This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  80745fb58f832ce4cd7476ab9d7aaf96dd8c8203 (commit)
       via  0360d235c8c4ab2d672b40d745c1b1dc14becadb (commit)
       via  84d6e931508cf0c2b31a0b1b7923d6bda84414c2 (commit)
       via  d90b39982baff221ff52ac97cdc9acb1f29e3d82 (commit)
       via  cf7f5004ac116d90be07e4da36887efc8ef69552 (commit)
       via  b41631c1904690c3a6075dc5572a24f39aee2dd4 (commit)
       via  17aaad5d968e8486dc83cd65cddb1cc1a7ff5211 (commit)
       via  1fad035a1f20771740faf0dd5e0802d779370b94 (commit)
       via  883e29630cb1f5b16c8508b585c32d7f54a86e1a (commit)
       via  9b28e9d02be9c0e0c488434cfd731d47bb227838 (commit)
       via  db8639bbfa41f34fcc33345648d3100ac5da001d (commit)
      from  0d84103c04f67d913ee5cd0187f49ab178fb33e1 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 80745fb58f832ce4cd7476ab9d7aaf96dd8c8203
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Tue Jun 7 20:22:30 2022 +0000
unbound.conf: Aggressive NSEC is enabled by default since Unbound 1.15.0
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 0360d235c8c4ab2d672b40d745c1b1dc14becadb
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Jun 13 15:49:40 2022 +0000
Core Update 169: Ship and apply sysctl changes
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 84d6e931508cf0c2b31a0b1b7923d6bda84414c2
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Tue Jun 7 20:09:07 2022 +0000
sysctl: For the sake of completeness, do not accept IPv6 redirects
While IPFire 2.x' web interface does not support IPv6, users can technically run it with IPv6 by conducting the necessary configuration changes manually.
To provide these systems as well, we should disable acceptance of ICMPv6 redirect packets - which is apparently not default in Linux, yet. :-/
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
commit d90b39982baff221ff52ac97cdc9acb1f29e3d82
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Jun 13 15:48:13 2022 +0000
Core Update 169: Ship localnet initscript
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit cf7f5004ac116d90be07e4da36887efc8ef69552
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Tue Jun 7 19:31:57 2022 +0000
localnet: Add "edns0" to /etc/resolv.conf options for RFC 2671 support
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
commit b41631c1904690c3a6075dc5572a24f39aee2dd4
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Jun 13 15:46:50 2022 +0000
Core Update 169: Ship and apply updated Linux kernel
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 17aaad5d968e8486dc83cd65cddb1cc1a7ff5211
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Sat Jun 11 06:47:49 2022 +0000
flash-images: Harden mount options of /boot
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
commit 1fad035a1f20771740faf0dd5e0802d779370b94
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Sat Jun 11 18:42:08 2022 +0000
Kernel: Mitigate Straight-Line-Speculation on x86_64
See https://lwn.net/Articles/877845/ for the rationale behind this. The feature is currently only available on the x86_64 platform.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
commit 883e29630cb1f5b16c8508b585c32d7f54a86e1a
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Sat Jun 11 18:47:31 2022 +0000
Kernel: Disable support for RPC dprintk debugging
This is solely needed for debugging of NFS issues. Due to the attack surface it introduces, grsecurity recommends disabling it; as we do not have a strict necessity for this feature, it is best to follow that recommendation for security reasons.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9b28e9d02be9c0e0c488434cfd731d47bb227838
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Sat Jun 11 18:53:10 2022 +0000
Kernel: Enable YAMA support
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
commit db8639bbfa41f34fcc33345648d3100ac5da001d
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Sat Jun 11 18:13:57 2022 +0000
linux: Update to 5.15.46
Please refer to https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.46 for the changelog of this version.
Due to operational constraints, ARM rootfile changes are simulated.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/etc/sysctl.conf                             |  4 ++
 config/kernel/kernel.config.aarch64-ipfire         |  5 +-
 config/kernel/kernel.config.armv6l-ipfire          |  5 +-
 config/kernel/kernel.config.riscv64-ipfire         |  5 +-
 config/kernel/kernel.config.x86_64-ipfire          |  7 +-
 config/rootfiles/common/aarch64/linux              |  5 +-
 config/rootfiles/common/armv6l/linux               |  4 +-
 config/rootfiles/common/x86_64/linux               |  6 +-
 .../124 => core/169}/filelists/aarch64/linux       |  0
 .../159 => core/169}/filelists/armv6l/linux        |  0
 config/rootfiles/core/169/filelists/files          |  2 +
 .../100 => core/169}/filelists/x86_64/linux        |  0
 config/rootfiles/core/169/update.sh                | 67 ++++++++++++++++++
 config/unbound/unbound.conf                        |  1 -
 lfs/flash-images                                   |  4 +-
 lfs/linux                                          |  6 +-
 src/initscripts/system/localnet                    |  2 +-
 ....17-layer7.patch => linux-5.15.46-layer7.patch} | 82 +++++++++++-----------
 18 files changed, 134 insertions(+), 71 deletions(-)
 copy config/rootfiles/{oldcore/124 => core/169}/filelists/aarch64/linux (100%)
 copy config/rootfiles/{oldcore/159 => core/169}/filelists/armv6l/linux (100%)
 copy config/rootfiles/{oldcore/100 => core/169}/filelists/x86_64/linux (100%)
 rename src/patches/linux/{linux-5.15.17-layer7.patch => linux-5.15.46-layer7.patch} (94%)
Difference in files: diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7fe397bb7..6bf3bc887 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -31,6 +31,10 @@ vm.min_free_kbytes = 8192 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1
+# However, enable some IPv6 hardening sysctl's in case this system is run customly _with_ IPv6. +net.ipv6.conf.all.accept_redirects = 0 +net.ipv6.conf.default.accept_redirects = 0 + # Enable netfilter accounting net.netfilter.nf_conntrack_acct = 1
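Review bot: the new comment in the sysctl.conf hunk reads "sysctl's" and "customly"; suggest "# Enable some IPv6 hardening sysctls in case this system is configured to run _with_ IPv6." Since `net.ipv6.conf.*.disable_ipv6 = 1` sits two lines above, the two `accept_redirects = 0` keys are inert until an operator re-enables IPv6 by hand, which matches the intent in the commit message; setting both `all` and `default` covers existing and later-created interfaces, so nothing is missing for that case.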
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6dfeae595..f2bdf2a3d 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7433,7 +7433,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=y CONFIG_NFS_FSCACHE=y # CONFIG_NFS_USE_LEGACY_DNS is not set CONFIG_NFS_USE_KERNEL_DNS=y -CONFIG_NFS_DEBUG=y CONFIG_NFS_DISABLE_UDP_SUPPORT=y # CONFIG_NFS_V4_2_READ_PLUS is not set CONFIG_NFSD=m @@ -7457,7 +7456,7 @@ CONFIG_SUNRPC_GSS=m CONFIG_SUNRPC_BACKCHANNEL=y CONFIG_RPCSEC_GSS_KRB5=m # CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set -CONFIG_SUNRPC_DEBUG=y +# CONFIG_SUNRPC_DEBUG is not set # CONFIG_CEPH_FS is not set CONFIG_CIFS=m # CONFIG_CIFS_STATS2 is not set @@ -7555,7 +7554,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 1bb745a87..3fb7b98a2 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7439,7 +7439,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=y CONFIG_NFS_FSCACHE=y # CONFIG_NFS_USE_LEGACY_DNS is not set CONFIG_NFS_USE_KERNEL_DNS=y -CONFIG_NFS_DEBUG=y CONFIG_NFS_DISABLE_UDP_SUPPORT=y # CONFIG_NFS_V4_2_READ_PLUS is not set CONFIG_NFSD=m @@ -7463,7 +7462,7 @@ CONFIG_SUNRPC_GSS=m CONFIG_SUNRPC_BACKCHANNEL=y CONFIG_RPCSEC_GSS_KRB5=m # CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set -CONFIG_SUNRPC_DEBUG=y +# CONFIG_SUNRPC_DEBUG is not set # CONFIG_CEPH_FS is not set CONFIG_CIFS=m # CONFIG_CIFS_STATS2 is not set 
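Review bot: in the NFS hunks of all four kernel configs, `CONFIG_NFS_DEBUG=y` is removed without a replacement `# CONFIG_NFS_DEBUG is not set` line, which is what happens to a symbol that depends on `CONFIG_SUNRPC_DEBUG` once that is turned off; the commit message ("Kernel: Disable support for RPC dprintk debugging") only names the SUNRPC side, so one sentence there saying NFS_DEBUG disappears as a consequence would save the next reader a Kconfig lookup and make clear the line was not dropped by accident.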
@@ -7561,7 +7560,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2d1fdbd28..f1364d143 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6071,7 +6071,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=y CONFIG_NFS_FSCACHE=y # CONFIG_NFS_USE_LEGACY_DNS is not set CONFIG_NFS_USE_KERNEL_DNS=y -CONFIG_NFS_DEBUG=y CONFIG_NFS_DISABLE_UDP_SUPPORT=y CONFIG_NFS_V4_2_READ_PLUS=y CONFIG_NFSD=m @@ -6095,7 +6094,7 @@ CONFIG_SUNRPC_GSS=m CONFIG_SUNRPC_BACKCHANNEL=y CONFIG_RPCSEC_GSS_KRB5=m # CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set -CONFIG_SUNRPC_DEBUG=y +# CONFIG_SUNRPC_DEBUG is not set # CONFIG_CEPH_FS is not set CONFIG_CIFS=m # CONFIG_CIFS_STATS2 is not set @@ -6193,7 +6192,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b84698235..68c6e7b34 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -322,6 +322,8 @@ CONFIG_X86_X2APIC=y CONFIG_X86_MPPARSE=y # CONFIG_GOLDFISH is not set CONFIG_RETPOLINE=y +CONFIG_CC_HAS_SLS=y +CONFIG_SLS=y # CONFIG_X86_CPU_RESCTRL is not set CONFIG_X86_EXTENDED_PLATFORM=y # CONFIG_X86_VSMP is not set 
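Review bot: in the x86_64 hunk `@@ -322,6 +322,8 @@`, `CONFIG_CC_HAS_SLS=y` is a compiler-probed symbol (Kconfig sets it when the toolchain accepts `-mharden-sls=all`), so writing it into the saved config does not by itself guarantee anything: if the build gcc lacks that option it is recomputed to n and `CONFIG_SLS=y` silently drops out of the final `.config`. Confirm the toolchain supports the flag and check `CONFIG_SLS` in the built kernel's config rather than trusting the committed file.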
@@ -6847,7 +6849,6 @@ CONFIG_NFS_V4_SECURITY_LABEL=y CONFIG_NFS_FSCACHE=y # CONFIG_NFS_USE_LEGACY_DNS is not set CONFIG_NFS_USE_KERNEL_DNS=y -CONFIG_NFS_DEBUG=y CONFIG_NFS_DISABLE_UDP_SUPPORT=y CONFIG_NFS_V4_2_READ_PLUS=y CONFIG_NFSD=m @@ -6871,7 +6872,7 @@ CONFIG_SUNRPC_GSS=m CONFIG_SUNRPC_BACKCHANNEL=y CONFIG_RPCSEC_GSS_KRB5=m # CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES is not set -CONFIG_SUNRPC_DEBUG=y +# CONFIG_SUNRPC_DEBUG is not set # CONFIG_CEPH_FS is not set CONFIG_CIFS=m # CONFIG_CIFS_STATS2 is not set @@ -6971,7 +6972,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index a88af0a37..73177bd71 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -6878,6 +6878,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK #lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK_STATIC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO +#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_TIED_OUTPUT #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_OUTPUT #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_INLINE #lib/modules/KVER-ipfire/build/include/config/CC_HAS_BRANCH_PROT_PAC_RET 
@@ -7107,7 +7108,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CRYPTO_KPP2 #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_AES #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_ARC4 -#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S_GENERIC #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA20POLY1305 @@ -15293,7 +15293,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/trace/events/qdisc.h #lib/modules/KVER-ipfire/build/include/trace/events/qla.h #lib/modules/KVER-ipfire/build/include/trace/events/qrtr.h -#lib/modules/KVER-ipfire/build/include/trace/events/random.h #lib/modules/KVER-ipfire/build/include/trace/events/rcu.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma_core.h @@ -20520,8 +20519,6 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/lib/crc8.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto #lib/modules/KVER-ipfire/kernel/lib/crypto/libarc4.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s-generic.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha20poly1305.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libcurve25519-generic.ko.xz diff --git a/config/rootfiles/common/armv6l/linux b/config/rootfiles/common/armv6l/linux index 11da0fb3c..e8e10463c 100644 --- a/config/rootfiles/common/armv6l/linux +++ b/config/rootfiles/common/armv6l/linux 
@@ -7317,6 +7317,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK #lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK_STATIC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO +#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_TIED_OUTPUT #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_OUTPUT #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_INLINE #lib/modules/KVER-ipfire/build/include/config/CC_HAS_KASAN_GENERIC @@ -7569,7 +7570,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CRYPTO_KPP2 #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_AES #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_ARC4 -#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA20POLY1305 #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA_GENERIC @@ -15743,7 +15743,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/trace/events/qdisc.h #lib/modules/KVER-ipfire/build/include/trace/events/qla.h #lib/modules/KVER-ipfire/build/include/trace/events/qrtr.h -#lib/modules/KVER-ipfire/build/include/trace/events/random.h #lib/modules/KVER-ipfire/build/include/trace/events/rcu.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma_core.h @@ -20739,7 +20738,6 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/lib/crc8.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto #lib/modules/KVER-ipfire/kernel/lib/crypto/libarc4.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha20poly1305.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libcurve25519-generic.ko.xz 
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index a578435d3..04e636046 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -6780,12 +6780,14 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CC_CAN_LINK_STATIC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_OUTPUT +#lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_GOTO_TIED_OUTPUT #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ASM_INLINE #lib/modules/KVER-ipfire/build/include/config/CC_HAS_INT128 #lib/modules/KVER-ipfire/build/include/config/CC_HAS_KASAN_GENERIC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_NO_PROFILE_FN_ATTR #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANCOV_TRACE_PC #lib/modules/KVER-ipfire/build/include/config/CC_HAS_SANE_STACKPROTECTOR +#lib/modules/KVER-ipfire/build/include/config/CC_HAS_SLS #lib/modules/KVER-ipfire/build/include/config/CC_HAS_WORKING_NOSANITIZE_ADDRESS #lib/modules/KVER-ipfire/build/include/config/CC_HAS_ZERO_CALL_USED_REGS #lib/modules/KVER-ipfire/build/include/config/CC_IS_GCC @@ -6999,7 +7001,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/CRYPTO_KPP2 #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_AES #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_ARC4 -#lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_BLAKE2S_GENERIC #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA #lib/modules/KVER-ipfire/build/include/config/CRYPTO_LIB_CHACHA20POLY1305 
@@ -15730,7 +15731,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/trace/events/qdisc.h #lib/modules/KVER-ipfire/build/include/trace/events/qla.h #lib/modules/KVER-ipfire/build/include/trace/events/qrtr.h -#lib/modules/KVER-ipfire/build/include/trace/events/random.h #lib/modules/KVER-ipfire/build/include/trace/events/rcu.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma.h #lib/modules/KVER-ipfire/build/include/trace/events/rdma_core.h @@ -21621,8 +21621,6 @@ lib/modules/KVER-ipfire/kernel #lib/modules/KVER-ipfire/kernel/lib/crc8.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto #lib/modules/KVER-ipfire/kernel/lib/crypto/libarc4.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s-generic.ko.xz -#lib/modules/KVER-ipfire/kernel/lib/crypto/libblake2s.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libchacha20poly1305.ko.xz #lib/modules/KVER-ipfire/kernel/lib/crypto/libcurve25519-generic.ko.xz diff --git a/config/rootfiles/core/169/filelists/aarch64/linux b/config/rootfiles/core/169/filelists/aarch64/linux new file mode 120000 index 000000000..3a2532bc7 --- /dev/null +++ b/config/rootfiles/core/169/filelists/aarch64/linux @@ -0,0 +1 @@ +../../../../common/aarch64/linux \ No newline at end of file diff --git a/config/rootfiles/core/169/filelists/armv6l/linux b/config/rootfiles/core/169/filelists/armv6l/linux new file mode 120000 index 000000000..aee1f4d73 --- /dev/null +++ b/config/rootfiles/core/169/filelists/armv6l/linux @@ -0,0 +1 @@ +../../../../common/armv6l/linux \ No newline at end of file diff --git a/config/rootfiles/core/169/filelists/files b/config/rootfiles/core/169/filelists/files index 0eee92b92..5bc109be4 100644 --- a/config/rootfiles/core/169/filelists/files +++ b/config/rootfiles/core/169/filelists/files 
@@ -3,6 +3,8 @@ etc/rc.d/helper/azure-setup etc/rc.d/helper/aws-setup etc/rc.d/helper/exoscale-setup etc/rc.d/helper/gcp-setup +etc/rc.d/init.d/localnet +etc/sysctl.conf opt/pakfire/etc/pakfire.conf srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/html/themes/ipfire/include/functions.pl diff --git a/config/rootfiles/core/169/filelists/x86_64/linux b/config/rootfiles/core/169/filelists/x86_64/linux new file mode 120000 index 000000000..0615b5b9a --- /dev/null +++ b/config/rootfiles/core/169/filelists/x86_64/linux @@ -0,0 +1 @@ +../../../../common/x86_64/linux \ No newline at end of file diff --git a/config/rootfiles/core/169/update.sh b/config/rootfiles/core/169/update.sh index ca50723cb..ad118cdf9 100644 --- a/config/rootfiles/core/169/update.sh +++ b/config/rootfiles/core/169/update.sh @@ -26,6 +26,18 @@
core=169
+exit_with_error() { + # Set last succesfull installed core. + echo $(($core-1)) > /opt/pakfire/db/core/mine + # force fsck at next boot, this may fix free space on xfs + touch /forcefsck + # don't start pakfire again at error + killall -KILL pak_update + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: $1" + exit $2 +} + # Remove old core updates from pakfire cache to save space... for (( i=1; i<=$core; i++ )); do rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire @@ -36,6 +48,44 @@ done /etc/init.d/squid stop /etc/init.d/apache stop
+KVER="xxxKVERxxx" + +# Backup uEnv.txt if exist +if [ -e /boot/uEnv.txt ]; then + cp -vf /boot/uEnv.txt /boot/uEnv.txt.org +fi + +# Do some sanity checks prior to the kernel update +case $(uname -r) in + *-ipfire*) + # Ok. + ;; + *) + exit_with_error "ERROR cannot update. No IPFire Kernel." 1 + ;; +esac + +# Check diskspace on root +ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $ROOTSPACE -lt 100000 ]; then + exit_with_error "ERROR cannot update because not enough free space on root." 2 + exit 2 +fi + +# Remove the old kernel +rm -rvf \ + /boot/System.map-* \ + /boot/config-* \ + /boot/ipfirerd-* \ + /boot/initramfs-* \ + /boot/vmlinuz-* \ + /boot/uImage-* \ + /boot/zImage-* \ + /boot/uInit-* \ + /boot/dtb-* \ + /lib/modules + # Remove files rm -rvf \ /lib/libxtables.so.12.4.0 \ @@ -61,6 +111,9 @@ ldconfig # Filesytem cleanup /usr/local/bin/filesystem-cleanup
+# Apply sysctl changes +/etc/init.d/sysctl start + # Start services telinit u /etc/init.d/firewall restart @@ -75,6 +128,20 @@ touch /var/run/need_reboot /etc/init.d/fireinfo start sendprofile
+# remove lm_sensor config after collectd was started +# to reserch sensors at next boot with updated kernel +rm -f /etc/sysconfig/lm_sensors + +# Upadate Kernel version in uEnv.txt +if [ -e /boot/uEnv.txt ]; then + sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt +fi + +# Call user update script (needed for some ARM boards) +if [ -e /boot/pakfire-kernel-update ]; then + /boot/pakfire-kernel-update ${KVER} +fi + # Update grub config to display new core version if [ -e /boot/grub/grub.cfg ]; then grub-mkconfig -o /boot/grub/grub.cfg diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 9d5e840dd..012beab54 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -39,7 +39,6 @@ server: # Hardening Options harden-large-queries: yes harden-referral-path: yes - aggressive-nsec: yes
# TLS tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt diff --git a/lfs/flash-images b/lfs/flash-images index 3cf81fb6d..8a033c310 100644 --- a/lfs/flash-images +++ b/lfs/flash-images @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -167,7 +167,7 @@ endif
# Create /etc/fstab printf "$(FSTAB_FMT)" "$$(blkid -o value -s UUID $(PART_BOOT))" "/boot" \ - "auto" "defaults" 1 2 > $(MNThdd)/etc/fstab + "auto" "defaults,nodev,noexec,nosuid" 1 2 > $(MNThdd)/etc/fstab ifeq "$(EFI)" "1" printf "$(FSTAB_FMT)" "$$(blkid -o value -s UUID $(PART_EFI))" "/boot/efi" \ "auto" "defaults" 1 2 >> $(MNThdd)/etc/fstab diff --git a/lfs/linux b/lfs/linux index d9637ef94..df3b348d4 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,7 +24,7 @@
include Config
-VER = 5.15.35 +VER = 5.15.46 ARM_PATCHES = 5.15-ipfire5
THISAPP = linux-$(VER) @@ -78,7 +78,7 @@ objects =$(DL_FILE) \ $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE) arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
-$(DL_FILE)_BLAKE2 = 15f1af609ae4a233dc6bdae84c1231c2335be6320ddbb9a5d76c7983498a9ca72c13b55cc1408dac477f707fb84df99435994c1a7eeb91396481c2f7b11ecc2e +$(DL_FILE)_BLAKE2 = 26fdc4bbed153f7a5a511b7c1a804f794dd6e4b8b44d0317a4cad304b2c824183fd6054b7ca94f22b3e49e22a13ec9dbd24373b628b01bdcdb5392eafe6b3dbe arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 58a70e757a9121a0aac83604a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165c6a86e0371a3e896f4c7cdd699c34a0
install : $(TARGET) @@ -116,7 +116,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) ln -svf linux-$(VER) $(DIR_SRC)/linux
# Layer7-patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.17-layer7.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.15.46-layer7.patch
# DVB Patches cd $(DIR_APP) && patch -Np2 < $(DIR_SRC)/src/patches/v4l-dvb_fix_tua6034_pll.patch diff --git a/src/initscripts/system/localnet b/src/initscripts/system/localnet index f260a1f29..ffa05e397 100644 --- a/src/initscripts/system/localnet +++ b/src/initscripts/system/localnet @@ -26,7 +26,7 @@ write_resolv_conf() { ( [ -n "${DOMAINNAME}" ] && echo "search ${DOMAINNAME}" echo "nameserver 127.0.0.1" - echo "options trust-ad" + echo "options edns0 trust-ad" ) > /etc/resolv.conf }
diff --git a/src/patches/linux/linux-5.15.17-layer7.patch b/src/patches/linux/linux-5.15.46-layer7.patch similarity index 94% rename from src/patches/linux/linux-5.15.17-layer7.patch rename to src/patches/linux/linux-5.15.46-layer7.patch index 0dafa16c7..d6b46142c 100644 --- a/src/patches/linux/linux-5.15.17-layer7.patch +++ b/src/patches/linux/linux-5.15.46-layer7.patch @@ -1,6 +1,6 @@ -diff -Naur a/include/linux/skbuff.h b/include/linux/skbuff.h ---- a/include/linux/skbuff.h 2022-01-27 10:05:44.000000000 +0000 -+++ b/include/linux/skbuff.h 2022-01-29 08:04:32.984637671 +0000 +diff -Naur linux-5.15.46.orig/include/linux/skbuff.h linux-5.15.46/include/linux/skbuff.h +--- linux-5.15.46.orig/include/linux/skbuff.h 2022-06-11 14:51:47.639775333 +0000 ++++ linux-5.15.46/include/linux/skbuff.h 2022-06-11 14:53:07.977494189 +0000 @@ -772,6 +772,9 @@ #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) unsigned long _nfct; @@ -11,10 +11,10 @@ diff -Naur a/include/linux/skbuff.h b/include/linux/skbuff.h unsigned int len, data_len; __u16 mac_len, -diff -Naur a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h ---- a/include/net/netfilter/nf_conntrack.h 2022-01-27 10:05:44.000000000 +0000 -+++ b/include/net/netfilter/nf_conntrack.h 2022-01-29 08:04:32.984637671 +0000 -@@ -117,6 +117,23 @@ +diff -Naur linux-5.15.46.orig/include/net/netfilter/nf_conntrack.h linux-5.15.46/include/net/netfilter/nf_conntrack.h +--- linux-5.15.46.orig/include/net/netfilter/nf_conntrack.h 2022-06-11 14:51:48.471834543 +0000 ++++ linux-5.15.46/include/net/netfilter/nf_conntrack.h 2022-06-11 14:53:07.977494189 +0000 +@@ -119,6 +119,23 @@ /* Extensions */ struct nf_ct_ext *ext;
@@ -38,9 +38,9 @@ diff -Naur a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_con /* Storage reserved for other modules, must be the last member */ union nf_conntrack_proto proto; }; -diff -Naur a/include/uapi/linux/netfilter/xt_layer7.h b/include/uapi/linux/netfilter/xt_layer7.h ---- a/include/uapi/linux/netfilter/xt_layer7.h 1970-01-01 00:00:00.000000000 +0000 -+++ b/include/uapi/linux/netfilter/xt_layer7.h 2022-01-29 08:04:32.984637671 +0000 +diff -Naur linux-5.15.46.orig/include/uapi/linux/netfilter/xt_layer7.h linux-5.15.46/include/uapi/linux/netfilter/xt_layer7.h +--- linux-5.15.46.orig/include/uapi/linux/netfilter/xt_layer7.h 1970-01-01 00:00:00.000000000 +0000 ++++ linux-5.15.46/include/uapi/linux/netfilter/xt_layer7.h 2022-06-11 14:53:07.977494189 +0000 @@ -0,0 +1,13 @@ +#ifndef _XT_LAYER7_H +#define _XT_LAYER7_H @@ -55,9 +55,9 @@ diff -Naur a/include/uapi/linux/netfilter/xt_layer7.h b/include/uapi/linux/netfi +}; + +#endif /* _XT_LAYER7_H */ -diff -Naur a/net/netfilter/Kconfig b/net/netfilter/Kconfig ---- a/net/netfilter/Kconfig 2022-01-27 10:05:44.000000000 +0000 -+++ b/net/netfilter/Kconfig 2022-01-29 08:04:32.988637605 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/Kconfig linux-5.15.46/net/netfilter/Kconfig +--- linux-5.15.46.orig/net/netfilter/Kconfig 2022-06-11 14:51:48.599843652 +0000 ++++ linux-5.15.46/net/netfilter/Kconfig 2022-06-11 14:53:07.977494189 +0000 @@ -1389,6 +1389,26 @@
To compile it as a module, choose M here. If unsure, say N. @@ -85,9 +85,9 @@ diff -Naur a/net/netfilter/Kconfig b/net/netfilter/Kconfig config NETFILTER_XT_MATCH_LENGTH tristate '"length" match support' depends on NETFILTER_ADVANCED -diff -Naur a/net/netfilter/Makefile b/net/netfilter/Makefile ---- a/net/netfilter/Makefile 2022-01-27 10:05:44.000000000 +0000 -+++ b/net/netfilter/Makefile 2022-01-29 08:04:32.988637605 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/Makefile linux-5.15.46/net/netfilter/Makefile +--- linux-5.15.46.orig/net/netfilter/Makefile 2022-06-11 14:51:48.599843652 +0000 ++++ linux-5.15.46/net/netfilter/Makefile 2022-06-11 14:53:07.981494474 +0000 @@ -201,6 +201,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o @@ -96,10 +96,10 @@ diff -Naur a/net/netfilter/Makefile b/net/netfilter/Makefile obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o -diff -Naur a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c ---- a/net/netfilter/nf_conntrack_core.c 2022-01-27 10:05:44.000000000 +0000 -+++ b/net/netfilter/nf_conntrack_core.c 2022-01-29 08:04:32.992637539 +0000 -@@ -636,6 +636,11 @@ +diff -Naur linux-5.15.46.orig/net/netfilter/nf_conntrack_core.c linux-5.15.46/net/netfilter/nf_conntrack_core.c +--- linux-5.15.46.orig/net/netfilter/nf_conntrack_core.c 2022-06-11 14:51:48.599843652 +0000 ++++ linux-5.15.46/net/netfilter/nf_conntrack_core.c 2022-06-11 14:53:07.981494474 +0000 +@@ -648,6 +648,11 @@ */ nf_ct_remove_expectations(ct);
@@ -111,24 +111,24 @@ diff -Naur a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core nf_ct_del_from_dying_or_unconfirmed_list(ct);
local_bh_enable(); -diff -Naur a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c ---- a/net/netfilter/nf_conntrack_standalone.c 2022-01-27 10:05:44.000000000 +0000 -+++ b/net/netfilter/nf_conntrack_standalone.c 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/nf_conntrack_standalone.c linux-5.15.46/net/netfilter/nf_conntrack_standalone.c +--- linux-5.15.46.orig/net/netfilter/nf_conntrack_standalone.c 2022-06-11 14:51:48.603843938 +0000 ++++ linux-5.15.46/net/netfilter/nf_conntrack_standalone.c 2022-06-11 14:54:23.322859367 +0000 @@ -370,6 +370,11 @@ ct_show_zone(s, ct, NF_CT_DEFAULT_ZONE_DIR); ct_show_delta_time(s, ct);
-+#if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE) ++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) || defined(CONFIG_NETFILTER_XT_MATCH_LAYER7_MODULE) + if(ct->layer7.app_proto) + seq_printf(s, "l7proto=%s ", ct->layer7.app_proto); -+#endif ++ #endif + - seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)); + seq_printf(s, "use=%u\n", refcount_read(&ct->ct_general.use));
if (seq_has_overflowed(s)) -diff -Naur a/net/netfilter/regexp/regexp.c b/net/netfilter/regexp/regexp.c ---- a/net/netfilter/regexp/regexp.c 1970-01-01 00:00:00.000000000 +0000 -+++ b/net/netfilter/regexp/regexp.c 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regexp.c linux-5.15.46/net/netfilter/regexp/regexp.c +--- linux-5.15.46.orig/net/netfilter/regexp/regexp.c 1970-01-01 00:00:00.000000000 +0000 ++++ linux-5.15.46/net/netfilter/regexp/regexp.c 2022-06-11 14:53:07.985494758 +0000 @@ -0,0 +1,1197 @@ +/* + * regcomp and regexec -- regsub and regerror are elsewhere @@ -1327,9 +1327,9 @@ diff -Naur a/net/netfilter/regexp/regexp.c b/net/netfilter/regexp/regexp.c +#endif + + -diff -Naur a/net/netfilter/regexp/regexp.h b/net/netfilter/regexp/regexp.h ---- a/net/netfilter/regexp/regexp.h 1970-01-01 00:00:00.000000000 +0000 -+++ b/net/netfilter/regexp/regexp.h 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regexp.h linux-5.15.46/net/netfilter/regexp/regexp.h +--- linux-5.15.46.orig/net/netfilter/regexp/regexp.h 1970-01-01 00:00:00.000000000 +0000 ++++ linux-5.15.46/net/netfilter/regexp/regexp.h 2022-06-11 14:53:07.985494758 +0000 @@ -0,0 +1,41 @@ +/* + * Definitions etc. for regexp(3) routines. @@ -1372,18 +1372,18 @@ diff -Naur a/net/netfilter/regexp/regexp.h b/net/netfilter/regexp/regexp.h +void regerror(char *s); + +#endif -diff -Naur a/net/netfilter/regexp/regmagic.h b/net/netfilter/regexp/regmagic.h ---- a/net/netfilter/regexp/regmagic.h 1970-01-01 00:00:00.000000000 +0000 -+++ b/net/netfilter/regexp/regmagic.h 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regmagic.h linux-5.15.46/net/netfilter/regexp/regmagic.h +--- linux-5.15.46.orig/net/netfilter/regexp/regmagic.h 1970-01-01 00:00:00.000000000 +0000 ++++ linux-5.15.46/net/netfilter/regexp/regmagic.h 2022-06-11 14:53:07.985494758 +0000 
@@ -0,0 +1,5 @@ +/* + * The first byte of the regexp internal "program" is actually this magic + * number; the start node begins in the second byte. + */ +#define MAGIC 0234 -diff -Naur a/net/netfilter/regexp/regsub.c b/net/netfilter/regexp/regsub.c ---- a/net/netfilter/regexp/regsub.c 1970-01-01 00:00:00.000000000 +0000 -+++ b/net/netfilter/regexp/regsub.c 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/regexp/regsub.c linux-5.15.46/net/netfilter/regexp/regsub.c +--- linux-5.15.46.orig/net/netfilter/regexp/regsub.c 1970-01-01 00:00:00.000000000 +0000 ++++ linux-5.15.46/net/netfilter/regexp/regsub.c 2022-06-11 14:53:07.985494758 +0000 @@ -0,0 +1,95 @@ +/* + * regsub @@ -1480,9 +1480,9 @@ diff -Naur a/net/netfilter/regexp/regsub.c b/net/netfilter/regexp/regsub.c + } + *dst++ = '\0'; +} -diff -Naur a/net/netfilter/xt_layer7.c b/net/netfilter/xt_layer7.c ---- a/net/netfilter/xt_layer7.c 1970-01-01 00:00:00.000000000 +0000 -+++ b/net/netfilter/xt_layer7.c 2022-01-29 08:04:32.992637539 +0000 +diff -Naur linux-5.15.46.orig/net/netfilter/xt_layer7.c linux-5.15.46/net/netfilter/xt_layer7.c +--- linux-5.15.46.orig/net/netfilter/xt_layer7.c 1970-01-01 00:00:00.000000000 +0000 ++++ linux-5.15.46/net/netfilter/xt_layer7.c 2022-06-11 14:53:07.985494758 +0000 @@ -0,0 +1,666 @@ +/* + Kernel module to match application layer (OSI layer 7) data in connections.
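Review bot: in `config/rootfiles/core/169/update.sh`, hunk `@@ -26,6 +26,18 @@`, the comment says "succesfull"; should be "successful". `exit_with_error` also relies on every caller passing an exit code as `$2`; both call sites in this patch do, but `exit "${2:-1}"` would give a future caller that omits it a sane non-zero status instead of an empty argument.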
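Review bot: in `update.sh`, hunk `@@ -36,6 +48,44 @@`, the `exit 2` after `exit_with_error "ERROR cannot update because not enough free space on root." 2` is unreachable because `exit_with_error` already exits; drop it. More importantly, `[ $ROOTSPACE -lt 100000 ]` becomes a shell error with an empty `ROOTSPACE` (if the `df` pipeline produced nothing), and the script would then continue into `rm -rvf ... /lib/modules`; `[ "${ROOTSPACE:-0}" -lt 100000 ]` fails closed before the old kernel is removed.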
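Review bot: in `update.sh`, hunk `@@ -75,6 +128,20 @@`, `/boot/pakfire-kernel-update ${KVER}` executes a file on /boot directly, while the `lfs/flash-images` hunk in this same push mounts /boot with `noexec`; on a flash image written with that fstab the execve is refused with "Permission denied" and the board-specific kernel update step is skipped. Invoke it through the interpreter (`sh /boot/pakfire-kernel-update "${KVER}"`) or test with `[ -x ... ]` and log when it is not executable. Comment typos: "reserch" should be "research", "Upadate" should be "Update".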
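Review bot: in `config/unbound/unbound.conf`, hunk `@@ -39,7 +39,6 @@`, removing `aggressive-nsec: yes` ties the behaviour to the Unbound version running on the box; the commit message states the default flipped in 1.15.0, but nothing in this push pins or records that IPFire ships at least that version. A one-line comment in the hardening block noting the 1.15.0 dependency would keep a later downgrade, or a reader of the config, from losing the feature silently.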
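Review bot: in `lfs/flash-images`, hunk `@@ -167,7 +167,7 @@`, /boot now gets `defaults,nodev,noexec,nosuid` but the `/boot/efi` entry two lines below keeps plain `defaults`; the EFI system partition holds nothing the running OS executes in place either, so the same options fit there. Note also that this hunk only changes the fstab written into new flash images; nothing in `update.sh` touches fstab, so installations upgraded in place keep their old mount options.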
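Review bot: in the rebased `linux-5.15.46-layer7.patch`, the `nf_conntrack_standalone.c` hunk now indents the preprocessor lines (`++ #if defined(CONFIG_NETFILTER_XT_MATCH_LAYER7) ...` and `++ #endif`) where the 5.15.17 version had them at column 0; keep them unindented, kernel style, since the substantive adaptation in that hunk is `atomic_read` to `refcount_read` on `ct->ct_general.use`. The remaining changes are the path and timestamp churn from regenerating with `diff -Naur` against a versioned directory plus the shifted `@@` offsets, which is fine.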
hooks/post-receive -- IPFire 2.x development tree