Re: [linux-yocto] [yocto-kernel-cache][yocto-5.10][PATCH v2] nf: drop merged patch

2021-08-22 Thread Bruce Ashfield 
merged.

Bruce

In message: [linux-yocto] [yocto-kernel-cache][yocto-5.10][PATCH v2] nf: drop 
merged patch
on 20/08/2021 Naveen Saini wrote:

> From: Bruce Ashfield 
> 
> Ref:
> https://github.com/torvalds/linux/commit/5d1549847c76b1ffcf8e388ef4d0f229bdd1d7e8
> https://git.yoctoproject.org/cgit/cgit.cgi/yocto-kernel-cache/commit/?h=yocto-5.13=b085ea380cfe6101f56665de6b2362b66fcef9eb
> 
> Signed-off-by: Bruce Ashfield 
> Signed-off-by: Naveen Saini 
> ---
>  features/net/net.scc  |  1 -
>  ...emainder-of-pseudo-header-protocol-0.patch | 92 ---
>  2 files changed, 93 deletions(-)
>  delete mode 100644 
> features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> 
> diff --git a/features/net/net.scc b/features/net/net.scc
> index a907e016..606aaa91 100644
> --- a/features/net/net.scc
> +++ b/features/net/net.scc
> @@ -1,4 +1,3 @@
>  # SPDX-License-Identifier: MIT
>  
>  kconf hardware net.cfg
> -patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> diff --git 
> a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch 
> b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> deleted file mode 100644
> index d1fdbf98..
> --- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
> +++ /dev/null
> @@ -1,92 +0,0 @@
> -From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
> -From: He Zhe 
> -Date: Tue, 25 Jun 2019 18:15:50 +0800
> -Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Since v5.1-rc1, some types of packets do not get unreachable reply with the
> -following iptables setting. Fox example,
> -
> -$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
> -$ ping 127.0.0.1 -c 1
> -PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
> -— 127.0.0.1 ping statistics —
> -1 packets transmitted, 0 received, 100% packet loss, time 0ms
> -
> -We should have got the following reply from command line, but we did not.
> -From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
> -
> -Yi Zhao reported it and narrowed it down to:
> -7fc38225363d ("netfilter: reject: skip csum verification for protocols that 
> don't support it"),
> -
> -This is because nf_ip_checksum still expects pseudo-header protocol type 0 
> for
> -packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
> -treated as TCP/UDP.
> -
> -This patch corrects the conditions in nf_ip_checksum and all other places 
> that
> -still call it with protocol 0.
> -
> -Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for 
> protocols that don't support it")
> -Reported-by: Yi Zhao 
> -Signed-off-by: He Zhe 
> -Signed-off-by: Bruce Ashfield 
> 
> - net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
> - net/netfilter/nf_nat_proto.c| 2 +-
> - net/netfilter/utils.c   | 5 +++--
> - 3 files changed, 5 insertions(+), 4 deletions(-)
> -
> -diff --git a/net/netfilter/nf_conntrack_proto_icmp.c 
> b/net/netfilter/nf_conntrack_proto_icmp.c
> -index a824367ed518..dd53e2b20f6b 100644
>  a/net/netfilter/nf_conntrack_proto_icmp.c
> -+++ b/net/netfilter/nf_conntrack_proto_icmp.c
> -@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
> - /* See ip_conntrack_proto_tcp.c */
> - if (state->net->ct.sysctl_checksum &&
> - state->hook == NF_INET_PRE_ROUTING &&
> --nf_ip_checksum(skb, state->hook, dataoff, 0)) {
> -+nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
> - icmp_error_log(skb, state, "bad hw icmp checksum");
> - return -NF_ACCEPT;
> - }
> -diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
> -index 07da07788f6b..83a24cc5753b 100644
>  a/net/netfilter/nf_nat_proto.c
> -+++ b/net/netfilter/nf_nat_proto.c
> -@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
> - 
> - if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
> - return 0;
> --if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
> -+if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
> - return 0;
> - 
> - inside = (void *)skb->data + hdrlen;
> -diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
> -index 06dc55590441..51b454d8fa9c 100644
>  a/net/netfilter/utils.c
> -+++ b/net/netfilter/utils.c
> -@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
> hook,
> - case CHECKSUM_COMPLETE:
> -

[linux-yocto] [yocto-kernel-cache][yocto-5.10][PATCH v2] nf: drop merged patch

2021-08-19 Thread Naveen Saini 
From: Bruce Ashfield 

Ref:
https://github.com/torvalds/linux/commit/5d1549847c76b1ffcf8e388ef4d0f229bdd1d7e8
https://git.yoctoproject.org/cgit/cgit.cgi/yocto-kernel-cache/commit/?h=yocto-5.13=b085ea380cfe6101f56665de6b2362b66fcef9eb

