Merge tag 'nf-next-26-04-10' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next
Florian Westphal says:
====================
netfilter: updates for net-next
1-3) IPVS updates from Julian Anastasov to enhance visibility into
IPVS internal state by exposing hash size, load factor etc. and
allow userspace to tune the load factor used for resizing hash
tables.
4) reject empty/not nul terminated device names from xt_physdev.
This isn't a bug fix; existing code doesn't require a c-string.
But clean this up anyway because conceptually the interface name
definitely should be a c-string.
5) Switch nfnetlink to skb_mac_header helpers that didn't exist back
when this code was written. This gives us additional debug checks
but is not intended to change functionality.
6) Let the xt ttl/hoplimit match reject unknown operator modes.
This is a cleanup, the evaluation function simply returns false when
the mode is out of range. From Marino Dzalto.
7) xt_socket match should enable defrag after all other checks. This
bug is harmless, historically defrag could not be disabled either
except by rmmod.
8) remove UDP-Lite conntrack support, from Fernando Fernandez Mancera.
9) Avoid a couple -Wflex-array-member-not-at-end warnings in the old
xtables 32bit compat code, from Gustavo A. R. Silva.
10) nftables fwd expression should drop packets when their ttl/hl has
expired. This is a bug fix deferred, it's not deemed important
enough for -rc8.
11) Add additional checks before assuming the mac header is an ethernet
header, from Zhengchuan Liang.
* tag 'nf-next-26-04-10' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: require Ethernet MAC header before using eth_hdr()
netfilter: nft_fwd_netdev: check ttl/hl before forwarding
netfilter: x_tables: Avoid a couple -Wflex-array-member-not-at-end warnings
netfilter: conntrack: remove UDP-Lite conntrack support
netfilter: xt_socket: enable defrag after all other checks
netfilter: xt_HL: add pr_fmt and checkentry validation
netfilter: nfnetlink: prefer skb_mac_header helpers
netfilter: x_physdev: reject empty or not-nul terminated device names
ipvs: add conn_lfactor and svc_lfactor sysctl vars
ipvs: add ip_vs_status info
ipvs: show the current conn_tab size to users
====================
Link: https://patch.msgid.link/20260410112352.23599-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>