Hi,

The following patchset contains Netfilter updates for net-next:

1) Apparently, nf_conntrack_bridge changes the way in which fragments
   are handled, leading to packet drop. From Huajian Yang.

2) Add a selftest to stress the conntrack subsystem, from Florian Westphal.

3) nft_quota depletion is off-by-one byte, Zhongqiu Duan.

4) Rewrites the procfs to read the conntrack table to speed it up,
   from Florian Westphal.

5) Two patches to prevent overflow in nft_pipapo lookup table and to
   clamp the maximum bucket size.

6) Update nft_fib selftest to check for loopback packet bypass.
   From Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git nf-next-25-05-06

Thanks.

----------------------------------------------------------------
The following changes since commit 836b313a14a316290886dcc2ce7e78bf5ecc8658:

  ipv4: Honor "ignore_routes_with_linkdown" sysctl in nexthop selection (2025-05-03 21:52:38 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-25-05-06

for you to fetch changes up to fc91d5e6d948733773af35ef3b95504d8e588e4f:

  selftests: netfilter: nft_fib.sh: check lo packets bypass fib lookup (2025-05-05 13:17:32 +0200)

----------------------------------------------------------------
netfilter pull request 25-05-06

----------------------------------------------------------------
Florian Westphal (3):
      selftests: netfilter: add conntrack stress test
      netfilter: nf_conntrack: speed up reads from nf_conntrack proc file
      selftests: netfilter: nft_fib.sh: check lo packets bypass fib lookup

Huajian Yang (1):
      netfilter: bridge: Move specific fragmented packet to slow_path instead of dropping it

Pablo Neira Ayuso (2):
      netfilter: nft_set_pipapo: prevent overflow in lookup table allocation
      netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX

Zhongqiu Duan (1):
      netfilter: nft_quota: match correctly when the quota just depleted
 net/bridge/netfilter/nf_conntrack_bridge.c              |  12 +-
 net/ipv6/netfilter.c                                    |  12 +-
 net/netfilter/nf_conntrack_standalone.c                 |  88 +++--
 net/netfilter/nft_quota.c                               |  20 +-
 net/netfilter/nft_set_pipapo.c                          |  64 +++-
 tools/testing/selftests/net/netfilter/Makefile          |   1 +
 tools/testing/selftests/net/netfilter/config            |   1 +
 .../selftests/net/netfilter/conntrack_resize.sh         | 406 +++++++++++++++++++++
 tools/testing/selftests/net/netfilter/nft_fib.sh        |  23 ++
 9 files changed, 559 insertions(+), 68 deletions(-)
 create mode 100755 tools/testing/selftests/net/netfilter/conntrack_resize.sh