openwrt/target/linux/brcm2708/patches-4.14/950-0318-netfilter-ip6t_MAS...

From af4dba1b5d3cbd0bc724fca24d3d01d2878406df Mon Sep 17 00:00:00 2001
From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Date: Mon, 11 Dec 2017 18:19:33 +0300
Subject: [PATCH 318/454] netfilter: ip6t_MASQUERADE: add dependency on
 conntrack module

commit 23715275e4fb6f64358a499d20928a9e93819f2f upstream.

After commit 4d3a57f23dec ("netfilter: conntrack: do not enable connection
tracking unless needed") conntrack is disabled by default unless some
module explicitly declares dependency in particular network namespace.

Fixes: a357b3f80bc8 ("netfilter: nat: add dependencies on conntrack module")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/ip6t_MASQUERADE.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/net/ipv6/netfilter/ip6t_MASQUERADE.c
+++ b/net/ipv6/netfilter/ip6t_MASQUERADE.c
@@ -33,13 +33,19 @@ static int masquerade_tg6_checkentry(con
 
 	if (range->flags & NF_NAT_RANGE_MAP_IPS)
 		return -EINVAL;
-	return 0;
+	return nf_ct_netns_get(par->net, par->family);
+}
+
+static void masquerade_tg6_destroy(const struct xt_tgdtor_param *par)
+{
+	nf_ct_netns_put(par->net, par->family);
 }
 
 static struct xt_target masquerade_tg6_reg __read_mostly = {
 	.name		= "MASQUERADE",
 	.family		= NFPROTO_IPV6,
 	.checkentry	= masquerade_tg6_checkentry,
+	.destroy	= masquerade_tg6_destroy,
 	.target		= masquerade_tg6,
 	.targetsize	= sizeof(struct nf_nat_range),
 	.table		= "nat",
brcm2708: add kernel 4.14 support Patch generation process: - rebase rpi/rpi-4.14.y on v4.14.89 from linux-stable - git format-patch v4.14.89 Patches skipped during rebase: - lan78xx: Read MAC address from DT if present - lan78xx: Enable LEDs and auto-negotiation - Revert "softirq: Let ksoftirqd do its job" - sc16is7xx: Fix for multi-channel stall - lan78xx: Ignore DT MAC address if already valid - lan78xx: Simple patch to prevent some crashes - tcp_write_queue_purge clears all the SKBs in the write queue - Revert "lan78xx: Simple patch to prevent some crashes" - lan78xx: Connect phy early - Arm: mm: ftrace: Only set text back to ro after kernel has been marked ro - Revert "Revert "softirq: Let ksoftirqd do its job"" - ASoC: cs4265: SOC_SINGLE register value error fix - Revert "ASoC: cs4265: SOC_SINGLE register value error fix" - Revert "net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends" - Revert "Revert "net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends"" Patches dropped after rebase: - net: Add non-mainline source for rtl8192cu wlan - net: Fix rtl8192cu build errors on other platforms - brcm: adds support for BCM43341 wifi - brcmfmac: Mute expected startup 'errors' - ARM64: Fix build break for RTL8187/RTL8192CU wifi - ARM64: Enable RTL8187/RTL8192CU wifi in build config - This is the driver for Sony CXD2880 DVB-T2/T tuner + demodulator - brcmfmac: add CLM download support - brcmfmac: request_firmware_direct is quieter - Sets the BCDC priority to constant 0 - brcmfmac: Disable ARP offloading when promiscuous - brcmfmac: Avoid possible out-of-bounds read - brcmfmac: Delete redundant length check - net: rtl8192cu: Normalize indentation - net: rtl8192cu: Fix implicit fallthrough warnings - Revert "Sets the BCDC priority to constant 0" - media: cxd2880: Bump to match 4.18.y version - media: cxd2880-spi: Bump to match 4.18.y version - Revert "mm: alloc_contig: re-allow CMA to compact FS pages" - Revert "Revert "mm: alloc_contig: re-allow CMA to compact FS pages"" - cxd2880: CXD2880_SPI_DRV should select DVB_CXD2880 with MEDIA_SUBDRV_AUTOSELECT - 950-0421-HID-hid-bigbenff-driver-for-BigBen-Interactive-PS3OF.patch - 950-0453-Add-hid-bigbenff-to-list-of-have_special_driver-for-.patch Make I2C built-in instead of modular as in upstream defconfig; also the easiest way to get MFD_ARIZONA enabled, which is required by kmod-sound-soc-rpi-cirrus. Add missing compatible strings from 4.9/960-add-rasbperrypi-compatible.patch, using upstream names for compute modules. Add extra patch to enable the LEDs on lan78xx. Compile-tested: bcm2708, bcm2709, bcm2710 (with CONFIG_ALL_KMODS=y) Runtime-tested: bcm2708, bcm2710 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> 6 years ago			`From af4dba1b5d3cbd0bc724fca24d3d01d2878406df Mon Sep 17 00:00:00 2001`
			`From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>`
			`Date: Mon, 11 Dec 2017 18:19:33 +0300`
			`Subject: [PATCH 318/454] netfilter: ip6t_MASQUERADE: add dependency on`
			`conntrack module`

			`commit 23715275e4fb6f64358a499d20928a9e93819f2f upstream.`

			`After commit 4d3a57f23dec ("netfilter: conntrack: do not enable connection`
			`tracking unless needed") conntrack is disabled by default unless some`
			`module explicitly declares dependency in particular network namespace.`

			`Fixes: a357b3f80bc8 ("netfilter: nat: add dependencies on conntrack module")`
			`Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>`
			`Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>`
			`---`
			`net/ipv6/netfilter/ip6t_MASQUERADE.c \| 8 +++++++-`
			`1 file changed, 7 insertions(+), 1 deletion(-)`

			`--- a/net/ipv6/netfilter/ip6t_MASQUERADE.c`
			`+++ b/net/ipv6/netfilter/ip6t_MASQUERADE.c`
			`@@ -33,13 +33,19 @@ static int masquerade_tg6_checkentry(con`

			`if (range->flags & NF_NAT_RANGE_MAP_IPS)`
			`return -EINVAL;`
			`- return 0;`
			`+ return nf_ct_netns_get(par->net, par->family);`
			`+}`
			`+`
			`+static void masquerade_tg6_destroy(const struct xt_tgdtor_param *par)`
			`+{`
			`+ nf_ct_netns_put(par->net, par->family);`
			`}`

			`static struct xt_target masquerade_tg6_reg __read_mostly = {`
			`.name = "MASQUERADE",`
			`.family = NFPROTO_IPV6,`
			`.checkentry = masquerade_tg6_checkentry,`
			`+ .destroy = masquerade_tg6_destroy,`
			`.target = masquerade_tg6,`
			`.targetsize = sizeof(struct nf_nat_range),`
			`.table = "nat",`