Hi,

The following patchset contains Netfilter fixes for net:

1) refcount_inc_not_zero() is not semantically equivalent to
   atomic_int_not_zero(), from Florian Westphal. My understanding was
   that refcount_*() API provides a wrapper for easier debugging of
   reference count leaks, however, there are semantic differences
   between these two APIs, where refcount_inc_not_zero() needs a barrier.
   The reason for this subtle difference is unknown to me.

2) packet logging is not correct for ARP and IP packets, from the
   ARP family and netdev/egress respectively. Use skb_network_offset()
   to reach the headers accordingly.

3) set element extension length has been growing over time, replace
   a BUG_ON by EINVAL which might be triggerable from userspace.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 280e3a857d96f9ca8e24632788e1e7a0fec4e9f7:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf (2022-07-03 12:29:18 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to c39ba4de6b0a843bec5d46c2b6f2064428dada5e:

  netfilter: nf_tables: replace BUG_ON by element length check (2022-07-09 16:25:09 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: fix crash due to confirmed bit load reordering

Pablo Neira Ayuso (2):
      netfilter: nf_log: incorrect offset to network header
      netfilter: nf_tables: replace BUG_ON by element length check

 include/net/netfilter/nf_tables.h       | 14 ++++---
 net/netfilter/nf_conntrack_core.c       | 22 ++++++++++
 net/netfilter/nf_conntrack_netlink.c    |  1 +
 net/netfilter/nf_conntrack_standalone.c |  3 ++
 net/netfilter/nf_log_syslog.c           |  8 ++--
 net/netfilter/nf_tables_api.c           | 72 +++++++++++++++++++++++----------
 6 files changed, 90 insertions(+), 30 deletions(-)