netdev.vger.kernel.org archive mirror
* [PATCH 02/15] mISDN: Add support for group membership check
From: Jiri Slaby @ 2013-05-07 14:18 UTC (permalink / raw)
  To: jirislaby
  Cc: linux-kernel, Jeff Mahoney, Patrick Koppen, Jiri Slaby,
	Karsten Keil, netdev, David S. Miller

From: Jeff Mahoney <jeffm@suse.com>

This patch adds a module parameter to allow a group access to the
mISDN devices. Otherwise, unprivileged users on systems with ISDN
hardware have the ability to dial out, potentially causing expensive
bills.

Based on a different implementation by Patrick Koppen <isdn4linux@koppen.de>

We (at suse) have this patch in our trees at least since 2009 and want
to push it upstream now.

Acked-by: Jeff Mahoney <jeffm@suse.com>
Cc: Patrick Koppen <isdn4linux@koppen.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>
---
 drivers/isdn/mISDN/core.c   | 3 +++
 drivers/isdn/mISDN/core.h   | 1 +
 drivers/isdn/mISDN/socket.c | 8 ++++++++
 3 files changed, 12 insertions(+)

diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c
index da30c5c..a7050c3 100644
--- a/drivers/isdn/mISDN/core.c
+++ b/drivers/isdn/mISDN/core.c
@@ -21,10 +21,13 @@
 #include "core.h"
 
 static u_int debug;
+u_int misdn_permitted_gid;
 
 MODULE_AUTHOR("Karsten Keil");
 MODULE_LICENSE("GPL");
 module_param(debug, uint, S_IRUGO | S_IWUSR);
+module_param_named(gid, misdn_permitted_gid, uint, 0);
+MODULE_PARM_DESC(gid, "Unix group for accessing misdn socket (default 0)");
 
 static u64		device_ids;
 #define MAX_DEVICE_ID	63
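Review bot: The `gid` parameter in core.c is registered with permission 0, so unlike `debug` just above it the value in effect cannot be read back from sysfs, and MODULE_PARM_DESC does not say what the default of 0 means. Together with the checks added in socket.c, a default of 0 restricts access to CAP_SYS_ADMIN holders and members of group 0, which changes behaviour for existing unprivileged users as soon as the patch is applied. Consider `S_IRUGO` so the setting can be audited, and state the effect of the default in the description and the commit message.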
diff --git a/drivers/isdn/mISDN/core.h b/drivers/isdn/mISDN/core.h
index 52695bb..6ea673f 100644
--- a/drivers/isdn/mISDN/core.h
+++ b/drivers/isdn/mISDN/core.h
@@ -17,6 +17,7 @@
 
 extern struct mISDNdevice	*get_mdevice(u_int);
 extern int			get_mdevice_count(void);
+extern u_int misdn_permitted_gid;
 
 /* stack status flag */
 #define mISDN_STACK_ACTION_MASK		0x0000ffff
diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c
index e47dcb9..71f4986 100644
--- a/drivers/isdn/mISDN/socket.c
+++ b/drivers/isdn/mISDN/socket.c
@@ -612,6 +612,10 @@ data_sock_create(struct net *net, struct socket *sock, int protocol)
 {
 	struct sock *sk;
 
+	if(!capable(CAP_SYS_ADMIN) && (misdn_permitted_gid != current_gid())
+		&& (!in_group_p(misdn_permitted_gid)))
+			return -EPERM;
+
 	if (sock->type != SOCK_DGRAM)
 		return -ESOCKTNOSUPPORT;
 
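Review bot: The check at the top of data_sock_create() compares a plain `u_int` with current_gid() and passes it to in_group_p(); both work on kgid_t, so on kernels where kgid_t is a distinct struct type this needs the module parameter converted with make_kgid() and compared with gid_eq(). The same three-clause condition is repeated in base_sock_ioctl(), so a small static helper would keep the two call sites in sync. Style: `if(` needs a space, the `&&` operators belong at the end of the previous line, and `return -EPERM;` is indented one level too deep.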
@@ -694,6 +698,10 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 	case IMSETDEVNAME:
 	{
 		struct mISDN_devrename dn;
+		if(!capable(CAP_SYS_ADMIN)
+			&& (misdn_permitted_gid != current_gid())
+			&& (!in_group_p(misdn_permitted_gid)))
+				return -EPERM;
 		if (copy_from_user(&dn, (void __user *)arg,
 				   sizeof(dn))) {
 			err = -EFAULT;
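Review bot: In the IMSETDEVNAME case the new check leaves with a bare `return -EPERM` while the copy_from_user() failure directly below sets `err = -EFAULT`, which suggests the function leaves through a common exit path. Use `err = -EPERM; break;` to match unless an early return is known to be safe at this point. A blank line between the `struct mISDN_devrename dn;` declaration and the first statement is also missing.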
-- 
1.8.2.1


* [PATCH 03/15] ehea: add alias entry for portN properties
From: Jiri Slaby @ 2013-05-07 14:18 UTC (permalink / raw)
  To: jirislaby
  Cc: linux-kernel, Olaf Hering, Jeff Mahoney, Jiri Slaby,
	Thadeu Lima de Souza Cascardo, netdev, David S. Miller

From: Olaf Hering <ohering@suse.com>

Use separate table for alias entries in the ehea module,
otherwise the probe() function will operate on the separate ports
instead of the lhea-"root" entry of the device-tree

References: https://bugzilla.novell.com/show_bug.cgi?id=435215
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Olaf Hering <ohering@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Thadeu Lima de Souza Cascardo <cascardo@linux.vnet.ibm.com>
Cc: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>
---
 drivers/net/ethernet/ibm/ehea/ehea_main.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c
index 90ea0b1..1114418 100644
--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
+++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
@@ -103,6 +103,19 @@ static int ehea_probe_adapter(struct platform_device *dev,
 
 static int ehea_remove(struct platform_device *dev);
 
+static struct of_device_id ehea_module_device_table[] = {
+	{
+		.name = "lhea",
+		.compatible = "IBM,lhea",
+	},
+	{
+		.type = "network",
+		.compatible = "IBM,lhea-ethernet",
+	},
+	{},
+};
+MODULE_DEVICE_TABLE(of, ehea_module_device_table);
+
 static struct of_device_id ehea_device_table[] = {
 	{
 		.name = "lhea",
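Review bot: The new ehea_module_device_table duplicates the "lhea" entry of ehea_device_table with no comment saying why two tables exist. Since only one of them is exported through MODULE_DEVICE_TABLE and the other is used for matching, add a comment above each stating its role (module alias generation versus probe matching), otherwise a later cleanup is likely to merge them again and reintroduce the probe problem described in the commit message.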
@@ -110,7 +123,6 @@ static struct of_device_id ehea_device_table[] = {
 	},
 	{},
 };
-MODULE_DEVICE_TABLE(of, ehea_device_table);
 
 static struct of_platform_driver ehea_driver = {
 	.driver = {
-- 
1.8.2.1


* [PATCH 05/15] connection tracking helper for SLP
From: Jiri Slaby @ 2013-05-07 14:18 UTC (permalink / raw)
  To: jirislaby
  Cc: linux-kernel, Jiri Bohac, Jiri Slaby, netfilter-devel, netfilter,
	coreteam, netdev, David S. Miller, Patrick McHardy,
	Pablo Neira Ayuso

From: Jiri Bohac <jbohac@suse.cz>

A simple connection tracking helper for SLP. Marks replies to a
SLP broadcast query as ESTABLISHED to allow them to pass through the
firewall.

Signed-off-by: Jiri Bohac <jbohac@suse.cz>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: netfilter-devel@vger.kernel.org
Cc: netfilter@vger.kernel.org
Cc: coreteam@netfilter.org
Cc: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/Kconfig            |  15 +++++
 net/netfilter/Makefile           |   1 +
 net/netfilter/nf_conntrack_slp.c | 131 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 147 insertions(+)
 create mode 100644 net/netfilter/nf_conntrack_slp.c

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 56d22ca..ec61b30 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -320,6 +320,21 @@ config NF_CONNTRACK_TFTP
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config NF_CONNTRACK_SLP
+	tristate "SLP protocol support"
+	depends on NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
+	help
+	  SLP queries are sometimes sent as broadcast messages from an
+	  unprivileged port and responded to with unicast messages to the
+	  same port. This make them hard to firewall properly because connection
+	  tracking doesn't deal with broadcasts. This helper tracks locally
+	  originating broadcast SLP queries and the corresponding
+	  responses. It relies on correct IP address configuration, specifically
+	  netmask and broadcast address.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NF_CT_NETLINK
 	tristate 'Connection tracking netlink interface'
 	select NETFILTER_NETLINK
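Review bot: The NF_CONNTRACK_SLP help text has a grammar slip ("This make them" should be "This makes them") and speaks only of broadcast queries, while help() in this same patch also acts on routes flagged RTCF_MULTICAST. Say which cases are handled, and state that replies are accepted from any host in the interface's subnet for the duration of the timeout, since that is what an administrator enabling the option is agreeing to.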
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index a1abf87..aa7d5f1 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -43,6 +43,7 @@ obj-$(CONFIG_NF_CONNTRACK_PPTP) += nf_conntrack_pptp.o
 obj-$(CONFIG_NF_CONNTRACK_SANE) += nf_conntrack_sane.o
 obj-$(CONFIG_NF_CONNTRACK_SIP) += nf_conntrack_sip.o
 obj-$(CONFIG_NF_CONNTRACK_TFTP) += nf_conntrack_tftp.o
+obj-$(CONFIG_NF_CONNTRACK_SLP) += nf_conntrack_slp.o
 
 nf_nat-y	:= nf_nat_core.o nf_nat_proto_unknown.o nf_nat_proto_common.o \
 		   nf_nat_proto_udp.o nf_nat_proto_tcp.o nf_nat_helper.o
diff --git a/net/netfilter/nf_conntrack_slp.c b/net/netfilter/nf_conntrack_slp.c
new file mode 100644
index 0000000..0174dd0
--- /dev/null
+++ b/net/netfilter/nf_conntrack_slp.c
@@ -0,0 +1,131 @@
+/*
+ *      NetBIOS name service broadcast connection tracking helper
+ *
+ *      (c) 2007 Jiri Bohac <jbohac@suse.cz>
+ *      (c) 2005 Patrick McHardy <kaber@trash.net>
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ */
+/*
+ *      This helper tracks locally originating NetBIOS name service
+ *      requests by issuing permanent expectations (valid until
+ *      timing out) matching all reply connections from the
+ *      destination network. The only NetBIOS specific thing is
+ *      actually the port number.
+ */
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/inetdevice.h>
+#include <linux/if_addr.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/netfilter.h>
+#include <net/route.h>
+
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_helper.h>
+#include <net/netfilter/nf_conntrack_expect.h>
+
+#define SLP_PORT	427
+
+MODULE_AUTHOR("Jiri Bohac <jbohac@suse.cz>");
+MODULE_DESCRIPTION("SLP broadcast connection tracking helper");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ip_conntrack_slp");
+
+static unsigned int timeout __read_mostly = 3;
+module_param(timeout, uint, 0400);
+MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
+
+static int help(struct sk_buff *skb, unsigned int protoff,
+		struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+{
+	struct nf_conntrack_expect *exp;
+	struct rtable *rt = skb_rtable(skb);
+	struct in_device *in_dev;
+	__be32 mask = 0;
+	__be32 src = 0;
+
+	/* we're only interested in locally generated packets */
+	if (skb->sk == NULL)
+		goto out;
+	if (rt == NULL || !(rt->rt_flags & (RTCF_MULTICAST|RTCF_BROADCAST)))
+		goto out;
+	if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
+		goto out;
+
+	rcu_read_lock();
+	in_dev = __in_dev_get_rcu(rt->dst.dev);
+	if (in_dev != NULL) {
+		for_primary_ifa(in_dev) {
+			/* this is a hack as slp uses multicast we can't match
+			 * the destination address to some broadcast address. So
+			 * just take the first one. Better would be to install
+			 * expectations for all addresses */
+			mask = ifa->ifa_mask;
+			src = ifa->ifa_broadcast;
+			break;
+		} endfor_ifa(in_dev);
+	}
+	rcu_read_unlock();
+
+	if (mask == 0 || src == 0)
+		goto out;
+
+	exp = nf_ct_expect_alloc(ct);
+	if (exp == NULL)
+		goto out;
+
+	exp->tuple                = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+	exp->tuple.src.u3.ip      = src;
+	exp->tuple.src.u.udp.port = htons(SLP_PORT);
+
+	exp->mask.src.u3.ip       = mask;
+	exp->mask.src.u.udp.port  = htons(0xFFFF);
+
+	exp->expectfn             = NULL;
+	exp->flags                = NF_CT_EXPECT_PERMANENT;
+	exp->class		  = NF_CT_EXPECT_CLASS_DEFAULT;
+	exp->helper               = NULL;
+
+	nf_ct_expect_related(exp);
+	nf_ct_expect_put(exp);
+
+	nf_ct_refresh(ct, skb, timeout * HZ);
+out:
+	return NF_ACCEPT;
+}
+
+static struct nf_conntrack_expect_policy exp_policy = {
+	.max_expected	= 1,
+};
+
+static struct nf_conntrack_helper helper __read_mostly = {
+	.name			= "slp",
+	.tuple.src.l3num	= AF_INET,
+	.tuple.src.u.udp.port	= __constant_htons(SLP_PORT),
+	.tuple.dst.protonum	= IPPROTO_UDP,
+	.me			= THIS_MODULE,
+	.help			= help,
+	.expect_policy		= &exp_policy,
+};
+
+static int __init nf_conntrack_slp_init(void)
+{
+	exp_policy.timeout = timeout;
+	return nf_conntrack_helper_register(&helper);
+}
+
+static void __exit nf_conntrack_slp_fini(void)
+{
+	nf_conntrack_helper_unregister(&helper);
+}
+
+module_init(nf_conntrack_slp_init);
+module_exit(nf_conntrack_slp_fini);
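Review bot: In help(), the expectation is built from the first primary address only (the loop breaks after one iteration) and its source mask is the interface netmask, so for `timeout` seconds any host in that subnet sending from UDP port 427 to the query's source port is accepted as a related reply; the in-code comment already calls this a hack. Either install expectations for every primary address as that comment suggests, or document the limitation for multi-address interfaces. The return value of nf_ct_expect_related() is ignored, so a failed registration is silent. The file header and the block comment below it still describe the NetBIOS name service helper this was copied from and should be rewritten for SLP.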
-- 
1.8.2.1


* [PATCH 06/15] netfilter: Implement RFC 1123 for FTP conntrack
From: Jiri Slaby @ 2013-05-07 14:18 UTC (permalink / raw)
  To: jirislaby
  Cc: linux-kernel, Jeff Mahoney, Jiri Slaby, Pablo Neira Ayuso,
	Patrick McHardy, David S. Miller, netfilter-devel, netfilter,
	coreteam, netdev

From: Jeff Mahoney <jeffm@suse.com>

 The FTP conntrack code currently only accepts the following format for
 the 227 response for PASV:
 227 Entering Passive Mode (148,100,81,40,31,161).

 It doesn't accept the following format from an obscure server:
 227 Data transfer will passively listen to 67,218,99,134,50,144

 From RFC 1123:
 The format of the 227 reply to a PASV command is not
 well standardized.  In particular, an FTP client cannot
 assume that the parentheses shown on page 40 of RFC-959
 will be present (and in fact, Figure 3 on page 43 omits
 them).  Therefore, a User-FTP program that interprets
 the PASV reply must scan the reply for the first digit
 of the host and port numbers.

 This patch adds support for the RFC 1123 clarification by:
 - Allowing a search filter to specify NUL as the terminator so that
   try_number will return successfully if the array of numbers has been
   filled when an unexpected character is encountered.
 - Using space as the separator for the 227 reply and then scanning for
   the first digit of the number sequence. The number sequence is parsed
   out using the existing try_rfc959 but with a NUL terminator.

References: https://bugzilla.novell.com/show_bug.cgi?id=466279
References: http://bugzilla.netfilter.org/show_bug.cgi?id=574
Reported-by: Mark Post <mpost@novell.com>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: netfilter-devel@vger.kernel.org
Cc: netfilter@vger.kernel.org
Cc: coreteam@netfilter.org
Cc: netdev@vger.kernel.org
---
 net/netfilter/nf_conntrack_ftp.c | 73 +++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 19 deletions(-)

diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 6b21707..b8a0924 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -55,10 +55,14 @@ unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,
 				struct nf_conntrack_expect *exp);
 EXPORT_SYMBOL_GPL(nf_nat_ftp_hook);
 
-static int try_rfc959(const char *, size_t, struct nf_conntrack_man *, char);
-static int try_eprt(const char *, size_t, struct nf_conntrack_man *, char);
+static int try_rfc959(const char *, size_t, struct nf_conntrack_man *,
+		      char, unsigned int *);
+static int try_rfc1123(const char *, size_t, struct nf_conntrack_man *,
+		       char, unsigned int *);
+static int try_eprt(const char *, size_t, struct nf_conntrack_man *,
+		    char, unsigned int *);
 static int try_epsv_response(const char *, size_t, struct nf_conntrack_man *,
-			     char);
+			     char, unsigned int *);
 
 static struct ftp_search {
 	const char *pattern;
@@ -66,7 +70,7 @@ static struct ftp_search {
 	char skip;
 	char term;
 	enum nf_ct_ftp_type ftptype;
-	int (*getnum)(const char *, size_t, struct nf_conntrack_man *, char);
+	int (*getnum)(const char *, size_t, struct nf_conntrack_man *, char, unsigned int *);
 } search[IP_CT_DIR_MAX][2] = {
 	[IP_CT_DIR_ORIGINAL] = {
 		{
@@ -90,10 +94,8 @@ static struct ftp_search {
 		{
 			.pattern	= "227 ",
 			.plen		= sizeof("227 ") - 1,
-			.skip		= '(',
-			.term		= ')',
 			.ftptype	= NF_CT_FTP_PASV,
-			.getnum		= try_rfc959,
+			.getnum		= try_rfc1123,
 		},
 		{
 			.pattern	= "229 ",
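Review bot: The "227 " entry now relies on `.skip` and `.term` being implicitly zero to mean "no skip character" and "any terminator". Because find_pattern() and try_number() change behaviour on those zeros in this patch, set them explicitly in the initializer with a short comment, or document the convention on struct ftp_search, so the meaning is not lost on the next reader.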
@@ -132,8 +134,9 @@ static int try_number(const char *data, size_t dlen, u_int32_t array[],
 			i++;
 		else {
 			/* Unexpected character; true if it's the
-			   terminator and we're finished. */
-			if (*data == term && i == array_size - 1)
+			   terminator (or we don't care about one)
+			   and we're finished. */
+			if ((*data == term || !term) && i == array_size - 1)
 				return len;
 
 			pr_debug("Char %u (got %u nums) `%u' unexpected\n",
@@ -148,7 +151,8 @@ static int try_number(const char *data, size_t dlen, u_int32_t array[],
 
 /* Returns 0, or length of numbers: 192,168,1,1,5,6 */
 static int try_rfc959(const char *data, size_t dlen,
-		      struct nf_conntrack_man *cmd, char term)
+		      struct nf_conntrack_man *cmd, char term,
+		      unsigned int *offset)
 {
 	int length;
 	u_int32_t array[6];
@@ -163,6 +167,33 @@ static int try_rfc959(const char *data, size_t dlen,
 	return length;
 }
 
+/*
+ * From RFC 1123:
+ * The format of the 227 reply to a PASV command is not
+ * well standardized.  In particular, an FTP client cannot
+ * assume that the parentheses shown on page 40 of RFC-959
+ * will be present (and in fact, Figure 3 on page 43 omits
+ * them).  Therefore, a User-FTP program that interprets
+ * the PASV reply must scan the reply for the first digit
+ * of the host and port numbers.
+ */
+static int try_rfc1123(const char *data, size_t dlen,
+		       struct nf_conntrack_man *cmd, char term,
+		       unsigned int *offset)
+{
+	int i;
+	for (i = 0; i < dlen; i++)
+		if (isdigit(data[i]))
+			break;
+
+	if (i == dlen)
+		return 0;
+
+	*offset += i;
+
+	return try_rfc959(data + i, dlen - i, cmd, 0, offset);
+}
+
 /* Grab port: number up to delimiter */
 static int get_port(const char *data, int start, size_t dlen, char delim,
 		    __be16 *port)
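Review bot: try_rfc1123() stops at the first digit after "227 " and makes a single try_rfc959() attempt there, so any digit in the free text ahead of the address tuple makes the parse fail, including replies that keep the parentheses and were matched before this patch via `.skip = '('`. Consider resuming the scan after a failed attempt instead of returning 0. The `term` argument is accepted but ignored (0 is always passed on), which deserves a comment, and `int i` is compared against `size_t dlen`; make `i` a size_t.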
@@ -191,7 +222,7 @@ static int get_port(const char *data, int start, size_t dlen, char delim,
 
 /* Returns 0, or length of numbers: |1|132.235.1.2|6275| or |2|3ffe::1|6275| */
 static int try_eprt(const char *data, size_t dlen, struct nf_conntrack_man *cmd,
-		    char term)
+		    char term, unsigned int *offset)
 {
 	char delim;
 	int length;
@@ -239,7 +270,8 @@ static int try_eprt(const char *data, size_t dlen, struct nf_conntrack_man *cmd,
 
 /* Returns 0, or length of numbers: |||6446| */
 static int try_epsv_response(const char *data, size_t dlen,
-			     struct nf_conntrack_man *cmd, char term)
+			     struct nf_conntrack_man *cmd, char term,
+			     unsigned int *offset)
 {
 	char delim;
 
@@ -261,9 +293,10 @@ static int find_pattern(const char *data, size_t dlen,
 			unsigned int *numlen,
 			struct nf_conntrack_man *cmd,
 			int (*getnum)(const char *, size_t,
-				      struct nf_conntrack_man *, char))
+				      struct nf_conntrack_man *, char,
+				      unsigned int *))
 {
-	size_t i;
+	size_t i = plen;
 
 	pr_debug("find_pattern `%s': dlen = %Zu\n", pattern, dlen);
 	if (dlen == 0)
@@ -293,16 +326,18 @@ static int find_pattern(const char *data, size_t dlen,
 	pr_debug("Pattern matches!\n");
 	/* Now we've found the constant string, try to skip
 	   to the 'skip' character */
-	for (i = plen; data[i] != skip; i++)
-		if (i == dlen - 1) return -1;
+	if (skip) {
+		for (i = plen; data[i] != skip; i++)
+			if (i == dlen - 1) return -1;
 
-	/* Skip over the last character */
-	i++;
+		/* Skip over the last character */
+		i++;
+	}
 
 	pr_debug("Skipped up to `%c'!\n", skip);
 
 	*numoff = i;
-	*numlen = getnum(data + i, dlen - i, cmd, term);
+	*numlen = getnum(data + i, dlen - i, cmd, term, numoff);
 	if (!*numlen)
 		return -1;
 
-- 
1.8.2.1
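
An added example, not code from the patch or from nf_conntrack_ftp.c: a user-space sketch of the RFC 1123 rule quoted in the commit message above, run against the two 227 replies it cites. The struct and function names are hypothetical, and it goes one step beyond the patch by resuming the scan after a stray digit in the reply text.

```c
/* Added example: user-space sketch of RFC 1123 style parsing of a 227 reply.
 * Not kernel code; all names here are made up for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pasv_endpoint {
	uint8_t  addr[4];
	uint16_t port;
};

/* Parse h1,h2,h3,h4,p1,p2 (each 0..255) at s[0].
 * Returns the number of bytes consumed, or 0 if no valid tuple starts here. */
static size_t parse_six(const char *s, size_t len, struct pasv_endpoint *ep)
{
	unsigned int v[6] = { 0 };
	size_t i, field = 0;
	int have_digit = 0;

	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)s[i];

		if (isdigit(c)) {
			v[field] = v[field] * 10 + (c - '0');
			if (v[field] > 255)
				return 0;	/* not an octet; also bounds v[] */
			have_digit = 1;
		} else if (c == ',' && have_digit && field < 5) {
			field++;
			have_digit = 0;
		} else {
			break;			/* any other byte ends the tuple */
		}
	}
	/* Need six complete fields and no seventh one trailing behind. */
	if (field != 5 || !have_digit || (i < len && s[i] == ','))
		return 0;
	for (field = 0; field < 4; field++)
		ep->addr[field] = (uint8_t)v[field];
	ep->port = (uint16_t)(v[4] << 8 | v[5]);
	return i;
}

/* Scan a "227 " reply for the host/port tuple, with or without parentheses.
 * Returns 1 and fills *ep and *off (tuple offset in reply), else 0. */
static int parse_227(const char *reply, size_t len,
		     struct pasv_endpoint *ep, size_t *off)
{
	size_t i = 4;

	if (len < 4 || memcmp(reply, "227 ", 4) != 0)
		return 0;
	while (i < len) {
		if (!isdigit((unsigned char)reply[i])) {
			i++;
			continue;
		}
		if (parse_six(reply + i, len - i, ep)) {
			*off = i;
			return 1;
		}
		/* Failed candidate: skip the whole digit/comma run so a tail
		 * of a malformed list is never accepted as a tuple. */
		while (i < len && (isdigit((unsigned char)reply[i]) ||
				   reply[i] == ','))
			i++;
	}
	return 0;
}

/* Convenience wrappers: port or tuple offset on success, -1 on failure. */
static int pasv_port(const char *reply)
{
	struct pasv_endpoint ep;
	size_t off;

	return parse_227(reply, strlen(reply), &ep, &off) ? ep.port : -1;
}

static int pasv_offset(const char *reply)
{
	struct pasv_endpoint ep;
	size_t off;

	return parse_227(reply, strlen(reply), &ep, &off) ? (int)off : -1;
}

int main(void)
{
	/* First two replies are the ones quoted in the commit message;
	 * the third is constructed to show a stray digit before the tuple. */
	const char *samples[] = {
		"227 Entering Passive Mode (148,100,81,40,31,161).",
		"227 Data transfer will passively listen to 67,218,99,134,50,144",
		"227 Passive mode on node2 (10,0,0,5,4,1)",
	};
	size_t n;

	for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++)
		printf("port %d at offset %d: %s\n", pasv_port(samples[n]),
		       pasv_offset(samples[n]), samples[n]);
	return 0;
}
```
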


* [PATCH 15/15] ptp: PTP_1588_CLOCK_PCH depends on x86
From: Jiri Slaby @ 2013-05-07 14:18 UTC (permalink / raw)
  To: jirislaby; +Cc: linux-kernel, Jeff Mahoney, Jiri Slaby, Richard Cochran, netdev

From: Jeff Mahoney <jeffm@suse.com>

The PCH EG20T is only compatible with Intel Atom processors so it
should depend on x86.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: netdev@vger.kernel.org
---
 drivers/ptp/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/ptp/Kconfig b/drivers/ptp/Kconfig
index 1ea6f1d..e02b7d4 100644
--- a/drivers/ptp/Kconfig
+++ b/drivers/ptp/Kconfig
@@ -72,6 +72,7 @@ config DP83640_PHY
 
 config PTP_1588_CLOCK_PCH
 	tristate "Intel PCH EG20T as PTP clock"
+	depends on X86
 	select PTP_1588_CLOCK
 	help
 	  This driver adds support for using the PCH EG20T as a PTP
-- 
1.8.2.1


* Re: [PATCH 15/15] ptp: PTP_1588_CLOCK_PCH depends on x86
From: Richard Cochran @ 2013-05-07 19:29 UTC (permalink / raw)
  To: Jiri Slaby; +Cc: jirislaby, linux-kernel, Jeff Mahoney, netdev

On Tue, May 07, 2013 at 04:18:23PM +0200, Jiri Slaby wrote:
> From: Jeff Mahoney <jeffm@suse.com>
> 
> The PCH EG20T is only compatible with Intel Atom processors so it
> should depend on x86.

This patch has been submitted before,

   https://patchwork.kernel.org/patch/2069071/

and at that time the reaction was that it is good to have drivers
cross-compiled, if only for code quality reasons.

Thanks,
Richard


* Re: [PATCH 05/15] connection tracking helper for SLP
From: Pablo Neira Ayuso @ 2013-05-08  2:03 UTC (permalink / raw)
  To: Jiri Slaby
  Cc: jirislaby, linux-kernel, Jiri Bohac, netfilter-devel, netfilter,
	coreteam, netdev, David S. Miller, Patrick McHardy

On Tue, May 07, 2013 at 04:18:13PM +0200, Jiri Slaby wrote:
> From: Jiri Bohac <jbohac@suse.cz>
> 
> A simple connection tracking helper for SLP. Marks replies to a
> SLP broadcast query as ESTABLISHED to allow them to pass through the
> firewall.
> 
> Signed-off-by: Jiri Bohac <jbohac@suse.cz>
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> Cc: netfilter-devel@vger.kernel.org
> Cc: netfilter@vger.kernel.org
> Cc: coreteam@netfilter.org
> Cc: netdev@vger.kernel.org
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Patrick McHardy <kaber@trash.net>
> Cc: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  net/netfilter/Kconfig            |  15 +++++
>  net/netfilter/Makefile           |   1 +
>  net/netfilter/nf_conntrack_slp.c | 131 +++++++++++++++++++++++++++++++++++++++
>  3 files changed, 147 insertions(+)
>  create mode 100644 net/netfilter/nf_conntrack_slp.c
> 
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 56d22ca..ec61b30 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -320,6 +320,21 @@ config NF_CONNTRACK_TFTP
>  
>  	  To compile it as a module, choose M here.  If unsure, say N.
>  
> +config NF_CONNTRACK_SLP
> +	tristate "SLP protocol support"
> +	depends on NF_CONNTRACK
> +	depends on NETFILTER_ADVANCED
> +	help
> +	  SLP queries are sometimes sent as broadcast messages from an
> +	  unprivileged port and responded to with unicast messages to the
> +	  same port. This make them hard to firewall properly because connection
> +	  tracking doesn't deal with broadcasts. This helper tracks locally
> +	  originating broadcast SLP queries and the corresponding
> +	  responses. It relies on correct IP address configuration, specifically
> +	  netmask and broadcast address.

We have the user-space helper infrastructure in the conntrack-tools,
this helper has to go there.


* Re: [PATCH 15/15] ptp: PTP_1588_CLOCK_PCH depends on x86
From: Jiri Slaby @ 2013-05-14 14:20 UTC (permalink / raw)
  To: Richard Cochran, Jiri Slaby; +Cc: linux-kernel, Jeff Mahoney, netdev

On 05/07/2013 09:29 PM, Richard Cochran wrote:
> On Tue, May 07, 2013 at 04:18:23PM +0200, Jiri Slaby wrote:
>> From: Jeff Mahoney <jeffm@suse.com>
>>
>> The PCH EG20T is only compatible with Intel Atom processors so it
>> should depend on x86.
> 
> This patch has been submitted before,
> 
>    https://patchwork.kernel.org/patch/2069071/
> 
> and at that time the reaction was that it is good to have drivers
> cross-compiled, if only for code quality reasons.

Hmm, then it depends whether the kernel is for users or for developers.
I, as a user, do not really want to compile drivers with allmodconfig
which I have no way to load/use.

And allmodconfig is basically what we, users (SUSE distributors in this
case) do. So having this driver being built makes our life harder (in
the meaning we have to have specific rules about disabling unwanted
drivers from configs).

And, developers should have a testbed where they build 32bit configs.
And we actually have that for -next AFAIU.

thanks,
-- 
js
suse labs


* Re: [PATCH 15/15] ptp: PTP_1588_CLOCK_PCH depends on x86
From: Ben Hutchings @ 2013-05-14 18:12 UTC (permalink / raw)
  To: Jiri Slaby
  Cc: Richard Cochran, Jiri Slaby, linux-kernel, Jeff Mahoney, netdev

On Tue, May 14, 2013 at 04:20:09PM +0200, Jiri Slaby wrote:
> On 05/07/2013 09:29 PM, Richard Cochran wrote:
> > On Tue, May 07, 2013 at 04:18:23PM +0200, Jiri Slaby wrote:
> >> From: Jeff Mahoney <jeffm@suse.com>
> >>
> >> The PCH EG20T is only compatible with Intel Atom processors so it
> >> should depend on x86.
> > 
> > This patch has been submitted before,
> > 
> >    https://patchwork.kernel.org/patch/2069071/
> > 
> > and at that time the reaction was that it is good to have drivers
> > cross-compiled, if only for code quality reasons.
> 
> Hmm, then it depends whether the kernel is for users or for developers.
> I, as a user, do not really want to compile drivers with allmodconfig
> which I have no way to load/use.
> 
> And allmodconfig is basically what we, users (SUSE distributors in this
> case) do. So having this driver being built makes our life harder (in
> the meaning we have to have specific rules about disabling unwanted
> drivers from configs).

Wearing my Debian hat, I agree with this.  Perhaps we could define a
CONFIG_BUILD_TEST symbol for people who want to do that, and then
make drivers for hardware that's only found in x86 systems (for
example) depend on X86 || BUILD_TEST.

Ben.

> And, developers should have a testbed where they build 32bit configs.
> And we actually have that for -next AFAIU.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking.
                                                              - Albert Camus


* RE: [PATCH 15/15] ptp: PTP_1588_CLOCK_PCH depends on x86
From: Keller, Jacob E @ 2013-05-20 22:31 UTC (permalink / raw)
  To: Ben Hutchings, Jiri Slaby
  Cc: Richard Cochran, Jiri Slaby, linux-kernel@vger.kernel.org,
	Jeff Mahoney, netdev@vger.kernel.org

> -----Original Message-----
> From: netdev-owner@vger.kernel.org [mailto:netdev-
> owner@vger.kernel.org] On Behalf Of Ben Hutchings
> Sent: Tuesday, May 14, 2013 11:13 AM
> To: Jiri Slaby
> Cc: Richard Cochran; Jiri Slaby; linux-kernel@vger.kernel.org; Jeff
> Mahoney; netdev@vger.kernel.org
> Subject: Re: [PATCH 15/15] ptp: PTP_1588_CLOCK_PCH depends on x86
> 
> On Tue, May 14, 2013 at 04:20:09PM +0200, Jiri Slaby wrote:
> > On 05/07/2013 09:29 PM, Richard Cochran wrote:
> > > On Tue, May 07, 2013 at 04:18:23PM +0200, Jiri Slaby wrote:
> > >> From: Jeff Mahoney <jeffm@suse.com>
> > >>
> > >> The PCH EG20T is only compatible with Intel Atom processors so it
> > >> should depend on x86.
> > >
> > > This patch has been submitted before,
> > >
> > >    https://patchwork.kernel.org/patch/2069071/
> > >
> > > and at that time the reaction was that it is good to have drivers
> > > cross-compiled, if only for code quality reasons.
> >
> > Hmm, then it depends whether the kernel is for users or for
> developers.
> > I, as a user, do not really want to compile drivers with allmodconfig
> > which I have no way to load/use.
> >
> > And allmodconfig is basically what we, users (SUSE distributors in this
> > case) do. So having this driver being built makes our life harder (in
> > the meaning we have to have specific rules about disabling unwanted
> > drivers from configs).
> 
> Wearing my Debian hat, I agree with this.  Perhaps we could define a
> CONFIG_BUILD_TEST symbol for people who want to do that, and then
> make drivers for hardware that's only found in x86 systems (for
> example) depend on X86 || BUILD_TEST.
> 
> Ben.
> 

I agree with this.

- Jake Keller

> > And, developers should have a testbed where they build 32bit configs.
> > And we actually have that for -next AFAIU.
> > --
> Ben Hutchings
> We get into the habit of living before acquiring the habit of thinking.
>                                                               - Albert Camus
