Debian Patches

Status for iptables-netflow/2.6-7.1

Patch: 1010-compat-Linux-6.11-support.patch
Description: [PATCH] compat: Linux 6.11 support
  There are several changes in linux kernel 6.11+ which are
  incompatible with the module. Improve compatibility.
Author: Vadim Fedorenko <vvfedorenko@github.com>
Forwarded: no
Origin: other, https://github.com/aabc/ipt-netflow/pull/230/commits/22b13ea090f6c5897d8331f41a6c491534fa4873
Last update: 2024-12-06

Patch: 1011-Restore-ctl_table-backwards-compatibility.patch
Description: [PATCH] Restore ctl_table backwards compatibility
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
Last update: 2025-03-06

Patch: 1012-Fix-module-build-for-Linux-v6.12.patch
Description: [PATCH] Fix module build for Linux v6.12
  adapt to "move asm/unaligned.h to linux/unaligned.h"
  (5f60d5f6bbc12e782fac78110b0ee62698f3b576) in v6.12-rc2
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
Last update: 2025-03-07

Patch: 0017-Build-compatibility-with-v6.4-register_sysctl_paths.patch
Description: [PATCH 17/17] Build compatibility with v6.4 (register_sysctl_paths)
  'register_sysctl_paths' is missing from v6.4 due to 0199849acd07
  ("sysctl: remove register_sysctl_paths()").
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2023-06-26

Patch: 1001-compat-Really-fix-__has_attribute-usage.patch
Description: [PATCH] compat: Really fix __has_attribute usage
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
Last update: 2024-07-20

Patch: 1002-fix-detect-modularized-CONFIG_BRIDGE_NETFILTER.patch
Description: [PATCH] fix: detect modularized CONFIG_BRIDGE_NETFILTER
Author: gnought <1684105+gnought@users.noreply.github.com>
Forwarded: no
Origin: other, https://github.com/aabc/ipt-netflow/pull/216
Last update: 2023-04-29

Patch: 1003-fix-backward-compatible-building-with-kernel-5.3.patch
Description: [PATCH] fix: backward compatible building with kernel <5.3
Author: gnought <1684105+gnought@users.noreply.github.com>
Forwarded: no
Origin: other, https://github.com/aabc/ipt-netflow/pull/217
Last update: 2023-05-01

Patch: 1004-Fix-dkms-status-invocation.patch
Description: [PATCH] Fix dkms status invocation
  and do not query unrelated modules
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
Last update: 2024-07-03

Patch: 1005-Do-not-check-for-dkms-if-called-from-dkms.patch
Description: [PATCH] Do not check for dkms if called from dkms
  the recursive calls slowed down the configure script significantly
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
Last update: 2024-07-03

Patch: 1006-Set-KDIR-early-if-called-from-dkms-and-get-version-f.patch
Description: [PATCH] Set KDIR early if called from dkms and get version from sources
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
Last update: 2024-07-03

Patch: 1007-dkms.conf-Declare-BUILD_EXCLUSIVE_KERNEL_MIN-3.patch
Description: [PATCH] dkms.conf: Declare BUILD_EXCLUSIVE_KERNEL_MIN="3"
  skb_reset_mac_len() was introduced in v3.0-rc3
  and is used unconditionally
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
Last update: 2025-03-01

Patch: 1008-Fix-module-build-for-Linux-v4.3.patch
Description: [PATCH] Fix module build for Linux v4.3
  netif_is_bridge_port() was introduced in v4.4-rc2 by
  "vlan: Do not put vlan headers back on bridge and macvlan ports"
  (28f9ee22bcdd84726dbf6267d0b58f254166b900)
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
Last update: 2024-07-18

Patch: 1009-Unexporting-find_module-has-been-backported-to-Linux.patch
Description: [PATCH] Unexporting find_module() has been backported to Linux v5.10.220
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
Last update: 2024-07-20

Patch: 0001-Fix-compile-for-stable-kernels-by-not-using-ref_modu.patch
Description: [PATCH 01/17] Fix compile for stable kernels by not using 'ref_module'

  `ref_module' unexport in 7ef5264de7732 ("modules: mark ref_module
  static") is back-ported into stable kernels making old `#if
  LINUX_VERSION_CODE' checks irrelevant or too complicated to update.

