Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains a final Netfilter pull request for net-next 4.2. This mostly addresses some fallout from the previous pull request, small netns updates and a couple of new features for nfnetlink_log and the socket match that didn't get in time for the previous pull request. More specifically they are: 1) Add security context information to nfnetlink_queue, from Roman Kubiak. 2) Add support to restore the sk_mark into skb->mark through xt_socket, from Harout Hedeshian. 3) Force alignment of 16 bytes of per cpu xt_counters, from Eric Dumazet. 4) Rename br_netfilter.c to br_netfilter_hooks.c to prepare split of IPv6 code into a separated file. 5) Move the IPv6 code in br_netfilter into a separated file. 6) Remove unused RCV_SKB_FAIL() in nfnetlink_queue and nfetlink_log, from Eric Biederman. 7) Two liner to simplify netns logic in em_ipset_match(). 8) Add missing includes to net/net_namespace.h to avoid compilation problems that result from not including linux/netfilter.h in netns headers. 9) Use a forward declaration instead of including linux/proc_fs.h from netns/netfilter.h 10) Add a new linux/netfilter_defs.h to replace the linux/netfilter.h inclusion in netns headers. 11) Remove spurious netfilter.h file included in the net tree, also from Eric Biederman. 12) Fix x_tables compilation warnings on 32 bits platforms that resulted from recent changes in x_tables counters, from Florian Westphal. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2015-06-20 18:39:40 -0400
committer: David S. Miller <davem@davemloft.net> 2015-06-20 18:39:40 -0400
commit: 120119623b6798b70384248c0cacf8f8de419c9a (patch)
tree: 52cb7d6d6f5c30420833450a18c378b4d121825b
parent: b67ea97fcd4e29c97ced1ecba15443ecfce395b1 (diff)
parent: dcb8f5c8139ef945cdfd55900fae265c4dbefc02 (diff)
31 files changed, 444 insertions, 282 deletions
diff --git a/drivers/net/hamradio/bpqether.c b/drivers/net/hamradio/bpqether.c
index 63ff08a26da8..7856b6ccf5c5 100644
--- a/drivers/net/hamradio/bpqether.c
+++ b/drivers/net/hamradio/bpqether.c
@@ -76,7 +76,6 @@
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/stat.h>
-#include <linux/netfilter.h>
 #include <linux/module.h>
 #include <linux/init.h>
 #include <linux/rtnetlink.h>
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index 14839bc0aaf5..686f37daa262 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -28,8 +28,6 @@
 #include <linux/file.h>
 #include <linux/in.h>
 #include <linux/ip.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4.h>
 #include <linux/rcupdate.h>
 #include <linux/spinlock.h>
diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
index 2f5eda8a7227..6676607164d6 100644
--- a/drivers/net/wan/lapbether.c
+++ b/drivers/net/wan/lapbether.c
@@ -40,7 +40,6 @@
 #include <linux/interrupt.h>
 #include <linux/notifier.h>
 #include <linux/stat.h>
-#include <linux/netfilter.h>
 #include <linux/module.h>
 #include <linux/lapb.h>
 #include <linux/init.h>
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index f5ff5d156da8..00050dfd9f23 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -10,7 +10,8 @@
 #include <linux/wait.h>
 #include <linux/list.h>
 #include <linux/static_key.h>
-#include <uapi/linux/netfilter.h>
+#include <linux/netfilter_defs.h>
 #ifdef CONFIG_NETFILTER
 static inline int NF_DROP_GETERR(int verdict)
 {
@@ -38,9 +39,6 @@ static inline void nf_inet_addr_mask(const union nf_inet_addr *a1,
 int netfilter_init(void);
-/* Largest hook number + 1 */
-#define NF_MAX_HOOKS 8
 struct sk_buff;
 struct nf_hook_ops;
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 95693c4cebdd..286098a5667f 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -356,7 +356,8 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
 * so nothing needs to be done there.
 *
 * xt_percpu_counter_alloc returns the address of the percpu
- * counter, or 0 on !SMP.
+ * counter, or 0 on !SMP. We force an alignment of 16 bytes
+ * so that bytes/packets share a common cache line.
