Hi,
The following patchset contains Netfilter updates for net-next. Mostly
nf_tables updates with two patches for connlabel and br_netfilter.
1) Rename function name to perform on-demand GC for rbtree elements,
and replace async GC in rbtree by sync GC. Patches from Florian Westphal.
2) Use commit_mutex for NFT_MSG_GETRULE_RESET to ensure that two
concurrent threads invoking this command do not underrun stateful
objects. Patches from Phil Sutter.
3) Use single hook to deal with IP and ARP packets in br_netfilter.
Patch from Florian Westphal.
4) Use atomic_t in netns->connlabel use counter instead of using a
spinlock, also patch from Florian.
5) Cleanups for stateful objects infrastructure in nf_tables.
Patches from Phil Sutter.
6) Flush path uses opaque set element offered by the iterator, instead of
calling pipapo_deactivate() which looks up for it again.
7) Set backend .flush interface always succeeds, make it return void
instead.
8) Add struct nft_elem_priv placeholder structure and use it by replacing
void * to pass opaque set element representation from backend to frontend
which defeats compiler type checks.
9) Shrink memory consumption of set element transactions, by reducing
struct nft_trans_elem object size and reducing stack memory usage.
10) Use struct nft_elem_priv also for set backend .insert operation too.
11) Carry reset flag in nft_set_dump_ctx structure, instead of passing it
as a function argument, from Phil Sutter.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-23-10-25
Thanks.
----------------------------------------------------------------
The following changes since commit 5e3704030b240ab6878c32abdc2e38b6bac9dfb8:
Merge branch 'bnxt_en-next' (2023-10-22 11:41:46 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-23-10-25
for you to fetch changes up to 9cdee063476988102bbc5e0e9551e10c5ed00d3e:
netfilter: nf_tables: Carry reset boolean in nft_set_dump_ctx (2023-10-24 15:48:30 +0200)
----------------------------------------------------------------
netfilter pull request 23-10-25
----------------------------------------------------------------
Florian Westphal (4):
netfilter: nft_set_rbtree: rename gc deactivate+erase function
netfilter: nft_set_rbtree: prefer sync gc to async worker
br_netfilter: use single forward hook for ip and arp
netfilter: conntrack: switch connlabels to atomic_t
Pablo Neira Ayuso (5):
netfilter: nft_set_pipapo: no need to call pipapo_deactivate() from flush
netfilter: nf_tables: set backend .flush always succeeds
netfilter: nf_tables: expose opaque set element as struct nft_elem_priv
netfilter: nf_tables: shrink memory consumption of set elements
netfilter: nf_tables: set->ops->insert returns opaque set element in case of EEXIST
Phil Sutter (10):
netfilter: nf_tables: Open-code audit log call in nf_tables_getrule()
netfilter: nf_tables: Introduce nf_tables_getrule_single()
netfilter: nf_tables: Add locking for NFT_MSG_GETRULE_RESET requests
netfilter: nf_tables: Drop pointless memset in nf_tables_dump_obj
netfilter: nf_tables: Unconditionally allocate nft_obj_filter
netfilter: nf_tables: A better name for nft_obj_filter
netfilter: nf_tables: Carry s_idx in nft_obj_dump_ctx
netfilter: nf_tables: nft_obj_filter fits into cb->ctx
netfilter: nf_tables: Carry reset boolean in nft_obj_dump_ctx
netfilter: nf_tables: Carry reset boolean in nft_set_dump_ctx
include/net/netfilter/nf_conntrack_labels.h | 2 +-
include/net/netfilter/nf_tables.h | 60 ++--
include/net/netns/conntrack.h | 2 +-
net/bridge/br_netfilter_hooks.c | 72 +++--
net/netfilter/nf_conntrack_labels.c | 17 +-
net/netfilter/nf_tables_api.c | 445 +++++++++++++++-------------
net/netfilter/nft_dynset.c | 23 +-
net/netfilter/nft_set_bitmap.c | 53 ++--
net/netfilter/nft_set_hash.c | 109 +++----
net/netfilter/nft_set_pipapo.c | 73 ++---
net/netfilter/nft_set_pipapo.h | 4 +-
net/netfilter/nft_set_rbtree.c | 200 ++++++-------
12 files changed, 558 insertions(+), 502 deletions(-)
