aboutsummaryrefslogtreecommitdiffstats
path: root/net/netfilter
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2008-04-14 06:50:43 -0400
committerDavid S. Miller <davem@davemloft.net>2008-04-14 06:50:43 -0400
commit334f8b2afd9652e20f67ddee4fec483ed860425b (patch)
tree35d4fb46a9dc145e831fe5da026f2bfd9ee6657c /net/netfilter
parent7477fd2e6b676fcd15861c2a96a7172f71afe0a5 (diff)
parentef1a5a50bbd509b8697dcd4d13017e9e0053867b (diff)
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.26
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/Kconfig10
-rw-r--r--net/netfilter/Makefile1
-rw-r--r--net/netfilter/nf_conntrack_amanda.c6
-rw-r--r--net/netfilter/nf_conntrack_core.c29
-rw-r--r--net/netfilter/nf_conntrack_extend.c3
-rw-r--r--net/netfilter/nf_conntrack_ftp.c9
-rw-r--r--net/netfilter/nf_conntrack_h323_main.c65
-rw-r--r--net/netfilter/nf_conntrack_helper.c2
-rw-r--r--net/netfilter/nf_conntrack_irc.c14
-rw-r--r--net/netfilter/nf_conntrack_l3proto_generic.c12
-rw-r--r--net/netfilter/nf_conntrack_netlink.c34
-rw-r--r--net/netfilter/nf_conntrack_pptp.c8
-rw-r--r--net/netfilter/nf_conntrack_proto.c9
-rw-r--r--net/netfilter/nf_conntrack_proto_dccp.c815
-rw-r--r--net/netfilter/nf_conntrack_proto_generic.c20
-rw-r--r--net/netfilter/nf_conntrack_proto_gre.c31
-rw-r--r--net/netfilter/nf_conntrack_proto_sctp.c50
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c64
-rw-r--r--net/netfilter/nf_conntrack_proto_udp.c18
-rw-r--r--net/netfilter/nf_conntrack_proto_udplite.c55
-rw-r--r--net/netfilter/nf_conntrack_sane.c5
-rw-r--r--net/netfilter/nf_conntrack_sip.c21
-rw-r--r--net/netfilter/nf_conntrack_standalone.c131
-rw-r--r--net/netfilter/nf_conntrack_tftp.c10
-rw-r--r--net/netfilter/x_tables.c18
-rw-r--r--net/netfilter/xt_CONNSECMARK.c2
-rw-r--r--net/netfilter/xt_RATEEST.c2
-rw-r--r--net/netfilter/xt_connlimit.c10
-rw-r--r--net/netfilter/xt_conntrack.c4
-rw-r--r--net/netfilter/xt_dccp.c3
-rw-r--r--net/netfilter/xt_esp.c3
-rw-r--r--net/netfilter/xt_multiport.c6
-rw-r--r--net/netfilter/xt_policy.c2
-rw-r--r--net/netfilter/xt_rateest.c4
-rw-r--r--net/netfilter/xt_sctp.c6
-rw-r--r--net/netfilter/xt_tcpmss.c6
-rw-r--r--net/netfilter/xt_tcpudp.c9
-rw-r--r--net/netfilter/xt_time.c2
38 files changed, 1159 insertions, 340 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index daf5b881064d..c1fc0f1a641c 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -86,6 +86,16 @@ config NF_CONNTRACK_EVENTS
86 86
87 If unsure, say `N'. 87 If unsure, say `N'.
88 88
89config NF_CT_PROTO_DCCP
90 tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
91 depends on EXPERIMENTAL && NF_CONNTRACK
92 depends on NETFILTER_ADVANCED
93 help
94 With this option enabled, the layer 3 independent connection
95 tracking code will be able to do state tracking on DCCP connections.
96
97 If unsure, say 'N'.
98
89config NF_CT_PROTO_GRE 99config NF_CT_PROTO_GRE
90 tristate 100 tristate
91 depends on NF_CONNTRACK 101 depends on NF_CONNTRACK
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index ea7508387f95..5c4b183f6422 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -13,6 +13,7 @@ obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
13obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o 13obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o
14 14
15# SCTP protocol connection tracking 15# SCTP protocol connection tracking
16obj-$(CONFIG_NF_CT_PROTO_DCCP) += nf_conntrack_proto_dccp.o
16obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o 17obj-$(CONFIG_NF_CT_PROTO_GRE) += nf_conntrack_proto_gre.o
17obj-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o 18obj-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o
18obj-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o 19obj-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index d14585a19b7d..38aedeeaf4e1 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -53,7 +53,7 @@ enum amanda_strings {
53}; 53};
54 54
55static struct { 55static struct {
56 char *string; 56 const char *string;
57 size_t len; 57 size_t len;
58 struct ts_config *ts; 58 struct ts_config *ts;
59} search[] __read_mostly = { 59} search[] __read_mostly = {
@@ -91,7 +91,6 @@ static int amanda_help(struct sk_buff *skb,
91 char pbuf[sizeof("65535")], *tmp; 91 char pbuf[sizeof("65535")], *tmp;
92 u_int16_t len; 92 u_int16_t len;
93 __be16 port; 93 __be16 port;
94 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
95 int ret = NF_ACCEPT; 94 int ret = NF_ACCEPT;
96 typeof(nf_nat_amanda_hook) nf_nat_amanda; 95 typeof(nf_nat_amanda_hook) nf_nat_amanda;
97 96
@@ -148,7 +147,8 @@ static int amanda_help(struct sk_buff *skb,
148 goto out; 147 goto out;
149 } 148 }
150 tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; 149 tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
151 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, family, 150 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT,
151 nf_ct_l3num(ct),
152 &tuple->src.u3, &tuple->dst.u3, 152 &tuple->src.u3, &tuple->dst.u3,
153 IPPROTO_TCP, NULL, &port); 153 IPPROTO_TCP, NULL, &port);
154 154
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index b77eb56a87e3..4eac65c74ed0 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -94,7 +94,7 @@ static inline u_int32_t hash_conntrack(const struct nf_conntrack_tuple *tuple)
94 nf_conntrack_hash_rnd); 94 nf_conntrack_hash_rnd);
95} 95}
96 96
97int 97bool
98nf_ct_get_tuple(const struct sk_buff *skb, 98nf_ct_get_tuple(const struct sk_buff *skb,
99 unsigned int nhoff, 99 unsigned int nhoff,
100 unsigned int dataoff, 100 unsigned int dataoff,
@@ -108,7 +108,7 @@ nf_ct_get_tuple(const struct sk_buff *skb,
108 108
109 tuple->src.l3num = l3num; 109 tuple->src.l3num = l3num;
110 if (l3proto->pkt_to_tuple(skb, nhoff, tuple) == 0) 110 if (l3proto->pkt_to_tuple(skb, nhoff, tuple) == 0)
111 return 0; 111 return false;
112 112
113 tuple->dst.protonum = protonum; 113 tuple->dst.protonum = protonum;
114 tuple->dst.dir = IP_CT_DIR_ORIGINAL; 114 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
@@ -117,10 +117,8 @@ nf_ct_get_tuple(const struct sk_buff *skb,
117} 117}
118EXPORT_SYMBOL_GPL(nf_ct_get_tuple); 118EXPORT_SYMBOL_GPL(nf_ct_get_tuple);
119 119
120int nf_ct_get_tuplepr(const struct sk_buff *skb, 120bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
121 unsigned int nhoff, 121 u_int16_t l3num, struct nf_conntrack_tuple *tuple)
122 u_int16_t l3num,
123 struct nf_conntrack_tuple *tuple)
124{ 122{
125 struct nf_conntrack_l3proto *l3proto; 123 struct nf_conntrack_l3proto *l3proto;
126 struct nf_conntrack_l4proto *l4proto; 124 struct nf_conntrack_l4proto *l4proto;
@@ -134,7 +132,7 @@ int nf_ct_get_tuplepr(const struct sk_buff *skb,
134 ret = l3proto->get_l4proto(skb, nhoff, &protoff, &protonum); 132 ret = l3proto->get_l4proto(skb, nhoff, &protoff, &protonum);
135 if (ret != NF_ACCEPT) { 133 if (ret != NF_ACCEPT) {
136 rcu_read_unlock(); 134 rcu_read_unlock();
137 return 0; 135 return false;
138 } 136 }
139 137
140 l4proto = __nf_ct_l4proto_find(l3num, protonum); 138 l4proto = __nf_ct_l4proto_find(l3num, protonum);
@@ -147,7 +145,7 @@ int nf_ct_get_tuplepr(const struct sk_buff *skb,
147} 145}
148EXPORT_SYMBOL_GPL(nf_ct_get_tuplepr); 146EXPORT_SYMBOL_GPL(nf_ct_get_tuplepr);
149 147
150int 148bool
151nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, 149nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
152 const struct nf_conntrack_tuple *orig, 150 const struct nf_conntrack_tuple *orig,
153 const struct nf_conntrack_l3proto *l3proto, 151 const struct nf_conntrack_l3proto *l3proto,
@@ -157,7 +155,7 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
157 155
158 inverse->src.l3num = orig->src.l3num; 156 inverse->src.l3num = orig->src.l3num;
159 if (l3proto->invert_tuple(inverse, orig) == 0) 157 if (l3proto->invert_tuple(inverse, orig) == 0)
160 return 0; 158 return false;
161 159
162 inverse->dst.dir = !orig->dst.dir; 160 inverse->dst.dir = !orig->dst.dir;
163 161
@@ -194,8 +192,7 @@ destroy_conntrack(struct nf_conntrack *nfct)
194 * destroy_conntrack() MUST NOT be called with a write lock 192 * destroy_conntrack() MUST NOT be called with a write lock
195 * to nf_conntrack_lock!!! -HW */ 193 * to nf_conntrack_lock!!! -HW */
196 rcu_read_lock(); 194 rcu_read_lock();
197 l4proto = __nf_ct_l4proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num, 195 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
198 ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
199 if (l4proto && l4proto->destroy) 196 if (l4proto && l4proto->destroy)
200 l4proto->destroy(ct); 197 l4proto->destroy(ct);
201 198
@@ -739,10 +736,10 @@ nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff *skb)
739} 736}
740EXPORT_SYMBOL_GPL(nf_conntrack_in); 737EXPORT_SYMBOL_GPL(nf_conntrack_in);
741 738
742int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, 739bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
743 const struct nf_conntrack_tuple *orig) 740 const struct nf_conntrack_tuple *orig)
744{ 741{
745 int ret; 742 bool ret;
746 743
747 rcu_read_lock(); 744 rcu_read_lock();
748 ret = nf_ct_invert_tuple(inverse, orig, 745 ret = nf_ct_invert_tuple(inverse, orig,
@@ -766,10 +763,10 @@ void nf_conntrack_alter_reply(struct nf_conn *ct,
766 NF_CT_ASSERT(!nf_ct_is_confirmed(ct)); 763 NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
767 764
768 pr_debug("Altering reply tuple of %p to ", ct); 765 pr_debug("Altering reply tuple of %p to ", ct);
769 NF_CT_DUMP_TUPLE(newreply); 766 nf_ct_dump_tuple(newreply);
770 767
771 ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply; 768 ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
772 if (ct->master || (help && help->expecting != 0)) 769 if (ct->master || (help && !hlist_empty(&help->expectations)))
773 return; 770 return;
774 771
775 rcu_read_lock(); 772 rcu_read_lock();
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 2bd9963b5b3e..bcc19fa4ed1e 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -71,6 +71,9 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
71 int i, newlen, newoff; 71 int i, newlen, newoff;
72 struct nf_ct_ext_type *t; 72 struct nf_ct_ext_type *t;
73 73
74 /* Conntrack must not be confirmed to avoid races on reallocation. */
75 NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
76
74 if (!ct->ext) 77 if (!ct->ext)
75 return nf_ct_ext_create(&ct->ext, id, gfp); 78 return nf_ct_ext_create(&ct->ext, id, gfp);
76 79
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 7eff876bb8bc..bb20672fe036 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -350,8 +350,9 @@ static int help(struct sk_buff *skb,
350 enum ip_conntrack_info ctinfo) 350 enum ip_conntrack_info ctinfo)
351{ 351{
352 unsigned int dataoff, datalen; 352 unsigned int dataoff, datalen;
353 struct tcphdr _tcph, *th; 353 const struct tcphdr *th;
354 char *fb_ptr; 354 struct tcphdr _tcph;
355 const char *fb_ptr;
355 int ret; 356 int ret;
356 u32 seq; 357 u32 seq;
357 int dir = CTINFO2DIR(ctinfo); 358 int dir = CTINFO2DIR(ctinfo);
@@ -405,7 +406,7 @@ static int help(struct sk_buff *skb,
405 406
406 /* Initialize IP/IPv6 addr to expected address (it's not mentioned 407 /* Initialize IP/IPv6 addr to expected address (it's not mentioned
407 in EPSV responses) */ 408 in EPSV responses) */
408 cmd.l3num = ct->tuplehash[dir].tuple.src.l3num; 409 cmd.l3num = nf_ct_l3num(ct);
409 memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, 410 memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all,
410 sizeof(cmd.u3.all)); 411 sizeof(cmd.u3.all));
411 412
@@ -452,7 +453,7 @@ static int help(struct sk_buff *skb,