 *
 * Hence caller must use IS_ERR_VALUE to check for error, this
 * allows us to return 0 for single core systems without forcing
@@ -365,12 +366,13 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
 static inline u64 xt_percpu_counter_alloc(void)
 {
        if (nr_cpu_ids > 1) {
-                void __percpu *res = alloc_percpu(struct xt_counters);
+                void __percpu *res = __alloc_percpu(sizeof(struct xt_counters),
+                                                    sizeof(struct xt_counters));
                if (res == NULL)
                        return (u64) -ENOMEM;
-                return (__force u64) res;
+                return (u64) (__force unsigned long) res;
        }
        return 0;
@@ -378,14 +380,14 @@ static inline u64 xt_percpu_counter_alloc(void)
 static inline void xt_percpu_counter_free(u64 pcnt)
 {
        if (nr_cpu_ids > 1)
-                free_percpu((void __percpu *) pcnt);
+                free_percpu((void __percpu *) (unsigned long) pcnt);
 }
 static inline struct xt_counters *
 xt_get_this_cpu_counter(struct xt_counters *cnt)
 {
        if (nr_cpu_ids > 1)
-                return this_cpu_ptr((void __percpu *) cnt->pcnt);
+                return this_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt);
        return cnt;
 }
@@ -394,7 +396,7 @@ static inline struct xt_counters *
 xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
 {
        if (nr_cpu_ids > 1)
-                return per_cpu_ptr((void __percpu *) cnt->pcnt, cpu);
+                return per_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt, cpu);
        return cnt;
 }
diff --git a/include/linux/netfilter_defs.h b/include/linux/netfilter_defs.h
new file mode 100644
index 000000000000..d3a7f8597e82
--- /dev/null
+++ b/include/linux/netfilter_defs.h
@@ -0,0 +1,9 @@
+#ifndef __LINUX_NETFILTER_CORE_H_
+#define __LINUX_NETFILTER_CORE_H_
+#include <uapi/linux/netfilter.h>
+/* Largest hook number + 1, see uapi/linux/netfilter_decnet.h */
+#define NF_MAX_HOOKS 8
+#endif
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 72eb23723294..e951453e0a23 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -28,6 +28,8 @@
 #include <net/netns/xfrm.h>
 #include <net/netns/mpls.h>
 #include <linux/ns_common.h>
+#include <linux/idr.h>
+#include <linux/skbuff.h>
 struct user_namespace;
 struct proc_dir_entry;
diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h
index 2aa6048a55c1..bab824bde92c 100644
--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -1,6 +1,66 @@
 #ifndef _BR_NETFILTER_H_
 #define _BR_NETFILTER_H_
+#include "../../../net/bridge/br_private.h"
+static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
+{
+        skb->nf_bridge = kzalloc(sizeof(struct nf_bridge_info), GFP_ATOMIC);
+        if (likely(skb->nf_bridge))
+                atomic_set(&(skb->nf_bridge->use), 1);
+        return skb->nf_bridge;
+}
+void nf_bridge_update_protocol(struct sk_buff *skb);
+static inline struct nf_bridge_info *
+nf_bridge_info_get(const struct sk_buff *skb)
+{
+        return skb->nf_bridge;
+}
+unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb);
+static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
+{
+        unsigned int len = nf_bridge_encap_header_len(skb);
+        skb_push(skb, len);
+        skb->network_header -= len;
+}
+int br_nf_pre_routing_finish_bridge(struct sock *sk, struct sk_buff *skb);
+static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
+{
+        struct net_bridge_port *port;
+        port = br_port_get_rcu(dev);
+        return port ? &port->br->fake_rtable : NULL;
+}
+struct net_device *setup_pre_routing(struct sk_buff *skb);
 void br_netfilter_enable(void);
+#if IS_ENABLED(CONFIG_IPV6)
+int br_validate_ipv6(struct sk_buff *skb);
+unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
+                                    struct sk_buff *skb,
+                                    const struct nf_hook_state *state);
+#else
+static inline int br_validate_ipv6(struct sk_buff *skb)
+{
+        return -1;
+}
+static inline unsigned int
+br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops, struct sk_buff *skb,
+                       const struct nf_hook_state *state)
+{
+        return NF_DROP;
+}
+#endif
 #endif /* _BR_NETFILTER_H_ */
diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
index 88740024ccf3..532e4ba64f49 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -1,9 +1,9 @@
 #ifndef __NETNS_NETFILTER_H
 #define __NETNS_NETFILTER_H
-#include <linux/proc_fs.h>
+#include <linux/netfilter_defs.h>
-#include <linux/netfilter.h>
+struct proc_dir_entry;
 struct nf_logger;
 struct netns_nf {
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index 4d6597ad6067..c8a7681efa6a 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -2,7 +2,7 @@
 #define __NETNS_X_TABLES_H
 #include <linux/list.h>
-#include <linux/netfilter.h>
+#include <linux/netfilter_defs.h>
 struct ebt_table;
diff --git a/include/uapi/linux/netfilter.h b/include/uapi/linux/netfilter.h
index 177027cce6b3..d93f949d1d9a 100644
--- a/include/uapi/linux/netfilter.h
+++ b/include/uapi/linux/netfilter.h
@@ -4,7 +4,8 @@
 #include <linux/types.h>
 #include <linux/compiler.h>
 #include <linux/sysctl.h>
+#include <linux/in.h>
+#include <linux/in6.h>
 /* Responses from hook functions. */
 #define NF_DROP 0
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index 8dd819e2b5fe..b67a853638ff 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -49,6 +49,7 @@ enum nfqnl_attr_type {
