From bb699ff491f65a6a612c0c0cfd49e1fa58de04ea Mon Sep 17 00:00:00 2001
From: Dongsu Park
Date: Wed, 14 Oct 2020 17:20:23 +0200
Subject: [PATCH] sys-kernel: remove blank kernel module nf-conntrack-ipv4 So far Flatcar has kept a third-party patch to add a blank kernel module `nf-conntrack-ipv4.ko` to avoid regression around Kubernetes. The issue was that kube-proxy with ipvs started using `nf-conntrack.ko`, which does not exist in Kernel < 4.19. The patch was originally added by https://github.com/flatcar-linux/coreos-overlay/commit/a24dbb6cb639d7e87c38502558336bdfe16f55b0. However, Kubernetes 1.13 or newer already deals with the issue. It automatically loads a different Kernel module according to Kernel versions: `nf-conntrack-ipv4` for Kernel < 4.19, and `nf-conntrack` for Kernel >= 4.19. See https://github.com/kubernetes/kubernetes/commit/4b90559369261f1892f81ecdd3cd808e2fe39d22 . We can simply remove the Kernel module, as since then all production systems have updated Kubernetes to the newer versions than 1.13.
---
 .../coreos-sources-5.8.14.ebuild | 1 -
 ...elative-path-for-srctree-from-CURDIR.patch | 2 +-
 ...kefile-Don-t-fail-on-fallthrough-wit.patch | 2 +-
 ...d-nf_conntrack_ipv4-compat-module-fo.patch | 87 -------------------
 4 files changed, 2 insertions(+), 90 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0003-net-netfilter-add-nf_conntrack_ipv4-compat-module-fo.patch
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-5.8.14.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-5.8.14.ebuild
index 017803b96b..3d782ccffa 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-5.8.14.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/coreos-sources-5.8.14.ebuild
@@ -34,5 +34,4 @@ IUSE=""
 UNIPATCH_LIST="
 ${PATCH_DIR}/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch \
 ${PATCH_DIR}/z0002-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch \
- ${PATCH_DIR}/z0003-net-netfilter-add-nf_conntrack_ipv4-compat-module-fo.patch \
 "
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch
index bf0bc4f199..3e801ba974 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0001-kbuild-derive-relative-path-for-srctree-from-CURDIR.patch
@@ -1,7 +1,7 @@
 From b500ac62a04f6aede02e0ca8c9a4228b0ffc2828 Mon Sep 17 00:00:00 2001
 From: Vito Caputo
 Date: Wed, 25 Nov 2015 02:59:45 -0800
-Subject: [PATCH 1/3] kbuild: derive relative path for srctree from CURDIR
+Subject: [PATCH 1/2] kbuild: derive relative path for srctree from CURDIR

 This enables relocating source and build trees to different roots,
 provided they stay reachable relative to one another. Useful for
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0002-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0002-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch
index 81b4610013..50d18689dd 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0002-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0002-tools-objtool-Makefile-Don-t-fail-on-fallthrough-wit.patch
@@ -1,7 +1,7 @@
 From d2559ba1a806f8d010d09807c2c0906181824626 Mon Sep 17 00:00:00 2001
 From: David Michael
 Date: Thu, 8 Feb 2018 21:23:12 -0500
-Subject: [PATCH 2/3] tools/objtool/Makefile: Don't fail on fallthrough with
+Subject: [PATCH 2/2] tools/objtool/Makefile: Don't fail on fallthrough with
 new GCCs

 ---
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0003-net-netfilter-add-nf_conntrack_ipv4-compat-module-fo.patch b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0003-net-netfilter-add-nf_conntrack_ipv4-compat-module-fo.patch
deleted file mode 100644
index 18fd18bb91..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-sources/files/5.8/z0003-net-netfilter-add-nf_conntrack_ipv4-compat-module-fo.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From ab2e2914cd297cd14a82fdbe6b709290bd9fe449 Mon Sep 17 00:00:00 2001
-From: Benjamin Gilbert
-Date: Fri, 26 Oct 2018 17:00:56 -0700
-Subject: [PATCH 3/3] net/netfilter: add nf_conntrack_ipv4 compat module for
- kube-proxy
-
-kube-proxy won't enable ipvs unless it can modprobe nf_conntrack_ipv4 and
-find it in the list of loaded modules afterward. Thus an alias isn't
-enough to maintain compatibility; we need an actual module.
----
- net/netfilter/Kconfig | 8 ++++++++
- net/netfilter/Makefile | 1 +
- net/netfilter/nf_conntrack_ipv4.c | 31 +++++++++++++++++++++++++++++++
- 3 files changed, 40 insertions(+)
- create mode 100644 net/netfilter/nf_conntrack_ipv4.c
-
-diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
-index 0ffe2b8723c4..522b1a6c9e7e 100644
---- a/net/netfilter/Kconfig
-+++ b/net/netfilter/Kconfig
-@@ -71,6 +71,14 @@ config NF_CONNTRACK
-
- To compile it as a module, choose M here. If unsure, say N.
-
-+config NF_CONNTRACK_IPV4_COMPAT
-+ tristate "Netfilter connection tracking IPv4 compatibility module"
-+ depends on NF_CONNTRACK
-+ default NF_CONNTRACK
-+ help
-+ Compatibility nf_conntrack_ipv4 module that loads nf_conntrack.ko,
-+ since kube-proxy cares about the names of loaded kernel modules.
-+
- config NF_LOG_COMMON
- tristate
-
-diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
-index 0e0ded87e27b..fb28e546187b 100644
---- a/net/netfilter/Makefile
-+++ b/net/netfilter/Makefile
-@@ -25,6 +25,7 @@ obj-$(CONFIG_NETFILTER_NETLINK_OSF) += nfnetlink_osf.o
-
- # connection tracking
- obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o
-+obj-$(CONFIG_NF_CONNTRACK_IPV4_COMPAT) += nf_conntrack_ipv4.o
-
- # netlink interface for nf_conntrack
- obj-$(CONFIG_NF_CT_NETLINK) += nf_conntrack_netlink.o
-diff --git a/net/netfilter/nf_conntrack_ipv4.c b/net/netfilter/nf_conntrack_ipv4.c
-new file mode 100644
-index 000000000000..8308772022c6
---- /dev/null
-+++ b/net/netfilter/nf_conntrack_ipv4.c
-@@ -0,0 +1,31 @@
-+/* SPDX-License-Identifier: GPL-2.0 */
-+/*
-+ * Compatibility nf_conntrack_ipv4 module that depends on nf_conntrack
-+ * to keep kube-proxy happy.
-+ *
-+ * Copyright (c) 2018 Red Hat, Inc.
-+ *
-+ * This program is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License as published by the Free
-+ * Software Foundation; either version 2 of the License, or (at your option)
-+ * any later version.
-+ */
-+
-+#include
-+#include
-+#include
-+
-+unsigned int *pointer_to_nf_conntrack_data = &nf_conntrack_max;
-+
-+static int __init nf_conntrack_ipv4_init(void) {
-+ pr_notice("nf_conntrack_ipv4: loaded compatibility alias for nf_conntrack\n");
-+ return 0;
-+}
-+
-+static void __exit nf_conntrack_ipv4_exit(void) {}
-+
-+module_init(nf_conntrack_ipv4_init);
-+module_exit(nf_conntrack_ipv4_exit);
-+
-+MODULE_DESCRIPTION("kube-proxy compatibility wrapper for nf_conntrack.ko");
-+MODULE_LICENSE("GPL");
---
-2.26.2
-