authorBertrand Jacquin <bertrand@jacquin.bzh>2019-09-16 22:21:55 +0100
committerBertrand Jacquin <bertrand@jacquin.bzh>2019-09-16 22:22:44 +0100
commit83ae23d2e4a1ba7bf5b83f23da87145d97395ed0 (patch)
tree70aef2bfb087b8652180856bf30da13d76b11503
parentsys-kernel/longterm-sources: Bump 4.19 (diff)
sys-kernel/stable-sources: Drop 5.1
-rw-r--r--sys-kernel/boest-v5.1.17/0001-patch-5.1-ja1.diff.patch2120
-rw-r--r--sys-kernel/boest-v5.1.17/0002-pool-2.6.25-tcp-timewait-20s.diff.patch27
-rw-r--r--sys-kernel/boest-v5.1.17/0003-pool-2.6.25-disable-tcp-debug.diff.patch25
-rw-r--r--sys-kernel/boest-v5.1.17/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch142
-rw-r--r--sys-kernel/boest-v5.1.17/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch34
-rw-r--r--sys-kernel/boest-v5.1.17/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch45
-rw-r--r--sys-kernel/boest-v5.1.17/0007-This-patch-adds-support-for-a-restricted-user-contro.patch75
-rw-r--r--sys-kernel/boest-v5.1.17/0008-fs-Enable-link-security-restrictions-by-default.patch26
-rw-r--r--sys-kernel/boest-v5.1.17/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch38
-rw-r--r--sys-kernel/boest-v5.1.17/0010-usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch37
-rw-r--r--sys-kernel/boest-v5.1.17/0011-5.1-2600_enable-key-swapping-for-apple-mac.patch.patch125
-rw-r--r--sys-kernel/boest-v5.1.17/0012-5.1-4567_distro-Gentoo-Kconfig.patch.patch173
-rw-r--r--sys-kernel/boest-v5.1.17/0013-WARNING.patch565
l---------sys-kernel/stable-sources-5.1.171
14 files changed, 0 insertions, 3433 deletions
diff --git a/sys-kernel/boest-v5.1.17/0001-patch-5.1-ja1.diff.patch b/sys-kernel/boest-v5.1.17/0001-patch-5.1-ja1.diff.patch
deleted file mode 100644
index 69d32360..00000000
--- a/sys-kernel/boest-v5.1.17/0001-patch-5.1-ja1.diff.patch
+++ /dev/null
@@ -1,2120 +0,0 @@
-From 3f8fd4402c7e120a4f1d73485cfedcdf17e08005 Mon Sep 17 00:00:00 2001
-From: Julian Anastasov <ja@ssi.bg>
-Date: Mon, 6 May 2019 12:45:11 +0000
-Subject: [PATCH 01/13] patch-5.1-ja1.diff
-
-Jumbo patch containing the following parts:
- - routes-2.X.*.diff (static_routes, alt_routes, nf_reroute but without arp_prefsrc functionality, it is replaced by arprules and rp_filter_mask)
- - hidden-2.X.*.diff (conf/*/hidden)
- - arprules-2.X.*.diff (iparp/arprules support)
- - rp_filter_mask-2.X.*.diff (conf/*/rp_filter_mask)
- - forward_shared-2.X.*.diff (conf/*/forward_shared)
- - send-to-self-2.X.*.diff (conf/*/loop, included March 3, 2004, up to Linux 3.5)
-
-URL: http://ja.ssi.bg/patch-5.1-ja1.diff
----
- Documentation/networking/ip-sysctl.txt | 30 ++
- include/linux/inetdevice.h | 3 +
- include/net/flow.h | 2 +
- include/net/ip_fib.h | 5 +-
- include/net/netfilter/nf_nat.h | 5 +
- include/net/route.h | 5 +
- include/uapi/linux/ip.h | 3 +
- include/uapi/linux/rtnetlink.h | 64 ++-
- net/bridge/br_netfilter_hooks.c | 3 +
- net/ipv4/arp.c | 695 ++++++++++++++++++++++++-
- net/ipv4/devinet.c | 14 +-
- net/ipv4/fib_frontend.c | 56 +-
- net/ipv4/fib_rules.c | 5 +
- net/ipv4/fib_semantics.c | 257 ++++++---
- net/ipv4/fib_trie.c | 3 +
- net/ipv4/netfilter/iptable_nat.c | 7 +
- net/ipv4/route.c | 69 ++-
- net/netfilter/nf_nat_core.c | 43 ++
- net/netfilter/nf_nat_masquerade.c | 27 +-
- security/selinux/nlmsgtab.c | 5 +-
- 20 files changed, 1173 insertions(+), 128 deletions(-)
-
-diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
-index f0d09162c7a3..048db28eb683 100644
---- a/Documentation/networking/ip-sysctl.txt
-+++ b/Documentation/networking/ip-sysctl.txt
-@@ -1085,6 +1085,19 @@ forwarding - BOOLEAN
- Enable IP forwarding on this interface. This controls whether packets
- received _on_ this interface can be forwarded.
-
-+forward_shared - BOOLEAN
-+ Integer value determines if a source validation should allow
-+ forwarding of packets with local source address. 1 means yes,
-+ 0 means no. By default the flag is disabled and such packets
-+ are not forwarded.
-+
-+ If you enable this flag on internal network, the router will forward
-+ packets from internal hosts with shared IP addresses no matter how
-+ the rp_filter is set. This flag is activated only if it is
-+ enabled both in specific device section and in "all" section.
-+
-+ The forward_shared value could be ignored when rp_filter is set to 0.
-+
- mc_forwarding - BOOLEAN
- Do multicast routing. The kernel needs to be compiled with CONFIG_MROUTE
- and a multicast routing daemon is required.
-@@ -1200,6 +1213,15 @@ rp_filter - INTEGER
- Default value is 0. Note that some distributions enable it
- in startup scripts.
-
-+rp_filter_mask - INTEGER
-+ Integer value representing bitmask of the mediums for which the
-+ reverse path protection is disabled. If the source validation
-+ results in reverse path to interface with medium_id value in
-+ the 1..31 range the access is allowed if the corresponding bit
-+ is set in the bitmask. The bitmask value is considered only when
-+ rp_filter is enabled. By default the bitmask is empty preserving
-+ the original rp_filter semantic.
-+
- arp_filter - BOOLEAN
- 1 - Allows you to have multiple network interfaces on the same
- subnet, and have the ARPs for each interface be answered
-@@ -1340,6 +1362,14 @@ drop_gratuitous_arp - BOOLEAN
- Default: off (0)
-
-
-+hidden - BOOLEAN
-+ Hide addresses attached to this device from other devices.
-+ Such addresses will never be selected by source address autoselection
-+ mechanism, host does not answer broadcast ARP requests for them,
-+ does not announce them as source address of ARP requests, but they
-+ are still reachable via IP. This flag is activated only if it is
-+ enabled both in specific device section and in "all" section.
-+
- tag - INTEGER
- Allows you to write a number, which can be used as required.
- Default value is 0.
-diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
-index a64f21a97369..f2103b9e67de 100644
---- a/include/linux/inetdevice.h
-+++ b/include/linux/inetdevice.h
-@@ -97,9 +97,11 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
- #define IN_DEV_MFORWARD(in_dev) IN_DEV_ANDCONF((in_dev), MC_FORWARDING)
- #define IN_DEV_BFORWARD(in_dev) IN_DEV_ANDCONF((in_dev), BC_FORWARDING)
- #define IN_DEV_RPFILTER(in_dev) IN_DEV_MAXCONF((in_dev), RP_FILTER)
-+#define IN_DEV_RPFILTER_MASK(in_dev) IN_DEV_CONF_GET(in_dev, RP_FILTER_MASK)
- #define IN_DEV_SRC_VMARK(in_dev) IN_DEV_ORCONF((in_dev), SRC_VMARK)
- #define IN_DEV_SOURCE_ROUTE(in_dev) IN_DEV_ANDCONF((in_dev), \
- ACCEPT_SOURCE_ROUTE)
-+#define IN_DEV_FORWARD_SHARED(in_dev) IN_DEV_ANDCONF((in_dev), FORWARD_SHARED)
- #define IN_DEV_ACCEPT_LOCAL(in_dev) IN_DEV_ORCONF((in_dev), ACCEPT_LOCAL)
- #define IN_DEV_BOOTP_RELAY(in_dev) IN_DEV_ANDCONF((in_dev), BOOTP_RELAY)
-
-@@ -112,6 +114,7 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
- SECURE_REDIRECTS)
- #define IN_DEV_IDTAG(in_dev) IN_DEV_CONF_GET(in_dev, TAG)
- #define IN_DEV_MEDIUM_ID(in_dev) IN_DEV_CONF_GET(in_dev, MEDIUM_ID)
-+#define IN_DEV_HIDDEN(in_dev) IN_DEV_ANDCONF((in_dev), HIDDEN)
- #define IN_DEV_PROMOTE_SECONDARIES(in_dev) \
- IN_DEV_ORCONF((in_dev), \
- PROMOTE_SECONDARIES)
-diff --git a/include/net/flow.h b/include/net/flow.h
-index a50fb77a0b27..7dcdb9b3162e 100644
---- a/include/net/flow.h
-+++ b/include/net/flow.h
-@@ -93,6 +93,7 @@ struct flowi4 {
- #define fl4_ipsec_spi uli.spi
- #define fl4_mh_type uli.mht.type
- #define fl4_gre_key uli.gre_key
-+ __be32 fl4_gw;
- } __attribute__((__aligned__(BITS_PER_LONG/8)));
-
- static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
-@@ -116,6 +117,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
- fl4->saddr = saddr;
- fl4->fl4_dport = dport;
- fl4->fl4_sport = sport;
-+ fl4->fl4_gw = 0;
- }
-
- /* Reset some input parameters after previous lookup */
-diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
-index 9c8214d2116d..a1b2aa38264b 100644
---- a/include/net/ip_fib.h
-+++ b/include/net/ip_fib.h
-@@ -378,6 +378,8 @@ static inline bool fib4_rules_early_flow_dissect(struct net *net,
- return true;
- }
-
-+u32 fib_result_table(struct fib_result *res);
-+
- #endif /* CONFIG_IP_MULTIPLE_TABLES */
-
- /* Exported by fib_frontend.c */
-@@ -387,7 +389,8 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb);
- bool fib_info_nh_uses_dev(struct fib_info *fi, const struct net_device *dev);
- int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
- u8 tos, int oif, struct net_device *dev,
-- struct in_device *idev, u32 *itag);
-+ struct in_device *idev, u32 *itag, int our);
-+void fib_select_default(const struct flowi4 *flp, struct fib_result *res);
- #ifdef CONFIG_IP_ROUTE_CLASSID
- static inline int fib_num_tclassid_users(struct net *net)
- {
-diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
-index cf332c4e0b32..420836188d8a 100644
---- a/include/net/netfilter/nf_nat.h
-+++ b/include/net/netfilter/nf_nat.h
-@@ -36,6 +36,11 @@ struct nf_conn_nat {
- #endif
- };
-
-+/* Call input routing for SNAT-ed traffic */
-+unsigned int ip_nat_route_input(void *priv,
-+ struct sk_buff *skb,
-+ const struct nf_hook_state *state);
-+
- /* Set up the info structure to map into this range. */
- unsigned int nf_nat_setup_info(struct nf_conn *ct,
- const struct nf_nat_range2 *range,
-diff --git a/include/net/route.h b/include/net/route.h
-index 9883dc82f723..a617bc7e0d8f 100644
---- a/include/net/route.h
-+++ b/include/net/route.h
-@@ -182,6 +182,9 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 dst, __be32 src,
- int ip_route_input_rcu(struct sk_buff *skb, __be32 dst, __be32 src,
- u8 tos, struct net_device *devin,
- struct fib_result *res);
-+int ip_route_input_common_rcu(struct sk_buff *skb, __be32 dst, __be32 src,
-+ u8 tos, struct net_device *devin, __be32 lsrc,
-+ struct fib_result *res);
-
- static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src,
- u8 tos, struct net_device *devin)
-@@ -217,6 +220,8 @@ unsigned int inet_addr_type_dev_table(struct net *net,
- void ip_rt_multicast_event(struct in_device *);
- int ip_rt_ioctl(struct net *, unsigned int cmd, struct rtentry *rt);
- void ip_rt_get_source(u8 *src, struct sk_buff *skb, struct rtable *rt);
-+int ip_route_input_lookup(struct sk_buff*, __be32 dst, __be32 src, u8 tos,
-+ struct net_device *devin, __be32 lsrc);
- struct rtable *rt_dst_alloc(struct net_device *dev,
- unsigned int flags, u16 type,
- bool nopolicy, bool noxfrm, bool will_cache);
-diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
-index e42d13b55cf3..d03711046f2e 100644
---- a/include/uapi/linux/ip.h
-+++ b/include/uapi/linux/ip.h
-@@ -169,6 +169,9 @@ enum
- IPV4_DEVCONF_DROP_UNICAST_IN_L2_MULTICAST,
- IPV4_DEVCONF_DROP_GRATUITOUS_ARP,
- IPV4_DEVCONF_BC_FORWARDING,
-+ IPV4_DEVCONF_HIDDEN,
-+ IPV4_DEVCONF_RP_FILTER_MASK,
-+ IPV4_DEVCONF_FORWARD_SHARED,
- __IPV4_DEVCONF_MAX
- };
-
-diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h
-index 46399367627f..92593fd1a055 100644
---- a/include/uapi/linux/rtnetlink.h
-+++ b/include/uapi/linux/rtnetlink.h
-@@ -157,6 +157,13 @@ enum {
- RTM_GETCHAIN,
- #define RTM_GETCHAIN RTM_GETCHAIN
-
-+ RTM_NEWARPRULE = 104,
-+#define RTM_NEWARPRULE RTM_NEWARPRULE
-+ RTM_DELARPRULE,
-+#define RTM_DELARPRULE RTM_DELARPRULE
-+ RTM_GETARPRULE,
-+#define RTM_GETARPRULE RTM_GETARPRULE
-+
- __RTM_MAX,
- #define RTM_MAX (((__RTM_MAX + 3) & ~3) - 1)
- };
-@@ -374,8 +381,11 @@ struct rtnexthop {
- #define RTNH_F_OFFLOAD 8 /* offloaded route */
- #define RTNH_F_LINKDOWN 16 /* carrier-down on nexthop */
- #define RTNH_F_UNRESOLVED 32 /* The entry is unresolved (ipmr) */
-+#define RTNH_F_SUSPECT 64 /* We don't know the real state */
-+#define RTNH_F_BADSTATE (RTNH_F_DEAD | RTNH_F_SUSPECT)
-
--#define RTNH_COMPARE_MASK (RTNH_F_DEAD | RTNH_F_LINKDOWN | RTNH_F_OFFLOAD)
-+#define RTNH_COMPARE_MASK (RTNH_F_DEAD | RTNH_F_LINKDOWN | \
-+ RTNH_F_OFFLOAD | RTNH_F_SUSPECT)
-
- /* Macros to handle hexthops */
-
-@@ -617,6 +627,54 @@ enum {
-
- #define NDUSEROPT_MAX (__NDUSEROPT_MAX - 1)
-
-+/******************************************************************************
-+ * Definitions used in ARP tables administration
-+ ****/
-+
-+#define ARPA_TABLE_INPUT 0
-+#define ARPA_TABLE_OUTPUT 1
-+#define ARPA_TABLE_FORWARD 2
-+#define ARPA_TABLE_ALL -1
-+
-+#define ARPM_F_PREFSRC 0x0001
-+#define ARPM_F_WILDIIF 0x0002
-+#define ARPM_F_WILDOIF 0x0004
-+#define ARPM_F_BROADCAST 0x0008
-+#define ARPM_F_UNICAST 0x0010
-+
-+struct arpmsg
-+{
-+ unsigned char arpm_family;
-+ unsigned char arpm_table;
-+ unsigned char arpm_action;
-+ unsigned char arpm_from_len;
-+ unsigned char arpm_to_len;
-+ unsigned char arpm__pad1;
-+ unsigned short arpm__pad2;
-+ unsigned arpm_pref;
-+ unsigned arpm_flags;
-+};
-+
-+enum
-+{
-+ ARPA_UNSPEC,
-+ ARPA_FROM, /* FROM IP prefix */
-+ ARPA_TO, /* TO IP prefix */
-+ ARPA_LLFROM, /* FROM LL prefix */
-+ ARPA_LLTO, /* TO LL prefix */
-+ ARPA_LLSRC, /* New SRC lladdr */
-+ ARPA_LLDST, /* New DST lladdr */
-+ ARPA_IIF, /* In interface prefix */
-+ ARPA_OIF, /* Out interface prefix */
-+ ARPA_SRC, /* New IP SRC */
-+ ARPA_DST, /* New IP DST, not used */
-+ ARPA_PACKETS, /* Packets */
-+};
-+
-+#define ARPA_MAX ARPA_PACKETS
-+
-+#define ARPA_RTA(r) ((struct rtattr*)(((char*)(r)) + NLMSG_ALIGN(sizeof(struct arpmsg))))
-+
- #ifndef __KERNEL__
- /* RTnetlink multicast groups - backwards compatibility for userspace */
- #define RTMGRP_LINK 1
-@@ -637,6 +695,8 @@ enum {
- #define RTMGRP_DECnet_IFADDR 0x1000
- #define RTMGRP_DECnet_ROUTE 0x4000
-
-+#define RTMGRP_ARP 0x00010000
-+
- #define RTMGRP_IPV6_PREFIX 0x20000
- #endif
-
-@@ -704,6 +764,8 @@ enum rtnetlink_groups {
- #define RTNLGRP_IPV4_MROUTE_R RTNLGRP_IPV4_MROUTE_R
- RTNLGRP_IPV6_MROUTE_R,
- #define RTNLGRP_IPV6_MROUTE_R RTNLGRP_IPV6_MROUTE_R
-+ RTNLGRP_ARP,
-+#define RTNLGRP_ARP RTNLGRP_ARP
- __RTNLGRP_MAX
- };
- #define RTNLGRP_MAX (__RTNLGRP_MAX - 1)
-diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
-index 22afa566cbce..3de2da264fc8 100644
---- a/net/bridge/br_netfilter_hooks.c
-+++ b/net/bridge/br_netfilter_hooks.c
-@@ -347,6 +347,9 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_
-
- nf_bridge->frag_max_size = IPCB(skb)->frag_max_size;
-
-+ /* Old skb->dst is not expected, it is lost in all cases */
-+ skb_dst_drop(skb);
-+
- if (nf_bridge->pkt_otherhost) {
- skb->pkt_type = PACKET_OTHERHOST;
- nf_bridge->pkt_otherhost = false;
-diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
-index 850a6f13a082..bf0bf575eff6 100644
---- a/net/ipv4/arp.c
-+++ b/net/ipv4/arp.c
-@@ -71,6 +71,9 @@
- * sending (e.g. insert 8021q tag).
- * Harald Welte : convert to make use of jenkins hash
- * Jesper D. Brouer: Proxy ARP PVLAN RFC 3069 support.
