Package: iptables-netflow / 2.6-7.2

Metadata

Package: iptables-netflow
Version: 2.6-7.2
Patches format: 3.0 (quilt)

Patch series

Each entry below lists the patch file, its file delta (diffstat), and its description.
0001 Fix compile for stable kernels by not using ref_modu.patch

compat.h | 4 0 + 4 - 0 !
ipt_NETFLOW.c | 7 1 + 6 - 0 !
2 files changed, 1 insertion(+), 10 deletions(-)

 [patch 01/17] fix compile for stable kernels by not using 'ref_module'

`ref_module' unexport in 7ef5264de7732 ("modules: mark ref_module
static") is back-ported into stable kernels making old `#if
LINUX_VERSION_CODE' checks irrelevant or too complicated to update.

Do not use `ref_module' API at all since `try_module_get' is ancient
enough to use always.

Reported-by: https://github.com/xtaran
Fixes: https://github.com/aabc/ipt-netflow/issues/177

0002 Namespace sk_error_report.patch

ipt_NETFLOW.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 02/17] namespace sk_error_report

sk_error_report is introduced in v5.14-rc1: e3ae2365efc14 ("net: sock:
introduce sk_error_report").

0003 Fix compilation on CentOS 8.patch

compat.h | 4 2 + 2 - 0 !
gen_compat_def | 33 28 + 5 - 0 !
ipt_NETFLOW.c | 2 1 + 1 - 0 !
3 files changed, 31 insertions(+), 8 deletions(-)

 [patch 03/17] fix compilation on centos 8

Tested on kernel-4.18.0-305.7.1.el8_4.x86_64 using this Dockerfile:

  FROM centos:8
  RUN yum install -y gcc make which kernel kernel-devel iptables-devel
  WORKDIR /src
  COPY . .
  RUN ./configure --kver=$(cd /lib/modules; ls)
  RUN make

Fixes: #176 and #178.

0004 Better detection of CONFIG_BRIDGE_NETFILTER.patch

ipt_NETFLOW.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 04/17] better detection of config_bridge_netfilter

`CONFIG_BRIDGE_NETFILTER' is a tristate, thus just `#ifdef' cannot be used.

Reported-by: https://github.com/lyt0112
Fixes: #184

0005 Avoid using incomplete compat_def.h.patch

Makefile.in | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch 05/17] avoid using incomplete compat_def.h

Otherwise this may cause too many irrelevant errors.

0006 Use explicit fallthrough macro.patch

compat.h | 10 10 + 0 - 0 !
ipt_NETFLOW.c | 4 2 + 2 - 0 !
murmur3.h | 4 2 + 2 - 0 !
3 files changed, 14 insertions(+), 4 deletions(-)

 [patch 06/17] use explicit fallthrough macro

Since `-Wimplicit-fallthrough=5` is enabled in the Linux Makefile.

0007 Fix build on v5.15 ct_event.patch

compat.h | 4 4 + 0 - 0 !
gen_compat_def | 16 16 + 0 - 0 !
ipt_NETFLOW.c | 16 11 + 5 - 0 !
3 files changed, 31 insertions(+), 5 deletions(-)

 [patch 07/17] fix build on v5.15 (ct_event)

    CC [M]  ipt_NETFLOW.o
  ipt_NETFLOW.c: In function netflow_conntrack_event:
  ipt_NETFLOW.c:4622:31: error: struct nf_ct_event_notifier has no member named fcn
   4622 |                 ret = notifier->fcn(events, item);
        |                               ^~
  ipt_NETFLOW.c: At top level:
  ipt_NETFLOW.c:4687:10: error: struct nf_ct_event_notifier has no member named fcn
   4687 |         .fcn = netflow_conntrack_event
        |          ^~~
  ipt_NETFLOW.c:4687:16: error: initialization of int (*)(unsigned int,  const struct nf_ct_event *) from incompatible pointer type int (*)(const unsigned int,  struct nf_ct_event *) [-Werror=incompatible-pointer-types]
   4687 |         .fcn = netflow_conntrack_event
        |                ^~~~~~~~~~~~~~~~~~~~~~~
  ipt_NETFLOW.c:4687:16: note: (near initialization for ctnl_notifier.ct_event)
  ipt_NETFLOW.c: In function unset_notifier_cb:
  ipt_NETFLOW.c:5455:25: error: too many arguments to function nf_conntrack_unregister_notifier
   5455 |                         nf_conntrack_unregister_notifier(NET_ARG &ctnl_notifier);
        |                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  In file included from ./include/net/netfilter/nf_conntrack_core.h:18,
                   from ipt_NETFLOW.c:68:
  ./include/net/netfilter/nf_conntrack_ecache.h:88:6: note: declared here
     88 | void nf_conntrack_unregister_notifier(struct net *net);
        |      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reported-by: https://github.com/rcmcronny
Fixes: #186

