git.ipfire.org Git - thirdparty/kernel/stable.git/commit

Merge tag 'nf-25-10-29' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westphal says:

====================
netfilter: updates for net

1) its not possible to attach conntrack labels via ctnetlink
   unless one creates a dummy 'ct labels set' rule in nftables.
   This is an oversight, the 'ruleset tests presence, userspace
   (netlink) sets' use-case is valid and should 'just work'.
   Always broken since this got added in Linux 4.7.

2) nft_connlimit reads count value without holding the relevant
   lock, add a READ_ONCE annotation.  From Fernando Fernandez Mancera.

3) There is a long-standing bug (since 4.12) in nftables helper infra
   when NAT is in use: if the helper gets assigned after the nat binding
   was set up, we fail to initialise the 'seqadj' extension, which is
   needed in case NAT payload rewrites need to add (or remove) from the
   packet payload.  Fix from Andrii Melnychenko.

* tag 'nf-25-10-29' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nft_ct: add seqadj extension for natted connections
  netfilter: nft_connlimit: fix possible data race on connection count
  netfilter: nft_ct: enable labels for get case too
====================

Link: https://patch.msgid.link/20251029135617.18274-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

author	Jakub Kicinski <kuba@kernel.org>
	Thu, 30 Oct 2025 01:25:12 +0000 (18:25 -0700)
committer	Jakub Kicinski <kuba@kernel.org>
	Thu, 30 Oct 2025 01:25:12 +0000 (18:25 -0700)
commit	e98cda764aa9c27f6810d08bd7bf2e8071535990
tree	ce37aecd93756967c4bd456e69c9b7019bb4886b	tree \| snapshot
parent	298574936a6c4ebbe655e15d971ddb1a96c7dc0b	commit \| diff
parent	90918e3b6404c2a37837b8f11692471b4c512de2	commit \| diff