452 daddr = &ct->tuplehash[!dir].tuple.dst.u3; 453 daddr = &ct->tuplehash[!dir].tuple.dst.u3;
453 454
454 /* Update the ftp info */ 455 /* Update the ftp info */
455 if ((cmd.l3num == ct->tuplehash[dir].tuple.src.l3num) && 456 if ((cmd.l3num == nf_ct_l3num(ct)) &&
456 memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, 457 memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all,
457 sizeof(cmd.u3.all))) { 458 sizeof(cmd.u3.all))) {
458 /* Enrico Scholz's passive FTP to partially RNAT'd ftp 459 /* Enrico Scholz's passive FTP to partially RNAT'd ftp
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 505052d495cf..95da1a24aab7 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -218,7 +218,6 @@ static int get_h245_addr(struct nf_conn *ct, const unsigned char *data,
218 union nf_inet_addr *addr, __be16 *port) 218 union nf_inet_addr *addr, __be16 *port)
219{ 219{
220 const unsigned char *p; 220 const unsigned char *p;
221 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
222 int len; 221 int len;
223 222
224 if (taddr->choice != eH245_TransportAddress_unicastAddress) 223 if (taddr->choice != eH245_TransportAddress_unicastAddress)
@@ -226,13 +225,13 @@ static int get_h245_addr(struct nf_conn *ct, const unsigned char *data,
226 225
227 switch (taddr->unicastAddress.choice) { 226 switch (taddr->unicastAddress.choice) {
228 case eUnicastAddress_iPAddress: 227 case eUnicastAddress_iPAddress:
229 if (family != AF_INET) 228 if (nf_ct_l3num(ct) != AF_INET)
230 return 0; 229 return 0;
231 p = data + taddr->unicastAddress.iPAddress.network; 230 p = data + taddr->unicastAddress.iPAddress.network;
232 len = 4; 231 len = 4;
233 break; 232 break;
234 case eUnicastAddress_iP6Address: 233 case eUnicastAddress_iP6Address:
235 if (family != AF_INET6) 234 if (nf_ct_l3num(ct) != AF_INET6)
236 return 0; 235 return 0;
237 p = data + taddr->unicastAddress.iP6Address.network; 236 p = data + taddr->unicastAddress.iP6Address.network;
238 len = 16; 237 len = 16;
@@ -277,8 +276,7 @@ static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
277 /* Create expect for RTP */ 276 /* Create expect for RTP */
278 if ((rtp_exp = nf_ct_expect_alloc(ct)) == NULL) 277 if ((rtp_exp = nf_ct_expect_alloc(ct)) == NULL)
279 return -1; 278 return -1;
280 nf_ct_expect_init(rtp_exp, NF_CT_EXPECT_CLASS_DEFAULT, 279 nf_ct_expect_init(rtp_exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
281 ct->tuplehash[!dir].tuple.src.l3num,
282 &ct->tuplehash[!dir].tuple.src.u3, 280 &ct->tuplehash[!dir].tuple.src.u3,
283 &ct->tuplehash[!dir].tuple.dst.u3, 281 &ct->tuplehash[!dir].tuple.dst.u3,
284 IPPROTO_UDP, NULL, &rtp_port); 282 IPPROTO_UDP, NULL, &rtp_port);
@@ -288,8 +286,7 @@ static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
288 nf_ct_expect_put(rtp_exp); 286 nf_ct_expect_put(rtp_exp);
289 return -1; 287 return -1;
290 } 288 }
291 nf_ct_expect_init(rtcp_exp, NF_CT_EXPECT_CLASS_DEFAULT, 289 nf_ct_expect_init(rtcp_exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
292 ct->tuplehash[!dir].tuple.src.l3num,
293 &ct->tuplehash[!dir].tuple.src.u3, 290 &ct->tuplehash[!dir].tuple.src.u3,
294 &ct->tuplehash[!dir].tuple.dst.u3, 291 &ct->tuplehash[!dir].tuple.dst.u3,
295 IPPROTO_UDP, NULL, &rtcp_port); 292 IPPROTO_UDP, NULL, &rtcp_port);
@@ -306,9 +303,9 @@ static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
306 if (nf_ct_expect_related(rtp_exp) == 0) { 303 if (nf_ct_expect_related(rtp_exp) == 0) {
307 if (nf_ct_expect_related(rtcp_exp) == 0) { 304 if (nf_ct_expect_related(rtcp_exp) == 0) {
308 pr_debug("nf_ct_h323: expect RTP "); 305 pr_debug("nf_ct_h323: expect RTP ");
309 NF_CT_DUMP_TUPLE(&rtp_exp->tuple); 306 nf_ct_dump_tuple(&rtp_exp->tuple);
310 pr_debug("nf_ct_h323: expect RTCP "); 307 pr_debug("nf_ct_h323: expect RTCP ");
311 NF_CT_DUMP_TUPLE(&rtcp_exp->tuple); 308 nf_ct_dump_tuple(&rtcp_exp->tuple);
312 } else { 309 } else {
313 nf_ct_unexpect_related(rtp_exp); 310 nf_ct_unexpect_related(rtp_exp);
314 ret = -1; 311 ret = -1;
@@ -346,8 +343,7 @@ static int expect_t120(struct sk_buff *skb,
346 /* Create expect for T.120 connections */ 343 /* Create expect for T.120 connections */
347 if ((exp = nf_ct_expect_alloc(ct)) == NULL) 344 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
348 return -1; 345 return -1;
349 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, 346 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
350 ct->tuplehash[!dir].tuple.src.l3num,
351 &ct->tuplehash[!dir].tuple.src.u3, 347 &ct->tuplehash[!dir].tuple.src.u3,
352 &ct->tuplehash[!dir].tuple.dst.u3, 348 &ct->tuplehash[!dir].tuple.dst.u3,
353 IPPROTO_TCP, NULL, &port); 349 IPPROTO_TCP, NULL, &port);
@@ -364,7 +360,7 @@ static int expect_t120(struct sk_buff *skb,
364 } else { /* Conntrack only */ 360 } else { /* Conntrack only */
365 if (nf_ct_expect_related(exp) == 0) { 361 if (nf_ct_expect_related(exp) == 0) {
366 pr_debug("nf_ct_h323: expect T.120 "); 362 pr_debug("nf_ct_h323: expect T.120 ");
367 NF_CT_DUMP_TUPLE(&exp->tuple); 363 nf_ct_dump_tuple(&exp->tuple);
368 } else 364 } else
369 ret = -1; 365 ret = -1;
370 } 366 }
@@ -586,7 +582,7 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
586 while (get_tpkt_data(skb, protoff, ct, ctinfo, 582 while (get_tpkt_data(skb, protoff, ct, ctinfo,
587 &data, &datalen, &dataoff)) { 583 &data, &datalen, &dataoff)) {
588 pr_debug("nf_ct_h245: TPKT len=%d ", datalen); 584 pr_debug("nf_ct_h245: TPKT len=%d ", datalen);
589 NF_CT_DUMP_TUPLE(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple); 585 nf_ct_dump_tuple(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple);
590 586
591 /* Decode H.245 signal */ 587 /* Decode H.245 signal */
592 ret = DecodeMultimediaSystemControlMessage(data, datalen, 588 ret = DecodeMultimediaSystemControlMessage(data, datalen,
@@ -634,18 +630,17 @@ int get_h225_addr(struct nf_conn *ct, unsigned char *data,
634 union nf_inet_addr *addr, __be16 *port) 630 union nf_inet_addr *addr, __be16 *port)
635{ 631{
636 const unsigned char *p; 632 const unsigned char *p;
637 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
638 int len; 633 int len;
639 634
640 switch (taddr->choice) { 635 switch (taddr->choice) {
641 case eTransportAddress_ipAddress: 636 case eTransportAddress_ipAddress:
642 if (family != AF_INET) 637 if (nf_ct_l3num(ct) != AF_INET)
643 return 0; 638 return 0;
644 p = data + taddr->ipAddress.ip; 639 p = data + taddr->ipAddress.ip;
645 len = 4; 640 len = 4;
646 break; 641 break;
647 case eTransportAddress_ip6Address: 642 case eTransportAddress_ip6Address:
648 if (family != AF_INET6) 643 if (nf_ct_l3num(ct) != AF_INET6)
649 return 0; 644 return 0;
650 p = data + taddr->ip6Address.ip; 645 p = data + taddr->ip6Address.ip;
651 len = 16; 646 len = 16;
@@ -683,8 +678,7 @@ static int expect_h245(struct sk_buff *skb, struct nf_conn *ct,
683 /* Create expect for h245 connection */ 678 /* Create expect for h245 connection */
684 if ((exp = nf_ct_expect_alloc(ct)) == NULL) 679 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
685 return -1; 680 return -1;
686 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, 681 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
687 ct->tuplehash[!dir].tuple.src.l3num,
688 &ct->tuplehash[!dir].tuple.src.u3, 682 &ct->tuplehash[!dir].tuple.src.u3,
689 &ct->tuplehash[!dir].tuple.dst.u3, 683 &ct->tuplehash[!dir].tuple.dst.u3,
690 IPPROTO_TCP, NULL, &port); 684 IPPROTO_TCP, NULL, &port);
@@ -701,7 +695,7 @@ static int expect_h245(struct sk_buff *skb, struct nf_conn *ct,
701 } else { /* Conntrack only */ 695 } else { /* Conntrack only */
702 if (nf_ct_expect_related(exp) == 0) { 696 if (nf_ct_expect_related(exp) == 0) {
703 pr_debug("nf_ct_q931: expect H.245 "); 697 pr_debug("nf_ct_q931: expect H.245 ");
704 NF_CT_DUMP_TUPLE(&exp->tuple); 698 nf_ct_dump_tuple(&exp->tuple);
705 } else 699 } else
706 ret = -1; 700 ret = -1;
707 } 701 }
@@ -792,7 +786,7 @@ static int expect_callforwarding(struct sk_buff *skb,
792 * we don't need to track the second call */ 786 * we don't need to track the second call */
793 if (callforward_filter && 787 if (callforward_filter &&
794 callforward_do_filter(&addr, &ct->tuplehash[!dir].tuple.src.u3, 788 callforward_do_filter(&addr, &ct->tuplehash[!dir].tuple.src.u3,
795 ct->tuplehash[!dir].tuple.src.l3num)) { 789 nf_ct_l3num(ct))) {
796 pr_debug("nf_ct_q931: Call Forwarding not tracked\n"); 790 pr_debug("nf_ct_q931: Call Forwarding not tracked\n");
797 return 0; 791 return 0;
798 } 792 }
@@ -800,8 +794,7 @@ static int expect_callforwarding(struct sk_buff *skb,
800 /* Create expect for the second call leg */ 794 /* Create expect for the second call leg */
801 if ((exp = nf_ct_expect_alloc(ct)) == NULL) 795 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
802 return -1; 796 return -1;
803 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, 797 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
804 ct->tuplehash[!dir].tuple.src.l3num,
805 &ct->tuplehash[!dir].tuple.src.u3, &addr, 798 &ct->tuplehash[!dir].tuple.src.u3, &addr,
806 IPPROTO_TCP, NULL, &port); 799 IPPROTO_TCP, NULL, &port);
807 exp->helper = nf_conntrack_helper_q931; 800 exp->helper = nf_conntrack_helper_q931;
@@ -817,7 +810,7 @@ static int expect_callforwarding(struct sk_buff *skb,
817 } else { /* Conntrack only */ 810 } else { /* Conntrack only */
818 if (nf_ct_expect_related(exp) == 0) { 811 if (nf_ct_expect_related(exp) == 0) {
819 pr_debug("nf_ct_q931: expect Call Forwarding "); 812 pr_debug("nf_ct_q931: expect Call Forwarding ");
820 NF_CT_DUMP_TUPLE(&exp->tuple); 813 nf_ct_dump_tuple(&exp->tuple);
821 } else 814 } else
822 ret = -1; 815 ret = -1;
823 } 816 }
@@ -1137,7 +1130,7 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
1137 while (get_tpkt_data(skb, protoff, ct, ctinfo, 1130 while (get_tpkt_data(skb, protoff, ct, ctinfo,
1138 &data, &datalen, &dataoff)) { 1131 &data, &datalen, &dataoff)) {
1139 pr_debug("nf_ct_q931: TPKT len=%d ", datalen); 1132 pr_debug("nf_ct_q931: TPKT len=%d ", datalen);
1140 NF_CT_DUMP_TUPLE(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple); 1133 nf_ct_dump_tuple(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple);
1141 1134
1142 /* Decode Q.931 signal */ 1135 /* Decode Q.931 signal */
1143 ret = DecodeQ931(data, datalen, &q931); 1136 ret = DecodeQ931(data, datalen, &q931);
@@ -1272,8 +1265,7 @@ static int expect_q931(struct sk_buff *skb, struct nf_conn *ct,
1272 /* Create expect for Q.931 */ 1265 /* Create expect for Q.931 */
1273 if ((exp = nf_ct_expect_alloc(ct)) == NULL) 1266 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1274 return -1; 1267 return -1;
1275 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, 1268 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1276 ct->tuplehash[!dir].tuple.src.l3num,
1277 gkrouted_only ? /* only accept calls from GK? */ 1269 gkrouted_only ? /* only accept calls from GK? */
1278 &ct->tuplehash[!dir].tuple.src.u3 : NULL, 1270 &ct->tuplehash[!dir].tuple.src.u3 : NULL,
1279 &ct->tuplehash[!dir].tuple.dst.u3, 1271 &ct->tuplehash[!dir].tuple.dst.u3,
@@ -1287,7 +1279,7 @@ static int expect_q931(struct sk_buff *skb, struct nf_conn *ct,
1287 } else { /* Conntrack only */ 1279 } else { /* Conntrack only */
1288 if (nf_ct_expect_related(exp) == 0) { 1280 if (nf_ct_expect_related(exp) == 0) {
1289 pr_debug("nf_ct_ras: expect Q.931 "); 1281 pr_debug("nf_ct_ras: expect Q.931 ");
1290 NF_CT_DUMP_TUPLE(&exp->tuple); 1282 nf_ct_dump_tuple(&exp->tuple);
1291 1283