        NFQA_EXP,                       /* nf_conntrack_netlink.h */
        NFQA_UID,                       /* __u32 sk uid */
        NFQA_GID,                       /* __u32 sk gid */
+        NFQA_SECCTX,                    /* security context string */
        __NFQA_MAX
 };
@@ -102,7 +103,8 @@ enum nfqnl_attr_config {
 #define NFQA_CFG_F_CONNTRACK                    (1 << 1)
 #define NFQA_CFG_F_GSO                          (1 << 2)
 #define NFQA_CFG_F_UID_GID                      (1 << 3)
-#define NFQA_CFG_F_MAX                          (1 << 4)
+#define NFQA_CFG_F_SECCTX                       (1 << 4)
+#define NFQA_CFG_F_MAX                          (1 << 5)
 /* flags for NFQA_SKB_INFO */
 /* packet appears to have wrong checksums, but they are ok */
diff --git a/include/uapi/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h
index 6315e2ac3474..87644f832494 100644
--- a/include/uapi/linux/netfilter/xt_socket.h
+++ b/include/uapi/linux/netfilter/xt_socket.h
@@ -6,6 +6,7 @@
 enum {
        XT_SOCKET_TRANSPARENT = 1 << 0,
        XT_SOCKET_NOWILDCARD = 1 << 1,
+        XT_SOCKET_RESTORESKMARK = 1 << 2,
 };
 struct xt_socket_mtinfo1 {
@@ -18,4 +19,11 @@ struct xt_socket_mtinfo2 {
 };
 #define XT_SOCKET_FLAGS_V2 (XT_SOCKET_TRANSPARENT | XT_SOCKET_NOWILDCARD)
+struct xt_socket_mtinfo3 {
+        __u8 flags;
+};
+#define XT_SOCKET_FLAGS_V3 (XT_SOCKET_TRANSPARENT \
+                           | XT_SOCKET_NOWILDCARD \
+                           | XT_SOCKET_RESTORESKMARK)
 #endif /* _XT_SOCKET_H */
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 4273533d22b1..9c891d0412a2 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -40,7 +40,6 @@
 #include <linux/notifier.h>
 #include <linux/proc_fs.h>
 #include <linux/stat.h>
-#include <linux/netfilter.h>
 #include <linux/sysctl.h>
 #include <linux/init.h>
 #include <linux/spinlock.h>
diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
index 7ed8ab724819..29a3687237aa 100644
--- a/net/ax25/ax25_in.c
+++ b/net/ax25/ax25_in.c
@@ -23,7 +23,6 @@
 #include <linux/inet.h>
 #include <linux/netdevice.h>
 #include <linux/skbuff.h>
-#include <linux/netfilter.h>
 #include <net/sock.h>
 #include <net/tcp_states.h>
 #include <asm/uaccess.h>
diff --git a/net/ax25/ax25_ip.c b/net/ax25/ax25_ip.c
index 7c646bb2c6f7..b563a3f5f2a8 100644
--- a/net/ax25/ax25_ip.c
+++ b/net/ax25/ax25_ip.c
@@ -31,7 +31,6 @@
 #include <linux/notifier.h>
 #include <linux/proc_fs.h>
 #include <linux/stat.h>
-#include <linux/netfilter.h>
 #include <linux/sysctl.h>
 #include <net/ip.h>
 #include <net/arp.h>
diff --git a/net/ax25/ax25_out.c b/net/ax25/ax25_out.c
index be2acab9be9d..8ddd41baa81c 100644
--- a/net/ax25/ax25_out.c
+++ b/net/ax25/ax25_out.c
@@ -24,7 +24,6 @@
 #include <linux/inet.h>
 #include <linux/netdevice.h>
 #include <linux/skbuff.h>
-#include <linux/netfilter.h>
 #include <net/sock.h>
 #include <asm/uaccess.h>
 #include <linux/fcntl.h>
diff --git a/net/ax25/ax25_uid.c b/net/ax25/ax25_uid.c
index 71c4badbc807..4ad2fb7bcd35 100644
--- a/net/ax25/ax25_uid.c
+++ b/net/ax25/ax25_uid.c
@@ -34,7 +34,6 @@
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/stat.h>
-#include <linux/netfilter.h>
 #include <linux/sysctl.h>
 #include <linux/export.h>
 #include <net/ip.h>
diff --git a/net/bridge/Makefile b/net/bridge/Makefile
index fd7ee03c59b3..a1cda5d4718d 100644
--- a/net/bridge/Makefile
+++ b/net/bridge/Makefile
@@ -12,6 +12,8 @@ bridge-$(CONFIG_SYSFS) += br_sysfs_if.o br_sysfs_br.o
 bridge-$(subst m,y,$(CONFIG_BRIDGE_NETFILTER)) += br_nf_core.o
+br_netfilter-y := br_netfilter_hooks.o
+br_netfilter-$(subst m,y,$(CONFIG_IPV6)) += br_netfilter_ipv6.o
 obj-$(CONFIG_BRIDGE_NETFILTER) += br_netfilter.o
 bridge-$(CONFIG_BRIDGE_IGMP_SNOOPING) += br_multicast.o br_mdb.o
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter_hooks.c
index e4e5f2f29173..d89f4fac0bc5 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -123,11 +123,6 @@ struct brnf_frag_data {
 static DEFINE_PER_CPU(struct brnf_frag_data, brnf_frag_data_storage);
 #endif
-static struct nf_bridge_info *nf_bridge_info_get(const struct sk_buff *skb)
-{
-        return skb->nf_bridge;
-}
 static void nf_bridge_info_free(struct sk_buff *skb)
 {
        if (skb->nf_bridge) {
@@ -136,14 +131,6 @@ static void nf_bridge_info_free(struct sk_buff *skb)
        }
 }
-static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
-{
-        struct net_bridge_port *port;
-        port = br_port_get_rcu(dev);
-        return port ? &port->br->fake_rtable : NULL;
-}
 static inline struct net_device *bridge_parent(const struct net_device *dev)
 {
        struct net_bridge_port *port;
@@ -152,15 +139,6 @@ static inline struct net_device *bridge_parent(const struct net_device *dev)
        return port ? port->br->dev : NULL;
 }
-static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
-{
-        skb->nf_bridge = kzalloc(sizeof(struct nf_bridge_info), GFP_ATOMIC);
-        if (likely(skb->nf_bridge))
-                atomic_set(&(skb->nf_bridge->use), 1);
-        return skb->nf_bridge;
-}
 static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
 {
        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
@@ -178,7 +156,7 @@ static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
        return nf_bridge;
 }
-static unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
+unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
 {
        switch (skb->protocol) {
        case __cpu_to_be16(ETH_P_8021Q):
@@ -190,14 +168,6 @@ static unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
