12 files changed, 70 insertions, 51 deletions
diff --git a/Documentation/networking/ipvs-sysctl.txt b/Documentation/networking/ipvs-sysctl.txt
index f2a2488f1bf3..9573d0c48c6e 100644
--- a/Documentation/networking/ipvs-sysctl.txt
+++ b/Documentation/networking/ipvs-sysctl.txt
@@ -15,6 +15,13 @@ amemthresh - INTEGER
        enabled and the variable is automatically set to 2, otherwise
        the strategy is disabled and the variable is  set  to 1.
+backup_only - BOOLEAN
+        0 - disabled (default)
+        not 0 - enabled
+        If set, disable the director function while the server is
+        in backup mode to avoid packet loops for DR/TUN methods.
 conntrack - BOOLEAN
        0 - disabled (default)
        not 0 - enabled
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 68c69d54d392..fce8e6b66d55 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -976,6 +976,7 @@ struct netns_ipvs {
        int                     sysctl_sync_retries;
        int                     sysctl_nat_icmp_send;
        int                     sysctl_pmtu_disc;
+        int                     sysctl_backup_only;
        /* ip_vs_lblc */
        int                     sysctl_lblc_expiration;
@@ -1067,6 +1068,12 @@ static inline int sysctl_pmtu_disc(struct netns_ipvs *ipvs)
        return ipvs->sysctl_pmtu_disc;
 }
+static inline int sysctl_backup_only(struct netns_ipvs *ipvs)
+{
+        return ipvs->sync_state & IP_VS_STATE_BACKUP &&
+               ipvs->sysctl_backup_only;
+}
 #else
 static inline int sysctl_sync_threshold(struct netns_ipvs *ipvs)
@@ -1114,6 +1121,11 @@ static inline int sysctl_pmtu_disc(struct netns_ipvs *ipvs)
        return 1;
 }
+static inline int sysctl_backup_only(struct netns_ipvs *ipvs)
+{
+        return 0;
+}
 #endif
 /*
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index ce2d43e1f09f..0d755c50994b 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -36,19 +36,6 @@ config NF_CONNTRACK_PROC_COMPAT
          If unsure, say Y.
-config IP_NF_QUEUE
-        tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
-        depends on NETFILTER_ADVANCED
-        help
-          Netfilter has the ability to queue packets to user space: the
-          netlink device can be used to access them using this driver.
-          This option enables the old IPv4-only "ip_queue" implementation
-          which has been obsoleted by the new "nfnetlink_queue" code (see
-          CONFIG_NETFILTER_NETLINK_QUEUE).
-          To compile it as a module, choose M here.  If unsure, say N.
 config IP_NF_IPTABLES
        tristate "IP tables support (required for filtering/masq/NAT)"
        default m if NETFILTER_ADVANCED=n
diff --git a/net/ipv6/netfilter/ip6t_NPT.c b/net/ipv6/netfilter/ip6t_NPT.c
index 83acc1405a18..33608c610276 100644
--- a/net/ipv6/netfilter/ip6t_NPT.c
+++ b/net/ipv6/netfilter/ip6t_NPT.c
@@ -114,6 +114,7 @@ ip6t_dnpt_tg(struct sk_buff *skb, const struct xt_action_param *par)
 static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
        {
                .name           = "SNPT",
+                .table          = "mangle",
                .target         = ip6t_snpt_tg,
                .targetsize     = sizeof(struct ip6t_npt_tginfo),
                .checkentry     = ip6t_npt_checkentry,
@@ -124,6 +125,7 @@ static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
        },
        {
                .name           = "DNPT",
+                .table          = "mangle",
                .target         = ip6t_dnpt_tg,
                .targetsize     = sizeof(struct ip6t_npt_tginfo),
                .checkentry     = ip6t_npt_checkentry,
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 47edf5a40a59..61f49d241712 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1394,10 +1394,8 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
                        skb_reset_network_header(skb);
                        IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
                                &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, mtu);
-                        rcu_read_lock();
                        ipv4_update_pmtu(skb, dev_net(skb->dev),
                                         mtu, 0, 0, 0, 0);
-                        rcu_read_unlock();
                        /* Client uses PMTUD? */
                        if (!(cih->frag_off & htons(IP_DF)))
                                goto ignore_ipip;
@@ -1577,7 +1575,8 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
