netfilter pull request 24-02-15

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmXNTiwACgkQ1V2XiooU
 IORw4RAAmr6WYYKyKL9TLXtdxp2c5Aj2BClIrMS/mtLBT9RKjxvL5/m2ePFCvz7N
 /i7Om+dquZ4m5bS8Dk6MO61fhaKEmNWYigvfIYs4fc4qYj5WTV6XMzhY2lCRIgns
 UQXZ0zbb2+BbmsXL/izYcXwM3VMp2l8PLhb/OeGtUtLDMZXF+INXrn3krYLc3TxS
 4UEeLiCwxy8hgGCyS1w73GctfkznQ5vd2Zb6sD6TJ0pG1H4LmhxGDaQPMEtR9DaV
 l+gxC9+Igw6r1Gmv9c1QZ//dvw4Jb+0ZuYEifeD/xqT//M56AKh8UB1/Nil6Kazq
 r/VroMxQcuTJIPcx72F14U94M6r1BVRDIpBjVcpWBCrWjkgaJZkl2tcwfmn8Cihb
 GWRy0zGbYoBynlsseSQUWvfJBGn0D8aFCaoroHYkFfg67Gj8aom5/hIuP2OblN3a
 d+9VQ9FbEkoddv/JAF0Dp6+VVPi6DRxUOj8zC9+Ynl/+AMtx8xZ9B4yUf3n8pEag
 7+OWDEnVHV7aFyfSeBETUQOPLSi+k4wpvp02QilbKIJ8s7Pp4v9KKw3CvHD59nrI
 Ci9Z7PhWICoh+cZXYgradZVbyoJ6iRv2LskG/RlRpHxilZ5os+pcOiUR7dEARX05
 tPRLagMiHsMsy7lsYhe+YBKtYZ1FMxGU+5p63hpkSDUVvOoV+R4=
 =G4r8
 -----END PGP SIGNATURE-----

Merge tag 'nf-24-02-15' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following batch contains Netfilter fixes for net:

1) Missing : in kdoc field in nft_set_pipapo.

2) Restore default DNAT behavior When a DNAT rule is configured via
   iptables with different port ranges, from Kyle Swenson.

3) Restore flowtable hardware offload for bidirectional flows
   by setting NF_FLOW_HW_BIDIRECTIONAL flag, from Felix Fietkau.

netfilter pull request 24-02-15

* tag 'nf-24-02-15' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nf_tables: fix bidirectional offload regression
  netfilter: nat: restore default DNAT behavior
  netfilter: nft_set_pipapo: fix missing : in kdoc
====================

Link: https://lore.kernel.org/r/20240214233818.7946-1-pablo@netfilter.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
Paolo Abeni 2024-02-15 12:48:56 +01:00
commit d74b23d0c2
3 changed files with 7 additions and 3 deletions

View File

@ -551,8 +551,11 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
find_free_id:
if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
else
else if ((range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL) ||
maniptype != NF_NAT_MANIP_DST)
off = get_random_u16();
else
off = 0;
attempts = range_size;
if (attempts > NF_NAT_MAX_ATTEMPTS)

View File

@ -361,6 +361,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
}
__set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags);
ret = flow_offload_add(flowtable, flow);
if (ret < 0)
goto err_flow_add;

View File

@ -144,10 +144,10 @@ struct nft_pipapo_scratch {
/**
* struct nft_pipapo_match - Data used for lookup and matching
* @field_count Amount of fields in set
* @field_count: Amount of fields in set
* @scratch: Preallocated per-CPU maps for partial matching results
* @bsize_max: Maximum lookup table bucket size of all fields, in longs
* @rcu Matching data is swapped on commits
* @rcu: Matching data is swapped on commits
* @f: Fields, with lookup and mapping tables
*/
struct nft_pipapo_match {