Signed-off-by: Bruce Ashfield 
Signed-off-by: Naveen Saini 
---
 features/net/net.scc  |  1 -
 ...emainder-of-pseudo-header-protocol-0.patch | 92 ---
 2 files changed, 93 deletions(-)
 delete mode 100644 
features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch

diff --git a/features/net/net.scc b/features/net/net.scc
index a907e016..606aaa91 100644
--- a/features/net/net.scc
+++ b/features/net/net.scc
@@ -1,4 +1,3 @@
 # SPDX-License-Identifier: MIT
 
 kconf hardware net.cfg
-patch netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
diff --git 
a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch 
b/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
deleted file mode 100644
index d1fdbf98..
--- a/features/net/netfilter-Fix-remainder-of-pseudo-header-protocol-0.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From b383959122e464ccdc21f6b37af88152d29cdf95 Mon Sep 17 00:00:00 2001
-From: He Zhe 
-Date: Tue, 25 Jun 2019 18:15:50 +0800
-Subject: [PATCH] netfilter: Fix remainder of pseudo-header protocol 0
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Since v5.1-rc1, some types of packets do not get unreachable reply with the
-following iptables setting. Fox example,
-
-$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
-$ ping 127.0.0.1 -c 1
-PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
-— 127.0.0.1 ping statistics —
-1 packets transmitted, 0 received, 100% packet loss, time 0ms
-
-We should have got the following reply from command line, but we did not.
-From 127.0.0.1 icmp_seq=1 Destination Port Unreachable
-
-Yi Zhao reported it and narrowed it down to:
-7fc38225363d ("netfilter: reject: skip csum verification for protocols that 
don't support it"),
-
-This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
-packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
-treated as TCP/UDP.
-
-This patch corrects the conditions in nf_ip_checksum and all other places that
-still call it with protocol 0.
-
-Fixes: 7fc38225363d ("netfilter: reject: skip csum verification for protocols 
that don't support it")
-Reported-by: Yi Zhao 
-Signed-off-by: He Zhe 
-Signed-off-by: Bruce Ashfield 

- net/netfilter/nf_conntrack_proto_icmp.c | 2 +-
- net/netfilter/nf_nat_proto.c| 2 +-
- net/netfilter/utils.c   | 5 +++--
- 3 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/net/netfilter/nf_conntrack_proto_icmp.c 
b/net/netfilter/nf_conntrack_proto_icmp.c
-index a824367ed518..dd53e2b20f6b 100644
 a/net/netfilter/nf_conntrack_proto_icmp.c
-+++ b/net/netfilter/nf_conntrack_proto_icmp.c
-@@ -218,7 +218,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
-   /* See ip_conntrack_proto_tcp.c */
-   if (state->net->ct.sysctl_checksum &&
-   state->hook == NF_INET_PRE_ROUTING &&
--  nf_ip_checksum(skb, state->hook, dataoff, 0)) {
-+  nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
-   icmp_error_log(skb, state, "bad hw icmp checksum");
-   return -NF_ACCEPT;
-   }
-diff --git a/net/netfilter/nf_nat_proto.c b/net/netfilter/nf_nat_proto.c
-index 07da07788f6b..83a24cc5753b 100644
 a/net/netfilter/nf_nat_proto.c
-+++ b/net/netfilter/nf_nat_proto.c
-@@ -564,7 +564,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
- 
-   if (!skb_make_writable(skb, hdrlen + sizeof(*inside)))
-   return 0;
--  if (nf_ip_checksum(skb, hooknum, hdrlen, 0))
-+  if (nf_ip_checksum(skb, hooknum, hdrlen, IPPROTO_ICMP))
-   return 0;
- 
-   inside = (void *)skb->data + hdrlen;
-diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
-index 06dc55590441..51b454d8fa9c 100644
 a/net/netfilter/utils.c
-+++ b/net/netfilter/utils.c
-@@ -17,7 +17,8 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
hook,
-   case CHECKSUM_COMPLETE:
-   if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
-   break;
--  if ((protocol == 0 && !csum_fold(skb->csum)) ||
-+  if ((protocol != IPPROTO_TCP && protocol != IPPROTO_UDP &&
-+  !csum_fold(skb->csum)) ||
-   !csum_tcpudp_magic(iph->saddr, iph->daddr,
-  skb->len - dataoff, protocol,
-  skb->csum)) {
-@@ -26,7 +27,7 @@ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int 
hook,
-   }
-   /* fall through */
-   case CHECKSUM_NONE:
--  if (protocol == 0)
-+  if (protocol != IPPROTO_TCP && protocol !=