From: Greg Kroah-Hartman
Date: Tue, 20 Nov 2012 19:35:08 +0000 (-0800)
Subject: 3.6-stable patches
X-Git-Tag: v3.0.53~23^2~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8ff1d950bad00a57b89caab7be5b56ce5da5f489;p=thirdparty%2Fkernel%2Fstable-queue.git
3.6-stable patches
added patches:
netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch
netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch
r8169-allow-multicast-packets-on-sub-8168f-chipset.patch
r8169-fix-wol-on-rtl8168d-8111d.patch
---
diff --git a/queue-3.6/netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch b/queue-3.6/netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch
new file mode 100644
index 00000000000..ff936f99812
--- /dev/null
+++ b/queue-3.6/netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch
@@ -0,0 +1,51 @@
+From bbb5823cf742a7e955f35c7d891e4e936944c33a Mon Sep 17 00:00:00 2001
+From: Julian Anastasov
+Date: Tue, 9 Oct 2012 13:00:47 +0000
+Subject: netfilter: nf_conntrack: fix rt_gateway checks for H.323 helper
+
+From: Julian Anastasov
+
+commit bbb5823cf742a7e955f35c7d891e4e936944c33a upstream.
+
+After the change "Adjust semantics of rt->rt_gateway"
+(commit f8126f1d51) we should properly match the nexthop when
+destinations are directly connected because rt_gateway can be 0.
+
+The rt_gateway checks in H.323 helper try to avoid the creation
+of an unnecessary expectation in this call-forwarding case:
+
+http://people.netfilter.org/zhaojingmin/h323_conntrack_nat_helper/#_Toc133598073
+
+However, the existing code fails to avoid that in many cases,
+see this thread:
+
+http://marc.info/?l=linux-netdev&m=135043175028620&w=2
+
+It seems it is not trivial to know from the kernel if two hosts
+have to go through the firewall to communicate each other, which
+is the main point of the call-forwarding filter code to avoid
+creating unnecessary expectations.
+
+So this patch just gets things the way they were as before
+commit f8126f1d51.
+
+Signed-off-by: Julian Anastasov
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_h323_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_h323_main.c
++++ b/net/netfilter/nf_conntrack_h323_main.c
+@@ -733,7 +733,8 @@ static int callforward_do_filter(const u
+ flowi4_to_flowi(&fl1), false)) {
+ if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
+ flowi4_to_flowi(&fl2), false)) {
+- if (rt1->rt_gateway == rt2->rt_gateway &&
++ if (rt_nexthop(rt1, fl1.daddr) ==
++ rt_nexthop(rt2, fl2.daddr) &&
+ rt1->dst.dev == rt2->dst.dev)
+ ret = 1;
+ dst_release(&rt2->dst);
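Review bot: The route lookup for `rt2` that feeds the new `rt_nexthop()` comparison in `callforward_do_filter` is made against `&init_net`, so if this helper runs for a connection in another network namespace the nexthop and device match would be evaluated on the wrong routing table; the commit leaves that unchanged. Because the result decides whether the H.323 helper skips creating an expectation, the lookup should use the namespace of the tracked connection (passed in by the caller) instead of `init_net`, which is worth a follow-up patch. The reason for the change is also only in the commit message, so I would add `/* rt_gateway may be 0 for directly connected destinations; compare the effective nexthop */` above the comparison. The function starts and ends outside the hunk, so the first lookup and any IPv6 branch are not visible here.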
diff --git a/queue-3.6/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch b/queue-3.6/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
new file mode 100644
index 00000000000..d1018ae2575
--- /dev/null
+++ b/queue-3.6/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
@@ -0,0 +1,45 @@
+From 38fe36a248ec3228f8e6507955d7ceb0432d2000 Mon Sep 17 00:00:00 2001
+From: Ulrich Weber
+Date: Thu, 25 Oct 2012 05:34:45 +0000
+Subject: netfilter: nf_nat: don't check for port change on ICMP tuples
+
+From: Ulrich Weber
+
+commit 38fe36a248ec3228f8e6507955d7ceb0432d2000 upstream.
+
+ICMP tuples have id in src and type/code in dst.
+So comparing src.u.all with dst.u.all will always fail here
+and ip_xfrm_me_harder() is called for every ICMP packet,
+even if there was no NAT.
+
+Signed-off-by: Ulrich Weber
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ net/ipv4/netfilter/nf_nat_standalone.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_nat_standalone.c
++++ b/net/ipv4/netfilter/nf_nat_standalone.c
+@@ -194,7 +194,8 @@ nf_nat_out(unsigned int hooknum,
+
+ if ((ct->tuplehash[dir].tuple.src.u3.ip !=
+ ct->tuplehash[!dir].tuple.dst.u3.ip) ||
+- (ct->tuplehash[dir].tuple.src.u.all !=
++ (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++ ct->tuplehash[dir].tuple.src.u.all !=
+ ct->tuplehash[!dir].tuple.dst.u.all)
+ )
+ return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
+@@ -230,7 +231,8 @@ nf_nat_local_fn(unsigned int hooknum,
+ ret = NF_DROP;
+ }
+ #ifdef CONFIG_XFRM
+- else if (ct->tuplehash[dir].tuple.dst.u.all !=
++ else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++ ct->tuplehash[dir].tuple.dst.u.all !=
+ ct->tuplehash[!dir].tuple.src.u.all)
+ if (ip_xfrm_me_harder(skb))
+ ret = NF_DROP;
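Review bot: The new `protonum != IPPROTO_ICMP` guards in `nf_nat_out` and `nf_nat_local_fn` carry no comment, so the reason the `u.all` comparison is skipped is recorded only in the commit message. A one-line comment at both sites would fix that, e.g. `/* ICMP tuples hold id in src and type/code in dst, so u.all never matches across directions */`. As a side effect, if NAT rewrites the ICMP id, that change alone no longer triggers `ip_xfrm_me_harder()` in either hook; this looks intended, but the comment should say so if the IPsec policy re-lookup is meant to ignore it. Both functions start and end outside the inner hunks.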
diff --git a/queue-3.6/netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch b/queue-3.6/netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch
new file mode 100644
index 00000000000..acb842217d6
--- /dev/null
+++ b/queue-3.6/netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch
@@ -0,0 +1,41 @@
+From 2ad5b9e4bd314fc685086b99e90e5de3bc59e26b Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 16 Oct 2012 22:33:29 +0000
+Subject: netfilter: xt_TEE: don't use destination address found in header
+
+From: Eric Dumazet
+
+commit 2ad5b9e4bd314fc685086b99e90e5de3bc59e26b upstream.
+
+Torsten Luettgert bisected TEE regression starting with commit
+f8126f1d5136be1 (ipv4: Adjust semantics of rt->rt_gateway.)
+
+The problem is that it tries to ARP-lookup the original destination
+address of the forwarded packet, not the address of the gateway.
+
+Fix this using FLOWI_FLAG_KNOWN_NH Julian added in commit
+c92b96553a80c1 (ipv4: Add FLOWI_FLAG_KNOWN_NH), so that known
+nexthop (info->gw.ip) has preference on resolving.
+
+Reported-by: Torsten Luettgert
+Bisected-by: Torsten Luettgert
+Tested-by: Torsten Luettgert
+Cc: Julian Anastasov
+Signed-off-by: Eric Dumazet
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/xt_TEE.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/netfilter/xt_TEE.c
++++ b/net/netfilter/xt_TEE.c
+@@ -70,6 +70,7 @@ tee_tg_route4(struct sk_buff *skb, const
+ fl4.daddr = info->gw.ip;
+ fl4.flowi4_tos = RT_TOS(iph->tos);
+ fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
++ fl4.flowi4_flags = FLOWI_FLAG_KNOWN_NH;
+ rt = ip_route_output_key(net, &fl4);
+ if (IS_ERR(rt))
+ return false;
diff --git a/queue-3.6/r8169-allow-multicast-packets-on-sub-8168f-chipset.patch b/queue-3.6/r8169-allow-multicast-packets-on-sub-8168f-chipset.patch
new file mode 100644
index 00000000000..233062ebd0d
--- /dev/null
+++ b/queue-3.6/r8169-allow-multicast-packets-on-sub-8168f-chipset.patch
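Review bot: The added `fl4.flowi4_flags = FLOWI_FLAG_KNOWN_NH;` line in `tee_tg_route4` has no comment, so nothing at the call site explains that the neighbour must be resolved for the configured gateway and not for the cloned packet's own destination. I would add `/* resolve the neighbour for info->gw.ip, not for the packet's original destination */` directly above it, since a regression here sends duplicated traffic toward the wrong host without any error being returned. The function starts and ends outside the hunk, so whether `fl4` is zeroed before these assignments and whether an IPv6 counterpart needs similar treatment cannot be checked from here.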
@@ -0,0 +1,33 @@
+From 0481776b7a70f09acf7d9d97c288c3a8403fbfe4 Mon Sep 17 00:00:00 2001
+From: Nathan Walp
+Date: Thu, 1 Nov 2012 12:08:47 +0000
+Subject: r8169: allow multicast packets on sub-8168f chipset.
+
+From: Nathan Walp
+
+commit 0481776b7a70f09acf7d9d97c288c3a8403fbfe4 upstream.
+
+RTL_GIGA_MAC_VER_35 includes no multicast hardware filter.
+
+Signed-off-by: Nathan Walp
+Suggested-by: Hayes Wang
+Acked-by: Francois Romieu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/realtek/r8169.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -4526,6 +4526,9 @@ static void rtl_set_rx_mode(struct net_d
+ mc_filter[1] = swab32(data);
+ }
+
++ if (tp->mac_version == RTL_GIGA_MAC_VER_35)
++ mc_filter[1] = mc_filter[0] = 0xffffffff;
++
+ RTL_W32(MAR0 + 4, mc_filter[1]);
+ RTL_W32(MAR0 + 0, mc_filter[0]);
+
diff --git a/queue-3.6/r8169-fix-wol-on-rtl8168d-8111d.patch b/queue-3.6/r8169-fix-wol-on-rtl8168d-8111d.patch
new file mode 100644
index 00000000000..83e1df57ad6
--- /dev/null
+++ b/queue-3.6/r8169-fix-wol-on-rtl8168d-8111d.patch
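Review bot: The `RTL_GIGA_MAC_VER_35` override in `rtl_set_rx_mode` is applied after the hash filter has already been computed and carries no comment, so a reader cannot tell that discarding the computed value is deliberate. I would add `/* VER_35 has no multicast hardware filter: open the hash so multicast frames are not dropped by the NIC */` above the `if`. With the filter set to all ones, group filtering for this chip presumably rests entirely on the network stack, which is worth stating in the same comment. The subject line speaks of sub-8168f chipsets while only one MAC version is matched; if other versions share the limitation they are not covered here. The function starts and ends outside the hunk.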
@@ -0,0 +1,41 @@
+From b00e69dee4ccbb3a19989e3d4f1385bc2e3406cd Mon Sep 17 00:00:00 2001
+From: Cyril Brulebois
+Date: Wed, 31 Oct 2012 14:00:46 +0000
+Subject: r8169: Fix WoL on RTL8168d/8111d.
+
+From: Cyril Brulebois
+
+commit b00e69dee4ccbb3a19989e3d4f1385bc2e3406cd upstream.
+
+This regression was spotted between Debian squeeze and Debian wheezy
+kernels (respectively based on 2.6.32 and 3.2). More info about
+Wake-on-LAN issues with Realtek's 816x chipsets can be found in the
+following thread: http://marc.info/?t=132079219400004
+
+Probable regression from d4ed95d796e5126bba51466dc07e287cebc8bd19;
+more chipsets are likely affected.
+
+Tested on top of a 3.2.23 kernel.
+
+Reported-by: Florent Fourcot
+Tested-by: Florent Fourcot
+Hinted-by: Francois Romieu
+Signed-off-by: Cyril Brulebois
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/realtek/r8169.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -3832,6 +3832,8 @@ static void rtl_wol_suspend_quirk(struct
+ void __iomem *ioaddr = tp->mmio_addr;
+
+ switch (tp->mac_version) {
++ case RTL_GIGA_MAC_VER_25:
++ case RTL_GIGA_MAC_VER_26:
+ case RTL_GIGA_MAC_VER_29:
+ case RTL_GIGA_MAC_VER_30:
+ case RTL_GIGA_MAC_VER_32:
diff --git a/queue-3.6/series b/queue-3.6/series
index 71e92eaa4fd..7ce7e13bee2 100644
--- a/queue-3.6/series
+++ b/queue-3.6/series
@@ -44,3 +44,8 @@ r8169-use-unlimited-dma-burst-for-tx.patch
 xen-events-fix-rcu-warning-or-call-idle-notifier-after-irq_enter.patch
 scsi-isci-allow-ssp-tasks-into-the-task-management-path.patch
 tg3-unconditionally-select-hwmon-support-when-tg3-is-enabled.patch
+r8169-fix-wol-on-rtl8168d-8111d.patch
+r8169-allow-multicast-packets-on-sub-8168f-chipset.patch
+netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
+netfilter-xt_tee-don-t-use-destination-address-found-in-header.patch
+netfilter-nf_conntrack-fix-rt_gateway-checks-for-h.323-helper.patch