0008 gen_compat_def Catch dereferencing pointer to incomp.patch

gen_compat_def | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 08/17] gen_compat_def: catch 'dereferencing pointer to incomplete type'

If `CONFIG_NF_CONNTRACK_EVENTS` is undeclared, the following test produces a build error:

  Test member nf_ct_event_notifier.ct_event net/netfilter/nf_conntrack_ecache.h  undeclared
  Error: unexpected error from compiler
  make -s -B M=cc-test-build modules
  cc-test-build/test.c:4:41: error: dereferencing pointer to incomplete type 'struct nf_ct_event_notifier'
   typeof(((struct nf_ct_event_notifier*)0)->ct_event) test;
                                           ^~
  scripts/Makefile.build:288: recipe for target 'cc-test-build/test.o' failed

Treat this error as just a negative test case.

0009 Fix preemptive enabled warning.patch

ipt_NETFLOW.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 09/17] fix preemptive enabled warning

Issue 193: we can use an unstable reading because we don't actually
care much about which CPU executed the worker.

Link: https://github.com/aabc/ipt-netflow/issues/193
Link: https://github.com/aabc/ipt-netflow/pull/197

0010 fix building on old kernels.patch

compat.h | 7 7 + 0 - 0 !
ipt_NETFLOW.c | 2 1 + 1 - 0 !
2 files changed, 8 insertions(+), 1 deletion(-)

 [patch 10/17] fix building on old kernels

Link: https://github.com/aabc/ipt-netflow/pull/196

0011 nat_events add expect callback.patch

ipt_NETFLOW.c | 18 17 + 1 - 0 !
1 file changed, 17 insertions(+), 1 deletion(-)

 [patch 11/17] nat_events: add expect callback

Starting with 5.15, the kernel uses the same notifier structure for
actual NAT events and additional expect events for NAT helpers.
The expect event callback is assumed to exist, and the only thing that
could disable such events is netlink configuration from user space.
That's why this module has to provide such a callback; otherwise a
kernel panic is expected to happen if any NAT helper is enabled
(the most common is the pptp gre helper).

Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
Link: https://github.com/aabc/ipt-netflow/pull/196

0012 compat Fix __has_attribute usage.patch

compat.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 12/17] compat: fix __has_attribute usage

Fixes: #195
Link: https://github.com/aabc/ipt-netflow/issues/195

0013 tcp options fix possible shift out of bounds.patch

ipt_NETFLOW.c | 18 8 + 10 - 0 !
1 file changed, 8 insertions(+), 10 deletions(-)

 [patch 13/17] tcp options: fix possible shift-out-of-bounds

The calculation of the tcp option bit is done before the actual check and
could lead to a shift-out-of-bounds error tracked by UBSAN. Fix it by
checking for a zero value before the calculation.
While here, also fix the bit calculation because it should be 31-based
instead of 32-based.

Signed-off-by: Vadim Fedorenko <vvfedorenko@github.com>

0014 TCP Option 0 should participate in bitmask too.patch

ipt_NETFLOW.c | 6 2 + 4 - 0 !
1 file changed, 2 insertions(+), 4 deletions(-)

 [patch 14/17] tcp option 0 should participate in bitmask too

Fixes: a1386af ("tcp options: fix possible shift-out-of-bounds")
Signed-off-by: ABC <abc@openwall.com>

0015 Fix possible out of bounds read in tcp_options fix.patch

ipt_NETFLOW.c | 10 7 + 3 - 0 !
1 file changed, 7 insertions(+), 3 deletions(-)

 [patch 15/17] fix possible out-of-bounds read in tcp_options fix

An out-of-bounds read could occur in `p[i] < 2` before the boundary of `i`
is checked.