-+ * Julian Anastasov: "hidden" flag: hide the
-+ * interface and don't reply for it
-+ * Julian Anastasov: ARP filtering via netlink
- */
-
- #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-@@ -95,6 +98,7 @@
- #include <linux/proc_fs.h>
- #include <linux/seq_file.h>
- #include <linux/stat.h>
-+#include <net/netlink.h>
- #include <linux/init.h>
- #include <linux/net.h>
- #include <linux/rcupdate.h>
-@@ -185,6 +189,48 @@ struct neigh_table arp_tbl = {
- };
- EXPORT_SYMBOL(arp_tbl);
-
-+struct arpf_node {
-+ struct arpf_node * at_next;
-+ u32 at_pref;
-+ u32 at_from;
-+ u32 at_from_mask;
-+ u32 at_to;
-+ u32 at_to_mask;
-+ u32 at_src;
-+ atomic_t at_packets;
-+ atomic_t at_refcnt;
-+ unsigned at_flags;
-+ unsigned char at_from_len;
-+ unsigned char at_to_len;
-+ unsigned char at_action;
-+ char at_dead;
-+ unsigned char at_llfrom_len;
-+ unsigned char at_llto_len;
-+ unsigned char at_llsrc_len;
-+ unsigned char at_lldst_len;
-+ unsigned char at_iif_len;
-+ unsigned char at_oif_len;
-+ unsigned short at__pad1;
-+ unsigned char at_llfrom[MAX_ADDR_LEN];
-+ unsigned char at_llto[MAX_ADDR_LEN];
-+ unsigned char at_llsrc[MAX_ADDR_LEN];
-+ unsigned char at_lldst[MAX_ADDR_LEN];
-+ char at_iif[IFNAMSIZ];
-+ char at_oif[IFNAMSIZ];
-+};
-+
-+static struct arpf_node *arp_tabs[3];
-+
-+static struct kmem_cache *arpf_cachep;
-+
-+static DEFINE_RWLOCK(arpf_lock);
-+
-+static void
-+arpf_send(int table, struct net *net, struct sk_buff *skb, u32 sip, u32 tip,
-+ unsigned char *from_hw, unsigned char *to_hw,
-+ struct net_device *idev, struct net_device *odev,
-+ struct dst_entry *dst);
-+
- int arp_mc_map(__be32 addr, u8 *haddr, struct net_device *dev, int dir)
- {
- switch (dev->type) {
-@@ -338,7 +384,9 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
- struct net_device *dev = neigh->dev;
- __be32 target = *(__be32 *)neigh->primary_key;
- int probes = atomic_read(&neigh->probes);
-- struct in_device *in_dev;
-+ struct in_device *in_dev, *in_dev2;
-+ struct net_device *dev2;
-+ int mode;
- struct dst_entry *dst = NULL;
-
- rcu_read_lock();
-@@ -347,9 +395,22 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
- rcu_read_unlock();
- return;
- }
-- switch (IN_DEV_ARP_ANNOUNCE(in_dev)) {
-+ mode = IN_DEV_ARP_ANNOUNCE(in_dev);
-+ if (mode != 2 && skb &&
-+ (dev2 = __ip_dev_find(dev_net(dev), ip_hdr(skb)->saddr,
-+ false)) != NULL &&
-+ (saddr = ip_hdr(skb)->saddr,
-+ in_dev2 = __in_dev_get_rcu(dev2)) != NULL &&
-+ IN_DEV_HIDDEN(in_dev2)) {
-+ saddr = 0;
-+ goto get;
-+ }
-+
-+ switch (mode) {
- default:
- case 0: /* By default announce any local IP */
-+ if (saddr)
-+ break;
- if (skb && inet_addr_type_dev_table(dev_net(dev), dev,
- ip_hdr(skb)->saddr) == RTN_LOCAL)
- saddr = ip_hdr(skb)->saddr;
-@@ -357,9 +418,10 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
- case 1: /* Restrict announcements of saddr in same subnet */
- if (!skb)
- break;
-- saddr = ip_hdr(skb)->saddr;
-- if (inet_addr_type_dev_table(dev_net(dev), dev,
-- saddr) == RTN_LOCAL) {
-+ if (saddr ||
-+ (saddr = ip_hdr(skb)->saddr,
-+ inet_addr_type_dev_table(dev_net(dev), dev,
-+ saddr) == RTN_LOCAL)) {
- /* saddr should be known to target */
- if (inet_addr_onlink(in_dev, target, saddr))
- break;
-@@ -369,6 +431,8 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
- case 2: /* Avoid secondary IPs, get a primary/preferred one */
- break;
- }
-+
-+get:
- rcu_read_unlock();
-
- if (!saddr)
-@@ -390,8 +454,8 @@ static void arp_solicit(struct neighbour *neigh, struct sk_buff *skb)
-
- if (skb && !(dev->priv_flags & IFF_XMIT_DST_RELEASE))
- dst = skb_dst(skb);
-- arp_send_dst(ARPOP_REQUEST, ETH_P_ARP, target, dev, saddr,
-- dst_hw, dev->dev_addr, NULL, dst);
-+ arpf_send(ARPA_TABLE_OUTPUT, dev_net(dev), skb, saddr, target, NULL,
-+ dst_hw, NULL, dev, dst);
- }
-
- static int arp_ignore(struct in_device *in_dev, __be32 sip, __be32 tip)
-@@ -448,6 +512,21 @@ static int arp_filter(__be32 sip, __be32 tip, struct net_device *dev)
- return flag;
- }
-
-+static int arp_hidden(u32 tip, struct net_device *dev)
-+{
-+ struct net_device *dev2;
-+ struct in_device *in_dev2;
-+ int ret = 0;
-+
-+ if (!IPV4_DEVCONF_ALL(dev_net(dev), HIDDEN))
-+ return 0;
-+
-+ if ((dev2 = __ip_dev_find(dev_net(dev), tip, false)) && dev2 != dev &&
-+ (in_dev2 = __in_dev_get_rcu(dev2)) && IN_DEV_HIDDEN(in_dev2))
-+ ret = 1;
-+ return ret;
-+}
-+
- /*
- * Check if we can use proxy ARP for this path
- */
-@@ -808,9 +887,10 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
- if (sip == 0) {
- if (arp->ar_op == htons(ARPOP_REQUEST) &&
- inet_addr_type_dev_table(net, dev, tip) == RTN_LOCAL &&
-+ !arp_hidden(tip, dev) &&
- !arp_ignore(in_dev, sip, tip))
-- arp_send_dst(ARPOP_REPLY, ETH_P_ARP, sip, dev, tip,
-- sha, dev->dev_addr, sha, reply_dst);
-+ arpf_send(ARPA_TABLE_INPUT, net, skb, sip, tip, sha,
-+ tha, dev, NULL, reply_dst);
- goto out_consume_skb;
- }
-
-@@ -826,13 +906,14 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
- dont_send = arp_ignore(in_dev, sip, tip);
- if (!dont_send && IN_DEV_ARPFILTER(in_dev))
- dont_send = arp_filter(sip, tip, dev);
-+ if (!dont_send && skb->pkt_type != PACKET_HOST)
-+ dont_send = arp_hidden(tip,dev);
- if (!dont_send) {
- n = neigh_event_ns(&arp_tbl, sha, &sip, dev);
- if (n) {
-- arp_send_dst(ARPOP_REPLY, ETH_P_ARP,
-- sip, dev, tip, sha,
-- dev->dev_addr, sha,
-- reply_dst);
-+ arpf_send(ARPA_TABLE_INPUT, net, skb,
-+ sip, tip, sha, tha, dev,
-+ NULL, reply_dst);
- neigh_release(n);
- }
- }
-@@ -850,10 +931,9 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
- if (NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED ||
- skb->pkt_type == PACKET_HOST ||
- NEIGH_VAR(in_dev->arp_parms, PROXY_DELAY) == 0) {
-- arp_send_dst(ARPOP_REPLY, ETH_P_ARP,
-- sip, dev, tip, sha,
-- dev->dev_addr, sha,
-- reply_dst);
-+ arpf_send(ARPA_TABLE_FORWARD, net,
-+ skb, sip, tip, sha, tha, dev,
-+ rt->dst.dev, reply_dst);
- } else {
- pneigh_enqueue(&arp_tbl,
- in_dev->arp_parms, skb);
-@@ -1279,6 +1359,577 @@ void arp_ifdown(struct net_device *dev)
- }
-
-
-+static void arpf_destroy(struct arpf_node *afp)
-+{
-+ if (!afp->at_dead) {
-+ printk(KERN_ERR "Destroying alive arp table node %p from %08lx\n", afp,
-+ *(((unsigned long*)&afp)-1));
-+ return;
-+ }
-+ kmem_cache_free(arpf_cachep, afp);
-+}
-+
-+static inline void arpf_put(struct arpf_node *afp)
-+{
-+ if (atomic_dec_and_test(&afp->at_refcnt))
-+ arpf_destroy(afp);
-+}
-+
-+static inline struct arpf_node *
-+arpf_lookup(int table, struct sk_buff *skb, u32 sip, u32 tip,
-+ unsigned char *from_hw, unsigned char *to_hw,
-+ struct net_device *idev, struct net_device *odev)
-+{
-+ int sz_iif = idev? strlen(idev->name) : 0;
-+ int sz_oif = odev? strlen(odev->name) : 0;
-+ int alen;
-+ struct arpf_node *afp;
-+
-+ if (ARPA_TABLE_OUTPUT != table) {
-+ alen = idev->addr_len;
-+ } else {
-+ if (!from_hw) from_hw = odev->dev_addr;
-+ if (!to_hw) to_hw = odev->broadcast;
-+ alen = odev->addr_len;
-+ }
-+
-+ read_lock_bh(&arpf_lock);
-+ for (afp = arp_tabs[table]; afp; afp = afp->at_next) {
-+ if ((tip ^ afp->at_to) & afp->at_to_mask)
-+ continue;
-+ if ((sip ^ afp->at_from) & afp->at_from_mask)
-+ continue;
-+ if (afp->at_llfrom_len &&
-+ (afp->at_llfrom_len > alen ||
-+ memcmp(from_hw, afp->at_llfrom, afp->at_llfrom_len)))
-+ continue;
-+ if (afp->at_llto_len &&
-+ (afp->at_llto_len > alen ||
-+ memcmp(to_hw, afp->at_llto, afp->at_llto_len)))
-+ continue;
-+ if (afp->at_iif_len &&
-+ (afp->at_iif_len > sz_iif ||
-+ memcmp(afp->at_iif, idev->name, afp->at_iif_len) ||
-+ (sz_iif != afp->at_iif_len &&
-+ !(afp->at_flags & ARPM_F_WILDIIF))))
-+ continue;
-+ if (afp->at_oif_len &&
-+ (afp->at_oif_len > sz_oif ||
-+ memcmp(afp->at_oif, odev->name, afp->at_oif_len) ||
-+ (sz_oif != afp->at_oif_len &&
-+ !(afp->at_flags & ARPM_F_WILDOIF))))
-+ continue;
-+ if (afp->at_flags & ARPM_F_BROADCAST &&
-+ skb->pkt_type == PACKET_HOST)
-+ continue;
-+ if (afp->at_flags & ARPM_F_UNICAST &&
-+ skb->pkt_type != PACKET_HOST)
-+ continue;
-+ if (afp->at_llsrc_len && afp->at_llsrc_len != alen)
-+ continue;
-+ if (afp->at_lldst_len && afp->at_lldst_len != alen)
-+ continue;
-+ atomic_inc(&afp->at_refcnt);
-+ atomic_inc(&afp->at_packets);
-+ break;
-+ }
-+ read_unlock_bh(&arpf_lock);
-+ return afp;
-+}
-+
-+static void
-+arpf_send(int table, struct net *net, struct sk_buff *skb, u32 sip, u32 tip,
-+ unsigned char *from_hw, unsigned char *to_hw,
-+ struct net_device *idev, struct net_device *odev,
-+ struct dst_entry *dst)
-+{
-+ struct arpf_node *afp = NULL;
-+
-+ if (!arp_tabs[table] ||
-+ !net_eq(net, &init_net) ||
-+ !(afp = arpf_lookup(table, skb, sip, tip,
-+ from_hw, to_hw, idev, odev))) {
-+ switch (table) {
-+ case ARPA_TABLE_INPUT:
-+ case ARPA_TABLE_FORWARD:
-+ arp_send_dst(ARPOP_REPLY, ETH_P_ARP, sip, idev, tip,
-+ from_hw, idev->dev_addr, from_hw, dst);
-+ break;
-+ case ARPA_TABLE_OUTPUT:
-+ arp_send_dst(ARPOP_REQUEST, ETH_P_ARP, tip, odev, sip,
-+ to_hw, odev->dev_addr, NULL, dst);
-+ break;
-+ }
-+ return;
-+ }
-+
-+ /* deny? */
-+ if (!afp->at_action) goto out;
-+
-+ switch (table) {
-+ case ARPA_TABLE_INPUT:
-+ case ARPA_TABLE_FORWARD:
-+ arp_send_dst(ARPOP_REPLY, ETH_P_ARP, sip, idev, tip,
-+ afp->at_lldst_len?afp->at_lldst:from_hw,
-+ afp->at_llsrc_len?afp->at_llsrc:idev->dev_addr,
-+ afp->at_lldst_len?afp->at_lldst:from_hw, dst);
-+ break;
-+ case ARPA_TABLE_OUTPUT:
-+ if (afp->at_flags & ARPM_F_PREFSRC && afp->at_src == 0) {
-+ struct rtable *rt;
-+ struct flowi4 fl4 = { .daddr = tip,
-+ .flowi4_oif = odev->ifindex };
-+
-+ rt = ip_route_output_key(net, &fl4);
-+ if (IS_ERR(rt))
-+ break;
-+ sip = fl4.saddr;
-+ ip_rt_put(rt);
-+ if (!sip)
-+ break;
-+ }
-+ arp_send_dst(ARPOP_REQUEST, ETH_P_ARP, tip, odev,
-+ afp->at_src?:sip,
-+ afp->at_lldst_len?afp->at_lldst:to_hw,
-+ afp->at_llsrc_len?afp->at_llsrc:odev->dev_addr,
-+ NULL, dst);
-+ break;
-+ }
-+
-+out:
-+ arpf_put(afp);
-+}
-+
-+static int
-+arpf_fill_node(struct sk_buff *skb, u32 portid, u32 seq, unsigned flags,
-+ int event, int table, struct arpf_node *afp)
-+{
-+ struct arpmsg *am;
-+ struct nlmsghdr *nlh;
-+ u32 packets = atomic_read(&afp->at_packets);
-+
-+ nlh = nlmsg_put(skb, portid, seq, event, sizeof(*am), 0);
-+ if (nlh == NULL)
-+ return -ENOBUFS;
-+ nlh->nlmsg_flags = flags;
-+ am = nlmsg_data(nlh);
-+ am->arpm_family = AF_UNSPEC;
-+ am->arpm_table = table;
-+ am->arpm_action = afp->at_action;
-+ am->arpm_from_len = afp->at_from_len;
-+ am->arpm_to_len = afp->at_to_len;
-+ am->arpm_pref = afp->at_pref;
-+ am->arpm_flags = afp->at_flags;
-+ if (afp->at_from_len &&
-+ nla_put(skb, ARPA_FROM, 4, &afp->at_from))
-+ goto nla_put_failure;
-+ if (afp->at_to_len &&
-+ nla_put(skb, ARPA_TO, 4, &afp->at_to))
-+ goto nla_put_failure;
-+ if ((afp->at_src || afp->at_flags & ARPM_F_PREFSRC) &&
-+ nla_put(skb, ARPA_SRC, 4, &afp->at_src))
-+ goto nla_put_failure;
-+ if (afp->at_iif[0] &&
-+ nla_put(skb, ARPA_IIF, sizeof(afp->at_iif), afp->at_iif))
-+ goto nla_put_failure;
-+ if (afp->at_oif[0] &&
-+ nla_put(skb, ARPA_OIF, sizeof(afp->at_oif), afp->at_oif))
-+ goto nla_put_failure;
-+ if (afp->at_llfrom_len &&
-+ nla_put(skb, ARPA_LLFROM, afp->at_llfrom_len, afp->at_llfrom))
-+ goto nla_put_failure;
-+ if (afp->at_llto_len &&
-+ nla_put(skb, ARPA_LLTO, afp->at_llto_len, afp->at_llto))
-+ goto nla_put_failure;
-+ if (afp->at_llsrc_len &&
-+ nla_put(skb, ARPA_LLSRC, afp->at_llsrc_len, afp->at_llsrc))
-+ goto nla_put_failure;
-+ if (afp->at_lldst_len &&
-+ nla_put(skb, ARPA_LLDST, afp->at_lldst_len, afp->at_lldst))
-+ goto nla_put_failure;
-+ if (nla_put(skb, ARPA_PACKETS, 4, &packets))
-+ goto nla_put_failure;
-+ nlmsg_end(skb, nlh);
-+ return 0;
-+
-+nla_put_failure:
-+ nlmsg_cancel(skb, nlh);
-+ return -EMSGSIZE;
-+}
-+
-+static void
-+arpmsg_notify(struct sk_buff *oskb, struct nlmsghdr *nlh, int table,
-+ struct arpf_node *afp, int event)
-+{
-+ struct sk_buff *skb;
-+ u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
-+ int payload = sizeof(struct arpmsg) + 256;
-+ int err = -ENOBUFS;
-+
-+ skb = nlmsg_new(nlmsg_total_size(payload), GFP_KERNEL);
-+ if (!skb)
-+ goto errout;
-+
-+ err = arpf_fill_node(skb, portid, nlh->nlmsg_seq, 0, event, table, afp);
-+ if (err < 0) {
-+ kfree_skb(skb);
-+ goto errout;
-+ }
-+
-+ rtnl_notify(skb, &init_net, portid, RTNLGRP_ARP, nlh, GFP_KERNEL);
-+ return;
-+errout:
-+ if (err < 0)
-+ rtnl_set_sk_err(&init_net, RTNLGRP_ARP, err);
-+}
-+
