diff options
| author | Jakub Kicinski <[email protected]> | 2023-05-18 14:05:48 -0700 |
|---|---|---|
| committer | Jakub Kicinski <[email protected]> | 2023-05-18 14:05:49 -0700 |
| commit | 1ecaf17d097c91a7bd2979c57f7c81c5eeaf526b (patch) | |
| tree | 379efe7cfe3b5acbb01658200c423c15aa6d7d3f /include/uapi/linux | |
| parent | 02f8fc1a67c160b2faab2c9e9439026deb076971 (diff) | |
| parent | e05b5362166b18a224c30502e81416e4d622d3e4 (diff) | |
Merge tag 'nf-next-2023-05-18' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next
Florian Westphal says:
====================
Netfilter updates for net-next
nftables updates:
1. Allow key existence checks with maps.
At the moment the kernel requires userspace to pass a destination
register for the associated value, make this optional so userspace
can query if the key exists, just like with normal sets.
2. nftables maintains a counter per set that holds the number of
elements. This counter gets decremented on element removal,
but its only incremented if the set has a upper maximum value.
Increment unconditionally, this will allow us to update the
maximum value later on.
3. At DCCP option maching, from Jeremy Sowden.
4. use struct_size macro, from Christophe JAILLET.
Conntrack:
5. Squash holes in struct nf_conntrack_expect, also Christophe JAILLET.
6. Allow clash resolution for GRE Protocol to avoid a packet drop,
from Faicker Mo.
Flowtable:
Simplify route logic and split large functions into smaller
chunks, from Pablo Neira Ayuso.
* tag 'nf-next-2023-05-18' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: flowtable: split IPv6 datapath in helper functions
netfilter: flowtable: split IPv4 datapath in helper functions
netfilter: flowtable: simplify route logic
netfilter: conntrack: allow insertion clash of gre protocol
netfilter: nft_set_pipapo: Use struct_size()
netfilter: Reorder fields in 'struct nf_conntrack_expect'
netfilter: nft_exthdr: add boolean DCCP option matching
netfilter: nf_tables: always increment set element count
netfilter: nf_tables: relax set/map validation checks
====================
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Diffstat (limited to 'include/uapi/linux')
| -rw-r--r-- | include/uapi/linux/netfilter/nf_tables.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index c4d4d8e42dc8..e059dc2644df 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -859,12 +859,14 @@ enum nft_exthdr_flags { * @NFT_EXTHDR_OP_TCP: match against tcp options * @NFT_EXTHDR_OP_IPV4: match against ipv4 options * @NFT_EXTHDR_OP_SCTP: match against sctp chunks + * @NFT_EXTHDR_OP_DCCP: match against dccp otions */ enum nft_exthdr_op { NFT_EXTHDR_OP_IPV6, NFT_EXTHDR_OP_TCPOPT, NFT_EXTHDR_OP_IPV4, NFT_EXTHDR_OP_SCTP, + NFT_EXTHDR_OP_DCCP, __NFT_EXTHDR_OP_MAX }; #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) |