aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/ip_queue.c3
-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c6
-rw-r--r--net/ipv4/netfilter/ipt_MASQUERADE.c2
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c2
-rw-r--r--net/ipv4/netfilter/nf_conntrack_proto_icmp.c2
-rw-r--r--net/ipv4/netfilter/nf_nat_core.c2
-rw-r--r--net/ipv4/netfilter/nf_nat_helper.c2
-rw-r--r--net/ipv4/netfilter/nf_nat_rule.c2
-rw-r--r--net/ipv4/netfilter/nf_nat_standalone.c4
-rw-r--r--net/ipv6/netfilter/ip6_queue.c3
-rw-r--r--net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c2
-rw-r--r--net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c2
-rw-r--r--net/netfilter/ipset/ip_set_core.c2
-rw-r--r--net/netfilter/ipset/ip_set_hash_ipportnet.c10
-rw-r--r--net/netfilter/ipset/ip_set_hash_net.c8
-rw-r--r--net/netfilter/ipset/ip_set_hash_netport.c6
-rw-r--r--net/netfilter/ipvs/ip_vs_core.c16
-rw-r--r--net/netfilter/nf_conntrack_core.c7
-rw-r--r--net/netfilter/nf_conntrack_ftp.c2
-rw-r--r--net/netfilter/nf_conntrack_h323_main.c10
-rw-r--r--net/netfilter/nf_conntrack_irc.c3
-rw-r--r--net/netfilter/nf_conntrack_pptp.c3
-rw-r--r--net/netfilter/nf_conntrack_sane.c2
-rw-r--r--net/netfilter/nf_conntrack_sip.c2
-rw-r--r--net/netfilter/xt_socket.c4
25 files changed, 58 insertions, 49 deletions
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index d2c1311cb28d..f7f9bd7ba12d 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -402,7 +402,8 @@ ipq_dev_drop(int ifindex)
402static inline void 402static inline void
403__ipq_rcv_skb(struct sk_buff *skb) 403__ipq_rcv_skb(struct sk_buff *skb)
404{ 404{
405 int status, type, pid, flags, nlmsglen, skblen; 405 int status, type, pid, flags;
406 unsigned int nlmsglen, skblen;
406 struct nlmsghdr *nlh; 407 struct nlmsghdr *nlh;
407 408
408 skblen = skb->len; 409 skblen = skb->len;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index d609ac3cb9a4..5c9e97c79017 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -307,7 +307,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
307 * error messages (RELATED) and information requests (see below) */ 307 * error messages (RELATED) and information requests (see below) */
308 if (ip_hdr(skb)->protocol == IPPROTO_ICMP && 308 if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&
309 (ctinfo == IP_CT_RELATED || 309 (ctinfo == IP_CT_RELATED ||
310 ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)) 310 ctinfo == IP_CT_RELATED_REPLY))
311 return XT_CONTINUE; 311 return XT_CONTINUE;
312 312
313 /* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 313 /* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
@@ -321,12 +321,12 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
321 ct->mark = hash; 321 ct->mark = hash;
322 break; 322 break;
323 case IP_CT_RELATED: 323 case IP_CT_RELATED:
324 case IP_CT_RELATED+IP_CT_IS_REPLY: 324 case IP_CT_RELATED_REPLY:
325 /* FIXME: we don't handle expectations at the 325 /* FIXME: we don't handle expectations at the
326 * moment. they can arrive on a different node than 326 * moment. they can arrive on a different node than
327 * the master connection (e.g. FTP passive mode) */ 327 * the master connection (e.g. FTP passive mode) */
328 case IP_CT_ESTABLISHED: 328 case IP_CT_ESTABLISHED:
329 case IP_CT_ESTABLISHED+IP_CT_IS_REPLY: 329 case IP_CT_ESTABLISHED_REPLY:
330 break; 330 break;
331 default: 331 default:
332 break; 332 break;
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index d2ed9dc74ebc..9931152a78b5 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -60,7 +60,7 @@ masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
60 nat = nfct_nat(ct); 60 nat = nfct_nat(ct);
61 61
62 NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED || 62 NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
63 ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)); 63 ctinfo == IP_CT_RELATED_REPLY));
64 64
65 /* Source address is 0.0.0.0 - locally generated packet that is 65 /* Source address is 0.0.0.0 - locally generated packet that is
66 * probably not supposed to be masqueraded. 66 * probably not supposed to be masqueraded.