        }
        /* ipvs enabled in this netns ? */
        net = skb_net(skb);
-        if (!net_ipvs(net)->enable)
+        ipvs = net_ipvs(net);
+        if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
                return NF_ACCEPT;
        ip_vs_fill_iph_skb(af, skb, &iph);
@@ -1654,7 +1653,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
        }
        IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet");
-        ipvs = net_ipvs(net);
        /* Check the server status */
        if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
                /* the destination server is not available */
@@ -1815,13 +1813,15 @@ ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
 {
        int r;
        struct net *net;
+        struct netns_ipvs *ipvs;
        if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
                return NF_ACCEPT;
        /* ipvs enabled in this netns ? */
        net = skb_net(skb);
-        if (!net_ipvs(net)->enable)
+        ipvs = net_ipvs(net);
+        if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
                return NF_ACCEPT;
        return ip_vs_in_icmp(skb, &r, hooknum);
@@ -1835,6 +1835,7 @@ ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
 {
        int r;
        struct net *net;
+        struct netns_ipvs *ipvs;
        struct ip_vs_iphdr iphdr;
        ip_vs_fill_iph_skb(AF_INET6, skb, &iphdr);
@@ -1843,7 +1844,8 @@ ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
        /* ipvs enabled in this netns ? */
        net = skb_net(skb);
-        if (!net_ipvs(net)->enable)
+        ipvs = net_ipvs(net);
+        if (unlikely(sysctl_backup_only(ipvs) || !ipvs->enable))
                return NF_ACCEPT;
        return ip_vs_in_icmp_v6(skb, &r, hooknum, &iphdr);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index c68198bf9128..9e2d1cccd1eb 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1808,6 +1808,12 @@ static struct ctl_table vs_vars[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec,
        },
+        {
+                .procname       = "backup_only",
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
 #ifdef CONFIG_IP_VS_DEBUG
        {
                .procname       = "debug_level",
@@ -3741,6 +3747,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
        tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
        ipvs->sysctl_pmtu_disc = 1;
        tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
+        tbl[idx++].data = &ipvs->sysctl_backup_only;
        ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
index ae8ec6f27688..cd1d7298f7ba 100644
--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -906,7 +906,7 @@ set_sctp_state(struct ip_vs_proto_data *pd, struct ip_vs_conn *cp,
        sctp_chunkhdr_t _sctpch, *sch;
        unsigned char chunk_type;
        int event, next_state;
-        int ihl;
+        int ihl, cofs;
 #ifdef CONFIG_IP_VS_IPV6
        ihl = cp->af == AF_INET ? ip_hdrlen(skb) : sizeof(struct ipv6hdr);
@@ -914,8 +914,8 @@ set_sctp_state(struct ip_vs_proto_data *pd, struct ip_vs_conn *cp,
        ihl = ip_hdrlen(skb);
 #endif
-        sch = skb_header_pointer(skb, ihl + sizeof(sctp_sctphdr_t),
+        cofs = ihl + sizeof(sctp_sctphdr_t);
-                                sizeof(_sctpch), &_sctpch);
+        sch = skb_header_pointer(skb, cofs, sizeof(_sctpch), &_sctpch);
        if (sch == NULL)
                return;
@@ -933,10 +933,12 @@ set_sctp_state(struct ip_vs_proto_data *pd, struct ip_vs_conn *cp,
         */
        if ((sch->type == SCTP_CID_COOKIE_ECHO) ||
            (sch->type == SCTP_CID_COOKIE_ACK)) {
-                sch = skb_header_pointer(skb, (ihl + sizeof(sctp_sctphdr_t) +
+                int clen = ntohs(sch->length);
-                                sch->length), sizeof(_sctpch), &_sctpch);
-                if (sch) {
+                if (clen >= sizeof(sctp_chunkhdr_t)) {
-                        if (sch->type == SCTP_CID_ABORT)
+                        sch = skb_header_pointer(skb, cofs + ALIGN(clen, 4),
+                                                 sizeof(_sctpch), &_sctpch);
+                        if (sch && sch->type == SCTP_CID_ABORT)
                                chunk_type = sch->type;
                }
        }
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 432f95780003..ba65b2041eb4 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -969,6 +969,10 @@ static int __init nf_conntrack_proto_dccp_init(void)