  Do not use `ref_module' API at all since `try_module_get' is ancient
  enough to use always.
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2021-06-22

Patch: 0002-Namespace-sk_error_report.patch
Description: [PATCH 02/17] Namespace sk_error_report
  sk_error_report is introduced in v5.14-rc1: e3ae2365efc14 ("net: sock:
  introduce sk_error_report").
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2021-07-14

Patch: 0003-Fix-compilation-on-CentOS-8.patch
Description: [PATCH 03/17] Fix compilation on CentOS 8
  Tested on kernel-4.18.0-305.7.1.el8_4.x86_64 using this
  Dockerfile:

    FROM centos:8
    RUN yum install -y gcc make which kernel kernel-devel iptables-devel
    WORKDIR /src
    COPY . .
    RUN ./configure --kver=$(cd /lib/modules; ls)
    RUN make
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2021-07-14

Patch: 0004-Better-detection-of-CONFIG_BRIDGE_NETFILTER.patch
Description: [PATCH 04/17] Better detection of CONFIG_BRIDGE_NETFILTER
  `CONFIG_BRIDGE_NETFILTER' is a tristate, thus just `#ifdef' cannot be used.
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2021-10-22

Patch: 0005-Avoid-using-incomplete-compat_def.h.patch
Description: [PATCH 05/17] Avoid using incomplete compat_def.h
  Or else this may cause too many irrelevant errors.
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2021-11-25

Patch: 0006-Use-explicit-fallthrough-macro.patch
Description: [PATCH 06/17] Use explicit fallthrough macro
  Since `-Wimplicit-fallthrough=5` is enabled in Linux Makefile.
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2021-11-25

Patch: 0007-Fix-build-on-v5.15-ct_event.patch
Description: [PATCH 07/17] Fix build on v5.15 (ct_event)

    CC [M] ipt_NETFLOW.o
    ipt_NETFLOW.c: In function ‘netflow_conntrack_event’:
    ipt_NETFLOW.c:4622:31: error: ‘struct nf_ct_event_notifier’ has no member named ‘fcn’
    4622 | ret = notifier->fcn(events, item);
    | ^~
    ipt_NETFLOW.c: At top level:
    ipt_NETFLOW.c:4687:10: error: ‘struct nf_ct_event_notifier’ has no member named ‘fcn’
    4687 | .fcn = netflow_conntrack_event
    | ^~~
    ipt_NETFLOW.c:4687:16: error: initialization of ‘int (*)(unsigned int, const struct nf_ct_event *)’ from incompatible pointer type ‘int (*)(const unsigned int, struct nf_ct_event *)’ [-Werror=incompatible-pointer-types]
    4687 | .fcn = netflow_conntrack_event
    | ^~~~~~~~~~~~~~~~~~~~~~~
    ipt_NETFLOW.c:4687:16: note: (near initialization for ‘ctnl_notifier.ct_event’)
    ipt_NETFLOW.c: In function ‘unset_notifier_cb’:
    ipt_NETFLOW.c:5455:25: error: too many arguments to function ‘nf_conntrack_unregister_notifier’
    5455 | nf_conntrack_unregister_notifier(NET_ARG &ctnl_notifier);
    | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    In file included from ./include/net/netfilter/nf_conntrack_core.h:18,
    from ipt_NETFLOW.c:68:
    ./include/net/netfilter/nf_conntrack_ecache.h:88:6: note: declared here
    88 | void nf_conntrack_unregister_notifier(struct net *net);
    | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2021-11-25

Patch: 0016-Fix-ipv4-options-parsing-and-bit-numbering.patch
Description: [PATCH 16/17] Fix ipv4 options parsing and bit numbering
  RFC 5102 and its Errata[1] several times messed with the bit numbering.