1292 /* Save port for looking up expect in processing RCF */ 1284 /* Save port for looking up expect in processing RCF */
1293 info->sig_port[dir] = port; 1285 info->sig_port[dir] = port;
@@ -1344,15 +1336,14 @@ static int process_gcf(struct sk_buff *skb, struct nf_conn *ct,
1344 /* Need new expect */ 1336 /* Need new expect */
1345 if ((exp = nf_ct_expect_alloc(ct)) == NULL) 1337 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1346 return -1; 1338 return -1;
1347 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, 1339 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1348 ct->tuplehash[!dir].tuple.src.l3num,
1349 &ct->tuplehash[!dir].tuple.src.u3, &addr, 1340 &ct->tuplehash[!dir].tuple.src.u3, &addr,
1350 IPPROTO_UDP, NULL, &port); 1341 IPPROTO_UDP, NULL, &port);
1351 exp->helper = nf_conntrack_helper_ras; 1342 exp->helper = nf_conntrack_helper_ras;
1352 1343
1353 if (nf_ct_expect_related(exp) == 0) { 1344 if (nf_ct_expect_related(exp) == 0) {
1354 pr_debug("nf_ct_ras: expect RAS "); 1345 pr_debug("nf_ct_ras: expect RAS ");
1355 NF_CT_DUMP_TUPLE(&exp->tuple); 1346 nf_ct_dump_tuple(&exp->tuple);
1356 } else 1347 } else
1357 ret = -1; 1348 ret = -1;
1358 1349
@@ -1436,7 +1427,7 @@ static int process_rcf(struct sk_buff *skb, struct nf_conn *ct,
1436 pr_debug("nf_ct_ras: set Q.931 expect " 1427 pr_debug("nf_ct_ras: set Q.931 expect "
1437 "timeout to %u seconds for", 1428 "timeout to %u seconds for",
1438 info->timeout); 1429 info->timeout);
1439 NF_CT_DUMP_TUPLE(&exp->tuple); 1430 nf_ct_dump_tuple(&exp->tuple);
1440 set_expect_timeout(exp, info->timeout); 1431 set_expect_timeout(exp, info->timeout);
1441 } 1432 }
1442 spin_unlock_bh(&nf_conntrack_lock); 1433 spin_unlock_bh(&nf_conntrack_lock);
@@ -1549,8 +1540,7 @@ static int process_acf(struct sk_buff *skb, struct nf_conn *ct,
1549 /* Need new expect */ 1540 /* Need new expect */
1550 if ((exp = nf_ct_expect_alloc(ct)) == NULL) 1541 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1551 return -1; 1542 return -1;
1552 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, 1543 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1553 ct->tuplehash[!dir].tuple.src.l3num,
1554 &ct->tuplehash[!dir].tuple.src.u3, &addr, 1544 &ct->tuplehash[!dir].tuple.src.u3, &addr,
1555 IPPROTO_TCP, NULL, &port); 1545 IPPROTO_TCP, NULL, &port);
1556 exp->flags = NF_CT_EXPECT_PERMANENT; 1546 exp->flags = NF_CT_EXPECT_PERMANENT;
@@ -1558,7 +1548,7 @@ static int process_acf(struct sk_buff *skb, struct nf_conn *ct,
1558 1548
1559 if (nf_ct_expect_related(exp) == 0) { 1549 if (nf_ct_expect_related(exp) == 0) {
1560 pr_debug("nf_ct_ras: expect Q.931 "); 1550 pr_debug("nf_ct_ras: expect Q.931 ");
1561 NF_CT_DUMP_TUPLE(&exp->tuple); 1551 nf_ct_dump_tuple(&exp->tuple);
1562 } else 1552 } else
1563 ret = -1; 1553 ret = -1;
1564 1554
@@ -1603,8 +1593,7 @@ static int process_lcf(struct sk_buff *skb, struct nf_conn *ct,
1603 /* Need new expect for call signal */ 1593 /* Need new expect for call signal */
1604 if ((exp = nf_ct_expect_alloc(ct)) == NULL) 1594 if ((exp = nf_ct_expect_alloc(ct)) == NULL)
1605 return -1; 1595 return -1;
1606 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, 1596 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
1607 ct->tuplehash[!dir].tuple.src.l3num,
1608 &ct->tuplehash[!dir].tuple.src.u3, &addr, 1597 &ct->tuplehash[!dir].tuple.src.u3, &addr,
1609 IPPROTO_TCP, NULL, &port); 1598 IPPROTO_TCP, NULL, &port);
1610 exp->flags = NF_CT_EXPECT_PERMANENT; 1599 exp->flags = NF_CT_EXPECT_PERMANENT;
@@ -1612,7 +1601,7 @@ static int process_lcf(struct sk_buff *skb, struct nf_conn *ct,
1612 1601
1613 if (nf_ct_expect_related(exp) == 0) { 1602 if (nf_ct_expect_related(exp) == 0) {
1614 pr_debug("nf_ct_ras: expect Q.931 "); 1603 pr_debug("nf_ct_ras: expect Q.931 ");
1615 NF_CT_DUMP_TUPLE(&exp->tuple); 1604 nf_ct_dump_tuple(&exp->tuple);
1616 } else 1605 } else
1617 ret = -1; 1606 ret = -1;
1618 1607
@@ -1716,7 +1705,7 @@ static int ras_help(struct sk_buff *skb, unsigned int protoff,
1716 if (data == NULL) 1705 if (data == NULL)
1717 goto accept; 1706 goto accept;
1718 pr_debug("nf_ct_ras: RAS message len=%d ", datalen); 1707 pr_debug("nf_ct_ras: RAS message len=%d ", datalen);
1719 NF_CT_DUMP_TUPLE(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple); 1708 nf_ct_dump_tuple(&ct->tuplehash[CTINFO2DIR(ctinfo)].tuple);
1720 1709
1721 /* Decode RAS message */ 1710 /* Decode RAS message */
1722 ret = DecodeRasMessage(data, datalen, &ras); 1711 ret = DecodeRasMessage(data, datalen, &ras);
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index e350f56d43c9..7d1b11703741 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -126,7 +126,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
126{ 126{
127 struct nf_conntrack_tuple_hash *h; 127 struct nf_conntrack_tuple_hash *h;
128 struct nf_conntrack_expect *exp; 128 struct nf_conntrack_expect *exp;
129 struct hlist_node *n, *next; 129 const struct hlist_node *n, *next;
130 unsigned int i; 130 unsigned int i;
131 131
132 mutex_lock(&nf_ct_helper_mutex); 132 mutex_lock(&nf_ct_helper_mutex);
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 02f21cbe5ae7..1b1226d6653f 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -50,7 +50,7 @@ MODULE_PARM_DESC(max_dcc_channels, "max number of expected DCC channels per "
50module_param(dcc_timeout, uint, 0400); 50module_param(dcc_timeout, uint, 0400);
51MODULE_PARM_DESC(dcc_timeout, "timeout on for unestablished DCC channels"); 51MODULE_PARM_DESC(dcc_timeout, "timeout on for unestablished DCC channels");
52 52
53static const char *dccprotos[] = { 53static const char *const dccprotos[] = {
54 "SEND ", "CHAT ", "MOVE ", "TSEND ", "SCHAT " 54 "SEND ", "CHAT ", "MOVE ", "TSEND ", "SCHAT "
55}; 55};
56 56
@@ -65,7 +65,7 @@ static const char *dccprotos[] = {
65 * ad_beg_p returns pointer to first byte of addr data 65 * ad_beg_p returns pointer to first byte of addr data
66 * ad_end_p returns pointer to last byte of addr data 66 * ad_end_p returns pointer to last byte of addr data
67 */ 67 */
68static int parse_dcc(char *data, char *data_end, u_int32_t *ip, 68static int parse_dcc(char *data, const char *data_end, u_int32_t *ip,
69 u_int16_t *port, char **ad_beg_p, char **ad_end_p) 69 u_int16_t *port, char **ad_beg_p, char **ad_end_p)
70{ 70{
71 /* at least 12: "AAAAAAAA P\1\n" */ 71 /* at least 12: "AAAAAAAA P\1\n" */
@@ -93,9 +93,11 @@ static int help(struct sk_buff *skb, unsigned int protoff,
93 struct nf_conn *ct, enum ip_conntrack_info ctinfo) 93 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
94{ 94{
95 unsigned int dataoff; 95 unsigned int dataoff;
96 struct iphdr *iph; 96 const struct iphdr *iph;
97 struct tcphdr _tcph, *th; 97 const struct tcphdr *th;
98 char *data, *data_limit, *ib_ptr; 98 struct tcphdr _tcph;
99 const char *data_limit;
100 char *data, *ib_ptr;
99 int dir = CTINFO2DIR(ctinfo); 101 int dir = CTINFO2DIR(ctinfo);
100 struct nf_conntrack_expect *exp; 102 struct nf_conntrack_expect *exp;
101 struct nf_conntrack_tuple *tuple; 103 struct nf_conntrack_tuple *tuple;
@@ -159,7 +161,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
159 /* we have at least 161 /* we have at least
160 * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid 162 * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
161 * data left (== 14/13 bytes) */ 163 * data left (== 14/13 bytes) */
162 if (parse_dcc((char *)data, data_limit, &dcc_ip, 164 if (parse_dcc(data, data_limit, &dcc_ip,
163 &dcc_port, &addr_beg_p, &addr_end_p)) { 165 &dcc_port, &addr_beg_p, &addr_end_p)) {
164 pr_debug("unable to parse dcc command\n"); 166 pr_debug("unable to parse dcc command\n");
165 continue; 167 continue;
diff --git a/net/netfilter/nf_conntrack_l3proto_generic.c b/net/netfilter/nf_conntrack_l3proto_generic.c
index 8e914e5ffea8..e7eb807fe07d 100644
--- a/net/netfilter/nf_conntrack_l3proto_generic.c
+++ b/net/netfilter/nf_conntrack_l3proto_generic.c
@@ -31,22 +31,22 @@
31#include <net/netfilter/nf_conntrack_core.h> 31#include <net/netfilter/nf_conntrack_core.h>
32#include <net/netfilter/ipv4/nf_conntrack_ipv4.h> 32#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
33 33
34static int generic_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff, 34static bool generic_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
35 struct nf_conntrack_tuple *tuple) 35 struct nf_conntrack_tuple *tuple)
36{ 36{
37 memset(&tuple->src.u3, 0, sizeof(tuple->src.u3)); 37 memset(&tuple->src.u3, 0, sizeof(tuple->src.u3));
38 memset(&tuple->dst.u3, 0, sizeof(tuple->dst.u3)); 38 memset(&tuple->dst.u3, 0, sizeof(tuple->dst.u3));
39 39
40 return 1; 40 return true;
41} 41}
42 42
43static int generic_invert_tuple(struct nf_conntrack_tuple *tuple, 43static bool generic_invert_tuple(struct nf_conntrack_tuple *tuple,
44 const struct nf_conntrack_tuple *orig) 44 const struct nf_conntrack_tuple *orig)
45{ 45{
46 memset(&tuple->src.u3, 0, sizeof(tuple->src.u3)); 46 memset(&tuple->src.u3, 0, sizeof(tuple->src.u3));
47 memset(&tuple->dst.u3, 0, sizeof(tuple->dst.u3)); 47 memset(&tuple->dst.u3, 0, sizeof(tuple->dst.u3));
48 48
49 return 1; 49 return true;
50} 50}
51 51
52static int generic_print_tuple(struct seq_file *s, 52static int generic_print_tuple(struct seq_file *s,
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 4a1b42b2b7a5..16774ecd1c4e 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -145,10 +145,11 @@ nla_put_failure:
145static inline int 145static inline int
146ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct nf_conn *ct) 146ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct nf_conn *ct)
147{ 147{
148 struct nf_conntrack_l4proto *l4proto = nf_ct_l4proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num, ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum); 148 struct nf_conntrack_l4proto *l4proto;
149 struct nlattr *nest_proto; 149 struct nlattr *nest_proto;
150 int ret; 150 int ret;
151 151
152 l4proto = nf_ct_l4proto_find_get(nf_ct_l3num(ct), nf_ct_protonum(ct));
152 if (!l4proto->to_nlattr) { 153 if (!l4proto->to_nlattr) {
153 nf_ct_l4proto_put(l4proto); 154 nf_ct_l4proto_put(l4proto);
154 return 0; 155 return 0;
@@ -368,8 +369,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
368 nfmsg = NLMSG_DATA(nlh); 369 nfmsg = NLMSG_DATA(nlh);
369 370
370 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0; 371 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
371 nfmsg->nfgen_family = 372 nfmsg->nfgen_family = nf_ct_l3num(ct);
372 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
373 nfmsg->version = NFNETLINK_V0; 373 nfmsg->version = NFNETLINK_V0;
374 nfmsg->res_id = 0; 374 nfmsg->res_id = 0;
375 375
@@ -454,7 +454,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
454 nfmsg = NLMSG_DATA(nlh); 454 nfmsg = NLMSG_DATA(nlh);
455 455
456 nlh->nlmsg_flags = flags; 456 nlh->nlmsg_flags = flags;
457 nfmsg->nfgen_family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num; 457 nfmsg->nfgen_family = nf_ct_l3num(ct);
458 nfmsg->version = NFNETLINK_V0; 458 nfmsg->version = NFNETLINK_V0;
459 nfmsg->res_id = 0; 459 nfmsg->res_id = 0;
460 460
@@ -535,8 +535,6 @@ static int ctnetlink_done(struct netlink_callback *cb)
535 return 0; 535 return 0;
536} 536}
537 537
538#define L3PROTO(ct) (ct)->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num
539
540static int 538static int
541ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 539ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
542{ 540{
@@ -558,7 +556,7 @@ restart:
558 /* Dump entries of a given L3 protocol number. 556 /* Dump entries of a given L3 protocol number.
