Merge tag 'nf-24-02-15' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following batch contains Netfilter fixes for net: 1) Missing : in kdoc field in nft_set_pipapo. 2) Restore default DNAT behavior When a DNAT rule is configured via iptables with different port ranges, from Kyle Swenson. 3) Restore flowtable hardware offload for bidirectional flows by setting NF_FLOW_HW_BIDIRECTIONAL flag, from Felix Fietkau. netfilter pull request 24-02-15 * tag 'nf-24-02-15' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_tables: fix bidirectional offload regression netfilter: nat: restore default DNAT behavior netfilter: nft_set_pipapo: fix missing : in kdoc ==================== Link: https://lore.kernel.org/r/20240214233818.7946-1-pablo@netfilter.orgSigned-off-by: Paolo Abeni <pabeni@redhat.com>

Merge tag 'nf-24-02-15' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following batch contains Netfilter fixes for net: 1) Missing : in kdoc field in nft_set_pipapo. 2) Restore default DNAT behavior When a DNAT rule is configured via iptables with different port ranges, from Kyle Swenson. 3) Restore flowtable hardware offload for bidirectional flows by setting NF_FLOW_HW_BIDIRECTIONAL flag, from Felix Fietkau. netfilter pull request 24-02-15 * tag 'nf-24-02-15' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_tables: fix bidirectional offload regression netfilter: nat: restore default DNAT behavior netfilter: nft_set_pipapo: fix missing : in kdoc ==================== Link: https://lore.kernel.org/r/20240214233818.7946-1-pablo@netfilter.orgSigned-off-by: Paolo Abeni <pabeni@redhat.com>
d74b23d0 · Paolo Abeni · f3ac28e1 · 84443741 · d74b23d0 · d74b23d0
Commit d74b23d0 authored Feb 15, 2024 by Paolo Abeni
Showing with 7 additions and 3 deletions

net/netfilter/nf_nat_core.c net/netfilter/nf_nat_core.c +4 -1

net/netfilter/nft_flow_offload.c net/netfilter/nft_flow_offload.c +1 -0

net/netfilter/nft_set_pipapo.h net/netfilter/nft_set_pipapo.h +2 -2

No files found.
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -551,8 +551,11 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
 find_free_id:
 	if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
 		off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
-	else
+	else if ((range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL) ||
+		 maniptype != NF_NAT_MANIP_DST)
 		off = get_random_u16();
+	else
+		off = 0;
 	attempts = range_size;
 	if (attempts > NF_NAT_MAX_ATTEMPTS)

--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -361,6 +361,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 		ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
 	}
+	__set_bit(NF_FLOW_HW_BIDIRECTIONAL, &flow->flags);
 	ret = flow_offload_add(flowtable, flow);
 	if (ret < 0)
 		goto err_flow_add;

--- a/net/netfilter/nft_set_pipapo.h
+++ b/net/netfilter/nft_set_pipapo.h
@@ -144,10 +144,10 @@ struct nft_pipapo_scratch {
 /**
 * struct nft_pipapo_match - Data used for lookup and matching
- * @field_count		Amount of fields in set
+ * @field_count:	Amount of fields in set
 * @scratch:		Preallocated per-CPU maps for partial matching results
 * @bsize_max:		Maximum lookup table bucket size of all fields, in longs
- * @rcu			Matching data is swapped on commits
+ * @rcu:		Matching data is swapped on commits
 * @f:			Fields, with lookup and mapping tables
 */
 struct nft_pipapo_match {