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 5a03c02af999..db10075dd88e 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -101,7 +101,7 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
101 101
102 /* This is where we call the helper: as the packet goes out. */ 102 /* This is where we call the helper: as the packet goes out. */
103 ct = nf_ct_get(skb, &ctinfo); 103 ct = nf_ct_get(skb, &ctinfo);
104 if (!ct || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY) 104 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
105 goto out; 105 goto out;
106 106
107 help = nfct_help(ct); 107 help = nfct_help(ct);
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 7404bde95994..ab5b27a2916f 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -160,7 +160,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
160 /* Update skb to refer to this connection */ 160 /* Update skb to refer to this connection */
161 skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general; 161 skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;
162 skb->nfctinfo = *ctinfo; 162 skb->nfctinfo = *ctinfo;
163 return -NF_ACCEPT; 163 return NF_ACCEPT;
164} 164}
165 165
166/* Small and modified version of icmp_rcv */ 166/* Small and modified version of icmp_rcv */
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 9c71b2755ce3..3346de5d94d0 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -433,7 +433,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
433 433
434 /* Must be RELATED */ 434 /* Must be RELATED */
435 NF_CT_ASSERT(skb->nfctinfo == IP_CT_RELATED || 435 NF_CT_ASSERT(skb->nfctinfo == IP_CT_RELATED ||
436 skb->nfctinfo == IP_CT_RELATED+IP_CT_IS_REPLY); 436 skb->nfctinfo == IP_CT_RELATED_REPLY);
437 437
438 /* Redirects on non-null nats must be dropped, else they'll 438 /* Redirects on non-null nats must be dropped, else they'll
439 start talking to each other without our translation, and be 439 start talking to each other without our translation, and be
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index 99cfa28b6d38..ebc5f8894f99 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -160,7 +160,7 @@ static void nf_nat_csum(struct sk_buff *skb, const struct iphdr *iph, void *data
160 160
161 if (skb->ip_summed != CHECKSUM_PARTIAL) { 161 if (skb->ip_summed != CHECKSUM_PARTIAL) {
162 if (!(rt->rt_flags & RTCF_LOCAL) && 162 if (!(rt->rt_flags & RTCF_LOCAL) &&
163 skb->dev->features & NETIF_F_V4_CSUM) { 163 (!skb->dev || skb->dev->features & NETIF_F_V4_CSUM)) {
164 skb->ip_summed = CHECKSUM_PARTIAL; 164 skb->ip_summed = CHECKSUM_PARTIAL;
165 skb->csum_start = skb_headroom(skb) + 165 skb->csum_start = skb_headroom(skb) +
166 skb_network_offset(skb) + 166 skb_network_offset(skb) +
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 21c30426480b..733c9abc1cbd 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -53,7 +53,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
53 53
54 /* Connection must be valid and new. */ 54 /* Connection must be valid and new. */
55 NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED || 55 NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
56 ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)); 56 ctinfo == IP_CT_RELATED_REPLY));
57 NF_CT_ASSERT(par->out != NULL); 57 NF_CT_ASSERT(par->out != NULL);
58 58
59 return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC); 59 return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC);
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 7317bdf1d457..483b76d042da 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -116,7 +116,7 @@ nf_nat_fn(unsigned int hooknum,
116 116
117 switch (ctinfo) { 117 switch (ctinfo) {
118 case IP_CT_RELATED: 118 case IP_CT_RELATED:
