Hi David,

The following patchset contains Netfilter updates for your net-next tree, they are:

* Add full port randomization support. Some crazy researchers found a way to
  reconstruct the secure ephemeral ports that are allocated in random mode by
  sending off-path bursts of UDP packets to overrun the socket buffer of the
  DNS resolver to trigger retransmissions; then, if the timing for the DNS
  resolution done by a client is larger than usual, they conclude that the
  port that received the burst of UDP packets is the one that was opened. It
  seems a bit of an aggressive method to me but it seems to work for them. As
  a result, Daniel Borkmann and Hannes Frederic Sowa came up with a new NAT
  mode to fully randomize ports using prandom.

* Add a new classifier to x_tables based on the socket net_cls set via
  cgroups. These include two patches to prepare the field as requested by
  Zefan Li. Also from Daniel Borkmann.

* Use prandom instead of get_random_bytes in several locations of the
  netfilter code, from Florian Westphal.

* Allow the use of CTA_MARK_MASK in ctnetlink when mangling the conntrack
  mark, also from Florian Westphal.

* Fix compilation warning due to unused variable in IPVS, from Geert
  Uytterhoeven.

* Add support for UID/GID via nfnetlink_queue, from Valentina Giusti.

* Add IPComp extension to x_tables, from Fan Du.
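As an added example (not code from this series or from the netfilter project), here is a small audit script for the defender side of the first item: it flags SNAT/MASQUERADE rules in an iptables-save dump that still rely on the older random mode or on no port randomization at all. It assumes that iptables exposes the new fully randomized mode as `--random-fully` and runs against a constructed sample dump.

```shell
#!/bin/sh
# Added example, not part of the pull request. Audits iptables-save output for
# source-NAT rules that do not request the fully randomized port allocation
# mode. Assumption: the new mode is selected with --random-fully in iptables.

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE --random
-A POSTROUTING -s 10.0.2.0/24 -o eth0 -j SNAT --to-source 192.0.2.1 --random-fully
COMMIT'

# weak_nat_rules DUMP: print one "WEAK [reason]: rule" line per SNAT or
# MASQUERADE rule that lacks --random-fully. Rules already using the new
# mode produce no output.
weak_nat_rules() {
    printf '%s\n' "$1" | awk '
        /^-A / && / -j (SNAT|MASQUERADE)( |$)/ && !/ --random-fully( |$)/ {
            reason = ($0 ~ / --random( |$)/) ? "old --random mode" : "no port randomization"
            printf "WEAK [%s]: %s\n", reason, $0
        }'
}

# Live use on a host (needs root): weak_nat_rules "$(iptables-save -t nat)"
weak_nat_rules "$SAMPLE_DUMP"
```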
You can pull these changes from:

Daniel Borkmann (4):
      netfilter: nf_nat: add full port randomization support
      net: net_cls: move cgroupfs classid handling into core
      net: netprio: rename config to be more consistent with cgroup configs
      netfilter: x_tables: lightweight process control group matching

Eric Leblond (1):
      netfilter: xt_CT: fix error value in xt_ct_tg_check()

Florian Westphal (2):
      netfilter: avoid get_random_bytes calls
      netfilter: ctnetlink: honor CTA_MARK_MASK when setting ctmark

Geert Uytterhoeven (1):
      ipvs: Remove unused variable ret from sync_thread_master()

Valentina Giusti (1):
      netfilter: nfnetlink_queue: enable UID/GID socket info retrieval

fan.du (1):
      netfilter: add IPv4/6 IPComp extension match support

stephen hemminger (2):
      netfilter: ipset: remove unused code
      netfilter: nf_conntrack: remove dead code

 Documentation/cgroups/net_cls.txt              |   5 +
 include/linux/cgroup_subsys.h                  |   4 +-
 include/linux/netdevice.h                      |   2 +-
 include/linux/netfilter/ipset/ip_set.h         |   1 -
 include/net/cls_cgroup.h                       |  40 +++----
 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |   2 -
 include/net/netfilter/nf_conntrack_l3proto.h   |   1 -
 include/net/netprio_cgroup.h                   |  18 ++--
 include/net/sock.h                             |   2 +-
 include/uapi/linux/netfilter/Kbuild            |   2 +
 include/uapi/linux/netfilter/nf_nat.h          |  12 ++-
 include/uapi/linux/netfilter/nfnetlink_queue.h |   5 +-
 include/uapi/linux/netfilter/xt_cgroup.h       |  11 +++
 include/uapi/linux/netfilter/xt_ipcomp.h       |  16 ++++
 net/Kconfig                                    |  11 ++-
 net/core/Makefile                              |   3 +-
 net/core/dev.c                                 |   2 +-
 net/core/netclassid_cgroup.c                   | 120 ++++++++++++++++++++++++
 net/core/sock.c                                |  14 +-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   6 --
 net/netfilter/Kconfig                          |  19 ++++
 net/netfilter/Makefile                         |   2 +
 net/netfilter/ipset/ip_set_core.c              |  28 ------
 net/netfilter/ipvs/ip_vs_sync.c                |   5 +-
 net/netfilter/nf_conntrack_core.c              |  15 ---
 net/netfilter/nf_conntrack_netlink.c           |  12 ++-
 net/netfilter/nf_conntrack_proto.c             |   6 --
 net/netfilter/nf_nat_core.c                    |   4 +-
 net/netfilter/nf_nat_proto_common.c            |  10 +-
 net/netfilter/nfnetlink_log.c                  |   8 --
 net/netfilter/nfnetlink_queue_core.c           |  34 +++++++
 net/netfilter/nft_hash.c                       |   2 +-
 net/netfilter/xt_CT.c                          |   4 +-
 net/netfilter/xt_RATEEST.c                     |   2 +-
 net/netfilter/xt_cgroup.c                      |  71 ++++++++++++++
 net/netfilter/xt_connlimit.c                   |   2 +-
 net/netfilter/xt_hashlimit.c                   |   2 +-
 net/netfilter/xt_ipcomp.c                      | 111 ++++++++++++++++++++++
 net/netfilter/xt_recent.c                      |   2 +-
 net/sched/Kconfig                              |   1 +
 net/sched/cls_cgroup.c                         | 111 +--------------------
 41 files changed, 470 insertions(+), 258 deletions(-)
 create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h
 create mode 100644 include/uapi/linux/netfilter/xt_ipcomp.h
 create mode 100644 net/core/netclassid_cgroup.c
 create mode 100644 net/netfilter/xt_cgroup.c
 create mode 100644 net/netfilter/xt_ipcomp.c

-- 
1.7.10.4