-+static inline int
-+arpf_str_size(int a, struct nlattr **rta, int maxlen)
-+{
-+ int size = 0;
-+
-+ if (rta[a] && (size = nla_len(rta[a]))) {
-+ if (size > maxlen)
-+ size = maxlen;
-+ }
-+ return size;
-+}
-+
-+static inline int
-+arpf_get_str(int a, struct nlattr **rta, unsigned char *p,
-+ int maxlen, unsigned char *l)
-+{
-+ int size = arpf_str_size(a, rta, maxlen);
-+
-+ if (size) {
-+ memcpy(p, nla_data(rta[a]), size);
-+ *l = size;
-+ }
-+ return size;
-+}
-+
-+#define ARPF_MATCH_U32(ind, field) ( \
-+ (!rta[ind] && r->at_ ## field == 0) || \
-+ (rta[ind] && \
-+ *(u32*) nla_data(rta[ind]) == r->at_ ## field))
-+
-+#define ARPF_MATCH_STR(ind, field) ( \
-+ (!rta[ind] && r->at_ ## field ## _len == 0) || \
-+ (rta[ind] && r->at_ ## field ## _len && \
-+ r->at_ ## field ## _len < nla_len(rta[ind]) && \
-+ strcmp(nla_data(rta[ind]), r->at_ ## field) == 0))
-+
-+#define ARPF_MATCH_DATA(ind, field) ( \
-+ (!rta[ind] && r->at_ ## field ## _len == 0) || \
-+ (rta[ind] && r->at_ ## field ## _len && \
-+ r->at_ ## field ## _len == nla_len(rta[ind]) && \
-+ memcmp(nla_data(rta[ind]), &r->at_ ## field, \
-+ r->at_ ## field ## _len) == 0))
-+
-+/* RTM_NEWARPRULE/RTM_DELARPRULE/RTM_GETARPRULE */
-+
-+int arpf_rule_ctl(struct sk_buff *skb, struct nlmsghdr *n,
-+ struct netlink_ext_ack *extack)
-+{
-+ struct net *net = sock_net(skb->sk);
-+ struct nlattr *rta[ARPA_MAX + 1];
-+ struct arpmsg *am;
-+ struct arpf_node *r, **rp, **prevp = 0, **delp = 0, *newp = 0;
-+ unsigned pref = 1;
-+ int size, ret;
-+
-+ if (!capable(CAP_NET_ADMIN))
-+ return -EPERM;
-+
-+ if (!net_eq(net, &init_net))
-+ return -EINVAL;
-+
-+ ret = nlmsg_parse(n, sizeof(struct arpmsg), rta, ARPA_MAX, NULL,
-+ extack);
-+ if (ret < 0)
-+ return ret;
-+
-+ am = nlmsg_data(n);
-+ ret = -EINVAL;
-+ if (am->arpm_table >= sizeof(arp_tabs)/sizeof(arp_tabs[0]))
-+ goto out;
-+ if (!((~am->arpm_flags) & (ARPM_F_BROADCAST|ARPM_F_UNICAST)))
-+ goto out;
-+ if (am->arpm_action > 1)
-+ goto out;
-+ if (am->arpm_to_len > 32 || am->arpm_from_len > 32)
-+ goto out;
-+ if (am->arpm_flags & ARPM_F_WILDIIF &&
-+ (!rta[ARPA_IIF] || !nla_len(rta[ARPA_IIF]) ||
-+ !*(char*) nla_data(rta[ARPA_IIF])))
-+ am->arpm_flags &= ~ARPM_F_WILDIIF;
-+ if (am->arpm_flags & ARPM_F_WILDOIF &&
-+ (!rta[ARPA_OIF] || !nla_len(rta[ARPA_OIF]) ||
-+ !*(char*) nla_data(rta[ARPA_OIF])))
-+ am->arpm_flags &= ~ARPM_F_WILDOIF;
-+ switch (am->arpm_table) {
-+ case ARPA_TABLE_INPUT:
-+ if (rta[ARPA_SRC] || rta[ARPA_OIF])
-+ goto out;
-+ break;
-+ case ARPA_TABLE_OUTPUT:
-+ if (rta[ARPA_IIF])
-+ goto out;
-+ if (am->arpm_flags & (ARPM_F_BROADCAST|ARPM_F_UNICAST))
-+ goto out;
-+ break;
-+ case ARPA_TABLE_FORWARD:
-+ if (rta[ARPA_SRC])
-+ goto out;
-+ break;
-+ }
-+ if (rta[ARPA_SRC] && !*(u32*) nla_data(rta[ARPA_SRC]))
-+ am->arpm_flags |= ARPM_F_PREFSRC;
-+ else
-+ am->arpm_flags &= ~ARPM_F_PREFSRC;
-+
-+ for (rp = &arp_tabs[am->arpm_table]; (r=*rp) != NULL; rp=&r->at_next) {
-+ if (pref < r->at_pref)
-+ prevp = rp;
-+ if (am->arpm_pref == r->at_pref ||
-+ (!am->arpm_pref &&
-+ am->arpm_to_len == r->at_to_len &&
-+ am->arpm_from_len == r->at_from_len &&
-+ !((am->arpm_flags ^ r->at_flags) &
-+ (ARPM_F_BROADCAST | ARPM_F_UNICAST |
-+ ARPM_F_WILDIIF | ARPM_F_WILDOIF)) &&
-+ ARPF_MATCH_U32(ARPA_TO, to) &&
-+ ARPF_MATCH_U32(ARPA_FROM, from) &&
-+ ARPF_MATCH_DATA(ARPA_LLFROM, llfrom) &&
-+ ARPF_MATCH_DATA(ARPA_LLTO, llto) &&
-+ ARPF_MATCH_STR(ARPA_IIF, iif) &&
-+ ARPF_MATCH_STR(ARPA_OIF, oif) &&
-+ (n->nlmsg_type != RTM_DELARPRULE ||
-+ /* DEL matches more keys */
-+ (am->arpm_flags == r->at_flags &&
-+ am->arpm_action == r->at_action &&
-+ ARPF_MATCH_U32(ARPA_SRC, src) &&
-+ ARPF_MATCH_DATA(ARPA_LLSRC, llsrc) &&
-+ ARPF_MATCH_DATA(ARPA_LLDST, lldst)
-+ )
-+ )
-+ )
-+ )
-+ break;
-+ if (am->arpm_pref && r->at_pref > am->arpm_pref) {
-+ r = NULL;
-+ break;
-+ }
-+ pref = r->at_pref+1;
-+ }
-+
-+ /*
-+ * r=NULL: *rp != NULL (stopped before next pref), pref: not valid
-+ * *rp == NULL (not found), pref: ready to use
-+ * r!=NULL: found, pref: not valid
-+ *
-+ * prevp=NULL: no free slot
-+ * prevp!=NULL: free slot for rule
-+ */
-+
-+ if (n->nlmsg_type == RTM_DELARPRULE) {
-+ if (!r)
-+ return -ESRCH;
-+ delp = rp;
-+ goto dequeue;
-+ }
-+
-+ if (r) {
-+ /* Existing rule */
-+ ret = -EEXIST;
-+ if (n->nlmsg_flags&NLM_F_EXCL)
-+ goto out;
-+
-+ if (n->nlmsg_flags&NLM_F_REPLACE) {
-+ pref = r->at_pref;
-+ prevp = delp = rp;
-+ goto replace;
-+ }
-+ }
-+
-+ if (n->nlmsg_flags&NLM_F_APPEND) {
-+ if (r) {
-+ pref = r->at_pref+1;
-+ for (rp=&r->at_next; (r=*rp) != NULL; rp=&r->at_next) {
-+ if (pref != r->at_pref)
-+ break;
-+ pref ++;
-+ }
-+ ret = -EBUSY;
-+ if (!pref)
-+ goto out;
-+ } else if (am->arpm_pref)
-+ pref = am->arpm_pref;
-+ prevp = rp;
-+ }
-+
-+ if (!(n->nlmsg_flags&NLM_F_CREATE)) {
-+ ret = -ENOENT;
-+ if (n->nlmsg_flags&NLM_F_EXCL || r)
-+ ret = 0;
-+ goto out;
-+ }
-+
-+ if (!(n->nlmsg_flags&NLM_F_APPEND)) {
-+ if (!prevp) {
-+ ret = -EBUSY;
-+ if (r || *rp ||
-+ (!am->arpm_pref && arp_tabs[am->arpm_table]))
-+ goto out;
-+ prevp = rp;
-+ pref = am->arpm_pref? : 99;
-+ } else {
-+ if (r || !am->arpm_pref) {
-+ pref = (*prevp)->at_pref - 1;
-+ if (am->arpm_pref && am->arpm_pref < pref)
-+ pref = am->arpm_pref;
-+ } else {
-+ prevp = rp;
-+ pref = am->arpm_pref;
-+ }
-+ }
-+ }
-+
-+replace:
-+
-+ ret = -ENOMEM;
-+ r = kmem_cache_alloc(arpf_cachep, GFP_KERNEL);
-+ if (!r)
-+ return ret;
-+ memset(r, 0, sizeof(*r));
-+
-+ arpf_get_str(ARPA_LLFROM, rta, r->at_llfrom, MAX_ADDR_LEN,
-+ &r->at_llfrom_len);
-+ arpf_get_str(ARPA_LLTO, rta, r->at_llto, MAX_ADDR_LEN,
-+ &r->at_llto_len);
-+ arpf_get_str(ARPA_LLSRC, rta, r->at_llsrc, MAX_ADDR_LEN,
-+ &r->at_llsrc_len);
-+ arpf_get_str(ARPA_LLDST, rta, r->at_lldst, MAX_ADDR_LEN,
-+ &r->at_lldst_len);
-+
-+ if (delp)
-+ r->at_next = (*delp)->at_next;
-+ else if (*prevp)
-+ r->at_next = *prevp;
-+
-+ r->at_pref = pref;
-+ r->at_from_len = am->arpm_from_len;
-+ r->at_from_mask = inet_make_mask(r->at_from_len);
-+ if (rta[ARPA_FROM])
-+ r->at_from = *(u32*) nla_data(rta[ARPA_FROM]);
-+ r->at_from &= r->at_from_mask;
-+ r->at_to_len = am->arpm_to_len;
-+ r->at_to_mask = inet_make_mask(r->at_to_len);
-+ if (rta[ARPA_TO])
-+ r->at_to = *(u32*) nla_data(rta[ARPA_TO]);
-+ r->at_to &= r->at_to_mask;
-+ if (rta[ARPA_SRC])
-+ r->at_src = *(u32*) nla_data(rta[ARPA_SRC]);
-+ if (rta[ARPA_PACKETS]) {
-+ u32 packets = *(u32*) nla_data(rta[ARPA_PACKETS]);
-+ atomic_set(&r->at_packets, packets);
-+ }
-+ atomic_set(&r->at_refcnt, 1);
-+ r->at_flags = am->arpm_flags;
-+ r->at_action = am->arpm_action;
-+
-+ if (rta[ARPA_IIF] && (size = nla_len(rta[ARPA_IIF]))) {
-+ if (size >= sizeof(r->at_iif))
-+ size = sizeof(r->at_iif)-1;
-+ memcpy(r->at_iif, nla_data(rta[ARPA_IIF]), size);
-+ r->at_iif_len = strlen(r->at_iif);
-+ }
-+ if (rta[ARPA_OIF] && (size = nla_len(rta[ARPA_OIF]))) {
-+ if (size >= sizeof(r->at_oif))
-+ size = sizeof(r->at_oif)-1;
-+ memcpy(r->at_oif, nla_data(rta[ARPA_OIF]), size);
-+ r->at_oif_len = strlen(r->at_oif);
-+ }
-+
-+ newp = r;
-+
-+dequeue:
-+
-+ if (delp) {
-+ r = *delp;
-+ write_lock_bh(&arpf_lock);
-+ if (newp) {
-+ if (!rta[ARPA_PACKETS])
-+ atomic_set(&newp->at_packets,
-+ atomic_read(&r->at_packets));
-+ *delp = newp;
-+ } else {
-+ *delp = r->at_next;
-+ }
-+ r->at_dead = 1;
-+ write_unlock_bh(&arpf_lock);
-+ arpmsg_notify(skb, n, am->arpm_table, r, RTM_DELARPRULE);
-+ arpf_put(r);
-+ prevp = 0;
-+ }
-+
-+ if (newp) {
-+ if (prevp) {
-+ write_lock_bh(&arpf_lock);
-+ *prevp = newp;
-+ write_unlock_bh(&arpf_lock);
-+ }
-+ arpmsg_notify(skb, n, am->arpm_table, newp, RTM_NEWARPRULE);
-+ }
-+
-+ ret = 0;
-+
-+out:
-+ return ret;
-+}
-+
-+int arpf_dump_table(int t, struct sk_buff *skb, struct netlink_callback *cb)
-+{
-+ int idx, ret = -1;
-+ struct arpf_node *afp;
-+ int s_idx = cb->args[1];
-+
-+ for (idx=0, afp = arp_tabs[t]; afp; afp = afp->at_next, idx++) {
-+ if (idx < s_idx)
-+ continue;
-+ if (arpf_fill_node(skb, NETLINK_CB(cb->skb).portid,
-+ cb->nlh->nlmsg_seq, NLM_F_MULTI, RTM_NEWARPRULE, t, afp) < 0)
-+ goto out;
-+ }
-+
-+ ret = skb->len;
-+
-+out:
-+ cb->args[1] = idx;
-+
-+ return ret;
-+}
-+
-+int arpf_dump_rules(struct sk_buff *skb, struct netlink_callback *cb)
-+{
-+ int idx;
-+ int s_idx = cb->args[0];
-+
-+ read_lock_bh(&arpf_lock);
-+ for (idx = 0; idx < sizeof(arp_tabs)/sizeof(arp_tabs[0]); idx++) {
-+ if (idx < s_idx)
-+ continue;
-+ if (idx > s_idx)
-+ memset(&cb->args[1], 0, sizeof(cb->args)-1*sizeof(cb->args[0]));
-+ if (arpf_dump_table(idx, skb, cb) < 0)
-+ break;
-+ }
-+ read_unlock_bh(&arpf_lock);
-+ cb->args[0] = idx;
-+
-+ return skb->len;
-+}
-+
- /*
- * Called once on startup.
- */
-@@ -1292,6 +1943,16 @@ static int arp_proc_init(void);
-
- void __init arp_init(void)
- {
-+ arpf_cachep = kmem_cache_create("ip_arpf_cache",
-+ sizeof(struct arpf_node), 0,
-+ SLAB_HWCACHE_ALIGN, NULL);
-+ if (!arpf_cachep)
-+ panic("IP: failed to allocate ip_arpf_cache\n");
-+
-+ rtnl_register(PF_UNSPEC, RTM_NEWARPRULE, arpf_rule_ctl, NULL, 0);
-+ rtnl_register(PF_UNSPEC, RTM_DELARPRULE, arpf_rule_ctl, NULL, 0);
-+ rtnl_register(PF_UNSPEC, RTM_GETARPRULE, NULL, arpf_dump_rules, 0);
-+
- neigh_table_init(NEIGH_ARP_TABLE, &arp_tbl);
-
- dev_add_pack(&arp_packet_type);
-diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
-index eb514f312e6f..3d2c6d7617cc 100644
---- a/net/ipv4/devinet.c
-+++ b/net/ipv4/devinet.c
-@@ -1308,9 +1308,14 @@ __be32 inet_select_addr(const struct net_device *dev, __be32 dst, int scope)
- if (!in_dev)
- continue;
-
-- addr = in_dev_select_addr(in_dev, scope);
-- if (addr)
-- goto out_unlock;
-+ for_primary_ifa(in_dev) {
-+ if (!IN_DEV_HIDDEN(in_dev) &&
-+ ifa->ifa_scope != RT_SCOPE_LINK &&
-+ ifa->ifa_scope <= scope) {
-+ addr = ifa->ifa_local;
-+ goto out_unlock;
-+ }
-+ } endfor_ifa(in_dev);
- }
- out_unlock:
- rcu_read_unlock();
-@@ -2462,13 +2467,16 @@ static struct devinet_sysctl_table {
- DEVINET_SYSCTL_RW_ENTRY(SEND_REDIRECTS, "send_redirects"),
- DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
- "accept_source_route"),
-+ DEVINET_SYSCTL_RW_ENTRY(FORWARD_SHARED, "forward_shared"),
- DEVINET_SYSCTL_RW_ENTRY(ACCEPT_LOCAL, "accept_local"),
- DEVINET_SYSCTL_RW_ENTRY(SRC_VMARK, "src_valid_mark"),
- DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
- DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
-+ DEVINET_SYSCTL_RW_ENTRY(RP_FILTER_MASK, "rp_filter_mask"),
- DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
- DEVINET_SYSCTL_RW_ENTRY(LOG_MARTIANS, "log_martians"),
- DEVINET_SYSCTL_RW_ENTRY(TAG, "tag"),
-+ DEVINET_SYSCTL_RW_ENTRY(HIDDEN, "hidden"),
- DEVINET_SYSCTL_RW_ENTRY(ARPFILTER, "arp_filter"),
- DEVINET_SYSCTL_RW_ENTRY(ARP_ANNOUNCE, "arp_announce"),
- DEVINET_SYSCTL_RW_ENTRY(ARP_IGNORE, "arp_ignore"),
-diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
-index ed14ec245584..1c5782a2e983 100644
---- a/net/ipv4/fib_frontend.c
-+++ b/net/ipv4/fib_frontend.c
-@@ -51,6 +51,8 @@
-
- #ifndef CONFIG_IP_MULTIPLE_TABLES
-
-+#define FIB_RES_TABLE(r) (RT_TABLE_MAIN)
-+
- static int __net_init fib4_rules_init(struct net *net)
- {
- struct fib_table *local_table, *main_table;
-@@ -80,6 +82,8 @@ static bool fib4_has_custom_rules(struct net *net)
- }
- #else
-
-+#define FIB_RES_TABLE(r) (fib_result_table(r))
-+
- struct fib_table *fib_new_table(struct net *net, u32 id)
- {
- struct fib_table *tb, *alias = NULL;
-@@ -351,13 +355,19 @@ EXPORT_SYMBOL_GPL(fib_info_nh_uses_dev);
- */
- static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
- u8 tos, int oif, struct net_device *dev,
-- int rpf, struct in_device *idev, u32 *itag)
-+ int rpf, struct in_device *idev, u32 *itag,
-+ int our)
- {
- struct net *net = dev_net(dev);
- struct flow_keys flkeys;
-+ u32 table;
-+ unsigned char prefixlen;
-+ unsigned char scope;
- int ret, no_addr;
- struct fib_result res;
- struct flowi4 fl4;
-+ int fwdsh;
-+ unsigned int rpf_mask;
- bool dev_match;
-
- fl4.flowi4_oif = 0;
-@@ -371,10 +381,13 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
- fl4.flowi4_tun_key.tun_id = 0;
- fl4.flowi4_flags = 0;
- fl4.flowi4_uid = sock_net_uid(net, NULL);
-+ fl4.fl4_gw = 0;
-
- no_addr = idev->ifa_list == NULL;
-
-+ fwdsh = IN_DEV_FORWARD_SHARED(idev);
- fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0;
-+ rpf_mask = IN_DEV_RPFILTER_MASK(idev);
- if (!fib4_rules_early_flow_dissect(net, skb, &fl4, &flkeys)) {
- fl4.flowi4_proto = 0;