 {
        int ret;
+        ret = register_pernet_subsys(&dccp_net_ops);
+        if (ret < 0)
+                goto out_pernet;
        ret = nf_ct_l4proto_register(&dccp_proto4);
        if (ret < 0)
                goto out_dccp4;
@@ -977,16 +981,12 @@ static int __init nf_conntrack_proto_dccp_init(void)
        if (ret < 0)
                goto out_dccp6;
-        ret = register_pernet_subsys(&dccp_net_ops);
-        if (ret < 0)
-                goto out_pernet;
        return 0;
-out_pernet:
-        nf_ct_l4proto_unregister(&dccp_proto6);
 out_dccp6:
        nf_ct_l4proto_unregister(&dccp_proto4);
 out_dccp4:
+        unregister_pernet_subsys(&dccp_net_ops);
+out_pernet:
        return ret;
 }
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index bd7d01d9c7e7..155ce9f8a0db 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -420,18 +420,18 @@ static int __init nf_ct_proto_gre_init(void)
 {
        int ret;
-        ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_gre4);
-        if (ret < 0)
-                goto out_gre4;
        ret = register_pernet_subsys(&proto_gre_net_ops);
        if (ret < 0)
                goto out_pernet;
+        ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_gre4);
+        if (ret < 0)
+                goto out_gre4;
        return 0;
-out_pernet:
-        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_gre4);
 out_gre4:
+        unregister_pernet_subsys(&proto_gre_net_ops);
+out_pernet:
        return ret;
 }
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 480f616d5936..ec83536def9a 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -888,6 +888,10 @@ static int __init nf_conntrack_proto_sctp_init(void)
 {
        int ret;
+        ret = register_pernet_subsys(&sctp_net_ops);
+        if (ret < 0)
+                goto out_pernet;
        ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp4);
        if (ret < 0)
                goto out_sctp4;
@@ -896,16 +900,12 @@ static int __init nf_conntrack_proto_sctp_init(void)
        if (ret < 0)
                goto out_sctp6;
-        ret = register_pernet_subsys(&sctp_net_ops);
-        if (ret < 0)
-                goto out_pernet;
        return 0;
-out_pernet:
-        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
 out_sctp6:
        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
 out_sctp4:
+        unregister_pernet_subsys(&sctp_net_ops);
+out_pernet:
        return ret;
 }
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 157489581c31..ca969f6273f7 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -371,6 +371,10 @@ static int __init nf_conntrack_proto_udplite_init(void)
 {
        int ret;
+        ret = register_pernet_subsys(&udplite_net_ops);
+        if (ret < 0)
+                goto out_pernet;
        ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_udplite4);
        if (ret < 0)
                goto out_udplite4;
@@ -379,16 +383,12 @@ static int __init nf_conntrack_proto_udplite_init(void)
        if (ret < 0)
                goto out_udplite6;
-        ret = register_pernet_subsys(&udplite_net_ops);
-        if (ret < 0)
-                goto out_pernet;
        return 0;
-out_pernet:
-        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite6);
 out_udplite6:
        nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
 out_udplite4:
+        unregister_pernet_subsys(&udplite_net_ops);
+out_pernet:
        return ret;
 }
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 858fd52c1040..1cb48540f86a 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -112,7 +112,7 @@ instance_create(u_int16_t queue_num, int portid)
        inst->queue_num = queue_num;
        inst->peer_portid = portid;
        inst->queue_maxlen = NFQNL_QMAX_DEFAULT;
-        inst->copy_range = 0xfffff;
+        inst->copy_range = 0xffff;
        inst->copy_mode = NFQNL_COPY_NONE;
        spin_lock_init(&inst->lock);
        INIT_LIST_HEAD(&inst->queue_list);

diff --git a/Documentation/networking/ipvs-sysctl.txt b/Documentation/networking/ipvs-sysctl.txt index f2a2488f1bf3..9573d0c48c6e 100644 --- a/Documentation/networking/ipvs-sysctl.txt +++ b/Documentation/networking/ipvs-sysctl.txt
@@ -15,6 +15,13 @@ amemthresh - INTEGER
15	enabled and the variable is automatically set to 2, otherwise	15	enabled and the variable is automatically set to 2, otherwise
16	the strategy is disabled and the variable is set to 1.	16	the strategy is disabled and the variable is set to 1.