Basically it's returning to the previous code, except for a fix and the
early zeroing of `ret`.

Fixes: a1386af ("tcp options: fix possible shift-out-of-bounds")
Signed-off-by: ABC <abc@openwall.com>

0016 Fix ipv4 options parsing and bit numbering.patch

ipt_NETFLOW.c | 64 17 + 47 - 0 !
1 file changed, 17 insertions(+), 47 deletions(-)

 [patch 16/17] fix ipv4 options parsing and bit numbering

RFC 5102 and its Errata[1] messed with the bit numbering several times.

  "Options are mapped to bits according to their option numbers.
  Option number X is mapped to bit X."

But actually it's in inverted order.

  "A misunderstanding arose as to whether bits were assigned in host order
  or network order - so clarify that the bits are assigned from the
  least significant to the most significant, ie right-to-left rather
  than left-to-right."

That's about the bit numbering in the diagram. So the final correct options
mask is (from Errata 2944):

  (options mask diagram truncated in this listing; only the bit-position
  header row "0 1 2 3 4 5 6 7" survives)

0017 Build compatibility with v6.4 register_sysctl_paths.patch

gen_compat_def | 2 2 + 0 - 0 !
ipt_NETFLOW.c | 10 8 + 2 - 0 !
2 files changed, 10 insertions(+), 2 deletions(-)

 [patch 17/17] build compatibility with v6.4 (register_sysctl_paths)

'register_sysctl_paths' is missing from v6.4 due to 0199849acd07
("sysctl: remove register_sysctl_paths()").

Signed-off-by: ABC <abc@openwall.com>

1001 compat Really fix __has_attribute usage.patch

compat.h | 9 5 + 4 - 0 !
1 file changed, 5 insertions(+), 4 deletions(-)

 [patch] compat: really fix __has_attribute usage

Fixes: 40fefb2 ("compat: Fix __has_attribute usage")
Signed-off-by: Andreas Beckmann <anbe@debian.org>

1002 fix detect modularized CONFIG_BRIDGE_NETFILTER.patch

compat.h | 2 1 + 1 - 0 !
gen_compat_def | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 [patch] fix: detect modularized config_bridge_netfilter

1003 fix backward compatible building with kernel 5.3.patch

ipt_NETFLOW.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch] fix: backward compatible building with kernel <5.3

1004 Fix dkms status invocation.patch

configure | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix dkms status invocation

and do not query unrelated modules

Signed-off-by: Andreas Beckmann <anbe@debian.org>

1005 Do not check for dkms if called from dkms.patch

configure | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] do not check for dkms if called from dkms

the recursive calls slowed down the configure script significantly

Signed-off-by: Andreas Beckmann <anbe@debian.org>

1006 Set KDIR early if called from dkms and get version f.patch

configure | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] set kdir early if called from dkms and get version from sources

Signed-off-by: Andreas Beckmann <anbe@debian.org>

1007 dkms.conf Declare BUILD_EXCLUSIVE_KERNEL_MIN 3.patch

dkms.conf | 4 4 + 0 - 0 !
ipt_NETFLOW.c | 1 1 + 0 - 0 !
2 files changed, 5 insertions(+)

 [patch] dkms.conf: declare build_exclusive_kernel_min="3"

skb_reset_mac_len() was introduced in v3.0-rc3 and is used unconditionally.

Signed-off-by: Andreas Beckmann <anbe@debian.org>

1008 Fix module build for Linux v4.3.patch

ipt_NETFLOW.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] fix module build for linux v4.3

netif_is_bridge_port() was introduced in v4.4-rc2 by
"vlan: Do not put vlan headers back on bridge and macvlan ports"
(28f9ee22bcdd84726dbf6267d0b58f254166b900)

Signed-off-by: Andreas Beckmann <anbe@debian.org>

1009 Unexporting find_module has been backported to Linux.patch

compat.h | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 [patch] unexporting find_module() has been backported to linux v5.10.220

Signed-off-by: Andreas Beckmann <anbe@debian.org>

1010 compat Linux 6.11 support.patch

compat.h | 10 6 + 4 - 0 !
ipt_NETFLOW.c | 24 13 + 11 - 0 !
2 files changed, 19 insertions(+), 15 deletions(-)

 [patch] compat: linux 6.11 support

There are several changes in linux kernel 6.11+ which are
incompatible with the module. Improve compatibility.