- fl4.fl4_sport = 0;
-@@ -383,7 +396,12 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
-
- if (fib_lookup(net, &fl4, &res, 0))
- goto last_resort;
-- if (res.type != RTN_UNICAST &&
-+ if (fwdsh) {
-+ fwdsh = (res.type == RTN_LOCAL && !our);
-+ if (fwdsh)
-+ rpf = 0;
-+ }
-+ if (res.type != RTN_UNICAST && !fwdsh &&
- (res.type != RTN_LOCAL || !IN_DEV_ACCEPT_LOCAL(idev)))
- goto e_inval;
- fib_combine_itag(itag, &res);
-@@ -393,17 +411,36 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
- ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST;
- return ret;
- }
-+ if (rpf_mask && rpf) {
-+ int omi = 0;
-+
-+ idev = __in_dev_get_rcu(FIB_RES_DEV(res));
-+ if (idev)
-+ omi = IN_DEV_MEDIUM_ID(idev);
-+ if (omi >= 1 && omi <= 31 && ((1 << omi) & rpf_mask))
-+ rpf = 0;
-+ }
- if (no_addr)
- goto last_resort;
-- if (rpf == 1)
-- goto e_rpf;
-+ table = FIB_RES_TABLE(&res);
-+ prefixlen = res.prefixlen;
-+ scope = res.scope;
- fl4.flowi4_oif = dev->ifindex;
-+ if (fwdsh)
-+ fl4.flowi4_iif = LOOPBACK_IFINDEX;
-
- ret = 0;
- if (fib_lookup(net, &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE) == 0) {
-- if (res.type == RTN_UNICAST)
-+ if (res.type == RTN_UNICAST &&
-+ ((table == FIB_RES_TABLE(&res) &&
-+ res.prefixlen >= prefixlen && res.scope >= scope) ||
-+ !rpf)) {
- ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST;
-+ return ret;
-+ }
- }
-+ if (rpf == 1)
-+ goto e_rpf;
- return ret;
-
- last_resort:
-@@ -421,7 +458,7 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
- /* Ignore rp_filter for packets protected by IPsec. */
- int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
- u8 tos, int oif, struct net_device *dev,
-- struct in_device *idev, u32 *itag)
-+ struct in_device *idev, u32 *itag, int our)
- {
- int r = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev);
- struct net *net = dev_net(dev);
-@@ -446,7 +483,8 @@ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
- }
-
- full_check:
-- return __fib_validate_source(skb, src, dst, tos, oif, dev, r, idev, itag);
-+ return __fib_validate_source(skb, src, dst, tos, oif, dev, r, idev,
-+ itag, our);
- }
-
- static inline __be32 sk_extract_addr(struct sockaddr *addr)
-@@ -1328,9 +1366,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
- switch (event) {
- case NETDEV_UP:
- fib_add_ifaddr(ifa);
--#ifdef CONFIG_IP_ROUTE_MULTIPATH
- fib_sync_up(dev, RTNH_F_DEAD);
--#endif
- atomic_inc(&net->ipv4.dev_addr_genid);
- rt_cache_flush(dev_net(dev));
- break;
-@@ -1374,9 +1410,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
- for_ifa(in_dev) {
- fib_add_ifaddr(ifa);
- } endfor_ifa(in_dev);
--#ifdef CONFIG_IP_ROUTE_MULTIPATH
- fib_sync_up(dev, RTNH_F_DEAD);
--#endif
- atomic_inc(&net->ipv4.dev_addr_genid);
- rt_cache_flush(net);
- break;
-diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
-index cfec3af54c8d..6ffc52a5c272 100644
---- a/net/ipv4/fib_rules.c
-+++ b/net/ipv4/fib_rules.c
-@@ -78,6 +78,11 @@ unsigned int fib4_rules_seq_read(struct net *net)
- return fib_rules_seq_read(net, AF_INET);
- }
-
-+u32 fib_result_table(struct fib_result *res)
-+{
-+ return res->table ? res->table->tb_id : RT_TABLE_UNSPEC;
-+}
-+
- int __fib_lookup(struct net *net, struct flowi4 *flp,
- struct fib_result *res, unsigned int flags)
- {
-diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
-index 8e185b5a2bf6..4bd84d2a2ddd 100644
---- a/net/ipv4/fib_semantics.c
-+++ b/net/ipv4/fib_semantics.c
-@@ -53,6 +53,7 @@ static struct hlist_head *fib_info_hash;
- static struct hlist_head *fib_info_laddrhash;
- static unsigned int fib_info_hash_size;
- static unsigned int fib_info_cnt;
-+DEFINE_RWLOCK(fib_nhflags_lock);
-
- #define DEVINDEX_HASHBITS 8
- #define DEVINDEX_HASHSIZE (1U << DEVINDEX_HASHBITS)
-@@ -433,28 +434,71 @@ void rtmsg_fib(int event, __be32 key, struct fib_alias *fa,
-
- static int fib_detect_death(struct fib_info *fi, int order,
- struct fib_info **last_resort, int *last_idx,
-- int dflt)
-+ int dflt, int *last_nhsel,
-+ const struct flowi4 *flp)
- {
- struct neighbour *n;
-- int state = NUD_NONE;
-+ int nhsel;
-+ int state;
-+ struct fib_nh * nh;
-+ __be32 dst;
-+ int flag, dead = 1;
-
-- n = neigh_lookup(&arp_tbl, &fi->fib_nh[0].nh_gw, fi->fib_dev);
-- if (n) {
-- state = n->nud_state;
-- neigh_release(n);
-- } else {
-- return 0;
-- }
-- if (state == NUD_REACHABLE)
-- return 0;
-- if ((state & NUD_VALID) && order != dflt)
-- return 0;
-- if ((state & NUD_VALID) ||
-- (*last_idx < 0 && order > dflt && state != NUD_INCOMPLETE)) {
-- *last_resort = fi;
-- *last_idx = order;
-+ /* change_nexthops(fi) { */
-+ for (nhsel = 0, nh = fi->fib_nh; nhsel < fi->fib_nhs; nh++, nhsel++) {
-+ if (flp->flowi4_oif && flp->flowi4_oif != nh->nh_oif &&
-+ !(flp->flowi4_flags & FLOWI_FLAG_SKIP_NH_OIF))
-+ continue;
-+ if (flp->fl4_gw && flp->fl4_gw != nh->nh_gw && nh->nh_gw &&
-+ nh->nh_scope == RT_SCOPE_LINK)
-+ continue;
-+ if (nh->nh_flags & RTNH_F_DEAD)
-+ continue;
-+
-+ flag = 0;
-+ if (nh->nh_dev->flags & IFF_NOARP) {
-+ dead = 0;
-+ goto setfl;
-+ }
-+
-+ dst = nh->nh_gw;
-+ if (!nh->nh_gw || nh->nh_scope != RT_SCOPE_LINK)
-+ dst = flp->daddr;
-+
-+ state = NUD_NONE;
-+ n = neigh_lookup(&arp_tbl, &dst, nh->nh_dev);
-+ if (n) {
-+ state = n->nud_state;
-+ neigh_release(n);
-+ }
-+ if (state == NUD_REACHABLE ||
-+ ((state & NUD_VALID) && order != dflt)) {
-+ dead = 0;
-+ goto setfl;
-+ }
-+ if (!(state & NUD_VALID))
-+ flag = 1;
-+ if (!dead)
-+ goto setfl;
-+ if ((state & NUD_VALID) ||
-+ (*last_idx < 0 && order >= dflt)) {
-+ *last_resort = fi;
-+ *last_idx = order;
-+ *last_nhsel = nhsel;
-+ }
-+
-+ setfl:
-+
-+ read_lock_bh(&fib_nhflags_lock);
-+ if (flag)
-+ nh->nh_flags |= RTNH_F_SUSPECT;
-+ else
-+ nh->nh_flags &= ~RTNH_F_SUSPECT;
-+ read_unlock_bh(&fib_nhflags_lock);
- }
-- return 1;
-+ /* } endfor_nexthops(fi) */
-+
-+ return dead;
- }
-
- #ifdef CONFIG_IP_ROUTE_MULTIPATH
-@@ -781,6 +825,7 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_nh *nh,
- int err = 0;
- struct net *net;
- struct net_device *dev;
-+ struct fib_info *fi = nh->nh_parent;
-
- net = cfg->fc_nlinfo.nl_net;
- if (nh->nh_gw) {
-@@ -800,9 +845,12 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_nh *nh,
- return -ENODEV;
- }
- if (!(dev->flags & IFF_UP)) {
-- NL_SET_ERR_MSG(extack,
-- "Nexthop device is not up");
-- return -ENETDOWN;
-+ if (fi->fib_protocol != RTPROT_STATIC) {
-+ NL_SET_ERR_MSG(extack,
-+ "Nexthop device is not up");
-+ return -ENETDOWN;
-+ }
-+ nh->nh_flags |= RTNH_F_DEAD;
- }
- addr_type = inet_addr_type_dev_table(net, dev, nh->nh_gw);
- if (addr_type != RTN_UNICAST) {
-@@ -847,31 +895,57 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_nh *nh,
- err = fib_lookup(net, &fl4, &res,
- FIB_LOOKUP_IGNORE_LINKSTATE);
- }
-+ }
-+ if (err) {
-+ struct in_device *in_dev;
-
-- if (err) {
-+ if (err != -ENETUNREACH ||
-+ fi->fib_protocol != RTPROT_STATIC) {
- NL_SET_ERR_MSG(extack,
- "Nexthop has invalid gateway");
-- rcu_read_unlock();
-- return err;
-+ goto out;
- }
-+
-+ in_dev = inetdev_by_index(net, nh->nh_oif);
-+ if (in_dev == NULL ||
-+ in_dev->dev->flags & IFF_UP) {
-+ NL_SET_ERR_MSG(extack,
-+ "Device for nexthop is not up");
-+ goto out;
-+ }
-+ nh->nh_flags |= RTNH_F_DEAD;
-+ nh->nh_scope = RT_SCOPE_LINK;
-+ nh->nh_dev = in_dev->dev;
-+ dev_hold(nh->nh_dev);
-+ } else {
-+ err = -EINVAL;
-+ if (res.type != RTN_UNICAST && res.type != RTN_LOCAL) {
-+ NL_SET_ERR_MSG(extack,
-+ "Nexthop has invalid gateway");
-+ goto out;
-+ }
-+ nh->nh_scope = res.scope;
-+ nh->nh_oif = FIB_RES_OIF(res);
-+ nh->nh_dev = dev = FIB_RES_DEV(res);
-+ if (!dev) {
-+ NL_SET_ERR_MSG(extack,
-+ "No egress device for nexthop gateway");
-+ goto out;
-+ }
-+ dev_hold(dev);
-+ if (!netif_carrier_ok(dev))
-+ nh->nh_flags |= RTNH_F_LINKDOWN;
-+ if (!(nh->nh_dev->flags & IFF_UP)) {
-+ if (fi->fib_protocol != RTPROT_STATIC) {
-+ err = -ENETDOWN;
-+ NL_SET_ERR_MSG(extack,
-+ "Device for nexthop is not up");
-+ goto out;
-+ }
-+ nh->nh_flags |= RTNH_F_DEAD;
-+ }
-+ err = 0;
- }
-- err = -EINVAL;
-- if (res.type != RTN_UNICAST && res.type != RTN_LOCAL) {
-- NL_SET_ERR_MSG(extack, "Nexthop has invalid gateway");
-- goto out;
-- }
-- nh->nh_scope = res.scope;
-- nh->nh_oif = FIB_RES_OIF(res);
-- nh->nh_dev = dev = FIB_RES_DEV(res);
-- if (!dev) {
-- NL_SET_ERR_MSG(extack,
-- "No egress device for nexthop gateway");
-- goto out;
-- }
-- dev_hold(dev);
-- if (!netif_carrier_ok(dev))
-- nh->nh_flags |= RTNH_F_LINKDOWN;
-- err = (dev->flags & IFF_UP) ? 0 : -ENETDOWN;
- } else {
- struct in_device *in_dev;
-
-@@ -887,8 +961,12 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_nh *nh,
- goto out;
- err = -ENETDOWN;
- if (!(in_dev->dev->flags & IFF_UP)) {
-- NL_SET_ERR_MSG(extack, "Device for nexthop is not up");
-- goto out;
-+ if (fi->fib_protocol != RTPROT_STATIC) {
-+ NL_SET_ERR_MSG(extack,
-+ "Device for nexthop is not up");
-+ goto out;
-+ }
-+ nh->nh_flags |= RTNH_F_DEAD;
- }
- nh->nh_dev = in_dev->dev;
- dev_hold(nh->nh_dev);
-@@ -1535,10 +1613,15 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force)
- prev_fi = fi;
- dead = 0;
- change_nexthops(fi) {
-- if (nexthop_nh->nh_flags & RTNH_F_DEAD)
-- dead++;
-- else if (nexthop_nh->nh_dev == dev &&
-- nexthop_nh->nh_scope != scope) {
-+ if (nexthop_nh->nh_flags & RTNH_F_DEAD) {
-+ if (fi->fib_protocol != RTPROT_STATIC ||
-+ nexthop_nh->nh_dev == NULL ||
-+ __in_dev_get_rtnl(nexthop_nh->nh_dev) == NULL ||
-+ nexthop_nh->nh_dev->flags&IFF_UP)
-+ dead++;
-+ } else if (nexthop_nh->nh_dev == dev &&
-+ nexthop_nh->nh_scope != scope) {
-+ write_lock_bh(&fib_nhflags_lock);
- switch (event) {
- case NETDEV_DOWN:
- case NETDEV_UNREGISTER:
-@@ -1550,7 +1633,11 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force)
- }
- call_fib_nh_notifiers(nexthop_nh,
- FIB_EVENT_NH_DEL);
-- dead++;
-+ write_unlock_bh(&fib_nhflags_lock);
-+ if (fi->fib_protocol != RTPROT_STATIC ||
-+ force ||
-+ __in_dev_get_rtnl(dev) == NULL)
-+ dead++;
- }
- #ifdef CONFIG_IP_ROUTE_MULTIPATH
- if (event == NETDEV_UNREGISTER &&
-@@ -1580,13 +1667,13 @@ int fib_sync_down_dev(struct net_device *dev, unsigned long event, bool force)
- }
-
- /* Must be invoked inside of an RCU protected region. */
--static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
-+void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
- {
- struct fib_info *fi = NULL, *last_resort = NULL;
- struct hlist_head *fa_head = res->fa_head;
- struct fib_table *tb = res->table;
- u8 slen = 32 - res->prefixlen;
-- int order = -1, last_idx = -1;
-+ int order = -1, last_idx = -1, last_nhsel = 0;
- struct fib_alias *fa, *fa1 = NULL;
- u32 last_prio = res->fi->fib_priority;
- u8 last_tos = 0;
-@@ -1614,9 +1701,6 @@ static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
- if (next_fi->fib_scope != res->scope ||
- fa->fa_type != RTN_UNICAST)
- continue;
-- if (!next_fi->fib_nh[0].nh_gw ||
-- next_fi->fib_nh[0].nh_scope != RT_SCOPE_LINK)
-- continue;
-
- fib_alias_accessed(fa);
-
-@@ -1625,7 +1709,8 @@ static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
- break;
- fa1 = fa;
- } else if (!fib_detect_death(fi, order, &last_resort,
-- &last_idx, fa1->fa_default)) {
-+ &last_idx, fa1->fa_default,
-+ &last_nhsel, flp)) {
- fib_result_assign(res, fi);
- fa1->fa_default = order;
- goto out;
-@@ -1635,28 +1720,39 @@ static void fib_select_default(const struct flowi4 *flp, struct fib_result *res)
- }
-
- if (order <= 0 || !fi) {
-+ if (fi && fi->fib_nhs > 1 &&
-+ fib_detect_death(fi, order, &last_resort, &last_idx,
-+ fa1->fa_default, &last_nhsel, flp) &&
-+ last_resort == fi) {
-+ read_lock_bh(&fib_nhflags_lock);
-+ fi->fib_nh[last_nhsel].nh_flags &= ~RTNH_F_SUSPECT;
-+ read_unlock_bh(&fib_nhflags_lock);
-+ }
- if (fa1)
- fa1->fa_default = -1;
- goto out;
- }
-
- if (!fib_detect_death(fi, order, &last_resort, &last_idx,
-- fa1->fa_default)) {
-+ fa1->fa_default, &last_nhsel, flp)) {
- fib_result_assign(res, fi);
- fa1->fa_default = order;
- goto out;
- }
-
-- if (last_idx >= 0)
-+ if (last_idx >= 0) {
- fib_result_assign(res, last_resort);
-+ read_lock_bh(&fib_nhflags_lock);
-+ last_resort->fib_nh[last_nhsel].nh_flags &= ~RTNH_F_SUSPECT;
-+ read_unlock_bh(&fib_nhflags_lock);
-+ }
- fa1->fa_default = last_idx;
- out:
- return;
- }
-
- /*
-- * Dead device goes up. We wake up dead nexthops.
-- * It takes sense only on multipath routes.
-+ * Dead device goes up or new address is added. We wake up dead nexthops.