17		17
		18	backup_only - BOOLEAN
		19	0 - disabled (default)
		20	not 0 - enabled
		21
		22	If set, disable the director function while the server is
		23	in backup mode to avoid packet loops for DR/TUN methods.
		24
18	conntrack - BOOLEAN	25	conntrack - BOOLEAN
19	0 - disabled (default)	26	0 - disabled (default)
20	not 0 - enabled	27	not 0 - enabled


diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h index 68c69d54d392..fce8e6b66d55 100644 --- a/include/net/ip_vs.h +++ b/include/net/ip_vs.h
@@ -976,6 +976,7 @@ struct netns_ipvs {
976	int sysctl_sync_retries;	976	int sysctl_sync_retries;
977	int sysctl_nat_icmp_send;	977	int sysctl_nat_icmp_send;
978	int sysctl_pmtu_disc;	978	int sysctl_pmtu_disc;
		979	int sysctl_backup_only;
979		980
980	/* ip_vs_lblc */	981	/* ip_vs_lblc */
981	int sysctl_lblc_expiration;	982	int sysctl_lblc_expiration;
@@ -1067,6 +1068,12 @@ static inline int sysctl_pmtu_disc(struct netns_ipvs *ipvs)
1067	return ipvs->sysctl_pmtu_disc;	1068	return ipvs->sysctl_pmtu_disc;
1068	}	1069	}
1069		1070
		1071	static inline int sysctl_backup_only(struct netns_ipvs *ipvs)
		1072	{
		1073	return ipvs->sync_state & IP_VS_STATE_BACKUP &&
		1074	ipvs->sysctl_backup_only;
		1075	}
		1076
1070	#else	1077	#else
1071		1078
1072	static inline int sysctl_sync_threshold(struct netns_ipvs *ipvs)	1079	static inline int sysctl_sync_threshold(struct netns_ipvs *ipvs)
@@ -1114,6 +1121,11 @@ static inline int sysctl_pmtu_disc(struct netns_ipvs *ipvs)
1114	return 1;	1121	return 1;
1115	}	1122	}
1116		1123
		1124	static inline int sysctl_backup_only(struct netns_ipvs *ipvs)
		1125	{
		1126	return 0;
		1127	}
		1128
1117	#endif	1129	#endif
1118		1130
1119	/*	1131	/*


diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index ce2d43e1f09f..0d755c50994b 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig
@@ -36,19 +36,6 @@ config NF_CONNTRACK_PROC_COMPAT
36		36
37	If unsure, say Y.	37	If unsure, say Y.
38		38
39	config IP_NF_QUEUE
40	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
41	depends on NETFILTER_ADVANCED
42	help
43	Netfilter has the ability to queue packets to user space: the
44	netlink device can be used to access them using this driver.