        }
 }
-static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
-{
-        unsigned int len = nf_bridge_encap_header_len(skb);
-        skb_push(skb, len);
-        skb->network_header -= len;
-}
 static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
 {
        unsigned int len = nf_bridge_encap_header_len(skb);
@@ -267,112 +237,7 @@ drop:
        return -1;
 }
-/* We only check the length. A bridge shouldn't do any hop-by-hop stuff
+void nf_bridge_update_protocol(struct sk_buff *skb)
- * anyway
- */
-static int check_hbh_len(struct sk_buff *skb)
-{
-        unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1);
-        u32 pkt_len;
-        const unsigned char *nh = skb_network_header(skb);
-        int off = raw - nh;
-        int len = (raw[1] + 1) << 3;
-        if ((raw + len) - skb->data > skb_headlen(skb))
-                goto bad;
-        off += 2;
-        len -= 2;
-        while (len > 0) {
-                int optlen = nh[off + 1] + 2;
-                switch (nh[off]) {
-                case IPV6_TLV_PAD1:
-                        optlen = 1;
-                        break;
-                case IPV6_TLV_PADN:
-                        break;
-                case IPV6_TLV_JUMBO:
-                        if (nh[off + 1] != 4 || (off & 3) != 2)
-                                goto bad;
-                        pkt_len = ntohl(*(__be32 *)(nh + off + 2));
-                        if (pkt_len <= IPV6_MAXPLEN ||
-                            ipv6_hdr(skb)->payload_len)
-                                goto bad;
-                        if (pkt_len > skb->len - sizeof(struct ipv6hdr))
-                                goto bad;
-                        if (pskb_trim_rcsum(skb,
-                                            pkt_len + sizeof(struct ipv6hdr)))
-                                goto bad;
-                        nh = skb_network_header(skb);
-                        break;
-                default:
-                        if (optlen > len)
-                                goto bad;
-                        break;
-                }
-                off += optlen;
-                len -= optlen;
-        }
-        if (len == 0)
-                return 0;
-bad:
-        return -1;
-}
-/* Equivalent to br_validate_ipv4 for IPv6 */
-static int br_validate_ipv6(struct sk_buff *skb)
-{
-        const struct ipv6hdr *hdr;
-        struct net_device *dev = skb->dev;
-        struct inet6_dev *idev = in6_dev_get(skb->dev);
-        u32 pkt_len;
-        u8 ip6h_len = sizeof(struct ipv6hdr);
-        if (!pskb_may_pull(skb, ip6h_len))
-                goto inhdr_error;
-        if (skb->len < ip6h_len)
-                goto drop;
-        hdr = ipv6_hdr(skb);
-        if (hdr->version != 6)
-                goto inhdr_error;
-        pkt_len = ntohs(hdr->payload_len);
-        if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
-                if (pkt_len + ip6h_len > skb->len) {
-                        IP6_INC_STATS_BH(dev_net(dev), idev,
-                                         IPSTATS_MIB_INTRUNCATEDPKTS);
-                        goto drop;
-                }
-                if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
-                        IP6_INC_STATS_BH(dev_net(dev), idev,
-                                         IPSTATS_MIB_INDISCARDS);
-                        goto drop;
-                }
-        }
-        if (hdr->nexthdr == NEXTHDR_HOP && check_hbh_len(skb))
-                goto drop;
-        memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
-        /* No IP options in IPv6 header; however it should be
-         * checked if some next headers need special treatment
-         */
-        return 0;
-inhdr_error:
-        IP6_INC_STATS_BH(dev_net(dev), idev, IPSTATS_MIB_INHDRERRORS);
-drop:
-        return -1;
-}
-static void nf_bridge_update_protocol(struct sk_buff *skb)
 {
        switch (skb->nf_bridge->orig_proto) {
        case BRNF_PROTO_8021Q:
@@ -391,7 +256,7 @@ static void nf_bridge_update_protocol(struct sk_buff *skb)
 * don't, we use the neighbour framework to find out. In both cases, we make
 * sure that br_handle_frame_finish() is called afterwards.
 */
-static int br_nf_pre_routing_finish_bridge(struct sock *sk, struct sk_buff *skb)
+int br_nf_pre_routing_finish_bridge(struct sock *sk, struct sk_buff *skb)
 {
        struct neighbour *neigh;
        struct dst_entry *dst;
@@ -431,77 +296,11 @@ free_skb:
        return 0;
 }
-static bool daddr_was_changed(const struct sk_buff *skb,
+static inline bool
-                              const struct nf_bridge_info *nf_bridge)
+br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb,
+                             const struct nf_bridge_info *nf_bridge)
 {
-        switch (skb->protocol) {
+        return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
-        case htons(ETH_P_IP):
-                return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
-        case htons(ETH_P_IPV6):
-                return memcmp(&nf_bridge->ipv6_daddr, &ipv6_hdr(skb)->daddr,
-                              sizeof(ipv6_hdr(skb)->daddr)) != 0;
-        default:
-                return false;
-        }
-}
-/* PF_BRIDGE/PRE_ROUTING: Undo the changes made for ip6tables
- * PREROUTING and continue the bridge PRE_ROUTING hook. See comment
- * for br_nf_pre_routing_finish(), same logic is used here but
- * equivalent IPv6 function ip6_route_input() called indirectly.