- */
- int fib_sync_up(struct net_device *dev, unsigned int nh_flags)
- {
-@@ -1664,8 +1760,10 @@ int fib_sync_up(struct net_device *dev, unsigned int nh_flags)
- unsigned int hash;
- struct hlist_head *head;
- struct fib_nh *nh;
-- int ret;
-+ struct fib_result res;
-+ int ret, rep;
-
-+repeat:
- if (!(dev->flags & IFF_UP))
- return 0;
-
-@@ -1680,6 +1778,7 @@ int fib_sync_up(struct net_device *dev, unsigned int nh_flags)
- hash = fib_devindex_hashfn(dev->ifindex);
- head = &fib_info_devhash[hash];
- ret = 0;
-+ rep = 0;
-
- hlist_for_each_entry(nh, head, nh_hash) {
- struct fib_info *fi = nh->nh_parent;
-@@ -1692,16 +1791,37 @@ int fib_sync_up(struct net_device *dev, unsigned int nh_flags)
- prev_fi = fi;
- alive = 0;
- change_nexthops(fi) {
-- if (!(nexthop_nh->nh_flags & nh_flags)) {
-- alive++;
-+ if (!(nexthop_nh->nh_flags & nh_flags))
- continue;
-- }
- if (!nexthop_nh->nh_dev ||
- !(nexthop_nh->nh_dev->flags & IFF_UP))
- continue;
- if (nexthop_nh->nh_dev != dev ||
- !__in_dev_get_rtnl(dev))
- continue;
-+ if ((nh_flags & RTNH_F_DEAD) && nexthop_nh->nh_gw &&
-+ fi->fib_protocol == RTPROT_STATIC) {
-+ struct flowi4 fl4 = {
-+ .daddr = nexthop_nh->nh_gw,
-+ .flowi4_scope = nexthop_nh->nh_scope,
-+ .flowi4_oif = nexthop_nh->nh_oif,
-+ };
-+
-+ rcu_read_lock();
-+ if (fib_lookup(dev_net(dev), &fl4, &res,
-+ FIB_LOOKUP_IGNORE_LINKSTATE) != 0) {
-+ rcu_read_unlock();
-+ continue;
-+ }
-+ if (res.type != RTN_UNICAST &&
-+ res.type != RTN_LOCAL) {
-+ rcu_read_unlock();
-+ continue;
-+ }
-+ nexthop_nh->nh_scope = res.scope;
-+ rcu_read_unlock();
-+ rep = 1;
-+ }
- alive++;
- nexthop_nh->nh_flags &= ~nh_flags;
- call_fib_nh_notifiers(nexthop_nh, FIB_EVENT_NH_ADD);
-@@ -1714,6 +1834,8 @@ int fib_sync_up(struct net_device *dev, unsigned int nh_flags)
-
- fib_rebalance(fi);
- }
-+ if (rep)
-+ goto repeat;
-
- return ret;
- }
-@@ -1767,23 +1889,16 @@ void fib_select_multipath(struct fib_result *res, int hash)
- void fib_select_path(struct net *net, struct fib_result *res,
- struct flowi4 *fl4, const struct sk_buff *skb)
- {
-- if (fl4->flowi4_oif && !(fl4->flowi4_flags & FLOWI_FLAG_SKIP_NH_OIF))
-- goto check_saddr;
--
-+ if (res->type == RTN_UNICAST)
-+ fib_select_default(fl4, res);
- #ifdef CONFIG_IP_ROUTE_MULTIPATH
- if (res->fi->fib_nhs > 1) {
- int h = fib_multipath_hash(net, fl4, skb, NULL);
-
- fib_select_multipath(res, h);
- }
-- else
- #endif
-- if (!res->prefixlen &&
-- res->table->tb_num_default > 1 &&
-- res->type == RTN_UNICAST)
-- fib_select_default(fl4, res);
-
--check_saddr:
- if (!fl4->saddr)
- fl4->saddr = FIB_RES_PREFSRC(net, *res);
- }
-diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
-index a573e37e0615..d7572cbcfd7c 100644
---- a/net/ipv4/fib_trie.c
-+++ b/net/ipv4/fib_trie.c
-@@ -1482,6 +1482,9 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp,
- if (flp->flowi4_oif &&
- flp->flowi4_oif != nh->nh_oif)
- continue;
-+ if (flp->fl4_gw && flp->fl4_gw != nh->nh_gw &&
-+ nh->nh_gw && nh->nh_scope == RT_SCOPE_LINK)
-+ continue;
- }
-
- if (!(fib_flags & FIB_LOOKUP_NOREF))
-diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
-index 007da0882412..10e9d56ea776 100644
---- a/net/ipv4/netfilter/iptable_nat.c
-+++ b/net/ipv4/netfilter/iptable_nat.c
-@@ -43,6 +43,13 @@ static const struct nf_hook_ops nf_nat_ipv4_ops[] = {
- .hooknum = NF_INET_PRE_ROUTING,
- .priority = NF_IP_PRI_NAT_DST,
- },
-+ /* Before routing, route before mangling */
-+ {
-+ .hook = ip_nat_route_input,
-+ .pf = NFPROTO_IPV4,
-+ .hooknum = NF_INET_PRE_ROUTING,
-+ .priority = NF_IP_PRI_LAST-1,
-+ },
- {
- .hook = iptable_nat_do_chain,
- .pf = NFPROTO_IPV4,
-diff --git a/net/ipv4/route.c b/net/ipv4/route.c
-index 1cd512ac84ba..1e669785c41e 100644
---- a/net/ipv4/route.c
-+++ b/net/ipv4/route.c
-@@ -1650,7 +1650,7 @@ int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
- return -EINVAL;
- } else {
- err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
-- in_dev, itag);
-+ in_dev, itag, 1);
- if (err < 0)
- return err;
- }
-@@ -1725,7 +1725,7 @@ static void ip_handle_martian_source(struct net_device *dev,
- static int __mkroute_input(struct sk_buff *skb,
- const struct fib_result *res,
- struct in_device *in_dev,
-- __be32 daddr, __be32 saddr, u32 tos)
-+ __be32 daddr, __be32 saddr, u32 tos, __be32 lsrc)
- {
- struct fib_nh_exception *fnhe;
- struct rtable *rth;
-@@ -1742,7 +1742,7 @@ static int __mkroute_input(struct sk_buff *skb,
- }
-
- err = fib_validate_source(skb, saddr, daddr, tos, FIB_RES_OIF(*res),
-- in_dev->dev, in_dev, &itag);
-+ in_dev->dev, in_dev, &itag, 0);
- if (err < 0) {
- ip_handle_martian_source(in_dev->dev, in_dev, skb, daddr,
- saddr);
-@@ -1752,7 +1752,7 @@ static int __mkroute_input(struct sk_buff *skb,
-
- do_cache = res->fi && !itag;
- if (out_dev == in_dev && err && IN_DEV_TX_REDIRECTS(out_dev) &&
-- skb->protocol == htons(ETH_P_IP) &&
-+ skb->protocol == htons(ETH_P_IP) && !lsrc &&
- (IN_DEV_SHARED_MEDIA(out_dev) ||
- inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res))))
- IPCB(skb)->flags |= IPSKB_DOREDIRECT;
-@@ -1914,10 +1914,12 @@ int fib_multipath_hash(const struct net *net, const struct flowi4 *fl4,
-
- static int ip_mkroute_input(struct sk_buff *skb,
- struct fib_result *res,
-+ const struct flowi4 *fl4,
- struct in_device *in_dev,
- __be32 daddr, __be32 saddr, u32 tos,
-- struct flow_keys *hkeys)
-+ struct flow_keys *hkeys, __be32 lsrc)
- {
-+ fib_select_default(fl4, res);
- #ifdef CONFIG_IP_ROUTE_MULTIPATH
- if (res->fi && res->fi->fib_nhs > 1) {
- int h = fib_multipath_hash(res->fi->fib_net, NULL, skb, hkeys);
-@@ -1927,7 +1929,7 @@ static int ip_mkroute_input(struct sk_buff *skb,
- #endif
-
- /* create a routing cache entry */
-- return __mkroute_input(skb, res, in_dev, daddr, saddr, tos);
-+ return __mkroute_input(skb, res, in_dev, daddr, saddr, tos, lsrc);
- }
-
- /*
-@@ -1942,7 +1944,7 @@ static int ip_mkroute_input(struct sk_buff *skb,
- */
-
- static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-- u8 tos, struct net_device *dev,
-+ u8 tos, struct net_device *dev, __be32 lsrc,
- struct fib_result *res)
- {
- struct in_device *in_dev = __in_dev_get_rcu(dev);
-@@ -2000,18 +2002,25 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
- goto martian_source;
- }
-
-+ if (lsrc) {
-+ if (ipv4_is_multicast(lsrc) || ipv4_is_lbcast(lsrc) ||
-+ ipv4_is_zeronet(lsrc) || ipv4_is_loopback(lsrc))
-+ goto martian_source;
-+ }
-+
- /*
- * Now we are ready to route packet.
- */
- fl4.flowi4_oif = 0;
-- fl4.flowi4_iif = dev->ifindex;
-+ fl4.flowi4_iif = lsrc ? LOOPBACK_IFINDEX : dev->ifindex;
- fl4.flowi4_mark = skb->mark;
- fl4.flowi4_tos = tos;
- fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
- fl4.flowi4_flags = 0;
- fl4.daddr = daddr;
-- fl4.saddr = saddr;
-+ fl4.saddr = lsrc? : saddr;
- fl4.flowi4_uid = sock_net_uid(net, NULL);
-+ fl4.fl4_gw = 0;
-
- if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys)) {
- flkeys = &_flkeys;
-@@ -2022,6 +2031,8 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
- }
-
- err = fib_lookup(net, &fl4, res, 0);
-+ fl4.flowi4_iif = dev->ifindex;
-+ fl4.saddr = saddr;
- if (err != 0) {
- if (!IN_DEV_FORWARD(in_dev))
- err = -EHOSTUNREACH;
-@@ -2039,7 +2050,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-
- if (res->type == RTN_LOCAL) {
- err = fib_validate_source(skb, saddr, daddr, tos,
-- 0, dev, in_dev, &itag);
-+ 0, dev, in_dev, &itag, 1);
- if (err < 0)
- goto martian_source;
- goto local_input;
-@@ -2053,16 +2064,19 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
- goto martian_destination;
-
- make_route:
-- err = ip_mkroute_input(skb, res, in_dev, daddr, saddr, tos, flkeys);
-+ err = ip_mkroute_input(skb, res, &fl4, in_dev, daddr, saddr, tos,
-+ flkeys, lsrc);
- out: return err;
-
- brd_input:
- if (skb->protocol != htons(ETH_P_IP))
- goto e_inval;
-+ if (lsrc)
-+ goto e_inval;
-
- if (!ipv4_is_zeronet(saddr)) {
- err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
-- in_dev, &itag);
-+ in_dev, &itag, 1);
- if (err < 0)
- goto martian_source;
- }
-@@ -2163,9 +2177,26 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr,
- }
- EXPORT_SYMBOL(ip_route_input_noref);
-
-+int ip_route_input_lookup(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-+ u8 tos, struct net_device *dev, __be32 lsrc)
-+{
-+ struct fib_result res;
-+ int err;
-+
-+ tos &= IPTOS_RT_MASK;
-+ rcu_read_lock();
-+ err = ip_route_input_common_rcu(skb, daddr, saddr, tos, dev, lsrc,
-+ &res);
-+ rcu_read_unlock();
-+
-+ return err;
-+}
-+EXPORT_SYMBOL(ip_route_input_lookup);
-+
- /* called with rcu_read_lock held */
--int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-- u8 tos, struct net_device *dev, struct fib_result *res)
-+int ip_route_input_common_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-+ u8 tos, struct net_device *dev, __be32 lsrc,
-+ struct fib_result *res)
- {
- /* Multicast recognition logic is moved from route cache to here.
- The problem was that too many Ethernet cards have broken/missing
-@@ -2211,7 +2242,13 @@ int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
- return err;
- }
-
-- return ip_route_input_slow(skb, daddr, saddr, tos, dev, res);
-+ return ip_route_input_slow(skb, daddr, saddr, tos, dev, lsrc, res);
-+}
-+
-+int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-+ u8 tos, struct net_device *dev, struct fib_result *res)
-+{
-+ return ip_route_input_common_rcu(skb, daddr, saddr, tos, dev, 0, res);
- }
-
- /* called with rcu_read_lock() */
-@@ -2463,6 +2500,7 @@ struct rtable *ip_route_output_key_hash_rcu(struct net *net, struct flowi4 *fl4,
- fl4->daddr = fl4->saddr = htonl(INADDR_LOOPBACK);
- dev_out = net->loopback_dev;
- fl4->flowi4_oif = LOOPBACK_IFINDEX;
-+ fl4->fl4_gw = 0;
- res->type = RTN_LOCAL;
- flags |= RTCF_LOCAL;
- goto make_route;
-@@ -2521,6 +2559,7 @@ struct rtable *ip_route_output_key_hash_rcu(struct net *net, struct flowi4 *fl4,
- orig_oif = FIB_RES_OIF(*res);
-
- fl4->flowi4_oif = dev_out->ifindex;
-+ fl4->fl4_gw = 0;
- flags |= RTCF_LOCAL;
- goto make_route;
- }
-diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
-index 000952719adf..ff44c43411d7 100644
---- a/net/netfilter/nf_nat_core.c
-+++ b/net/netfilter/nf_nat_core.c
-@@ -1152,6 +1152,49 @@ static struct nf_nat_hook nat_hook = {
- .manip_pkt = nf_nat_manip_pkt,
- };
-
-+unsigned int ip_nat_route_input(void *priv,
-+ struct sk_buff *skb,
-+ const struct nf_hook_state *state)
-+{
-+ struct iphdr *iph;
-+ struct nf_conn *conn;
-+ enum ip_conntrack_info ctinfo;
-+ enum ip_conntrack_dir dir;
-+ unsigned long statusbit;
-+ __be32 saddr;
-+
-+ if (!(conn = nf_ct_get(skb, &ctinfo)))
-+ return NF_ACCEPT;
-+
-+ if (!(conn->status & IPS_NAT_DONE_MASK))
-+ return NF_ACCEPT;
-+ dir = CTINFO2DIR(ctinfo);
-+ statusbit = IPS_SRC_NAT;
-+ if (dir == IP_CT_DIR_REPLY)
-+ statusbit ^= IPS_NAT_MASK;
-+ if (!(conn->status & statusbit))
-+ return NF_ACCEPT;
-+
-+ if (skb_dst(skb))
-+ return NF_ACCEPT;
-+
-+ if (skb->len < sizeof(struct iphdr))
-+ return NF_ACCEPT;
-+
-+ /* use daddr in other direction as masquerade address (lsrc) */
-+ iph = ip_hdr(skb);
-+ saddr = conn->tuplehash[!dir].tuple.dst.u3.ip;
-+ if (saddr == iph->saddr)
-+ return NF_ACCEPT;
-+
-+ if (ip_route_input_lookup(skb, iph->daddr, iph->saddr, iph->tos,
-+ skb->dev, saddr))
-+ return NF_DROP;
-+
-+ return NF_ACCEPT;
-+}
-+EXPORT_SYMBOL_GPL(ip_nat_route_input);
-+
- static int __init nf_nat_init(void)
- {
- int ret, i;
-diff --git a/net/netfilter/nf_nat_masquerade.c b/net/netfilter/nf_nat_masquerade.c
-index d85c4d902e7b..f45df6cf24d7 100644
---- a/net/netfilter/nf_nat_masquerade.c
-+++ b/net/netfilter/nf_nat_masquerade.c
-@@ -23,8 +23,8 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
- struct nf_conn_nat *nat;
- enum ip_conntrack_info ctinfo;
- struct nf_nat_range2 newrange;
-- const struct rtable *rt;
-- __be32 newsrc, nh;
-+ struct rtable *rt;
-+ __be32 newsrc;
-
- WARN_ON(hooknum != NF_INET_POST_ROUTING);
-
-@@ -39,12 +39,23 @@ nf_nat_masquerade_ipv4(struct sk_buff *skb, unsigned int hooknum,
- if (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip == 0)
- return NF_ACCEPT;
-
-- rt = skb_rtable(skb);
-- nh = rt_nexthop(rt, ip_hdr(skb)->daddr);
-- newsrc = inet_select_addr(out, nh, RT_SCOPE_UNIVERSE);
-- if (!newsrc) {
-- pr_info("%s ate my IP address\n", out->name);
-- return NF_DROP;
-+ {
-+ struct flowi4 fl4 = { .flowi4_tos = RT_TOS(ip_hdr(skb)->tos),
-+ .flowi4_mark = skb->mark,
-+ .flowi4_oif = out->ifindex,
-+ .daddr = ip_hdr(skb)->daddr,
-+ .fl4_gw = skb_rtable(skb)->rt_gateway };
-+ rt = ip_route_output_key(dev_net(out), &fl4);
-+ if (IS_ERR(rt)) {
-+ /* Funky routing can do this. */
-+ if (net_ratelimit())
-+ pr_info("%s:"
-+ " No route: Rusty's brain broke!\n",
-+ out->name);
-+ return NF_DROP;
-+ }
-+ newsrc = fl4.saddr;
-+ ip_rt_put(rt);
- }
-
- nat = nf_ct_nat_ext_add(ct);
-diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
-index 9cec81209617..820ede89c74a 100644
---- a/security/selinux/nlmsgtab.c
-+++ b/security/selinux/nlmsgtab.c
-@@ -83,6 +83,9 @@ static const struct nlmsg_perm nlmsg_route_perms[] =
- { RTM_NEWCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
- { RTM_DELCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
- { RTM_GETCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
-+ { RTM_NEWARPRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
-+ { RTM_DELARPRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
-+ { RTM_GETARPRULE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
- };
-
- static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
-@@ -166,7 +169,7 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
- * structures at the top of this file with the new mappings
- * before updating the BUILD_BUG_ON() macro!
- */
-- BUILD_BUG_ON(RTM_MAX != (RTM_NEWCHAIN + 3));
-+ BUILD_BUG_ON(RTM_MAX != (RTM_NEWARPRULE + 3));
- err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
- sizeof(nlmsg_route_perms));
- break;
diff --git a/sys-kernel/boest-v5.1.17/0002-pool-2.6.25-tcp-timewait-20s.diff.patch b/sys-kernel/boest-v5.1.17/0002-pool-2.6.25-tcp-timewait-20s.diff.patch
deleted file mode 100644
index 2b0214d0..00000000
--- a/sys-kernel/boest-v5.1.17/0002-pool-2.6.25-tcp-timewait-20s.diff.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From bcde76ef4407d1fd8485186ff61d390bca7abfbd Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Sun, 15 Feb 2009 14:51:33 +0100
-Subject: [PATCH 02/13] pool/2.6.25-tcp-timewait-20s.diff
-
-From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
-
-Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
----
- include/net/tcp.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/include/net/tcp.h b/include/net/tcp.h
-index 36fcd0ad0515..229a56ae55d9 100644
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -120,8 +120,8 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
- * initial RTO.
- */
-
--#define TCP_TIMEWAIT_LEN (60*HZ) /* how long to wait to destroy TIME-WAIT
-- * state, about 60 seconds */
-+#define TCP_TIMEWAIT_LEN (20*HZ) /* how long to wait to destroy TIME-WAIT
-+ * state, about 20 seconds */
- #define TCP_FIN_TIMEOUT TCP_TIMEWAIT_LEN
- /* BSD style FIN_WAIT2 deadlock breaker.
- * It used to be 3min, new value is 60sec,
diff --git a/sys-kernel/boest-v5.1.17/0003-pool-2.6.25-disable-tcp-debug.diff.patch b/sys-kernel/boest-v5.1.17/0003-pool-2.6.25-disable-tcp-debug.diff.patch
deleted file mode 100644
index 272ecb36..00000000
--- a/sys-kernel/boest-v5.1.17/0003-pool-2.6.25-disable-tcp-debug.diff.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From b8acf576d5865c662e9bbcc4fb9a2b0d9fbd81a1 Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Sun, 15 Feb 2009 14:51:33 +0100
-Subject: [PATCH 03/13] pool/2.6.25-disable-tcp-debug.diff
-
-From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
-
-Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
----
- include/net/tcp.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/net/tcp.h b/include/net/tcp.h
-index 229a56ae55d9..92bb26dd475e 100644
---- a/include/net/tcp.h
-+++ b/include/net/tcp.h
-@@ -18,7 +18,7 @@
- #ifndef _TCP_H
- #define _TCP_H
-
--#define FASTRETRANS_DEBUG 1
-+#define FASTRETRANS_DEBUG 0
-
- #include <linux/list.h>
- #include <linux/tcp.h>
diff --git a/sys-kernel/boest-v5.1.17/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch b/sys-kernel/boest-v5.1.17/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch
deleted file mode 100644
index 6252f782..00000000
--- a/sys-kernel/boest-v5.1.17/0004-TCP-add-a-sysctl-to-disable-simultaneous-connection-.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From 458006093115886530e1ff4a885daade519e519b Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Wed, 8 Oct 2008 10:00:42 +0200
-Subject: [PATCH 04/13] TCP: add a sysctl to disable simultaneous connection
- opening.
-
-Strict implementation of RFC793 (TCP) requires support for a feature
-called "simultaneous connect", which allows two clients to connect to
-each other without anyone entering a listening state. While almost
-never used, and supported by few OSes, Linux supports this feature.
-
-However, it introduces a weakness in the protocol which makes it very
-easy for an attacker to prevent a client from connecting to a known
-server. The attacker only has to guess the source port to shut down
-the client connection during its establishment. The impact is limited,
-but it may be used to prevent an antivirus or IPS from fetching updates
-and not detecting an attack, or to prevent an SSL gateway from fetching
-a CRL for example.
-
-This patch provides a new sysctl "tcp_simult_connect" to enable or disable
-support for this useless feature. It comes disabled by default.
-
-Hundreds of systems running with that feature disabled for more than 4 years
-have never encountered an application which requires it. It is almost never
-supported by firewalls BTW.
-
-From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
-
-Reviewed-by: Bertrand Jacquin <bertrand@jacquin.bzh>
-
-Signed-off-by: Willy Tarreau <w@1wt.eu>
-Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
----
- Documentation/networking/ip-sysctl.txt | 22 ++++++++++++++++++++++
- include/net/netns/ipv4.h | 1 +
- include/uapi/linux/sysctl.h | 1 +
- net/ipv4/sysctl_net_ipv4.c | 7 +++++++
- net/ipv4/tcp_input.c | 6 +++++-
- 5 files changed, 36 insertions(+), 1 deletion(-)
-
-diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
-index 048db28eb683..c0fd3af84508 100644
---- a/Documentation/networking/ip-sysctl.txt
-+++ b/Documentation/networking/ip-sysctl.txt
-@@ -199,6 +199,28 @@ inet_peer_maxttl - INTEGER
-
- TCP variables:
-
-+tcp_simult_connect - BOOLEAN
-+ Enables TCP simultaneous connect feature conforming to RFC793.