45
46	This option enables the old IPv4-only "ip_queue" implementation
47	which has been obsoleted by the new "nfnetlink_queue" code (see
48	CONFIG_NETFILTER_NETLINK_QUEUE).
49
50	To compile it as a module, choose M here. If unsure, say N.
51
52	config IP_NF_IPTABLES	39	config IP_NF_IPTABLES
53	tristate "IP tables support (required for filtering/masq/NAT)"	40	tristate "IP tables support (required for filtering/masq/NAT)"
54	default m if NETFILTER_ADVANCED=n	41	default m if NETFILTER_ADVANCED=n


diff --git a/net/ipv6/netfilter/ip6t_NPT.c b/net/ipv6/netfilter/ip6t_NPT.c index 83acc1405a18..33608c610276 100644 --- a/net/ipv6/netfilter/ip6t_NPT.c +++ b/net/ipv6/netfilter/ip6t_NPT.c
@@ -114,6 +114,7 @@ ip6t_dnpt_tg(struct sk_buff skb, const struct xt_action_param par)
114	static struct xt_target ip6t_npt_target_reg[] __read_mostly = {	114	static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
115	{	115	{
116	.name = "SNPT",	116	.name = "SNPT",
		117	.table = "mangle",
117	.target = ip6t_snpt_tg,	118	.target = ip6t_snpt_tg,
118	.targetsize = sizeof(struct ip6t_npt_tginfo),	119	.targetsize = sizeof(struct ip6t_npt_tginfo),
119	.checkentry = ip6t_npt_checkentry,	120	.checkentry = ip6t_npt_checkentry,
@@ -124,6 +125,7 @@ static struct xt_target ip6t_npt_target_reg[] __read_mostly = {
124	},	125	},
125	{	126	{
126	.name = "DNPT",	127	.name = "DNPT",
		128	.table = "mangle",
127	.target = ip6t_dnpt_tg,	129	.target = ip6t_dnpt_tg,
128	.targetsize = sizeof(struct ip6t_npt_tginfo),	130	.targetsize = sizeof(struct ip6t_npt_tginfo),
129	.checkentry = ip6t_npt_checkentry,	131	.checkentry = ip6t_npt_checkentry,


diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 47edf5a40a59..61f49d241712 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1394,10 +1394,8 @@ ip_vs_in_icmp(struct sk_buff skb, int related, unsigned int hooknum)
1394	skb_reset_network_header(skb);	1394	skb_reset_network_header(skb);
1395	IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",	1395	IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
1396	&ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, mtu);	1396	&ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, mtu);
1397	rcu_read_lock();
1398	ipv4_update_pmtu(skb, dev_net(skb->dev),	1397	ipv4_update_pmtu(skb, dev_net(skb->dev),
1399	mtu, 0, 0, 0, 0);	1398	mtu, 0, 0, 0, 0);
1400	rcu_read_unlock();
1401	/* Client uses PMTUD? */	1399	/* Client uses PMTUD? */
1402	if (!(cih->frag_off & htons(IP_DF)))	1400	if (!(cih->frag_off & htons(IP_DF)))
1403	goto ignore_ipip;	1401	goto ignore_ipip;
@@ -1577,7 +1575,8 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
1577	}	1575	}
1578	/* ipvs enabled in this netns ? */	1576	/* ipvs enabled in this netns ? */
1579	net = skb_net(skb);	1577	net = skb_net(skb);
1580	if (!net_ipvs(net)->enable)	1578	ipvs = net_ipvs(net);
		1579	if (unlikely(sysctl_backup_only(ipvs) \|\| !ipvs->enable))
1581	return NF_ACCEPT;	1580	return NF_ACCEPT;
1582		1581
1583	ip_vs_fill_iph_skb(af, skb, &iph);	1582	ip_vs_fill_iph_skb(af, skb, &iph);
@@ -1654,7 +1653,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
1654	}	1653	}
1655		1654
1656	IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet");	1655	IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet");
1657	ipvs = net_ipvs(net);
1658	/* Check the server status */	1656	/* Check the server status */
1659	if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {	1657	if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