559 * If it is not specified, ie. l3proto == 0, 557 * If it is not specified, ie. l3proto == 0,
560 * then dump everything. */ 558 * then dump everything. */
561 if (l3proto && L3PROTO(ct) != l3proto) 559 if (l3proto && nf_ct_l3num(ct) != l3proto)
562 continue; 560 continue;
563 if (cb->args[1]) { 561 if (cb->args[1]) {
564 if (ct != last) 562 if (ct != last)
@@ -704,20 +702,11 @@ static int nfnetlink_parse_nat_proto(struct nlattr *attr,
704 if (err < 0) 702 if (err < 0)
705 return err; 703 return err;
706 704
707 npt = nf_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum); 705 npt = nf_nat_proto_find_get(nf_ct_protonum(ct));
708 706 if (npt->nlattr_to_range)
709 if (!npt->nlattr_to_range) { 707 err = npt->nlattr_to_range(tb, range);
710 nf_nat_proto_put(npt);
711 return 0;
712 }
713
714 /* nlattr_to_range returns 1 if it parsed, 0 if not, neg. on error */
715 if (npt->nlattr_to_range(tb, range) > 0)
716 range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
717
718 nf_nat_proto_put(npt); 708 nf_nat_proto_put(npt);
719 709 return err;
720 return 0;
721} 710}
722 711
723static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = { 712static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
@@ -1010,14 +999,11 @@ ctnetlink_change_protoinfo(struct nf_conn *ct, struct nlattr *cda[])
1010{ 999{
1011 struct nlattr *tb[CTA_PROTOINFO_MAX+1], *attr = cda[CTA_PROTOINFO]; 1000 struct nlattr *tb[CTA_PROTOINFO_MAX+1], *attr = cda[CTA_PROTOINFO];
1012 struct nf_conntrack_l4proto *l4proto; 1001 struct nf_conntrack_l4proto *l4proto;
1013 u_int16_t npt = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
1014 u_int16_t l3num = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
1015 int err = 0; 1002 int err = 0;
1016 1003
1017 nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, NULL); 1004 nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, NULL);
1018 1005
1019 l4proto = nf_ct_l4proto_find_get(l3num, npt); 1006 l4proto = nf_ct_l4proto_find_get(nf_ct_l3num(ct), nf_ct_protonum(ct));
1020
1021 if (l4proto->from_nlattr) 1007 if (l4proto->from_nlattr)
1022 err = l4proto->from_nlattr(tb, ct); 1008 err = l4proto->from_nlattr(tb, ct);
1023 nf_ct_l4proto_put(l4proto); 1009 nf_ct_l4proto_put(l4proto);
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index 8fd83470d1b3..97e54b0e43a3 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -119,7 +119,7 @@ static void pptp_expectfn(struct nf_conn *ct,
119 /* obviously this tuple inversion only works until you do NAT */ 119 /* obviously this tuple inversion only works until you do NAT */
120 nf_ct_invert_tuplepr(&inv_t, &exp->tuple); 120 nf_ct_invert_tuplepr(&inv_t, &exp->tuple);
121 pr_debug("trying to unexpect other dir: "); 121 pr_debug("trying to unexpect other dir: ");
122 NF_CT_DUMP_TUPLE(&inv_t); 122 nf_ct_dump_tuple(&inv_t);
123 123
124 exp_other = nf_ct_expect_find_get(&inv_t); 124 exp_other = nf_ct_expect_find_get(&inv_t);
125 if (exp_other) { 125 if (exp_other) {
@@ -141,7 +141,7 @@ static int destroy_sibling_or_exp(const struct nf_conntrack_tuple *t)
141 struct nf_conn *sibling; 141 struct nf_conn *sibling;
142 142
143 pr_debug("trying to timeout ct or exp for tuple "); 143 pr_debug("trying to timeout ct or exp for tuple ");
144 NF_CT_DUMP_TUPLE(t); 144 nf_ct_dump_tuple(t);
145 145
146 h = nf_conntrack_find_get(t); 146 h = nf_conntrack_find_get(t);
147 if (h) { 147 if (h) {
@@ -209,7 +209,7 @@ static int exp_gre(struct nf_conn *ct, __be16 callid, __be16 peer_callid)
209 /* original direction, PNS->PAC */ 209 /* original direction, PNS->PAC */
210 dir = IP_CT_DIR_ORIGINAL; 210 dir = IP_CT_DIR_ORIGINAL;
211 nf_ct_expect_init(exp_orig, NF_CT_EXPECT_CLASS_DEFAULT, 211 nf_ct_expect_init(exp_orig, NF_CT_EXPECT_CLASS_DEFAULT,
212 ct->tuplehash[dir].tuple.src.l3num, 212 nf_ct_l3num(ct),
213 &ct->tuplehash[dir].tuple.src.u3, 213 &ct->tuplehash[dir].tuple.src.u3,
214 &ct->tuplehash[dir].tuple.dst.u3, 214 &ct->tuplehash[dir].tuple.dst.u3,
215 IPPROTO_GRE, &peer_callid, &callid); 215 IPPROTO_GRE, &peer_callid, &callid);
@@ -218,7 +218,7 @@ static int exp_gre(struct nf_conn *ct, __be16 callid, __be16 peer_callid)
218 /* reply direction, PAC->PNS */ 218 /* reply direction, PAC->PNS */
219 dir = IP_CT_DIR_REPLY; 219 dir = IP_CT_DIR_REPLY;
220 nf_ct_expect_init(exp_reply, NF_CT_EXPECT_CLASS_DEFAULT, 220 nf_ct_expect_init(exp_reply, NF_CT_EXPECT_CLASS_DEFAULT,
221 ct->tuplehash[dir].tuple.src.l3num, 221 nf_ct_l3num(ct),
222 &ct->tuplehash[dir].tuple.src.u3, 222 &ct->tuplehash[dir].tuple.src.u3,
223 &ct->tuplehash[dir].tuple.dst.u3, 223 &ct->tuplehash[dir].tuple.dst.u3,
224 IPPROTO_GRE, &callid, &peer_callid); 224 IPPROTO_GRE, &callid, &peer_callid);
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 8595b5946acf..a49fc932629b 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -146,18 +146,15 @@ EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put);
146 146
147static int kill_l3proto(struct nf_conn *i, void *data) 147static int kill_l3proto(struct nf_conn *i, void *data)
148{ 148{
149 return (i->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num == 149 return nf_ct_l3num(i) == ((struct nf_conntrack_l3proto *)data)->l3proto;
150 ((struct nf_conntrack_l3proto *)data)->l3proto);
151} 150}
152 151
153static int kill_l4proto(struct nf_conn *i, void *data) 152static int kill_l4proto(struct nf_conn *i, void *data)
154{ 153{
155 struct nf_conntrack_l4proto *l4proto; 154 struct nf_conntrack_l4proto *l4proto;
156 l4proto = (struct nf_conntrack_l4proto *)data; 155 l4proto = (struct nf_conntrack_l4proto *)data;
157 return (i->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum == 156 return nf_ct_protonum(i) == l4proto->l4proto &&
158 l4proto->l4proto) && 157 nf_ct_l3num(i) == l4proto->l3proto;
159 (i->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num ==
160 l4proto->l3proto);
161} 158}
162 159
163static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto) 160static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
new file mode 100644
index 000000000000..afb4a1861d2c
--- /dev/null
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -0,0 +1,815 @@
1/*
2 * DCCP connection tracking protocol helper
3 *
4 * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net>
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation.
9 *
10 */
11#include <linux/kernel.h>
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/sysctl.h>
15#include <linux/spinlock.h>
16#include <linux/skbuff.h>
17#include <linux/dccp.h>
18
19#include <linux/netfilter/nfnetlink_conntrack.h>
20#include <net/netfilter/nf_conntrack.h>
21#include <net/netfilter/nf_conntrack_l4proto.h>
22#include <net/netfilter/nf_log.h>
23
24static DEFINE_RWLOCK(dccp_lock);
25
26static int nf_ct_dccp_loose __read_mostly = 1;
27
28/* Timeouts are based on values from RFC4340:
29 *
30 * - REQUEST:
31 *
32 * 8.1.2. Client Request
33 *
34 * A client MAY give up on its DCCP-Requests after some time
35 * (3 minutes, for example).
36 *
37 * - RESPOND:
38 *
39 * 8.1.3. Server Response
40 *
41 * It MAY also leave the RESPOND state for CLOSED after a timeout of
42 * not less than 4MSL (8 minutes);
43 *
44 * - PARTOPEN:
45 *
46 * 8.1.5. Handshake Completion
47 *
48 * If the client remains in PARTOPEN for more than 4MSL (8 minutes),
49 * it SHOULD reset the connection with Reset Code 2, "Aborted".
50 *
51 * - OPEN:
52 *
53 * The DCCP timestamp overflows after 11.9 hours. If the connection
54 * stays idle this long the sequence number won't be recognized
55 * as valid anymore.
56 *
57 * - CLOSEREQ/CLOSING:
58 *
59 * 8.3. Termination
60 *
61 * The retransmission timer should initially be set to go off in two
62 * round-trip times and should back off to not less than once every
63 * 64 seconds ...
64 *
65 * - TIMEWAIT:
66 *
67 * 4.3. States
68 *
69 * A server or client socket remains in this state for 2MSL (4 minutes)
70 * after the connection has been town down, ...
