* netfilter 00/09: netfilter fixes/trivial patches
@ 2009-01-12 10:05 Patrick McHardy
From: Patrick McHardy @ 2009-01-12 10:05 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel
Hi Dave,
the following patches contain fixes for a number of netfilter bugs:
- Herbert's patches to fix VLAN/PPPoE handling in bridge netfilter
- a fix for an iptables regression in 2.6.28, breaking revision queries
for match and target revisions
- a fix for an ebtables regression in 2.6.28, which inverted the
meaning of match result codes
- a fix for a problem with the ICMP/ICMPv6 conntrack timeout sysctls
on big-endian
Additionally it includes four trivial patches that don't seem worth
queueing for the next merge window:
- removal of the "happy cracking" and similar messages
- simplification of nf_conntrack_alloc() error handling
- addition of an informational message to the xt_time match
- reordering of struct xt_match to make it fit into a 128 byte cacheline
Feel free to ignore the last four patches in case you'd prefer to receive
them in the next merge window. The full patchset is also available in a
git tree at:
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.git
Please apply or pull, thanks.
include/linux/netfilter/x_tables.h | 2 +-
net/bridge/br_netfilter.c | 18 ++++++++++++------
net/bridge/netfilter/ebtables.c | 2 +-
net/ipv4/netfilter/iptable_filter.c | 7 +------
net/ipv4/netfilter/iptable_mangle.c | 6 +-----
net/ipv4/netfilter/iptable_raw.c | 6 +-----
net/ipv4/netfilter/iptable_security.c | 6 +-----
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 5 +----
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 2 +-
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 2 +-
net/netfilter/nf_conntrack_core.c | 4 ++--
net/netfilter/nf_conntrack_netlink.c | 2 +-
net/netfilter/x_tables.c | 8 ++++++++
net/netfilter/xt_time.c | 11 +++++++++++
14 files changed, 43 insertions(+), 38 deletions(-)
Herbert Xu (2):
netfilter: bridge: Fix handling of non-IP packets in FORWARD/POST_ROUTING
netfilter: bridge: Disable PPPOE/VLAN processing by default
Jan Engelhardt (2):
netfilter: ebtables: fix inversion in match code
netfilter: xt_time: print timezone for user information
Julia Lawall (1):
netfilter: simplify nf_conntrack_alloc() error handling
Patrick McHardy (3):
netfilter: remove "happy cracking" message
netfilter: x_tables: fix match/target revision lookup
netfilter: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian
Richard Kennedy (1):
netfilter: remove padding from struct xt_match on 64bit builds
* netfilter 01/09: remove "happy cracking" message
From: Patrick McHardy @ 2009-01-12 10:06 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel
commit ea1926cabd0076846119a7e10f29070907fc296c
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Jan 12 06:01:48 2009 +0100
netfilter: remove "happy cracking" message
Don't spam logs for locally generated short packets. These can only
be generated by root.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index c922431..52cb693 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -93,13 +93,8 @@ ipt_local_out_hook(unsigned int hook,
{
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk("iptable_filter: ignoring short SOCK_RAW "
- "packet.\n");
+ ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- }
-
return ipt_do_table(skb, hook, in, out,
dev_net(out)->ipv4.iptable_filter);
}
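Review bot: with the printk gone, the one-line comment "root is playing with raw sockets" is the only remaining explanation of why a truncated packet skips the filter table, and the silent NF_ACCEPT will read like an unintended bypass to a future reader; suggest expanding the comment to state that such packets can only originate from a local SOCK_RAW sender and are deliberately accepted without traversing the table, as the commit message explains.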
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 69f2c42..3929d20 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -132,12 +132,8 @@ ipt_local_hook(unsigned int hook,
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr)
- || ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk("iptable_mangle: ignoring short SOCK_RAW "
- "packet.\n");
+ || ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- }
/* Save things which could affect route */
mark = skb->mark;
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 8faebfe..7f65d18 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -65,12 +65,8 @@ ipt_local_hook(unsigned int hook,
{
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk("iptable_raw: ignoring short SOCK_RAW "
- "packet.\n");
+ ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- }
return ipt_do_table(skb, hook, in, out,
dev_net(out)->ipv4.iptable_raw);
}
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index 36f3be3..a52a35f 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -96,12 +96,8 @@ ipt_local_out_hook(unsigned int hook,
{
/* Somebody is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr)
- || ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk(KERN_INFO "iptable_security: ignoring short "
- "SOCK_RAW packet.\n");
+ || ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- }
return ipt_do_table(skb, hook, in, out,
dev_net(out)->ipv4.iptable_security);
}
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index b2141e1..4beb04f 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -145,11 +145,8 @@ static unsigned int ipv4_conntrack_local(unsigned int hooknum,
{
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) ||
- ip_hdrlen(skb) < sizeof(struct iphdr)) {
- if (net_ratelimit())
- printk("ipt_hook: happy cracking.\n");
+ ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT;
- }
return nf_conntrack_in(dev_net(out), PF_INET, hooknum, skb);
}
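Review bot: the same test (skb->len < sizeof(struct iphdr) || ip_hdrlen(skb) < sizeof(struct iphdr)) followed by return NF_ACCEPT is now open-coded in five places across this patch, the four iptable_* local hooks and this conntrack hook; suggest a shared static inline helper so that any later change to the check, or to what is done with such packets, lands in one spot instead of drifting between tables. Also, the iptable_security hunk keeps the comment "Somebody is playing with raw sockets" while the other four say "root", which is the point the commit message relies on; worth aligning the wording.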
* netfilter 02/09: bridge: Fix handling of non-IP packets in FORWARD/POST_ROUTING
From: Patrick McHardy @ 2009-01-12 10:06 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel
commit 9fa76a65a6b84254d31a8f8f5274c130737b4233
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Mon Jan 12 06:25:50 2009 +0100
netfilter: bridge: Fix handling of non-IP packets in FORWARD/POST_ROUTING
Currently the bridge FORWARD/POST_ROUTING chains treat all
non-IPv4 packets as IPv6. This patch fixes that by returning
NF_ACCEPT on non-IP packets instead, just as is done in PRE_ROUTING.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index a65e43a..9a1cd75 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -686,8 +686,11 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
IS_PPPOE_IP(skb))
pf = PF_INET;
- else
+ else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
+ IS_PPPOE_IPV6(skb))
pf = PF_INET6;
+ else
+ return NF_ACCEPT;
nf_bridge_pull_encap_header(skb);
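Review bot: the three-way classification (IPv4, IPv6, everything else) is now written out here and again in br_nf_post_routing, and the commit message says PRE_ROUTING already performs the same test; suggest a small helper that returns the family or a "not IP" value so the three hooks cannot disagree on what counts as IPv6, for instance one of them omitting IS_PPPOE_IPV6. The early return NF_ACCEPT is the right default: an unclassified frame should not be pushed through the IPv6 hooks as it was before.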
@@ -828,8 +831,11 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) ||
IS_PPPOE_IP(skb))
pf = PF_INET;
- else
+ else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) ||
+ IS_PPPOE_IPV6(skb))
pf = PF_INET6;
+ else
+ return NF_ACCEPT;
#ifdef CONFIG_NETFILTER_DEBUG
if (skb->dst == NULL) {
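Review bot: the new early return sits ahead of the CONFIG_NETFILTER_DEBUG block that checks skb->dst == NULL, so that diagnostic no longer covers non-IP frames; that is consistent with such frames no longer taking the IP path, but the commit message should say so, since someone debugging a missing dst on bridged non-IP traffic will otherwise wonder why the check went quiet.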
* netfilter 03/09: bridge: Disable PPPOE/VLAN processing by default
From: Patrick McHardy @ 2009-01-12 10:06 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel
commit 12eda8e57aaca177ed94db3d9883873cd4522c99
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Mon Jan 12 06:28:48 2009 +0100
netfilter: bridge: Disable PPPOE/VLAN processing by default
The PPPOE/VLAN processing code in the bridge netfilter is broken
by design. The VLAN tag and the PPPOE session ID are an integral
part of the packet flow information, yet they're completely
ignored by the bridge netfilter. This is potentially a security
hole as it treats all VLANs and PPPOE sessions as the same.
What's more, it's actually broken for PPPOE as the bridge netfilter
tries to trim the packets to the IP length without adjusting the
PPPOE header (and adjusting the PPPOE header isn't much better
since the PPPOE peer may require the padding to be present).
Therefore we should disable this by default.
It does mean that people relying on this feature may lose networking
depending on how their bridge netfilter rules are configured.
However, IMHO the problems this code causes are serious enough to
warrant this.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 9a1cd75..cf754ac 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -58,11 +58,11 @@ static struct ctl_table_header *brnf_sysctl_header;
static int brnf_call_iptables __read_mostly = 1;
static int brnf_call_ip6tables __read_mostly = 1;
static int brnf_call_arptables __read_mostly = 1;
-static int brnf_filter_vlan_tagged __read_mostly = 1;
-static int brnf_filter_pppoe_tagged __read_mostly = 1;
+static int brnf_filter_vlan_tagged __read_mostly = 0;
+static int brnf_filter_pppoe_tagged __read_mostly = 0;
#else
-#define brnf_filter_vlan_tagged 1
-#define brnf_filter_pppoe_tagged 1
+#define brnf_filter_vlan_tagged 0
+#define brnf_filter_pppoe_tagged 0
#endif
static inline __be16 vlan_proto(const struct sk_buff *skb)
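Review bot: flipping the defaults in both the sysctl variables and the fallback #defines keeps the two build configurations in step, but the diff carries no documentation change and no log line, so an administrator whose bridge rules matched VLAN-tagged or PPPoE traffic gets silently different behaviour after an upgrade. Suggest naming the sysctls that restore the old mode in the commit message, and a short Documentation/ note stating that the old mode ignored the VLAN tag and PPPoE session ID when matching flows, which is exactly the security concern the message describes and the reason an operator should think twice before re-enabling it.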
* netfilter 04/09: x_tables: fix match/target revision lookup
From: Patrick McHardy @ 2009-01-12 10:06 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel
commit 8005c00a9f53d2a3da11fa1083ae00d06f22f500
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Jan 12 08:47:25 2009 +0100
netfilter: x_tables: fix match/target revision lookup
Commit 55b69e91 (netfilter: implement NFPROTO_UNSPEC as a wildcard
for extensions) broke revision probing for matches and targets that
are registered with NFPROTO_UNSPEC.
Fix by continuing the search on the NFPROTO_UNSPEC list if nothing
is found on the af-specific lists.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 89837a4..bfbf521 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -273,6 +273,10 @@ static int match_revfn(u8 af, const char *name, u8 revision, int *bestp)
have_rev = 1;
}
}
+
+ if (af != NFPROTO_UNSPEC && !have_rev)
+ return match_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+
return have_rev;
}
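Review bot: the recursion is bounded because the recursive call passes NFPROTO_UNSPEC, which fails the af != NFPROTO_UNSPEC guard on the second entry, and *bestp is carried into that call so a higher revision already seen on the af-specific list is not lost; both facts deserve a one-line comment above the new if, since a reader seeing a function call itself will otherwise stop to check for a loop. The fallback runs whenever have_rev stayed 0, which matches the commit message's intent of treating NFPROTO_UNSPEC as a wildcard.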
@@ -289,6 +293,10 @@ static int target_revfn(u8 af, const char *name, u8 revision, int *bestp)
have_rev = 1;
}
}
+
+ if (af != NFPROTO_UNSPEC && !have_rev)
+ return target_revfn(NFPROTO_UNSPEC, name, revision, bestp);
+
return have_rev;
}
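Review bot: this is the same four-line fallback as in match_revfn with target substituted; a shared helper taking the list head would avoid fixing the same thing twice next time, though the duplication is acceptable as-is for a regression fix headed to stable.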
* netfilter 05/09: ebtables: fix inversion in match code
From: Patrick McHardy @ 2009-01-12 10:06 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel
commit c6b52c688ecf03adb82724299b97701528821ca5
Author: Jan Engelhardt <jengelh@medozas.de>
Date: Mon Jan 12 08:52:08 2009 +0100
netfilter: ebtables: fix inversion in match code
Commit 8cc784ee (netfilter: change return types of match functions
for ebtables extensions) broke ebtables matches by inverting the
sense of match/nomatch.
Reported-by: Matt Cross <matthltc@us.ibm.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 8a8743d..820252a 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -79,7 +79,7 @@ static inline int ebt_do_match (struct ebt_entry_match *m,
{
par->match = m->u.match;
par->matchinfo = m->data;
- return m->u.match->match(skb, par);
+ return m->u.match->match(skb, par) ? EBT_MATCH : EBT_NOMATCH;
}
static inline int ebt_dev_check(char *entry, const struct net_device *device)
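Review bot: the fix maps the match callback's bool onto EBT_MATCH / EBT_NOMATCH, and since the int return type gives no hint that these constants carry the opposite truth value from true/false, suggest a comment on the return line stating that match() returns true on a match while ebtables callers expect EBT_MATCH for that case, so the next return-type conversion does not reintroduce the inversion this patch corrects.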
* netfilter 06/09: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian
From: Patrick McHardy @ 2009-01-12 10:06 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel
commit 8bc192edb227774abd2146b2c9cd21efb03533df
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Jan 12 09:44:00 2009 +0100
netfilter: nf_conntrack: fix ICMP/ICMPv6 timeout sysctls on big-endian
An old bug crept back into the ICMP/ICMPv6 conntrack protocols: the timeout
values are defined as unsigned longs, the sysctl's maxsize is set to
sizeof(unsigned int). Use unsigned int for the timeout values as in the
other conntrack protocols.
Reported-by: Jean-Mickael Guerin <jean-mickael.guerin@6wind.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 1fd3ef7..2a8bee2 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -20,7 +20,7 @@
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_log.h>
-static unsigned long nf_ct_icmp_timeout __read_mostly = 30*HZ;
+static unsigned int nf_ct_icmp_timeout __read_mostly = 30*HZ;
static bool icmp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
struct nf_conntrack_tuple *tuple)
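Review bot: the type change fixes the mismatch the commit message describes, but the ctl_table entry whose .maxlen is sizeof(unsigned int) is not touched, so the two can drift apart again; suggest .maxlen = sizeof(nf_ct_icmp_timeout) in that table (and likewise for the ICMPv6 entry in the next hunk) so the width follows the variable. On big-endian a 4-byte write into the first half of an 8-byte unsigned long lands in the high-order half, which is why the sysctl appeared to have no effect there.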
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index bd52151..c455cf4 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -26,7 +26,7 @@
#include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
#include <net/netfilter/nf_log.h>
-static unsigned long nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
+static unsigned int nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
unsigned int dataoff,
* netfilter 07/09: simplify nf_conntrack_alloc() error handling
From: Patrick McHardy @ 2009-01-12 10:06 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel
commit 74259cac7b03c2db8d046aa70aa53f4633290fd9
Author: Julia Lawall <julia@diku.dk>
Date: Mon Jan 12 10:50:52 2009 +0100
netfilter: simplify nf_conntrack_alloc() error handling
nf_conntrack_alloc cannot return NULL, so there is no need to check for
NULL before using the value. I have also removed the initialization of ct
to NULL in nf_conntrack_alloc, since the value is never used, and since
perhaps it might lead one to think that return ct at the end might return
NULL.
The semantic patch that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@match exists@
expression x, E;
position p1,p2;
statement S1, S2;
@@
x@p1 = nf_conntrack_alloc(...)
... when != x = E
(
if (x@p2 == NULL || ...) S1 else S2
|
if (x@p2 == NULL && ...) S1 else S2
)
@other_match exists@
expression match.x, E1, E2;
position p1!=match.p1,match.p2;
@@
x@p1 = E1
... when != x = E2
x@p2
@ script:python depends on !other_match@
p1 << match.p1;
p2 << match.p2;
@@
print "%s: call to nf_conntrack_alloc %s bad test %s" % (p1[0].file,p1[0].line,p2[0].line)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 7e83f74..90ce9dd 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -469,7 +469,7 @@ struct nf_conn *nf_conntrack_alloc(struct net *net,
const struct nf_conntrack_tuple *repl,
gfp_t gfp)
{
- struct nf_conn *ct = NULL;
+ struct nf_conn *ct;
if (unlikely(!nf_conntrack_hash_rnd_initted)) {
get_random_bytes(&nf_conntrack_hash_rnd, 4);
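Review bot: dropping the = NULL means ct is now assigned only on the paths that allocate it, which is fine provided every early exit in nf_conntrack_alloc returns ERR_PTR(...) directly rather than ct; the compiler's maybe-uninitialized warning will catch a slip, so no objection, but a short comment above the function stating that it never returns NULL would document the contract the callers changed in the following hunks now depend on.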
@@ -551,7 +551,7 @@ init_conntrack(struct net *net,
}
ct = nf_conntrack_alloc(net, tuple, &repl_tuple, GFP_ATOMIC);
- if (ct == NULL || IS_ERR(ct)) {
+ if (IS_ERR(ct)) {
pr_debug("Can't allocate conntrack.\n");
return (struct nf_conntrack_tuple_hash *)ct;
}
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 00e8c27..3dddec6 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1134,7 +1134,7 @@ ctnetlink_create_conntrack(struct nlattr *cda[],
struct nf_conntrack_helper *helper;
ct = nf_conntrack_alloc(&init_net, otuple, rtuple, GFP_ATOMIC);
- if (ct == NULL || IS_ERR(ct))
+ if (IS_ERR(ct))
return -ENOMEM;
if (!cda[CTA_TIMEOUT])
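Review bot: return -ENOMEM discards the error code carried in ct; return PTR_ERR(ct); would forward whatever nf_conntrack_alloc actually reported and stays correct if it ever returns something other than ENOMEM. Minor, and the IS_ERR check directly above makes it a trivial change.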
* netfilter 08/09: xt_time: print timezone for user information
From: Patrick McHardy @ 2009-01-12 10:06 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel
commit 0fd565aa7fdb2dc88c65b16a4e2260d4abd5b027
Author: Jan Engelhardt <jengelh@medozas.de>
Date: Mon Jan 12 10:51:56 2009 +0100
netfilter: xt_time: print timezone for user information
Let users have a way to figure out if their distro set the kernel
timezone at all.
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 29375ba..93acaa5 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -243,6 +243,17 @@ static struct xt_match xt_time_mt_reg __read_mostly = {
static int __init time_mt_init(void)
{
+ int minutes = sys_tz.tz_minuteswest;
+
+ if (minutes < 0) /* east of Greenwich */
+ printk(KERN_INFO KBUILD_MODNAME
+ ": kernel timezone is +%02d%02d\n",
+ -minutes / 60, -minutes % 60);
+ else /* west of Greenwich */
+ printk(KERN_INFO KBUILD_MODNAME
+ ": kernel timezone is -%02d%02d\n",
+ minutes / 60, minutes % 60);
+
return xt_register_match(&xt_time_mt_reg);
}
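Review bot: with tz_minuteswest == 0, which is the "distro never set the timezone" case this message exists to expose, the else branch prints "-0000"; consider special-casing zero (or testing minutes <= 0) so an unset zone prints "+0000" and is not mistaken for a deliberately configured western offset. The message also reflects sys_tz at module load only, so a distribution that sets the zone after netfilter modules are loaded will still log the stale value; worth saying "at module load" in the text or the commit message. The sign handling itself is right: tz_minuteswest is negative east of Greenwich, hence the -minutes in the "+" branch.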
* netfilter 09/09: remove padding from struct xt_match on 64bit builds
From: Patrick McHardy @ 2009-01-12 10:06 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy, netfilter-devel
commit 269e837197ecee6b37ed3d83b1ddc582f6a53947
Author: Richard Kennedy <richard@rsk.demon.co.uk>
Date: Mon Jan 12 10:52:48 2009 +0100
netfilter: remove padding from struct xt_match on 64bit builds
Reorder struct xt_match to remove 8 bytes of padding and make its size
128 bytes.
This saves a small amount of data space in each of the xt netfilter
modules and fits xt_match in one 128 byte cache line.
Signed-off-by: Richard Kennedy <richard@rsk.demon.co.uk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index e52ce47..c7ee874 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -270,6 +270,7 @@ struct xt_match
struct list_head list;
const char name[XT_FUNCTION_MAXNAMELEN-1];
+ u_int8_t revision;
/* Return true or false: return FALSE and set *hotdrop = 1 to
force immediate packet drop. */
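Review bot: revision now sits directly after the name array, which is what recovers the padding, but nothing in the source says so; suggest a comment on the new line noting that the field is deliberately placed next to name to fill the bytes before the first pointer-aligned member, so a later tidy-up does not move it back to the end. The subject line says 64bit; since the commit message says every xt module embeds this struct, it should also state whether the 32-bit size changes.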
@@ -302,7 +303,6 @@ struct xt_match
unsigned short proto;
unsigned short family;
- u_int8_t revision;
};
/* Registration hooks for targets. */
* Re: netfilter 00/09: netfilter fixes/trivial patches
From: David Miller @ 2009-01-13 0:39 UTC (permalink / raw)
To: kaber; +Cc: netdev, netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Mon, 12 Jan 2009 11:05:59 +0100 (MET)
> the following patches contain fixes for a number of netfilter bugs:
>
> - Herbert's patches to fix VLAN/PPPoE handling in bridge netfilter
>
> - a fix for an iptables regression in 2.6.28, breaking revision queries
> for match and target revisions
>
> - a fix for an ebtables regression in 2.6.28, which inverted the
> meaning of match result codes
>
> - a fix for a problem with the ICMP/ICMPv6 conntrack timeout sysctls
> on big-endian
>
> Additionally it includes four trivial patches that don't seem worth
> queueing for the next merge window:
>
> - removal of the "happy cracking" and similar messages
>
> - simplification of nf_conntrack_alloc() error handling
>
> - addition of an informational message to the xt_time match
>
> - reordering of struct xt_match to make it fit into a 128 byte cacheline
All applied, thanks Patrick.
Your GIT tree looked perfectly fine, and the only reason I didn't
pull was that I wanted to practice using bundles with patchwork.
Next time I'll pull direct from your tree :-)