1660	/* the destination server is not available */	1658	/* the destination server is not available */
@@ -1815,13 +1813,15 @@ ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
1815	{	1813	{
1816	int r;	1814	int r;
1817	struct net *net;	1815	struct net *net;
		1816	struct netns_ipvs *ipvs;
1818		1817
1819	if (ip_hdr(skb)->protocol != IPPROTO_ICMP)	1818	if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
1820	return NF_ACCEPT;	1819	return NF_ACCEPT;
1821		1820
1822	/* ipvs enabled in this netns ? */	1821	/* ipvs enabled in this netns ? */
1823	net = skb_net(skb);	1822	net = skb_net(skb);
1824	if (!net_ipvs(net)->enable)	1823	ipvs = net_ipvs(net);
		1824	if (unlikely(sysctl_backup_only(ipvs) \|\| !ipvs->enable))
1825	return NF_ACCEPT;	1825	return NF_ACCEPT;
1826		1826
1827	return ip_vs_in_icmp(skb, &r, hooknum);	1827	return ip_vs_in_icmp(skb, &r, hooknum);
@@ -1835,6 +1835,7 @@ ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
1835	{	1835	{
1836	int r;	1836	int r;
1837	struct net *net;	1837	struct net *net;
		1838	struct netns_ipvs *ipvs;
1838	struct ip_vs_iphdr iphdr;	1839	struct ip_vs_iphdr iphdr;
1839		1840
1840	ip_vs_fill_iph_skb(AF_INET6, skb, &iphdr);	1841	ip_vs_fill_iph_skb(AF_INET6, skb, &iphdr);
@@ -1843,7 +1844,8 @@ ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
1843		1844
1844	/* ipvs enabled in this netns ? */	1845	/* ipvs enabled in this netns ? */
1845	net = skb_net(skb);	1846	net = skb_net(skb);
1846	if (!net_ipvs(net)->enable)	1847	ipvs = net_ipvs(net);
		1848	if (unlikely(sysctl_backup_only(ipvs) \|\| !ipvs->enable))
1847	return NF_ACCEPT;	1849	return NF_ACCEPT;
1848		1850
1849	return ip_vs_in_icmp_v6(skb, &r, hooknum, &iphdr);	1851	return ip_vs_in_icmp_v6(skb, &r, hooknum, &iphdr);


diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index c68198bf9128..9e2d1cccd1eb 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1808,6 +1808,12 @@ static struct ctl_table vs_vars[] = {
1808	.mode = 0644,	1808	.mode = 0644,
1809	.proc_handler = proc_dointvec,	1809	.proc_handler = proc_dointvec,
1810	},	1810	},
		1811	{
		1812	.procname = "backup_only",
		1813	.maxlen = sizeof(int),
		1814	.mode = 0644,
		1815	.proc_handler = proc_dointvec,
		1816	},
1811	#ifdef CONFIG_IP_VS_DEBUG	1817	#ifdef CONFIG_IP_VS_DEBUG
1812	{	1818	{
1813	.procname = "debug_level",	1819	.procname = "debug_level",
@@ -3741,6 +3747,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
3741	tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;	3747	tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
3742	ipvs->sysctl_pmtu_disc = 1;	3748	ipvs->sysctl_pmtu_disc = 1;
3743	tbl[idx++].data = &ipvs->sysctl_pmtu_disc;	3749	tbl[idx++].data = &ipvs->sysctl_pmtu_disc;
		3750	tbl[idx++].data = &ipvs->sysctl_backup_only;
3744		3751
3745		3752
3746	ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);	3753	ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);


diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c index ae8ec6f27688..cd1d7298f7ba 100644 --- a/net/netfilter/ipvs/ip_vs_proto_sctp.c +++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -906,7 +906,7 @@ set_sctp_state(struct ip_vs_proto_data pd, struct ip_vs_conn cp,
906	sctp_chunkhdr_t _sctpch, *sch;	906	sctp_chunkhdr_t _sctpch, *sch;
907	unsigned char chunk_type;	907	unsigned char chunk_type;
908	int event, next_state;	908	int event, next_state;
909	int ihl;	909	int ihl, cofs;
