pm24.git/include/uapi/linux/netfilter, branch v6.12 Unnamed repository; edit this file 'description' to name the repository. https://git.kobert.dev/pm24.git/atom?h=v6.12 2024-09-26T15:14:35Z netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED 2024-09-26T15:14:35Z Phil Sutter phil@nwl.cc 2024-09-25T18:01:20Z urn:sha1:76f1ed087b562a469f2153076f179854b749c09a Fix the comment which incorrectly defines it as NLA_U32. Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: zero timeout means element never times out 2024-09-03T16:19:40Z Pablo Neira Ayuso pablo@netfilter.org 2024-09-02T23:09:27Z urn:sha1:8bfb74ae12fa4cd3c9b49bb5913610b5709bffd7 This patch uses zero as timeout marker for those elements that never expire when the element is created. If userspace provides no timeout for an element, then the default set timeout applies. However, if no default set timeout is specified and timeout flag is set on, then timeout extension is allocated and timeout is set to zero to allow for future updates. Use of zero a never timeout marker has been suggested by Phil Sutter. Note that, in older kernels, it is already possible to define elements that never expire by declaring a set with the set timeout flag set on and no global set timeout, in this case, new element with no explicit timeout never expire do not allocate the timeout extension, hence, they never expire. This approach makes it complicated to accomodate element timeout update, because element extensions do not support reallocations. Therefore, allocate the timeout extension and use the new marker for this case, but do not expose it to userspace to retain backward compatibility in the set listing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: rise cap on SELinux secmark context 2024-06-25T22:54:53Z Pablo Neira Ayuso pablo@netfilter.org 2024-06-03T18:16:59Z urn:sha1:e29630247be24c3987e2b048f8e152771b32d38b secmark context is artificially limited 256 bytes, rise it to 4Kbytes. Fixes: fb961945457f ("netfilter: nf_tables: add SECMARK support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-02-08T23:30:33Z Jakub Kicinski kuba@kernel.org 2024-02-08T23:20:37Z urn:sha1:3be042cf46feeedf664152d063376b5c17026d1d Cross-merge networking fixes after downstream PR. No conflicts. Adjacent changes: drivers/net/ethernet/stmicro/stmmac/common.h 38cc3c6dcc09 ("net: stmmac: protect updates of 64-bit statistics counters") fd5a6a71313e ("net: stmmac: est: Per Tx-queue error count for HLBF") c5c3e1bfc9e0 ("net: stmmac: Offload queueMaxSDU from tc-taprio") drivers/net/wireless/microchip/wilc1000/netdev.c c9013880284d ("wifi: fill in MODULE_DESCRIPTION()s for wilc1000") 328efda22af8 ("wifi: wilc1000: do not realloc workqueue everytime an interface is added") net/unix/garbage.c 11498715f266 ("af_unix: Remove io_uring code for GC.") 1279f9d9dec2 ("af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.") Signed-off-by: Jakub Kicinski <kuba@kernel.org> netfilter: nft_compat: reject unused compat flag 2024-02-07T21:02:51Z Pablo Neira Ayuso pablo@netfilter.org 2024-02-01T22:33:29Z urn:sha1:292781c3c5485ce33bd22b2ef1b2bed709b4d672 Flag (1 << 0) is ignored is set, never used, reject it it with EINVAL instead. Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: Introduce NFT_TABLE_F_PERSIST 2024-01-29T14:43:20Z Phil Sutter phil@nwl.cc 2023-12-21T13:31:58Z urn:sha1:da5141bbe0c2693d85f14a89ee991921904f4d0c This companion flag to NFT_TABLE_F_OWNER requests the kernel to keep the table around after the process has exited. It marks such table as orphaned (by dropping OWNER flag but keeping PERSIST flag in place), which opens it for other processes to manipulate. For the sake of simplicity, PERSIST flag may not be altered though. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de> netfilter: uapi: Document NFT_TABLE_F_OWNER flag 2024-01-29T14:43:20Z Phil Sutter phil@nwl.cc 2023-12-21T13:31:57Z urn:sha1:941988af572434e4aa93fb0f2f509f92adfd691a Add at least this one-liner describing the obvious. Fixes: 6001a930ce03 ("netfilter: nftables: introduce table ownership") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de> netfilter: nf_tables: uapi: Describe NFTA_RULE_CHAIN_ID 2023-09-06T16:09:12Z Phil Sutter phil@nwl.cc 2023-09-01T12:15:16Z urn:sha1:fdc04cc2d5fd0bb9c17f36d0a895cf3e151109e6 Add a brief description to the enum's comment. Fixes: 837830a4b439 ("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de> netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET 2023-06-26T06:05:57Z Phil Sutter phil@nwl.cc 2023-06-15T14:31:40Z urn:sha1:079cd633219d7298d087cd115c17682264244c18 Analogous to NFT_MSG_GETOBJ_RESET, but for set elements with a timeout or attached stateful expressions like counters or quotas - reset them all at once. Respect a per element timeout value if present to reset the 'expires' value to. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nft_exthdr: add boolean DCCP option matching 2023-05-18T06:48:54Z Jeremy Sowden jeremy@azazel.net 2023-05-09T21:19:45Z urn:sha1:b9f9a485fb0eb80b0e2b90410b28cbb9b0e85687 The xt_dccp iptables module supports the matching of DCCP packets based on the presence or absence of DCCP options. Extend nft_exthdr to add this functionality to nftables. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=930 Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Florian Westphal <fw@strlen.de>