Hi,

The following patchset contains Netfilter fixes for net:

Patch #1 reject destroy chain command to delete device hooks in netdev
         family, hence, only delchain commands are allowed.

Patch #2 reject table flag update interference with netdev basechain
         hook updates, this can leave hooks in inconsistent
         registration/unregistration state.

Patch #3 do not unregister netdev basechain hooks if table is dormant.
         Otherwise, splat with double unregistration is possible.

Patch #4 fixes Kconfig to allow to restore IP_NF_ARPTABLES,
         from Kuniyuki Iwashima.

There are more fixes still in progress on my side that need more work.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-03-28

Thanks.

----------------------------------------------------------------

The following changes since commit d24b03535e5eb82e025219c2f632b485409c898f:

  nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet (2024-03-22 09:41:39 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-03-28

for you to fetch changes up to 15fba562f7a9f04322b8bfc8f392e04bb93d81be:

  netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c (2024-03-28 03:54:02 +0100)

----------------------------------------------------------------
netfilter pull request 24-03-28

----------------------------------------------------------------
Kuniyuki Iwashima (1):
      netfilter: arptables: Select NETFILTER_FAMILY_ARP when building arp_tables.c

Pablo Neira Ayuso (3):
      netfilter: nf_tables: reject destroy command to remove basechain hooks
      netfilter: nf_tables: reject table flag and netdev basechain updates
      netfilter: nf_tables: skip netdev hook unregistration if table is dormant

 net/ipv4/netfilter/Kconfig    |  1 +
 net/netfilter/nf_tables_api.c | 50 ++++++++++++++++++++++++++++++++++++-------
 2 files changed, 43 insertions(+), 8 deletions(-)