910		910
911	#ifdef CONFIG_IP_VS_IPV6	911	#ifdef CONFIG_IP_VS_IPV6
912	ihl = cp->af == AF_INET ? ip_hdrlen(skb) : sizeof(struct ipv6hdr);	912	ihl = cp->af == AF_INET ? ip_hdrlen(skb) : sizeof(struct ipv6hdr);
@@ -914,8 +914,8 @@ set_sctp_state(struct ip_vs_proto_data pd, struct ip_vs_conn cp,
914	ihl = ip_hdrlen(skb);	914	ihl = ip_hdrlen(skb);
915	#endif	915	#endif
916		916
917	sch = skb_header_pointer(skb, ihl + sizeof(sctp_sctphdr_t),	917	cofs = ihl + sizeof(sctp_sctphdr_t);
918	sizeof(_sctpch), &_sctpch);	918	sch = skb_header_pointer(skb, cofs, sizeof(_sctpch), &_sctpch);
919	if (sch == NULL)	919	if (sch == NULL)
920	return;	920	return;
921		921
@@ -933,10 +933,12 @@ set_sctp_state(struct ip_vs_proto_data pd, struct ip_vs_conn cp,
933	*/	933	*/
934	if ((sch->type == SCTP_CID_COOKIE_ECHO) \|\|	934	if ((sch->type == SCTP_CID_COOKIE_ECHO) \|\|
935	(sch->type == SCTP_CID_COOKIE_ACK)) {	935	(sch->type == SCTP_CID_COOKIE_ACK)) {
936	sch = skb_header_pointer(skb, (ihl + sizeof(sctp_sctphdr_t) +	936	int clen = ntohs(sch->length);
937	sch->length), sizeof(_sctpch), &_sctpch);	937
938	if (sch) {	938	if (clen >= sizeof(sctp_chunkhdr_t)) {
939	if (sch->type == SCTP_CID_ABORT)	939	sch = skb_header_pointer(skb, cofs + ALIGN(clen, 4),
		940	sizeof(_sctpch), &_sctpch);
		941	if (sch && sch->type == SCTP_CID_ABORT)
940	chunk_type = sch->type;	942	chunk_type = sch->type;
941	}	943	}
942	}	944	}


diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c index 432f95780003..ba65b2041eb4 100644 --- a/net/netfilter/nf_conntrack_proto_dccp.c +++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -969,6 +969,10 @@ static int __init nf_conntrack_proto_dccp_init(void)
969	{	969	{
970	int ret;	970	int ret;
971		971
		972	ret = register_pernet_subsys(&dccp_net_ops);
		973	if (ret < 0)
		974	goto out_pernet;
		975
972	ret = nf_ct_l4proto_register(&dccp_proto4);	976	ret = nf_ct_l4proto_register(&dccp_proto4);
973	if (ret < 0)	977	if (ret < 0)
974	goto out_dccp4;	978	goto out_dccp4;
@@ -977,16 +981,12 @@ static int __init nf_conntrack_proto_dccp_init(void)
977	if (ret < 0)	981	if (ret < 0)
978	goto out_dccp6;	982	goto out_dccp6;
979		983
980	ret = register_pernet_subsys(&dccp_net_ops);
981	if (ret < 0)
982	goto out_pernet;
983
984	return 0;	984	return 0;
985	out_pernet:
986	nf_ct_l4proto_unregister(&dccp_proto6);
987	out_dccp6:	985	out_dccp6:
988	nf_ct_l4proto_unregister(&dccp_proto4);	986	nf_ct_l4proto_unregister(&dccp_proto4);
989	out_dccp4:	987	out_dccp4:
		988	unregister_pernet_subsys(&dccp_net_ops);
		989	out_pernet:
990	return ret;	990	return ret;
991	}	991	}
992		992


diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c index bd7d01d9c7e7..155ce9f8a0db 100644 --- a/net/netfilter/nf_conntrack_proto_gre.c +++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -420,18 +420,18 @@ static int __init nf_ct_proto_gre_init(void)
420	{	420	{
421	int ret;	421	int ret;
422		422
423	ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_gre4);
424	if (ret < 0)
425	goto out_gre4;
426
427	ret = register_pernet_subsys(&proto_gre_net_ops);	423	ret = register_pernet_subsys(&proto_gre_net_ops);
428	if (ret < 0)	424	if (ret < 0)
429	goto out_pernet;	425	goto out_pernet;
430		426
		427	ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_gre4);
		428	if (ret < 0)
		429	goto out_gre4;
		430
431	return 0;	431	return 0;
432	out_pernet:
433	nf_ct_l4proto_unregister(&nf_conntrack_l4proto_gre4);
