kernel: update to 4.14.173 core142 master v2.25-core142
authorArne Fitzenreiter <arne_f@ipfire.org>
Wed, 11 Mar 2020 21:59:38 +0000 (22:59 +0100)
committerArne Fitzenreiter <arne_f@ipfire.org>
Wed, 11 Mar 2020 21:59:38 +0000 (22:59 +0100)
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
lfs/linux
src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch [deleted file]

index 9db2efb..4d24752 100644 (file)
--- a/lfs/linux
+++ b/lfs/linux
@@ -24,8 +24,8 @@
 
 include Config
 
-VER         = 4.14.171
-ARM_PATCHES = 4.14.171-ipfire0
+VER         = 4.14.173
+ARM_PATCHES = 4.14.173-ipfire0
 
 THISAPP    = linux-$(VER)
 DL_FILE    = linux-$(VER).tar.xz
@@ -34,7 +34,7 @@ DIR_APP    = $(DIR_SRC)/$(THISAPP)
 CFLAGS     =
 CXXFLAGS   =
 
-PAK_VER    = 93
+PAK_VER    = 94
 DEPS      = ""
 
 HEADERS_ARCH  = $(BUILD_PLATFORM)
@@ -82,8 +82,8 @@ objects =$(DL_FILE) \
 $(DL_FILE)                                     = $(URL_IPFIRE)/$(DL_FILE)
 arm-multi-patches-$(ARM_PATCHES).patch.xz      = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
 
-$(DL_FILE)_MD5                                 = b9b2c64eb3ae7fa6023d2b8c981b5ac4
-arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5  = f1d5d1dcb1d60c6f8476938070a65112
+$(DL_FILE)_MD5                                 = 450adc5d8dc77bd2d89a4d7098f0abac
+arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5  = 3072dd813363b20361f80ecc748a1084
 
 install : $(TARGET)
 
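Review bot: The new pins on the `$(DL_FILE)_MD5` and `arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5` lines appear to be the only integrity check on the kernel tarball and the ARM patch set, and MD5 is not collision-resistant, which makes it a weak supply-chain pin for kernel source. The rule that consumes these variables is outside this hunk, so this is inferred from the variable names; if the shared download rules compare only MD5, consider adding support for a SHA-256 or stronger digest and pinning that as well. Independently of the digest, the commit description could record how the new tarball was validated before pinning, for example `Tarball checked against kernel.org's signed sha256sums.asc.`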
@@ -143,9 +143,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        # Fix uevent PHYSDEVDRIVER
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-2.6.32.27_mcs7830-fix-driver-name.patch
 
-       # Fix for netfilter nf_conntrack: resolve clash for matching conntracks
-       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch
-
 ifeq "$(KCFG)" "-kirkwood"
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux/linux-4.14.40-kirkwood-dtb.patch
 endif
diff --git a/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch b/src/patches/linux/linux-5.0-netfilter-conntrack-resolve-clash.patch
deleted file mode 100644 (file)
index 914cd06..0000000
+++ /dev/null
@@ -1,75 +0,0 @@
-commit ed07d9a021df6da53456663a76999189badc432a
-Author: Martynas Pumputis <martynas@weave.works>
-Date:   Mon Jul 2 16:52:14 2018 +0200
-
-    netfilter: nf_conntrack: resolve clash for matching conntracks
-    
-    This patch enables the clash resolution for NAT (disabled in
-    "590b52e10d41") if clashing conntracks match (i.e. both tuples are equal)
-    and a protocol allows it.
-    
-    The clash might happen for a connections-less protocol (e.g. UDP) when
-    two threads in parallel writes to the same socket and consequent calls
-    to "get_unique_tuple" return the same tuples (incl. reply tuples).
-    
-    In this case it is safe to perform the resolution, as the losing CT
-    describes the same mangling as the winning CT, so no modifications to
-    the packet are needed, and the result of rules traversal for the loser's
-    packet stays valid.
-    
-    Signed-off-by: Martynas Pumputis <martynas@weave.works>
-    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
-diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
-index 5123e91b1982..4ced7c7102b6 100644
---- a/net/netfilter/nf_conntrack_core.c
-+++ b/net/netfilter/nf_conntrack_core.c
-@@ -632,6 +632,18 @@ nf_ct_key_equal(struct nf_conntrack_tuple_hash *h,
-              net_eq(net, nf_ct_net(ct));
- }
-+static inline bool
-+nf_ct_match(const struct nf_conn *ct1, const struct nf_conn *ct2)
-+{
-+      return nf_ct_tuple_equal(&ct1->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
-+                               &ct2->tuplehash[IP_CT_DIR_ORIGINAL].tuple) &&
-+             nf_ct_tuple_equal(&ct1->tuplehash[IP_CT_DIR_REPLY].tuple,
-+                               &ct2->tuplehash[IP_CT_DIR_REPLY].tuple) &&
-+             nf_ct_zone_equal(ct1, nf_ct_zone(ct2), IP_CT_DIR_ORIGINAL) &&
-+             nf_ct_zone_equal(ct1, nf_ct_zone(ct2), IP_CT_DIR_REPLY) &&
-+             net_eq(nf_ct_net(ct1), nf_ct_net(ct2));
-+}
-+
- /* caller must hold rcu readlock and none of the nf_conntrack_locks */
- static void nf_ct_gc_expired(struct nf_conn *ct)
- {
-@@ -825,19 +837,21 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb,
-       /* This is the conntrack entry already in hashes that won race. */
-       struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
-       const struct nf_conntrack_l4proto *l4proto;
-+      enum ip_conntrack_info oldinfo;
-+      struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo);
-       l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
-       if (l4proto->allow_clash &&
--          ((ct->status & IPS_NAT_DONE_MASK) == 0) &&
-           !nf_ct_is_dying(ct) &&
-           atomic_inc_not_zero(&ct->ct_general.use)) {
--              enum ip_conntrack_info oldinfo;
--              struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo);
--
--              nf_ct_acct_merge(ct, ctinfo, loser_ct);
--              nf_conntrack_put(&loser_ct->ct_general);
--              nf_ct_set(skb, ct, oldinfo);
--              return NF_ACCEPT;
-+              if (((ct->status & IPS_NAT_DONE_MASK) == 0) ||
-+                  nf_ct_match(ct, loser_ct)) {
-+                      nf_ct_acct_merge(ct, ctinfo, loser_ct);
-+                      nf_conntrack_put(&loser_ct->ct_general);
-+                      nf_ct_set(skb, ct, oldinfo);
-+                      return NF_ACCEPT;
-+              }
-+              nf_ct_put(ct);
-       }
-       NF_CT_STAT_INC(net, drop);
-       return NF_DROP;