-+ Strict implementation of RFC793 (TCP) requires support for a feature
-+ called "simultaneous connect", which allows two clients to connect to
-+ each other without anyone entering a listening state. While almost
-+ never used, and supported by few OSes, Linux supports this feature.
-+
-+ However, it introduces a weakness in the protocol which makes it very
-+ easy for an attacker to prevent a client from connecting to a known
-+ server. The attacker only has to guess the source port to shut down
-+ the client connection during its establishment. The impact is limited,
-+ but it may be used to prevent an antivirus or IPS from fetching updates
-+ and not detecting an attack, or to prevent an SSL gateway from fetching
-+ a CRL for example.
-+
-+ If you want absolute compatibility with any possible application,
-+ you should set it to 1. If you prefer to enhance security on your
-+ systems you'd better let it to 0. After four years of usage on
-+ hundreds of systems, no application was ever found to require this
-+ feature, which is not even supported by most firewalls.
-+ Default: 0
-+
- somaxconn - INTEGER
- Limit of socket listen() backlog, known in userspace as SOMAXCONN.
- Defaults to 128. See also tcp_max_syn_backlog for additional tuning
-diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
-index 623cfbb7b8dc..a62a48ab3992 100644
---- a/include/net/netns/ipv4.h
-+++ b/include/net/netns/ipv4.h
-@@ -142,6 +142,7 @@ struct netns_ipv4 {
- int sysctl_tcp_recovery;
- int sysctl_tcp_thin_linear_timeouts;
- int sysctl_tcp_slow_start_after_idle;
-+ int sysctl_tcp_simult_connect;
- int sysctl_tcp_retrans_collapse;
- int sysctl_tcp_stdurg;
- int sysctl_tcp_rfc1337;
-diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
-index 87aa2a6d9125..c94a1099bc5b 100644
---- a/include/uapi/linux/sysctl.h
-+++ b/include/uapi/linux/sysctl.h
-@@ -426,6 +426,7 @@ enum
- NET_TCP_ALLOWED_CONG_CONTROL=123,
- NET_TCP_MAX_SSTHRESH=124,
- NET_TCP_FRTO_RESPONSE=125,
-+ NET_TCP_SIMULT_CONNECT=126,
- };
-
- enum {
-diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
-index 4f1fa744d3c8..bf9e6b3bc260 100644
---- a/net/ipv4/sysctl_net_ipv4.c
-+++ b/net/ipv4/sysctl_net_ipv4.c
-@@ -517,6 +517,13 @@ static struct ctl_table ipv4_table[] = {
- .mode = 0444,
- .proc_handler = proc_tcp_available_congestion_control,
- },
-+ {
-+ .procname = "tcp_simult_connect",
-+ .data = &init_net.ipv4.sysctl_tcp_simult_connect,
-+ .maxlen = sizeof(int),
-+ .mode = 0644,
-+ .proc_handler = &proc_dointvec,
-+ },
- {
- .procname = "tcp_allowed_congestion_control",
- .maxlen = TCP_CA_BUF_MAX,
-diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
-index d48f935c8e28..7f52710b97eb 100644
---- a/net/ipv4/tcp_input.c
-+++ b/net/ipv4/tcp_input.c
-@@ -5766,6 +5766,7 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
- const struct tcphdr *th)
- {
- struct inet_connection_sock *icsk = inet_csk(sk);
-+ struct net *net = sock_net(sk);
- struct tcp_sock *tp = tcp_sk(sk);
- struct tcp_fastopen_cookie foc = { .len = -1 };
- int saved_clamp = tp->rx_opt.mss_clamp;
-@@ -5921,10 +5922,13 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
- tcp_paws_reject(&tp->rx_opt, 0))
- goto discard_and_undo;
-
-- if (th->syn) {
-+ if (th->syn && net->ipv4.sysctl_tcp_simult_connect) {
- /* We see SYN without ACK. It is attempt of
- * simultaneous connect with crossed SYNs.
- * Particularly, it can be connect to self.
-+ * This feature is disabled by default as it introduces
-+ * weakness in the protocol. It can be enabled by a
-+ * sysctl.
- */
- tcp_set_state(sk, TCP_SYN_RECV);
-
diff --git a/sys-kernel/boest-v5.1.17/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch b/sys-kernel/boest-v5.1.17/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch
deleted file mode 100644
index 67f420c3..00000000
--- a/sys-kernel/boest-v5.1.17/0005-pool-2.6.25-disable-kbdrate-at-boot.diff.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From f33c6605bf288702c0229190d2a392da69464afa Mon Sep 17 00:00:00 2001
-From: Willy Tarreau <w@1wt.eu>
-Date: Sun, 15 Feb 2009 14:51:33 +0100
-Subject: [PATCH 05/13] pool/2.6.25-disable-kbdrate-at-boot.diff
-
-From http://linux.1wt.eu/alix/kernel-src/2.6.27-wt11/patches-2.6.27-wt11.tar.bz2
-
-Reviewed-by: Bertrand Jacquin <bertrand@jacquin.bzh>
-Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
----
- arch/x86/boot/main.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/arch/x86/boot/main.c b/arch/x86/boot/main.c
-index 73532543d689..e0d26ecfb713 100644
---- a/arch/x86/boot/main.c
-+++ b/arch/x86/boot/main.c
-@@ -64,6 +64,8 @@ static void copy_boot_params(void)
- */
- static void keyboard_init(void)
- {
-+/*This may take several seconds if the system has no kbd controller */
-+#ifdef CONFIG_INPUT_KEYBOARD
- struct biosregs ireg, oreg;
- initregs(&ireg);
-
-@@ -73,6 +75,7 @@ static void keyboard_init(void)
-
- ireg.ax = 0x0305; /* Set keyboard repeat rate */
- intcall(0x16, &ireg, NULL);
-+#endif
- }
-
- /*
diff --git a/sys-kernel/boest-v5.1.17/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch b/sys-kernel/boest-v5.1.17/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch
deleted file mode 100644
index 3a63cf1d..00000000
--- a/sys-kernel/boest-v5.1.17/0006-Disable-CONFIG_PROCESSOR_SELECT-printk-s.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 263ba1935f0d75e4e1415b4e660530292408b22b Mon Sep 17 00:00:00 2001
-From: Bertrand Jacquin <bertrand@jacquin.bzh>
-Date: Wed, 9 Jan 2013 00:28:28 +0100
-Subject: [PATCH 06/13] Disable CONFIG_PROCESSOR_SELECT printk()'s
-
-Signed-off-by: Bertrand Jacquin <bertrand@jacquin.bzh>
----
- arch/x86/kernel/cpu/common.c | 17 -----------------
- 1 file changed, 17 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
-index 132a63dc5a76..0f9d27df958c 100644
---- a/arch/x86/kernel/cpu/common.c
-+++ b/arch/x86/kernel/cpu/common.c
-@@ -1158,10 +1158,6 @@ void __init early_cpu_init(void)
- const struct cpu_dev *const *cdev;
- int count = 0;
-
--#ifdef CONFIG_PROCESSOR_SELECT
-- pr_info("KERNEL supported cpus:\n");
--#endif
--
- for (cdev = __x86_cpu_dev_start; cdev < __x86_cpu_dev_end; cdev++) {
- const struct cpu_dev *cpudev = *cdev;
-
-@@ -1169,19 +1165,6 @@ void __init early_cpu_init(void)
- break;
- cpu_devs[count] = cpudev;
- count++;
--
--#ifdef CONFIG_PROCESSOR_SELECT
-- {
-- unsigned int j;
--
-- for (j = 0; j < 2; j++) {
-- if (!cpudev->c_ident[j])
-- continue;
-- pr_info(" %s %s\n", cpudev->c_vendor,
-- cpudev->c_ident[j]);
-- }
-- }
--#endif
- }
- early_identify_cpu(&boot_cpu_data);
- }
diff --git a/sys-kernel/boest-v5.1.17/0007-This-patch-adds-support-for-a-restricted-user-contro.patch b/sys-kernel/boest-v5.1.17/0007-This-patch-adds-support-for-a-restricted-user-contro.patch
deleted file mode 100644
index 8e3bb0e1..00000000
--- a/sys-kernel/boest-v5.1.17/0007-This-patch-adds-support-for-a-restricted-user-contro.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 56fe6cf05eff8e85260e4351c08c7d517c8b42f4 Mon Sep 17 00:00:00 2001
-From: "Anthony G. Basile" <blueness@gentoo.org>
-Date: Sun, 21 Apr 2019 16:05:59 -0400
-Subject: [PATCH 07/13] This patch adds support for a restricted
- user-controlled namespace on tmpfs filesystem used to house PaX flags. The
- namespace must be of the form user.pax.* and its value cannot exceed a size
- of 8 bytes.
-
-This is needed even on all Gentoo systems so that XATTR_PAX flags
-are preserved for users who might build packages using portage on
-a tmpfs system with a non-hardened kernel and then switch to a
-hardened kernel with XATTR_PAX enabled.
-
-The namespace is added to any user with Extended Attribute support
-enabled for tmpfs. Users who do not enable xattrs will not have
-the XATTR_PAX flags preserved.
----
- include/uapi/linux/xattr.h | 4 ++++
- mm/shmem.c | 15 +++++++++++++++
- 2 files changed, 19 insertions(+)
-
-diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
-index c1395b5bd432..bac6d48eca8e 100644
---- a/include/uapi/linux/xattr.h
-+++ b/include/uapi/linux/xattr.h
-@@ -77,5 +77,9 @@
- #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
- #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
-
-+/* User namespace */
-+#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
-+#define XATTR_PAX_FLAGS_SUFFIX "flags"
-+#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
-
- #endif /* _UAPI_LINUX_XATTR_H */
-diff --git a/mm/shmem.c b/mm/shmem.c
-index 2275a0ff7c30..8cb1d2571c33 100644
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -3220,6 +3220,14 @@ static int shmem_xattr_handler_set(const struct xattr_handler *handler,
- struct shmem_inode_info *info = SHMEM_I(inode);
-
- name = xattr_full_name(handler, name);
-+
-+ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
-+ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
-+ return -EOPNOTSUPP;
-+ if (size > 8)
-+ return -EINVAL;
-+ }
-+
- return simple_xattr_set(&info->xattrs, name, value, size, flags);
- }
-
-@@ -3235,6 +3243,12 @@ static const struct xattr_handler shmem_trusted_xattr_handler = {
- .set = shmem_xattr_handler_set,
- };
-
-+static const struct xattr_handler shmem_user_xattr_handler = {
-+ .prefix = XATTR_USER_PREFIX,
-+ .get = shmem_xattr_handler_get,
-+ .set = shmem_xattr_handler_set,
-+};
-+
- static const struct xattr_handler *shmem_xattr_handlers[] = {
- #ifdef CONFIG_TMPFS_POSIX_ACL
- &posix_acl_access_xattr_handler,
-@@ -3242,6 +3256,7 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
- #endif
- &shmem_security_xattr_handler,
- &shmem_trusted_xattr_handler,
-+ &shmem_user_xattr_handler,
- NULL
- };
-
diff --git a/sys-kernel/boest-v5.1.17/0008-fs-Enable-link-security-restrictions-by-default.patch b/sys-kernel/boest-v5.1.17/0008-fs-Enable-link-security-restrictions-by-default.patch
deleted file mode 100644
index 439f60ef..00000000
--- a/sys-kernel/boest-v5.1.17/0008-fs-Enable-link-security-restrictions-by-default.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 6d74a03a38c9b32403babc01bed0451ea492c0e9 Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <ben@decadent.org.uk>
-Date: Fri, 2 Nov 2012 05:32:06 +0000
-Subject: [PATCH 08/13] fs: Enable link security restrictions by default
-
-This reverts commit 561ec64ae67ef25cac8d72bb9c4bfc955edfd415
-('VFS: don't do protected {sym,hard}links by default').
----
- fs/namei.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/fs/namei.c b/fs/namei.c
-index dede0147b3f6..cc9ce8705551 100644
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -883,8 +883,8 @@ static inline void put_link(struct nameidata *nd)
- path_put(&last->link);
- }
-
--int sysctl_protected_symlinks __read_mostly = 0;
--int sysctl_protected_hardlinks __read_mostly = 0;
-+int sysctl_protected_symlinks __read_mostly = 1;
-+int sysctl_protected_hardlinks __read_mostly = 1;
- int sysctl_protected_fifos __read_mostly;
- int sysctl_protected_regular __read_mostly;
-
diff --git a/sys-kernel/boest-v5.1.17/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch b/sys-kernel/boest-v5.1.17/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch
deleted file mode 100644
index 8b87de1a..00000000
--- a/sys-kernel/boest-v5.1.17/0009-The-encryption-is-only-mandatory-to-be-enforced-when.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 52f6245a23b6aaf0421b5232b47cea74e6f18740 Mon Sep 17 00:00:00 2001
-From: Mike Pagano <mpagano@gentoo.org>
-Date: Tue, 11 Jun 2019 14:01:00 -0400
-Subject: [PATCH 09/13] The encryption is only mandatory to be enforced when
- both sides are using Secure Simple Pairing and this means the key size check
- makes only sense in that case.
-
-On legacy Bluetooth 2.0 and earlier devices like mice the encryption was
-optional and thus causing an issue if the key size check is not bound to
-using Secure Simple Pairing.
-
-Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
-Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-Cc: stable@vger.kernel.org
----
- net/bluetooth/hci_conn.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
-index 15d1cb5aee18..034a5ec74624 100644
---- a/net/bluetooth/hci_conn.c
-+++ b/net/bluetooth/hci_conn.c
-@@ -1272,8 +1272,13 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
- return 0;
- }
-
-- if (hci_conn_ssp_enabled(conn) &&
-- !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
-+ /* If Secure Simple Pairing is not enabled, then legacy connection
-+ * setup is used and no encryption or key sizes can be enforced.
-+ */
-+ if (!hci_conn_ssp_enabled(conn))
-+ return 1;
-+
-+ if (!test_bit(HCI_CONN_ENCRYPT, &conn->flags))
- return 0;
-
- return 1;
diff --git a/sys-kernel/boest-v5.1.17/0010-usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch b/sys-kernel/boest-v5.1.17/0010-usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch
deleted file mode 100644
index 8bd9cd08..00000000
--- a/sys-kernel/boest-v5.1.17/0010-usb-storage-Disable-UAS-on-JMicron-SATA-enclosure.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 21a465d2cf691a30c44d486f5d358056cf492462 Mon Sep 17 00:00:00 2001
-From: Laura Abbott <labbott@fedoraproject.org>
-Date: Tue, 8 Sep 2015 09:53:38 -0700
-Subject: [PATCH 10/13] usb-storage: Disable UAS on JMicron SATA enclosure
-
-Steve Ellis reported incorrect block sizes and alignement
-offsets with a SATA enclosure. Adding a quirk to disable
-UAS fixes the problems.