71 */
72
73#define DCCP_MSL (2 * 60 * HZ)
74
75static unsigned int dccp_timeout[CT_DCCP_MAX + 1] __read_mostly = {
76 [CT_DCCP_REQUEST] = 2 * DCCP_MSL,
77 [CT_DCCP_RESPOND] = 4 * DCCP_MSL,
78 [CT_DCCP_PARTOPEN] = 4 * DCCP_MSL,
79 [CT_DCCP_OPEN] = 12 * 3600 * HZ,
80 [CT_DCCP_CLOSEREQ] = 64 * HZ,
81 [CT_DCCP_CLOSING] = 64 * HZ,
82 [CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL,
83};
84
85static const char * const dccp_state_names[] = {
86 [CT_DCCP_NONE] = "NONE",
87 [CT_DCCP_REQUEST] = "REQUEST",
88 [CT_DCCP_RESPOND] = "RESPOND",
89 [CT_DCCP_PARTOPEN] = "PARTOPEN",
90 [CT_DCCP_OPEN] = "OPEN",
91 [CT_DCCP_CLOSEREQ] = "CLOSEREQ",
92 [CT_DCCP_CLOSING] = "CLOSING",
93 [CT_DCCP_TIMEWAIT] = "TIMEWAIT",
94 [CT_DCCP_IGNORE] = "IGNORE",
95 [CT_DCCP_INVALID] = "INVALID",
96};
97
98#define sNO CT_DCCP_NONE
99#define sRQ CT_DCCP_REQUEST
100#define sRS CT_DCCP_RESPOND
101#define sPO CT_DCCP_PARTOPEN
102#define sOP CT_DCCP_OPEN
103#define sCR CT_DCCP_CLOSEREQ
104#define sCG CT_DCCP_CLOSING
105#define sTW CT_DCCP_TIMEWAIT
106#define sIG CT_DCCP_IGNORE
107#define sIV CT_DCCP_INVALID
108
109/*
110 * DCCP state transistion table
111 *
112 * The assumption is the same as for TCP tracking:
113 *
114 * We are the man in the middle. All the packets go through us but might
115 * get lost in transit to the destination. It is assumed that the destination
116 * can't receive segments we haven't seen.
117 *
118 * The following states exist:
119 *
120 * NONE: Initial state, expecting Request
121 * REQUEST: Request seen, waiting for Response from server
122 * RESPOND: Response from server seen, waiting for Ack from client
123 * PARTOPEN: Ack after Response seen, waiting for packet other than Response,
124 * Reset or Sync from server
125 * OPEN: Packet other than Response, Reset or Sync seen
126 * CLOSEREQ: CloseReq from server seen, expecting Close from client
127 * CLOSING: Close seen, expecting Reset
128 * TIMEWAIT: Reset seen
129 * IGNORE: Not determinable whether packet is valid
130 *
131 * Some states exist only on one side of the connection: REQUEST, RESPOND,
132 * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to
133 * the one it was in before.
134 *
135 * Packets are marked as ignored (sIG) if we don't know if they're valid
136 * (for example a reincarnation of a connection we didn't notice is dead
137 * already) and the server may send back a connection closing Reset or a
138 * Response. They're also used for Sync/SyncAck packets, which we don't
139 * care about.
140 */
141static const u_int8_t
142dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = {
143 [CT_DCCP_ROLE_CLIENT] = {
144 [DCCP_PKT_REQUEST] = {
145 /*
146 * sNO -> sRQ Regular Request
147 * sRQ -> sRQ Retransmitted Request or reincarnation
148 * sRS -> sRS Retransmitted Request (apparently Response
149 * got lost after we saw it) or reincarnation
150 * sPO -> sIG Ignore, conntrack might be out of sync
151 * sOP -> sIG Ignore, conntrack might be out of sync
152 * sCR -> sIG Ignore, conntrack might be out of sync
153 * sCG -> sIG Ignore, conntrack might be out of sync
154 * sTW -> sRQ Reincarnation
155 *
156 * sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */
157 sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ,
158 },
159 [DCCP_PKT_RESPONSE] = {
160 /*
161 * sNO -> sIV Invalid
162 * sRQ -> sIG Ignore, might be response to ignored Request
163 * sRS -> sIG Ignore, might be response to ignored Request
164 * sPO -> sIG Ignore, might be response to ignored Request
165 * sOP -> sIG Ignore, might be response to ignored Request
166 * sCR -> sIG Ignore, might be response to ignored Request
167 * sCG -> sIG Ignore, might be response to ignored Request
168 * sTW -> sIV Invalid, reincarnation in reverse direction
169 * goes through sRQ
170 *
171 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
172 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV,
173 },
174 [DCCP_PKT_ACK] = {
175 /*
176 * sNO -> sIV No connection
177 * sRQ -> sIV No connection
178 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
179 * sPO -> sPO Retransmitted Ack for Response, remain in PARTOPEN
180 * sOP -> sOP Regular ACK, remain in OPEN
181 * sCR -> sCR Ack in CLOSEREQ MAY be processed (8.3.)
182 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
183 * sTW -> sIV
184 *
185 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
186 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
187 },
188 [DCCP_PKT_DATA] = {
189 /*
190 * sNO -> sIV No connection
191 * sRQ -> sIV No connection
192 * sRS -> sIV No connection
193 * sPO -> sIV MUST use DataAck in PARTOPEN state (8.1.5.)
194 * sOP -> sOP Regular Data packet
195 * sCR -> sCR Data in CLOSEREQ MAY be processed (8.3.)
196 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
197 * sTW -> sIV
198 *
199 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
200 sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV,
201 },
202 [DCCP_PKT_DATAACK] = {
203 /*
204 * sNO -> sIV No connection
205 * sRQ -> sIV No connection
206 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
207 * sPO -> sPO Remain in PARTOPEN state
208 * sOP -> sOP Regular DataAck packet in OPEN state
209 * sCR -> sCR DataAck in CLOSEREQ MAY be processed (8.3.)
210 * sCG -> sCG DataAck in CLOSING MAY be processed (8.3.)
211 * sTW -> sIV
212 *
213 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
214 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
215 },
216 [DCCP_PKT_CLOSEREQ] = {
217 /*
218 * CLOSEREQ may only be sent by the server.
219 *
220 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
221 sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV
222 },
223 [DCCP_PKT_CLOSE] = {
224 /*
225 * sNO -> sIV No connection
226 * sRQ -> sIV No connection
227 * sRS -> sIV No connection
228 * sPO -> sCG Client-initiated close
229 * sOP -> sCG Client-initiated close
230 * sCR -> sCG Close in response to CloseReq (8.3.)
231 * sCG -> sCG Retransmit
232 * sTW -> sIV Late retransmit, already in TIME_WAIT
233 *
234 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
235 sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV
236 },
237 [DCCP_PKT_RESET] = {
238 /*
239 * sNO -> sIV No connection
240 * sRQ -> sTW Sync received or timeout, SHOULD send Reset (8.1.1.)
241 * sRS -> sTW Response received without Request
242 * sPO -> sTW Timeout, SHOULD send Reset (8.1.5.)
243 * sOP -> sTW Connection reset
244 * sCR -> sTW Connection reset
245 * sCG -> sTW Connection reset
246 * sTW -> sIG Ignore (don't refresh timer)
247 *
248 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
249 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG
250 },
251 [DCCP_PKT_SYNC] = {
252 /*
253 * We currently ignore Sync packets
254 *
255 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
256 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
257 },
258 [DCCP_PKT_SYNCACK] = {
259 /*
260 * We currently ignore SyncAck packets
261 *
262 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
263 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
264 },
265 },
266 [CT_DCCP_ROLE_SERVER] = {
267 [DCCP_PKT_REQUEST] = {
268 /*
269 * sNO -> sIV Invalid
270 * sRQ -> sIG Ignore, conntrack might be out of sync
271 * sRS -> sIG Ignore, conntrack might be out of sync
272 * sPO -> sIG Ignore, conntrack might be out of sync
273 * sOP -> sIG Ignore, conntrack might be out of sync
274 * sCR -> sIG Ignore, conntrack might be out of sync
275 * sCG -> sIG Ignore, conntrack might be out of sync
276 * sTW -> sRQ Reincarnation, must reverse roles
277 *
278 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
279 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ
280 },
281 [DCCP_PKT_RESPONSE] = {
282 /*
283 * sNO -> sIV Response without Request
284 * sRQ -> sRS Response to clients Request
285 * sRS -> sRS Retransmitted Response (8.1.3. SHOULD NOT)
286 * sPO -> sIG Response to an ignored Request or late retransmit
287 * sOP -> sIG Ignore, might be response to ignored Request
288 * sCR -> sIG Ignore, might be response to ignored Request
289 * sCG -> sIG Ignore, might be response to ignored Request
290 * sTW -> sIV Invalid, Request from client in sTW moves to sRQ
291 *
292 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
293 sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV
294 },
295 [DCCP_PKT_ACK] = {
296 /*
297 * sNO -> sIV No connection
298 * sRQ -> sIV No connection
299 * sRS -> sIV No connection
300 * sPO -> sOP Enter OPEN state (8.1.5.)
301 * sOP -> sOP Regular Ack in OPEN state
302 * sCR -> sIV Waiting for Close from client
303 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
304 * sTW -> sIV
305 *
306 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
307 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
308 },
309 [DCCP_PKT_DATA] = {
310 /*
311 * sNO -> sIV No connection
312 * sRQ -> sIV No connection
313 * sRS -> sIV No connection
314 * sPO -> sOP Enter OPEN state (8.1.5.)
315 * sOP -> sOP Regular Data packet in OPEN state
316 * sCR -> sIV Waiting for Close from client
317 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
318 * sTW -> sIV
319 *
320 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
321 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
322 },
323 [DCCP_PKT_DATAACK] = {
324 /*
325 * sNO -> sIV No connection
326 * sRQ -> sIV No connection
327 * sRS -> sIV No connection
328 * sPO -> sOP Enter OPEN state (8.1.5.)
329 * sOP -> sOP Regular DataAck in OPEN state
330 * sCR -> sIV Waiting for Close from client
331 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
332 * sTW -> sIV
333 *
334 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
335 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
336 },
337 [DCCP_PKT_CLOSEREQ] = {
338 /*
339 * sNO -> sIV No connection
340 * sRQ -> sIV No connection
341 * sRS -> sIV No connection
342 * sPO -> sOP -> sCR Move directly to CLOSEREQ (8.1.5.)
343 * sOP -> sCR CloseReq in OPEN state
344 * sCR -> sCR Retransmit
345 * sCG -> sCR Simultaneous close, client sends another Close
346 * sTW -> sIV Already closed
347 *
348 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
349 sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV
350 },
351 [DCCP_PKT_CLOSE] = {
352 /*
353 * sNO -> sIV No connection
354 * sRQ -> sIV No connection
355 * sRS -> sIV No connection
356 * sPO -> sOP -> sCG Move direcly to CLOSING
357 * sOP -> sCG Move to CLOSING
358 * sCR -> sIV Close after CloseReq is invalid
359 * sCG -> sCG Retransmit
360 * sTW -> sIV Already closed
361 *
362 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
363 sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV
364 },
365 [DCCP_PKT_RESET] = {
366 /*
367 * sNO -> sIV No connection
368 * sRQ -> sTW Reset in response to Request
369 * sRS -> sTW Timeout, SHOULD send Reset (8.1.3.)
370 * sPO -> sTW Timeout, SHOULD send Reset (8.1.3.)