- */
-static int br_nf_pre_routing_finish_ipv6(struct sock *sk, struct sk_buff *skb)
-{
-        struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
-        struct rtable *rt;
-        struct net_device *dev = skb->dev;
-        const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
-        nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
-        if (nf_bridge->pkt_otherhost) {
-                skb->pkt_type = PACKET_OTHERHOST;
-                nf_bridge->pkt_otherhost = false;
-        }
-        nf_bridge->mask &= ~BRNF_NF_BRIDGE_PREROUTING;
-        if (daddr_was_changed(skb, nf_bridge)) {
-                skb_dst_drop(skb);
-                v6ops->route_input(skb);
-                if (skb_dst(skb)->error) {
-                        kfree_skb(skb);
-                        return 0;
-                }
-                if (skb_dst(skb)->dev == dev) {
-                        skb->dev = nf_bridge->physindev;
-                        nf_bridge_update_protocol(skb);
-                        nf_bridge_push_encap_header(skb);
-                        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING,
-                                       sk, skb, skb->dev, NULL,
-                                       br_nf_pre_routing_finish_bridge,
-                                       1);
-                        return 0;
-                }
-                ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
-                skb->pkt_type = PACKET_HOST;
-        } else {
-                rt = bridge_parent_rtable(nf_bridge->physindev);
-                if (!rt) {
-                        kfree_skb(skb);
-                        return 0;
-                }
-                skb_dst_set_noref(skb, &rt->dst);
-        }
-        skb->dev = nf_bridge->physindev;
-        nf_bridge_update_protocol(skb);
-        nf_bridge_push_encap_header(skb);
-        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, sk, skb,
-                       skb->dev, NULL,
-                       br_handle_frame_finish, 1);
-        return 0;
 }
 /* This requires some explaining. If DNAT has taken place,
@@ -558,7 +357,7 @@ static int br_nf_pre_routing_finish(struct sock *sk, struct sk_buff *skb)
                nf_bridge->pkt_otherhost = false;
        }
        nf_bridge->mask &= ~BRNF_NF_BRIDGE_PREROUTING;
-        if (daddr_was_changed(skb, nf_bridge)) {
+        if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) {
                if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
                        struct in_device *in_dev = __in_dev_get_rcu(dev);
@@ -636,7 +435,7 @@ static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, const struct
 }
 /* Some common code for IPv4/IPv6 */
-static struct net_device *setup_pre_routing(struct sk_buff *skb)
+struct net_device *setup_pre_routing(struct sk_buff *skb)
 {
        struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
@@ -659,35 +458,6 @@ static struct net_device *setup_pre_routing(struct sk_buff *skb)
        return skb->dev;
 }
-/* Replicate the checks that IPv6 does on packet reception and pass the packet
- * to ip6tables.
- */
-static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
-                                           struct sk_buff *skb,
-                                           const struct nf_hook_state *state)
-{
-        struct nf_bridge_info *nf_bridge;
-        if (br_validate_ipv6(skb))
-                return NF_DROP;
-        nf_bridge_put(skb->nf_bridge);
-        if (!nf_bridge_alloc(skb))
-                return NF_DROP;
-        if (!setup_pre_routing(skb))
-                return NF_DROP;
-        nf_bridge = nf_bridge_info_get(skb);
-        nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr;
-        skb->protocol = htons(ETH_P_IPV6);
-        NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->sk, skb,
-                skb->dev, NULL,
-                br_nf_pre_routing_finish_ipv6);
-        return NF_STOLEN;
-}
 /* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
 * Replicate the checks that IPv4 does on packet reception.
 * Set skb->dev to the bridge device (i.e. parent of the
diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
new file mode 100644
index 000000000000..6d12d2675c80
--- /dev/null
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -0,0 +1,245 @@
+/*
+ *      Handle firewalling
+ *      Linux ethernet bridge
+ *
+ *      Authors:
+ *      Lennert Buytenhek               <buytenh@gnu.org>
+ *      Bart De Schuymer                <bdschuym@pandora.be>
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ *
+ *      Lennert dedicates this file to Kerstin Wurdinger.
+ */
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/ip.h>
+#include <linux/netdevice.h>
+#include <linux/skbuff.h>
+#include <linux/if_arp.h>
+#include <linux/if_ether.h>
+#include <linux/if_vlan.h>
+#include <linux/if_pppox.h>
+#include <linux/ppp_defs.h>
+#include <linux/netfilter_bridge.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
+#include <linux/netfilter_arp.h>
+#include <linux/in_route.h>
+#include <linux/inetdevice.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/addrconf.h>
+#include <net/route.h>
+#include <net/netfilter/br_netfilter.h>
+#include <asm/uaccess.h>
+#include "br_private.h"
+#ifdef CONFIG_SYSCTL
+#include <linux/sysctl.h>
+#endif
+/* We only check the length. A bridge shouldn't do any hop-by-hop stuff
+ * anyway
+ */
+static int br_nf_check_hbh_len(struct sk_buff *skb)
+{
+        unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1);
+        u32 pkt_len;
+        const unsigned char *nh = skb_network_header(skb);
+        int off = raw - nh;
+        int len = (raw[1] + 1) << 3;
