[packages/kernel] fix nftables regression by adding missing commit

atler atler at pld-linux.org
Fri Feb 27 22:51:59 CET 2026


commit 0160e9fdcdb5d881e16e4510ae3686b8d2984a05
Author: Jan Palus <atler at pld-linux.org>
Date:   Fri Feb 27 22:47:40 2026 +0100

    fix nftables regression by adding missing commit

 kernel.spec         |  2 ++
 netfilter-fix.patch | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 81 insertions(+)
---
diff --git a/kernel.spec b/kernel.spec
index c94d66bf..a0621c2e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -133,6 +133,7 @@ Source44:	kernel-rt.config
 
 Source58:	kernel-inittmpfs.config
 
+Patch1:		netfilter-fix.patch
 Patch2:		android-enable-building-binder-as-module.patch
 # http://dev.gentoo.org/~spock/projects/fbcondecor/archive/fbcondecor-0.9.4-2.6.25-rc6.patch
 Patch3:		kernel-fbcondecor.patch
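Review bot: The added `Patch1:` line has no provenance comment, unlike `Patch3` two lines below, which cites where its patch comes from. netfilter-fix.patch is a backport of upstream commit f175b46d9134f708358b5404730c6dfa200fbf3c, so I would add a comment above `Patch1:` such as `# upstream f175b46d9134 ("netfilter: nf_tables: add .abort_skip_removal flag for set types"); drop once the base version contains it`. A packet-filter fix carried without that marker is easy to keep past the point where the base kernel already includes it, or to drop by mistake during a version bump.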
@@ -545,6 +546,7 @@ cd linux-%{basever}
 %endif
 
 %if %{without vanilla}
+%patch -P1 -p1
 %patch -P2 -p1
 
 %if %{with fbcondecor}
diff --git a/netfilter-fix.patch b/netfilter-fix.patch
new file mode 100644
index 00000000..ac8cb431
--- /dev/null
+++ b/netfilter-fix.patch
@@ -0,0 +1,79 @@
+From f175b46d9134f708358b5404730c6dfa200fbf3c Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo at netfilter.org>
+Date: Wed, 21 Jan 2026 01:08:44 +0100
+Subject: netfilter: nf_tables: add .abort_skip_removal flag for set types
+
+The pipapo set backend is the only user of the .abort interface so far.
+To speed up pipapo abort path, removals are skipped.
+
+The follow up patch updates the rbtree to use to build an array of
+ordered elements, then use binary search. This needs a new .abort
+interface but, unlike pipapo, it also need to undo/remove elements.
+
+Add a flag and use it from the pipapo set backend.
+
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+Signed-off-by: Florian Westphal <fw at strlen.de>
+---
+ include/net/netfilter/nf_tables.h | 2 ++
+ net/netfilter/nf_tables_api.c     | 3 ++-
+ net/netfilter/nft_set_pipapo.c    | 2 ++
+ 3 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
+index 2597077442e557..31906f90706e9a 100644
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -451,6 +451,7 @@ struct nft_set_ext;
+  *	@init: initialize private data of new set instance
+  *	@destroy: destroy private data of set instance
+  *	@gc_init: initialize garbage collection
++ *	@abort_skip_removal: skip removal of elements from abort path
+  *	@elemsize: element private size
+  *
+  *	Operations lookup, update and delete have simpler interfaces, are faster
+@@ -508,6 +509,7 @@ struct nft_set_ops {
+ 						   const struct nft_set *set);
+ 	void				(*gc_init)(const struct nft_set *set);
+ 
++	bool				abort_skip_removal;
+ 	unsigned int			elemsize;
+ };
+ 
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index e7247363c643e4..be4924aeaf0e46 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -7807,7 +7807,8 @@ static bool nft_trans_elems_new_abort(const struct nft_ctx *ctx,
+ 			continue;
+ 		}
+ 
+-		if (!te->set->ops->abort || nft_setelem_is_catchall(te->set, te->elems[i].priv))
++		if (!te->set->ops->abort_skip_removal ||
++		    nft_setelem_is_catchall(te->set, te->elems[i].priv))
+ 			nft_setelem_remove(ctx->net, te->set, te->elems[i].priv);
+ 
+ 		if (!nft_setelem_is_catchall(te->set, te->elems[i].priv))
+diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
+index 6d77a5f0088ad0..18e1903b1d3d0b 100644
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2370,6 +2370,7 @@ const struct nft_set_type nft_set_pipapo_type = {
+ 		.gc_init	= nft_pipapo_gc_init,
+ 		.commit		= nft_pipapo_commit,
+ 		.abort		= nft_pipapo_abort,
++		.abort_skip_removal = true,
+ 		.elemsize	= offsetof(struct nft_pipapo_elem, ext),
+ 	},
+ };
+@@ -2394,6 +2395,7 @@ const struct nft_set_type nft_set_pipapo_avx2_type = {
+ 		.gc_init	= nft_pipapo_gc_init,
+ 		.commit		= nft_pipapo_commit,
+ 		.abort		= nft_pipapo_abort,
++		.abort_skip_removal = true,
+ 		.elemsize	= offsetof(struct nft_pipapo_elem, ext),
+ 	},
+ };
+-- 
+cgit 1.2.3-korg
+
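Review bot: The new `@abort_skip_removal` kernel-doc line in nf_tables.h does not state that the flag is only safe for a set type whose `.abort` callback discards the uncommitted elements itself. In nft_trans_elems_new_abort the call to nft_setelem_remove() is now skipped on the flag alone, with no check that `.abort` is set, so a backend that sets the flag without such a callback would presumably keep elements from a rolled-back transaction in the set. Because this file is a verbatim upstream backport I would not change the code here, but would raise the wording upstream, e.g. ` *	@abort_skip_removal: skip removal of elements from abort path, @abort must drop them`. It is also worth confirming that the two pipapo types are the only set types in this base version that relied on the old `!ops->abort` test. The body of nft_trans_elems_new_abort continues outside the hunk, so what happens to the element after the skipped removal is not visible here.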
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/0160e9fdcdb5d881e16e4510ae3686b8d2984a05