371 * sOP -> sTW
372 * sCR -> sTW
373 * sCG -> sTW
374 * sTW -> sIG Ignore (don't refresh timer)
375 *
376 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */
377 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG
378 },
379 [DCCP_PKT_SYNC] = {
380 /*
381 * We currently ignore Sync packets
382 *
383 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
384 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
385 },
386 [DCCP_PKT_SYNCACK] = {
387 /*
388 * We currently ignore SyncAck packets
389 *
390 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
391 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
392 },
393 },
394};
395
396static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
397 struct nf_conntrack_tuple *tuple)
398{
399 struct dccp_hdr _hdr, *dh;
400
401 dh = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
402 if (dh == NULL)
403 return false;
404
405 tuple->src.u.dccp.port = dh->dccph_sport;
406 tuple->dst.u.dccp.port = dh->dccph_dport;
407 return true;
408}
409
410static bool dccp_invert_tuple(struct nf_conntrack_tuple *inv,
411 const struct nf_conntrack_tuple *tuple)
412{
413 inv->src.u.dccp.port = tuple->dst.u.dccp.port;
414 inv->dst.u.dccp.port = tuple->src.u.dccp.port;
415 return true;
416}
417
418static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
419 unsigned int dataoff)
420{
421 struct dccp_hdr _dh, *dh;
422 const char *msg;
423 u_int8_t state;
424
425 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
426 BUG_ON(dh == NULL);
427
428 state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
429 switch (state) {
430 default:
431 if (nf_ct_dccp_loose == 0) {
432 msg = "nf_ct_dccp: not picking up existing connection ";
433 goto out_invalid;
434 }
435 case CT_DCCP_REQUEST:
436 break;
437 case CT_DCCP_INVALID:
438 msg = "nf_ct_dccp: invalid state transition ";
439 goto out_invalid;
440 }
441
442 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
443 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
444 ct->proto.dccp.state = CT_DCCP_NONE;
445 return true;
446
447out_invalid:
448 if (LOG_INVALID(IPPROTO_DCCP))
449 nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, msg);
450 return false;
451}
452
453static u64 dccp_ack_seq(const struct dccp_hdr *dh)
454{
455 const struct dccp_hdr_ack_bits *dhack;
456
457 dhack = (void *)dh + __dccp_basic_hdr_len(dh);
458 return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) +
459 ntohl(dhack->dccph_ack_nr_low);
460}
461
462static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
463 unsigned int dataoff, enum ip_conntrack_info ctinfo,
464 int pf, unsigned int hooknum)
465{
466 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
467 struct dccp_hdr _dh, *dh;
468 u_int8_t type, old_state, new_state;
469 enum ct_dccp_roles role;
470
471 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
472 BUG_ON(dh == NULL);
473 type = dh->dccph_type;
474
475 if (type == DCCP_PKT_RESET &&
476 !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
477 /* Tear down connection immediately if only reply is a RESET */
478 if (del_timer(&ct->timeout))
479 ct->timeout.function((unsigned long)ct);
480 return NF_ACCEPT;
481 }
482
483 write_lock_bh(&dccp_lock);
484
485 role = ct->proto.dccp.role[dir];
486 old_state = ct->proto.dccp.state;
487 new_state = dccp_state_table[role][type][old_state];
488
489 switch (new_state) {
490 case CT_DCCP_REQUEST:
491 if (old_state == CT_DCCP_TIMEWAIT &&
492 role == CT_DCCP_ROLE_SERVER) {
493 /* Reincarnation in the reverse direction: reopen and
494 * reverse client/server roles. */
495 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT;
496 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER;
497 }
498 break;
499 case CT_DCCP_RESPOND:
500 if (old_state == CT_DCCP_REQUEST)
501 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
502 break;
503 case CT_DCCP_PARTOPEN:
504 if (old_state == CT_DCCP_RESPOND &&
505 type == DCCP_PKT_ACK &&
506 dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq)
507 set_bit(IPS_ASSURED_BIT, &ct->status);
508 break;
509 case CT_DCCP_IGNORE:
510 /*
511 * Connection tracking might be out of sync, so we ignore
512 * packets that might establish a new connection and resync
513 * if the server responds with a valid Response.
514 */
515 if (ct->proto.dccp.last_dir == !dir &&
516 ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST &&
517 type == DCCP_PKT_RESPONSE) {
518 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT;
519 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER;
520 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
521 new_state = CT_DCCP_RESPOND;
522 break;
523 }
524 ct->proto.dccp.last_dir = dir;
525 ct->proto.dccp.last_pkt = type;
526
527 write_unlock_bh(&dccp_lock);
528 if (LOG_INVALID(IPPROTO_DCCP))
529 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
530 "nf_ct_dccp: invalid packet ignored ");
531 return NF_ACCEPT;
532 case CT_DCCP_INVALID:
533 write_unlock_bh(&dccp_lock);
534 if (LOG_INVALID(IPPROTO_DCCP))
535 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
536 "nf_ct_dccp: invalid state transition ");
537 return -NF_ACCEPT;
538 }
539
540 ct->proto.dccp.last_dir = dir;
541 ct->proto.dccp.last_pkt = type;
542 ct->proto.dccp.state = new_state;
543 write_unlock_bh(&dccp_lock);
544 nf_ct_refresh_acct(ct, ctinfo, skb, dccp_timeout[new_state]);
545
546 return NF_ACCEPT;
547}
548
549static int dccp_error(struct sk_buff *skb, unsigned int dataoff,
550 enum ip_conntrack_info *ctinfo, int pf,
551 unsigned int hooknum)
552{
553 struct dccp_hdr _dh, *dh;
554 unsigned int dccp_len = skb->len - dataoff;
555 unsigned int cscov;
556 const char *msg;
557
558 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
559 if (dh == NULL) {
560 msg = "nf_ct_dccp: short packet ";
561 goto out_invalid;
562 }
563
564 if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
565 dh->dccph_doff * 4 > dccp_len) {
566 msg = "nf_ct_dccp: truncated/malformed packet ";
567 goto out_invalid;
568 }
569
570 cscov = dccp_len;
571 if (dh->dccph_cscov) {
572 cscov = (dh->dccph_cscov - 1) * 4;
573 if (cscov > dccp_len) {
574 msg = "nf_ct_dccp: bad checksum coverage ";
575 goto out_invalid;
576 }
577 }
578
579 if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING &&
580 nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP,
581 pf)) {
582 msg = "nf_ct_dccp: bad checksum ";
583 goto out_invalid;
584 }
585
586 if (dh->dccph_type >= DCCP_PKT_INVALID) {
587 msg = "nf_ct_dccp: reserved packet type ";
588 goto out_invalid;
589 }
590
591 return NF_ACCEPT;
592
593out_invalid:
594 if (LOG_INVALID(IPPROTO_DCCP))
595 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, msg);
596 return -NF_ACCEPT;
597}
598
599static int dccp_print_tuple(struct seq_file *s,
600 const struct nf_conntrack_tuple *tuple)
601{
602 return seq_printf(s, "sport=%hu dport=%hu ",
603 ntohs(tuple->src.u.dccp.port),
604 ntohs(tuple->dst.u.dccp.port));
605}
606
607static int dccp_print_conntrack(struct seq_file *s, const struct nf_conn *ct)
608{
609 return seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]);
610}
611
612#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
613static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
614 const struct nf_conn *ct)
615{
616 struct nlattr *nest_parms;
617
618 read_lock_bh(&dccp_lock);
619 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP | NLA_F_NESTED);
620 if (!nest_parms)
621 goto nla_put_failure;
622 NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state);
623 nla_nest_end(skb, nest_parms);
624 read_unlock_bh(&dccp_lock);
625 return 0;
626
627nla_put_failure:
628 read_unlock_bh(&dccp_lock);
629 return -1;
630}
631
632static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = {
633 [CTA_PROTOINFO_DCCP_STATE] = { .type = NLA_U8 },
634};
635
636static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
637{
638 struct nlattr *attr = cda[CTA_PROTOINFO_DCCP];
639 struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1];
640 int err;
641
642 if (!attr)
643 return 0;
644
645 err = nla_parse_nested(tb, CTA_PROTOINFO_DCCP_MAX, attr,
646 dccp_nla_policy);
647 if (err < 0)
648 return err;
649
650 if (!tb[CTA_PROTOINFO_DCCP_STATE] ||
651 nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE)
652 return -EINVAL;
653
654 write_lock_bh(&dccp_lock);
655 ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]);
656 write_unlock_bh(&dccp_lock);
657 return 0;
658}
659#endif
660
661#ifdef CONFIG_SYSCTL
662static unsigned int dccp_sysctl_table_users;
663static struct ctl_table_header *dccp_sysctl_header;
664static ctl_table dccp_sysctl_table[] = {
665 {
666 .ctl_name = CTL_UNNUMBERED,
667 .procname = "nf_conntrack_dccp_timeout_request",
668 .data = &dccp_timeout[CT_DCCP_REQUEST],
669 .maxlen = sizeof(unsigned int),
670 .mode = 0644,
671 .proc_handler = proc_dointvec_jiffies,
672 },
673 {
674 .ctl_name = CTL_UNNUMBERED,
675 .procname = "nf_conntrack_dccp_timeout_respond",
676 .data = &dccp_timeout[CT_DCCP_RESPOND],
677 .maxlen = sizeof(unsigned int),
678 .mode = 0644,
679 .proc_handler = proc_dointvec_jiffies,
680 },
681 {
682 .ctl_name = CTL_UNNUMBERED,
683 .procname = "nf_conntrack_dccp_timeout_partopen",
684 .data = &dccp_timeout[CT_DCCP_PARTOPEN],
685 .maxlen = sizeof(unsigned int),
686 .mode = 0644,
687 .proc_handler = proc_dointvec_jiffies,
688 },
689 {
690 .ctl_name = CTL_UNNUMBERED,
691 .procname = "nf_conntrack_dccp_timeout_open",
692 .data = &dccp_timeout[CT_DCCP_OPEN],
693 .maxlen = sizeof(unsigned int),
694 .mode = 0644,
695 .proc_handler = proc_dointvec_jiffies,
696 },
697 {
698 .ctl_name = CTL_UNNUMBERED,
699 .procname = "nf_conntrack_dccp_timeout_closereq",
700 .data = &dccp_timeout[CT_DCCP_CLOSEREQ],
701 .maxlen = sizeof(unsigned int),
702 .mode = 0644,
703 .proc_handler = proc_dointvec_jiffies,
704 },
705 {
706 .ctl_name = CTL_UNNUMBERED,
707 .procname = "nf_conntrack_dccp_timeout_closing",
708 .data = &dccp_timeout[CT_DCCP_CLOSING],
709 .maxlen = sizeof(unsigned int),
710 .mode = 0644,
711 .proc_handler = proc_dointvec_jiffies,
712 },
713 {
714 .ctl_name = CTL_UNNUMBERED,
715 .procname = "nf_conntrack_dccp_timeout_timewait",
716 .data = &dccp_timeout[CT_DCCP_TIMEWAIT],
717 .maxlen = sizeof(unsigned int),
718 .mode = 0644,
719 .proc_handler = proc_dointvec_jiffies,
720 },
721 {
722 .ctl_name = CTL_UNNUMBERED,
723 .procname = "nf_conntrack_dccp_loose",
724 .data = &nf_ct_dccp_loose,
725 .maxlen = sizeof(nf_ct_dccp_loose),
726 .mode = 0644,
727 .proc_handler = proc_dointvec,
728 },
729 {
730 .ctl_name = 0,
731 }
732};
733#endif /* CONFIG_SYSCTL */
734
735static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
736 .l3proto = AF_INET,
737 .l4proto = IPPROTO_DCCP,
738 .name = "dccp",
739 .pkt_to_tuple = dccp_pkt_to_tuple,
740 .invert_tuple = dccp_invert_tuple,
741 .new = dccp_new,
742 .packet = dccp_packet,
743 .error = dccp_error,
744 .print_tuple = dccp_print_tuple,
745 .print_conntrack = dccp_print_conntrack,
746#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
747 .to_nlattr = dccp_to_nlattr,
748 .from_nlattr = nlattr_to_dccp,
749 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
750 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
751 .nla_policy = nf_ct_port_nla_policy,
752#endif
753#ifdef CONFIG_SYSCTL
754 .ctl_table_users = &dccp_sysctl_table_users,
755 .ctl_table_header = &dccp_sysctl_header,
756 .ctl_table = dccp_sysctl_table,
757#endif
758};
759
760static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
761 .l3proto = AF_INET6,
762 .l4proto = IPPROTO_DCCP,
763 .name = "dccp",
764 .pkt_to_tuple = dccp_pkt_to_tuple,
765 .invert_tuple = dccp_invert_tuple,
766 .new = dccp_new,
767 .packet = dccp_packet,
768 .error = dccp_error,
769 .print_tuple = dccp_print_tuple,
770 .print_conntrack = dccp_print_conntrack,
771#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
772 .to_nlattr = dccp_to_nlattr,
773 .from_nlattr = nlattr_to_dccp,
774 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
775 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
776 .nla_policy = nf_ct_port_nla_policy,
777#endif
778#ifdef CONFIG_SYSCTL
779 .ctl_table_users = &dccp_sysctl_table_users,
780 .ctl_table_header = &dccp_sysctl_header,
781 .ctl_table = dccp_sysctl_table,
782#endif
783};
784
785static int __init nf_conntrack_proto_dccp_init(void)
786{
787 int err;
788
789 err = nf_conntrack_l4proto_register(&dccp_proto4);
790 if (err < 0)
791 goto err1;
792
793 err = nf_conntrack_l4proto_register(&dccp_proto6);
794 if (err < 0)
795 goto err2;
796 return 0;
797
798err2:
799 nf_conntrack_l4proto_unregister(&dccp_proto4);
800err1:
801 return err;
802}
803
804static void __exit nf_conntrack_proto_dccp_fini(void)
805{
806 nf_conntrack_l4proto_unregister(&dccp_proto6);
807 nf_conntrack_l4proto_unregister(&dccp_proto4);
808}
809
810module_init(nf_conntrack_proto_dccp_init);
811module_exit(nf_conntrack_proto_dccp_fini);
812
813MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
814MODULE_DESCRIPTION("DCCP connection tracking protocol helper");
815MODULE_LICENSE("GPL");
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 55458915575f..e31b0e7bd0b1 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -14,23 +14,23 @@
14 14
15static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ; 15static unsigned int nf_ct_generic_timeout __read_mostly = 600*HZ;
16 16
17static int generic_pkt_to_tuple(const struct sk_buff *skb, 17static bool generic_pkt_to_tuple(const struct sk_buff *skb,
18 unsigned int dataoff, 18 unsigned int dataoff,
19 struct nf_conntrack_tuple *tuple) 19 struct nf_conntrack_tuple *tuple)
20{ 20{
21 tuple->src.u.all = 0; 21 tuple->src.u.all = 0;
22 tuple->dst.u.all = 0; 22 tuple->dst.u.all = 0;
23 23
24 return 1; 24 return true;
25} 25}
26 26
27static int generic_invert_tuple(struct nf_conntrack_tuple *tuple, 27static bool generic_invert_tuple(struct nf_conntrack_tuple *tuple,
28 const struct nf_conntrack_tuple *orig) 28 const struct nf_conntrack_tuple *orig)
29{ 29{
30 tuple->src.u.all = 0; 30 tuple->src.u.all = 0;
31 tuple->dst.u.all = 0; 31 tuple->dst.u.all = 0;
32 32
33 return 1; 33 return true;
34} 34}
35 35
36/* Print out the per-protocol part of the tuple. */ 36/* Print out the per-protocol part of the tuple. */