119 case IP_CT_RELATED+IP_CT_IS_REPLY: 119 case IP_CT_RELATED_REPLY:
120 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) { 120 if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
121 if (!nf_nat_icmp_reply_translation(ct, ctinfo, 121 if (!nf_nat_icmp_reply_translation(ct, ctinfo,
122 hooknum, skb)) 122 hooknum, skb))
@@ -144,7 +144,7 @@ nf_nat_fn(unsigned int hooknum,
144 default: 144 default:
145 /* ESTABLISHED */ 145 /* ESTABLISHED */
146 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED || 146 NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
147 ctinfo == (IP_CT_ESTABLISHED+IP_CT_IS_REPLY)); 147 ctinfo == IP_CT_ESTABLISHED_REPLY);
148 } 148 }
149 149
150 return nf_nat_packet(ct, ctinfo, hooknum, skb); 150 return nf_nat_packet(ct, ctinfo, hooknum, skb);
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 413ab0754e1f..065fe405fb58 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -403,7 +403,8 @@ ipq_dev_drop(int ifindex)
403static inline void 403static inline void
404__ipq_rcv_skb(struct sk_buff *skb) 404__ipq_rcv_skb(struct sk_buff *skb)
405{ 405{
406 int status, type, pid, flags, nlmsglen, skblen; 406 int status, type, pid, flags;
407 unsigned int nlmsglen, skblen;
407 struct nlmsghdr *nlh; 408 struct nlmsghdr *nlh;
408 409
409 skblen = skb->len; 410 skblen = skb->len;
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index c8af58b22562..4111050a9fc5 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -160,7 +160,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
160 160
161 /* This is where we call the helper: as the packet goes out. */ 161 /* This is where we call the helper: as the packet goes out. */
162 ct = nf_ct_get(skb, &ctinfo); 162 ct = nf_ct_get(skb, &ctinfo);
163 if (!ct || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY) 163 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
164 goto out; 164 goto out;
165 165
166 help = nfct_help(ct); 166 help = nfct_help(ct);
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 1df3c8b6bf47..7c05e7eacbc6 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -177,7 +177,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl,
177 /* Update skb to refer to this connection */ 177 /* Update skb to refer to this connection */
178 skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general; 178 skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;
179 skb->nfctinfo = *ctinfo; 179 skb->nfctinfo = *ctinfo;
180 return -NF_ACCEPT; 180 return NF_ACCEPT;
181} 181}
182 182
183static int 183static int
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 8041befc6555..42aa64b6b0b1 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -767,7 +767,7 @@ ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
767 if (!attr[IPSET_ATTR_SETNAME]) { 767 if (!attr[IPSET_ATTR_SETNAME]) {
768 for (i = 0; i < ip_set_max; i++) { 768 for (i = 0; i < ip_set_max; i++) {
769 if (ip_set_list[i] != NULL && ip_set_list[i]->ref) { 769 if (ip_set_list[i] != NULL && ip_set_list[i]->ref) {
770 ret = IPSET_ERR_BUSY; 770 ret = -IPSET_ERR_BUSY;
771 goto out; 771 goto out;
772 } 772 }
773 } 773 }
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 4743e5402522..565a7c5b8818 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -146,8 +146,9 @@ hash_ipportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
146{ 146{
147 const struct ip_set_hash *h = set->data; 147 const struct ip_set_hash *h = set->data;
148 ipset_adtfn adtfn = set->variant->adt[adt]; 148 ipset_adtfn adtfn = set->variant->adt[adt];
149 struct hash_ipportnet4_elem data = 149 struct hash_ipportnet4_elem data = {
150 { .cidr = h->nets[0].cidr || HOST_MASK }; 150 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
