20:48 +0200

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix NAT support for NFPROTO_INET without layer 3 address,
   from Florian Westphal.

2) Use kfree_rcu(ptr, rcu) variant in nf_tables clean_net path.

3) Use list to collect flowtable hooks to be deleted.

4) Initialize list of hook field in flowtable transaction.

5) Release hooks on error for flowtable updates.

6) Memleak in hardware offload rule commit and abort paths.

7) Early bail out in case device does not support for hardware offload.
   This adds a new interface to net/core/flow_offload.c to check if the
   flow indirect block list is empty.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b:

  tcp: tcp_rtx_synack() can be called from process context (2022-05-31 21:40:10 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to 3a41c64d9c1185a2f3a184015e2a9b78bfc99c71:

  netfilter: nf_tables: bail out early if hardware offload is not supported (2022-06-06 19:19:15 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nat: really support inet nat without l3 address

Pablo Neira Ayuso (6):
      netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
      netfilter: nf_tables: delete flowtable hooks via transaction list
      netfilter: nf_tables: always initialize flowtable hook list in transaction
      netfilter: nf_tables: release new hooks on unsupported flowtable flags
      netfilter: nf_tables: memleak flow rule from commit path
      netfilter: nf_tables: bail out early if hardware offload is not supported

 include/net/flow_offload.h                   |  1 +
 include/net/netfilter/nf_tables.h            |  1 -
 include/net/netfilter/nf_tables_offload.h    |  2 +-
 net/core/flow_offload.c                      |  6 ++++
 net/netfilter/nf_tables_api.c                | 54 ++++++++++++----------------
 net/netfilter/nf_tables_offload.c            | 23 +++++++++++-
 net/netfilter/nft_nat.c                      |  3 +-
 tools/testing/selftests/netfilter/nft_nat.sh | 43 ++++++++++++++++++++++
 8 files changed, 98 insertions(+), 35 deletions(-)