Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=master 2026-04-10T10:16:27+00:00 2026-04-10T10:16:27+00:00 Zhengchuan Liang zcliangcn@gmail.com 2026-04-04T09:39:48+00:00 urn:sha1:62443dc21114c0bbc476fa62973db89743f2f137 `ip6t_eui64`, `xt_mac`, the `bitmap:ip,mac`, `hash:ip,mac`, and `hash:mac` ipset types, and `nf_log_syslog` access `eth_hdr(skb)` after either assuming that the skb is associated with an Ethernet device or checking only that the `ETH_HLEN` bytes at `skb_mac_header(skb)` lie between `skb->head` and `skb->data`. Make these paths first verify that the skb is associated with an Ethernet device, that the MAC header was set, and that it spans at least a full Ethernet header before accessing `eth_hdr(skb)`. Suggested-by: Florian Westphal <fw@strlen.de> Tested-by: Ren Wei <enjou1224z@gmail.com> Signed-off-by: Zhengchuan Liang <zcliangcn@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Florian Westphal <fw@strlen.de> 2026-04-10T10:16:27+00:00 Florian Westphal fw@strlen.de 2026-04-09T11:30:41+00:00 urn:sha1:1dfd95bdf4d18d263aa8fad06bfb9f4d9c992b18 Drop packets if their ttl/hl is too small for forwarding. Fixes: d32de98ea70f ("netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer") Signed-off-by: Florian Westphal <fw@strlen.de> 2026-04-10T10:16:27+00:00 Gustavo A. R. Silva gustavoars@kernel.org 2026-04-09T22:34:43+00:00 urn:sha1:f30e5a7291a879deeeb6b9ba92b12c9be1ee5f29 -Wflex-array-member-not-at-end was introduced in GCC-14, and we are getting ready to enable it, globally. Use the TRAILING_OVERLAP() helper to fix the following warnings: 1 net/netfilter/x_tables.c:816:39: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] 1 net/netfilter/x_tables.c:811:39: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] This helper creates a union between a flexible-array member (FAM) and a set of members that would otherwise follow it. This overlays the trailing members onto the FAM while preserving the original memory layout. Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Signed-off-by: Florian Westphal <fw@strlen.de> 2026-04-10T10:16:26+00:00 Fernando Fernandez Mancera fmancera@suse.de 2026-03-30T15:19:34+00:00 urn:sha1:84dee05d9d61884ee0986f5b4f3d69886f7dfeb0 UDP-Lite (RFC 3828) socket support was recently retired from the core networking stack. As a follow-up of that, drop the connection tracker and NAT support for UDP-Lite in Netfilter. This patch removes CONFIG_NF_CT_PROTO_UDPLITE and scrubs UDP-Lite awareness from the conntrack core, NAT core, nft_ct, and ctnetlink. Please note that stateless packet inspection, matching, ipsets or logging support for IPPROTO_UDPLITE is preserved. As conntrack no longer extracts UDP-Lite ports or tracks its L4 state, when performing NAT the UDP-Lite checksum cannot be updated anymore. That is an expected and acceptable consequence of removing UDP-Lite conntrack module. Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de> Signed-off-by: Florian Westphal <fw@strlen.de> 2026-04-10T10:16:26+00:00 Florian Westphal fw@strlen.de 2026-04-04T10:12:59+00:00 urn:sha1:542be3fa5aff54210a02954c38f07e53ea9bdafd Originally this did not matter because defrag was enabled once per netns and only disabled again on netns dismantle. When this got changed I should have adjusted checkentry to not leave defrag enabled on error. Fixes: de8c12110a13 ("netfilter: disable defrag once its no longer needed") Signed-off-by: Florian Westphal <fw@strlen.de> 2026-04-10T10:16:26+00:00 Marino Dzalto marino.dzalto@gmail.com 2026-04-03T20:59:07+00:00 urn:sha1:24bd5c2679caf8a228d90cafa221da4b47fd6642 Add pr_fmt to prefix log messages with the module name for easier debugging in dmesg. Add checkentry functions for IPv4 (ttl_mt_check) and IPv6 (hl_mt6_check) to validate the match mode at rule registration time, rejecting invalid modes with -EINVAL. The evaluation function returns false in case the mode is unknown, so this is a cleanup, not a bug fix. Signed-off-by: Marino Dzalto <marino.dzalto@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> 2026-04-10T10:16:26+00:00 Florian Westphal fw@strlen.de 2026-04-04T10:09:05+00:00 urn:sha1:74feb7d373b32a63d7986a2caf9689c860c9a761 This adds implicit DEBUG_WARN_ON_ONCE for debug configurations. No other changes intended. Signed-off-by: Florian Westphal <fw@strlen.de> 2026-04-10T10:16:26+00:00 Florian Westphal fw@strlen.de 2026-03-28T22:00:31+00:00 urn:sha1:8df772afc9d016b597d22a1431e7011b90ce1fb3 Reject names that lack a \0 character and reject the empty string as well. iptables allows this but it fails to re-parse iptables-save output that contain such rules. Signed-off-by: Florian Westphal <fw@strlen.de> 2026-04-10T10:16:26+00:00 Julian Anastasov ja@ssi.bg 2026-04-04T15:34:39+00:00 urn:sha1:8d7de5477e47525c870b599fb2de06ef8af63466 Allow the default load factor for the connection and service tables to be configured. Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Florian Westphal <fw@strlen.de> 2026-04-10T10:16:25+00:00 Julian Anastasov ja@ssi.bg 2026-04-04T15:34:38+00:00 urn:sha1:9a9ccef907a7a8722ed27013c925baf68b7c0506 Add /proc/net/ip_vs_status to show current state of IPVS. The motivation for this new /proc interface is to provide the output for the users to help them decide when to tune the load factor for hash tables, which is possible with the new sysctl knobs coming in followup patch. The output also includes information for the kthreads used for stats. Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Florian Westphal <fw@strlen.de>