@@ -53,10 +53,10 @@ static int packet(struct nf_conn *ct,
53} 53}
54 54
55/* Called when a new connection for this protocol found. */ 55/* Called when a new connection for this protocol found. */
56static int new(struct nf_conn *ct, const struct sk_buff *skb, 56static bool new(struct nf_conn *ct, const struct sk_buff *skb,
57 unsigned int dataoff) 57 unsigned int dataoff)
58{ 58{
59 return 1; 59 return true;
60} 60}
61 61
62#ifdef CONFIG_SYSCTL 62#ifdef CONFIG_SYSCTL
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index e10024a1b666..654a4f7f12c6 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -82,7 +82,7 @@ static __be16 gre_keymap_lookup(struct nf_conntrack_tuple *t)
82 read_unlock_bh(&nf_ct_gre_lock); 82 read_unlock_bh(&nf_ct_gre_lock);
83 83
84 pr_debug("lookup src key 0x%x for ", key); 84 pr_debug("lookup src key 0x%x for ", key);
85 NF_CT_DUMP_TUPLE(t); 85 nf_ct_dump_tuple(t);
86 86
87 return key; 87 return key;
88} 88}
@@ -113,7 +113,7 @@ int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir,
113 *kmp = km; 113 *kmp = km;
114 114
115 pr_debug("adding new entry %p: ", km); 115 pr_debug("adding new entry %p: ", km);
116 NF_CT_DUMP_TUPLE(&km->tuple); 116 nf_ct_dump_tuple(&km->tuple);
117 117
118 write_lock_bh(&nf_ct_gre_lock); 118 write_lock_bh(&nf_ct_gre_lock);
119 list_add_tail(&km->list, &gre_keymap_list); 119 list_add_tail(&km->list, &gre_keymap_list);
@@ -148,18 +148,17 @@ EXPORT_SYMBOL_GPL(nf_ct_gre_keymap_destroy);
148/* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */ 148/* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */
149 149
150/* invert gre part of tuple */ 150/* invert gre part of tuple */
151static int gre_invert_tuple(struct nf_conntrack_tuple *tuple, 151static bool gre_invert_tuple(struct nf_conntrack_tuple *tuple,
152 const struct nf_conntrack_tuple *orig) 152 const struct nf_conntrack_tuple *orig)
153{ 153{
154 tuple->dst.u.gre.key = orig->src.u.gre.key; 154 tuple->dst.u.gre.key = orig->src.u.gre.key;
155 tuple->src.u.gre.key = orig->dst.u.gre.key; 155 tuple->src.u.gre.key = orig->dst.u.gre.key;
156 return 1; 156 return true;
157} 157}
158 158
159/* gre hdr info to tuple */ 159/* gre hdr info to tuple */
160static int gre_pkt_to_tuple(const struct sk_buff *skb, 160static bool gre_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
161 unsigned int dataoff, 161 struct nf_conntrack_tuple *tuple)
162 struct nf_conntrack_tuple *tuple)
163{ 162{
164 const struct gre_hdr_pptp *pgrehdr; 163 const struct gre_hdr_pptp *pgrehdr;
165 struct gre_hdr_pptp _pgrehdr; 164 struct gre_hdr_pptp _pgrehdr;
@@ -173,24 +172,24 @@ static int gre_pkt_to_tuple(const struct sk_buff *skb,
173 /* try to behave like "nf_conntrack_proto_generic" */ 172 /* try to behave like "nf_conntrack_proto_generic" */
174 tuple->src.u.all = 0; 173 tuple->src.u.all = 0;
175 tuple->dst.u.all = 0; 174 tuple->dst.u.all = 0;
176 return 1; 175 return true;
177 } 176 }
178 177
179 /* PPTP header is variable length, only need up to the call_id field */ 178 /* PPTP header is variable length, only need up to the call_id field */
180 pgrehdr = skb_header_pointer(skb, dataoff, 8, &_pgrehdr); 179 pgrehdr = skb_header_pointer(skb, dataoff, 8, &_pgrehdr);
181 if (!pgrehdr) 180 if (!pgrehdr)
182 return 1; 181 return true;
183 182
184 if (ntohs(grehdr->protocol) != GRE_PROTOCOL_PPTP) { 183 if (ntohs(grehdr->protocol) != GRE_PROTOCOL_PPTP) {
185 pr_debug("GRE_VERSION_PPTP but unknown proto\n"); 184 pr_debug("GRE_VERSION_PPTP but unknown proto\n");
186 return 0; 185 return false;
187 } 186 }
188 187
189 tuple->dst.u.gre.key = pgrehdr->call_id; 188 tuple->dst.u.gre.key = pgrehdr->call_id;
190 srckey = gre_keymap_lookup(tuple); 189 srckey = gre_keymap_lookup(tuple);
191 tuple->src.u.gre.key = srckey; 190 tuple->src.u.gre.key = srckey;
192 191
193 return 1; 192 return true;
194} 193}
195 194
196/* print gre part of tuple */ 195/* print gre part of tuple */
@@ -235,18 +234,18 @@ static int gre_packet(struct nf_conn *ct,
235} 234}
236 235
237/* Called when a new connection for this protocol found. */ 236/* Called when a new connection for this protocol found. */
238static int gre_new(struct nf_conn *ct, const struct sk_buff *skb, 237static bool gre_new(struct nf_conn *ct, const struct sk_buff *skb,
239 unsigned int dataoff) 238 unsigned int dataoff)
240{ 239{
241 pr_debug(": "); 240 pr_debug(": ");
242 NF_CT_DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); 241 nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
243 242
244 /* initialize to sane value. Ideally a conntrack helper 243 /* initialize to sane value. Ideally a conntrack helper
245 * (e.g. in case of pptp) is increasing them */ 244 * (e.g. in case of pptp) is increasing them */
246 ct->proto.gre.stream_timeout = GRE_STREAM_TIMEOUT; 245 ct->proto.gre.stream_timeout = GRE_STREAM_TIMEOUT;
247 ct->proto.gre.timeout = GRE_TIMEOUT; 246 ct->proto.gre.timeout = GRE_TIMEOUT;
248 247
249 return 1; 248 return true;
250} 249}
251 250
252/* Called when a conntrack entry has already been removed from the hashes 251/* Called when a conntrack entry has already been removed from the hashes
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index f9a08370dbb3..cbf2e27a22b2 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -33,7 +33,7 @@ static DEFINE_RWLOCK(sctp_lock);
33 33
34 And so for me for SCTP :D -Kiran */ 34 And so for me for SCTP :D -Kiran */
35 35
36static const char *sctp_conntrack_names[] = { 36static const char *const sctp_conntrack_names[] = {
37 "NONE", 37 "NONE",
38 "CLOSED", 38 "CLOSED",
39 "COOKIE_WAIT", 39 "COOKIE_WAIT",
@@ -130,28 +130,28 @@ static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
130 } 130 }
131}; 131};
132 132
133static int sctp_pkt_to_tuple(const struct sk_buff *skb, 133static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
134 unsigned int dataoff, 134 struct nf_conntrack_tuple *tuple)
135 struct nf_conntrack_tuple *tuple)
136{ 135{
137 sctp_sctphdr_t _hdr, *hp; 136 const struct sctphdr *hp;
137 struct sctphdr _hdr;
138 138
139 /* Actually only need first 8 bytes. */ 139 /* Actually only need first 8 bytes. */
140 hp = skb_header_pointer(skb, dataoff, 8, &_hdr); 140 hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
141 if (hp == NULL) 141 if (hp == NULL)
142 return 0; 142 return false;
143 143
144 tuple->src.u.sctp.port = hp->source; 144 tuple->src.u.sctp.port = hp->source;
145 tuple->dst.u.sctp.port = hp->dest; 145 tuple->dst.u.sctp.port = hp->dest;
146 return 1; 146 return true;
147} 147}
148 148
149static int sctp_invert_tuple(struct nf_conntrack_tuple *tuple, 149static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
150 const struct nf_conntrack_tuple *orig) 150 const struct nf_conntrack_tuple *orig)
151{ 151{
152 tuple->src.u.sctp.port = orig->dst.u.sctp.port; 152 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
153 tuple->dst.u.sctp.port = orig->src.u.sctp.port; 153 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
154 return 1; 154 return true;
155} 155}
156 156
157/* Print out the per-protocol part of the tuple. */ 157/* Print out the per-protocol part of the tuple. */
@@ -292,8 +292,10 @@ static int sctp_packet(struct nf_conn *ct,
292{ 292{
293 enum sctp_conntrack new_state, old_state; 293 enum sctp_conntrack new_state, old_state;
294 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 294 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
295 sctp_sctphdr_t _sctph, *sh; 295 const struct sctphdr *sh;
296 sctp_chunkhdr_t _sch, *sch; 296 struct sctphdr _sctph;
297 const struct sctp_chunkhdr *sch;
298 struct sctp_chunkhdr _sch;
297 u_int32_t offset, count; 299 u_int32_t offset, count;
298 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 300 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
299 301
@@ -390,27 +392,29 @@ out:
390} 392}
391 393
392/* Called when a new connection for this protocol found. */ 394/* Called when a new connection for this protocol found. */
393static int sctp_new(struct nf_conn *ct, const struct sk_buff *skb, 395static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
394 unsigned int dataoff) 396 unsigned int dataoff)
395{ 397{
396 enum sctp_conntrack new_state; 398 enum sctp_conntrack new_state;
397 sctp_sctphdr_t _sctph, *sh; 399 const struct sctphdr *sh;
398 sctp_chunkhdr_t _sch, *sch; 400 struct sctphdr _sctph;
401 const struct sctp_chunkhdr *sch;
402 struct sctp_chunkhdr _sch;
399 u_int32_t offset, count; 403 u_int32_t offset, count;
400 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 404 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
401 405
402 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 406 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
403 if (sh == NULL) 407 if (sh == NULL)
404 return 0; 408 return false;
405 409
406 if (do_basic_checks(ct, skb, dataoff, map) != 0) 410 if (do_basic_checks(ct, skb, dataoff, map) != 0)
407 return 0; 411 return false;
408 412
409 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ 413 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
410 if (test_bit(SCTP_CID_ABORT, map) || 414 if (test_bit(SCTP_CID_ABORT, map) ||
411 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) || 415 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
412 test_bit(SCTP_CID_COOKIE_ACK, map)) 416 test_bit(SCTP_CID_COOKIE_ACK, map))
413 return 0; 417 return false;
414 418
415 new_state = SCTP_CONNTRACK_MAX; 419 new_state = SCTP_CONNTRACK_MAX;
416 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 420 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
@@ -422,7 +426,7 @@ static int sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
422 if (new_state == SCTP_CONNTRACK_NONE || 426 if (new_state == SCTP_CONNTRACK_NONE ||
423 new_state == SCTP_CONNTRACK_MAX) { 427 new_state == SCTP_CONNTRACK_MAX) {
424 pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); 428 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
425 return 0; 429 return false;
426 } 430 }
427 431
428 /* Copy the vtag into the state info */ 432 /* Copy the vtag into the state info */
@@ -433,7 +437,7 @@ static int sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
433 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), 437 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
434 sizeof(_inithdr), &_inithdr); 438 sizeof(_inithdr), &_inithdr);
435 if (ih == NULL) 439 if (ih == NULL)
436 return 0; 440 return false;
437 441
438 pr_debug("Setting vtag %x for new conn\n", 442 pr_debug("Setting vtag %x for new conn\n",
439 ih->init_tag); 443 ih->init_tag);
@@ -442,7 +446,7 @@ static int sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
442 ih->init_tag; 446 ih->init_tag;
443 } else { 447 } else {
444 /* Sec 8.5.1 (A) */ 448 /* Sec 8.5.1 (A) */
445 return 0; 449 return false;
446 } 450 }
447 } 451 }
448 /* If it is a shutdown ack OOTB packet, we expect a return 452 /* If it is a shutdown ack OOTB packet, we expect a return
@@ -456,7 +460,7 @@ static int sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
456 ct->proto.sctp.state = new_state; 460 ct->proto.sctp.state = new_state;
457 } 461 }
458 462
459 return 1; 463 return true;
460} 464}
461 465
462#ifdef CONFIG_SYSCTL 466#ifdef CONFIG_SYSCTL
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 62567959b66e..ba94004fe323 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -257,9 +257,8 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
257 } 257 }
258}; 258};
259 259
260static int tcp_pkt_to_tuple(const struct sk_buff *skb, 260static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
261 unsigned int dataoff, 261 struct nf_conntrack_tuple *tuple)
262 struct nf_conntrack_tuple *tuple)
263{ 262{
264 const struct tcphdr *hp; 263 const struct tcphdr *hp;
265 struct tcphdr _hdr; 264 struct tcphdr _hdr;
@@ -267,20 +266,20 @@ static int tcp_pkt_to_tuple(const struct sk_buff *skb,
267 /* Actually only need first 8 bytes. */ 266 /* Actually only need first 8 bytes. */
268 hp = skb_header_pointer(skb, dataoff, 8, &_hdr); 267 hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
269 if (hp == NULL) 268 if (hp == NULL)
270 return 0; 269 return false;
271 270
272 tuple->src.u.tcp.port = hp->source; 271 tuple->src.u.tcp.port = hp->source;
273 tuple->dst.u.tcp.port = hp->dest; 272 tuple->dst.u.tcp.port = hp->dest;
274 273
275 return 1; 274 return true;
276} 275}
277 276
278static int tcp_invert_tuple(struct nf_conntrack_tuple *tuple, 277static bool tcp_invert_tuple(struct nf_conntrack_tuple *tuple,
279 const struct nf_conntrack_tuple *orig) 278 const struct nf_conntrack_tuple *orig)
280{ 279{
281 tuple->src.u.tcp.port = orig->dst.u.tcp.port; 280 tuple->src.u.tcp.port = orig->dst.u.tcp.port;
282 tuple->dst.u.tcp.port = orig->src.u.tcp.port; 281 tuple->dst.u.tcp.port = orig->src.u.tcp.port;
283 return 1; 282 return true;
284} 283}
285 284
286/* Print out the per-protocol part of the tuple. */ 285/* Print out the per-protocol part of the tuple. */
@@ -478,20 +477,20 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
478 } 477 }
479} 478}
480 479
481static int tcp_in_window(const struct nf_conn *ct, 480static bool tcp_in_window(const struct nf_conn *ct,
482 struct ip_ct_tcp *state, 481 struct ip_ct_tcp *state,
483 enum ip_conntrack_dir dir, 482 enum ip_conntrack_dir dir,
484 unsigned int index, 483 unsigned int index,
485 const struct sk_buff *skb, 484 const struct sk_buff *skb,
486 unsigned int dataoff, 485 unsigned int dataoff,
487 const struct tcphdr *tcph, 486 const struct tcphdr *tcph,
488 int pf) 487 int pf)
489{ 488{
490 struct ip_ct_tcp_state *sender = &state->seen[dir]; 489 struct ip_ct_tcp_state *sender = &state->seen[dir];
491 struct ip_ct_tcp_state *receiver = &state->seen[!dir]; 490 struct ip_ct_tcp_state *receiver = &state->seen[!dir];
492 const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple; 491 const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
493 __u32 seq, ack, sack, end, win, swin; 492 __u32 seq, ack, sack, end, win, swin;
494 int res; 493 bool res;
495 494
496 /* 495 /*
497 * Get the required data from the packet. 496 * Get the required data from the packet.