151 };
151 152
152 if (data.cidr == 0) 153 if (data.cidr == 0)
153 return -EINVAL; 154 return -EINVAL;
@@ -394,8 +395,9 @@ hash_ipportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
394{ 395{
395 const struct ip_set_hash *h = set->data; 396 const struct ip_set_hash *h = set->data;
396 ipset_adtfn adtfn = set->variant->adt[adt]; 397 ipset_adtfn adtfn = set->variant->adt[adt];
397 struct hash_ipportnet6_elem data = 398 struct hash_ipportnet6_elem data = {
398 { .cidr = h->nets[0].cidr || HOST_MASK }; 399 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
400 };
399 401
400 if (data.cidr == 0) 402 if (data.cidr == 0)
401 return -EINVAL; 403 return -EINVAL;
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index c4db202b7da4..2aeeabcd5a21 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -131,7 +131,9 @@ hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb,
131{ 131{
132 const struct ip_set_hash *h = set->data; 132 const struct ip_set_hash *h = set->data;
133 ipset_adtfn adtfn = set->variant->adt[adt]; 133 ipset_adtfn adtfn = set->variant->adt[adt];
134 struct hash_net4_elem data = { .cidr = h->nets[0].cidr || HOST_MASK }; 134 struct hash_net4_elem data = {
135 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
136 };
135 137
136 if (data.cidr == 0) 138 if (data.cidr == 0)
137 return -EINVAL; 139 return -EINVAL;
@@ -296,7 +298,9 @@ hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb,
296{ 298{
297 const struct ip_set_hash *h = set->data; 299 const struct ip_set_hash *h = set->data;
298 ipset_adtfn adtfn = set->variant->adt[adt]; 300 ipset_adtfn adtfn = set->variant->adt[adt];
299 struct hash_net6_elem data = { .cidr = h->nets[0].cidr || HOST_MASK }; 301 struct hash_net6_elem data = {
302 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
303 };
300 304
301 if (data.cidr == 0) 305 if (data.cidr == 0)
302 return -EINVAL; 306 return -EINVAL;
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index d2a40362dd3a..e50d9bb8820b 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -144,7 +144,8 @@ hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb,
144 const struct ip_set_hash *h = set->data; 144 const struct ip_set_hash *h = set->data;
145 ipset_adtfn adtfn = set->variant->adt[adt]; 145 ipset_adtfn adtfn = set->variant->adt[adt];
146 struct hash_netport4_elem data = { 146 struct hash_netport4_elem data = {
147 .cidr = h->nets[0].cidr || HOST_MASK }; 147 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
148 };
148 149
149 if (data.cidr == 0) 150 if (data.cidr == 0)
150 return -EINVAL; 151 return -EINVAL;
@@ -357,7 +358,8 @@ hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb,
357 const struct ip_set_hash *h = set->data; 358 const struct ip_set_hash *h = set->data;
358 ipset_adtfn adtfn = set->variant->adt[adt]; 359 ipset_adtfn adtfn = set->variant->adt[adt];
359 struct hash_netport6_elem data = { 360 struct hash_netport6_elem data = {
360 .cidr = h->nets[0].cidr || HOST_MASK }; 361 .cidr = h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK
362 };
361 363
362 if (data.cidr == 0) 364 if (data.cidr == 0)
363 return -EINVAL; 365 return -EINVAL;
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index bfa808f4da13..55af2242bccd 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1772,7 +1772,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1772 .owner = THIS_MODULE, 1772 .owner = THIS_MODULE,
1773 .pf = PF_INET, 1773 .pf = PF_INET,
1774 .hooknum = NF_INET_LOCAL_IN, 1774 .hooknum = NF_INET_LOCAL_IN,
1775 .priority = 99, 1775 .priority = NF_IP_PRI_NAT_SRC - 2,
1776 }, 1776 },
