This pull request contains updates for your *net-next* tree:

1. Prefer KMEM_CACHE() macro to create kmem caches, from Kunwu Chan.

Patches 2 and 3 consolidate nf_log NULL checks and introduce extra
boundary checks on family and type to make it clear that no out of
bounds access will happen. No in-tree user currently passes such
values, but that's not clear from looking at the function.
From Pablo Neira Ayuso.

Patch 4, also from Pablo, gets rid of unneeded conditional in
nft_osf init function.

Patch 5, from myself, fixes erroneous Kconfig dependencies that
came in an earlier net-next pull request. This should get rid of
the xtables related build failure reports.

Patches 6 to 10 are an update to nftables' concatenated-ranges
set type to speed up element insertions. This series also
compacts a few data structures and cleans up a few oddities such
as reliance on ZERO_SIZE_PTR when asking to allocate a set with
no elements. From myself.

Patch 11 moves the nf_reinject function from the netfilter core
(vmlinux) into the nfnetlink_queue backend, the only location where
this is called from. Also from myself.

Patch 12, from Kees Cook, switches xtables' compat layer to use
unsafe_memcpy because xt_entry_target cannot easily get converted
to a real flexible array (it's UAPI and used inside other structs).

The following changes since commit b0117d136bb9e4a1facb7ce354e0580dde876f6b:

  Merge branch 'net-constify-device_type' (2024-02-21 09:45:24 +0000)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-24-02-21

for you to fetch changes up to 26f4dac11775a1ca24e2605cb30e828d4dbdea93:

  netfilter: x_tables: Use unsafe_memcpy() for 0-sized destination (2024-02-21 12:03:22 +0100)

----------------------------------------------------------------
netfilter pr 2024-21-02

----------------------------------------------------------------
Florian Westphal (7):
      netfilter: xtables: fix up kconfig dependencies
      netfilter: nft_set_pipapo: constify lookup fn args where possible
      netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR
      netfilter: nft_set_pipapo: shrink data structures
      netfilter: nft_set_pipapo: speed up bulk element insertions
      netfilter: nft_set_pipapo: use GFP_KERNEL for insertions
      netfilter: move nf_reinject into nfnetlink_queue modules

Kees Cook (1):
      netfilter: x_tables: Use unsafe_memcpy() for 0-sized destination

Kunwu Chan (1):
      netfilter: expect: Simplify the allocation of slab caches in nf_conntrack_expect_init

Pablo Neira Ayuso (3):
      netfilter: nf_log: consolidate check for NULL logger in lookup function
      netfilter: nf_log: validate nf_logger_find_get()
      netfilter: nft_osf: simplify init path

 include/linux/netfilter.h           |   1 -
 include/net/netfilter/nf_queue.h    |   1 -
 net/ipv4/netfilter/Kconfig          |   3 +-
 net/netfilter/nf_conntrack_expect.c |   4 +-
 net/netfilter/nf_log.c              |   9 +-
 net/netfilter/nf_queue.c            | 106 --------------------
 net/netfilter/nfnetlink_queue.c     | 142 ++++++++++++++++++++++++++
 net/netfilter/nft_osf.c             |  11 +-
 net/netfilter/nft_set_pipapo.c      | 193 ++++++++++++++++++++++++++----------
 net/netfilter/nft_set_pipapo.h      |  37 +++----
 net/netfilter/nft_set_pipapo_avx2.c |  59 ++++++-----
 net/netfilter/utils.c               |  37 -------
 net/netfilter/x_tables.c            |   3 +-
 13 files changed, 346 insertions(+), 260 deletions(-)