-
-Reported-by: Steven Ellis <sellis@redhat.com>
-Signed-off-by: Laura Abbott <labbott@fedoraproject.org>
----
- drivers/usb/storage/unusual_uas.h | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
-index d0bdebd87ce3..1b23741036ee 100644
---- a/drivers/usb/storage/unusual_uas.h
-+++ b/drivers/usb/storage/unusual_uas.h
-@@ -87,12 +87,15 @@ UNUSUAL_DEV(0x2537, 0x1068, 0x0000, 0x9999,
- USB_SC_DEVICE, USB_PR_DEVICE, NULL,
- US_FL_IGNORE_UAS),
-
--/* Reported-by: Takeo Nakayama <javhera@gmx.com> */
-+/*
-+ * Initially Reported-by: Takeo Nakayama <javhera@gmx.com>
-+ * UAS Ignore Reported by Steven Ellis <sellis@redhat.com>
-+ */
- UNUSUAL_DEV(0x357d, 0x7788, 0x0000, 0x9999,
- "JMicron",
- "JMS566",
- USB_SC_DEVICE, USB_PR_DEVICE, NULL,
-- US_FL_NO_REPORT_OPCODES),
-+ US_FL_NO_REPORT_OPCODES | US_FL_IGNORE_UAS),
-
- /* Reported-by: Hans de Goede <hdegoede@redhat.com> */
- UNUSUAL_DEV(0x4971, 0x1012, 0x0000, 0x9999,
diff --git a/sys-kernel/boest-v5.1.17/0011-5.1-2600_enable-key-swapping-for-apple-mac.patch.patch b/sys-kernel/boest-v5.1.17/0011-5.1-2600_enable-key-swapping-for-apple-mac.patch.patch
deleted file mode 100644
index 674c5e1a..00000000
--- a/sys-kernel/boest-v5.1.17/0011-5.1-2600_enable-key-swapping-for-apple-mac.patch.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From f71a7957ec0de5b6371d3fa106eed4a65ddece22 Mon Sep 17 00:00:00 2001
-From: Mike Pagano <mpagano@gentoo.org>
-Date: Sun, 21 Apr 2019 16:05:59 -0400
-Subject: [PATCH 11/13] 5.1:2600_enable-key-swapping-for-apple-mac.patch
-
----
- drivers/hid/hid-apple.c | 76 +++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 74 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
-index 1cb41992aaa1..c34a3be5085a 100644
---- a/drivers/hid/hid-apple.c
-+++ b/drivers/hid/hid-apple.c
-@@ -54,6 +54,22 @@ MODULE_PARM_DESC(swap_opt_cmd, "Swap the Option (\"Alt\") and Command (\"Flag\")
- "(For people who want to keep Windows PC keyboard muscle memory. "
- "[0] = as-is, Mac layout. 1 = swapped, Windows layout.)");
-
-+static unsigned int swap_fn_leftctrl;
-+module_param(swap_fn_leftctrl, uint, 0644);
-+MODULE_PARM_DESC(swap_fn_leftctrl, "Swap the Fn and left Control keys. "
-+ "(For people who want to keep PC keyboard muscle memory. "
-+ "[0] = as-is, Mac layout, 1 = swapped, PC layout)");
-+
-+static unsigned int rightalt_as_rightctrl;
-+module_param(rightalt_as_rightctrl, uint, 0644);
-+MODULE_PARM_DESC(rightalt_as_rightctrl, "Use the right Alt key as a right Ctrl key. "
-+ "[0] = as-is, Mac layout. 1 = Right Alt is right Ctrl");
-+
-+static unsigned int ejectcd_as_delete;
-+module_param(ejectcd_as_delete, uint, 0644);
-+MODULE_PARM_DESC(ejectcd_as_delete, "Use Eject-CD key as Delete key. "
-+ "([0] = disabled, 1 = enabled)");
-+
- struct apple_sc {
- unsigned long quirks;
- unsigned int fn_on;
-@@ -166,6 +182,21 @@ static const struct apple_key_translation swapped_option_cmd_keys[] = {
- { }
- };
-
-+static const struct apple_key_translation swapped_fn_leftctrl_keys[] = {
-+ { KEY_FN, KEY_LEFTCTRL },
-+ { }
-+};
-+
-+static const struct apple_key_translation rightalt_as_rightctrl_keys[] = {
-+ { KEY_RIGHTALT, KEY_RIGHTCTRL },
-+ { }
-+};
-+
-+static const struct apple_key_translation ejectcd_as_delete_keys[] = {
-+ { KEY_EJECTCD, KEY_DELETE },
-+ { }
-+};
-+
- static const struct apple_key_translation *apple_find_translation(
- const struct apple_key_translation *table, u16 from)
- {
-@@ -185,9 +216,11 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
- struct apple_sc *asc = hid_get_drvdata(hid);
- const struct apple_key_translation *trans, *table;
-
-- if (usage->code == KEY_FN) {
-+ u16 fn_keycode = (swap_fn_leftctrl) ? (KEY_LEFTCTRL) : (KEY_FN);
-+
-+ if (usage->code == fn_keycode) {
- asc->fn_on = !!value;
-- input_event(input, usage->type, usage->code, value);
-+ input_event(input, usage->type, KEY_FN, value);
- return 1;
- }
-
-@@ -266,6 +299,30 @@ static int hidinput_apple_event(struct hid_device *hid, struct input_dev *input,
- }
- }
-
-+ if (swap_fn_leftctrl) {
-+ trans = apple_find_translation(swapped_fn_leftctrl_keys, usage->code);
-+ if (trans) {
-+ input_event(input, usage->type, trans->to, value);
-+ return 1;
-+ }
-+ }
-+
-+ if (ejectcd_as_delete) {
-+ trans = apple_find_translation(ejectcd_as_delete_keys, usage->code);
-+ if (trans) {
-+ input_event(input, usage->type, trans->to, value);
-+ return 1;
-+ }
-+ }
-+
-+ if (rightalt_as_rightctrl) {
-+ trans = apple_find_translation(rightalt_as_rightctrl_keys, usage->code);
-+ if (trans) {
-+ input_event(input, usage->type, trans->to, value);
-+ return 1;
-+ }
-+ }
-+
- return 0;
- }
-
-@@ -329,6 +386,21 @@ static void apple_setup_input(struct input_dev *input)
-
- for (trans = apple_iso_keyboard; trans->from; trans++)
- set_bit(trans->to, input->keybit);
-+
-+ if (swap_fn_leftctrl) {
-+ for (trans = swapped_fn_leftctrl_keys; trans->from; trans++)
-+ set_bit(trans->to, input->keybit);
-+ }
-+
-+ if (ejectcd_as_delete) {
-+ for (trans = ejectcd_as_delete_keys; trans->from; trans++)
-+ set_bit(trans->to, input->keybit);
-+ }
-+
-+ if (rightalt_as_rightctrl) {
-+ for (trans = rightalt_as_rightctrl_keys; trans->from; trans++)
-+ set_bit(trans->to, input->keybit);
-+ }
- }
-
- static int apple_input_mapping(struct hid_device *hdev, struct hid_input *hi,
diff --git a/sys-kernel/boest-v5.1.17/0012-5.1-4567_distro-Gentoo-Kconfig.patch.patch b/sys-kernel/boest-v5.1.17/0012-5.1-4567_distro-Gentoo-Kconfig.patch.patch
deleted file mode 100644
index f65e59ec..00000000
--- a/sys-kernel/boest-v5.1.17/0012-5.1-4567_distro-Gentoo-Kconfig.patch.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-From 01af98d44673f4c57c560c43ca26176d0566b34a Mon Sep 17 00:00:00 2001
-From: Mike Pagano <mpagano@gentoo.org>
-Date: Fri, 28 Dec 2018 18:58:06 -0500
-Subject: [PATCH 12/13] 5.1:4567_distro-Gentoo-Kconfig.patch
-
----
- Kconfig | 2 +
- distro/Kconfig | 147 +++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 149 insertions(+)
-
-diff --git a/Kconfig b/Kconfig
-index 48a80beab685..a5ad73c66099 100644
---- a/Kconfig
-+++ b/Kconfig
-@@ -30,3 +30,5 @@ source "crypto/Kconfig"
- source "lib/Kconfig"
-
- source "lib/Kconfig.debug"
-+
-+source "distro/Kconfig"
-diff --git a/distro/Kconfig b/distro/Kconfig
-new file mode 100644
-index 000000000000..57379b7720de
---- /dev/null
-+++ b/distro/Kconfig
-@@ -0,0 +1,147 @@
-+menu "Gentoo Linux"
-+
-+config GENTOO_LINUX
-+ bool "Gentoo Linux support"
-+
-+ default y
-+
-+ help
-+ In order to boot Gentoo Linux a minimal set of config settings needs to
-+ be enabled in the kernel; to avoid the users from having to enable them
-+ manually as part of a Gentoo Linux installation or a new clean config,
-+ we enable these config settings by default for convenience.
-+
-+ See the settings that become available for more details and fine-tuning.
-+
-+config GENTOO_LINUX_UDEV
-+ bool "Linux dynamic and persistent device naming (userspace devfs) support"
-+
-+ depends on GENTOO_LINUX
-+ default y if GENTOO_LINUX
-+
-+ select DEVTMPFS
-+ select TMPFS
-+ select UNIX
-+
-+ select MMU
-+ select SHMEM
-+
-+ help
-+ In order to boot Gentoo Linux a minimal set of config settings needs to
-+ be enabled in the kernel; to avoid the users from having to enable them
-+ manually as part of a Gentoo Linux installation or a new clean config,
-+ we enable these config settings by default for convenience.
-+
-+ Currently this only selects TMPFS, DEVTMPFS and their dependencies.
-+ TMPFS is enabled to maintain a tmpfs file system at /dev/shm, /run and
-+ /sys/fs/cgroup; DEVTMPFS to maintain a devtmpfs file system at /dev.
-+
-+ Some of these are critical files that need to be available early in the
-+ boot process; if not available, it causes sysfs and udev to malfunction.
-+
-+ To ensure Gentoo Linux boots, it is best to leave this setting enabled;
-+ if you run a custom setup, you could consider whether to disable this.
-+
-+config GENTOO_LINUX_PORTAGE
-+ bool "Select options required by Portage features"
-+
-+ depends on GENTOO_LINUX
-+ default y if GENTOO_LINUX
-+
-+ select CGROUPS
-+ select NAMESPACES
-+ select IPC_NS
-+ select NET_NS
-+ select PID_NS
-+ select SYSVIPC
-+
-+ help
-+ This enables options required by various Portage FEATURES.
-+ Currently this selects:
-+
-+ CGROUPS (required for FEATURES=cgroup)
-+ IPC_NS (required for FEATURES=ipc-sandbox)
-+ NET_NS (required for FEATURES=network-sandbox)
-+ PID_NS (required for FEATURES=pid-sandbox)
-+ SYSVIPC (required by IPC_NS)
-+
-+
-+ It is highly recommended that you leave this enabled as these FEATURES
-+ are, or will soon be, enabled by default.
-+
-+menu "Support for init systems, system and service managers"
-+ visible if GENTOO_LINUX
-+
-+config GENTOO_LINUX_INIT_SCRIPT
-+ bool "OpenRC, runit and other script based systems and managers"
-+
-+ default y if GENTOO_LINUX
-+
-+ depends on GENTOO_LINUX
-+
-+ select BINFMT_SCRIPT
-+
-+ help
-+ The init system is the first thing that loads after the kernel booted.
-+
-+ These config settings allow you to select which init systems to support;
-+ instead of having to select all the individual settings all over the
-+ place, these settings allows you to select all the settings at once.
-+
-+ This particular setting enables all the known requirements for OpenRC,
-+ runit and similar script based systems and managers.
-+
-+ If you are unsure about this, it is best to leave this setting enabled.
-+
-+config GENTOO_LINUX_INIT_SYSTEMD
-+ bool "systemd"
-+
-+ default n
-+
-+ depends on GENTOO_LINUX && GENTOO_LINUX_UDEV
-+
-+ select AUTOFS4_FS
-+ select BLK_DEV_BSG
-+ select CGROUPS
-+ select CHECKPOINT_RESTORE
-+ select CRYPTO_HMAC
-+ select CRYPTO_SHA256
-+ select CRYPTO_USER_API_HASH
-+ select DEVPTS_MULTIPLE_INSTANCES
-+ select DMIID if X86_32 || X86_64 || X86
-+ select EPOLL
-+ select FANOTIFY
-+ select FHANDLE
-+ select INOTIFY_USER
-+ select IPV6
-+ select NET
-+ select NET_NS
-+ select PROC_FS
-+ select SECCOMP
-+ select SECCOMP_FILTER
-+ select SIGNALFD
-+ select SYSFS
-+ select TIMERFD
-+ select TMPFS_POSIX_ACL
-+ select TMPFS_XATTR
-+
-+ select ANON_INODES
-+ select BLOCK
-+ select EVENTFD
-+ select FSNOTIFY
-+ select INET
-+ select NLATTR
-+
-+ help
-+ The init system is the first thing that loads after the kernel booted.
-+
-+ These config settings allow you to select which init systems to support;
-+ instead of having to select all the individual settings all over the
-+ place, these settings allows you to select all the settings at once.
-+
-+ This particular setting enables all the known requirements for systemd;
-+ it also enables suggested optional settings, as the package suggests to.
-+
-+endmenu
-+
-+endmenu
diff --git a/sys-kernel/boest-v5.1.17/0013-WARNING.patch b/sys-kernel/boest-v5.1.17/0013-WARNING.patch
deleted file mode 100644
index 8d3969d6..00000000
--- a/sys-kernel/boest-v5.1.17/0013-WARNING.patch
+++ /dev/null
@@ -1,565 +0,0 @@
-From d1063821eac472d2cdc6ed18a847542372b3bb6c Mon Sep 17 00:00:00 2001
-From: Mike Pagano <mpagano@gentoo.org>
-Date: Fri, 10 May 2019 19:39:45 -0400
-Subject: [PATCH 13/13] WARNING This patch works with gcc versions 4.9+ and
- with kernel version 4.13+ and should NOT be applied when compiling on older
- versions of gcc due to key name changes of the march flags introduced with
- the version 4.9 release of gcc.[1]
-
-Use the older version of this patch hosted on the same github for older
-versions of gcc.
-
-FEATURES
-This patch adds additional CPU options to the Linux kernel accessible under:
- Processor type and features --->
- Processor family --->
-
-The expanded microarchitectures include:
-* AMD Improved K8-family
-* AMD K10-family
-* AMD Family 10h (Barcelona)
-* AMD Family 14h (Bobcat)
-* AMD Family 16h (Jaguar)
-* AMD Family 15h (Bulldozer)
-* AMD Family 15h (Piledriver)
-* AMD Family 15h (Steamroller)
-* AMD Family 15h (Excavator)
-* AMD Family 17h (Zen)
-* Intel Silvermont low-power processors
-* Intel 1st Gen Core i3/i5/i7 (Nehalem)
-* Intel 1.5 Gen Core i3/i5/i7 (Westmere)
-* Intel 2nd Gen Core i3/i5/i7 (Sandybridge)
-* Intel 3rd Gen Core i3/i5/i7 (Ivybridge)
-* Intel 4th Gen Core i3/i5/i7 (Haswell)
-* Intel 5th Gen Core i3/i5/i7 (Broadwell)
-* Intel 6th Gen Core i3/i5/i7 (Skylake)
-* Intel 6th Gen Core i7/i9 (Skylake X)
-
-It also offers to compile passing the 'native' option which, "selects the CPU
-to generate code for at compilation time by determining the processor type of
-the compiling machine. Using -march=native enables all instruction subsets
-supported by the local machine and will produce code optimized for the local
-machine under the constraints of the selected instruction set."[3]
-
-MINOR NOTES
-This patch also changes 'atom' to 'bonnell' in accordance with the gcc v4.9
-changes. Note that upstream is using the deprecated 'match=atom' flags when I
-believe it should use the newer 'march=bonnell' flag for atom processors.[2]
-
-It is not recommended to compile on Atom-CPUs with the 'native' option.[4] The
-recommendation is to use the 'atom' option instead.
-
-BENEFITS
-Small but real speed increases are measurable using a make endpoint comparing
-a generic kernel to one built with one of the respective microarchs.
-
-See the following experimental evidence supporting this statement:
-https://github.com/graysky2/kernel_gcc_patch
-
-REQUIREMENTS
-linux version >=4.13
-gcc version >=4.9
-
-ACKNOWLEDGMENTS
-This patch builds on the seminal work by Jeroen.[5]
-
-REFERENCES
-1. https://gcc.gnu.org/gcc-4.9/changes.html
-2. https://bugzilla.kernel.org/show_bug.cgi?id=77461
-3. https://gcc.gnu.org/onlinedocs/gcc/x86-Options.html
-4. https://github.com/graysky2/kernel_gcc_patch/issues/15
-5. http://www.linuxforge.net/docs/linux/linux-gcc.php
----
- arch/x86/Kconfig.cpu | 235 +++++++++++++++++++++++++++++-----
- arch/x86/Makefile | 35 ++++-
- arch/x86/Makefile_32.cpu | 24 +++-
- arch/x86/include/asm/module.h | 40 ++++++
- 4 files changed, 297 insertions(+), 37 deletions(-)
-
-diff --git a/arch/x86/Kconfig.cpu b/arch/x86/Kconfig.cpu
-index 6adce15268bd..7d0709e548af 100644
---- a/arch/x86/Kconfig.cpu
-+++ b/arch/x86/Kconfig.cpu
-@@ -116,6 +116,7 @@ config MPENTIUMM
- config MPENTIUM4
- bool "Pentium-4/Celeron(P4-based)/Pentium-4 M/older Xeon"
- depends on X86_32
-+ select X86_P6_NOP
- ---help---
- Select this for Intel Pentium 4 chips. This includes the
- Pentium 4, Pentium D, P4-based Celeron and Xeon, and
-@@ -148,9 +149,8 @@ config MPENTIUM4
- -Paxville
- -Dempsey
-
--
- config MK6
-- bool "K6/K6-II/K6-III"
-+ bool "AMD K6/K6-II/K6-III"
- depends on X86_32
- ---help---
- Select this for an AMD K6-family processor. Enables use of
-@@ -158,7 +158,7 @@ config MK6
- flags to GCC.
-
- config MK7
-- bool "Athlon/Duron/K7"
-+ bool "AMD Athlon/Duron/K7"
- depends on X86_32
- ---help---
- Select this for an AMD Athlon K7-family processor. Enables use of
-@@ -166,12 +166,83 @@ config MK7
- flags to GCC.
-
- config MK8
-- bool "Opteron/Athlon64/Hammer/K8"
-+ bool "AMD Opteron/Athlon64/Hammer/K8"
- ---help---
- Select this for an AMD Opteron or Athlon64 Hammer-family processor.
- Enables use of some extended instructions, and passes appropriate
- optimization flags to GCC.
-
-+config MK8SSE3
-+ bool "AMD Opteron/Athlon64/Hammer/K8 with SSE3"
-+ ---help---
-+ Select this for improved AMD Opteron or Athlon64 Hammer-family processors.
-+ Enables use of some extended instructions, and passes appropriate
-+ optimization flags to GCC.
-+
-+config MK10
-+ bool "AMD 61xx/7x50/PhenomX3/X4/II/K10"
-+ ---help---
-+ Select this for an AMD 61xx Eight-Core Magny-Cours, Athlon X2 7x50,
-+ Phenom X3/X4/II, Athlon II X2/X3/X4, or Turion II-family processor.
-+ Enables use of some extended instructions, and passes appropriate
-+ optimization flags to GCC.
-+
-+config MBARCELONA
-+ bool "AMD Barcelona"
-+ ---help---
-+ Select this for AMD Family 10h Barcelona processors.
-+
-+ Enables -march=barcelona
-+
-+config MBOBCAT
-+ bool "AMD Bobcat"
-+ ---help---
-+ Select this for AMD Family 14h Bobcat processors.
-+
-+ Enables -march=btver1
-+
-+config MJAGUAR
-+ bool "AMD Jaguar"
-+ ---help---
-+ Select this for AMD Family 16h Jaguar processors.
-+
-+ Enables -march=btver2
-+
-+config MBULLDOZER
-+ bool "AMD Bulldozer"
-+ ---help---
-+ Select this for AMD Family 15h Bulldozer processors.
-+
-+ Enables -march=bdver1
-+
-+config MPILEDRIVER
-+ bool "AMD Piledriver"
-+ ---help---
-+ Select this for AMD Family 15h Piledriver processors.
-+
-+ Enables -march=bdver2
-+
-+config MSTEAMROLLER
-+ bool "AMD Steamroller"
-+ ---help---
-+ Select this for AMD Family 15h Steamroller processors.
-+
-+ Enables -march=bdver3
-+
-+config MEXCAVATOR
-+ bool "AMD Excavator"
-+ ---help---
-+ Select this for AMD Family 15h Excavator processors.
-+
-+ Enables -march=bdver4
-+
-+config MZEN
-+ bool "AMD Zen"
-+ ---help---
-+ Select this for AMD Family 17h Zen processors.
-+
-+ Enables -march=znver1
-+
- config MCRUSOE
- bool "Crusoe"
- depends on X86_32
-@@ -253,6 +324,7 @@ config MVIAC7
-
- config MPSC
- bool "Intel P4 / older Netburst based Xeon"
-+ select X86_P6_NOP
- depends on X86_64
- ---help---
- Optimize for Intel Pentium 4, Pentium D and older Nocona/Dempsey
-@@ -262,17 +334,9 @@ config MPSC
- using the cpu family field
- in /proc/cpuinfo. Family 15 is an older Xeon, Family 6 a newer one.
-
--config MCORE2
-- bool "Core 2/newer Xeon"
-- ---help---
--
-- Select this for Intel Core 2 and newer Core 2 Xeons (Xeon 51xx and
-- 53xx) CPUs. You can distinguish newer from older Xeons by the CPU
-- family in /proc/cpuinfo. Newer ones have 6 and older ones 15
-- (not a typo)
--
- config MATOM
- bool "Intel Atom"
-+ select X86_P6_NOP
- ---help---
-
- Select this for the Intel Atom platform. Intel Atom CPUs have an
-@@ -280,6 +344,99 @@ config MATOM
- accordingly optimized code. Use a recent GCC with specific Atom
- support in order to fully benefit from selecting this option.
-
-+config MCORE2
-+ bool "Intel Core 2"
-+ select X86_P6_NOP
-+ ---help---
-+
-+ Select this for Intel Core 2 and newer Core 2 Xeons (Xeon 51xx and
-+ 53xx) CPUs. You can distinguish newer from older Xeons by the CPU
-+ family in /proc/cpuinfo. Newer ones have 6 and older ones 15
-+ (not a typo)
-+
-+ Enables -march=core2
-+
-+config MNEHALEM
-+ bool "Intel Nehalem"
-+ select X86_P6_NOP
-+ ---help---
-+
-+ Select this for 1st Gen Core processors in the Nehalem family.
-+
-+ Enables -march=nehalem
-+
-+config MWESTMERE
-+ bool "Intel Westmere"
-+ select X86_P6_NOP
-+ ---help---
-+
-+ Select this for the Intel Westmere formerly Nehalem-C family.
