3.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 20 Nov 2012 19:35:08 +0000 (11:35 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 20 Nov 2012 19:35:08 +0000 (11:35 -0800)
added patches:
netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch
netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch
r8169-allow-multicast-packets-on-sub-8168f-chipset.patch
r8169-fix-wol-on-rtl8168d-8111d.patch

queue-3.6/netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch [new file with mode: 0644]
queue-3.6/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch [new file with mode: 0644]
queue-3.6/netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch [new file with mode: 0644]
queue-3.6/r8169-allow-multicast-packets-on-sub-8168f-chipset.patch [new file with mode: 0644]
queue-3.6/r8169-fix-wol-on-rtl8168d-8111d.patch [new file with mode: 0644]
queue-3.6/series

diff --git a/queue-3.6/netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch b/queue-3.6/netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch
new file mode 100644 (file)
index 0000000..ff936f9
--- /dev/null
@@ -0,0 +1,51 @@
+From bbb5823cf742a7e955f35c7d891e4e936944c33a Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Tue, 9 Oct 2012 13:00:47 +0000
+Subject: netfilter: nf_conntrack: fix rt_gateway checks for H.323 helper
+
+From: Julian Anastasov <ja@ssi.bg>
+
+commit bbb5823cf742a7e955f35c7d891e4e936944c33a upstream.
+
+After the change "Adjust semantics of rt->rt_gateway"
+(commit f8126f1d51) we should properly match the nexthop when
+destinations are directly connected because rt_gateway can be 0.
+
+The rt_gateway checks in H.323 helper try to avoid the creation
+of an unnecessary expectation in this call-forwarding case:
+
+http://people.netfilter.org/zhaojingmin/h323_conntrack_nat_helper/#_Toc133598073
+
+However, the existing code fails to avoid that in many cases,
+see this thread:
+
+http://marc.info/?l=linux-netdev&m=135043175028620&w=2
+
+It seems it is not trivial to know from the kernel if two hosts
+have to go through the firewall to communicate each other, which
+is the main point of the call-forwarding filter code to avoid
+creating unnecessary expectations.
+
+So this patch just gets things the way they were as before
+commit f8126f1d51.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_h323_main.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_h323_main.c
++++ b/net/netfilter/nf_conntrack_h323_main.c
+@@ -733,7 +733,8 @@ static int callforward_do_filter(const u
+                                  flowi4_to_flowi(&fl1), false)) {
+                       if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
+                                          flowi4_to_flowi(&fl2), false)) {
+-                              if (rt1->rt_gateway == rt2->rt_gateway &&
++                              if (rt_nexthop(rt1, fl1.daddr) ==
++                                  rt_nexthop(rt2, fl2.daddr) &&
+                                   rt1->dst.dev  == rt2->dst.dev)
+                                       ret = 1;
+                               dst_release(&rt2->dst);
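Review bot: The new comparison in callforward_do_filter depends on rt_nexthop() falling back to the destination address it is given when rt_gateway is 0, and nothing at the call site says so. For two directly connected hosts the nexthops are then the hosts' own addresses, so they differ and ret stays 0. According to the commit message this result decides whether the helper avoids creating an expectation, so the behaviour deserves a comment above the `if`, for example `/* rt_nexthop() yields daddr for on-link routes: only peers behind the same gateway and device match */`. The function starts and ends outside the hunk, so how ret is consumed is inferred rather than visible.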
diff --git a/queue-3.6/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch b/queue-3.6/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
new file mode 100644 (file)
index 0000000..d1018ae
--- /dev/null
@@ -0,0 +1,45 @@
+From 38fe36a248ec3228f8e6507955d7ceb0432d2000 Mon Sep 17 00:00:00 2001
+From: Ulrich Weber <ulrich.weber@sophos.com>
+Date: Thu, 25 Oct 2012 05:34:45 +0000
+Subject: netfilter: nf_nat: don't check for port change on ICMP tuples
+
+From: Ulrich Weber <ulrich.weber@sophos.com>
+
+commit 38fe36a248ec3228f8e6507955d7ceb0432d2000 upstream.
+
+ICMP tuples have id in src and type/code in dst.
+So comparing src.u.all with dst.u.all will always fail here
+and ip_xfrm_me_harder() is called for every ICMP packet,
+even if there was no NAT.
+
+Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ net/ipv4/netfilter/nf_nat_standalone.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_nat_standalone.c
++++ b/net/ipv4/netfilter/nf_nat_standalone.c
+@@ -194,7 +194,8 @@ nf_nat_out(unsigned int hooknum,
+               if ((ct->tuplehash[dir].tuple.src.u3.ip !=
+                    ct->tuplehash[!dir].tuple.dst.u3.ip) ||
+-                  (ct->tuplehash[dir].tuple.src.u.all !=
++                  (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++                   ct->tuplehash[dir].tuple.src.u.all !=
+                    ct->tuplehash[!dir].tuple.dst.u.all)
+                  )
+                       return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
+@@ -230,7 +231,8 @@ nf_nat_local_fn(unsigned int hooknum,
+                               ret = NF_DROP;
+               }
+ #ifdef CONFIG_XFRM
+-              else if (ct->tuplehash[dir].tuple.dst.u.all !=
++              else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++                       ct->tuplehash[dir].tuple.dst.u.all !=
+                        ct->tuplehash[!dir].tuple.src.u.all)
+                       if (ip_xfrm_me_harder(skb))
+                               ret = NF_DROP;
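Review bot: The ICMP exemption is open-coded twice, in nf_nat_out and again in nf_nat_local_fn, and neither copy says why ICMP is skipped. A short comment at both sites would carry the reasoning from the commit message, e.g. `/* ICMP: src.u holds the id, dst.u the type/code, so they never compare equal */`. In nf_nat_local_fn the unbraced `else if (...)` now spans three lines before a nested unbraced `if`; bracing the outer branch would make the pairing with any later `else` unambiguous. Because this comparison gates the ip_xfrm_me_harder() re-lookup, it is also worth confirming that an ICMP id rewritten by NAT never needs that re-lookup, which the hunk does not show. Both functions continue outside the hunk.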
diff --git a/queue-3.6/netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch b/queue-3.6/netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch
new file mode 100644 (file)
index 0000000..acb8422
--- /dev/null
@@ -0,0 +1,41 @@
+From 2ad5b9e4bd314fc685086b99e90e5de3bc59e26b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Tue, 16 Oct 2012 22:33:29 +0000
+Subject: netfilter: xt_TEE: don't use destination address found in header
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 2ad5b9e4bd314fc685086b99e90e5de3bc59e26b upstream.
+
+Torsten Luettgert bisected TEE regression starting with commit
+f8126f1d5136be1 (ipv4: Adjust semantics of rt->rt_gateway.)
+
+The problem is that it tries to ARP-lookup the original destination
+address of the forwarded packet, not the address of the gateway.
+
+Fix this using FLOWI_FLAG_KNOWN_NH Julian added in commit
+c92b96553a80c1 (ipv4: Add FLOWI_FLAG_KNOWN_NH), so that known
+nexthop (info->gw.ip) has preference on resolving.
+
+Reported-by: Torsten Luettgert <ml-netfilter@enda.eu>
+Bisected-by: Torsten Luettgert <ml-netfilter@enda.eu>
+Tested-by: Torsten Luettgert <ml-netfilter@enda.eu>
+Cc: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_TEE.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/xt_TEE.c
++++ b/net/netfilter/xt_TEE.c
+@@ -70,6 +70,7 @@ tee_tg_route4(struct sk_buff *skb, const
+       fl4.daddr = info->gw.ip;
+       fl4.flowi4_tos = RT_TOS(iph->tos);
+       fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
++      fl4.flowi4_flags = FLOWI_FLAG_KNOWN_NH;
+       rt = ip_route_output_key(net, &fl4);
+       if (IS_ERR(rt))
+               return false;
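Review bot: The added `fl4.flowi4_flags = FLOWI_FLAG_KNOWN_NH;` in tee_tg_route4 has no comment, and the flag name alone does not tell a reader that it is what makes the clone resolve the neighbour for info->gw.ip instead of the packet's own destination. I would add `/* nexthop is the configured TEE gateway; do not resolve the header daddr */` above it. The plain assignment is safe only if fl4 is zeroed earlier in the function, which lies outside the hunk. Where TEE feeds a monitoring host, the pre-fix behaviour described in the commit message means mirrored packets may not have reached it, so kernels without this patch are a possible gap in captured traffic.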
diff --git a/queue-3.6/r8169-allow-multicast-packets-on-sub-8168f-chipset.patch b/queue-3.6/r8169-allow-multicast-packets-on-sub-8168f-chipset.patch
new file mode 100644 (file)
index 0000000..233062e
--- /dev/null
@@ -0,0 +1,33 @@
+From 0481776b7a70f09acf7d9d97c288c3a8403fbfe4 Mon Sep 17 00:00:00 2001
+From: Nathan Walp <faceprint@faceprint.com>
+Date: Thu, 1 Nov 2012 12:08:47 +0000
+Subject: r8169: allow multicast packets on sub-8168f chipset.
+
+From: Nathan Walp <faceprint@faceprint.com>
+
+commit 0481776b7a70f09acf7d9d97c288c3a8403fbfe4 upstream.
+
+RTL_GIGA_MAC_VER_35 includes no multicast hardware filter.
+
+Signed-off-by: Nathan Walp <faceprint@faceprint.com>
+Suggested-by: Hayes Wang <hayeswang@realtek.com>
+Acked-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/realtek/r8169.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -4526,6 +4526,9 @@ static void rtl_set_rx_mode(struct net_d
+               mc_filter[1] = swab32(data);
+       }
++      if (tp->mac_version == RTL_GIGA_MAC_VER_35)
++              mc_filter[1] = mc_filter[0] = 0xffffffff;
++
+       RTL_W32(MAR0 + 4, mc_filter[1]);
+       RTL_W32(MAR0 + 0, mc_filter[0]);
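Review bot: The override for RTL_GIGA_MAC_VER_35 in rtl_set_rx_mode discards whatever filter value was computed above it, and no comment explains why. Something like `/* no multicast hash filter on this chip: accept all, the stack filters */` would record the reason given in the commit message. With both words set to 0xffffffff, presumably every multicast frame on the segment reaches the host whenever multicast reception is enabled, which is worth knowing when assessing the interface's exposure. The function starts outside the hunk, so the branches that fill mc_filter are not visible here.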
diff --git a/queue-3.6/r8169-fix-wol-on-rtl8168d-8111d.patch b/queue-3.6/r8169-fix-wol-on-rtl8168d-8111d.patch
new file mode 100644 (file)
index 0000000..83e1df5
--- /dev/null
@@ -0,0 +1,41 @@
+From b00e69dee4ccbb3a19989e3d4f1385bc2e3406cd Mon Sep 17 00:00:00 2001
+From: Cyril Brulebois <kibi@debian.org>
+Date: Wed, 31 Oct 2012 14:00:46 +0000
+Subject: r8169: Fix WoL on RTL8168d/8111d.
+
+From: Cyril Brulebois <kibi@debian.org>
+
+commit b00e69dee4ccbb3a19989e3d4f1385bc2e3406cd upstream.
+
+This regression was spotted between Debian squeeze and Debian wheezy
+kernels (respectively based on 2.6.32 and 3.2). More info about
+Wake-on-LAN issues with Realtek's 816x chipsets can be found in the
+following thread: http://marc.info/?t=132079219400004
+
+Probable regression from d4ed95d796e5126bba51466dc07e287cebc8bd19;
+more chipsets are likely affected.
+
+Tested on top of a 3.2.23 kernel.
+
+Reported-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
+Tested-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
+Hinted-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: Cyril Brulebois <kibi@debian.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/realtek/r8169.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -3832,6 +3832,8 @@ static void rtl_wol_suspend_quirk(struct
+       void __iomem *ioaddr = tp->mmio_addr;
+       switch (tp->mac_version) {
++      case RTL_GIGA_MAC_VER_25:
++      case RTL_GIGA_MAC_VER_26:
+       case RTL_GIGA_MAC_VER_29:
+       case RTL_GIGA_MAC_VER_30:
+       case RTL_GIGA_MAC_VER_32:
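Review bot: The two new labels in rtl_wol_suspend_quirk are bare version numbers, and their link to RTL8168d/8111d exists only in the subject line. A trailing comment such as `case RTL_GIGA_MAC_VER_25: /* RTL8168d/8111d, per commit subject */` would keep that in the code. The commit message says more chipsets are likely affected, so the list may still be incomplete; the switch body is outside the hunk.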
index 71e92eaa4fd90082189da514fecf8a73f9b06c7d..7ce7e13bee29efb10e760e65f55d1703b39cf9a7 100644 (file)
@@ -44,3 +44,8 @@ r8169-use-unlimited-dma-burst-for-tx.patch
 xen-events-fix-rcu-warning-or-call-idle-notifier-after-irq_enter.patch
 scsi-isci-allow-ssp-tasks-into-the-task-management-path.patch
 tg3-unconditionally-select-hwmon-support-when-tg3-is-enabled.patch
+r8169-fix-wol-on-rtl8168d-8111d.patch
+r8169-allow-multicast-packets-on-sub-8168f-chipset.patch
+netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
+netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch
+netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch