-rw-r--r--sys-kernel/boest-v5.2.15/0001-patch-5.2-ja1.diff.patch2123
-rw-r--r--sys-kernel/boest-v5.2.15/0002-pool-2.6.25-tcp-timewait-20s.diff.patch27
-rw-r--r--sys-kernel/boest-v5.2.15/0003-pool-2.6.25-disable-tcp-debug.diff.patch25
-rw-r--r--sys-kernel/boest-v5.2.15/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch142
-rw-r--r--sys-kernel/boest-v5.2.15/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch34
-rw-r--r--sys-kernel/boest-v5.2.15/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch45
-rw-r--r--sys-kernel/boest-v5.2.15/0007-This-patch-adds-support-for-a-restricted-user-contro.patch75
-rw-r--r--sys-kernel/boest-v5.2.15/0008-fs-Enable-link-security-restrictions-by-default.patch26
-rw-r--r--sys-kernel/boest-v5.2.15/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch38
-rw-r--r--sys-kernel/boest-v5.2.15/0010-usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch37
-rw-r--r--sys-kernel/boest-v5.2.15/0011-5.2-2600_enable-key-swapping-for-apple-mac.patch.patch125
-rw-r--r--sys-kernel/boest-v5.2.15/0012-5.2-4567_distro-Gentoo-Kconfig.patch.patch173
-rw-r--r--sys-kernel/boest-v5.2.15/0013-WARNING.patch589
l---------sys-kernel/stable-sources-5.2.151
14 files changed, 3460 insertions, 0 deletions
diff --git a/sys-kernel/boest-v5.2.15/0001-patch-5.2-ja1.diff.patch b/sys-kernel/boest-v5.2.15/0001-patch-5.2-ja1.diff.patch
new file mode 100644
index 00000000..b793843e
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0001-patch-5.2-ja1.diff.patch
@@ -0,0 +1,2123 @@
+From 3041fa065ecd3d9284e0645a31925022f5fb1ab9 Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sun, 15 Sep 2019 14:32:08 +0000
+Subject: [PATCH 01/13] patch-5.2-ja1.diff
+
+Jumbo patch containing the following parts:
+ - routes-2.X.*.diff (static_routes, alt_routes, nf_reroute but without arp_prefsrc functionality, it is replaced by arprules and rp_filter_mask)
+ - hidden-2.X.*.diff (conf/*/hidden)
+ - arprules-2.X.*.diff (iparp/arprules support)
+ - rp_filter_mask-2.X.*.diff (conf/*/rp_filter_mask)
+ - forward_shared-2.X.*.diff (conf/*/forward_shared)
+ - send-to-self-2.X.*.diff (conf/*/loop, included March 3, 2004, up to Linux 3.5)
+
+URL: http://ja.ssi.bg/patch-5.2-ja1.diff
+---
+ Documentation/networking/ip-sysctl.txt | 30 ++
+ TODO | 1 +
+ include/linux/inetdevice.h | 3 +
+ include/net/flow.h | 2 +
+ include/net/ip_fib.h | 5 +-
+ include/net/netfilter/nf_nat.h | 5 +
+ include/net/route.h | 5 +
+ include/uapi/linux/ip.h | 3 +
+ include/uapi/linux/rtnetlink.h | 64 ++-
+ net/bridge/br_netfilter_hooks.c | 3 +
+ net/ipv4/arp.c | 695 ++++++++++++++++++++++++-
+ net/ipv4/devinet.c | 14 +-
+ net/ipv4/fib_frontend.c | 56 +-
+ net/ipv4/fib_rules.c | 5 +
+ net/ipv4/fib_semantics.c | 236 ++++++---
+ net/ipv4/fib_trie.c | 5 +
+ net/ipv4/netfilter/iptable_nat.c | 7 +
+ net/ipv4/route.c | 69 ++-
+ net/netfilter/nf_nat_core.c | 43 ++
+ net/netfilter/nf_nat_masquerade.c | 27 +-
+ security/selinux/nlmsgtab.c | 5 +-
+ 21 files changed, 1167 insertions(+), 116 deletions(-)
+
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index 22f6b8b1110a..0afa013809dc 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -1098,6 +1098,19 @@ forwarding - BOOLEAN
+ Enable IP forwarding on this interface. This controls whether packets
+ received _on_ this interface can be forwarded.
+
++forward_shared - BOOLEAN
++ Integer value determines if a source validation should allow
++ forwarding of packets with local source address. 1 means yes,
++ 0 means no. By default the flag is disabled and such packets
++ are not forwarded.
++
++ If you enable this flag on internal network, the router will forward
++ packets from internal hosts with shared IP addresses no matter how
++ the rp_filter is set. This flag is activated only if it is
++ enabled both in specific device section and in "all" section.
++
++ The forward_shared value could be ignored when rp_filter is set to 0.
++
+ mc_forwarding - BOOLEAN
+ Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
+ and a multicast routing daemon is required.
+@@ -1213,6 +1226,15 @@ rp_filter - INTEGER
+ Default value is 0. Note that some distributions enable it
+ in startup scripts.
+
++rp_filter_mask - INTEGER
++ Integer value representing bitmask of the mediums for which the
++ reverse path protection is disabled. If the source validation
++ results in reverse path to interface with medium_id value in
++ the 1..31 range the access is allowed if the corresponding bit
++ is set in the bitmask. The bitmask value is considered only when
++ rp_filter is enabled. By default the bitmask is empty preserving
++ the original rp_filter semantic.
++
+ arp_filter - BOOLEAN
+ 1 - Allows you to have multiple network interfaces on the same
+ subnet, and have the ARPs for each interface be answered
+@@ -1353,6 +1375,14 @@ drop_gratuitous_arp - BOOLEAN
+ Default: off (0)
+
+
++hidden - BOOLEAN
++ Hide addresses attached to this device from other devices.
++ Such addresses will never be selected by source address autoselection
++ mechanism, host does not answer broadcast ARP requests for them,
++ does not announce them as source address of ARP requests, but they
++ are still reachable via IP. This flag is activated only if it is
++ enabled both in specific device section and in "all" section.
++
+ tag - INTEGER
+ Allows you to write a number, which can be used as required.
+ Default value is 0.
+diff --git a/TODO b/TODO
+new file mode 100644
+index 000000000000..ee9f7ac8defe
+--- /dev/null
++++ b/TODO
+@@ -0,0 +1 @@
++fatal on sym_warn_unmet_dep
+diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
+index 367dc2a0f84a..cf03502e6a70 100644
+--- a/include/linux/inetdevice.h
++++ b/include/linux/inetdevice.h
+@@ -97,9 +97,11 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
+ #define IN_DEV_MFORWARD(in_dev) IN_DEV_ANDCONF((in_dev), MC_FORWARDING)
+ #define IN_DEV_BFORWARD(in_dev) IN_DEV_ANDCONF((in_dev), BC_FORWARDING)
+ #define IN_DEV_RPFILTER(in_dev) IN_DEV_MAXCONF((in_dev), RP_FILTER)
++#define IN_DEV_RPFILTER_MASK(in_dev) IN_DEV_CONF_GET(in_dev, RP_FILTER_MASK)
+ #define IN_DEV_SRC_VMARK(in_dev) IN_DEV_ORCONF((in_dev), SRC_VMARK)
+ #define IN_DEV_SOURCE_ROUTE(in_dev) IN_DEV_ANDCONF((in_dev), \
+ ACCEPT_SOURCE_ROUTE)
++#define IN_DEV_FORWARD_SHARED(in_dev) IN_DEV_ANDCONF((in_dev), FORWARD_SHARED)
+ #define IN_DEV_ACCEPT_LOCAL(in_dev) IN_DEV_ORCONF((in_dev), ACCEPT_LOCAL)
+ #define IN_DEV_BOOTP_RELAY(in_dev) IN_DEV_ANDCONF((in_dev), BOOTP_RELAY)
+
+@@ -112,6 +114,7 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
+ SECURE_REDIRECTS)
+ #define IN_DEV_IDTAG(in_dev) IN_DEV_CONF_GET(in_dev, TAG)
+ #define IN_DEV_MEDIUM_ID(in_dev) IN_DEV_CONF_GET(in_dev, MEDIUM_ID)
++#define IN_DEV_HIDDEN(in_dev) IN_DEV_ANDCONF((in_dev), HIDDEN)
+ #define IN_DEV_PROMOTE_SECONDARIES(in_dev) \
+ IN_DEV_ORCONF((in_dev), \
+ PROMOTE_SECONDARIES)
+diff --git a/include/net/flow.h b/include/net/flow.h
+index a50fb77a0b27..7dcdb9b3162e 100644
+--- a/include/net/flow.h
++++ b/include/net/flow.h
+@@ -93,6 +93,7 @@ struct flowi4 {
+ #define fl4_ipsec_spi uli.spi
+ #define fl4_mh_type uli.mht.type
+ #define fl4_gre_key uli.gre_key
++ __be32 fl4_gw;
+ } __attribute__((__aligned__(BITS_PER_LONG/8)));
+
+ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
+@@ -116,6 +117,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
+ fl4->saddr = saddr;
+ fl4->fl4_dport = dport;
+ fl4->fl4_sport = sport;
++ fl4->fl4_gw = 0;
+ }
+
+ /* Reset some input parameters after previous lookup */
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index bbeff32fb6cb..a6ce7e9dfe8c 100644
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -394,6 +394,8 @@ static inline bool fib4_rules_early_flow_dissect(struct net *net,
+ return true;
+ }
+
++u32 fib_result_table(struct fib_result *res);
++
+ #endif /* CONFIG_IP_MULTIPLE_TABLES */
+
+ /* Exported by fib_frontend.c */
+@@ -405,7 +407,8 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb);
+ bool fib_info_nh_uses_dev(struct fib_info *fi, const struct net_device *dev);
+ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ u8 tos, int oif, struct net_device *dev,
+- struct in_device *idev, u32 *itag);
++ struct in_device *idev, u32 *itag, int our);
++void fib_select_default(const struct flowi4 *flp, struct fib_result *res);
+ #ifdef CONFIG_IP_ROUTE_CLASSID
+ static inline int fib_num_tclassid_users(struct net *net)
+ {
+diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
+index 423cda2c6542..c6aefd01b672 100644
+--- a/include/net/netfilter/nf_nat.h
++++ b/include/net/netfilter/nf_nat.h
+@@ -36,6 +36,11 @@ struct nf_conn_nat {
+ #endif
+ };
+
++/* Call input routing for SNAT-ed traffic */
++unsigned int ip_nat_route_input(void *priv,
++ struct sk_buff *skb,
++ const struct nf_hook_state *state);
++
+ /* Set up the info structure to map into this range. */
+ unsigned int nf_nat_setup_info(struct nf_conn *ct,
+ const struct nf_nat_range2 *range,
+diff --git a/include/net/route.h b/include/net/route.h
+index 55ff71ffb796..78ed6e76c167 100644
+--- a/include/net/route.h
++++ b/include/net/route.h
+@@ -183,6 +183,9 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 dst, __be32 src,
+ int ip_route_input_rcu(struct sk_buff *skb, __be32 dst, __be32 src,
+ u8 tos, struct net_device *devin,
+ struct fib_result *res);
++int ip_route_input_common_rcu(struct sk_buff *skb, __be32 dst, __be32 src,
++ u8 tos, struct net_device *devin, __be32 lsrc,
++ struct fib_result *res);
+
+ static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src,
+ u8 tos, struct net_device *devin)
+@@ -218,6 +221,8 @@ unsigned int inet_addr_type_dev_table(struct net *net,
+ void ip_rt_multicast_event(struct in_device *);
+ int ip_rt_ioctl(struct net *, unsigned int cmd, struct rtentry *rt);
+ void ip_rt_get_source(u8 *src, struct sk_buff *skb, struct rtable *rt);
++int ip_route_input_lookup(struct sk_buff*, __be32 dst, __be32 src, u8 tos,
++ struct net_device *devin, __be32 lsrc);
+ struct rtable *rt_dst_alloc(struct net_device *dev,
+ unsigned int flags, u16 type,
+ bool nopolicy, bool noxfrm, bool will_cache);
+diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
+index e42d13b55cf3..d03711046f2e 100644
+--- a/include/uapi/linux/ip.h
++++ b/include/uapi/linux/ip.h
+@@ -169,6 +169,9 @@ enum
+ IPV4_DEVCONF_DROP_UNICAST_IN_L2_MULTICAST,
+ IPV4_DEVCONF_DROP_GRATUITOUS_ARP,
+ IPV4_DEVCONF_BC_FORWARDING,
++ IPV4_DEVCONF_HIDDEN,
++ IPV4_DEVCONF_RP_FILTER_MASK,
++ IPV4_DEVCONF_FORWARD_SHARED,
+ __IPV4_DEVCONF_MAX
+ };
+
+diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h
+index 46399367627f..92593fd1a055 100644
+--- a/include/uapi/linux/rtnetlink.h
++++ b/include/uapi/linux/rtnetlink.h
+@@ -157,6 +157,13 @@ enum {
+ RTM_GETCHAIN,
+ #define RTM_GETCHAIN RTM_GETCHAIN
+
++ RTM_NEWARPRULE = 104,
++#define RTM_NEWARPRULE RTM_NEWARPRULE
++ RTM_DELARPRULE,
++#define RTM_DELARPRULE RTM_DELARPRULE
++ RTM_GETARPRULE,
++#define RTM_GETARPRULE RTM_GETARPRULE
++
+ __RTM_MAX,
+ #define RTM_MAX (((__RTM_MAX + 3) & ~3) - 1)
+ };
+@@ -374,8 +381,11 @@ struct rtnexthop {
+ #define RTNH_F_OFFLOAD 8 /* offloaded route */
+ #define RTNH_F_LINKDOWN 16 /* carrier-down on nexthop */
+ #define RTNH_F_UNRESOLVED 32 /* The entry is unresolved (ipmr) */
++#define RTNH_F_SUSPECT 64 /* We don't know the real state */
++#define RTNH_F_BADSTATE (RTNH_F_DEAD | RTNH_F_SUSPECT)
+
+-#define RTNH_COMPARE_MASK (RTNH_F_DEAD | RTNH_F_LINKDOWN | RTNH_F_OFFLOAD)
++#define RTNH_COMPARE_MASK (RTNH_F_DEAD | RTNH_F_LINKDOWN | \
++ RTNH_F_OFFLOAD | RTNH_F_SUSPECT)
+
+ /* Macros to handle hexthops */
+
+@@ -617,6 +627,54 @@ enum {
+
+ #define NDUSEROPT_MAX (__NDUSEROPT_MAX - 1)
+
++/******************************************************************************
++ * Definitions used in ARP tables administration
++ ****/
++
++#define ARPA_TABLE_INPUT 0
++#define ARPA_TABLE_OUTPUT 1
++#define ARPA_TABLE_FORWARD 2
++#define ARPA_TABLE_ALL -1
++
++#define ARPM_F_PREFSRC 0x0001
++#define ARPM_F_WILDIIF 0x0002
++#define ARPM_F_WILDOIF 0x0004
++#define ARPM_F_BROADCAST 0x0008
++#define ARPM_F_UNICAST 0x0010
++
++struct arpmsg
++{
++ unsigned char arpm_family;
++ unsigned char arpm_table;
++ unsigned char arpm_action;
++ unsigned char arpm_from_len;
++ unsigned char arpm_to_len;
++ unsigned char arpm__pad1;
++ unsigned short arpm__pad2;
++ unsigned arpm_pref;
++ unsigned arpm_flags;
++};
++
++enum
++{
++ ARPA_UNSPEC,
++ ARPA_FROM, /* FROM IP prefix */
++ ARPA_TO, /* TO IP prefix */
++ ARPA_LLFROM, /* FROM LL prefix */
++ ARPA_LLTO, /* TO LL prefix */
++ ARPA_LLSRC, /* New SRC lladdr */
++ ARPA_LLDST, /* New DST lladdr */
++ ARPA_IIF, /* In interface prefix */
++ ARPA_OIF, /* Out interface prefix */
++ ARPA_SRC, /* New IP SRC */
++ ARPA_DST, /* New IP DST, not used */
++ ARPA_PACKETS, /* Packets */
++};
++
++#define ARPA_MAX ARPA_PACKETS
++
++#define ARPA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct arpmsg))))
++
+ #ifndef __KERNEL__
+ /* RTnetlink multicast groups - backwards compatibility for userspace */
+ #define RTMGRP_LINK 1
+@@ -637,6 +695,8 @@ enum {
+ #define RTMGRP_DECnet_IFADDR 0x1000
+ #define RTMGRP_DECnet_ROUTE 0x4000
+
++#define RTMGRP_ARP 0x00010000
++
+ #define RTMGRP_IPV6_PREFIX 0x20000
+ #endif
+
+@@ -704,6 +764,8 @@ enum rtnetlink_groups {
+ #define RTNLGRP_IPV4_MROUTE_R RTNLGRP_IPV4_MROUTE_R
+ RTNLGRP_IPV6_MROUTE_R,
+ #define RTNLGRP_IPV6_MROUTE_R RTNLGRP_IPV6_MROUTE_R
++ RTNLGRP_ARP,
++#define RTNLGRP_ARP RTNLGRP_ARP
+ __RTNLGRP_MAX
+ };
+ #define RTNLGRP_MAX (__RTNLGRP_MAX - 1)
+diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
+index 34fa72c72ad8..1cf0c16e02a8 100644
+--- a/net/bridge/br_netfilter_hooks.c
++++ b/net/bridge/br_netfilter_hooks.c
+@@ -343,6 +343,9 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_
+
+ nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
+
++ /* Old skb->dst is not expected, it is lost in all cases */
++ skb_dst_drop(skb);
++
+ if (nf_bridge->pkt_otherhost) {
+ skb->pkt_type = PACKET_OTHERHOST;
+ nf_bridge->pkt_otherhost = false;
+diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
+index 05eb42f347e8..a1c2792ef0f8 100644
+--- a/net/ipv4/arp.c
++++ b/net/ipv4/arp.c
+@@ -67,6 +67,9 @@
+ * sending (e.g. insert 8021q tag).
+ * Harald Welte : convert to make use of jenkins hash
+ * Jesper D. Brouer: Proxy ARP PVLAN RFC 3069 support.
++ * Julian Anastasov: "hidden" flag: hide the
++ * interface and don't reply for it
++ * Julian Anastasov: ARP filtering via netlink
+ */
+
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+@@ -91,6 +94,7 @@
+ #include <linux/proc_fs.h>
+ #include <linux/seq_file.h>
+ #include <linux/stat.h>
++#include <net/netlink.h>
+ #include <linux/init.h>
+ #include <linux/net.h>
+ #include <linux/rcupdate.h>
+@@ -181,6 +185,48 @@ struct neigh_table arp_tbl = {
+ };
+ EXPORT_SYMBOL(arp_tbl);
+
++struct arpf_node {
++ struct arpf_node * at_next;
++ u32 at_pref;
++ u32 at_from;
++ u32 at_from_mask;
++ u32 at_to;
++ u32 at_to_mask;
++ u32 at_src;
++ atomic_t at_packets;
++ atomic_t at_refcnt;
++ unsigned at_flags;
++ unsigned char at_from_len;
++ unsigned char at_to_len;
++ unsigned char at_action;
++ char at_dead;
++ unsigned char at_llfrom_len;
++ unsigned char at_llto_len;
++ unsigned char at_llsrc_len;
++ unsigned char at_lldst_len;
++ unsigned char at_iif_len;
++ unsigned char at_oif_len;
++ unsigned short at__pad1;
++ unsigned char at_llfrom[MAX_ADDR_LEN];
++ unsigned char at_llto[MAX_ADDR_LEN];
++ unsigned char at_llsrc[MAX_ADDR_LEN];
++ unsigned char at_lldst[MAX_ADDR_LEN];
++ char at_iif[IFNAMSIZ];
++ char at_oif[IFNAMSIZ];
++};
++
++static struct arpf_node *arp_tabs[3];
++
++static struct kmem_cache *arpf_cachep;
++
++static DEFINE_RWLOCK(arpf_lock);
++
++static void
++arpf_send(int table, struct net *net, struct sk_buff *skb, u32 sip, u32 tip,
++ unsigned char *from_hw, unsigned char *to_hw,
++ struct net_device *idev, struct net_device *odev,
++ struct dst_entry *dst);
++
+ int arp_mc_map(__be32 addr, u8 *haddr, struct net_device *dev, int dir)
+ {
+ switch (dev->type) {
+@@ -334,7 +380,9 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
+ struct net_device *dev = neigh->dev;
+ __be32 target = *(__be32 *)neigh->primary_key;
+ int probes = atomic_read(&neigh->probes);
+- struct in_device *in_dev;
++ struct in_device *in_dev, *in_dev2;
++ struct net_device *dev2;
++ int mode;
+ struct dst_entry *dst = NULL;
+
+ rcu_read_lock();
+@@ -343,9 +391,22 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
+ rcu_read_unlock();
+ return;
+ }
+- switch (IN_DEV_ARP_ANNOUNCE(in_dev)) {
++ mode = IN_DEV_ARP_ANNOUNCE(in_dev);
++ if (mode != 2 && skb &&
++ (dev2 = __ip_dev_find(dev_net(dev), ip_hdr(skb)->saddr,
++ false)) != NULL &&
++ (saddr = ip_hdr(skb)->saddr,
++ in_dev2 = __in_dev_get_rcu(dev2)) != NULL &&
++ IN_DEV_HIDDEN(in_dev2)) {
++ saddr = 0;
++ goto get;
++ }
++
++ switch (mode) {
+ default:
+ case 0: /* By default announce any local IP */
++ if (saddr)
++ break;
+ if (skb && inet_addr_type_dev_table(dev_net(dev), dev,
+ ip_hdr(skb)->saddr) == RTN_LOCAL)
+ saddr = ip_hdr(skb)->saddr;
+@@ -353,9 +414,10 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
+ case 1: /* Restrict announcements of saddr in same subnet */
+ if (!skb)
+ break;
+- saddr = ip_hdr(skb)->saddr;
+- if (inet_addr_type_dev_table(dev_net(dev), dev,
+- saddr) == RTN_LOCAL) {
++ if (saddr ||
++ (saddr = ip_hdr(skb)->saddr,
++ inet_addr_type_dev_table(dev_net(dev), dev,
++ saddr) == RTN_LOCAL)) {
+ /* saddr should be known to target */
+ if (inet_addr_onlink(in_dev, target, saddr))
+ break;
+@@ -365,6 +427,8 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
+ case 2: /* Avoid secondary IPs, get a primary/preferred one */
+ break;
+ }
++
++get:
+ rcu_read_unlock();
+
+ if (!saddr)
+@@ -386,8 +450,8 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
+
+ if (skb && !(dev->priv_flags & IFF_XMIT_DST_RELEASE))
+ dst = skb_dst(skb);
+- arp_send_dst(ARPOP_REQUEST, ETH_P_ARP, target, dev, saddr,
+- dst_hw, dev->dev_addr, NULL, dst);
++ arpf_send(ARPA_TABLE_OUTPUT, dev_net(dev), skb, saddr, target, NULL,
++ dst_hw, NULL, dev, dst);
+ }
+
+ static int arp_ignore(struct in_device *in_dev, __be32 sip, __be32 tip)
+@@ -444,6 +508,21 @@ static int arp_filter(__be32 sip, __be32 tip, struct net_device *dev)
+ return flag;
+ }
+
++static int arp_hidden(u32 tip, struct net_device *dev)
++{
++ struct net_device *dev2;
++ struct in_device *in_dev2;
++ int ret = 0;
++
++ if (!IPV4_DEVCONF_ALL(dev_net(dev), HIDDEN))
++ return 0;
++
++ if ((dev2 = __ip_dev_find(dev_net(dev), tip, false)) && dev2 != dev &&
++ (in_dev2 = __in_dev_get_rcu(dev2)) && IN_DEV_HIDDEN(in_dev2))
++ ret = 1;
++ return ret;
++}
++
+ /*
+ * Check if we can use proxy ARP for this path
+ */
+@@ -804,9 +883,10 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
+ if (sip == 0) {
+ if (arp->ar_op == htons(ARPOP_REQUEST) &&
+ inet_addr_type_dev_table(net, dev, tip) == RTN_LOCAL &&
++ !arp_hidden(tip, dev) &&
+ !arp_ignore(in_dev, sip, tip))
+- arp_send_dst(ARPOP_REPLY, ETH_P_ARP, sip, dev, tip,
+- sha, dev->dev_addr, sha, reply_dst);
++ arpf_send(ARPA_TABLE_INPUT, net, skb, sip, tip, sha,
++ tha, dev, NULL, reply_dst);
+ goto out_consume_skb;
+ }
+
+@@ -822,13 +902,14 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
+ dont_send = arp_ignore(in_dev, sip, tip);
+ if (!dont_send && IN_DEV_ARPFILTER(in_dev))
+ dont_send = arp_filter(sip, tip, dev);
++ if (!dont_send && skb->pkt_type != PACKET_HOST)
++ dont_send = arp_hidden(tip,dev);
+ if (!dont_send) {
+ n = neigh_event_ns(&arp_tbl, sha, &sip, dev);
+ if (n) {
+- arp_send_dst(ARPOP_REPLY, ETH_P_ARP,
+- sip, dev, tip, sha,
+- dev->dev_addr, sha,
+- reply_dst);
++ arpf_send(ARPA_TABLE_INPUT, net, skb,
++ sip, tip, sha, tha, dev,
++ NULL, reply_dst);
+ neigh_release(n);
+ }
+ }
+@@ -846,10 +927,9 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
+ if (NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED ||
+ skb->pkt_type == PACKET_HOST ||
+ NEIGH_VAR(in_dev->arp_parms, PROXY_DELAY) == 0) {
+- arp_send_dst(ARPOP_REPLY, ETH_P_ARP,
+- sip, dev, tip, sha,
+- dev->dev_addr, sha,
+- reply_dst);
++ arpf_send(ARPA_TABLE_FORWARD, net,
++ skb, sip, tip, sha, tha, dev,
++ rt->dst.dev, reply_dst);
+ } else {
+ pneigh_enqueue(&arp_tbl,
+ in_dev->arp_parms, skb);
+@@ -1275,6 +1355,577 @@ void arp_ifdown(struct net_device *dev)
+ }
+
+
++static void arpf_destroy(struct arpf_node *afp)
++{
++ if (!afp->at_dead) {
++ printk(KERN_ERR "Destroying alive arp table node %p from %08lx\n", afp,
++ *(((unsigned long*)&afp)-1));
++ return;
++ }
++ kmem_cache_free(arpf_cachep, afp);
++}
++
++static inline void arpf_put(struct arpf_node *afp)
++{
++ if (atomic_dec_and_test(&afp->at_refcnt))
++ arpf_destroy(afp);
++}
++
++static inline struct arpf_node *
++arpf_lookup(int table, struct sk_buff *skb, u32 sip, u32 tip,
++ unsigned char *from_hw, unsigned char *to_hw,
++ struct net_device *idev, struct net_device *odev)
++{
++ int sz_iif = idev? strlen(idev->name) : 0;
++ int sz_oif = odev? strlen(odev->name) : 0;
++ int alen;
++ struct arpf_node *afp;
++
++ if (ARPA_TABLE_OUTPUT != table) {
++ alen = idev->addr_len;
++ } else {
++ if (!from_hw) from_hw = odev->dev_addr;
++ if (!to_hw) to_hw = odev->broadcast;
++ alen = odev->addr_len;
++ }
++
++ read_lock_bh(&arpf_lock);
++ for (afp = arp_tabs[table]; afp; afp = afp->at_next) {
++ if ((tip ^ afp->at_to) & afp->at_to_mask)
++ continue;
++ if ((sip ^ afp->at_from) & afp->at_from_mask)
++ continue;
++ if (afp->at_llfrom_len &&
++ (afp->at_llfrom_len > alen ||
++ memcmp(from_hw, afp->at_llfrom, afp->at_llfrom_len)))
++ continue;
++ if (afp->at_llto_len &&
++ (afp->at_llto_len > alen ||
++ memcmp(to_hw, afp->at_llto, afp->at_llto_len)))
++ continue;
++ if (afp->at_iif_len &&
++ (afp->at_iif_len > sz_iif ||
++ memcmp(afp->at_iif, idev->name, afp->at_iif_len) ||
++ (sz_iif != afp->at_iif_len &&
++ !(afp->at_flags & ARPM_F_WILDIIF))))
++ continue;
++ if (afp->at_oif_len &&
++ (afp->at_oif_len > sz_oif ||
++ memcmp(afp->at_oif, odev->name, afp->at_oif_len) ||
++ (sz_oif != afp->at_oif_len &&
++ !(afp->at_flags & ARPM_F_WILDOIF))))
++ continue;
++ if (afp->at_flags & ARPM_F_BROADCAST &&
++ skb->pkt_type == PACKET_HOST)
++ continue;
++ if (afp->at_flags & ARPM_F_UNICAST &&
++ skb->pkt_type != PACKET_HOST)
++ continue;
++ if (afp->at_llsrc_len && afp->at_llsrc_len != alen)
++ continue;
++ if (afp->at_lldst_len && afp->at_lldst_len != alen)
++ continue;
++ atomic_inc(&afp->at_refcnt);
++ atomic_inc(&afp->at_packets);
++ break;
++ }
++ read_unlock_bh(&arpf_lock);
++ return afp;
++}
++
++static void
++arpf_send(int table, struct net *net, struct sk_buff *skb, u32 sip, u32 tip,
++ unsigned char *from_hw, unsigned char *to_hw,
++ struct net_device *idev, struct net_device *odev,
++ struct dst_entry *dst)
++{
++ struct arpf_node *afp = NULL;
++
++ if (!arp_tabs[table] ||
++ !net_eq(net, &init_net) ||
++ !(afp = arpf_lookup(table, skb, sip, tip,
++ from_hw, to_hw, idev, odev))) {
++ switch (table) {
++ case ARPA_TABLE_INPUT:
++ case ARPA_TABLE_FORWARD:
++ arp_send_dst(ARPOP_REPLY, ETH_P_ARP, sip, idev, tip,
++ from_hw, idev->dev_addr, from_hw, dst);
++ break;
++ case ARPA_TABLE_OUTPUT:
++ arp_send_dst(ARPOP_REQUEST, ETH_P_ARP, tip, odev, sip,
++ to_hw, odev->dev_addr, NULL, dst);
++ break;
++ }
++ return;
++ }
++
++ /* deny? */
++ if (!afp->at_action) goto out;
++
++ switch (table) {
++ case ARPA_TABLE_INPUT:
++ case ARPA_TABLE_FORWARD:
++ arp_send_dst(ARPOP_REPLY, ETH_P_ARP, sip, idev, tip,
++ afp->at_lldst_len?afp->at_lldst:from_hw,
++ afp->at_llsrc_len?afp->at_llsrc:idev->dev_addr,
++ afp->at_lldst_len?afp->at_lldst:from_hw, dst);
++ break;
++ case ARPA_TABLE_OUTPUT:
++ if (afp->at_flags & ARPM_F_PREFSRC && afp->at_src == 0) {
++ struct rtable *rt;
++ struct flowi4 fl4 = { .daddr = tip,
++ .flowi4_oif = odev->ifindex };
++
++ rt = ip_route_output_key(net, &fl4);
++ if (IS_ERR(rt))
++ break;
++ sip = fl4.saddr;
++ ip_rt_put(rt);
++ if (!sip)
++ break;
++ }
++ arp_send_dst(ARPOP_REQUEST, ETH_P_ARP, tip, odev,
++ afp->at_src?:sip,
++ afp->at_lldst_len?afp->at_lldst:to_hw,
++ afp->at_llsrc_len?afp->at_llsrc:odev->dev_addr,
++ NULL, dst);
++ break;
++ }
++
++out:
++ arpf_put(afp);
++}
++
++static int
++arpf_fill_node(struct sk_buff *skb, u32 portid, u32 seq, unsigned flags,
++ int event, int table, struct arpf_node *afp)
++{
++ struct arpmsg *am;
++ struct nlmsghdr *nlh;
++ u32 packets = atomic_read(&afp->at_packets);
++
++ nlh = nlmsg_put(skb, portid, seq, event, sizeof(*am), 0);
++ if (nlh == NULL)
++ return -ENOBUFS;
++ nlh->nlmsg_flags = flags;
++ am = nlmsg_data(nlh);
++ am->arpm_family = AF_UNSPEC;
++ am->arpm_table = table;
++ am->arpm_action = afp->at_action;
++ am->arpm_from_len = afp->at_from_len;
++ am->arpm_to_len = afp->at_to_len;
++ am->arpm_pref = afp->at_pref;
++ am->arpm_flags = afp->at_flags;
++ if (afp->at_from_len &&
++ nla_put(skb, ARPA_FROM, 4, &afp->at_from))
++ goto nla_put_failure;
++ if (afp->at_to_len &&
++ nla_put(skb, ARPA_TO, 4, &afp->at_to))
++ goto nla_put_failure;
++ if ((afp->at_src || afp->at_flags & ARPM_F_PREFSRC) &&
++ nla_put(skb, ARPA_SRC, 4, &afp->at_src))
++ goto nla_put_failure;
++ if (afp->at_iif[0] &&
++ nla_put(skb, ARPA_IIF, sizeof(afp->at_iif), afp->at_iif))
++ goto nla_put_failure;
++ if (afp->at_oif[0] &&
++ nla_put(skb, ARPA_OIF, sizeof(afp->at_oif), afp->at_oif))
++ goto nla_put_failure;
++ if (afp->at_llfrom_len &&
++ nla_put(skb, ARPA_LLFROM, afp->at_llfrom_len, afp->at_llfrom))
++ goto nla_put_failure;
++ if (afp->at_llto_len &&
++ nla_put(skb, ARPA_LLTO, afp->at_llto_len, afp->at_llto))
++ goto nla_put_failure;
++ if (afp->at_llsrc_len &&
++ nla_put(skb, ARPA_LLSRC, afp->at_llsrc_len, afp->at_llsrc))
++ goto nla_put_failure;
++ if (afp->at_lldst_len &&
++ nla_put(skb, ARPA_LLDST, afp->at_lldst_len, afp->at_lldst))
++ goto nla_put_failure;
++ if (nla_put(skb, ARPA_PACKETS, 4, &packets))
++ goto nla_put_failure;
++ nlmsg_end(skb, nlh);
++ return 0;
++
++nla_put_failure:
++ nlmsg_cancel(skb, nlh);
++ return -EMSGSIZE;
++}
++
++static void
++arpmsg_notify(struct sk_buff *oskb, struct nlmsghdr *nlh, int table,
++ struct arpf_node *afp, int event)
++{
++ struct sk_buff *skb;
++ u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
++ int payload = sizeof(struct arpmsg) + 256;
++ int err = -ENOBUFS;
++
++ skb = nlmsg_new(nlmsg_total_size(payload), GFP_KERNEL);
++ if (!skb)
++ goto errout;
++
++ err = arpf_fill_node(skb, portid, nlh->nlmsg_seq, 0, event, table, afp);
++ if (err < 0) {
++ kfree_skb(skb);
++ goto errout;
++ }
++
++ rtnl_notify(skb, &init_net, portid, RTNLGRP_ARP, nlh, GFP_KERNEL);
++ return;
++errout:
++ if (err < 0)
++ rtnl_set_sk_err(&init_net, RTNLGRP_ARP, err);
++}
++
++static inline int
++arpf_str_size(int a, struct nlattr **rta, int maxlen)
++{
++ int size = 0;
++
++ if (rta[a] && (size = nla_len(rta[a]))) {
++ if (size > maxlen)
++ size = maxlen;
++ }
++ return size;
++}
++
++static inline int
++arpf_get_str(int a, struct nlattr **rta, unsigned char *p,
++ int maxlen, unsigned char *l)
++{
++ int size = arpf_str_size(a, rta, maxlen);
++
++ if (size) {
++ memcpy(p, nla_data(rta[a]), size);
++ *l = size;
++ }
++ return size;
++}
++
++#define ARPF_MATCH_U32(ind, field) ( \
++ (!rta[ind] && r->at_ ## field == 0) || \
++ (rta[ind] && \
++ *(u32*) nla_data(rta[ind]) == r->at_ ## field))
++
++#define ARPF_MATCH_STR(ind, field) ( \
++ (!rta[ind] && r->at_ ## field ## _len == 0) || \
++ (rta[ind] && r->at_ ## field ## _len && \
++ r->at_ ## field ## _len < nla_len(rta[ind]) && \
++ strcmp(nla_data(rta[ind]), r->at_ ## field) == 0))
++
++#define ARPF_MATCH_DATA(ind, field) ( \
++ (!rta[ind] && r->at_ ## field ## _len == 0) || \
++ (rta[ind] && r->at_ ## field ## _len && \
++ r->at_ ## field ## _len == nla_len(rta[ind]) && \
++ memcmp(nla_data(rta[ind]), &r->at_ ## field, \
++ r->at_ ## field ## _len) == 0))
++
++/* RTM_NEWARPRULE/RTM_DELARPRULE/RTM_GETARPRULE */
++
++int arpf_rule_ctl(struct sk_buff *skb, struct nlmsghdr *n,
++ struct netlink_ext_ack *extack)
++{
++ struct net *net = sock_net(skb->sk);
++ struct nlattr *rta[ARPA_MAX + 1];
++ struct arpmsg *am;
++ struct arpf_node *r, **rp, **prevp = 0, **delp = 0, *newp = 0;
++ unsigned pref = 1;
++ int size, ret;
++
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
++ if (!net_eq(net, &init_net))
++ return -EINVAL;
++
++ ret = nlmsg_parse(n, sizeof(struct arpmsg), rta, ARPA_MAX, NULL,
++ extack);
++ if (ret < 0)
++ return ret;
++
++ am = nlmsg_data(n);
++ ret = -EINVAL;
++ if (am->arpm_table >= sizeof(arp_tabs)/sizeof(arp_tabs[0]))
++ goto out;
++ if (!((~am->arpm_flags) & (ARPM_F_BROADCAST|ARPM_F_UNICAST)))
++ goto out;
++ if (am->arpm_action > 1)
++ goto out;
++ if (am->arpm_to_len > 32 || am->arpm_from_len > 32)
++ goto out;
++ if (am->arpm_flags & ARPM_F_WILDIIF &&
++ (!rta[ARPA_IIF] || !nla_len(rta[ARPA_IIF]) ||
++ !*(char*) nla_data(rta[ARPA_IIF])))
++ am->arpm_flags &= ~ARPM_F_WILDIIF;
++ if (am->arpm_flags & ARPM_F_WILDOIF &&
++ (!rta[ARPA_OIF] || !nla_len(rta[ARPA_OIF]) ||
++ !*(char*) nla_data(rta[ARPA_OIF])))
++ am->arpm_flags &= ~ARPM_F_WILDOIF;
++ switch (am->arpm_table) {
++ case ARPA_TABLE_INPUT:
++ if (rta[ARPA_SRC] || rta[ARPA_OIF])
++ goto out;
++ break;
++ case ARPA_TABLE_OUTPUT:
++ if (rta[ARPA_IIF])
++ goto out;
++ if (am->arpm_flags & (ARPM_F_BROADCAST|ARPM_F_UNICAST))
++ goto out;
++ break;
++ case ARPA_TABLE_FORWARD:
++ if (rta[ARPA_SRC])
++ goto out;
++ break;
++ }
++ if (rta[ARPA_SRC] && !*(u32*) nla_data(rta[ARPA_SRC]))
++ am->arpm_flags |= ARPM_F_PREFSRC;
++ else
++ am->arpm_flags &= ~ARPM_F_PREFSRC;
++
++ for (rp = &arp_tabs[am->arpm_table]; (r=*rp) != NULL; rp=&r->at_next) {
++ if (pref < r->at_pref)
++ prevp = rp;
++ if (am->arpm_pref == r->at_pref ||
++ (!am->arpm_pref &&
++ am->arpm_to_len == r->at_to_len &&
++ am->arpm_from_len == r->at_from_len &&
++ !((am->arpm_flags ^ r->at_flags) &
++ (ARPM_F_BROADCAST | ARPM_F_UNICAST |
++ ARPM_F_WILDIIF | ARPM_F_WILDOIF)) &&
++ ARPF_MATCH_U32(ARPA_TO, to) &&
++ ARPF_MATCH_U32(ARPA_FROM, from) &&
++ ARPF_MATCH_DATA(ARPA_LLFROM, llfrom) &&
++ ARPF_MATCH_DATA(ARPA_LLTO, llto) &&
++ ARPF_MATCH_STR(ARPA_IIF, iif) &&
++ ARPF_MATCH_STR(ARPA_OIF, oif) &&
++ (n->nlmsg_type != RTM_DELARPRULE ||
++ /* DEL matches more keys */
++ (am->arpm_flags == r->at_flags &&
++ am->arpm_action == r->at_action &&
++ ARPF_MATCH_U32(ARPA_SRC, src) &&
++ ARPF_MATCH_DATA(ARPA_LLSRC, llsrc) &&
++ ARPF_MATCH_DATA(ARPA_LLDST, lldst)
++ )
++ )
++ )
++ )
++ break;
++ if (am->arpm_pref && r->at_pref > am->arpm_pref) {
++ r = NULL;
++ break;
++ }
++ pref = r->at_pref+1;
++ }
++
++ /*
++ * r=NULL: *rp != NULL (stopped before next pref), pref: not valid
++ * *rp == NULL (not found), pref: ready to use
++ * r!=NULL: found, pref: not valid
++ *
++ * prevp=NULL: no free slot
++ * prevp!=NULL: free slot for rule
++ */
++
++ if (n->nlmsg_type == RTM_DELARPRULE) {
++ if (!r)
++ return -ESRCH;
++ delp = rp;
++ goto dequeue;
++ }
++
++ if (r) {
++ /* Existing rule */
++ ret = -EEXIST;
++ if (n->nlmsg_flags&NLM_F_EXCL)
++ goto out;
++
++ if (n->nlmsg_flags&NLM_F_REPLACE) {
++ pref = r->at_pref;
++ prevp = delp = rp;
++ goto replace;
++ }
++ }
++
++ if (n->nlmsg_flags&NLM_F_APPEND) {
++ if (r) {
++ pref = r->at_pref+1;
++ for (rp=&r->at_next; (r=*rp) != NULL; rp=&r->at_next) {
++ if (pref != r->at_pref)
++ break;
++ pref ++;
++ }
++ ret = -EBUSY;
++ if (!pref)
++ goto out;
++ } else if (am->arpm_pref)
++ pref = am->arpm_pref;
++ prevp = rp;
++ }
++
++ if (!(n->nlmsg_flags&NLM_F_CREATE)) {
++ ret = -ENOENT;
++ if (n->nlmsg_flags&NLM_F_EXCL || r)
++ ret = 0;
++ goto out;
++ }
++
++ if (!(n->nlmsg_flags&NLM_F_APPEND)) {
++ if (!prevp) {
++ ret = -EBUSY;
++ if (r || *rp ||
++ (!am->arpm_pref && arp_tabs[am->arpm_table]))
++ goto out;
++ prevp = rp;
++ pref = am->arpm_pref? : 99;
++ } else {
++ if (r || !am->arpm_pref) {
++ pref = (*prevp)->at_pref - 1;
++ if (am->arpm_pref && am->arpm_pref < pref)
++ pref = am->arpm_pref;
++ } else {
++ prevp = rp;
++ pref = am->arpm_pref;
++ }
++ }
++ }
++
++replace:
++
++ ret = -ENOMEM;
++ r = kmem_cache_alloc(arpf_cachep, GFP_KERNEL);
++ if (!r)
++ return ret;
++ memset(r, 0, sizeof(*r));
++
++ arpf_get_str(ARPA_LLFROM, rta, r->at_llfrom, MAX_ADDR_LEN,
++ &r->at_llfrom_len);
++ arpf_get_str(ARPA_LLTO, rta, r->at_llto, MAX_ADDR_LEN,
++ &r->at_llto_len);
++ arpf_get_str(ARPA_LLSRC, rta, r->at_llsrc, MAX_ADDR_LEN,
++ &r->at_llsrc_len);
++ arpf_get_str(ARPA_LLDST, rta, r->at_lldst, MAX_ADDR_LEN,
++ &r->at_lldst_len);
++
++ if (delp)
++ r->at_next = (*delp)->at_next;
++ else if (*prevp)
++ r->at_next = *prevp;
++
++ r->at_pref = pref;
++ r->at_from_len = am->arpm_from_len;
++ r->at_from_mask = inet_make_mask(r->at_from_len);
++ if (rta[ARPA_FROM])
++ r->at_from = *(u32*) nla_data(rta[ARPA_FROM]);
++ r->at_from &= r->at_from_mask;
++ r->at_to_len = am->arpm_to_len;
++ r->at_to_mask = inet_make_mask(r->at_to_len);
++ if (rta[ARPA_TO])
++ r->at_to = *(u32*) nla_data(rta[ARPA_TO]);
++ r->at_to &= r->at_to_mask;
++ if (rta[ARPA_SRC])
++ r->at_src = *(u32*) nla_data(rta[ARPA_SRC]);
++ if (rta[ARPA_PACKETS]) {
++ u32 packets = *(u32*) nla_data(rta[ARPA_PACKETS]);
++ atomic_set(&r->at_packets, packets);
++ }
++ atomic_set(&r->at_refcnt, 1);
++ r->at_flags = am->arpm_flags;
++ r->at_action = am->arpm_action;
++
++ if (rta[ARPA_IIF] && (size = nla_len(rta[ARPA_IIF]))) {
++ if (size >= sizeof(r->at_iif))
++ size = sizeof(r->at_iif)-1;
++ memcpy(r->at_iif, nla_data(rta[ARPA_IIF]), size);
++ r->at_iif_len = strlen(r->at_iif);
++ }
++ if (rta[ARPA_OIF] && (size = nla_len(rta[ARPA_OIF]))) {
++ if (size >= sizeof(r->at_oif))
++ size = sizeof(r->at_oif)-1;
++ memcpy(r->at_oif, nla_data(rta[ARPA_OIF]), size);
++ r->at_oif_len = strlen(r->at_oif);
++ }
++
++ newp = r;
++
++dequeue:
++
++ if (delp) {
++ r = *delp;
++ write_lock_bh(&arpf_lock);
++ if (newp) {
++ if (!rta[ARPA_PACKETS])
++ atomic_set(&newp->at_packets,
++ atomic_read(&r->at_packets));
++ *delp = newp;
++ } else {
++ *delp = r->at_next;
++ }
++ r->at_dead = 1;
++ write_unlock_bh(&arpf_lock);
++ arpmsg_notify(skb, n, am->arpm_table, r, RTM_DELARPRULE);
++ arpf_put(r);
++ prevp = 0;
++ }
++
++ if (newp) {
++ if (prevp) {
++ write_lock_bh(&arpf_lock);
++ *prevp = newp;
++ write_unlock_bh(&arpf_lock);
++ }
++ arpmsg_notify(skb, n, am->arpm_table, newp, RTM_NEWARPRULE);
++ }
++
++ ret = 0;
++
++out:
++ return ret;
++}
++
++int arpf_dump_table(int t, struct sk_buff *skb, struct netlink_callback *cb)
++{
++ int idx, ret = -1;
++ struct arpf_node *afp;
++ int s_idx = cb->args[1];
++
++ for (idx=0, afp = arp_tabs[t]; afp; afp = afp->at_next, idx++) {
++ if (idx < s_idx)
++ continue;
++ if (arpf_fill_node(skb, NETLINK_CB(cb->skb).portid,
++ cb->nlh->nlmsg_seq, NLM_F_MULTI, RTM_NEWARPRULE, t, afp) < 0)
++ goto out;
++ }
++
++ ret = skb->len;
++
++out:
++ cb->args[1] = idx;
++
++ return ret;
++}
++
++int arpf_dump_rules(struct sk_buff *skb, struct netlink_callback *cb)
++{
++ int idx;
++ int s_idx = cb->args[0];
++
++ read_lock_bh(&arpf_lock);
++ for (idx = 0; idx < sizeof(arp_tabs)/sizeof(arp_tabs[0]); idx++) {
++ if (idx < s_idx)
++ continue;
++ if (idx > s_idx)
++ memset(&cb->args[1], 0, sizeof(cb->args)-1*sizeof(cb->args[0]));
++ if (arpf_dump_table(idx, skb, cb) < 0)
++ break;
++ }
++ read_unlock_bh(&arpf_lock);
++ cb->args[0] = idx;
++
++ return skb->len;
++}
++
+ /*
+ * Called once on startup.
+ */
+@@ -1288,6 +1939,16 @@ static int arp_proc_init(void);
+
+ void __init arp_init(void)
+ {
++ arpf_cachep = kmem_cache_create("ip_arpf_cache",
++ sizeof(struct arpf_node), 0,
++ SLAB_HWCACHE_ALIGN, NULL);
++ if (!arpf_cachep)
++ panic("IP: failed to allocate ip_arpf_cache\n");
++
++ rtnl_register(PF_UNSPEC, RTM_NEWARPRULE, arpf_rule_ctl, NULL, 0);
++ rtnl_register(PF_UNSPEC, RTM_DELARPRULE, arpf_rule_ctl, NULL, 0);
++ rtnl_register(PF_UNSPEC, RTM_GETARPRULE, NULL, arpf_dump_rules, 0);
++
+ neigh_table_init(NEIGH_ARP_TABLE, &arp_tbl);
+
+ dev_add_pack(&arp_packet_type);
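Review bot: The three rtnl_register() calls say nothing about what serializes arpf_rule_ctl against the arp_tabs readers, and the flags argument of 0 is what makes that work. Without RTNL_FLAG_DOIT_UNLOCKED the doit handler runs under RTNL, so RTM_NEWARPRULE/RTM_DELARPRULE list updates are RTNL-serialized while the lookup side takes arpf_lock (see the write_lock_bh/read_lock_bh pairs in arpf_rule_ctl and arpf_dump_rules above), and the CAP_NET_ADMIN requirement for the non-GET types comes from rtnetlink_rcv_msg rather than from the handler. I would record that next to the registrations: `/* doit runs under RTNL (flags 0): arp_tabs writers are RTNL-serialized, readers take arpf_lock; CAP_NET_ADMIN for NEW/DEL is enforced by rtnetlink core */`. arpf_rule_ctl itself starts before this hunk.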
+diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
+index c5ebfa199794..4e6f5095ec62 100644
+--- a/net/ipv4/devinet.c
++++ b/net/ipv4/devinet.c
+@@ -1312,9 +1312,14 @@ __be32 inet_select_addr(const struct net_device *dev, __be32 dst, int scope)
+ if (!in_dev)
+ continue;
+
+- addr = in_dev_select_addr(in_dev, scope);
+- if (addr)
+- goto out_unlock;
++ for_primary_ifa(in_dev) {
++ if (!IN_DEV_HIDDEN(in_dev) &&
++ ifa->ifa_scope != RT_SCOPE_LINK &&
++ ifa->ifa_scope <= scope) {
++ addr = ifa->ifa_local;
++ goto out_unlock;
++ }
++ } endfor_ifa(in_dev);
+ }
+ out_unlock:
+ rcu_read_unlock();
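Review bot: The hidden check is applied only to this fallback loop; if, as in the upstream function, the VRF-master branch just above the hunk still calls in_dev_select_addr() (the helper this hunk stops using here), a hidden address on a device enslaved to an L3 master can still be handed out, and the same `!IN_DEV_HIDDEN(in_dev)` test belongs there too. The test is also invariant for the whole for_primary_ifa walk, so `if (!in_dev || IN_DEV_HIDDEN(in_dev)) continue;` before the address loop reads more clearly than repeating it per address. The enclosing inet_select_addr() starts and ends outside this hunk.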
+@@ -2469,13 +2474,16 @@ static struct devinet_sysctl_table {
+ DEVINET_SYSCTL_RW_ENTRY(SEND_REDIRECTS, "send_redirects"),
+ DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
+ "accept_source_route"),
++ DEVINET_SYSCTL_RW_ENTRY(FORWARD_SHARED, "forward_shared"),
+ DEVINET_SYSCTL_RW_ENTRY(ACCEPT_LOCAL, "accept_local"),
+ DEVINET_SYSCTL_RW_ENTRY(SRC_VMARK, "src_valid_mark"),
+ DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
+ DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
++ DEVINET_SYSCTL_RW_ENTRY(RP_FILTER_MASK, "rp_filter_mask"),
+ DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
+ DEVINET_SYSCTL_RW_ENTRY(LOG_MARTIANS, "log_martians"),
+ DEVINET_SYSCTL_RW_ENTRY(TAG, "tag"),
++ DEVINET_SYSCTL_RW_ENTRY(HIDDEN, "hidden"),
+ DEVINET_SYSCTL_RW_ENTRY(ARPFILTER, "arp_filter"),
+ DEVINET_SYSCTL_RW_ENTRY(ARP_ANNOUNCE, "arp_announce"),
+ DEVINET_SYSCTL_RW_ENTRY(ARP_IGNORE, "arp_ignore"),
+diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
+index e54c2bcbb465..d6e9c855c9e9 100644
+--- a/net/ipv4/fib_frontend.c
++++ b/net/ipv4/fib_frontend.c
+@@ -47,6 +47,8 @@
+
+ #ifndef CONFIG_IP_MULTIPLE_TABLES
+
++#define FIB_RES_TABLE(r) (RT_TABLE_MAIN)
++
+ static int __net_init fib4_rules_init(struct net *net)
+ {
+ struct fib_table *local_table, *main_table;
+@@ -76,6 +78,8 @@ static bool fib4_has_custom_rules(struct net *net)
+ }
+ #else
+
++#define FIB_RES_TABLE(r) (fib_result_table(r))
++
+ struct fib_table *fib_new_table(struct net *net, u32 id)
+ {
+ struct fib_table *tb, *alias = NULL;
+@@ -347,13 +351,19 @@ EXPORT_SYMBOL_GPL(fib_info_nh_uses_dev);
+ */
+ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ u8 tos, int oif, struct net_device *dev,
+- int rpf, struct in_device *idev, u32 *itag)
++ int rpf, struct in_device *idev, u32 *itag,
++ int our)
+ {
+ struct net *net = dev_net(dev);
+ struct flow_keys flkeys;
++ u32 table;
++ unsigned char prefixlen;
++ unsigned char scope;
+ int ret, no_addr;
+ struct fib_result res;
+ struct flowi4 fl4;
++ int fwdsh;
++ unsigned int rpf_mask;
+ bool dev_match;
+
+ fl4.flowi4_oif = 0;
+@@ -367,10 +377,13 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ fl4.flowi4_tun_key.tun_id = 0;
+ fl4.flowi4_flags = 0;
+ fl4.flowi4_uid = sock_net_uid(net, NULL);
++ fl4.fl4_gw = 0;
+
+ no_addr = idev->ifa_list == NULL;
+
++ fwdsh = IN_DEV_FORWARD_SHARED(idev);
+ fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0;
++ rpf_mask = IN_DEV_RPFILTER_MASK(idev);
+ if (!fib4_rules_early_flow_dissect(net, skb, &fl4, &flkeys)) {
+ fl4.flowi4_proto = 0;
+ fl4.fl4_sport = 0;
+@@ -379,7 +392,12 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+
+ if (fib_lookup(net, &fl4, &res, 0))
+ goto last_resort;
+- if (res.type != RTN_UNICAST &&
++ if (fwdsh) {
++ fwdsh = (res.type == RTN_LOCAL && !our);
++ if (fwdsh)
++ rpf = 0;
++ }
++ if (res.type != RTN_UNICAST && !fwdsh &&
+ (res.type != RTN_LOCAL || !IN_DEV_ACCEPT_LOCAL(idev)))
+ goto e_inval;
+ fib_combine_itag(itag, &res);
+@@ -389,17 +407,36 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST;
+ return ret;
+ }
++ if (rpf_mask && rpf) {
++ int omi = 0;
++
++ idev = __in_dev_get_rcu(FIB_RES_DEV(res));
++ if (idev)
++ omi = IN_DEV_MEDIUM_ID(idev);
++ if (omi >= 1 && omi <= 31 && ((1 << omi) & rpf_mask))
++ rpf = 0;
++ }
+ if (no_addr)
+ goto last_resort;
+- if (rpf == 1)
+- goto e_rpf;
++ table = FIB_RES_TABLE(&res);
++ prefixlen = res.prefixlen;
++ scope = res.scope;
+ fl4.flowi4_oif = dev->ifindex;
++ if (fwdsh)
++ fl4.flowi4_iif = LOOPBACK_IFINDEX;
+
+ ret = 0;
+ if (fib_lookup(net, &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE) == 0) {
+- if (res.type == RTN_UNICAST)
++ if (res.type == RTN_UNICAST &&
++ ((table == FIB_RES_TABLE(&res) &&
++ res.prefixlen >= prefixlen && res.scope >= scope) ||
++ !rpf)) {
+ ret = FIB_RES_NHC(res)->nhc_scope >= RT_SCOPE_HOST;
++ return ret;
++ }
+ }
++ if (rpf == 1)
++ goto e_rpf;
+ return ret;
+
+ last_resort:
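Review bot: `(1 << omi) & rpf_mask` shifts a signed int by up to 31, and `1 << 31` overflows int, which is undefined behaviour in C; since rpf_mask is unsigned the test should be `((1U << omi) & rpf_mask)`. The same block overwrites the `idev` parameter with the egress device's in_device, so any code added after it that reads idev silently sees the wrong interface — a separate local such as `struct in_device *out_idev = __in_dev_get_rcu(FIB_RES_DEV(res));` avoids that. I cannot tell from the hunk whether FIB_RES_DEV(res) is guaranteed non-NULL for every result type that reaches this point; if it is not, the __in_dev_get_rcu() call needs a NULL guard. __fib_validate_source() starts before this hunk and its error labels follow it.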
+@@ -417,7 +454,7 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ /* Ignore rp_filter for packets protected by IPsec. */
+ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ u8 tos, int oif, struct net_device *dev,
+- struct in_device *idev, u32 *itag)
++ struct in_device *idev, u32 *itag, int our)
+ {
+ int r = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev);
+ struct net *net = dev_net(dev);
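Review bot: The new `our` parameter is undocumented, and its meaning is only recoverable from the call sites in route.c (1 for local, broadcast and multicast input, 0 from __mkroute_input for forwarded packets) and from the `res.type == RTN_LOCAL && !our` test in __fib_validate_source. I would extend the comment above the prototype: `/* our: non-zero when the packet is addressed to this host, zero when it is being forwarded; forward_shared relaxes rp_filter only for the latter. */`. The body of fib_validate_source continues outside this hunk.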
+@@ -442,7 +479,8 @@ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
+ }
+
+ full_check:
+- return __fib_validate_source(skb, src, dst, tos, oif, dev, r, idev, itag);
++ return __fib_validate_source(skb, src, dst, tos, oif, dev, r, idev,
++ itag, our);
+ }
+
+ static inline __be32 sk_extract_addr(struct sockaddr *addr)
+@@ -1381,9 +1419,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
+ switch (event) {
+ case NETDEV_UP:
+ fib_add_ifaddr(ifa);
+-#ifdef CONFIG_IP_ROUTE_MULTIPATH
+ fib_sync_up(dev, RTNH_F_DEAD);
+-#endif
+ atomic_inc(&net->ipv4.dev_addr_genid);
+ rt_cache_flush(dev_net(dev));
+ break;
+@@ -1427,9 +1463,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
+ for_ifa(in_dev) {
+ fib_add_ifaddr(ifa);
+ } endfor_ifa(in_dev);
+-#ifdef CONFIG_IP_ROUTE_MULTIPATH
+ fib_sync_up(dev, RTNH_F_DEAD);
+-#endif
+ atomic_inc(&net->ipv4.dev_addr_genid);
+ rt_cache_flush(net);
+ break;
+diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
+index a38e86b98e4f..ce7a61d53ac9 100644
+--- a/net/ipv4/fib_rules.c
++++ b/net/ipv4/fib_rules.c
+@@ -74,6 +74,11 @@ unsigned int fib4_rules_seq_read(struct net *net)
+ return fib_rules_seq_read(net, AF_INET);
+ }
+
++u32 fib_result_table(struct fib_result *res)
++{
++ return res->table ? res->table->tb_id : RT_TABLE_UNSPEC;
++}
++
+ int __fib_lookup(struct net *net, struct flowi4 *flp,
+ struct fib_result *res, unsigned int flags)
+ {
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index bfa49a88d03a..e213bac33fe5 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -51,6 +51,7 @@ static struct hlist_head *fib_info_hash;
+ static struct hlist_head *fib_info_laddrhash;
+ static unsigned int fib_info_hash_size;
+ static unsigned int fib_info_cnt;
++DEFINE_RWLOCK(fib_nhflags_lock);
+
+ #define DEVINDEX_HASHBITS 8
+ #define DEVINDEX_HASHSIZE (1U << DEVINDEX_HASHBITS)
+@@ -451,36 +452,78 @@ void rtmsg_fib(int event, __be32 key, struct fib_alias *fa,
+
+ static int fib_detect_death(struct fib_info *fi, int order,
+ struct fib_info **last_resort, int *last_idx,
+- int dflt)
++ int dflt, int *last_nhsel,
++ const struct flowi4 *flp)
+ {
+- const struct fib_nh_common *nhc = fib_info_nhc(fi, 0);
++ const struct fib_nh_common *nhc;
+ struct neighbour *n;
+- int state = NUD_NONE;
++ int nhsel;
++ int state;
++ struct fib_nh * nh;
++ int flag, dead = 1;
+
+- if (likely(nhc->nhc_gw_family == AF_INET))
+- n = neigh_lookup(&arp_tbl, &nhc->nhc_gw.ipv4, nhc->nhc_dev);
+- else if (nhc->nhc_gw_family == AF_INET6)
+- n = neigh_lookup(ipv6_stub->nd_tbl, &nhc->nhc_gw.ipv6,
+- nhc->nhc_dev);
+- else
+- n = NULL;
++ /* change_nexthops(fi) { */
++ for (nhsel = 0, nh = fi->fib_nh; nhsel < fi->fib_nhs; nh++, nhsel++) {
++ if (flp->flowi4_oif && flp->flowi4_oif != nh->fib_nh_oif &&
++ !(flp->flowi4_flags & FLOWI_FLAG_SKIP_NH_OIF))
++ continue;
++ if (flp->fl4_gw && flp->fl4_gw != nh->fib_nh_gw4 &&
++ nh->fib_nh_gw4 && nh->fib_nh_scope == RT_SCOPE_LINK)
++ continue;
++ if (nh->fib_nh_flags & RTNH_F_DEAD)
++ continue;
+
+- if (n) {
+- state = n->nud_state;
+- neigh_release(n);
+- } else {
+- return 0;
+- }
+- if (state == NUD_REACHABLE)
+- return 0;
+- if ((state & NUD_VALID) && order != dflt)
+- return 0;
+- if ((state & NUD_VALID) ||
+- (*last_idx < 0 && order > dflt && state != NUD_INCOMPLETE)) {
+- *last_resort = fi;
+- *last_idx = order;
++ flag = 0;
++ if (nh->fib_nh_dev->flags & IFF_NOARP) {
++ dead = 0;
++ goto setfl;
++ }
++
++ state = NUD_NONE;
++ nhc = fib_info_nhc(fi, nhsel);
++ if (!nhc->nhc_gw_family || nh->fib_nh_scope != RT_SCOPE_LINK ||
++ (nhc->nhc_gw_family == AF_INET && !nhc->nhc_gw.ipv4))
++ n = neigh_lookup(&arp_tbl, &flp->daddr,
++ nhc->nhc_dev);
++ else if (likely(nhc->nhc_gw_family == AF_INET))
++ n = neigh_lookup(&arp_tbl, &nhc->nhc_gw.ipv4,
++ nhc->nhc_dev);
++ else if (nhc->nhc_gw_family == AF_INET6)
++ n = neigh_lookup(ipv6_stub->nd_tbl, &nhc->nhc_gw.ipv6,
++ nhc->nhc_dev);
++ else
++ n = NULL;
++ if (n) {
++ state = n->nud_state;
++ neigh_release(n);
++ }
++ if (state == NUD_REACHABLE ||
++ ((state & NUD_VALID) && order != dflt)) {
++ dead = 0;
++ goto setfl;
++ }
++ if (!(state & NUD_VALID))
++ flag = 1;
++ if (!dead)
++ goto setfl;
++ if ((state & NUD_VALID) ||
++ (*last_idx < 0 && order >= dflt)) {
++ *last_resort = fi;
++ *last_idx = order;
++ *last_nhsel = nhsel;
++ }
++
++setfl:
++ read_lock_bh(&fib_nhflags_lock);
++ if (flag)
++ nh->fib_nh_flags |= RTNH_F_SUSPECT;
++ else
++ nh->fib_nh_flags &= ~RTNH_F_SUSPECT;
++ read_unlock_bh(&fib_nhflags_lock);
+ }
+- return 1;
++ /* } endfor_nexthops(fi) */
++
++ return dead;
+ }
+
+ int fib_nh_common_init(struct fib_nh_common *nhc, struct nlattr *encap,
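Review bot: The `setfl:` block updates `nh->fib_nh_flags` under read_lock_bh(&fib_nhflags_lock), and a read lock does not exclude other readers, so two lookups on different CPUs can perform this read-modify-write concurrently; more importantly the existing `nexthop_nh->fib_nh_flags &= ~nh_flags;` line in the fib_sync_up hunk below modifies the same word without taking the lock at all, so a SUSPECT update here can clobber the DEAD/LINKDOWN clear there or vice versa. Taking the write lock at both sites (fib_sync_up runs under RTNL, not under this lock) closes that. The `/* change_nexthops(fi) { */` and `/* } endfor_nexthops(fi) */` comments around a hand-written loop are misleading; this file's idiom is the real `change_nexthops(fi) { ... } endfor_nexthops(fi)` macro pair, or the comments should go.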
+@@ -962,6 +1005,7 @@ static int fib_check_nh_v6_gw(struct net *net, struct fib_nh *nh,
+ static int fib_check_nh_v4_gw(struct net *net, struct fib_nh *nh, u32 table,
+ u8 scope, struct netlink_ext_ack *extack)
+ {
++ struct fib_info *fi = nh->nh_parent;
+ struct net_device *dev;
+ struct fib_result res;
+ int err = 0;
+@@ -979,8 +1023,12 @@ static int fib_check_nh_v4_gw(struct net *net, struct fib_nh *nh, u32 table,
+ return -ENODEV;
+ }
+ if (!(dev->flags & IFF_UP)) {
+- NL_SET_ERR_MSG(extack, "Nexthop device is not up");
+- return -ENETDOWN;
++ if (fi->fib_protocol != RTPROT_STATIC) {
++ NL_SET_ERR_MSG(extack,
++ "Nexthop device is not up");
++ return -ENETDOWN;
++ }
++ nh->fib_nh_flags |= RTNH_F_DEAD;
+ }
+ addr_type = inet_addr_type_dev_table(net, dev, nh->fib_nh_gw4);
+ if (addr_type != RTN_UNICAST) {
+@@ -1024,11 +1072,29 @@ static int fib_check_nh_v4_gw(struct net *net, struct fib_nh *nh, u32 table,
+ err = fib_lookup(net, &fl4, &res,
+ FIB_LOOKUP_IGNORE_LINKSTATE);
+ }
++ }
+
+- if (err) {
++ if (err) {
++ struct in_device *in_dev;
++
++ if (err != -ENETUNREACH ||
++ fi->fib_protocol != RTPROT_STATIC) {
+ NL_SET_ERR_MSG(extack, "Nexthop has invalid gateway");
+ goto out;
+ }
++ in_dev = inetdev_by_index(net, nh->fib_nh_oif);
++ if (in_dev == NULL ||
++ in_dev->dev->flags & IFF_UP) {
++ NL_SET_ERR_MSG(extack,
++ "Nexthop has invalid gateway");
++ goto out;
++ }
++ nh->fib_nh_flags |= RTNH_F_DEAD;
++ nh->fib_nh_scope = RT_SCOPE_LINK;
++ nh->fib_nh_dev = in_dev->dev;
++ dev_hold(nh->fib_nh_dev);
++ err = 0;
++ goto out;
+ }
+
+ err = -EINVAL;
+@@ -1047,7 +1113,16 @@ static int fib_check_nh_v4_gw(struct net *net, struct fib_nh *nh, u32 table,
+ dev_hold(dev);
+ if (!netif_carrier_ok(dev))
+ nh->fib_nh_flags |= RTNH_F_LINKDOWN;
+- err = (dev->flags & IFF_UP) ? 0 : -ENETDOWN;
++ if (!(dev->flags & IFF_UP)) {
++ if (fi->fib_protocol != RTPROT_STATIC) {
++ err = -ENETDOWN;
++ NL_SET_ERR_MSG(extack,
++ "Device for nexthop is not up");
++ goto out;
++ }
++ nh->fib_nh_flags |= RTNH_F_DEAD;
++ }
++ err = 0;
+ out:
+ rcu_read_unlock();
+ return err;
+@@ -1056,6 +1131,7 @@ static int fib_check_nh_v4_gw(struct net *net, struct fib_nh *nh, u32 table,
+ static int fib_check_nh_nongw(struct net *net, struct fib_nh *nh,
+ struct netlink_ext_ack *extack)
+ {
++ struct fib_info *fi = nh->nh_parent;
+ struct in_device *in_dev;
+ int err;
+
+@@ -1073,8 +1149,11 @@ static int fib_check_nh_nongw(struct net *net, struct fib_nh *nh,
+ goto out;
+ err = -ENETDOWN;
+ if (!(in_dev->dev->flags & IFF_UP)) {
+- NL_SET_ERR_MSG(extack, "Device for nexthop is not up");
+- goto out;
++ if (fi->fib_protocol != RTPROT_STATIC) {
++ NL_SET_ERR_MSG(extack, "Device for nexthop is not up");
++ goto out;
++ }
++ nh->fib_nh_flags |= RTNH_F_DEAD;
+ }
+
+ nh->fib_nh_dev = in_dev->dev;
+@@ -1777,10 +1856,15 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force)
+ prev_fi = fi;
+ dead = 0;
+ change_nexthops(fi) {
+- if (nexthop_nh->fib_nh_flags & RTNH_F_DEAD)
+- dead++;
+- else if (nexthop_nh->fib_nh_dev == dev &&
+- nexthop_nh->fib_nh_scope != scope) {
++ if (nexthop_nh->fib_nh_flags & RTNH_F_DEAD) {
++ if (fi->fib_protocol != RTPROT_STATIC ||
++ !nexthop_nh->fib_nh_dev ||
++ !__in_dev_get_rtnl(nexthop_nh->fib_nh_dev) ||
++ nexthop_nh->fib_nh_dev->flags&IFF_UP)
++ dead++;
++ } else if (nexthop_nh->fib_nh_dev == dev &&
++ nexthop_nh->fib_nh_scope != scope) {
++ write_lock_bh(&fib_nhflags_lock);
+ switch (event) {
+ case NETDEV_DOWN:
+ case NETDEV_UNREGISTER:
+@@ -1792,7 +1876,11 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force)
+ }
+ call_fib_nh_notifiers(nexthop_nh,
+ FIB_EVENT_NH_DEL);
+- dead++;
++ write_unlock_bh(&fib_nhflags_lock);
++ if (fi->fib_protocol != RTPROT_STATIC ||
++ force ||
++ !__in_dev_get_rtnl(dev))
++ dead++;
+ }
+ #ifdef CONFIG_IP_ROUTE_MULTIPATH
+ if (event == NETDEV_UNREGISTER &&
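Review bot: write_lock_bh(&fib_nhflags_lock) is taken before the switch in the previous hunk and released only after call_fib_nh_notifiers() here, so the notifier chain runs with the lock held and bottom halves disabled. The state the lock protects is the `fib_nh_flags` assignments inside the switch, so moving `write_unlock_bh(&fib_nhflags_lock);` to just before the call_fib_nh_notifiers() call keeps the protection while shortening the critical section. If the fib notifier chain is atomic in this tree this is only a latency point; if any notifier can sleep it is a bug. fib_sync_down_dev() starts and ends outside these hunks.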
+@@ -1822,13 +1910,13 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force)
+ }
+
+ /* Must be invoked inside of an RCU protected region. */
+-static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
++void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
+ {
+ struct fib_info *fi = NULL, *last_resort = NULL;
+ struct hlist_head *fa_head = res->fa_head;
+ struct fib_table *tb = res->table;
+ u8 slen = 32 - res->prefixlen;
+- int order = -1, last_idx = -1;
++ int order = -1, last_idx = -1, last_nhsel = 0;
+ struct fib_alias *fa, *fa1 = NULL;
+ u32 last_prio = res->fi->fib_priority;
+ u8 last_tos = 0;
+@@ -1856,9 +1944,6 @@ static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
+ if (next_fi->fib_scope != res->scope ||
+ fa->fa_type != RTN_UNICAST)
+ continue;
+- if (!next_fi->fib_nh[0].fib_nh_gw4 ||
+- next_fi->fib_nh[0].fib_nh_scope != RT_SCOPE_LINK)
+- continue;
+
+ fib_alias_accessed(fa);
+
+@@ -1867,7 +1952,8 @@ static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
+ break;
+ fa1 = fa;
+ } else if (!fib_detect_death(fi, order, &last_resort,
+- &last_idx, fa1->fa_default)) {
++ &last_idx, fa1->fa_default,
++ &last_nhsel, flp)) {
+ fib_result_assign(res, fi);
+ fa1->fa_default = order;
+ goto out;
+@@ -1877,28 +1963,39 @@ static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
+ }
+
+ if (order <= 0 || !fi) {
++ if (fi && fi->fib_nhs > 1 &&
++ fib_detect_death(fi, order, &last_resort, &last_idx,
++ fa1->fa_default, &last_nhsel, flp) &&
++ last_resort == fi) {
++ read_lock_bh(&fib_nhflags_lock);
++ fi->fib_nh[last_nhsel].fib_nh_flags &= ~RTNH_F_SUSPECT;
++ read_unlock_bh(&fib_nhflags_lock);
++ }
+ if (fa1)
+ fa1->fa_default = -1;
+ goto out;
+ }
+
+ if (!fib_detect_death(fi, order, &last_resort, &last_idx,
+- fa1->fa_default)) {
++ fa1->fa_default, &last_nhsel, flp)) {
+ fib_result_assign(res, fi);
+ fa1->fa_default = order;
+ goto out;
+ }
+
+- if (last_idx >= 0)
++ if (last_idx >= 0) {
+ fib_result_assign(res, last_resort);
++ read_lock_bh(&fib_nhflags_lock);
++ last_resort->fib_nh[last_nhsel].fib_nh_flags &= ~RTNH_F_SUSPECT;
++ read_unlock_bh(&fib_nhflags_lock);
++ }
+ fa1->fa_default = last_idx;
+ out:
+ return;
+ }
+
+ /*
+- * Dead device goes up. We wake up dead nexthops.
+- * It takes sense only on multipath routes.
++ * Dead device goes up or new address is added. We wake up dead nexthops.
+ */
+ int fib_sync_up(struct net_device *dev, unsigned char nh_flags)
+ {
+@@ -1906,8 +2003,10 @@ int fib_sync_up(struct net_device *dev, unsigned char nh_flags)
+ unsigned int hash;
+ struct hlist_head *head;
+ struct fib_nh *nh;
+- int ret;
++ struct fib_result res;
++ int ret, rep;
+
++repeat:
+ if (!(dev->flags & IFF_UP))
+ return 0;
+
+@@ -1922,6 +2021,7 @@ int fib_sync_up(struct net_device *dev, unsigned char nh_flags)
+ hash = fib_devindex_hashfn(dev->ifindex);
+ head = &fib_info_devhash[hash];
+ ret = 0;
++ rep = 0;
+
+ hlist_for_each_entry(nh, head, nh_hash) {
+ struct fib_info *fi = nh->nh_parent;
+@@ -1934,16 +2034,39 @@ int fib_sync_up(struct net_device *dev, unsigned char nh_flags)
+ prev_fi = fi;
+ alive = 0;
+ change_nexthops(fi) {
+- if (!(nexthop_nh->fib_nh_flags & nh_flags)) {
+- alive++;
++ if (!(nexthop_nh->fib_nh_flags & nh_flags))
+ continue;
+- }
+ if (!nexthop_nh->fib_nh_dev ||
+ !(nexthop_nh->fib_nh_dev->flags & IFF_UP))
+ continue;
+ if (nexthop_nh->fib_nh_dev != dev ||
+ !__in_dev_get_rtnl(dev))
+ continue;
++ if ((nh_flags & RTNH_F_DEAD) &&
++ nexthop_nh->fib_nh_gw4 &&
++ nexthop_nh->fib_nh_gw_family == AF_INET &&
++ fi->fib_protocol == RTPROT_STATIC) {
++ struct flowi4 fl4 = {
++ .daddr = nexthop_nh->fib_nh_gw4,
++ .flowi4_scope = nexthop_nh->fib_nh_scope,
++ .flowi4_oif = nexthop_nh->fib_nh_oif,
++ };
++
++ rcu_read_lock();
++ if (fib_lookup(dev_net(dev), &fl4, &res,
++ FIB_LOOKUP_IGNORE_LINKSTATE) != 0) {
++ rcu_read_unlock();
++ continue;
++ }
++ if (res.type != RTN_UNICAST &&
++ res.type != RTN_LOCAL) {
++ rcu_read_unlock();
++ continue;
++ }
++ nexthop_nh->fib_nh_scope = res.scope;
++ rcu_read_unlock();
++ rep = 1;
++ }
+ alive++;
+ nexthop_nh->fib_nh_flags &= ~nh_flags;
+ call_fib_nh_notifiers(nexthop_nh, FIB_EVENT_NH_ADD);
+@@ -1956,6 +2079,8 @@ int fib_sync_up(struct net_device *dev, unsigned char nh_flags)
+
+ fib_rebalance(fi);
+ }
++ if (rep)
++ goto repeat;
+
+ return ret;
+ }
+@@ -2017,23 +2142,16 @@ void fib_select_multipath(struct fib_result *res, int hash)
+ void fib_select_path(struct net *net, struct fib_result *res,
+ struct flowi4 *fl4, const struct sk_buff *skb)
+ {
+- if (fl4->flowi4_oif && !(fl4->flowi4_flags & FLOWI_FLAG_SKIP_NH_OIF))
+- goto check_saddr;
+-
++ if (res->type == RTN_UNICAST)
++ fib_select_default(fl4, res);
+ #ifdef CONFIG_IP_ROUTE_MULTIPATH
+ if (res->fi->fib_nhs > 1) {
+ int h = fib_multipath_hash(net, fl4, skb, NULL);
+
+ fib_select_multipath(res, h);
+ }
+- else
+ #endif
+- if (!res->prefixlen &&
+- res->table->tb_num_default > 1 &&
+- res->type == RTN_UNICAST)
+- fib_select_default(fl4, res);
+
+-check_saddr:
+ if (!fl4->saddr)
+ fl4->saddr = fib_result_prefsrc(net, res);
+ }
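Review bot: fib_select_default() is now called for every RTN_UNICAST result rather than only when `!res->prefixlen && res->table->tb_num_default > 1`, and it reads `res->fi->fib_priority` unconditionally; the ip_mkroute_input hunk in route.c makes the same call one line before an existing `res->fi &&` guard, so either that guard is dead or both new calls need `if (res->fi && res->type == RTN_UNICAST)`. Independently, the removed gate was what kept the alias walk and neighbour lookups inside fib_select_default() off the common path, and the commit message does not mention the cost of running it on every unicast lookup. fib_select_default is defined in the earlier hunks of this file.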
+diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
+index 868c74771fa9..62c60f66270c 100644
+--- a/net/ipv4/fib_trie.c
++++ b/net/ipv4/fib_trie.c
+@@ -1470,6 +1470,11 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp,
+ if (flp->flowi4_oif &&
+ flp->flowi4_oif != nhc->nhc_oif)
+ continue;
++ if (flp->fl4_gw &&
++ flp->fl4_gw != nhc->nhc_gw.ipv4 &&
++ nhc->nhc_gw.ipv4 &&
++ nhc->nhc_scope == RT_SCOPE_LINK)
++ continue;
+ }
+
+ if (!(fib_flags & FIB_LOOKUP_NOREF))
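Review bot: The new gateway filter compares `flp->fl4_gw` with `nhc->nhc_gw.ipv4` without checking `nhc->nhc_gw_family`; nhc_gw is a union, so for a nexthop with an IPv6 gateway the first four bytes of that address are read as an IPv4 gateway and the route can be wrongly skipped or wrongly matched. The same pattern appears in fib_detect_death (`flp->fl4_gw != nh->fib_nh_gw4`), which the patch's own gateway handling a few lines later does guard with the family. Guard both, e.g. `if (flp->fl4_gw && nhc->nhc_gw_family == AF_INET && flp->fl4_gw != nhc->nhc_gw.ipv4 && nhc->nhc_gw.ipv4 && nhc->nhc_scope == RT_SCOPE_LINK) continue;`. fib_table_lookup() starts and ends outside this hunk.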
+diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
+index ad33687b7444..49d98f51458b 100644
+--- a/net/ipv4/netfilter/iptable_nat.c
++++ b/net/ipv4/netfilter/iptable_nat.c
+@@ -40,6 +40,13 @@ static const struct nf_hook_ops nf_nat_ipv4_ops[] = {
+ .hooknum = NF_INET_PRE_ROUTING,
+ .priority = NF_IP_PRI_NAT_DST,
+ },
++ /* Before routing, route before mangling */
++ {
++ .hook = ip_nat_route_input,
++ .pf = NFPROTO_IPV4,
++ .hooknum = NF_INET_PRE_ROUTING,
++ .priority = NF_IP_PRI_LAST-1,
++ },
+ {
+ .hook = iptable_nat_do_chain,
+ .pf = NFPROTO_IPV4,
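Review bot: Adding a second NF_INET_PRE_ROUTING entry to nf_nat_ipv4_ops probably does not register ip_nat_route_input as an independent hook at NF_IP_PRI_LAST-1. In this tree the entries of this array are handed to nf_nat_ipv4_register_fn(), which folds each one into the shared per-hooknum NAT hook as a lookup callback; those callbacks are invoked by the NAT core only for a new conntrack that has no NAT binding yet, whereas ip_nat_route_input returns NF_ACCEPT unless IPS_NAT_DONE_MASK is already set, so as wired here it would likely never do its work. Please verify against nf_nat_register_fn(); if that reading is right, the hook needs its own nf_register_net_hooks() registration with the intended priority instead of a slot in this table.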
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 8ea0735a6754..a94f9c1efbe4 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1704,7 +1704,7 @@ int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ return -EINVAL;
+ } else {
+ err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
+- in_dev, itag);
++ in_dev, itag, 1);
+ if (err < 0)
+ return err;
+ }
+@@ -1779,7 +1779,7 @@ static void ip_handle_martian_source(struct net_device *dev,
+ static int __mkroute_input(struct sk_buff *skb,
+ const struct fib_result *res,
+ struct in_device *in_dev,
+- __be32 daddr, __be32 saddr, u32 tos)
++ __be32 daddr, __be32 saddr, u32 tos, __be32 lsrc)
+ {
+ struct fib_nh_common *nhc = FIB_RES_NHC(*res);
+ struct net_device *dev = nhc->nhc_dev;
+@@ -1798,7 +1798,7 @@ static int __mkroute_input(struct sk_buff *skb,
+ }
+
+ err = fib_validate_source(skb, saddr, daddr, tos, FIB_RES_OIF(*res),
+- in_dev->dev, in_dev, &itag);
++ in_dev->dev, in_dev, &itag, 0);
+ if (err < 0) {
+ ip_handle_martian_source(in_dev->dev, in_dev, skb, daddr,
+ saddr);
+@@ -1808,7 +1808,7 @@ static int __mkroute_input(struct sk_buff *skb,
+
+ do_cache = res->fi && !itag;
+ if (out_dev == in_dev && err && IN_DEV_TX_REDIRECTS(out_dev) &&
+- skb->protocol == htons(ETH_P_IP)) {
++ skb->protocol == htons(ETH_P_IP) && !lsrc) {
+ __be32 gw;
+
+ gw = nhc->nhc_gw_family == AF_INET ? nhc->nhc_gw.ipv4 : 0;
+@@ -1974,10 +1974,12 @@ int fib_multipath_hash(const struct net *net, const struct flowi4 *fl4,
+
+ static int ip_mkroute_input(struct sk_buff *skb,
+ struct fib_result *res,
++ const struct flowi4 *fl4,
+ struct in_device *in_dev,
+ __be32 daddr, __be32 saddr, u32 tos,
+- struct flow_keys *hkeys)
++ struct flow_keys *hkeys, __be32 lsrc)
+ {
++ fib_select_default(fl4, res);
+ #ifdef CONFIG_IP_ROUTE_MULTIPATH
+ if (res->fi && res->fi->fib_nhs > 1) {
+ int h = fib_multipath_hash(res->fi->fib_net, NULL, skb, hkeys);
+@@ -1987,7 +1989,7 @@ static int ip_mkroute_input(struct sk_buff *skb,
+ #endif
+
+ /* create a routing cache entry */
+- return __mkroute_input(skb, res, in_dev, daddr, saddr, tos);
++ return __mkroute_input(skb, res, in_dev, daddr, saddr, tos, lsrc);
+ }
+
+ /*
+@@ -2002,7 +2004,7 @@ static int ip_mkroute_input(struct sk_buff *skb,
+ */
+
+ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+- u8 tos, struct net_device *dev,
++ u8 tos, struct net_device *dev, __be32 lsrc,
+ struct fib_result *res)
+ {
+ struct in_device *in_dev = __in_dev_get_rcu(dev);
+@@ -2060,18 +2062,25 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ goto martian_source;
+ }
+
++ if (lsrc) {
++ if (ipv4_is_multicast(lsrc) || ipv4_is_lbcast(lsrc) ||
++ ipv4_is_zeronet(lsrc) || ipv4_is_loopback(lsrc))
++ goto martian_source;
++ }
++
+ /*
+ * Now we are ready to route packet.
+ */
+ fl4.flowi4_oif = 0;
+- fl4.flowi4_iif = dev->ifindex;
++ fl4.flowi4_iif = lsrc ? LOOPBACK_IFINDEX : dev->ifindex;
+ fl4.flowi4_mark = skb->mark;
+ fl4.flowi4_tos = tos;
+ fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
+ fl4.flowi4_flags = 0;
+ fl4.daddr = daddr;
+- fl4.saddr = saddr;
++ fl4.saddr = lsrc? : saddr;
+ fl4.flowi4_uid = sock_net_uid(net, NULL);
++ fl4.fl4_gw = 0;
+
+ if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys)) {
+ flkeys = &_flkeys;
+@@ -2082,6 +2091,8 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ }
+
+ err = fib_lookup(net, &fl4, res, 0);
++ fl4.flowi4_iif = dev->ifindex;
++ fl4.saddr = saddr;
+ if (err != 0) {
+ if (!IN_DEV_FORWARD(in_dev))
+ err = -EHOSTUNREACH;
+@@ -2099,7 +2110,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+
+ if (res->type == RTN_LOCAL) {
+ err = fib_validate_source(skb, saddr, daddr, tos,
+- 0, dev, in_dev, &itag);
++ 0, dev, in_dev, &itag, 1);
+ if (err < 0)
+ goto martian_source;
+ goto local_input;
+@@ -2113,16 +2124,19 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ goto martian_destination;
+
+ make_route:
+- err = ip_mkroute_input(skb, res, in_dev, daddr, saddr, tos, flkeys);
++ err = ip_mkroute_input(skb, res, &fl4, in_dev, daddr, saddr, tos,
++ flkeys, lsrc);
+ out: return err;
+
+ brd_input:
+ if (skb->protocol != htons(ETH_P_IP))
+ goto e_inval;
++ if (lsrc)
++ goto e_inval;
+
+ if (!ipv4_is_zeronet(saddr)) {
+ err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
+- in_dev, &itag);
++ in_dev, &itag, 1);
+ if (err < 0)
+ goto martian_source;
+ }
+@@ -2225,9 +2239,26 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ }
+ EXPORT_SYMBOL(ip_route_input_noref);
+
++int ip_route_input_lookup(struct sk_buff *skb, __be32 daddr, __be32 saddr,
++ u8 tos, struct net_device *dev, __be32 lsrc)
++{
++ struct fib_result res;
++ int err;
++
++ tos &= IPTOS_RT_MASK;
++ rcu_read_lock();
++ err = ip_route_input_common_rcu(skb, daddr, saddr, tos, dev, lsrc,
++ &res);
++ rcu_read_unlock();
++
++ return err;
++}
++EXPORT_SYMBOL(ip_route_input_lookup);
++
+ /* called with rcu_read_lock held */
+-int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+- u8 tos, struct net_device *dev, struct fib_result *res)
++int ip_route_input_common_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
++ u8 tos, struct net_device *dev, __be32 lsrc,
++ struct fib_result *res)
+ {
+ /* Multicast recognition logic is moved from route cache to here.
+ The problem was that too many Ethernet cards have broken/missing
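Review bot: ip_route_input_lookup() is a new exported entry point with no comment explaining `lsrc`, which is the only thing distinguishing it from ip_route_input_noref(), and ip_route_input_common_rcu() is likewise uncommented. From the callers, lsrc is an alternate source address to route the packet as (the reverse-tuple address in ip_nat_route_input): it replaces saddr and forces flowi4_iif to LOOPBACK_IFINDEX for the FIB lookup only, and it must not be multicast, broadcast, zeronet or loopback. I would put a kernel-doc block above ip_route_input_lookup saying that, and noting that on success the input path presumably attaches a dst to the skb (ip_nat_route_input skips the call when skb_dst is already set) and that the function only holds rcu for the duration of the lookup. The lsrc validation and the lookup it drives live in the ip_route_input_slow hunks above.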
+@@ -2273,7 +2304,13 @@ int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ return err;
+ }
+
+- return ip_route_input_slow(skb, daddr, saddr, tos, dev, res);
++ return ip_route_input_slow(skb, daddr, saddr, tos, dev, lsrc, res);
++}
++
++int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
++ u8 tos, struct net_device *dev, struct fib_result *res)
++{
++ return ip_route_input_common_rcu(skb, daddr, saddr, tos, dev, 0, res);
+ }
+
+ /* called with rcu_read_lock() */
+@@ -2525,6 +2562,7 @@ struct rtable *ip_route_output_key_hash_rcu(struct net *net, struct flowi4 *fl4,
+ fl4->daddr = fl4->saddr = htonl(INADDR_LOOPBACK);
+ dev_out = net->loopback_dev;
+ fl4->flowi4_oif = LOOPBACK_IFINDEX;
++ fl4->fl4_gw = 0;
+ res->type = RTN_LOCAL;
+ flags |= RTCF_LOCAL;
+ goto make_route;
+@@ -2583,6 +2621,7 @@ struct rtable *ip_route_output_key_hash_rcu(struct net *net, struct flowi4 *fl4,
+ orig_oif = FIB_RES_OIF(*res);
+
+ fl4->flowi4_oif = dev_out->ifindex;
++ fl4->fl4_gw = 0;
+ flags |= RTCF_LOCAL;
+ goto make_route;
+ }
+diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
+index 9ab410455992..bcee16d565fe 100644
+--- a/net/netfilter/nf_nat_core.c
++++ b/net/netfilter/nf_nat_core.c
+@@ -1148,6 +1148,49 @@ static struct nf_nat_hook nat_hook = {
+ .manip_pkt = nf_nat_manip_pkt,
+ };
+
++unsigned int ip_nat_route_input(void *priv,
++ struct sk_buff *skb,
++ const struct nf_hook_state *state)
++{
++ struct iphdr *iph;
++ struct nf_conn *conn;
++ enum ip_conntrack_info ctinfo;
++ enum ip_conntrack_dir dir;
++ unsigned long statusbit;
++ __be32 saddr;
++
++ if (!(conn = nf_ct_get(skb, &ctinfo)))
++ return NF_ACCEPT;
++
++ if (!(conn->status & IPS_NAT_DONE_MASK))
++ return NF_ACCEPT;
++ dir = CTINFO2DIR(ctinfo);
++ statusbit = IPS_SRC_NAT;
++ if (dir == IP_CT_DIR_REPLY)
++ statusbit ^= IPS_NAT_MASK;
++ if (!(conn->status & statusbit))
++ return NF_ACCEPT;
++
++ if (skb_dst(skb))
++ return NF_ACCEPT;
++
++ if (skb->len < sizeof(struct iphdr))
++ return NF_ACCEPT;
++
++ /* use daddr in other direction as masquerade address (lsrc) */
++ iph = ip_hdr(skb);
++ saddr = conn->tuplehash[!dir].tuple.dst.u3.ip;
++ if (saddr == iph->saddr)
++ return NF_ACCEPT;
++
++ if (ip_route_input_lookup(skb, iph->daddr, iph->saddr, iph->tos,
++ skb->dev, saddr))
++ return NF_DROP;
++
++ return NF_ACCEPT;
++}
++EXPORT_SYMBOL_GPL(ip_nat_route_input);
++
+ static int __init nf_nat_init(void)
+ {
+ int ret, i;
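Review bot: `if (skb->len < sizeof(struct iphdr))` does not establish that the IP header is in the linear area (skb->len counts paged data too), so as a guard before ip_hdr() it is either redundant — at NF_INET_PRE_ROUTING for IPv4 the core has already pulled and validated the header — or insufficient; if a guard is wanted it should be `if (!pskb_may_pull(skb, sizeof(struct iphdr))) return NF_ACCEPT;`. Style-wise, `if (!(conn = nf_ct_get(skb, &ctinfo)))` hides an assignment in the condition, which kernel style avoids, and the local `saddr` holds the address that becomes lsrc rather than the packet's own source, so `lsrc` would name it more honestly. A one-line comment on why a failed lookup is a drop rather than a fall-through to normal routing would also help the next reader.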
+diff --git a/net/netfilter/nf_nat_masquerade.c b/net/netfilter/nf_nat_masquerade.c
+index 8e8a65d46345..df1376143cd6 100644
+--- a/net/netfilter/nf_nat_masquerade.c
++++ b/net/netfilter/nf_nat_masquerade.c
+@@ -21,8 +21,8 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
+ struct nf_conn_nat *nat;
+ enum ip_conntrack_info ctinfo;
+ struct nf_nat_range2 newrange;
+- const struct rtable *rt;
+- __be32 newsrc, nh;
++ struct rtable *rt;
++ __be32 newsrc;
+
+ WARN_ON(hooknum != NF_INET_POST_ROUTING);
+
+@@ -37,12 +37,23 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
+ if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 0)
+ return NF_ACCEPT;
+
+- rt = skb_rtable(skb);
+- nh = rt_nexthop(rt, ip_hdr(skb)->daddr);
+- newsrc = inet_select_addr(out, nh, RT_SCOPE_UNIVERSE);
+- if (!newsrc) {
+- pr_info("%s ate my IP address\n", out->name);
+- return NF_DROP;
++ {
++ struct flowi4 fl4 = { .flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
++ .flowi4_mark = skb->mark,
++ .flowi4_oif = out->ifindex,
++ .daddr = ip_hdr(skb)->daddr,
++ .fl4_gw = skb_rtable(skb)->rt_gw4 };
++ rt = ip_route_output_key(dev_net(out), &fl4);
++ if (IS_ERR(rt)) {
++ /* Funky routing can do this. */
++ if (net_ratelimit())
++ pr_info("%s:"
++ " No route: Rusty's brain broke!\n",
++ out->name);
++ return NF_DROP;
++ }
++ newsrc = fl4.saddr;
++ ip_rt_put(rt);
+ }
+
+ nat = nf_ct_nat_ext_add(ct);
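Review bot: `.fl4_gw = skb_rtable(skb)->rt_gw4` reads the IPv4 member of the rtable gateway union without checking `rt_gw_family`; for a route whose nexthop gateway is IPv6 those bytes are not an IPv4 address, and since fib_table_lookup now filters nexthops on fl4_gw the output lookup can fail or select the wrong nexthop. Use `.fl4_gw = skb_rtable(skb)->rt_gw_family == AF_INET ? skb_rtable(skb)->rt_gw4 : 0`. The anonymous `{ ... }` block exists only to scope `fl4`; declaring it with the other locals at the top of the function matches the style of the rest of this function. This also replaces a cheap address selection with a full output route lookup per new masqueraded connection, which the commit message should mention.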
+diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
+index 8cd7038389fd..6c41fb84c0b5 100644
+--- a/security/selinux/nlmsgtab.c
++++ b/security/selinux/nlmsgtab.c
+@@ -80,6 +80,9 @@ static const struct nlmsg_perm nlmsg_route_perms[] =
+ { RTM_NEWCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_DELCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
+ { RTM_GETCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
++ { RTM_NEWARPRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
++ { RTM_DELARPRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
++ { RTM_GETARPRULE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
+ };
+
+ static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
+@@ -163,7 +166,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
+ * structures at the top of this file with the new mappings
+ * before updating the BUILD_BUG_ON() macro!
+ */
+- BUILD_BUG_ON(RTM_MAX != (RTM_NEWCHAIN + 3));
++ BUILD_BUG_ON(RTM_MAX != (RTM_NEWARPRULE + 3));
+ err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
+ sizeof(nlmsg_route_perms));
+ break;
diff --git a/sys-kernel/boest-v5.2.15/0002-pool-2.6.25-tcp-timewait-20s.diff.patch b/sys-kernel/boest-v5.2.15/0002-pool-2.6.25-tcp-timewait-20s.diff.patch
new file mode 100644
index 00000000..19b58178
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0002-pool-2.6.25-tcp-timewait-20s.diff.patch
@@ -0,0 +1,27 @@
+From 8cde5c13a8ea0253a8e6e5e09e7d82484ec3a678 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 15 Feb 2009 14:51:33 +0100
+Subject: [PATCH 02/13] pool/2.6.25-tcp-timewait-20s.diff
+
+From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
+
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ include/net/tcp.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 2ee06191c488..0f266366eb40 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -116,8 +116,8 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
+ * initial RTO.
+ */
+
+-#define TCP_TIMEWAIT_LEN (60*HZ) /* how long to wait to destroy TIME-WAIT
+- * state, about 60 seconds */
++#define TCP_TIMEWAIT_LEN (20*HZ) /* how long to wait to destroy TIME-WAIT
++ * state, about 20 seconds */
+ #define TCP_FIN_TIMEOUT TCP_TIMEWAIT_LEN
+ /* BSD style FIN_WAIT2 deadlock breaker.
+ * It used to be 3min, new value is 60sec,
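Review bot: The comment two lines after the change is now stale: `TCP_FIN_TIMEOUT` is defined as `TCP_TIMEWAIT_LEN`, so the FIN_WAIT2 deadlock breaker also drops from 60 s to 20 s, yet the text still reads "new value is 60sec". Either update it to `* It used to be 3min, new value is 20sec,` or give `TCP_FIN_TIMEOUT` its own value if FIN_WAIT2 was not meant to change. The define itself deserves a why-comment stating that 20 s is far below the 2*MSL that TIME-WAIT exists to enforce, so the trade-off (faster port reuse versus the chance of a delayed segment from the old connection being accepted by a new one on the same 4-tuple) is explicit for whoever inherits this tree. The comment block continues outside the hunk.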
diff --git a/sys-kernel/boest-v5.2.15/0003-pool-2.6.25-disable-tcp-debug.diff.patch b/sys-kernel/boest-v5.2.15/0003-pool-2.6.25-disable-tcp-debug.diff.patch
new file mode 100644
index 00000000..8535e858
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0003-pool-2.6.25-disable-tcp-debug.diff.patch
@@ -0,0 +1,25 @@
+From f171b44c6cc924f147dd31527f60cb3c8e700075 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 15 Feb 2009 14:51:33 +0100
+Subject: [PATCH 03/13] pool/2.6.25-disable-tcp-debug.diff
+
+From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
+
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ include/net/tcp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 0f266366eb40..0ed9a0680bfd 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -14,7 +14,7 @@
+ #ifndef _TCP_H
+ #define _TCP_H
+
+-#define FASTRETRANS_DEBUG 1
++#define FASTRETRANS_DEBUG 0
+
+ #include <linux/list.h>
+ #include <linux/tcp.h>
diff --git a/sys-kernel/boest-v5.2.15/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch b/sys-kernel/boest-v5.2.15/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch
new file mode 100644
index 00000000..ab108f11
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch
@@ -0,0 +1,142 @@
+From 2db6d6dafe966919505e11dd50195c4576c63af2 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 8 Oct 2008 10:00:42 +0200
+Subject: [PATCH 04/13] TCP: add a sysctl to disable simultaneous connection
+ opening.
+
+Strict implementation of RFC793 (TCP) requires support for a feature
+called "simultaneous connect", which allows two clients to connect to
+each other without anyone entering a listening state. While almost
+never used, and supported by few OSes, Linux supports this feature.
+
+However, it introduces a weakness in the protocol which makes it very
+easy for an attacker to prevent a client from connecting to a known
+server. The attacker only has to guess the source port to shut down
+the client connection during its establishment. The impact is limited,
+but it may be used to prevent an antivirus or IPS from fetching updates
+and not detecting an attack, or to prevent an SSL gateway from fetching
+a CRL for example.
+
+This patch provides a new sysctl "tcp_simult_connect" to enable or disable
+support for this useless feature. It comes disabled by default.
+
+Hundreds of systems running with that feature disabled for more than 4 years
+have never encountered an application which requires it. It is almost never
+supported by firewalls BTW.
+
+From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
+
+Reviewed-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ Documentation/networking/ip-sysctl.txt | 22 ++++++++++++++++++++++
+ include/net/netns/ipv4.h | 1 +
+ include/uapi/linux/sysctl.h | 1 +
+ net/ipv4/sysctl_net_ipv4.c | 7 +++++++
+ net/ipv4/tcp_input.c | 6 +++++-
+ 5 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
+index 0afa013809dc..afb7578ed8fd 100644
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -204,6 +204,28 @@ inet_peer_maxttl - INTEGER
+
+ TCP variables:
+
++tcp_simult_connect - BOOLEAN
++ Enables TCP simultaneous connect feature conforming to RFC793.
++ Strict implementation of RFC793 (TCP) requires support for a feature
++ called "simultaneous connect", which allows two clients to connect to
++ each other without anyone entering a listening state. While almost
++ never used, and supported by few OSes, Linux supports this feature.
++
++ However, it introduces a weakness in the protocol which makes it very
++ easy for an attacker to prevent a client from connecting to a known
++ server. The attacker only has to guess the source port to shut down
++ the client connection during its establishment. The impact is limited,
++ but it may be used to prevent an antivirus or IPS from fetching updates
++ and not detecting an attack, or to prevent an SSL gateway from fetching
++ a CRL for example.
++
++ If you want absolute compatibility with any possible application,
++ you should set it to 1. If you prefer to enhance security on your
++ systems you'd better let it to 0. After four years of usage on
++ hundreds of systems, no application was ever found to require this
++ feature, which is not even supported by most firewalls.
++ Default: 0
++
+ somaxconn - INTEGER
+ Limit of socket listen() backlog, known in userspace as SOMAXCONN.
+ Defaults to 128. See also tcp_max_syn_backlog for additional tuning
+diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
+index 623cfbb7b8dc..a62a48ab3992 100644
+--- a/include/net/netns/ipv4.h
++++ b/include/net/netns/ipv4.h
+@@ -142,6 +142,7 @@ struct netns_ipv4 {
+ int sysctl_tcp_recovery;
+ int sysctl_tcp_thin_linear_timeouts;
+ int sysctl_tcp_slow_start_after_idle;
++ int sysctl_tcp_simult_connect;
+ int sysctl_tcp_retrans_collapse;
+ int sysctl_tcp_stdurg;
+ int sysctl_tcp_rfc1337;
+diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
+index 87aa2a6d9125..c94a1099bc5b 100644
+--- a/include/uapi/linux/sysctl.h
++++ b/include/uapi/linux/sysctl.h
+@@ -426,6 +426,7 @@ enum
+ NET_TCP_ALLOWED_CONG_CONTROL=123,
+ NET_TCP_MAX_SSTHRESH=124,
+ NET_TCP_FRTO_RESPONSE=125,
++ NET_TCP_SIMULT_CONNECT=126,
+ };
+
+ enum {
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index b6f14af926fa..d348cfb09ae0 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -517,6 +517,13 @@ static struct ctl_table ipv4_table[] = {
+ .mode = 0444,
+ .proc_handler = proc_tcp_available_congestion_control,
+ },
++ {
++ .procname = "tcp_simult_connect",
++ .data = &init_net.ipv4.sysctl_tcp_simult_connect,
++ .maxlen = sizeof(int),
++ .mode = 0644,
++ .proc_handler = &proc_dointvec,
++ },
+ {
+ .procname = "tcp_allowed_congestion_control",
+ .maxlen = TCP_CA_BUF_MAX,
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index d95ee40df6c2..2c9a5924e07d 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -5815,6 +5815,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ const struct tcphdr *th)
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
++ struct net *net = sock_net(sk);
+ struct tcp_sock *tp = tcp_sk(sk);
+ struct tcp_fastopen_cookie foc = { .len = -1 };
+ int saved_clamp = tp->rx_opt.mss_clamp;
+@@ -5971,10 +5972,13 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
+ tcp_paws_reject(&tp->rx_opt, 0))
+ goto discard_and_undo;
+
+- if (th->syn) {
++ if (th->syn && net->ipv4.sysctl_tcp_simult_connect) {
+ /* We see SYN without ACK. It is attempt of
+ * simultaneous connect with crossed SYNs.
+ * Particularly, it can be connect to self.
++ * This feature is disabled by default as it introduces
++ * weakness in the protocol. It can be enabled by a
++ * sysctl.
+ */
+ tcp_set_state(sk, TCP_SYN_RECV);
+
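Review bot: The ctl_table entry with `.data = &init_net.ipv4.sysctl_tcp_simult_connect` is added to `ipv4_table`, the table of namespace-global knobs, while `tcp_rcv_synsent_state_process` reads the value through `sock_net(sk)->ipv4.sysctl_tcp_simult_connect`; since the storage lives in `struct netns_ipv4`, only init_net ever sees the knob and every other network namespace is stuck at 0 with no sysctl to change it. The entry belongs in `ipv4_net_table`, where the sysctl core remaps the `&init_net.ipv4.…` address to the namespace being accessed. While moving it, bound the value to 0/1 with `proc_dointvec_minmax` as most of this file's boolean knobs do, since the documentation declares it BOOLEAN and bare `proc_dointvec` accepts any int. The `NET_TCP_SIMULT_CONNECT=126` value added to the uapi enum appears to have no consumer in this series and extends the legacy binary-sysctl numbering; if nothing reads it, drop that hunk. The enclosing function in tcp_input.c starts and ends outside this hunk.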
diff --git a/sys-kernel/boest-v5.2.15/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch b/sys-kernel/boest-v5.2.15/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch
new file mode 100644
index 00000000..b98443b8
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch
@@ -0,0 +1,34 @@
+From 7dc0ea4765198c5ae61a9a48a1611a81712cfd9c Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Sun, 15 Feb 2009 14:51:33 +0100
+Subject: [PATCH 05/13] pool/2.6.25-disable-kbdrate-at-boot.diff
+
+From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
+
+Reviewed-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ arch/x86/boot/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/x86/boot/main.c b/arch/x86/boot/main.c
+index 996df3d586f0..b9ee34bf0268 100644
+--- a/arch/x86/boot/main.c
++++ b/arch/x86/boot/main.c
+@@ -62,6 +62,8 @@ static void copy_boot_params(void)
+ */
+ static void keyboard_init(void)
+ {
++/*This may take several seconds if the system has no kbd controller */
++#ifdef CONFIG_INPUT_KEYBOARD
+ struct biosregs ireg, oreg;
+ initregs(&ireg);
+
+@@ -71,6 +73,7 @@ static void keyboard_init(void)
+
+ ireg.ax = 0x0305; /* Set keyboard repeat rate */
+ intcall(0x16, &ireg, NULL);
++#endif
+ }
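Review bot: The new comment `/*This may take several seconds if the system has no kbd controller */` lacks the spaces kernel style puts inside the delimiters; write it as `/* This may take several seconds if the system has no kbd controller */` and make it say what it actually explains, namely why the whole body is wrapped in `#ifdef CONFIG_INPUT_KEYBOARD`. The guard also removes the `oreg` result of the first BIOS call: if the elided lines between the two hunks store the keyboard status into `boot_params`, as the `oreg` declaration suggests, that field now stays at its zero value when the option is off, which is worth a sentence in the comment or the commit message. Both hunks are inside `keyboard_init`, whose signature is visible at the top of the first hunk.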
+
+ /*
diff --git a/sys-kernel/boest-v5.2.15/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch b/sys-kernel/boest-v5.2.15/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch
new file mode 100644
index 00000000..798ca587
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch
@@ -0,0 +1,45 @@
+From ea39099766c7a2fc96d11ba29a0cab0180b69160 Mon Sep 17 00:00:00 2001
+From: Bertrand Jacquin <bertrand@jacquin.bzh>
+Date: Wed, 9 Jan 2013 00:28:28 +0100
+Subject: [PATCH 06/13] Disable CONFIG_PROCESSOR_SELECT printk()'s
+
+Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
+---
+ arch/x86/kernel/cpu/common.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
+index 3ae218b51eed..6d555f9f9c38 100644
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -1161,10 +1161,6 @@ void __init early_cpu_init(void)
+ const struct cpu_dev *const *cdev;
+ int count = 0;
+
+-#ifdef CONFIG_PROCESSOR_SELECT
+- pr_info("KERNEL supported cpus:\n");
+-#endif
+-
+ for (cdev = __x86_cpu_dev_start; cdev < __x86_cpu_dev_end; cdev++) {
+ const struct cpu_dev *cpudev = *cdev;
+
+@@ -1172,19 +1168,6 @@ void __init early_cpu_init(void)
+ break;
+ cpu_devs[count] = cpudev;
+ count++;
+-
+-#ifdef CONFIG_PROCESSOR_SELECT
+- {
+- unsigned int j;
+-
+- for (j = 0; j < 2; j++) {
+- if (!cpudev->c_ident[j])
+- continue;
+- pr_info(" %s %s\n", cpudev->c_vendor,
+- cpudev->c_ident[j]);
+- }
+- }
+-#endif
+ }
+ early_identify_cpu(&boot_cpu_data);
+ }
diff --git a/sys-kernel/boest-v5.2.15/0007-This-patch-adds-support-for-a-restricted-user-contro.patch b/sys-kernel/boest-v5.2.15/0007-This-patch-adds-support-for-a-restricted-user-contro.patch
new file mode 100644
index 00000000..7ecb57d6
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0007-This-patch-adds-support-for-a-restricted-user-contro.patch
@@ -0,0 +1,75 @@
+From 408d9e98d1f1df9156ae1a6d044fbca4863d50c2 Mon Sep 17 00:00:00 2001
+From: "Anthony G. Basile" <blueness@gentoo.org>
+Date: Sat, 22 Jun 2019 19:30:55 -0400
+Subject: [PATCH 07/13] This patch adds support for a restricted
+ user-controlled namespace on tmpfs filesystem used to house PaX flags. The
+ namespace must be of the form user.pax.* and its value cannot exceed a size
+ of 8 bytes.
+
+This is needed even on all Gentoo systems so that XATTR_PAX flags
+are preserved for users who might build packages using portage on
+a tmpfs system with a non-hardened kernel and then switch to a
+hardened kernel with XATTR_PAX enabled.
+
+The namespace is added to any user with Extended Attribute support
+enabled for tmpfs. Users who do not enable xattrs will not have
+the XATTR_PAX flags preserved.
+---
+ include/uapi/linux/xattr.h | 4 ++++
+ mm/shmem.c | 15 +++++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
+index c1395b5bd432..bac6d48eca8e 100644
+--- a/include/uapi/linux/xattr.h
++++ b/include/uapi/linux/xattr.h
+@@ -77,5 +77,9 @@
+ #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
+ #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
+
++/* User namespace */
++#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
++#define XATTR_PAX_FLAGS_SUFFIX "flags"
++#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
+
+ #endif /* _UAPI_LINUX_XATTR_H */
+diff --git a/mm/shmem.c b/mm/shmem.c
+index f4dce9c8670d..8a5cb941032b 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -3220,6 +3220,14 @@ static int shmem_xattr_handler_set(const struct xattr_handler *handler,
+ struct shmem_inode_info *info = SHMEM_I(inode);
+
+ name = xattr_full_name(handler, name);
++
++ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
++ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
++ return -EOPNOTSUPP;
++ if (size > 8)
++ return -EINVAL;
++ }
++
+ return simple_xattr_set(&info->xattrs, name, value, size, flags);
+ }
+
+@@ -3235,6 +3243,12 @@ static const struct xattr_handler shmem_trusted_xattr_handler = {
+ .set = shmem_xattr_handler_set,
+ };
+
++static const struct xattr_handler shmem_user_xattr_handler = {
++ .prefix = XATTR_USER_PREFIX,
++ .get = shmem_xattr_handler_get,
++ .set = shmem_xattr_handler_set,
++};
++
+ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #ifdef CONFIG_TMPFS_POSIX_ACL
+ &posix_acl_access_xattr_handler,
+@@ -3242,6 +3256,7 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
+ #endif
+ &shmem_security_xattr_handler,
+ &shmem_trusted_xattr_handler,
++ &shmem_user_xattr_handler,
+ NULL
+ };
+
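Review bot: The `8` in `if (size > 8)` is a magic number that restates the limit the commit message gives in prose; define it next to the new uapi macros, e.g. `#define XATTR_PAX_FLAGS_MAX_SIZE 8` (constructed name), and test `size > XATTR_PAX_FLAGS_MAX_SIZE`. The block also needs a why-comment: the handler list visible in the last hunk had no `user.*` handler before this patch, and the new one deliberately admits exactly one name with a bounded value, presumably so that the file owner cannot store arbitrary amounts of data through it; without that comment the next maintainer will see `-EOPNOTSUPP` for every other `user.*` name and read it as a bug. Note the subject line says names "of the form user.pax.*" are accepted, while `strcmp(name, XATTR_NAME_PAX_FLAGS)` admits only `user.pax.flags`; the code is the stricter of the two and the description should say so. `shmem_xattr_handler_set` starts before the hunk.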
diff --git a/sys-kernel/boest-v5.2.15/0008-fs-Enable-link-security-restrictions-by-default.patch b/sys-kernel/boest-v5.2.15/0008-fs-Enable-link-security-restrictions-by-default.patch
new file mode 100644
index 00000000..5c003400
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0008-fs-Enable-link-security-restrictions-by-default.patch
@@ -0,0 +1,26 @@
+From 32fe42a505a142afe5b9e8cccd7422c4ee9ad99b Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 2 Nov 2012 05:32:06 +0000
+Subject: [PATCH 08/13] fs: Enable link security restrictions by default
+
+This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
+('VFS: don't do protected {sym,hard}links by default').
+---
+ fs/namei.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 20831c2fbb34..8a7ee3f2eff1 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -883,8 +883,8 @@ static inline void put_link(struct nameidata *nd)
+ path_put(&last->link);
+ }
+
+-int sysctl_protected_symlinks __read_mostly = 0;
+-int sysctl_protected_hardlinks __read_mostly = 0;
++int sysctl_protected_symlinks __read_mostly = 1;
++int sysctl_protected_hardlinks __read_mostly = 1;
+ int sysctl_protected_fifos __read_mostly;
+ int sysctl_protected_regular __read_mostly;
+
diff --git a/sys-kernel/boest-v5.2.15/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch b/sys-kernel/boest-v5.2.15/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch
new file mode 100644
index 00000000..68603ba2
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch
@@ -0,0 +1,38 @@
+From 258bf262b8e3f5454a04b430d41ba7ba41899599 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Sat, 22 Jun 2019 19:30:55 -0400
+Subject: [PATCH 09/13] The encryption is only mandatory to be enforced when
+ both sides are using Secure Simple Pairing and this means the key size check
+ makes only sense in that case.
+
+On legacy Bluetooth 2.0 and earlier devices like mice the encryption was
+optional and thus causing an issue if the key size check is not bound to
+using Secure Simple Pairing.
+
+Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+---
+ net/bluetooth/hci_conn.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 15d1cb5aee18..034a5ec74624 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1272,8 +1272,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
+ return 0;
+ }
+
+- if (hci_conn_ssp_enabled(conn) &&
+- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
++ /* If Secure Simple Pairing is not enabled, then legacy connection
++ * setup is used and no encryption or key sizes can be enforced.
++ */
++ if (!hci_conn_ssp_enabled(conn))
++ return 1;
++
++ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
+ return 0;
+
+ return 1;
diff --git a/sys-kernel/boest-v5.2.15/0010-usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch b/sys-kernel/boest-v5.2.15/0010-usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch
new file mode 100644
index 00000000..bd8bba47
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0010-usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch
@@ -0,0 +1,37 @@
+From 74028cb33e65cd28946214fb2f2d73808c25bf23 Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@fedoraproject.org>
+Date: Tue, 8 Sep 2015 09:53:38 -0700
+Subject: [PATCH 10/13] usb-storage: Disable UAS on JMicron SATA enclosure
+
+Steve Ellis reported incorrect block sizes and alignement
+offsets with a SATA enclosure. Adding a quirk to disable
+UAS fixes the problems.
+
+Reported-by: Steven Ellis <sellis@redhat.com>
+Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
+---
+ drivers/usb/storage/unusual_uas.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
+index d0bdebd87ce3..1b23741036ee 100644
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -87,12 +87,15 @@ UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999,
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_IGNORE_UAS),
+
+-/* Reported-by: Takeo Nakayama <javhera@gmx.com> */
++/*
++ * Initially Reported-by: Takeo Nakayama <javhera@gmx.com>
++ * UAS Ignore Reported by Steven Ellis <sellis@redhat.com>
++ */
+ UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999,
+ "JMicron",
+ "JMS566",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+- US_FL_NO_REPORT_OPCODES),
++ US_FL_NO_REPORT_OPCODES | US_FL_IGNORE_UAS),
+
+ /* Reported-by: Hans de Goede <hdegoede@redhat.com> */
+ UNUSUAL_DEV(0x4971, 0x1012, 0x0000, 0x9999,
diff --git a/sys-kernel/boest-v5.2.15/0011-5.2-2600_enable-key-swapping-for-apple-mac.patch.patch b/sys-kernel/boest-v5.2.15/0011-5.2-2600_enable-key-swapping-for-apple-mac.patch.patch
new file mode 100644
index 00000000..1bd6daeb
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0011-5.2-2600_enable-key-swapping-for-apple-mac.patch.patch
@@ -0,0 +1,125 @@
+From e12189c02410392c98de28716db209228757429f Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Sat, 22 Jun 2019 19:30:55 -0400
+Subject: [PATCH 11/13] 5.2:2600_enable-key-swapping-for-apple-mac.patch
+
+---
+ drivers/hid/hid-apple.c | 76 +++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 74 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
+index 81df62f48c4c..e2db70cbc995 100644
+--- a/drivers/hid/hid-apple.c
++++ b/drivers/hid/hid-apple.c
+@@ -51,6 +51,22 @@ MODULE_PARM_DESC(swap_opt_cmd, "Swap the Option (\"Alt\") and Command (\"Flag\")
+ "(For people who want to keep Windows PC keyboard muscle memory. "
+ "[0] = as-is, Mac layout. 1 = swapped, Windows layout.)");
+
++static unsigned int swap_fn_leftctrl;
++module_param(swap_fn_leftctrl, uint, 0644);
++MODULE_PARM_DESC(swap_fn_leftctrl, "Swap the Fn and left Control keys. "
++ "(For people who want to keep PC keyboard muscle memory. "
++ "[0] = as-is, Mac layout, 1 = swapped, PC layout)");
++
++static unsigned int rightalt_as_rightctrl;
++module_param(rightalt_as_rightctrl, uint, 0644);
++MODULE_PARM_DESC(rightalt_as_rightctrl, "Use the right Alt key as a right Ctrl key. "
++ "[0] = as-is, Mac layout. 1 = Right Alt is right Ctrl");
++
++static unsigned int ejectcd_as_delete;
++module_param(ejectcd_as_delete, uint, 0644);
++MODULE_PARM_DESC(ejectcd_as_delete, "Use Eject-CD key as Delete key. "
++ "([0] = disabled, 1 = enabled)");
++
+ struct apple_sc {
+ unsigned long quirks;
+ unsigned int fn_on;
+@@ -163,6 +179,21 @@ static const struct apple_key_translation swapped_option_cmd_keys[] = {
+ { }
+ };
+
++static const struct apple_key_translation swapped_fn_leftctrl_keys[] = {
++ { KEY_FN, KEY_LEFTCTRL },
++ { }
++};
++
++static const struct apple_key_translation rightalt_as_rightctrl_keys[] = {
++ { KEY_RIGHTALT, KEY_RIGHTCTRL },
++ { }
++};
++
++static const struct apple_key_translation ejectcd_as_delete_keys[] = {
++ { KEY_EJECTCD, KEY_DELETE },
++ { }
++};
++
+ static const struct apple_key_translation *apple_find_translation(
+ const struct apple_key_translation *table, u16 from)
+ {
+@@ -182,9 +213,11 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
+ struct apple_sc *asc = hid_get_drvdata(hid);
+ const struct apple_key_translation *trans, *table;
+
+- if (usage->code == KEY_FN) {
++ u16 fn_keycode = (swap_fn_leftctrl) ? (KEY_LEFTCTRL) : (KEY_FN);
++
++ if (usage->code == fn_keycode) {
+ asc->fn_on = !!value;
+- input_event(input, usage->type, usage->code, value);
++ input_event(input, usage->type, KEY_FN, value);
+ return 1;
+ }
+
+@@ -263,6 +296,30 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
+ }
+ }
+
++ if (swap_fn_leftctrl) {
++ trans = apple_find_translation(swapped_fn_leftctrl_keys, usage->code);
++ if (trans) {
++ input_event(input, usage->type, trans->to, value);
++ return 1;
++ }
++ }
++
++ if (ejectcd_as_delete) {
++ trans = apple_find_translation(ejectcd_as_delete_keys, usage->code);
++ if (trans) {
++ input_event(input, usage->type, trans->to, value);
++ return 1;
++ }
++ }
++
++ if (rightalt_as_rightctrl) {
++ trans = apple_find_translation(rightalt_as_rightctrl_keys, usage->code);
++ if (trans) {
++ input_event(input, usage->type, trans->to, value);
++ return 1;
++ }
++ }
++
+ return 0;
+ }
+
+@@ -326,6 +383,21 @@ static void apple_setup_input(struct input_dev *input)
+
+ for (trans = apple_iso_keyboard; trans->from; trans++)
+ set_bit(trans->to, input->keybit);
++
++ if (swap_fn_leftctrl) {
++ for (trans = swapped_fn_leftctrl_keys; trans->from; trans++)
++ set_bit(trans->to, input->keybit);
++ }
++
++ if (ejectcd_as_delete) {
++ for (trans = ejectcd_as_delete_keys; trans->from; trans++)
++ set_bit(trans->to, input->keybit);
++ }
++
++ if (rightalt_as_rightctrl) {
++ for (trans = rightalt_as_rightctrl_keys; trans->from; trans++)
++ set_bit(trans->to, input->keybit);
++ }
+ }
+
+ static int apple_input_mapping(struct hid_device *hdev, struct hid_input *hi,
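Review bot: The three opt-in remaps are implemented as three copy-pasted `if (param) { trans = apple_find_translation(...); if (trans) { input_event(...); return 1; } }` blocks in `hidinput_apple_event`, and again as three near-identical loops in `apple_setup_input`; a small table pairing each module parameter with its translation table lets one loop replace each triplet and keeps a fourth option from becoming a fourth copy. The ternary `u16 fn_keycode = (swap_fn_leftctrl) ? (KEY_LEFTCTRL) : (KEY_FN);` carries redundant parentheses; `u16 fn_keycode = swap_fn_leftctrl ? KEY_LEFTCTRL : KEY_FN;` reads cleaner and matches the surrounding code. One behavioural point to confirm: the parameters are `0644`, so they can be flipped at runtime, but the `set_bit(trans->to, input->keybit)` calls run only at input setup, so a remap enabled after probe emits a code that is declared in `keybit` only if the generic HID keyboard mapping already set it; either set those bits unconditionally or document that the options take effect on (re)connect. Both functions start before their hunks; `i` would be declared with the other locals.
```c
/* Opt-in remaps, in the order they are consulted; each pairs a module
 * parameter with the translation table it enables. */
static const struct apple_optional_swap {
	const unsigned int *enabled;
	const struct apple_key_translation *table;
} apple_optional_swaps[] = {
	{ &swap_fn_leftctrl,      swapped_fn_leftctrl_keys },
	{ &ejectcd_as_delete,     ejectcd_as_delete_keys },
	{ &rightalt_as_rightctrl, rightalt_as_rightctrl_keys },
};

	/* … in hidinput_apple_event, replacing the three if (param) blocks … */
	for (i = 0; i < ARRAY_SIZE(apple_optional_swaps); i++) {
		if (!*apple_optional_swaps[i].enabled)
			continue;
		trans = apple_find_translation(apple_optional_swaps[i].table,
					       usage->code);
		if (trans) {
			input_event(input, usage->type, trans->to, value);
			return 1;
		}
	}

	/* … in apple_setup_input, replacing the three if (param) loops … */
	for (i = 0; i < ARRAY_SIZE(apple_optional_swaps); i++) {
		if (!*apple_optional_swaps[i].enabled)
			continue;
		for (trans = apple_optional_swaps[i].table; trans->from; trans++)
			set_bit(trans->to, input->keybit);
	}
```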
diff --git a/sys-kernel/boest-v5.2.15/0012-5.2-4567_distro-Gentoo-Kconfig.patch.patch b/sys-kernel/boest-v5.2.15/0012-5.2-4567_distro-Gentoo-Kconfig.patch.patch
new file mode 100644
index 00000000..9e76a917
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0012-5.2-4567_distro-Gentoo-Kconfig.patch.patch
@@ -0,0 +1,173 @@
+From d40dbbb463a3880ea13663aaeea958873c0428bd Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Fri, 28 Dec 2018 18:58:06 -0500
+Subject: [PATCH 12/13] 5.2:4567_distro-Gentoo-Kconfig.patch
+
+---
+ Kconfig | 2 +
+ distro/Kconfig | 147 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 149 insertions(+)
+
+diff --git a/Kconfig b/Kconfig
+index 48a80beab685..a5ad73c66099 100644
+--- a/Kconfig
++++ b/Kconfig
+@@ -30,3 +30,5 @@ source "crypto/Kconfig"
+ source "lib/Kconfig"
+
+ source "lib/Kconfig.debug"
++
++source "distro/Kconfig"
+diff --git a/distro/Kconfig b/distro/Kconfig
+new file mode 100644
+index 000000000000..cc385887e08a
+--- /dev/null
++++ b/distro/Kconfig
+@@ -0,0 +1,147 @@
++menu "Gentoo Linux"
++
++config GENTOO_LINUX
++ bool "Gentoo Linux support"
++
++ default y
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ See the settings that become available for more details and fine-tuning.
++
++config GENTOO_LINUX_UDEV
++ bool "Linux dynamic and persistent device naming (userspace devfs) support"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select DEVTMPFS
++ select TMPFS
++ select UNIX
++
++ select MMU
++ select SHMEM
++
++ help
++ In order to boot Gentoo Linux a minimal set of config settings needs to
++ be enabled in the kernel; to avoid the users from having to enable them
++ manually as part of a Gentoo Linux installation or a new clean config,
++ we enable these config settings by default for convenience.
++
++ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
++ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
++ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
++
++ Some of these are critical files that need to be available early in the
++ boot process; if not available, it causes sysfs and udev to malfunction.
++
++ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
++ if you run a custom setup, you could consider whether to disable this.
++
++config GENTOO_LINUX_PORTAGE
++ bool "Select options required by Portage features"
++
++ depends on GENTOO_LINUX
++ default y if GENTOO_LINUX
++
++ select CGROUPS
++ select NAMESPACES
++ select IPC_NS
++ select NET_NS
++ select PID_NS
++ select SYSVIPC
++
++ help
++ This enables options required by various Portage FEATURES.
++ Currently this selects:
++
++ CGROUPS (required for FEATURES=cgroup)
++ IPC_NS (required for FEATURES=ipc-sandbox)
++ NET_NS (required for FEATURES=network-sandbox)
++ PID_NS (required for FEATURES=pid-sandbox)
++ SYSVIPC (required by IPC_NS)
++
++
++ It is highly recommended that you leave this enabled as these FEATURES
++ are, or will soon be, enabled by default.
++
++menu "Support for init systems, system and service managers"
++ visible if GENTOO_LINUX
++
++config GENTOO_LINUX_INIT_SCRIPT
++ bool "OpenRC, runit and other script based systems and managers"
++
++ default y if GENTOO_LINUX
++
++ depends on GENTOO_LINUX
++
++ select BINFMT_SCRIPT
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for OpenRC,
++ runit and similar script based systems and managers.
++
++ If you are unsure about this, it is best to leave this setting enabled.
++
++config GENTOO_LINUX_INIT_SYSTEMD
++ bool "systemd"
++
++ default n
++
++ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
++
++ select AUTOFS4_FS
++ select BLK_DEV_BSG
++ select CGROUPS
++ select CHECKPOINT_RESTORE
++ select CRYPTO_HMAC
++ select CRYPTO_SHA256
++ select CRYPTO_USER_API_HASH
++ select DEVPTS_MULTIPLE_INSTANCES
++ select DMIID if X86_32 || X86_64 || X86
++ select EPOLL
++ select FANOTIFY
++ select FHANDLE
++ select INOTIFY_USER
++ select IPV6
++ select NET
++ select NET_NS
++ select PROC_FS
++ select SECCOMP
++ select SECCOMP_FILTER
++ select SIGNALFD
++ select SYSFS
++ select TIMERFD
++ select TMPFS_POSIX_ACL
++ select TMPFS_XATTR
++
++ select ANON_INODES
++ select BLOCK
++ select EVENTFD
++ select FSNOTIFY
++ select INET
++ select NLATTR
++
++ help
++ The init system is the first thing that loads after the kernel booted.
++
++ These config settings allow you to select which init systems to support;
++ instead of having to select all the individual settings all over the
++ place, these settings allows you to select all the settings at once.
++
++ This particular setting enables all the known requirements for systemd;
++ it also enables suggested optional settings, as the package suggests to.
++
++endmenu
++
++endmenu
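Review bot: `select DEVPTS_MULTIPLE_INSTANCES` and `select ANON_INODES` under GENTOO_LINUX_INIT_SYSTEMD look like dead lines for the 5.2 tree this ebuild targets: as far as I recall both symbols were removed from upstream Kconfig before 5.2 (per-mount devpts instances and anon_inodes both became unconditional), and Kconfig silently ignores a `select` of an undefined symbol, so they give a false sense of coverage; confirm against the tree and drop them. Every `config` entry pairs `depends on GENTOO_LINUX` with `default y if GENTOO_LINUX`; given the dependency, `default y` says the same thing and is what the first entry already uses. The paragraph duplicated between the GENTOO_LINUX and GENTOO_LINUX_UDEV help texts could be reduced to a one-line pointer in the second entry.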
diff --git a/sys-kernel/boest-v5.2.15/0013-WARNING.patch b/sys-kernel/boest-v5.2.15/0013-WARNING.patch
new file mode 100644
index 00000000..727d5b3b
--- /dev/null
+++ b/sys-kernel/boest-v5.2.15/0013-WARNING.patch
@@ -0,0 +1,589 @@
+From db15fdca08377d48babd641f6b0313561bab6eb2 Mon Sep 17 00:00:00 2001
+From: Mike Pagano <mpagano@gentoo.org>
+Date: Sat, 22 Jun 2019 19:30:55 -0400
+Subject: [PATCH 13/13] WARNING This patch works with gcc versions 8.1+ and
+ with kernel version 4.13+ and should NOT be applied when compiling on older
+ versions of gcc due to key name changes of the march flags introduced with
+ the version 4.9 release of gcc.[1]
+
+Use the older version of this patch hosted on the same github for older
+versions of gcc.
+
+FEATURES
+This patch adds additional CPU options to the Linux kernel accessible under:
+ Processor type and features --->
+ Processor family --->
+
+The expanded microarchitectures include:
+* AMD Improved K8-family
+* AMD K10-family
+* AMD Family 10h (Barcelona)
+* AMD Family 14h (Bobcat)
+* AMD Family 16h (Jaguar)
+* AMD Family 15h (Bulldozer)
+* AMD Family 15h (Piledriver)
+* AMD Family 15h (Steamroller)
+* AMD Family 15h (Excavator)
+* AMD Family 17h (Zen)
+* Intel Silvermont low-power processors
+* Intel 1st Gen Core i3/i5/i7 (Nehalem)
+* Intel 1.5 Gen Core i3/i5/i7 (Westmere)
+* Intel 2nd Gen Core i3/i5/i7 (Sandybridge)
+* Intel 3rd Gen Core i3/i5/i7 (Ivybridge)
+* Intel 4th Gen Core i3/i5/i7 (Haswell)
+* Intel 5th Gen Core i3/i5/i7 (Broadwell)
+* Intel 6th Gen Core i3/i5/i7 (Skylake)
+* Intel 6th Gen Core i7/i9 (Skylake X)
+* Intel 8th Gen Core i3/i5/i7 (Cannon Lake)
+* Intel 8th Gen Core i7/i9 (Ice Lake)
+
+It also offers to compile passing the 'native' option which, "selects the CPU
+to generate code for at compilation time by determining the processor type of
+the compiling machine. Using -march=native enables all instruction subsets
+supported by the local machine and will produce code optimized for the local
+machine under the constraints of the selected instruction set."[3]
+
+MINOR NOTES
+This patch also changes 'atom' to 'bonnell' in accordance with the gcc v4.9
+changes. Note that upstream is using the deprecated 'match=atom' flags when I
+believe it should use the newer 'march=bonnell' flag for atom processors.[2]
+
+It is not recommended to compile on Atom-CPUs with the 'native' option.[4] The
+recommendation is to use the 'atom' option instead.
+
+BENEFITS
+Small but real speed increases are measurable using a make endpoint comparing
+a generic kernel to one built with one of the respective microarchs.
+
+See the following experimental evidence supporting this statement:
+https://github.com/graysky2/kernel_gcc_patch
+
+REQUIREMENTS
+linux version >=4.20
+gcc version >=8.1
+
+ACKNOWLEDGMENTS
+This patch builds on the seminal work by Jeroen.[5]
+
+REFERENCES
+1. https://gcc.gnu.org/gcc-4.9/changes.html
+2. https://bugzilla.kernel.org/show_bug.cgi?id=77461
+3. https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html
+4. https://github.com/graysky2/kernel_gcc_patch/issues/15
+5. http://www.linuxforge.net/docs/linux/linux-gcc.php
+---
+ arch/x86/Kconfig.cpu | 251 +++++++++++++++++++++++++++++-----
+ arch/x86/Makefile | 39 +++++-
+ arch/x86/Makefile_32.cpu | 28 +++-
+ arch/x86/include/asm/module.h | 44 ++++++
+ 4 files changed, 325 insertions(+), 37 deletions(-)
+
+diff --git a/arch/x86/Kconfig.cpu b/arch/x86/Kconfig.cpu
+index 6adce15268bd..d0be00a2d7e7 100644
+--- a/arch/x86/Kconfig.cpu
++++ b/arch/x86/Kconfig.cpu
+@@ -116,6 +116,7 @@ config MPENTIUMM
+ config MPENTIUM4
+ bool "Pentium-4/Celeron(P4-based)/Pentium-4 M/older Xeon"
+ depends on X86_32
++ select X86_P6_NOP
+ ---help---
+ Select this for Intel Pentium 4 chips. This includes the
+ Pentium 4, Pentium D, P4-based Celeron and Xeon, and
+@@ -150,7 +151,7 @@ config MPENTIUM4
+
+
+ config MK6
+- bool "K6/K6-II/K6-III"
++ bool "AMD K6/K6-II/K6-III"
+ depends on X86_32
+ ---help---
+ Select this for an AMD K6-family processor. Enables use of
+@@ -158,7 +159,7 @@ config MK6
+ flags to GCC.
+
+ config MK7
+- bool "Athlon/Duron/K7"
++ bool "AMD Athlon/Duron/K7"
+ depends on X86_32
+ ---help---
+ Select this for an AMD Athlon K7-family processor. Enables use of
+@@ -166,11 +167,81 @@ config MK7
+ flags to GCC.
+
+ config MK8
+- bool "Opteron/Athlon64/Hammer/K8"
++ bool "AMD Opteron/Athlon64/Hammer/K8"
+ ---help---
+ Select this for an AMD Opteron or Athlon64 Hammer-family processor.
+ Enables use of some extended instructions, and passes appropriate
+ optimization flags to GCC.
++config MK8SSE3
++ bool "AMD Opteron/Athlon64/Hammer/K8 with SSE3"
++ ---help---
++ Select this for improved AMD Opteron or Athlon64 Hammer-family processors.
++ Enables use of some extended instructions, and passes appropriate
++ optimization flags to GCC.
++
++config MK10
++ bool "AMD 61xx/7x50/PhenomX3/X4/II/K10"
++ ---help---
++ Select this for an AMD 61xx Eight-Core Magny-Cours, Athlon X2 7x50,
++ Phenom X3/X4/II, Athlon II X2/X3/X4, or Turion II-family processor.
++ Enables use of some extended instructions, and passes appropriate
++ optimization flags to GCC.
++
++config MBARCELONA
++ bool "AMD Barcelona"
++ ---help---
++ Select this for AMD Family 10h Barcelona processors.
++
++ Enables -march=barcelona
++
++config MBOBCAT
++ bool "AMD Bobcat"
++ ---help---
++ Select this for AMD Family 14h Bobcat processors.
++
++ Enables -march=btver1
++
++config MJAGUAR
++ bool "AMD Jaguar"
++ ---help---
++ Select this for AMD Family 16h Jaguar processors.
++
++ Enables -march=btver2
++
++config MBULLDOZER
++ bool "AMD Bulldozer"
++ ---help---
++ Select this for AMD Family 15h Bulldozer processors.
++
++ Enables -march=bdver1
++
++config MPILEDRIVER
++ bool "AMD Piledriver"
++ ---help---
++ Select this for AMD Family 15h Piledriver processors.
++
++ Enables -march=bdver2
++
++config MSTEAMROLLER
++ bool "AMD Steamroller"
++ ---help---
++ Select this for AMD Family 15h Steamroller processors.
++
++ Enables -march=bdver3
++
++config MEXCAVATOR
++ bool "AMD Excavator"
++ ---help---
++ Select this for AMD Family 15h Excavator processors.
++
++ Enables -march=bdver4
++
++config MZEN
++ bool "AMD Zen"
++ ---help---
++ Select this for AMD Family 17h Zen processors.
++
++ Enables -march=znver1
+
+ config MCRUSOE
+ bool "Crusoe"
+@@ -253,6 +324,7 @@ config MVIAC7
+
+ config MPSC
+ bool "Intel P4 / older Netburst based Xeon"
++ select X86_P6_NOP
+ depends on X86_64
+ ---help---
+ Optimize for Intel Pentium 4, Pentium D and older Nocona/Dempsey
+@@ -262,17 +334,9 @@ config MPSC
+ using the cpu family field
+ in /proc/cpuinfo. Family 15 is an older Xeon, Family 6 a newer one.
+
+-config MCORE2
+- bool "Core 2/newer Xeon"
+- ---help---
+-
+- Select this for Intel Core 2 and newer Core 2 Xeons (Xeon 51xx and
+- 53xx) CPUs. You can distinguish newer from older Xeons by the CPU
+- family in /proc/cpuinfo. Newer ones have 6 and older ones 15
+- (not a typo)
+-
+ config MATOM
+ bool "Intel Atom"
++ select X86_P6_NOP
+ ---help---
+
+ Select this for the Intel Atom platform. Intel Atom CPUs have an
+@@ -280,6 +344,117 @@ config MATOM
+ accordingly optimized code. Use a recent GCC with specific Atom
+ support in order to fully benefit from selecting this option.
+
++config MCORE2
++ bool "Intel Core 2"
++ select X86_P6_NOP
++
++ ---help---
++
++ Select this for Intel Core 2 and newer Core 2 Xeons (Xeon 51xx and
++ 53xx) CPUs. You can distinguish newer from older Xeons by the CPU
++ family in /proc/cpuinfo. Newer ones have 6 and older ones 15
++ (not a typo)
++ Enables -march=core2
++
++config MNEHALEM
++ bool "Intel Nehalem"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 1st Gen Core processors in the Nehalem family.
++
++ Enables -march=nehalem
++
++config MWESTMERE
++ bool "Intel Westmere"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for the Intel Westmere formerly Nehalem-C family.
++
++ Enables -march=westmere
++
++config MSILVERMONT
++ bool "Intel Silvermont"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for the Intel Silvermont platform.
++
++ Enables -march=silvermont
++
++config MSANDYBRIDGE
++ bool "Intel Sandy Bridge"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 2nd Gen Core processors in the Sandy Bridge family.
++
++ Enables -march=sandybridge
++
++config MIVYBRIDGE
++ bool "Intel Ivy Bridge"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 3rd Gen Core processors in the Ivy Bridge family.
++
++ Enables -march=ivybridge
++
++config MHASWELL
++ bool "Intel Haswell"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 4th Gen Core processors in the Haswell family.
++
++ Enables -march=haswell
++
++config MBROADWELL
++ bool "Intel Broadwell"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 5th Gen Core processors in the Broadwell family.
++
++ Enables -march=broadwell
++
++config MSKYLAKE
++ bool "Intel Skylake"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 6th Gen Core processors in the Skylake family.
++
++ Enables -march=skylake
++
++config MSKYLAKEX
++ bool "Intel Skylake X"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 6th Gen Core processors in the Skylake X family.
++
++ Enables -march=skylake-avx512
++
++config MCANNONLAKE
++ bool "Intel Cannon Lake"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 8th Gen Core processors
++
++ Enables -march=cannonlake
++
++config MICELAKE
++ bool "Intel Ice Lake"
++ select X86_P6_NOP
++ ---help---
++
++ Select this for 8th Gen Core processors in the Ice Lake family.
++
++ Enables -march=icelake
++
+ config GENERIC_CPU
+ bool "Generic-x86-64"
+ depends on X86_64
+@@ -287,6 +462,19 @@ config GENERIC_CPU
+ Generic x86-64 CPU.
+ Run equally well on all x86-64 CPUs.
+
++config MNATIVE
++ bool "Native optimizations autodetected by GCC"
++ ---help---
++
++ GCC 4.2 and above support -march=native, which automatically detects
++ the optimum settings to use based on your processor. -march=native
++ also detects and applies additional settings beyond -march specific
++ to your CPU, (eg. -msse4). Unless you have a specific reason not to
++ (e.g. distcc cross-compiling), you should probably be using
++ -march=native rather than anything listed below.
++
++ Enables -march=native
++
+ endchoice
+
+ config X86_GENERIC
+@@ -311,7 +499,7 @@ config X86_INTERNODE_CACHE_SHIFT
+ config X86_L1_CACHE_SHIFT
+ int
+ default "7" if MPENTIUM4 || MPSC
+- default "6" if MK7 || MK8 || MPENTIUMM || MCORE2 || MATOM || MVIAC7 || X86_GENERIC || GENERIC_CPU
++ default "6" if MK7 || MK8 || MK8SSE3 || MK10 || MBARCELONA || MBOBCAT || MBULLDOZER || MPILEDRIVER || MSTEAMROLLER || MEXCAVATOR || MZEN || MJAGUAR || MPENTIUMM || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MNATIVE || MATOM || MVIAC7 || X86_GENERIC || GENERIC_CPU
+ default "4" if MELAN || M486 || MGEODEGX1
+ default "5" if MWINCHIP3D || MWINCHIPC6 || MCRUSOE || MEFFICEON || MCYRIXIII || MK6 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || MVIAC3_2 || MGEODE_LX
+
+@@ -329,39 +517,40 @@ config X86_ALIGNMENT_16
+
+ config X86_INTEL_USERCOPY
+ def_bool y
+- depends on MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M586MMX || X86_GENERIC || MK8 || MK7 || MEFFICEON || MCORE2
++ depends on MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M586MMX || X86_GENERIC || MK8 || MK8SSE3 || MK7 || MEFFICEON || MCORE2 || MK10 || MBARCELONA || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MNATIVE
+
+ config X86_USE_PPRO_CHECKSUM
+ def_bool y
+- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MK7 || MK6 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MK8 || MVIAC3_2 || MVIAC7 || MEFFICEON || MGEODE_LX || MCORE2 || MATOM
++ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MK7 || MK6 || MK10 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MK8 || MK8SSE3 || MVIAC3_2 || MVIAC7 || MEFFICEON || MGEODE_LX || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MATOM || MNATIVE
+
+ config X86_USE_3DNOW
+ def_bool y
+ depends on (MCYRIXIII || MK7 || MGEODE_LX) && !UML
+
+-#
+-# P6_NOPs are a relatively minor optimization that require a family >=
+-# 6 processor, except that it is broken on certain VIA chips.
+-# Furthermore, AMD chips prefer a totally different sequence of NOPs
+-# (which work on all CPUs). In addition, it looks like Virtual PC
+-# does not understand them.
+-#
+-# As a result, disallow these if we're not compiling for X86_64 (these
+-# NOPs do work on all x86-64 capable chips); the list of processors in
+-# the right-hand clause are the cores that benefit from this optimization.
+-#
+ config X86_P6_NOP
+- def_bool y
+- depends on X86_64
+- depends on (MCORE2 || MPENTIUM4 || MPSC)
++ default n
++ bool "Support for P6_NOPs on Intel chips"
++ depends on (MCORE2 || MPENTIUM4 || MPSC || MATOM || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MNATIVE)
++ ---help---
++ P6_NOPs are a relatively minor optimization that require a family >=
++ 6 processor, except that it is broken on certain VIA chips.
++ Furthermore, AMD chips prefer a totally different sequence of NOPs
++ (which work on all CPUs). In addition, it looks like Virtual PC
++ does not understand them.
+
++ As a result, disallow these if we're not compiling for X86_64 (these
++ NOPs do work on all x86-64 capable chips); the list of processors in
++ the right-hand clause are the cores that benefit from this optimization.
++
++ Say Y if you have Intel CPU newer than Pentium Pro, N otherwise.
++
+ config X86_TSC
+ def_bool y
+- depends on (MWINCHIP3D || MCRUSOE || MEFFICEON || MCYRIXIII || MK7 || MK6 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || MK8 || MVIAC3_2 || MVIAC7 || MGEODEGX1 || MGEODE_LX || MCORE2 || MATOM) || X86_64
++ depends on (MWINCHIP3D || MCRUSOE || MEFFICEON || MCYRIXIII || MK7 || MK6 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || MK8 || MK8SSE3 || MVIAC3_2 || MVIAC7 || MGEODEGX1 || MGEODE_LX || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MNATIVE || MATOM) || X86_64
+
+ config X86_CMPXCHG64
+ def_bool y
+- depends on X86_PAE || X86_64 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || M586TSC || M586MMX || MATOM || MGEODE_LX || MGEODEGX1 || MK6 || MK7 || MK8
++ depends on (MK8 || MK8SSE3 || MK10 || MBARCELONA || MBOBCAT || MBULLDOZER || MPILEDRIVER || MSTEAMROLLER || MEXCAVATOR || MZEN || MJAGUAR || MK7 || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MCANNONLAKE || MICELAKE || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MNATIVE || MATOM || MGEODE_LX)
+
+ # this should be set for all -march=.. options where the compiler
+ # generates cmov.
+diff --git a/arch/x86/Makefile b/arch/x86/Makefile
+index 56e748a7679f..5f0f7305bdf3 100644
+--- a/arch/x86/Makefile
++++ b/arch/x86/Makefile
+@@ -118,13 +118,46 @@ else
+ KBUILD_CFLAGS += $(call cc-option,-mskip-rax-setup)
+
+ # FIXME - should be integrated in Makefile.cpu (Makefile_32.cpu)
++ cflags-$(CONFIG_MNATIVE) += $(call cc-option,-march=native)
+ cflags-$(CONFIG_MK8) += $(call cc-option,-march=k8)
++ cflags-$(CONFIG_MK8SSE3) += $(call cc-option,-march=k8-sse3,-mtune=k8)
++ cflags-$(CONFIG_MK10) += $(call cc-option,-march=amdfam10)
++ cflags-$(CONFIG_MBARCELONA) += $(call cc-option,-march=barcelona)
++ cflags-$(CONFIG_MBOBCAT) += $(call cc-option,-march=btver1)
++ cflags-$(CONFIG_MJAGUAR) += $(call cc-option,-march=btver2)
++ cflags-$(CONFIG_MBULLDOZER) += $(call cc-option,-march=bdver1)
++ cflags-$(CONFIG_MPILEDRIVER) += $(call cc-option,-march=bdver2)
++ cflags-$(CONFIG_MSTEAMROLLER) += $(call cc-option,-march=bdver3)
++ cflags-$(CONFIG_MEXCAVATOR) += $(call cc-option,-march=bdver4)
++ cflags-$(CONFIG_MZEN) += $(call cc-option,-march=znver1)
+ cflags-$(CONFIG_MPSC) += $(call cc-option,-march=nocona)
+
+ cflags-$(CONFIG_MCORE2) += \
+- $(call cc-option,-march=core2,$(call cc-option,-mtune=generic))
+- cflags-$(CONFIG_MATOM) += $(call cc-option,-march=atom) \
+- $(call cc-option,-mtune=atom,$(call cc-option,-mtune=generic))
++ $(call cc-option,-march=core2,$(call cc-option,-mtune=core2))
++ cflags-$(CONFIG_MNEHALEM) += \
++ $(call cc-option,-march=nehalem,$(call cc-option,-mtune=nehalem))
++ cflags-$(CONFIG_MWESTMERE) += \
++ $(call cc-option,-march=westmere,$(call cc-option,-mtune=westmere))
++ cflags-$(CONFIG_MSILVERMONT) += \
++ $(call cc-option,-march=silvermont,$(call cc-option,-mtune=silvermont))
++ cflags-$(CONFIG_MSANDYBRIDGE) += \
++ $(call cc-option,-march=sandybridge,$(call cc-option,-mtune=sandybridge))
++ cflags-$(CONFIG_MIVYBRIDGE) += \
++ $(call cc-option,-march=ivybridge,$(call cc-option,-mtune=ivybridge))
++ cflags-$(CONFIG_MHASWELL) += \
++ $(call cc-option,-march=haswell,$(call cc-option,-mtune=haswell))
++ cflags-$(CONFIG_MBROADWELL) += \
++ $(call cc-option,-march=broadwell,$(call cc-option,-mtune=broadwell))
++ cflags-$(CONFIG_MSKYLAKE) += \
++ $(call cc-option,-march=skylake,$(call cc-option,-mtune=skylake))
++ cflags-$(CONFIG_MSKYLAKEX) += \
++ $(call cc-option,-march=skylake-avx512,$(call cc-option,-mtune=skylake-avx512))
++ cflags-$(CONFIG_MCANNONLAKE) += \
++ $(call cc-option,-march=cannonlake,$(call cc-option,-mtune=cannonlake))
++ cflags-$(CONFIG_MICELAKE) += \
++ $(call cc-option,-march=icelake,$(call cc-option,-mtune=icelake))
++ cflags-$(CONFIG_MATOM) += $(call cc-option,-march=bonnell) \
++ $(call cc-option,-mtune=bonnell,$(call cc-option,-mtune=generic))
+ cflags-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=generic)
+ KBUILD_CFLAGS += $(cflags-y)
+
+diff --git a/arch/x86/Makefile_32.cpu b/arch/x86/Makefile_32.cpu
+index 1f5faf8606b4..136dbfc189e4 100644
+--- a/arch/x86/Makefile_32.cpu
++++ b/arch/x86/Makefile_32.cpu
+@@ -23,7 +23,18 @@ cflags-$(CONFIG_MK6) += -march=k6
+ # Please note, that patches that add -march=athlon-xp and friends are pointless.
+ # They make zero difference whatsosever to performance at this time.
+ cflags-$(CONFIG_MK7) += -march=athlon
++cflags-$(CONFIG_MNATIVE) += $(call cc-option,-march=native)
+ cflags-$(CONFIG_MK8) += $(call cc-option,-march=k8,-march=athlon)
++cflags-$(CONFIG_MK8SSE3) += $(call cc-option,-march=k8-sse3,-march=athlon)
++cflags-$(CONFIG_MK10) += $(call cc-option,-march=amdfam10,-march=athlon)
++cflags-$(CONFIG_MBARCELONA) += $(call cc-option,-march=barcelona,-march=athlon)
++cflags-$(CONFIG_MBOBCAT) += $(call cc-option,-march=btver1,-march=athlon)
++cflags-$(CONFIG_MJAGUAR) += $(call cc-option,-march=btver2,-march=athlon)
++cflags-$(CONFIG_MBULLDOZER) += $(call cc-option,-march=bdver1,-march=athlon)
++cflags-$(CONFIG_MPILEDRIVER) += $(call cc-option,-march=bdver2,-march=athlon)
++cflags-$(CONFIG_MSTEAMROLLER) += $(call cc-option,-march=bdver3,-march=athlon)
++cflags-$(CONFIG_MEXCAVATOR) += $(call cc-option,-march=bdver4,-march=athlon)
++cflags-$(CONFIG_MZEN) += $(call cc-option,-march=znver1,-march=athlon)
+ cflags-$(CONFIG_MCRUSOE) += -march=i686 -falign-functions=0 -falign-jumps=0 -falign-loops=0
+ cflags-$(CONFIG_MEFFICEON) += -march=i686 $(call tune,pentium3) -falign-functions=0 -falign-jumps=0 -falign-loops=0
+ cflags-$(CONFIG_MWINCHIPC6) += $(call cc-option,-march=winchip-c6,-march=i586)
+@@ -32,9 +43,20 @@ cflags-$(CONFIG_MCYRIXIII) += $(call cc-option,-march=c3,-march=i486) -falign-fu
+ cflags-$(CONFIG_MVIAC3_2) += $(call cc-option,-march=c3-2,-march=i686)
+ cflags-$(CONFIG_MVIAC7) += -march=i686
+ cflags-$(CONFIG_MCORE2) += -march=i686 $(call tune,core2)
+-cflags-$(CONFIG_MATOM) += $(call cc-option,-march=atom,$(call cc-option,-march=core2,-march=i686)) \
+- $(call cc-option,-mtune=atom,$(call cc-option,-mtune=generic))
+-
++cflags-$(CONFIG_MNEHALEM) += -march=i686 $(call tune,nehalem)
++cflags-$(CONFIG_MWESTMERE) += -march=i686 $(call tune,westmere)
++cflags-$(CONFIG_MSILVERMONT) += -march=i686 $(call tune,silvermont)
++cflags-$(CONFIG_MSANDYBRIDGE) += -march=i686 $(call tune,sandybridge)
++cflags-$(CONFIG_MIVYBRIDGE) += -march=i686 $(call tune,ivybridge)
++cflags-$(CONFIG_MHASWELL) += -march=i686 $(call tune,haswell)
++cflags-$(CONFIG_MBROADWELL) += -march=i686 $(call tune,broadwell)
++cflags-$(CONFIG_MSKYLAKE) += -march=i686 $(call tune,skylake)
++cflags-$(CONFIG_MSKYLAKEX) += -march=i686 $(call tune,skylake-avx512)
++cflags-$(CONFIG_MCANNONLAKE) += -march=i686 $(call tune,cannonlake)
++cflags-$(CONFIG_MICELAKE) += -march=i686 $(call tune,icelake)
++cflags-$(CONFIG_MATOM) += $(call cc-option,-march=bonnell,$(call cc-option,-march=core2,-march=i686)) \
++ $(call cc-option,-mtune=bonnell,$(call cc-option,-mtune=generic))
++
+ # AMD Elan support
+ cflags-$(CONFIG_MELAN) += -march=i486
+
+diff --git a/arch/x86/include/asm/module.h b/arch/x86/include/asm/module.h
+index 7948a17febb4..44b776297dc3 100644
+--- a/arch/x86/include/asm/module.h
++++ b/arch/x86/include/asm/module.h
+@@ -25,6 +25,30 @@ struct mod_arch_specific {
+ #define MODULE_PROC_FAMILY "586MMX "
+ #elif defined CONFIG_MCORE2
+ #define MODULE_PROC_FAMILY "CORE2 "
++#elif defined CONFIG_MNATIVE
++#define MODULE_PROC_FAMILY "NATIVE "
++#elif defined CONFIG_MNEHALEM
++#define MODULE_PROC_FAMILY "NEHALEM "
++#elif defined CONFIG_MWESTMERE
++#define MODULE_PROC_FAMILY "WESTMERE "
++#elif defined CONFIG_MSILVERMONT
++#define MODULE_PROC_FAMILY "SILVERMONT "
++#elif defined CONFIG_MSANDYBRIDGE
++#define MODULE_PROC_FAMILY "SANDYBRIDGE "
++#elif defined CONFIG_MIVYBRIDGE
++#define MODULE_PROC_FAMILY "IVYBRIDGE "
++#elif defined CONFIG_MHASWELL
++#define MODULE_PROC_FAMILY "HASWELL "
++#elif defined CONFIG_MBROADWELL
++#define MODULE_PROC_FAMILY "BROADWELL "
++#elif defined CONFIG_MSKYLAKE
++#define MODULE_PROC_FAMILY "SKYLAKE "
++#elif defined CONFIG_MSKYLAKEX
++#define MODULE_PROC_FAMILY "SKYLAKEX "
++#elif defined CONFIG_MCANNONLAKE
++#define MODULE_PROC_FAMILY "CANNONLAKE "
++#elif defined CONFIG_MICELAKE
++#define MODULE_PROC_FAMILY "ICELAKE "
+ #elif defined CONFIG_MATOM
+ #define MODULE_PROC_FAMILY "ATOM "
+ #elif defined CONFIG_M686
+@@ -43,6 +67,26 @@ struct mod_arch_specific {
+ #define MODULE_PROC_FAMILY "K7 "
+ #elif defined CONFIG_MK8
+ #define MODULE_PROC_FAMILY "K8 "
++#elif defined CONFIG_MK8SSE3
++#define MODULE_PROC_FAMILY "K8SSE3 "
++#elif defined CONFIG_MK10
++#define MODULE_PROC_FAMILY "K10 "
++#elif defined CONFIG_MBARCELONA
++#define MODULE_PROC_FAMILY "BARCELONA "
++#elif defined CONFIG_MBOBCAT
++#define MODULE_PROC_FAMILY "BOBCAT "
++#elif defined CONFIG_MBULLDOZER
++#define MODULE_PROC_FAMILY "BULLDOZER "
++#elif defined CONFIG_MPILEDRIVER
++#define MODULE_PROC_FAMILY "PILEDRIVER "
++#elif defined CONFIG_MSTEAMROLLER
++#define MODULE_PROC_FAMILY "STEAMROLLER "
++#elif defined CONFIG_MJAGUAR
++#define MODULE_PROC_FAMILY "JAGUAR "
++#elif defined CONFIG_MEXCAVATOR
++#define MODULE_PROC_FAMILY "EXCAVATOR "
++#elif defined CONFIG_MZEN
++#define MODULE_PROC_FAMILY "ZEN "
+ #elif defined CONFIG_MELAN
+ #define MODULE_PROC_FAMILY "ELAN "
+ #elif defined CONFIG_MCRUSOE
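Review bot: The new MNATIVE option (Kconfig.cpu hunk, `config MNATIVE`) is paired with a fixed `#define MODULE_PROC_FAMILY "NATIVE "` in module.h, so two -march=native kernels built on different hosts presumably carry the same vermagic while containing whatever ISA extensions each build host happened to have; an out-of-tree module built on a newer box would then load without complaint and fault on an invalid opcode rather than being refused. The MNATIVE help text should state this: `Modules must be built on the same CPU as the kernel: vermagic cannot distinguish native builds, and the result is not reproducible across build hosts.` Separately, the X86_P6_NOP rewrite drops the old `depends on X86_64` line but keeps the help sentence "disallow these if we're not compiling for X86_64", and MPENTIUM4 (which `depends on X86_32`) now gains `select X86_P6_NOP`, so the option and its own description disagree; either restore `depends on X86_64` or reword the help. The embedded commit message also gives "kernel version 4.13+" in the subject but "linux version >=4.20" under REQUIREMENTS, which should be reconciled.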
diff --git a/sys-kernel/stable-sources-5.2.15 b/sys-kernel/stable-sources-5.2.15
new file mode 120000
index 00000000..cb892cc4
--- /dev/null
+++ b/sys-kernel/stable-sources-5.2.15
@@ -0,0 +1 @@
+boest-v5.2.15 \ No newline at end of file