434	out_gre4:	432	out_gre4:
		433	unregister_pernet_subsys(&proto_gre_net_ops);
		434	out_pernet:
435	return ret;	435	return ret;
436	}	436	}
437		437


diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 480f616d5936..ec83536def9a 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -888,6 +888,10 @@ static int __init nf_conntrack_proto_sctp_init(void)
888	{	888	{
889	int ret;	889	int ret;
890		890
		891	ret = register_pernet_subsys(&sctp_net_ops);
		892	if (ret < 0)
		893	goto out_pernet;
		894
891	ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp4);	895	ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp4);
892	if (ret < 0)	896	if (ret < 0)
893	goto out_sctp4;	897	goto out_sctp4;
@@ -896,16 +900,12 @@ static int __init nf_conntrack_proto_sctp_init(void)
896	if (ret < 0)	900	if (ret < 0)
897	goto out_sctp6;	901	goto out_sctp6;
898		902
899	ret = register_pernet_subsys(&sctp_net_ops);
900	if (ret < 0)
901	goto out_pernet;
902
903	return 0;	903	return 0;
904	out_pernet:
905	nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
906	out_sctp6:	904	out_sctp6:
907	nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);	905	nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
908	out_sctp4:	906	out_sctp4:
		907	unregister_pernet_subsys(&sctp_net_ops);
		908	out_pernet:
909	return ret;	909	return ret;
910	}	910	}
911		911


diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c index 157489581c31..ca969f6273f7 100644 --- a/net/netfilter/nf_conntrack_proto_udplite.c +++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -371,6 +371,10 @@ static int __init nf_conntrack_proto_udplite_init(void)
371	{	371	{
372	int ret;	372	int ret;
373		373
		374	ret = register_pernet_subsys(&udplite_net_ops);
		375	if (ret < 0)
		376	goto out_pernet;
		377
374	ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_udplite4);	378	ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_udplite4);
375	if (ret < 0)	379	if (ret < 0)
376	goto out_udplite4;	380	goto out_udplite4;
@@ -379,16 +383,12 @@ static int __init nf_conntrack_proto_udplite_init(void)
379	if (ret < 0)	383	if (ret < 0)
380	goto out_udplite6;	384	goto out_udplite6;
381		385
382	ret = register_pernet_subsys(&udplite_net_ops);
383	if (ret < 0)
384	goto out_pernet;
385
386	return 0;	386	return 0;
387	out_pernet:
388	nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite6);
389	out_udplite6:	387	out_udplite6:
390	nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite4);	388	nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite4);
391	out_udplite4:	389	out_udplite4:
		390	unregister_pernet_subsys(&udplite_net_ops);
		391	out_pernet:
392	return ret;	392	return ret;
393	}	393	}
394		394


diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c index 858fd52c1040..1cb48540f86a 100644 --- a/net/netfilter/nfnetlink_queue_core.c +++ b/net/netfilter/nfnetlink_queue_core.c
@@ -112,7 +112,7 @@ instance_create(u_int16_t queue_num, int portid)
112	inst->queue_num = queue_num;	112	inst->queue_num = queue_num;
113	inst->peer_portid = portid;	113	inst->peer_portid = portid;
114	inst->queue_maxlen = NFQNL_QMAX_DEFAULT;	114	inst->queue_maxlen = NFQNL_QMAX_DEFAULT;
115	inst->copy_range = 0xfffff;	115	inst->copy_range = 0xffff;
116	inst->copy_mode = NFQNL_COPY_NONE;	116	inst->copy_mode = NFQNL_COPY_NONE;
117	spin_lock_init(&inst->lock);	117	spin_lock_init(&inst->lock);
118	INIT_LIST_HEAD(&inst->queue_list);	118	INIT_LIST_HEAD(&inst->queue_list);