+        if ((raw + len) - skb->data > skb_headlen(skb))
+                goto bad;
+        off += 2;
+        len -= 2;
+        while (len > 0) {
+                int optlen = nh[off + 1] + 2;
+                switch (nh[off]) {
+                case IPV6_TLV_PAD1:
+                        optlen = 1;
+                        break;
+                case IPV6_TLV_PADN:
+                        break;
+                case IPV6_TLV_JUMBO:
+                        if (nh[off + 1] != 4 || (off & 3) != 2)
+                                goto bad;
+                        pkt_len = ntohl(*(__be32 *)(nh + off + 2));
+                        if (pkt_len <= IPV6_MAXPLEN ||
+                            ipv6_hdr(skb)->payload_len)
+                                goto bad;
+                        if (pkt_len > skb->len - sizeof(struct ipv6hdr))
+                                goto bad;
+                        if (pskb_trim_rcsum(skb,
+                                            pkt_len + sizeof(struct ipv6hdr)))
+                                goto bad;
+                        nh = skb_network_header(skb);
+                        break;
+                default:
+                        if (optlen > len)
+                                goto bad;
+                        break;
+                }
+                off += optlen;
+                len -= optlen;
+        }
+        if (len == 0)
+                return 0;
+bad:
+        return -1;
+}
+int br_validate_ipv6(struct sk_buff *skb)
+{
+        const struct ipv6hdr *hdr;
+        struct net_device *dev = skb->dev;
+        struct inet6_dev *idev = in6_dev_get(skb->dev);
+        u32 pkt_len;
+        u8 ip6h_len = sizeof(struct ipv6hdr);
+        if (!pskb_may_pull(skb, ip6h_len))
+                goto inhdr_error;
+        if (skb->len < ip6h_len)
+                goto drop;
+        hdr = ipv6_hdr(skb);
+        if (hdr->version != 6)
+                goto inhdr_error;
+        pkt_len = ntohs(hdr->payload_len);
+        if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
+                if (pkt_len + ip6h_len > skb->len) {
+                        IP6_INC_STATS_BH(dev_net(dev), idev,
+                                         IPSTATS_MIB_INTRUNCATEDPKTS);
+                        goto drop;
+                }
+                if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
+                        IP6_INC_STATS_BH(dev_net(dev), idev,
+                                         IPSTATS_MIB_INDISCARDS);
+                        goto drop;
+                }
+        }
+        if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb))
+                goto drop;
+        memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
+        /* No IP options in IPv6 header; however it should be
+         * checked if some next headers need special treatment
+         */
+        return 0;
+inhdr_error:
+        IP6_INC_STATS_BH(dev_net(dev), idev, IPSTATS_MIB_INHDRERRORS);
+drop:
+        return -1;
+}
+static inline bool
+br_nf_ipv6_daddr_was_changed(const struct sk_buff *skb,
+                             const struct nf_bridge_info *nf_bridge)
+{
+        return memcmp(&nf_bridge->ipv6_daddr, &ipv6_hdr(skb)->daddr,
+                      sizeof(ipv6_hdr(skb)->daddr)) != 0;
+}
+/* PF_BRIDGE/PRE_ROUTING: Undo the changes made for ip6tables
+ * PREROUTING and continue the bridge PRE_ROUTING hook. See comment
+ * for br_nf_pre_routing_finish(), same logic is used here but
+ * equivalent IPv6 function ip6_route_input() called indirectly.
+ */
+static int br_nf_pre_routing_finish_ipv6(struct sock *sk, struct sk_buff *skb)
+{
+        struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
+        struct rtable *rt;
+        struct net_device *dev = skb->dev;
+        const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
+        nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
+        if (nf_bridge->pkt_otherhost) {
+                skb->pkt_type = PACKET_OTHERHOST;
+                nf_bridge->pkt_otherhost = false;
+        }
+        nf_bridge->mask &= ~BRNF_NF_BRIDGE_PREROUTING;
+        if (br_nf_ipv6_daddr_was_changed(skb, nf_bridge)) {
+                skb_dst_drop(skb);
+                v6ops->route_input(skb);
+                if (skb_dst(skb)->error) {
+                        kfree_skb(skb);
+                        return 0;
+                }
+                if (skb_dst(skb)->dev == dev) {
+                        skb->dev = nf_bridge->physindev;
+                        nf_bridge_update_protocol(skb);
+                        nf_bridge_push_encap_header(skb);
+                        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING,
+                                       sk, skb, skb->dev, NULL,
+                                       br_nf_pre_routing_finish_bridge,
+                                       1);
+                        return 0;
+                }
+                ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
+                skb->pkt_type = PACKET_HOST;
+        } else {
+                rt = bridge_parent_rtable(nf_bridge->physindev);
+                if (!rt) {
+                        kfree_skb(skb);
+                        return 0;
+                }
+                skb_dst_set_noref(skb, &rt->dst);
+        }
+        skb->dev = nf_bridge->physindev;
+        nf_bridge_update_protocol(skb);
+        nf_bridge_push_encap_header(skb);
+        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, sk, skb,
+                       skb->dev, NULL,
+                       br_handle_frame_finish, 1);
+        return 0;
+}
+/* Replicate the checks that IPv6 does on packet reception and pass the packet
+ * to ip6tables.