Signed-off-by: Vadim Fedorenko <vvfedorenko@github.com>

1011 Restore ctl_table backwards compatibility.patch

compat.h | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

 [patch] restore ctl_table backwards compatibility

1012 Fix module build for Linux v6.12.patch

gen_compat_def | 9 7 + 2 - 0 !
ipt_NETFLOW.c | 4 4 + 0 - 0 !
2 files changed, 11 insertions(+), 2 deletions(-)

 [patch] fix module build for linux v6.12

adapt to "move asm/unaligned.h to linux/unaligned.h"
(5f60d5f6bbc12e782fac78110b0ee62698f3b576) in v6.12-rc2

Fixes: #237
Signed-off-by: Andreas Beckmann <anbe@debian.org>

2001 physindev has been replaced by physinif in Linux v6..patch

ipt_NETFLOW.c | 13 13 + 0 - 0 !
1 file changed, 13 insertions(+)

 [patch] physindev has been replaced by physinif in linux v6.8

disable ENABLE_PHYSDEV/ENABLE_PHYSDEV_OVER after
"netfilter: bridge: replace physindev with physinif in nf_bridge_info"
v6.8-rc1 (9874808878d9eed407e3977fd11fee49de1e1d86)
v6.7.2   (544add1f1cfb78c3dfa3e6edcf4668f6be5e730c)
v6.6.14  (9325e3188a9cf3f69fc6f32af59844bbc5b90547)
v6.1.75  (7ae19ee81ca56b13c50a78de6c47d5b8fdc9d97b)

Signed-off-by: Andreas Beckmann <anbe@debian.org>

ignore unknown configure options.patch

configure | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 warn about unknown configure options instead of bailing out
 Avoids "Invalid option: --build=x86_64-linux-gnu" build error.

 Additionally make it understand some configure options passed by
 debhelper by default, namely --prefix, --libdir and --includedir.

properly pass CPPFLAGS and LDFLAGS.patch

Makefile.in | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 properly pass $cppflags and $ldflags

disable kernel check.patch

configure | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 disable kernel check in configure script if no dkms is used
 This means it's skipped during package build but not during install
 time when a build of the kernel module is being triggered via dkms.

dont hardcode current gcc.patch

Makefile.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 don't hardcode default gcc version (i.e. don't override $cc if set)
 Avoids compilation failures with older kernels which can't be
 compiled with the current gcc, e.g. 5.7 needs gcc-9 instead of the
 current gcc-10 (where the gcc symlink points to).

cross.patch

configure | 29 17 + 12 - 0 !
1 file changed, 17 insertions(+), 12 deletions(-)

use get_random_u32_below instead of deprecated prand.patch

compat.h | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch] use get_random_u32_below() instead of deprecated prandom_u32_max()

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

replace strlcpy by strscpy.patch

compat.h | 4 4 + 0 - 0 !
ipt_NETFLOW.c | 10 5 + 5 - 0 !
2 files changed, 9 insertions(+), 5 deletions(-)

 replace all occurrences of strlcpy with strscpy
 Fixes compilation against Linux kernel 6.8 which has strlcpy removed.

verbose.patch

Makefile.in | 1 1 + 0 - 0 !
gen_compat_def | 3 2 + 1 - 0 !
2 files changed, 3 insertions(+), 1 deletion(-)

 dump compat_def.h

rename to timer_delete_sync in Linux 6.15.patch

ipt_NETFLOW.c | 12 10 + 2 - 0 !
1 file changed, 10 insertions(+), 2 deletions(-)

 rename del_timer_sync to timer_delete_sync in linux 6.15
 The kernel upstream commit 8fa7292fee5c ("treewide: Switch/rename to timer_delete[_sync]()"),
 which landed mainline in v6.15, renames the function from del_timer_sync()
 to timer_delete_sync(). Adjust the code accordingly.