Re: [PATCH v2] netfilter: Replace HTTP links with HTTPS ones

2020-07-29 Thread Pablo Neira Ayuso
On Sat, Jul 25, 2020 at 07:02:25PM +0200, Alexander A. Klimov wrote:
> Rationale:
> Reduces attack surface on kernel devs opening the links for MITM
> as HTTPS traffic is much harder to manipulate.

Applied.


[PATCH v2] netfilter: Replace HTTP links with HTTPS ones

2020-07-25 Thread Alexander A. Klimov
Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.

Deterministic algorithm:
For each file:
  If not .svg:
    For each line:
      If doesn't contain `\bxmlns\b`:
        For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
          If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
            If both the HTTP and HTTPS versions
            return 200 OK and serve the same content:
              Replace HTTP with HTTPS.

Signed-off-by: Alexander A. Klimov 
---
 v2: Included other netfilter patch.

 include/uapi/linux/netfilter/xt_connmark.h | 2 +-
 net/decnet/netfilter/dn_rtmsg.c            | 2 +-
 net/netfilter/Kconfig                      | 2 +-
 net/netfilter/nfnetlink_acct.c             | 2 +-
 net/netfilter/nft_set_pipapo.c             | 4 ++--
 net/netfilter/xt_CONNSECMARK.c             | 2 +-
 net/netfilter/xt_connmark.c                | 2 +-
 net/netfilter/xt_nfacct.c                  | 2 +-
 net/netfilter/xt_time.c                    | 2 +-
 9 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/include/uapi/linux/netfilter/xt_connmark.h 
b/include/uapi/linux/netfilter/xt_connmark.h
index 1aa5c955ee1e..f01c19b83a2b 100644
--- a/include/uapi/linux/netfilter/xt_connmark.h
+++ b/include/uapi/linux/netfilter/xt_connmark.h
@@ -4,7 +4,7 @@
 
 #include 
 
-/* Copyright (C) 2002,2004 MARA Systems AB 
+/* Copyright (C) 2002,2004 MARA Systems AB 
  * by Henrik Nordstrom 
  *
  * This program is free software; you can redistribute it and/or modify
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index dc705769acc9..26a9193df783 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -6,7 +6,7 @@
  *
  *  DECnet Routing Message Grabulator
  *
- *  (C) 2000 ChyGwyn Limited  -  http://www.chygwyn.com/
+ *  (C) 2000 ChyGwyn Limited  -  https://www.chygwyn.com/
  *
  * Author:  Steven Whitehouse 
  */
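Review bot: the changelog does not say how "serve the same content" was decided for the link on the `+` line, and that matters for a site root such as `https://www.chygwyn.com/`, where two fetches of a homepage may not be byte-identical. Please state in the commit message what was compared (raw body, with or without following redirects) so the check can be repeated.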
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 0ffe2b8723c4..25313c29d799 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -447,7 +447,7 @@ config NF_TABLES
  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
  provides a pseudo-state machine with an extensible instruction-set
  (also known as expressions) that the userspace 'nft' utility
- (http://www.netfilter.org/projects/nftables) uses to build the
+ (https://www.netfilter.org/projects/nftables) uses to build the
  rule-set. It also comes with the generic set infrastructure that
  allows you to construct mappings between matchings and actions
  for performance lookups.
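Review bot: the `+` line is in the NF_TABLES help text, which users configuring a kernel read, while the rationale in the changelog only mentions kernel devs opening links. Worth a sentence in the commit message that user-visible Kconfig help is covered too, since this is a user-facing string rather than a source comment.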
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index 5827117f2635..5bfec829c12f 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * (C) 2011 Pablo Neira Ayuso 
- * (C) 2011 Intra2net AG 
+ * (C) 2011 Intra2net AG 
  */
 #include 
 #include 
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 8c04388296b0..78070aa65f62 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -312,7 +312,7 @@
  *  Jay Ligatti, Josh Kuhn, and Chris Gage.
  *  Proceedings of the IEEE International Conference on Computer
  *  Communication Networks (ICCCN), August 2010.
- *  http://www.cse.usf.edu/~ligatti/papers/grouper-conf.pdf
+ *  https://www.cse.usf.edu/~ligatti/papers/grouper-conf.pdf
  *
  * [Rottenstreich 2010]
  *  Worst-Case TCAM Rule Expansion
@@ -325,7 +325,7 @@
  *  Kirill Kogan, Sergey Nikolenko, Ori Rottenstreich, William Culhane,
  *  and Patrick Eugster.
  *  Proceedings of the 2014 ACM conference on SIGCOMM, August 2014.
- *  
http://www.sigcomm.org/sites/default/files/ccr/papers/2014/August/2619239-2626294.pdf
+ *  
https://www.sigcomm.org/sites/default/files/ccr/papers/2014/August/2619239-2626294.pdf
  */
 
 #include 
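Review bot: on both the `-` and the `+` side the sigcomm.org URL appears on a line of its own, detached from its ` *  ` comment prefix, which is what a wrapped mail looks like. Please confirm the message was sent with line wrapping off so that the long URL stays on the same line as the prefix; a wrapped hunk does not match the file and will not apply.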
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index a5c8b653476a..76acecf3e757 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -6,7 +6,7 @@
  * with the SECMARK target and state match.
  *
  * Based somewhat on CONNMARK:
- *   Copyright (C) 2002,2004 MARA Systems AB 
+ *   Copyright (C) 2002,2004 MARA Systems AB 
  *by Henrik Nordstrom 
  *
  * (C) 2006,2008 Red Hat, Inc., James Morris 
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index eec2f3a88d73..e5ebc0810675 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -2,7 +2,7 @@
 /*
  * xt_connmark - Netfilter module to operat
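
The "Deterministic algorithm" from the commit message, written out as an added Python example; this is not the author's script. The `fetch` callback, the `FAKE_WEB` table and the reading of "same content" as byte-equal bodies are assumptions, and the sample URLs other than the nftables one are constructed.

```python
import re

# Patterns copied from the commit message's "Deterministic algorithm".
LINK = re.compile(r"\bhttp://[^# \t\r\n]*(?:\w|/)")
XMLNS = re.compile(r"\bxmlns\b")
KEEP = re.compile(r"\bgnu\.org/license|\bmozilla\.org/MPL\b")


def upgrade_line(line, fetch):
    """Rewrite http:// links in one line; fetch(url) -> (status, body)."""
    if XMLNS.search(line):          # XML namespace URIs are identifiers, not links
        return line

    def repl(m):
        url = m.group(0)
        if KEEP.search(url):        # licence URLs stay verbatim
            return url
        https = "https://" + url[len("http://"):]
        try:
            old, new = fetch(url), fetch(https)
        except OSError:             # TLS or connection failure: leave the link alone
            return url
        # Assumption: "same content" means byte-identical response bodies.
        same = old[0] == new[0] == 200 and old[1] == new[1]
        return https if same else url

    return LINK.sub(repl, line)


def upgrade_file(name, text, fetch):
    """Apply the per-line rule to a whole file, skipping .svg files."""
    if name.endswith(".svg"):
        return text
    return "".join(upgrade_line(l, fetch) for l in text.splitlines(keepends=True))


# Constructed stand-in for the network: url -> (status, body).
FAKE_WEB = {
    "http://www.netfilter.org/projects/nftables": (200, b"nft"),
    "https://www.netfilter.org/projects/nftables": (200, b"nft"),
    "http://plain.example/": (200, b"a"),
    "https://plain.example/": (200, b"b"),      # different content: no rewrite
}


def fake_fetch(url):
    if url not in FAKE_WEB:
        raise OSError("unreachable: " + url)
    return FAKE_WEB[url]
```

A real `fetch` would need certificate verification left on, otherwise the HTTPS response being compared proves nothing about the site serving valid TLS.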