+ */
+unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
+                                    struct sk_buff *skb,
+                                    const struct nf_hook_state *state)
+{
+        struct nf_bridge_info *nf_bridge;
+        if (br_validate_ipv6(skb))
+                return NF_DROP;
+        nf_bridge_put(skb->nf_bridge);
+        if (!nf_bridge_alloc(skb))
+                return NF_DROP;
+        if (!setup_pre_routing(skb))
+                return NF_DROP;
+        nf_bridge = nf_bridge_info_get(skb);
+        nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr;
+        skb->protocol = htons(ETH_P_IPV6);
+        NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->sk, skb,
+                skb->dev, NULL,
+                br_nf_pre_routing_finish_ipv6);
+        return NF_STOLEN;
+}
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 21678acd4521..928a0fb0b744 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -8,6 +8,7 @@
 #include <net/ip6_fib.h>
 #include <net/addrconf.h>
 #include <net/secure_seq.h>
+#include <linux/netfilter.h>
 static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
                               const struct in6_addr *dst,
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 52e20c9a46a5..789feeae6c44 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -11,6 +11,7 @@
 #include <asm/unaligned.h>
 #include <net/tcp.h>
 #include <net/netns/generic.h>
+#include <linux/proc_fs.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter/x_tables.h>
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 4ef1fae8445e..4670821b569d 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -598,8 +598,6 @@ nla_put_failure:
        return -1;
 }
-#define RCV_SKB_FAIL(err) do { netlink_ack(skb, nlh, (err)); return; } while (0)
 static struct nf_loginfo default_loginfo = {
        .type =         NF_LOG_TYPE_ULOG,
        .u = {
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 22a5ac76683e..e26a46ef19ba 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -278,6 +278,23 @@ nla_put_failure:
        return -1;
 }
+static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
+{
+        u32 seclen = 0;
+#if IS_ENABLED(CONFIG_NETWORK_SECMARK)
+        if (!skb || !sk_fullsock(skb->sk))
+                return 0;
+        read_lock_bh(&skb->sk->sk_callback_lock);
+        if (skb->secmark)
+                security_secid_to_secctx(skb->secmark, secdata, &seclen);
+        read_unlock_bh(&skb->sk->sk_callback_lock);
+#endif
+        return seclen;
+}
 static struct sk_buff *
 nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
                           struct nf_queue_entry *entry,
@@ -297,6 +314,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
        struct nf_conn *ct = NULL;
        enum ip_conntrack_info uninitialized_var(ctinfo);
        bool csum_verify;
+        char *secdata = NULL;
+        u32 seclen = 0;
        size =    nlmsg_total_size(sizeof(struct nfgenmsg))
                + nla_total_size(sizeof(struct nfqnl_msg_packet_hdr))
@@ -352,6 +371,12 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
                        + nla_total_size(sizeof(u_int32_t)));   /* gid */
        }
+        if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
+                seclen = nfqnl_get_sk_secctx(entskb, &secdata);
+                if (seclen)
+                        size += nla_total_size(seclen);
+        }
        skb = nfnetlink_alloc_skb(net, size, queue->peer_portid,
                                  GFP_ATOMIC);
        if (!skb) {
@@ -479,6 +504,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
            nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
                goto nla_put_failure;
+        if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
+                goto nla_put_failure;
        if (ct && nfqnl_ct_put(skb, ct, ctinfo) < 0)
                goto nla_put_failure;
@@ -806,8 +834,6 @@ nfqnl_dev_drop(struct net *net, int ifindex)
        rcu_read_unlock();
 }
-#define RCV_SKB_FAIL(err) do { netlink_ack(skb, nlh, (err)); return; } while (0)
 static int
 nfqnl_rcv_dev_event(struct notifier_block *this,
                    unsigned long event, void *ptr)
@@ -1142,7 +1168,12 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
                        ret = -EOPNOTSUPP;
                        goto err_out_unlock;
                }
+#if !IS_ENABLED(CONFIG_NETWORK_SECMARK)
+                if (flags & mask & NFQA_CFG_F_SECCTX) {
+                        ret = -EOPNOTSUPP;
+                        goto err_out_unlock;
+                }
+#endif
                spin_lock_bh(&queue->lock);
                queue->flags &= ~mask;
                queue->flags |= flags & mask;
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index e092cb046326..43e26c881100 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -205,6 +205,7 @@ static bool
 socket_match(const struct sk_buff *skb, struct xt_action_param *par,
             const struct xt_socket_mtinfo1 *info)
 {
+        struct sk_buff *pskb = (struct sk_buff *)skb;
        struct sock *sk = skb->sk;
        if (!sk)
@@ -226,6 +227,10 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
                if (info->flags & XT_SOCKET_TRANSPARENT)
                        transparent = xt_socket_sk_is_transparent(sk);
+                if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
+                    transparent)
+                        pskb->mark = sk->sk_mark;
                if (sk != skb->sk)
                        sock_gen_put(sk);
@@ -247,7 +252,7 @@ socket_mt4_v0(const struct sk_buff *skb, struct xt_action_param *par)
 }
 static bool
-socket_mt4_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
+socket_mt4_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
 {
        return socket_match(skb, par, par->matchinfo);
 }
@@ -371,9 +376,10 @@ static struct sock *xt_socket_lookup_slow_v6(const struct sk_buff *skb,
 }
 static bool
-socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
+socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
+        struct sk_buff *pskb = (struct sk_buff *)skb;
        struct sock *sk = skb->sk;
        if (!sk)
@@ -395,6 +401,10 @@ socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
                if (info->flags & XT_SOCKET_TRANSPARENT)
                        transparent = xt_socket_sk_is_transparent(sk);