1777 /* After packet filtering, forward packet through VS/DR, VS/TUN, 1777 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1778 * or VS/NAT(change destination), so that filtering rules can be 1778 * or VS/NAT(change destination), so that filtering rules can be
@@ -1782,7 +1782,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1782 .owner = THIS_MODULE, 1782 .owner = THIS_MODULE,
1783 .pf = PF_INET, 1783 .pf = PF_INET,
1784 .hooknum = NF_INET_LOCAL_IN, 1784 .hooknum = NF_INET_LOCAL_IN,
1785 .priority = 101, 1785 .priority = NF_IP_PRI_NAT_SRC - 1,
1786 }, 1786 },
1787 /* Before ip_vs_in, change source only for VS/NAT */ 1787 /* Before ip_vs_in, change source only for VS/NAT */
1788 { 1788 {
@@ -1790,7 +1790,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1790 .owner = THIS_MODULE, 1790 .owner = THIS_MODULE,
1791 .pf = PF_INET, 1791 .pf = PF_INET,
1792 .hooknum = NF_INET_LOCAL_OUT, 1792 .hooknum = NF_INET_LOCAL_OUT,
1793 .priority = -99, 1793 .priority = NF_IP_PRI_NAT_DST + 1,
1794 }, 1794 },
1795 /* After mangle, schedule and forward local requests */ 1795 /* After mangle, schedule and forward local requests */
1796 { 1796 {
@@ -1798,7 +1798,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1798 .owner = THIS_MODULE, 1798 .owner = THIS_MODULE,
1799 .pf = PF_INET, 1799 .pf = PF_INET,
1800 .hooknum = NF_INET_LOCAL_OUT, 1800 .hooknum = NF_INET_LOCAL_OUT,
1801 .priority = -98, 1801 .priority = NF_IP_PRI_NAT_DST + 2,
1802 }, 1802 },
1803 /* After packet filtering (but before ip_vs_out_icmp), catch icmp 1803 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1804 * destined for 0.0.0.0/0, which is for incoming IPVS connections */ 1804 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
@@ -1824,7 +1824,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1824 .owner = THIS_MODULE, 1824 .owner = THIS_MODULE,
1825 .pf = PF_INET6, 1825 .pf = PF_INET6,
1826 .hooknum = NF_INET_LOCAL_IN, 1826 .hooknum = NF_INET_LOCAL_IN,
1827 .priority = 99, 1827 .priority = NF_IP6_PRI_NAT_SRC - 2,
1828 }, 1828 },
1829 /* After packet filtering, forward packet through VS/DR, VS/TUN, 1829 /* After packet filtering, forward packet through VS/DR, VS/TUN,
1830 * or VS/NAT(change destination), so that filtering rules can be 1830 * or VS/NAT(change destination), so that filtering rules can be
@@ -1834,7 +1834,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1834 .owner = THIS_MODULE, 1834 .owner = THIS_MODULE,
1835 .pf = PF_INET6, 1835 .pf = PF_INET6,
1836 .hooknum = NF_INET_LOCAL_IN, 1836 .hooknum = NF_INET_LOCAL_IN,
1837 .priority = 101, 1837 .priority = NF_IP6_PRI_NAT_SRC - 1,
1838 }, 1838 },
1839 /* Before ip_vs_in, change source only for VS/NAT */ 1839 /* Before ip_vs_in, change source only for VS/NAT */
1840 { 1840 {
@@ -1842,7 +1842,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1842 .owner = THIS_MODULE, 1842 .owner = THIS_MODULE,
1843 .pf = PF_INET, 1843 .pf = PF_INET,
1844 .hooknum = NF_INET_LOCAL_OUT, 1844 .hooknum = NF_INET_LOCAL_OUT,
1845 .priority = -99, 1845 .priority = NF_IP6_PRI_NAT_DST + 1,
1846 }, 1846 },
1847 /* After mangle, schedule and forward local requests */ 1847 /* After mangle, schedule and forward local requests */
1848 { 1848 {
@@ -1850,7 +1850,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
1850 .owner = THIS_MODULE, 1850 .owner = THIS_MODULE,
1851 .pf = PF_INET6, 1851 .pf = PF_INET6,
1852 .hooknum = NF_INET_LOCAL_OUT, 1852 .hooknum = NF_INET_LOCAL_OUT,
1853 .priority = -98, 1853 .priority = NF_IP6_PRI_NAT_DST + 2,
1854 }, 1854 },
1855 /* After packet filtering (but before ip_vs_out_icmp), catch icmp 1855 /* After packet filtering (but before ip_vs_out_icmp), catch icmp
1856 * destined for 0.0.0.0/0, which is for incoming IPVS connections */ 1856 * destined for 0.0.0.0/0, which is for incoming IPVS connections */