  "Options are mapped to bits according to their option numbers.
  Option number X is mapped to bit X."

  But actually it's in inverted order.

  "A misunderstand arose as to whether bits were assigned in host order
  or network order - so clarify that the bits are assigned from the
  least significant to the most significant, ie right-to-left rather
  than left-to-right."

  That's about bit numbering in the diagram. So the final correct options mask is (from
  Errata 2944):

       0      1      2      3      4      5      6      7
    +------+------+------+------+------+------+------+------+
    |      | EXP  |   to be assigned by IANA  |  QS  | UMP  | ...
    +------+------+------+------+------+------+------+------+

       8      9     10     11     12     13     14     15
    +------+------+------+------+------+------+------+------+
    | DPS  |NSAPA | SDB  |RTRALT|ADDEXT|  TR  | EIP  |IMITD | ...
    +------+------+------+------+------+------+------+------+

      16     17     18     19     20     21     22     23
    +------+------+------+------+------+------+------+------+
    |ENCODE| VISA | FINN | MTUR | MTUP | ZSU  | SSR  | SID  | ...
    +------+------+------+------+------+------+------+------+

      24     25     26     27     28     29     30     31
    +------+------+------+------+------+------+------+------+
    |  RR  |CIPSO |E-SEC |  TS  | LSR  | SEC  | NOP  | EOOL |
    +------+------+------+------+------+------+------+------+
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2023-01-18

Patch: 0008-gen_compat_def-Catch-dereferencing-pointer-to-incomp.patch
Description: [PATCH 08/17] gen_compat_def: Catch 'dereferencing pointer to incomplete type'

  If `CONFIG_NF_CONNTRACK_EVENTS` is undeclared, the following test produces a build error:

    Test member nf_ct_event_notifier.ct_event net/netfilter/nf_conntrack_ecache.h undeclared
    Error: unexpected error from compiler
    make -s -B M=cc-test-build modules
    cc-test-build/test.c:4:41: error: dereferencing pointer to incomplete type 'struct nf_ct_event_notifier'
    typeof(((struct nf_ct_event_notifier*)0)->ct_event) test;
    ^~
    scripts/Makefile.build:288: recipe for target 'cc-test-build/test.o' failed

  Treat this error as just a negative test case.
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2022-04-20

Patch: 0009-Fix-preemptive-enabled-warning.patch
Description: [PATCH 09/17] Fix preemptive enabled warning
  Issue 193, we can use unstable reading because we actually don't
  care much about the actual CPU that executed the worker
Author: Vadim Fedorenko <vfedorenko@novek.ru>
Forwarded: no
Last update: 2022-03-28

Patch: 0010-fix-building-on-old-kernels.patch
Description: [PATCH 10/17] fix building on old kernels
Author: Vadim Fedorenko <vfedorenko@novek.ru>
Forwarded: no
Last update: 2022-03-28

Patch: 0011-nat_events-add-expect-callback.patch
Description: [PATCH 11/17] nat_events: add expect callback
  Starting with 5.15, the kernel uses the same notifier structure for
  actual nat events and additional expect events for nat helpers.
  Expect event callback is assumed to exist and the only thing that
  could disable such events is netlink configuration from user space.
  That's why this module has to provide such a callback, otherwise a
  kernel panic is expected to happen if any nat helper is enabled
  (most common is pptp gre helper).
Author: Vadim Fedorenko <vfedorenko@novek.ru>
Forwarded: no
Last update: 2022-03-28

Patch: 0012-compat-Fix-__has_attribute-usage.patch
Description: [PATCH 12/17] compat: Fix __has_attribute usage
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2022-05-10