+                if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
+                    transparent)
+                        pskb->mark = sk->sk_mark;
                if (sk != skb->sk)
                        sock_gen_put(sk);
@@ -428,6 +438,19 @@ static int socket_mt_v2_check(const struct xt_mtchk_param *par)
        return 0;
 }
+static int socket_mt_v3_check(const struct xt_mtchk_param *par)
+{
+        const struct xt_socket_mtinfo3 *info =
+                                    (struct xt_socket_mtinfo3 *)par->matchinfo;
+        if (info->flags & ~XT_SOCKET_FLAGS_V3) {
+                pr_info("unknown flags 0x%x\n",
+                        info->flags & ~XT_SOCKET_FLAGS_V3);
+                return -EINVAL;
+        }
+        return 0;
+}
 static struct xt_match socket_mt_reg[] __read_mostly = {
        {
                .name           = "socket",
@@ -442,7 +465,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
                .name           = "socket",
                .revision       = 1,
                .family         = NFPROTO_IPV4,
-                .match          = socket_mt4_v1_v2,
+                .match          = socket_mt4_v1_v2_v3,
                .checkentry     = socket_mt_v1_check,
                .matchsize      = sizeof(struct xt_socket_mtinfo1),
                .hooks          = (1 << NF_INET_PRE_ROUTING) |
@@ -454,7 +477,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
                .name           = "socket",
                .revision       = 1,
                .family         = NFPROTO_IPV6,
-                .match          = socket_mt6_v1_v2,
+                .match          = socket_mt6_v1_v2_v3,
                .checkentry     = socket_mt_v1_check,
                .matchsize      = sizeof(struct xt_socket_mtinfo1),
                .hooks          = (1 << NF_INET_PRE_ROUTING) |
@@ -466,7 +489,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
                .name           = "socket",
                .revision       = 2,
                .family         = NFPROTO_IPV4,
-                .match          = socket_mt4_v1_v2,
+                .match          = socket_mt4_v1_v2_v3,
                .checkentry     = socket_mt_v2_check,
                .matchsize      = sizeof(struct xt_socket_mtinfo1),
                .hooks          = (1 << NF_INET_PRE_ROUTING) |
@@ -478,7 +501,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
                .name           = "socket",
                .revision       = 2,
                .family         = NFPROTO_IPV6,
-                .match          = socket_mt6_v1_v2,
+                .match          = socket_mt6_v1_v2_v3,
                .checkentry     = socket_mt_v2_check,
                .matchsize      = sizeof(struct xt_socket_mtinfo1),
                .hooks          = (1 << NF_INET_PRE_ROUTING) |
@@ -486,6 +509,30 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
                .me             = THIS_MODULE,
        },
 #endif
+        {
+                .name           = "socket",
+                .revision       = 3,
+                .family         = NFPROTO_IPV4,
+                .match          = socket_mt4_v1_v2_v3,
+                .checkentry     = socket_mt_v3_check,
+                .matchsize      = sizeof(struct xt_socket_mtinfo1),
+                .hooks          = (1 << NF_INET_PRE_ROUTING) |
+                                  (1 << NF_INET_LOCAL_IN),
+                .me             = THIS_MODULE,
+        },
+#ifdef XT_SOCKET_HAVE_IPV6
+        {
+                .name           = "socket",
+                .revision       = 3,
+                .family         = NFPROTO_IPV6,
+                .match          = socket_mt6_v1_v2_v3,
+                .checkentry     = socket_mt_v3_check,
+                .matchsize      = sizeof(struct xt_socket_mtinfo1),
+                .hooks          = (1 << NF_INET_PRE_ROUTING) |
+                                  (1 << NF_INET_LOCAL_IN),
+                .me             = THIS_MODULE,
+        },
+#endif
 };
 static int __init socket_mt_init(void)
diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
index 96b64d2f6dbf..d72a4f1558f2 100644
--- a/net/netrom/nr_route.c
+++ b/net/netrom/nr_route.c
@@ -31,7 +31,6 @@
 #include <linux/mm.h>
 #include <linux/interrupt.h>
 #include <linux/notifier.h>
-#include <linux/netfilter.h>
 #include <linux/init.h>
 #include <linux/spinlock.h>
 #include <net/netrom.h>
diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c
index e873d7d9f857..c76638cc2cd5 100644
--- a/net/rose/rose_link.c
+++ b/net/rose/rose_link.c
@@ -25,7 +25,6 @@
 #include <linux/fcntl.h>
 #include <linux/mm.h>
 #include <linux/interrupt.h>
-#include <linux/netfilter.h>
 #include <net/rose.h>
 static void rose_ftimer_expiry(unsigned long);
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 40148932c8a4..0fc76d845103 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -31,7 +31,6 @@
 #include <linux/mm.h>
 #include <linux/interrupt.h>
 #include <linux/notifier.h>
-#include <linux/netfilter.h>
 #include <linux/init.h>
 #include <net/rose.h>
 #include <linux/seq_file.h>
diff --git a/net/sched/em_ipset.c b/net/sched/em_ipset.c
index a3d79c8bf3b8..df0328ba6a48 100644
--- a/net/sched/em_ipset.c
+++ b/net/sched/em_ipset.c
@@ -92,8 +92,8 @@ static int em_ipset_match(struct sk_buff *skb, struct tcf_ematch *em,
        rcu_read_lock();
-        if (dev && skb->skb_iif)
+        if (skb->skb_iif)
-                indev = dev_get_by_index_rcu(dev_net(dev), skb->skb_iif);
+                indev = dev_get_by_index_rcu(em->net, skb->skb_iif);
        acpar.in      = indev ? indev : dev;
        acpar.out     = dev;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 98b042630a9e..56e354fcdfc6 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -35,9 +35,6 @@
 #include <linux/init.h>
 #include <linux/security.h>
 #include <linux/types.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4.h>
-#include <linux/netfilter_ipv6.h>
 #include <linux/slab.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
author	David S. Miller <davem@davemloft.net>	2015-06-20 18:39:40 -0400
committer	David S. Miller <davem@davemloft.net>	2015-06-20 18:39:40 -0400
commit	120119623b6798b70384248c0cacf8f8de419c9a (patch)
tree	52cb7d6d6f5c30420833450a18c378b4d121825b
parent	b67ea97fcd4e29c97ced1ecba15443ecfce395b1 (diff)
parent	dcb8f5c8139ef945cdfd55900fae265c4dbefc02 (diff)