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 2e1c11f78419..f7af8b866017 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -850,7 +850,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
850 850
851 /* It exists; we have (non-exclusive) reference. */ 851 /* It exists; we have (non-exclusive) reference. */
852 if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) { 852 if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) {
853 *ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY; 853 *ctinfo = IP_CT_ESTABLISHED_REPLY;
854 /* Please set reply bit if this packet OK */ 854 /* Please set reply bit if this packet OK */
855 *set_reply = 1; 855 *set_reply = 1;
856 } else { 856 } else {
@@ -922,6 +922,9 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
922 ret = -ret; 922 ret = -ret;
923 goto out; 923 goto out;
924 } 924 }
925 /* ICMP[v6] protocol trackers may assign one conntrack. */
926 if (skb->nfct)
927 goto out;
925 } 928 }
926 929
927 ct = resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum, 930 ct = resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum,
@@ -1143,7 +1146,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
1143 /* This ICMP is in reverse direction to the packet which caused it */ 1146 /* This ICMP is in reverse direction to the packet which caused it */
1144 ct = nf_ct_get(skb, &ctinfo); 1147 ct = nf_ct_get(skb, &ctinfo);
1145 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) 1148 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
1146 ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY; 1149 ctinfo = IP_CT_RELATED_REPLY;
1147 else 1150 else
1148 ctinfo = IP_CT_RELATED; 1151 ctinfo = IP_CT_RELATED;
1149 1152
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index e17cb7c7dd8f..6f5801eac999 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -368,7 +368,7 @@ static int help(struct sk_buff *skb,
368 368
369 /* Until there's been traffic both ways, don't look in packets. */ 369 /* Until there's been traffic both ways, don't look in packets. */
370 if (ctinfo != IP_CT_ESTABLISHED && 370 if (ctinfo != IP_CT_ESTABLISHED &&
371 ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) { 371 ctinfo != IP_CT_ESTABLISHED_REPLY) {
372 pr_debug("ftp: Conntrackinfo = %u\n", ctinfo); 372 pr_debug("ftp: Conntrackinfo = %u\n", ctinfo);
373 return NF_ACCEPT; 373 return NF_ACCEPT;
374 } 374 }
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 18b2ce5c8ced..f03c2d4539f6 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -571,10 +571,9 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
571 int ret; 571 int ret;
572 572
573 /* Until there's been traffic both ways, don't look in packets. */ 573 /* Until there's been traffic both ways, don't look in packets. */
574 if (ctinfo != IP_CT_ESTABLISHED && 574 if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
575 ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
576 return NF_ACCEPT; 575 return NF_ACCEPT;
577 } 576
578 pr_debug("nf_ct_h245: skblen = %u\n", skb->len); 577 pr_debug("nf_ct_h245: skblen = %u\n", skb->len);
579 578
580 spin_lock_bh(&nf_h323_lock); 579 spin_lock_bh(&nf_h323_lock);
@@ -1125,10 +1124,9 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
1125 int ret; 1124 int ret;
1126 1125
1127 /* Until there's been traffic both ways, don't look in packets. */ 1126 /* Until there's been traffic both ways, don't look in packets. */
1128 if (ctinfo != IP_CT_ESTABLISHED && 1127 if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
1129 ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
1130 return NF_ACCEPT; 1128 return NF_ACCEPT;
1131 } 1129
1132 pr_debug("nf_ct_q931: skblen = %u\n", skb->len); 1130 pr_debug("nf_ct_q931: skblen = %u\n", skb->len);
1133 1131
