* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 70af65df4198c58f99a333748faa39b39ad1c3c4
@ 2020-03-11 22:00 Arne Fitzenreiter
From: Arne Fitzenreiter @ 2020-03-11 22:00 UTC (permalink / raw)
  To: ipfire-scm

[-- Attachment #1: Type: text/plain, Size: 6359 bytes --]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  70af65df4198c58f99a333748faa39b39ad1c3c4 (commit)
      from  1c8e09379de62867a96ff0406f7a75841623efb8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 70af65df4198c58f99a333748faa39b39ad1c3c4
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Wed Mar 11 22:59:38 2020 +0100

    kernel: update to 4.14.173
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 lfs/linux                                          | 13 ++--
 ...nux-5.0-netfilter-conntrack-resolve-clash.patch | 75 ----------------------
 2 files changed, 5 insertions(+), 83 deletions(-)
 delete mode 100644 src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch

Difference in files:
diff --git a/lfs/linux b/lfs/linux
index 9db2efb35..4d24752e3 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -24,8 +24,8 @@
 
 include Config
 
-VER         = 4.14.171
-ARM_PATCHES = 4.14.171-ipfire0
+VER         = 4.14.173
+ARM_PATCHES = 4.14.173-ipfire0
 
 THISAPP    = linux-$(VER)
 DL_FILE    = linux-$(VER).tar.xz
@@ -34,7 +34,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 CFLAGS     =
 CXXFLAGS   =
 
-PAK_VER    = 93
+PAK_VER    = 94
 DEPS	   = ""
 
 HEADERS_ARCH  = $(BUILD_PLATFORM)
@@ -82,8 +82,8 @@ objects =$(DL_FILE) \
 $(DL_FILE)					= $(URL_IPFIRE)/$(DL_FILE)
 arm-multi-patches-$(ARM_PATCHES).patch.xz	= $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
 
-$(DL_FILE)_MD5					= b9b2c64eb3ae7fa6023d2b8c981b5ac4
-arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5	= f1d5d1dcb1d60c6f8476938070a65112
+$(DL_FILE)_MD5					= 450adc5d8dc77bd2d89a4d7098f0abac
+arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5	= 3072dd813363b20361f80ecc748a1084
 
 install : $(TARGET)
 
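Review bot: The two updated `_MD5` values are the only integrity pin visible in this hunk for `linux-$(VER).tar.xz` and the ARM patch set, and MD5 is collision-broken, so it is a weak anchor for a kernel source download. Both objects are fetched from `$(URL_IPFIRE)`, so the hash recorded here is what ties the build to the upstream release. The rule that consumes these variables lives in the included `Config`, outside this hunk; if it can check a stronger digest, record one beside each MD5. Either way, a comment such as `# tarball verified against kernel.org's signed sha256sums.asc before hashing` above the `$(DL_FILE)_MD5` line would document how the new value was obtained.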
@@ -143,9 +143,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Fix uevent PHYSDEVDRIVER
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-2.6.32.27_mcs7830-fix-driver-name.patch
 
-	# Fix for netfilter nf_conntrack: resolve clash for matching conntracks
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch
-
 ifeq "$(KCFG)" "-kirkwood"
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14.40-kirkwood-dtb.patch
 endif
diff --git a/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch b/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch
deleted file mode 100644
index 914cd0675..000000000
--- a/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-commit ed07d9a021df6da53456663a76999189badc432a
-Author: Martynas Pumputis <martynas(a)weave.works>
-Date:   Mon Jul 2 16:52:14 2018 +0200
-
-    netfilter: nf_conntrack: resolve clash for matching conntracks
-    
-    This patch enables the clash resolution for NAT (disabled in
-    "590b52e10d41") if clashing conntracks match (i.e. both tuples are equal)
-    and a protocol allows it.
-    
-    The clash might happen for a connections-less protocol (e.g. UDP) when
-    two threads in parallel writes to the same socket and consequent calls
-    to "get_unique_tuple" return the same tuples (incl. reply tuples).
-    
-    In this case it is safe to perform the resolution, as the losing CT
-    describes the same mangling as the winning CT, so no modifications to
-    the packet are needed, and the result of rules traversal for the loser's
-    packet stays valid.
-    
-    Signed-off-by: Martynas Pumputis <martynas(a)weave.works>
-    Signed-off-by: Pablo Neira Ayuso <pablo(a)netfilter.org>
-
-diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
-index 5123e91b1982..4ced7c7102b6 100644
---- a/net/netfilter/nf_conntrack_core.c
-+++ b/net/netfilter/nf_conntrack_core.c
-@@ -632,6 +632,18 @@ nf_ct_key_equal(struct nf_conntrack_tuple_hash *h,
- 	       net_eq(net, nf_ct_net(ct));
- }
- 
-+static inline bool
-+nf_ct_match(const struct nf_conn *ct1, const struct nf_conn *ct2)
-+{
-+	return nf_ct_tuple_equal(&ct1->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
-+				 &ct2->tuplehash[IP_CT_DIR_ORIGINAL].tuple) &&
-+	       nf_ct_tuple_equal(&ct1->tuplehash[IP_CT_DIR_REPLY].tuple,
-+				 &ct2->tuplehash[IP_CT_DIR_REPLY].tuple) &&
-+	       nf_ct_zone_equal(ct1, nf_ct_zone(ct2), IP_CT_DIR_ORIGINAL) &&
-+	       nf_ct_zone_equal(ct1, nf_ct_zone(ct2), IP_CT_DIR_REPLY) &&
-+	       net_eq(nf_ct_net(ct1), nf_ct_net(ct2));
-+}
-+
- /* caller must hold rcu readlock and none of the nf_conntrack_locks */
- static void nf_ct_gc_expired(struct nf_conn *ct)
- {
-@@ -825,19 +837,21 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb,
- 	/* This is the conntrack entry already in hashes that won race. */
- 	struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
- 	const struct nf_conntrack_l4proto *l4proto;
-+	enum ip_conntrack_info oldinfo;
-+	struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo);
- 
- 	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
- 	if (l4proto->allow_clash &&
--	    ((ct->status & IPS_NAT_DONE_MASK) == 0) &&
- 	    !nf_ct_is_dying(ct) &&
- 	    atomic_inc_not_zero(&ct->ct_general.use)) {
--		enum ip_conntrack_info oldinfo;
--		struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo);
--
--		nf_ct_acct_merge(ct, ctinfo, loser_ct);
--		nf_conntrack_put(&loser_ct->ct_general);
--		nf_ct_set(skb, ct, oldinfo);
--		return NF_ACCEPT;
-+		if (((ct->status & IPS_NAT_DONE_MASK) == 0) ||
-+		    nf_ct_match(ct, loser_ct)) {
-+			nf_ct_acct_merge(ct, ctinfo, loser_ct);
-+			nf_conntrack_put(&loser_ct->ct_general);
-+			nf_ct_set(skb, ct, oldinfo);
-+			return NF_ACCEPT;
-+		}
-+		nf_ct_put(ct);
- 	}
- 	NF_CT_STAT_INC(net, drop);
- 	return NF_DROP;


hooks/post-receive
--
IPFire 2.x development tree