-+
-+ Enables -march=westmere
-+
-+config MSILVERMONT
-+ bool "Intel Silvermont"
-+ select X86_P6_NOP
-+ ---help---
-+
-+ Select this for the Intel Silvermont platform.
-+
-+ Enables -march=silvermont
-+
-+config MSANDYBRIDGE
-+ bool "Intel Sandy Bridge"
-+ select X86_P6_NOP
-+ ---help---
-+
-+ Select this for 2nd Gen Core processors in the Sandy Bridge family.
-+
-+ Enables -march=sandybridge
-+
-+config MIVYBRIDGE
-+ bool "Intel Ivy Bridge"
-+ select X86_P6_NOP
-+ ---help---
-+
-+ Select this for 3rd Gen Core processors in the Ivy Bridge family.
-+
-+ Enables -march=ivybridge
-+
-+config MHASWELL
-+ bool "Intel Haswell"
-+ select X86_P6_NOP
-+ ---help---
-+
-+ Select this for 4th Gen Core processors in the Haswell family.
-+
-+ Enables -march=haswell
-+
-+config MBROADWELL
-+ bool "Intel Broadwell"
-+ select X86_P6_NOP
-+ ---help---
-+
-+ Select this for 5th Gen Core processors in the Broadwell family.
-+
-+ Enables -march=broadwell
-+
-+config MSKYLAKE
-+ bool "Intel Skylake"
-+ select X86_P6_NOP
-+ ---help---
-+
-+ Select this for 6th Gen Core processors in the Skylake family.
-+
-+ Enables -march=skylake
-+
-+config MSKYLAKEX
-+ bool "Intel Skylake X"
-+ select X86_P6_NOP
-+ ---help---
-+
-+ Select this for 6th Gen Core processors in the Skylake X family.
-+
-+ Enables -march=skylake-avx512
-+
- config GENERIC_CPU
- bool "Generic-x86-64"
- depends on X86_64
-@@ -287,6 +444,19 @@ config GENERIC_CPU
- Generic x86-64 CPU.
- Run equally well on all x86-64 CPUs.
-
-+config MNATIVE
-+ bool "Native optimizations autodetected by GCC"
-+ ---help---
-+
-+ GCC 4.2 and above support -march=native, which automatically detects
-+ the optimum settings to use based on your processor. -march=native
-+ also detects and applies additional settings beyond -march specific
-+ to your CPU, (eg. -msse4). Unless you have a specific reason not to
-+ (e.g. distcc cross-compiling), you should probably be using
-+ -march=native rather than anything listed below.
-+
-+ Enables -march=native
-+
- endchoice
-
- config X86_GENERIC
-@@ -311,7 +481,7 @@ config X86_INTERNODE_CACHE_SHIFT
- config X86_L1_CACHE_SHIFT
- int
- default "7" if MPENTIUM4 || MPSC
-- default "6" if MK7 || MK8 || MPENTIUMM || MCORE2 || MATOM || MVIAC7 || X86_GENERIC || GENERIC_CPU
-+ default "6" if MK7 || MK8 || MK8SSE3 || MK10 || MBARCELONA || MBOBCAT || MBULLDOZER || MPILEDRIVER || MSTEAMROLLER || MEXCAVATOR || MZEN || MJAGUAR || MPENTIUMM || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MNATIVE || MATOM || MVIAC7 || X86_GENERIC || GENERIC_CPU
- default "4" if MELAN || M486 || MGEODEGX1
- default "5" if MWINCHIP3D || MWINCHIPC6 || MCRUSOE || MEFFICEON || MCYRIXIII || MK6 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || MVIAC3_2 || MGEODE_LX
-
-@@ -329,35 +499,36 @@ config X86_ALIGNMENT_16
-
- config X86_INTEL_USERCOPY
- def_bool y
-- depends on MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M586MMX || X86_GENERIC || MK8 || MK7 || MEFFICEON || MCORE2
-+ depends on MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M586MMX || X86_GENERIC || MK8 || MK8SSE3 || MK7 || MEFFICEON || MCORE2 || MK10 || MBARCELONA || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MNATIVE
-
- config X86_USE_PPRO_CHECKSUM
- def_bool y
-- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MK7 || MK6 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MK8 || MVIAC3_2 || MVIAC7 || MEFFICEON || MGEODE_LX || MCORE2 || MATOM
-+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MK7 || MK6 || MK10 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MK8 || MK8SSE3 || MVIAC3_2 || MVIAC7 || MEFFICEON || MGEODE_LX || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MATOM || MNATIVE
-
- config X86_USE_3DNOW
- def_bool y
- depends on (MCYRIXIII || MK7 || MGEODE_LX) && !UML
-
--#
--# P6_NOPs are a relatively minor optimization that require a family >=
--# 6 processor, except that it is broken on certain VIA chips.
--# Furthermore, AMD chips prefer a totally different sequence of NOPs
--# (which work on all CPUs). In addition, it looks like Virtual PC
--# does not understand them.
--#
--# As a result, disallow these if we're not compiling for X86_64 (these
--# NOPs do work on all x86-64 capable chips); the list of processors in
--# the right-hand clause are the cores that benefit from this optimization.
--#
- config X86_P6_NOP
-- def_bool y
-- depends on X86_64
-- depends on (MCORE2 || MPENTIUM4 || MPSC)
-+ default n
-+ bool "Support for P6_NOPs on Intel chips"
-+ depends on (MCORE2 || MPENTIUM4 || MPSC || MATOM || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MNATIVE)
-+ ---help---
-+ P6_NOPs are a relatively minor optimization that require a family >=
-+ 6 processor, except that it is broken on certain VIA chips.
-+ Furthermore, AMD chips prefer a totally different sequence of NOPs
-+ (which work on all CPUs). In addition, it looks like Virtual PC
-+ does not understand them.
-+
-+ As a result, disallow these if we're not compiling for X86_64 (these
-+ NOPs do work on all x86-64 capable chips); the list of processors in
-+ the right-hand clause are the cores that benefit from this optimization.
-+
-+ Say Y if you have Intel CPU newer than Pentium Pro, N otherwise.
-
- config X86_TSC
- def_bool y
-- depends on (MWINCHIP3D || MCRUSOE || MEFFICEON || MCYRIXIII || MK7 || MK6 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || MK8 || MVIAC3_2 || MVIAC7 || MGEODEGX1 || MGEODE_LX || MCORE2 || MATOM) || X86_64
-+ depends on (MWINCHIP3D || MCRUSOE || MEFFICEON || MCYRIXIII || MK7 || MK6 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || MK8 || MK8SSE3 || MVIAC3_2 || MVIAC7 || MGEODEGX1 || MGEODE_LX || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MNATIVE || MATOM) || X86_64
-
- config X86_CMPXCHG64
- def_bool y
-@@ -367,7 +538,7 @@ config X86_CMPXCHG64
- # generates cmov.
- config X86_CMOV
- def_bool y
-- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
-+ depends on (MK8 || MK8SSE3 || MK10 || MBARCELONA || MBOBCAT || MBULLDOZER || MPILEDRIVER || MSTEAMROLLER || MEXCAVATOR || MZEN || MJAGUAR || MK7 || MCORE2 || MNEHALEM || MWESTMERE || MSILVERMONT || MSANDYBRIDGE || MIVYBRIDGE || MHASWELL || MBROADWELL || MSKYLAKE || MSKYLAKEX || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MNATIVE || MATOM || MGEODE_LX)
-
- config X86_MINIMUM_CPU_FAMILY
- int
-diff --git a/arch/x86/Makefile b/arch/x86/Makefile
-index 56e748a7679f..191a478d8bfe 100644
---- a/arch/x86/Makefile
-+++ b/arch/x86/Makefile
-@@ -118,13 +118,42 @@ else
- KBUILD_CFLAGS += $(call cc-option,-mskip-rax-setup)
-
- # FIXME - should be integrated in Makefile.cpu (Makefile_32.cpu)
-+ cflags-$(CONFIG_MNATIVE) += $(call cc-option,-march=native)
- cflags-$(CONFIG_MK8) += $(call cc-option,-march=k8)
-+ cflags-$(CONFIG_MK8SSE3) += $(call cc-option,-march=k8-sse3,-mtune=k8)
-+ cflags-$(CONFIG_MK10) += $(call cc-option,-march=amdfam10)
-+ cflags-$(CONFIG_MBARCELONA) += $(call cc-option,-march=barcelona)
-+ cflags-$(CONFIG_MBOBCAT) += $(call cc-option,-march=btver1)
-+ cflags-$(CONFIG_MJAGUAR) += $(call cc-option,-march=btver2)
-+ cflags-$(CONFIG_MBULLDOZER) += $(call cc-option,-march=bdver1)
-+ cflags-$(CONFIG_MPILEDRIVER) += $(call cc-option,-march=bdver2)
-+ cflags-$(CONFIG_MSTEAMROLLER) += $(call cc-option,-march=bdver3)
-+ cflags-$(CONFIG_MEXCAVATOR) += $(call cc-option,-march=bdver4)
-+ cflags-$(CONFIG_MZEN) += $(call cc-option,-march=znver1)
- cflags-$(CONFIG_MPSC) += $(call cc-option,-march=nocona)
-
- cflags-$(CONFIG_MCORE2) += \
-- $(call cc-option,-march=core2,$(call cc-option,-mtune=generic))
-- cflags-$(CONFIG_MATOM) += $(call cc-option,-march=atom) \
-- $(call cc-option,-mtune=atom,$(call cc-option,-mtune=generic))
-+ $(call cc-option,-march=core2,$(call cc-option,-mtune=core2))
-+ cflags-$(CONFIG_MNEHALEM) += \
-+ $(call cc-option,-march=nehalem,$(call cc-option,-mtune=nehalem))
-+ cflags-$(CONFIG_MWESTMERE) += \
-+ $(call cc-option,-march=westmere,$(call cc-option,-mtune=westmere))
-+ cflags-$(CONFIG_MSILVERMONT) += \
-+ $(call cc-option,-march=silvermont,$(call cc-option,-mtune=silvermont))
-+ cflags-$(CONFIG_MSANDYBRIDGE) += \
-+ $(call cc-option,-march=sandybridge,$(call cc-option,-mtune=sandybridge))
-+ cflags-$(CONFIG_MIVYBRIDGE) += \
-+ $(call cc-option,-march=ivybridge,$(call cc-option,-mtune=ivybridge))
-+ cflags-$(CONFIG_MHASWELL) += \
-+ $(call cc-option,-march=haswell,$(call cc-option,-mtune=haswell))
-+ cflags-$(CONFIG_MBROADWELL) += \
-+ $(call cc-option,-march=broadwell,$(call cc-option,-mtune=broadwell))
-+ cflags-$(CONFIG_MSKYLAKE) += \
-+ $(call cc-option,-march=skylake,$(call cc-option,-mtune=skylake))
-+ cflags-$(CONFIG_MSKYLAKEX) += \
-+ $(call cc-option,-march=skylake-avx512,$(call cc-option,-mtune=skylake-avx512))
-+ cflags-$(CONFIG_MATOM) += $(call cc-option,-march=bonnell) \
-+ $(call cc-option,-mtune=bonnell,$(call cc-option,-mtune=generic))
- cflags-$(CONFIG_GENERIC_CPU) += $(call cc-option,-mtune=generic)
- KBUILD_CFLAGS += $(cflags-y)
-
-diff --git a/arch/x86/Makefile_32.cpu b/arch/x86/Makefile_32.cpu
-index 1f5faf8606b4..4a3a27cedc75 100644
---- a/arch/x86/Makefile_32.cpu
-+++ b/arch/x86/Makefile_32.cpu
-@@ -23,7 +23,18 @@ cflags-$(CONFIG_MK6) += -march=k6
- # Please note, that patches that add -march=athlon-xp and friends are pointless.
- # They make zero difference whatsosever to performance at this time.
- cflags-$(CONFIG_MK7) += -march=athlon
-+cflags-$(CONFIG_MNATIVE) += $(call cc-option,-march=native)
- cflags-$(CONFIG_MK8) += $(call cc-option,-march=k8,-march=athlon)
-+cflags-$(CONFIG_MK8SSE3) += $(call cc-option,-march=k8-sse3,-march=athlon)
-+cflags-$(CONFIG_MK10) += $(call cc-option,-march=amdfam10,-march=athlon)
-+cflags-$(CONFIG_MBARCELONA) += $(call cc-option,-march=barcelona,-march=athlon)
-+cflags-$(CONFIG_MBOBCAT) += $(call cc-option,-march=btver1,-march=athlon)
-+cflags-$(CONFIG_MJAGUAR) += $(call cc-option,-march=btver2,-march=athlon)
-+cflags-$(CONFIG_MBULLDOZER) += $(call cc-option,-march=bdver1,-march=athlon)
-+cflags-$(CONFIG_MPILEDRIVER) += $(call cc-option,-march=bdver2,-march=athlon)
-+cflags-$(CONFIG_MSTEAMROLLER) += $(call cc-option,-march=bdver3,-march=athlon)
-+cflags-$(CONFIG_MEXCAVATOR) += $(call cc-option,-march=bdver4,-march=athlon)
-+cflags-$(CONFIG_MZEN) += $(call cc-option,-march=znver1,-march=athlon)
- cflags-$(CONFIG_MCRUSOE) += -march=i686 -falign-functions=0 -falign-jumps=0 -falign-loops=0
- cflags-$(CONFIG_MEFFICEON) += -march=i686 $(call tune,pentium3) -falign-functions=0 -falign-jumps=0 -falign-loops=0
- cflags-$(CONFIG_MWINCHIPC6) += $(call cc-option,-march=winchip-c6,-march=i586)
-@@ -32,8 +43,17 @@ cflags-$(CONFIG_MCYRIXIII) += $(call cc-option,-march=c3,-march=i486) -falign-fu
- cflags-$(CONFIG_MVIAC3_2) += $(call cc-option,-march=c3-2,-march=i686)
- cflags-$(CONFIG_MVIAC7) += -march=i686
- cflags-$(CONFIG_MCORE2) += -march=i686 $(call tune,core2)
--cflags-$(CONFIG_MATOM) += $(call cc-option,-march=atom,$(call cc-option,-march=core2,-march=i686)) \
-- $(call cc-option,-mtune=atom,$(call cc-option,-mtune=generic))
-+cflags-$(CONFIG_MNEHALEM) += -march=i686 $(call tune,nehalem)
-+cflags-$(CONFIG_MWESTMERE) += -march=i686 $(call tune,westmere)
-+cflags-$(CONFIG_MSILVERMONT) += -march=i686 $(call tune,silvermont)
-+cflags-$(CONFIG_MSANDYBRIDGE) += -march=i686 $(call tune,sandybridge)
-+cflags-$(CONFIG_MIVYBRIDGE) += -march=i686 $(call tune,ivybridge)
-+cflags-$(CONFIG_MHASWELL) += -march=i686 $(call tune,haswell)
-+cflags-$(CONFIG_MBROADWELL) += -march=i686 $(call tune,broadwell)
-+cflags-$(CONFIG_MSKYLAKE) += -march=i686 $(call tune,skylake)
-+cflags-$(CONFIG_MSKYLAKEX) += -march=i686 $(call tune,skylake-avx512)
-+cflags-$(CONFIG_MATOM) += $(call cc-option,-march=bonnell,$(call cc-option,-march=core2,-march=i686)) \
-+ $(call cc-option,-mtune=bonnell,$(call cc-option,-mtune=generic))
-
- # AMD Elan support
- cflags-$(CONFIG_MELAN) += -march=i486
-diff --git a/arch/x86/include/asm/module.h b/arch/x86/include/asm/module.h
-index 7948a17febb4..22c53c8b844b 100644
---- a/arch/x86/include/asm/module.h
-+++ b/arch/x86/include/asm/module.h
-@@ -25,6 +25,26 @@ struct mod_arch_specific {
- #define MODULE_PROC_FAMILY "586MMX "
- #elif defined CONFIG_MCORE2
- #define MODULE_PROC_FAMILY "CORE2 "
-+#elif defined CONFIG_MNATIVE
-+#define MODULE_PROC_FAMILY "NATIVE "
-+#elif defined CONFIG_MNEHALEM
-+#define MODULE_PROC_FAMILY "NEHALEM "
-+#elif defined CONFIG_MWESTMERE
-+#define MODULE_PROC_FAMILY "WESTMERE "
-+#elif defined CONFIG_MSILVERMONT
-+#define MODULE_PROC_FAMILY "SILVERMONT "
-+#elif defined CONFIG_MSANDYBRIDGE
-+#define MODULE_PROC_FAMILY "SANDYBRIDGE "
-+#elif defined CONFIG_MIVYBRIDGE
-+#define MODULE_PROC_FAMILY "IVYBRIDGE "
-+#elif defined CONFIG_MHASWELL
-+#define MODULE_PROC_FAMILY "HASWELL "
-+#elif defined CONFIG_MBROADWELL
-+#define MODULE_PROC_FAMILY "BROADWELL "
-+#elif defined CONFIG_MSKYLAKE
-+#define MODULE_PROC_FAMILY "SKYLAKE "
-+#elif defined CONFIG_MSKYLAKEX
-+#define MODULE_PROC_FAMILY "SKYLAKEX "
- #elif defined CONFIG_MATOM
- #define MODULE_PROC_FAMILY "ATOM "
- #elif defined CONFIG_M686
-@@ -43,6 +63,26 @@ struct mod_arch_specific {
- #define MODULE_PROC_FAMILY "K7 "
- #elif defined CONFIG_MK8
- #define MODULE_PROC_FAMILY "K8 "
-+#elif defined CONFIG_MK8SSE3
-+#define MODULE_PROC_FAMILY "K8SSE3 "
-+#elif defined CONFIG_MK10
-+#define MODULE_PROC_FAMILY "K10 "
-+#elif defined CONFIG_MBARCELONA
-+#define MODULE_PROC_FAMILY "BARCELONA "
-+#elif defined CONFIG_MBOBCAT
-+#define MODULE_PROC_FAMILY "BOBCAT "
-+#elif defined CONFIG_MBULLDOZER
-+#define MODULE_PROC_FAMILY "BULLDOZER "
-+#elif defined CONFIG_MPILEDRIVER
-+#define MODULE_PROC_FAMILY "PILEDRIVER "
-+#elif defined CONFIG_MSTEAMROLLER
-+#define MODULE_PROC_FAMILY "STEAMROLLER "
-+#elif defined CONFIG_MJAGUAR
-+#define MODULE_PROC_FAMILY "JAGUAR "
-+#elif defined CONFIG_MEXCAVATOR
-+#define MODULE_PROC_FAMILY "EXCAVATOR "
-+#elif defined CONFIG_MZEN
-+#define MODULE_PROC_FAMILY "ZEN "
- #elif defined CONFIG_MELAN
- #define MODULE_PROC_FAMILY "ELAN "
- #elif defined CONFIG_MCRUSOE
diff --git a/sys-kernel/stable-sources-5.1.17 b/sys-kernel/stable-sources-5.1.17
deleted file mode 120000
index f40ed380..00000000
--- a/sys-kernel/stable-sources-5.1.17
+++ /dev/null
@@ -1 +0,0 @@
-boest-v5.1.17
\ No newline at end of file