1134 spin_lock_bh(&nf_h323_lock); 1132 spin_lock_bh(&nf_h323_lock);
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index b394aa318776..4f9390b98697 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -125,8 +125,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
125 return NF_ACCEPT; 125 return NF_ACCEPT;
126 126
127 /* Until there's been traffic both ways, don't look in packets. */ 127 /* Until there's been traffic both ways, don't look in packets. */
128 if (ctinfo != IP_CT_ESTABLISHED && 128 if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
129 ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
130 return NF_ACCEPT; 129 return NF_ACCEPT;
131 130
132 /* Not a full tcp header? */ 131 /* Not a full tcp header? */
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index 088944824e13..2fd4565144de 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -519,8 +519,7 @@ conntrack_pptp_help(struct sk_buff *skb, unsigned int protoff,
519 u_int16_t msg; 519 u_int16_t msg;
520 520
521 /* don't do any tracking before tcp handshake complete */ 521 /* don't do any tracking before tcp handshake complete */
522 if (ctinfo != IP_CT_ESTABLISHED && 522 if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
523 ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
524 return NF_ACCEPT; 523 return NF_ACCEPT;
525 524
526 nexthdr_off = protoff; 525 nexthdr_off = protoff;
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index d9e27734b2a2..8501823b3f9b 100644
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -78,7 +78,7 @@ static int help(struct sk_buff *skb,
78 ct_sane_info = &nfct_help(ct)->help.ct_sane_info; 78 ct_sane_info = &nfct_help(ct)->help.ct_sane_info;
79 /* Until there's been traffic both ways, don't look in packets. */ 79 /* Until there's been traffic both ways, don't look in packets. */
80 if (ctinfo != IP_CT_ESTABLISHED && 80 if (ctinfo != IP_CT_ESTABLISHED &&
81 ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) 81 ctinfo != IP_CT_ESTABLISHED_REPLY)
82 return NF_ACCEPT; 82 return NF_ACCEPT;
83 83
84 /* Not a full tcp header? */ 84 /* Not a full tcp header? */
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index cb5a28581782..93faf6a3a637 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1423,7 +1423,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
1423 typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust; 1423 typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
1424 1424
1425 if (ctinfo != IP_CT_ESTABLISHED && 1425 if (ctinfo != IP_CT_ESTABLISHED &&
1426 ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) 1426 ctinfo != IP_CT_ESTABLISHED_REPLY)
1427 return NF_ACCEPT; 1427 return NF_ACCEPT;
1428 1428
1429 /* No Data ? */ 1429 /* No Data ? */
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 9cc46356b577..fe39f7e913df 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -143,9 +143,9 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
143 ct = nf_ct_get(skb, &ctinfo); 143 ct = nf_ct_get(skb, &ctinfo);
144 if (ct && !nf_ct_is_untracked(ct) && 144 if (ct && !nf_ct_is_untracked(ct) &&
145 ((iph->protocol != IPPROTO_ICMP && 145 ((iph->protocol != IPPROTO_ICMP &&
146 ctinfo == IP_CT_IS_REPLY + IP_CT_ESTABLISHED) || 146 ctinfo == IP_CT_ESTABLISHED_REPLY) ||
147 (iph->protocol == IPPROTO_ICMP && 147 (iph->protocol == IPPROTO_ICMP &&
148 ctinfo == IP_CT_IS_REPLY + IP_CT_RELATED)) && 148 ctinfo == IP_CT_RELATED_REPLY)) &&
149 (ct->status & IPS_SRC_NAT_DONE)) { 149 (ct->status & IPS_SRC_NAT_DONE)) {
150 150
151 daddr = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip; 151 daddr = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip;
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-24 09:46:13 -0500