-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEN9lkrMBJgcdVAPub1V2XiooUIOQFAmb1P8AACgkQ1V2XiooU
IOT2KQ/9Gpf66VH41Byae9qzpgS+iRWUkN3Apn/5m7io/v0AuEmDfDRCPcOH/k8N
61m5RGBzuZETR3YhmlzzvMv5WXmHJmUCGjWm5M2b6Byji13GsdgTqJ3VXwgQXINI
tuE2bRTRzm5oBOsJvTENb5X7A3Bmjnk93N4jJSQgQNzO+fTNgiUQxszrUc2llQLS
D85VC94AtNu3fKbv+sv76yWGdR+srq2ePeN+6lDT/Hx6sqnU+uWziYaSXLTmWd9S
va+yOgi2t0gJkCZqfR/Aw8fQJSpCLWFIy4LBJa1fFX6ni462w2c7VOMPHnJ3PlOy
QG+UAH2brpRyIVn3IBzEeBDb1ZhrsHKsEaUz84LHs22XbZCCZ4xAfe0DsFmxC0o3
TW9f0RA9geRlnZOxHJRHc8I6Edi4B3oBcvbEe6PaoHeQJCUqfVJp8dgkLT0IvySJ
TWYQEx8A/fSBKmr8QQ9L/wEomTTnvLuW5GW4dyOsfoyS7DKd9wgIycujakqmowIA
ZnaXmosCtopNGrf5lxKsWYDac4VKLJufzjCj/4b7Q1BBaJXmSj0xVD0/0fSJeijk
t9nfvvOwBKBYOoZOwYK2KD+YmMwxSuHz48yE0WZANoRnTP/gwFhY9bDmonqOi7+e
L5Vbtv6QZtnChnHCSkRzXEkmKUIlzMoi607suV1jYmmDiEQoa+A=
=a9OT
-----END PGP SIGNATURE-----
Merge tag 'nf-24-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
v2: with kdoc fixes per Paolo Abeni.
The following patchset contains Netfilter fixes for net:
Patch #1 and #2 handle an esoteric scenario: Given two tasks sending UDP
packets to one another, two packets of the same flow in each direction
handled by different CPUs that result in two conntrack objects in NEW
state, where reply packet loses race. Then, patch #3 adds a testcase for
this scenario. Series from Florian Westphal.
1) NAT engine can falsely detect a port collision if it happens to pick
up a reply packet as NEW rather than ESTABLISHED. Add extra code to
detect this and suppress port reallocation in this case.
2) To complete the clash resolution in the reply direction, extend conntrack
logic to detect clashing conntrack in the reply direction to existing entry.
3) Adds a test case.
Then, an assorted list of fixes follow:
4) Add a selftest for tproxy, from Antonio Ojea.
5) Guard ctnetlink_*_size() functions under
#if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
From Andy Shevchenko.
6) Use -m socket --transparent in iptables tproxy documentation.
From XIE Zhibang.
7) Call kfree_rcu() when releasing flowtable hooks to address race with
netlink dump path, from Phil Sutter.
8) Fix compilation warning in nf_reject with CONFIG_BRIDGE_NETFILTER=n.
From Simon Horman.
9) Guard ctnetlink_label_size() under CONFIG_NF_CONNTRACK_EVENTS which
is its only user, to address a compilation warning. From Simon Horman.
10) Use rcu-protected list iteration over basechain hooks from netlink
dump path.
11) Fix memcg for nf_tables, use GFP_KERNEL_ACCOUNT is not complete.
12) Remove old nfqueue conntrack clash resolution. Instead trying to
use same destination address consistently which requires double DNAT,
use the existing clash resolution which allows clashing packets
go through with different destination. Antonio Ojea originally
reported an issue from the postrouting chain, I proposed a fix:
https://lore.kernel.org/netfilter-devel/ZuwSwAqKgCB2a51-@calendula/T/
which he reported it did not work for him.
13) Adds a selftest for patch 12.
14) Fixes ipvs.sh selftest.
netfilter pull request 24-09-26
* tag 'nf-24-09-26' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
selftests: netfilter: Avoid hanging ipvs.sh
kselftest: add test for nfqueue induced conntrack race
netfilter: nfnetlink_queue: remove old clash resolution logic
netfilter: nf_tables: missing objects with no memcg accounting
netfilter: nf_tables: use rcu chain hook list iterator from netlink dump path
netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS
netfilter: nf_reject: Fix build warning when CONFIG_BRIDGE_NETFILTER=n
netfilter: nf_tables: Keep deleted flowtable hooks until after RCU
docs: tproxy: ignore non-transparent sockets in iptables
netfilter: ctnetlink: Guard possible unused functions
selftests: netfilter: nft_tproxy.sh: add tcp tests
selftests: netfilter: add reverse-clash resolution test case
netfilter: conntrack: add clash resolution for reverse collisions
netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash
====================
Link: https://patch.msgid.link/20240926110717.102194-1-pablo@netfilter.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
aef3a58b06