-rw-r--r--Patchlist.changelog6
-rw-r--r--kernel-aarch64-debug-fedora.config8
-rw-r--r--kernel-aarch64-debug-rhel.config6
-rw-r--r--kernel-aarch64-fedora.config8
-rw-r--r--kernel-aarch64-rhel.config6
-rw-r--r--kernel-armv7hl-debug-fedora.config8
-rw-r--r--kernel-armv7hl-fedora.config8
-rw-r--r--kernel-armv7hl-lpae-debug-fedora.config8
-rw-r--r--kernel-armv7hl-lpae-fedora.config8
-rw-r--r--kernel-i686-debug-fedora.config8
-rw-r--r--kernel-i686-fedora.config8
-rw-r--r--kernel-ppc64le-debug-fedora.config8
-rw-r--r--kernel-ppc64le-debug-rhel.config6
-rw-r--r--kernel-ppc64le-fedora.config8
-rw-r--r--kernel-ppc64le-rhel.config6
-rw-r--r--kernel-s390x-debug-fedora.config8
-rw-r--r--kernel-s390x-debug-rhel.config6
-rw-r--r--kernel-s390x-fedora.config8
-rw-r--r--kernel-s390x-rhel.config6
-rw-r--r--kernel-x86_64-debug-fedora.config8
-rw-r--r--kernel-x86_64-debug-rhel.config6
-rw-r--r--kernel-x86_64-fedora.config8
-rw-r--r--kernel-x86_64-rhel.config6
-rwxr-xr-xkernel.spec5
-rw-r--r--patch-5.15-redhat.patch148
-rw-r--r--sources6
26 files changed, 231 insertions, 94 deletions
diff --git a/Patchlist.changelog b/Patchlist.changelog
index 5b272a52a..b75b5dcea 100644
--- a/Patchlist.changelog
+++ b/Patchlist.changelog
@@ -1,3 +1,9 @@
+https://gitlab.com/cki-project/kernel-ark/-/commit/d334145759adb9d064c94828fe534b78d6d8ca3a
+ d334145759adb9d064c94828fe534b78d6d8ca3a netfilter: nat: force port remap to prevent shadowing well-known ports
+
+https://gitlab.com/cki-project/kernel-ark/-/commit/ff45edcc5c5fd94937474616c9a1c6ed8331e6ce
+ ff45edcc5c5fd94937474616c9a1c6ed8331e6ce netfilter: conntrack: tag conntracks picked up in local out hook
+
https://gitlab.com/cki-project/kernel-ark/-/commit/f1cc8d1b733c14b152da07eeab09ae0ffb541ef1
f1cc8d1b733c14b152da07eeab09ae0ffb541ef1 iwlwifi: mvm: Increase the scan timeout guard to 30 seconds
diff --git a/kernel-aarch64-debug-fedora.config b/kernel-aarch64-debug-fedora.config
index 2d20e58ad..20dc6cd61 100644
--- a/kernel-aarch64-debug-fedora.config
+++ b/kernel-aarch64-debug-fedora.config
@@ -1303,9 +1303,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32_ARM_CE=m
CONFIG_CRYPTO_CRC32C_VPMSUM=m
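Review bot: The switch of `CONFIG_CRYPTO_CHACHA20` and `CONFIG_CRYPTO_CHACHA20POLY1305` (and, in the next hunk, `CONFIG_CRYPTO_POLY1305`) from `=m` to `=y` is not explained anywhere in this commit: the kernel.spec changelog entry for 5.15.15-0 lists only the two netfilter patches and the NFC option. The same change is repeated in every other kernel-*-fedora.config and kernel-*-rhel.config in this diff. Built-in code cannot be left out of an image or kept from loading the way a module can, so the changelog should say whether this is intended or a side effect of regenerating the configs, for example `- configs: build ChaCha20/Poly1305 into the kernel (<reason>)`.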
@@ -1424,8 +1424,8 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_POLY1305_NEON=y
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4734,7 +4734,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
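Review bot: `CONFIG_NFC_PN532_UART=m` is turned on here and in every other kernel-*-fedora.config in this diff, including the s390x and ppc64le ones, where a UART-attached PN532 reader seems unlikely to exist. Each enabled driver is extra kernel code to ship and keep patched, so it may be worth limiting the option to the architectures that need it, or saying in the changelog why it is enabled everywhere. The rhel configs are not touched by this change.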
diff --git a/kernel-aarch64-debug-rhel.config b/kernel-aarch64-debug-rhel.config
index d624bf422..f0f33bda6 100644
--- a/kernel-aarch64-debug-rhel.config
+++ b/kernel-aarch64-debug-rhel.config
@@ -972,9 +972,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32_ARM64_CE=m
# CONFIG_CRYPTO_CRC32C_VPMSUM is not set
@@ -1056,8 +1056,8 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_POLY1305_NEON=y
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-aarch64-fedora.config b/kernel-aarch64-fedora.config
index 3d06fd64d..bf5f88774 100644
--- a/kernel-aarch64-fedora.config
+++ b/kernel-aarch64-fedora.config
@@ -1303,9 +1303,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32_ARM_CE=m
CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1424,8 +1424,8 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_POLY1305_NEON=y
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4710,7 +4710,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-aarch64-rhel.config b/kernel-aarch64-rhel.config
index 1b203ba06..d19c656a1 100644
--- a/kernel-aarch64-rhel.config
+++ b/kernel-aarch64-rhel.config
@@ -972,9 +972,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32_ARM64_CE=m
# CONFIG_CRYPTO_CRC32C_VPMSUM is not set
@@ -1056,8 +1056,8 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_POLY1305_NEON=y
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-armv7hl-debug-fedora.config b/kernel-armv7hl-debug-fedora.config
index 2e14cfb96..09b59602e 100644
--- a/kernel-armv7hl-debug-fedora.config
+++ b/kernel-armv7hl-debug-fedora.config
@@ -1296,9 +1296,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32_ARM_CE=m
CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1420,7 +1420,7 @@ CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_POLY1305_ARM=y
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4806,7 +4806,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-armv7hl-fedora.config b/kernel-armv7hl-fedora.config
index 48ffcb496..9449a93f2 100644
--- a/kernel-armv7hl-fedora.config
+++ b/kernel-armv7hl-fedora.config
@@ -1296,9 +1296,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32_ARM_CE=m
CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1420,7 +1420,7 @@ CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_POLY1305_ARM=y
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4783,7 +4783,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-armv7hl-lpae-debug-fedora.config b/kernel-armv7hl-lpae-debug-fedora.config
index 571b0f7e8..d525e9e2c 100644
--- a/kernel-armv7hl-lpae-debug-fedora.config
+++ b/kernel-armv7hl-lpae-debug-fedora.config
@@ -1267,9 +1267,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32_ARM_CE=m
CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1390,7 +1390,7 @@ CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_POLY1305_ARM=y
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4704,7 +4704,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-armv7hl-lpae-fedora.config b/kernel-armv7hl-lpae-fedora.config
index 5c261af7c..dfa908c95 100644
--- a/kernel-armv7hl-lpae-fedora.config
+++ b/kernel-armv7hl-lpae-fedora.config
@@ -1267,9 +1267,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
CONFIG_CRYPTO_CHACHA20_NEON=y
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32_ARM_CE=m
CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1390,7 +1390,7 @@ CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
CONFIG_CRYPTO_POLY1305_ARM=y
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4681,7 +4681,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-i686-debug-fedora.config b/kernel-i686-debug-fedora.config
index c93da919b..ffa5c44b4 100644
--- a/kernel-i686-debug-fedora.config
+++ b/kernel-i686-debug-fedora.config
@@ -1045,8 +1045,8 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32C_INTEL=m
CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1131,7 +1131,7 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4318,7 +4318,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-i686-fedora.config b/kernel-i686-fedora.config
index d3229929e..585b49862 100644
--- a/kernel-i686-fedora.config
+++ b/kernel-i686-fedora.config
@@ -1044,8 +1044,8 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32C_INTEL=m
CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1130,7 +1130,7 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4295,7 +4295,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-ppc64le-debug-fedora.config b/kernel-ppc64le-debug-fedora.config
index 8740dd7bc..7b97aa692 100644
--- a/kernel-ppc64le-debug-fedora.config
+++ b/kernel-ppc64le-debug-fedora.config
@@ -992,8 +992,8 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32C_VPMSUM=m
CONFIG_CRYPTO_CRC32C=y
@@ -1071,7 +1071,7 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4052,7 +4052,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-ppc64le-debug-rhel.config b/kernel-ppc64le-debug-rhel.config
index cf769a5b2..3768b580d 100644
--- a/kernel-ppc64le-debug-rhel.config
+++ b/kernel-ppc64le-debug-rhel.config
@@ -822,8 +822,8 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
# CONFIG_CRYPTO_CRC32C_VPMSUM is not set
CONFIG_CRYPTO_CRC32C=y
@@ -903,7 +903,7 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-ppc64le-fedora.config b/kernel-ppc64le-fedora.config
index bff21d8e2..3f6abee85 100644
--- a/kernel-ppc64le-fedora.config
+++ b/kernel-ppc64le-fedora.config
@@ -991,8 +991,8 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32C_VPMSUM=m
CONFIG_CRYPTO_CRC32C=y
@@ -1070,7 +1070,7 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4028,7 +4028,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-ppc64le-rhel.config b/kernel-ppc64le-rhel.config
index 96477f0c2..418f2e9b0 100644
--- a/kernel-ppc64le-rhel.config
+++ b/kernel-ppc64le-rhel.config
@@ -822,8 +822,8 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
# CONFIG_CRYPTO_CRC32C_VPMSUM is not set
CONFIG_CRYPTO_CRC32C=y
@@ -903,7 +903,7 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-s390x-debug-fedora.config b/kernel-s390x-debug-fedora.config
index 371f0a752..87972fbf4 100644
--- a/kernel-s390x-debug-fedora.config
+++ b/kernel-s390x-debug-fedora.config
@@ -1000,8 +1000,8 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32C_VPMSUM=m
CONFIG_CRYPTO_CRC32C=y
@@ -1074,7 +1074,7 @@ CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PAES_S390=m
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4032,7 +4032,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-s390x-debug-rhel.config b/kernel-s390x-debug-rhel.config
index 73fdf8403..74cf67f09 100644
--- a/kernel-s390x-debug-rhel.config
+++ b/kernel-s390x-debug-rhel.config
@@ -824,8 +824,8 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
# CONFIG_CRYPTO_CRC32C_VPMSUM is not set
CONFIG_CRYPTO_CRC32C=y
@@ -902,7 +902,7 @@ CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PAES_S390=m
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-s390x-fedora.config b/kernel-s390x-fedora.config
index fcf1ac318..04b77fbec 100644
--- a/kernel-s390x-fedora.config
+++ b/kernel-s390x-fedora.config
@@ -999,8 +999,8 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32C_VPMSUM=m
CONFIG_CRYPTO_CRC32C=y
@@ -1073,7 +1073,7 @@ CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PAES_S390=m
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4008,7 +4008,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-s390x-rhel.config b/kernel-s390x-rhel.config
index 4010f8548..a41c44546 100644
--- a/kernel-s390x-rhel.config
+++ b/kernel-s390x-rhel.config
@@ -824,8 +824,8 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
# CONFIG_CRYPTO_CRC32C_VPMSUM is not set
CONFIG_CRYPTO_CRC32C=y
@@ -902,7 +902,7 @@ CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PAES_S390=m
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-x86_64-debug-fedora.config b/kernel-x86_64-debug-fedora.config
index b1cb32cda..58217d3af 100644
--- a/kernel-x86_64-debug-fedora.config
+++ b/kernel-x86_64-debug-fedora.config
@@ -1070,9 +1070,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32C_INTEL=m
CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1163,8 +1163,8 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4362,7 +4362,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-x86_64-debug-rhel.config b/kernel-x86_64-debug-rhel.config
index a204e74e1..0fb97249f 100644
--- a/kernel-x86_64-debug-rhel.config
+++ b/kernel-x86_64-debug-rhel.config
@@ -862,9 +862,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32C_INTEL=m
# CONFIG_CRYPTO_CRC32C_VPMSUM is not set
@@ -957,8 +957,8 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
diff --git a/kernel-x86_64-fedora.config b/kernel-x86_64-fedora.config
index 64ec4a0b8..00fac72bb 100644
--- a/kernel-x86_64-fedora.config
+++ b/kernel-x86_64-fedora.config
@@ -1069,9 +1069,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32C_INTEL=m
CONFIG_CRYPTO_CRC32C_VPMSUM=m
@@ -1162,8 +1162,8 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
@@ -4339,7 +4339,7 @@ CONFIG_NF_CONNTRACK_TFTP=m
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_ZONES=y
-# CONFIG_NFC_PN532_UART is not set
+CONFIG_NFC_PN532_UART=m
CONFIG_NFC_PN533_I2C=m
CONFIG_NFC_PN533=m
CONFIG_NFC_PN533_USB=m
diff --git a/kernel-x86_64-rhel.config b/kernel-x86_64-rhel.config
index 3e7902171..76006d1f0 100644
--- a/kernel-x86_64-rhel.config
+++ b/kernel-x86_64-rhel.config
@@ -862,9 +862,9 @@ CONFIG_CRYPTO_CAST6=m
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_CFB=y
-CONFIG_CRYPTO_CHACHA20=m
-CONFIG_CRYPTO_CHACHA20POLY1305=m
+CONFIG_CRYPTO_CHACHA20POLY1305=y
CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
CONFIG_CRYPTO_CMAC=y
CONFIG_CRYPTO_CRC32C_INTEL=m
# CONFIG_CRYPTO_CRC32C_VPMSUM is not set
@@ -957,8 +957,8 @@ CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_OFB=y
CONFIG_CRYPTO_PCBC=m
CONFIG_CRYPTO_PCRYPT=m
-CONFIG_CRYPTO_POLY1305=m
CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_POLY1305=y
CONFIG_CRYPTO_RMD128=m
CONFIG_CRYPTO_RMD160=m
CONFIG_CRYPTO_RMD256=m
diff --git a/kernel.spec b/kernel.spec
index ccf0ecd37..db751ebf0 100755
--- a/kernel.spec
+++ b/kernel.spec
@@ -2977,6 +2977,11 @@ fi
#
#
%changelog
+* Sun Jan 16 2022 Justin M. Forbes <jforbes@fedoraproject.org> [5.15.15-0]
+- netfilter: nat: force port remap to prevent shadowing well-known ports (Florian Westphal)
+- netfilter: conntrack: tag conntracks picked up in local out hook (Florian Westphal)
+- configs/fedora: Enable CONFIG_NFC_PN532_UART for use PN532 NFC module (Ziqian SUN (Zamir))
+
* Tue Jan 11 2022 Justin M. Forbes <jforbes@fedoraproject.org> [5.15.14-0]
- Fix up changelog (Justin M. Forbes)
diff --git a/patch-5.15-redhat.patch b/patch-5.15-redhat.patch
index 867962f63..292d02fdf 100644
--- a/patch-5.15-redhat.patch
+++ b/patch-5.15-redhat.patch
@@ -41,14 +41,18 @@
include/linux/random.h | 7 ++
include/linux/rmi.h | 1 +
include/linux/security.h | 5 +
+ include/net/netfilter/nf_conntrack.h | 1 +
init/Kconfig | 2 +-
kernel/module_signing.c | 9 +-
+ net/netfilter/nf_conntrack_core.c | 3 +
+ net/netfilter/nf_nat_core.c | 43 ++++++-
scripts/tags.sh | 2 +
security/integrity/platform_certs/load_uefi.c | 6 +-
security/lockdown/Kconfig | 13 +++
security/lockdown/lockdown.c | 1 +
security/security.c | 6 +
- 50 files changed, 753 insertions(+), 202 deletions(-)
+ tools/testing/selftests/netfilter/nft_nat.sh | 5 +-
+ 54 files changed, 800 insertions(+), 207 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 8ff6dafafdf8..e3f786336cf9 100644
@@ -71,7 +75,7 @@ index 8ff6dafafdf8..e3f786336cf9 100644
This is normally done in pci_enable_device(),
so this option is a temporary workaround
diff --git a/Makefile b/Makefile
-index a469670e7675..cf656b40117c 100644
+index aed26e228dde..543979497d37 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,10 @@ $(if $(filter __%, $(MAKECMDGOALS)), \
@@ -683,7 +687,7 @@ index fe91090e04a4..f00bc6886913 100644
rv = ipmi_register_driver();
mutex_unlock(&ipmi_interfaces_mutex);
diff --git a/drivers/char/random.c b/drivers/char/random.c
-index 605969ed0f96..4d51f1c67675 100644
+index 7470ee24db2f..a3ac18f64ba7 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -335,6 +335,7 @@
@@ -706,7 +710,7 @@ index 605969ed0f96..4d51f1c67675 100644
/*
* Configuration information
*/
-@@ -481,6 +487,9 @@ static int ratelimit_disable __read_mostly;
+@@ -482,6 +488,9 @@ static int ratelimit_disable __read_mostly;
module_param_named(ratelimit_disable, ratelimit_disable, int, 0644);
MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression");
@@ -716,7 +720,7 @@ index 605969ed0f96..4d51f1c67675 100644
/**********************************************************************
*
* OS independent entropy store. Here are the functions which handle
-@@ -1858,6 +1867,13 @@ random_poll(struct file *file, poll_table * wait)
+@@ -1878,6 +1887,13 @@ random_poll(struct file *file, poll_table * wait)
return mask;
}
@@ -730,7 +734,7 @@ index 605969ed0f96..4d51f1c67675 100644
static int
write_pool(struct entropy_store *r, const char __user *buffer, size_t count)
{
-@@ -1961,7 +1977,58 @@ static int random_fasync(int fd, struct file *filp, int on)
+@@ -1981,7 +1997,58 @@ static int random_fasync(int fd, struct file *filp, int on)
return fasync_helper(fd, filp, on, &fasync);
}
@@ -789,7 +793,7 @@ index 605969ed0f96..4d51f1c67675 100644
.read = random_read,
.write = random_write,
.poll = random_poll,
-@@ -1972,6 +2039,7 @@ const struct file_operations random_fops = {
+@@ -1992,6 +2059,7 @@ const struct file_operations random_fops = {
};
const struct file_operations urandom_fops = {
@@ -797,7 +801,7 @@ index 605969ed0f96..4d51f1c67675 100644
.read = urandom_read,
.write = random_write,
.unlocked_ioctl = random_ioctl,
-@@ -1980,9 +2048,31 @@ const struct file_operations urandom_fops = {
+@@ -2000,9 +2068,31 @@ const struct file_operations urandom_fops = {
.llseek = noop_llseek,
};
@@ -829,7 +833,7 @@ index 605969ed0f96..4d51f1c67675 100644
int ret;
if (flags & ~(GRND_NONBLOCK|GRND_RANDOM|GRND_INSECURE))
-@@ -1998,6 +2088,18 @@ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
+@@ -2018,6 +2108,18 @@ SYSCALL_DEFINE3(getrandom, char __user *, buf, size_t, count,
if (count > INT_MAX)
count = INT_MAX;
@@ -848,7 +852,7 @@ index 605969ed0f96..4d51f1c67675 100644
if (!(flags & GRND_INSECURE) && !crng_ready()) {
if (flags & GRND_NONBLOCK)
return -EAGAIN;
-@@ -2303,3 +2405,16 @@ void add_bootloader_randomness(const void *buf, unsigned int size)
+@@ -2324,3 +2426,16 @@ void add_bootloader_randomness(const void *buf, unsigned int size)
add_device_randomness(buf, size);
}
EXPORT_SYMBOL_GPL(add_bootloader_randomness);
@@ -1666,7 +1670,7 @@ index 3dc055ce6e61..bb56640eb31f 100644
static inline bool tpacpi_is_led_restricted(const unsigned int led)
{
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
-index 00070a8a6507..e9e0ffa990cd 100644
+index 3bc4a86c3d0a..e346da4f58f2 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5666,6 +5666,13 @@ static void hub_event(struct work_struct *work)
@@ -1841,6 +1845,18 @@ index 46a02ce34d00..37e991a10d70 100644
#endif /* CONFIG_SECURITY */
#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
+diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
+index d24b0a34c8f0..871489df63c6 100644
+--- a/include/net/netfilter/nf_conntrack.h
++++ b/include/net/netfilter/nf_conntrack.h
+@@ -95,6 +95,7 @@ struct nf_conn {
+ unsigned long status;
+
+ u16 cpu;
++ u16 local_origin:1;
+ possible_net_t ct_net;
+
+ #if IS_ENABLED(CONFIG_NF_NAT)
diff --git a/init/Kconfig b/init/Kconfig
index 11f8a845f259..9b94cc1b5546 100644
--- a/init/Kconfig
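Review bot: The new `u16 local_origin:1;` member of `struct nf_conn` carries no comment saying who writes it and when. From the other hunks of this patch it looks like it is stored once in resolve_normal_ct() for a freshly created conntrack and only read in get_unique_tuple(). A bit-field store is a read-modify-write of its storage unit, so any bit later added beside it would have to follow the same write-once rule. I would document that on the field, e.g. `/* set once when the conntrack is created; read by NAT port selection */`. The struct definition starts and ends outside the hunk.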
@@ -1875,6 +1891,100 @@ index 8723ae70ea1f..fb2d773498c2 100644
+ }
+ return ret;
}
+diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
+index 4712a90a1820..208abc729302 100644
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1749,6 +1749,9 @@ resolve_normal_ct(struct nf_conn *tmpl,
+ return 0;
+ if (IS_ERR(h))
+ return PTR_ERR(h);
++
++ ct = nf_ct_tuplehash_to_ctrack(h);
++ ct->local_origin = state->hook == NF_INET_LOCAL_OUT;
+ }
+ ct = nf_ct_tuplehash_to_ctrack(h);
+
+diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
+index 273117683922..21ec0c3d1d47 100644
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -494,6 +494,38 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
+ goto another_round;
+ }
+
++static bool tuple_force_port_remap(const struct nf_conntrack_tuple *tuple)
++{
++ u16 sp, dp;
++
++ switch (tuple->dst.protonum) {
++ case IPPROTO_TCP:
++ sp = ntohs(tuple->src.u.tcp.port);
++ dp = ntohs(tuple->dst.u.tcp.port);
++ break;
++ case IPPROTO_UDP:
++ case IPPROTO_UDPLITE:
++ sp = ntohs(tuple->src.u.udp.port);
++ dp = ntohs(tuple->dst.u.udp.port);
++ break;
++ default:
++ return false;
++ }
++
++ /* IANA: System port range: 1-1023,
++ * user port range: 1024-49151,
++ * private port range: 49152-65535.
++ *
++ * Linux default ephemeral port range is 32768-60999.
++ *
++ * Enforce port remapping if sport is significantly lower
++ * than dport to prevent NAT port shadowing, i.e.
++ * accidental match of 'new' inbound connection vs.
++ * existing outbound one.
++ */
++ return sp < 16384 && dp >= 32768;
++}
++
+ /* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING,
+ * we change the source to map into the range. For NF_INET_PRE_ROUTING
+ * and NF_INET_LOCAL_OUT, we change the destination to map into the
+@@ -507,11 +539,17 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
+ struct nf_conn *ct,
+ enum nf_nat_manip_type maniptype)
+ {
++ bool random_port = range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL;
+ const struct nf_conntrack_zone *zone;
+ struct net *net = nf_ct_net(ct);
+
+ zone = nf_ct_zone(ct);
+
++ if (maniptype == NF_NAT_MANIP_SRC &&
++ !random_port &&
++ !ct->local_origin)
++ random_port = tuple_force_port_remap(orig_tuple);
++
+ /* 1) If this srcip/proto/src-proto-part is currently mapped,
+ * and that same mapping gives a unique tuple within the given
+ * range, use that.
+@@ -520,8 +558,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
+ * So far, we don't do local source mappings, so multiple
+ * manips not an issue.
+ */
+- if (maniptype == NF_NAT_MANIP_SRC &&
+- !(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
++ if (maniptype == NF_NAT_MANIP_SRC && !random_port) {
+ /* try the original tuple first */
+ if (in_range(orig_tuple, range)) {
+ if (!nf_nat_used_tuple(orig_tuple, ct)) {
+@@ -545,7 +582,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
+ */
+
+ /* Only bother mapping if it's not already in range and unique */
+- if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
++ if (!random_port) {
+ if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
+ if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) &&
+ l4proto_in_range(tuple, maniptype,
diff --git a/scripts/tags.sh b/scripts/tags.sh
index db8ba411860a..2294fb0f17a9 100755
--- a/scripts/tags.sh
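Review bot: In `tuple_force_port_remap()` the cut-off `sp < 16384` matches none of the ranges the comment above it lists (1-1023, 1024-49151, 49152-65535, 32768-60999), so a reader cannot tell why that value was picked; a line such as `/* 16384 is a heuristic cut-off, not an IANA boundary: <rationale> */` would close the gap. The `default: return false;` branch leaves every protocol other than TCP, UDP and UDP-Lite with its original source port, and the comment should say whether that is deliberate. Because `get_unique_tuple()` now sets `random_port` for forwarded flows even when the rule did not request randomisation, a source-NATed client that deliberately binds a low source port towards a high destination port will have that port rewritten; this changes the behaviour of existing rulesets and deserves a mention in the package changelog. `get_unique_tuple()` and `resolve_normal_ct()` both continue outside the hunk.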
@@ -1965,3 +2075,19 @@ index 67264cb08fb3..85a0227bfac1 100644
#ifdef CONFIG_PERF_EVENTS
int security_perf_event_open(struct perf_event_attr *attr, int type)
{
+diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh
+index da1c1e4b6c86..6a08644d501e 100755
+--- a/tools/testing/selftests/netfilter/nft_nat.sh
++++ b/tools/testing/selftests/netfilter/nft_nat.sh
+@@ -867,8 +867,9 @@ EOF
+ return $ksft_skip
+ fi
+
+- # test default behaviour. Packet from ns1 to ns0 is redirected to ns2.
+- test_port_shadow "default" "CLIENT"
++ # test default behaviour. Packet from ns1 to ns0 is not redirected
++ # due to automatic port translation.
++ test_port_shadow "default" "ROUTER"
+
+ # test packet filter based mitigation: prevent forwarding of
+ # packets claiming to come from the service port.
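Review bot: The updated expectation `test_port_shadow "default" "ROUTER"` covers only forwarded traffic, while the kernel change in this patch also adds a `!ct->local_origin` exemption that the visible part of the selftest does not exercise. A case showing that a connection opened by the router itself keeps its source port would pin that exemption down. The enclosing test function starts and ends outside the hunk, so such a case may already exist elsewhere in nft_nat.sh.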
diff --git a/sources b/sources
index 6ea50a440..f3fd705cd 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
SHA512 (kernel-abi-whitelists-5.13.19-200.tar.bz2) = 7d28816c431019c9f09b7bcda4eb43ed2c3a7cbb8199af0fecccf16bff3ac992e2c9ed3acc2d06d7c8ebec3dc9ad76d0975cc179d2e4b7541af2af05f7e35de6
-SHA512 (linux-5.15.14.tar.xz) = 68808e62a14cc4247f0b1a1657a07cd227ac2809c03fa511d7f34b797cd1f470748009dd68e3e0b260177b105151d06a96d14655b163f4efb0733359c01c0dcb
-SHA512 (kernel-abi-stablelists-5.15.14-100.tar.bz2) = a999a55cf0afad4cad4165840489a5f68c6c0fe0308140f031ad5419d345162aae005d44a15c923e6dc7df6b9c3e14d82cb355d5e9c4d12d12c25bd53d7a2f39
-SHA512 (kernel-kabi-dw-5.15.14-100.tar.bz2) = 9edfce3d218388876825ae4120aa4f6ab032e51b0c8f7635ed443e8655adc9e26c49f227653f7cf460a60a6df90313b0ed6fc201456fd86a165a303ee8595675
+SHA512 (linux-5.15.15.tar.xz) = 5dfc8616da24fd314b3d278bdaac2d6e95ac6bec21f624189cc0f3a71f6e2351aedc7a1e2887fe41e7469897558eb81ca835fda8084ca0cbf0bc66acf1b9cf07
+SHA512 (kernel-abi-stablelists-5.15.15-100.tar.bz2) = 939736964028892fb34c03659c6b34395fc163d3c4f010757650f286cecd4fbec4903663c7d8cd864f6554e9ef1b937990b9b05221caa0c5d12a8a42038c07f7
+SHA512 (kernel-kabi-dw-5.15.15-100.tar.bz2) = 27206d327a588cca4830c4a26f88f60e0ebf010cbc5ec0f3acf57a264a8818f99deae12e9af64b670850e1db6133a3e11bf64dd00b2c4ae6826fe10e0ee07512