From: Jakub Kicinski <kuba@kernel.org>
Date: Thu, 9 Apr 2026 01:58:08 +0000 (-0700)
Subject: Merge tag 'nf-next-26-04-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfi... 
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1795654f000568d36ff170a17f5b56df3503ada5;p=thirdparty%2Fkernel%2Flinux.git

Merge tag 'nf-next-26-04-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

Florian Westphal says:

====================
netfilter: updates for net-next

1) Fix ancient sparse warnings in nf conntrack nat modules, from
   Sun Jian.

2) Fix typo in enum description, from Jelle van der Waa.

3) remove redundant refetch of netns pointer in nf_conntrack_sip.

4) add a deprecation warning for dccp match.
   We can extend the deadline later if needed, but plan atm is to
   remove the feature.

5) remove nf_conntrack_h323 debug code that can read out-of-bounds
   with malformed messages. This code was commented out, but better
   remove this.

6+7) add more netlink policy validations in netfilter.
   This could theoretically cause issues when a client sends e.g.
   unsupported feature flags that were previously ignored, so we
   may have to relax some changes. For now, try to be stricter and
   reject upfront.

8+9) minor code cleanup in nft_set_pipapo (an nftables set backend).

10) Add nftables matching support fro double-tagged vlan and pppoe
    frames, from Pablo Neira Ayuso.

11) Fix up indentation of debug messages in nf_conntrack_h323 conntrack
    helper, from David Laight.

12) Add a helper to iterate to next flow action and bail out if the
    maximum number of actions is reached, also from Pablo.

* tag 'nf-next-26-04-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it
  netfilter: nf_conntrack_h323: Correct indentation when H323_TRACE defined
  netfilter: nft_meta: add double-tagged vlan and pppoe support
  netfilter: nft_set_pipapo_avx2: remove redundant loop in lookup_slow
  netfilter: nft_set_pipapo: increment data in one step
  netfilter: nf_tables: add netlink policy based cap on registers
  netfilter: add more netlink-based policy range checks
  netfilter: nf_conntrack_h323: remove unreliable debug code in decode_octstr
  netfilter: add deprecation warning for dccp support
  netfilter: nf_conntrack_sip: remove net variable shadowing
  netfilter: nf_tables: Fix typo in enum description
  netfilter: use function typedefs for __rcu NAT helper hook pointers
====================

Link: https://patch.msgid.link/20260408060419.25258-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---

1795654f000568d36ff170a17f5b56df3503ada5