Patch: 0013-tcp-options-fix-possible-shift-out-of-bounds.patch
Description: [PATCH 13/17] tcp options: fix possible shift-out-of-bounds
  Calculation of tcp option bit is done before actual check and could lead
  to shift-out-of-bounds error tracked by UBSAN. Fix it by checking for
  zero value before the calculation.
  While here also fix bit calculation because it should be 31-based
  instead of 32-based.
Author: Vadim Fedorenko <vvfedorenko@github.com>
Forwarded: no
Last update: 2022-11-13

Patch: 0014-TCP-Option-0-should-participate-in-bitmask-too.patch
Description: [PATCH 14/17] TCP Option 0 should participate in bitmask too
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2023-01-18

Patch: 0015-Fix-possible-out-of-bounds-read-in-tcp_options-fix.patch
Description: [PATCH 15/17] Fix possible out-of-bounds read in tcp_options fix
  Out-of-bounds read could occur in `p[i] < 2` before boundary of `i` is
  checked.

  Basically it's returning to the previous code except for a fix and early
  zeroing of `ret`.
Author: ABC <abc@openwall.com>
Forwarded: no
Last update: 2023-01-18

Patch: 2001-physindev-has-been-replaced-by-physinif-in-Linux-v6..patch
Description: [PATCH] physindev has been replaced by physinif in Linux v6.8
  disable ENABLE_PHYSDEV/ENABLE_PHYSDEV_OVER after
  "netfilter: bridge: replace physindev with physinif in nf_bridge_info"
  v6.8-rc1 (9874808878d9eed407e3977fd11fee49de1e1d86)
  v6.7.2 (544add1f1cfb78c3dfa3e6edcf4668f6be5e730c)
  v6.6.14 (9325e3188a9cf3f69fc6f32af59844bbc5b90547)
  v6.1.75 (7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b)
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
Last update: 2025-02-28

Patch: ignore-unknown-configure-options.patch
Description: Warn about unknown configure options instead of bailing out
  Avoids "Invalid option: --build=x86_64-linux-gnu" build error.

  Additionally make it understand some configure options passed by
  debhelper by default, namely --prefix, --libdir and --includedir.
Author: Axel Beckert <abe@debian.org>
Forwarded: no
Origin: upstream

Patch: properly-pass-CPPFLAGS-and-LDFLAGS.patch
Description: Properly pass $CPPFLAGS and $LDFLAGS
Author: Axel Beckert <abe@debian.org>
Forwarded: no

Patch: disable-kernel-check.patch
Description: Disable kernel check in configure script if no dkms is used
  This means it's skipped during package build but not during install
  time when a build of the kernel module is being triggered via dkms.
Author: Axel Beckert <abe@debian.org>
Forwarded: not-needed

Patch: dont-hardcode-current-gcc.patch
Description: Don't hardcode default gcc version (i.e. don't override $CC if set)
  Avoids compilation failures with older kernels which can't be
  compiled with the current gcc, e.g. 5.7 needs gcc-9 instead of the
  current gcc-10 (where the gcc symlink points to).
Author: Axel Beckert <abe@debian.org>
Forwarded: no

Patch: cross.patch
Forwarded: no

Patch: use-get_random_u32_below-instead-of-deprecated-prand.patch
Description: [PATCH] use get_random_u32_below() instead of deprecated prandom_u32_max()
Author: Paolo Pisati <paolo.pisati@canonical.com>
Forwarded: no
Last update: 2023-02-14

Patch: replace-strlcpy-by-strscpy.patch
Description: Replace all occurrences of strlcpy with strscpy
  Fixes compilation against Linux kernel 6.8 which has strlcpy removed.
Forwarded: yes
Origin: upstream https://github.com/aabc/ipt-netflow/issues/227#issuecomment-2036168081

Patch: verbose.patch
Description: dump compat_def.h
Author: Andreas Beckmann <anbe@debian.org>
Forwarded: no