@@ -506,7 +505,7 @@ static int tcp_in_window(const struct nf_conn *ct,
506 505
507 pr_debug("tcp_in_window: START\n"); 506 pr_debug("tcp_in_window: START\n");
508 pr_debug("tcp_in_window: "); 507 pr_debug("tcp_in_window: ");
509 NF_CT_DUMP_TUPLE(tuple); 508 nf_ct_dump_tuple(tuple);
510 pr_debug("seq=%u ack=%u sack=%u win=%u end=%u\n", 509 pr_debug("seq=%u ack=%u sack=%u win=%u end=%u\n",
511 seq, ack, sack, win, end); 510 seq, ack, sack, win, end);
512 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " 511 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
@@ -593,7 +592,7 @@ static int tcp_in_window(const struct nf_conn *ct,
593 seq = end = sender->td_end; 592 seq = end = sender->td_end;
594 593
595 pr_debug("tcp_in_window: "); 594 pr_debug("tcp_in_window: ");
596 NF_CT_DUMP_TUPLE(tuple); 595 nf_ct_dump_tuple(tuple);
597 pr_debug("seq=%u ack=%u sack =%u win=%u end=%u\n", 596 pr_debug("seq=%u ack=%u sack =%u win=%u end=%u\n",
598 seq, ack, sack, win, end); 597 seq, ack, sack, win, end);
599 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " 598 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
@@ -657,12 +656,12 @@ static int tcp_in_window(const struct nf_conn *ct,
657 state->retrans = 0; 656 state->retrans = 0;
658 } 657 }
659 } 658 }
660 res = 1; 659 res = true;
661 } else { 660 } else {
662 res = 0; 661 res = false;
663 if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL || 662 if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
664 nf_ct_tcp_be_liberal) 663 nf_ct_tcp_be_liberal)
665 res = 1; 664 res = true;
666 if (!res && LOG_INVALID(IPPROTO_TCP)) 665 if (!res && LOG_INVALID(IPPROTO_TCP))
667 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 666 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
668 "nf_ct_tcp: %s ", 667 "nf_ct_tcp: %s ",
@@ -676,7 +675,7 @@ static int tcp_in_window(const struct nf_conn *ct,
676 : "SEQ is over the upper bound (over the window of the receiver)"); 675 : "SEQ is over the upper bound (over the window of the receiver)");
677 } 676 }
678 677
679 pr_debug("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u " 678 pr_debug("tcp_in_window: res=%u sender end=%u maxend=%u maxwin=%u "
680 "receiver end=%u maxend=%u maxwin=%u\n", 679 "receiver end=%u maxend=%u maxwin=%u\n",
681 res, sender->td_end, sender->td_maxend, sender->td_maxwin, 680 res, sender->td_end, sender->td_maxend, sender->td_maxwin,
682 receiver->td_end, receiver->td_maxend, receiver->td_maxwin); 681 receiver->td_end, receiver->td_maxend, receiver->td_maxwin);
@@ -937,7 +936,7 @@ static int tcp_packet(struct nf_conn *ct,
937 ct->proto.tcp.last_dir = dir; 936 ct->proto.tcp.last_dir = dir;
938 937
939 pr_debug("tcp_conntracks: "); 938 pr_debug("tcp_conntracks: ");
940 NF_CT_DUMP_TUPLE(tuple); 939 nf_ct_dump_tuple(tuple);
941 pr_debug("syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n", 940 pr_debug("syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n",
942 (th->syn ? 1 : 0), (th->ack ? 1 : 0), 941 (th->syn ? 1 : 0), (th->ack ? 1 : 0),
943 (th->fin ? 1 : 0), (th->rst ? 1 : 0), 942 (th->fin ? 1 : 0), (th->rst ? 1 : 0),
@@ -982,9 +981,8 @@ static int tcp_packet(struct nf_conn *ct,
982} 981}
983 982
984/* Called when a new connection for this protocol found. */ 983/* Called when a new connection for this protocol found. */
985static int tcp_new(struct nf_conn *ct, 984static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
986 const struct sk_buff *skb, 985 unsigned int dataoff)
987 unsigned int dataoff)
988{ 986{
989 enum tcp_conntrack new_state; 987 enum tcp_conntrack new_state;
990 const struct tcphdr *th; 988 const struct tcphdr *th;
@@ -1003,7 +1001,7 @@ static int tcp_new(struct nf_conn *ct,
1003 /* Invalid: delete conntrack */ 1001 /* Invalid: delete conntrack */
1004 if (new_state >= TCP_CONNTRACK_MAX) { 1002 if (new_state >= TCP_CONNTRACK_MAX) {
1005 pr_debug("nf_ct_tcp: invalid new deleting.\n"); 1003 pr_debug("nf_ct_tcp: invalid new deleting.\n");
1006 return 0; 1004 return false;
1007 } 1005 }
1008 1006
1009 if (new_state == TCP_CONNTRACK_SYN_SENT) { 1007 if (new_state == TCP_CONNTRACK_SYN_SENT) {
@@ -1021,7 +1019,7 @@ static int tcp_new(struct nf_conn *ct,
1021 ct->proto.tcp.seen[1].flags = 0; 1019 ct->proto.tcp.seen[1].flags = 0;
1022 } else if (nf_ct_tcp_loose == 0) { 1020 } else if (nf_ct_tcp_loose == 0) {
1023 /* Don't try to pick up connections. */ 1021 /* Don't try to pick up connections. */
1024 return 0; 1022 return false;
1025 } else { 1023 } else {
1026 /* 1024 /*
1027 * We are in the middle of a connection, 1025 * We are in the middle of a connection,
@@ -1061,7 +1059,7 @@ static int tcp_new(struct nf_conn *ct,
1061 sender->td_scale, 1059 sender->td_scale,
1062 receiver->td_end, receiver->td_maxend, receiver->td_maxwin, 1060 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
1063 receiver->td_scale); 1061 receiver->td_scale);
1064 return 1; 1062 return true;
1065} 1063}
1066 1064
1067#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 1065#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
@@ -1129,11 +1127,13 @@ static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
1129 if (err < 0) 1127 if (err < 0)
1130 return err; 1128 return err;
1131 1129
1132 if (!tb[CTA_PROTOINFO_TCP_STATE]) 1130 if (tb[CTA_PROTOINFO_TCP_STATE] &&
1131 nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)
1133 return -EINVAL; 1132 return -EINVAL;
1134 1133
1135 write_lock_bh(&tcp_lock); 1134 write_lock_bh(&tcp_lock);
1136 ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]); 1135 if (tb[CTA_PROTOINFO_TCP_STATE])
1136 ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
1137 1137
1138 if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) { 1138 if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) {
1139 struct nf_ct_tcp_flags *attr = 1139 struct nf_ct_tcp_flags *attr =
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index b8a35cc06416..8b21762e65de 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -26,7 +26,7 @@
26static unsigned int nf_ct_udp_timeout __read_mostly = 30*HZ; 26static unsigned int nf_ct_udp_timeout __read_mostly = 30*HZ;
27static unsigned int nf_ct_udp_timeout_stream __read_mostly = 180*HZ; 27static unsigned int nf_ct_udp_timeout_stream __read_mostly = 180*HZ;
28 28
29static int udp_pkt_to_tuple(const struct sk_buff *skb, 29static bool udp_pkt_to_tuple(const struct sk_buff *skb,
30 unsigned int dataoff, 30 unsigned int dataoff,
31 struct nf_conntrack_tuple *tuple) 31 struct nf_conntrack_tuple *tuple)
32{ 32{
@@ -36,20 +36,20 @@ static int udp_pkt_to_tuple(const struct sk_buff *skb,
36 /* Actually only need first 8 bytes. */ 36 /* Actually only need first 8 bytes. */
37 hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 37 hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
38 if (hp == NULL) 38 if (hp == NULL)
39 return 0; 39 return false;
40 40
41 tuple->src.u.udp.port = hp->source; 41 tuple->src.u.udp.port = hp->source;
42 tuple->dst.u.udp.port = hp->dest; 42 tuple->dst.u.udp.port = hp->dest;
43 43
44 return 1; 44 return true;
45} 45}
46 46
47static int udp_invert_tuple(struct nf_conntrack_tuple *tuple, 47static bool udp_invert_tuple(struct nf_conntrack_tuple *tuple,
48 const struct nf_conntrack_tuple *orig) 48 const struct nf_conntrack_tuple *orig)
49{ 49{
50 tuple->src.u.udp.port = orig->dst.u.udp.port; 50 tuple->src.u.udp.port = orig->dst.u.udp.port;
51 tuple->dst.u.udp.port = orig->src.u.udp.port; 51 tuple->dst.u.udp.port = orig->src.u.udp.port;
52 return 1; 52 return true;
53} 53}
54 54
55/* Print out the per-protocol part of the tuple. */ 55/* Print out the per-protocol part of the tuple. */
@@ -83,10 +83,10 @@ static int udp_packet(struct nf_conn *ct,
83} 83}
84 84
85/* Called when a new connection for this protocol found. */ 85/* Called when a new connection for this protocol found. */
86static int udp_new(struct nf_conn *ct, const struct sk_buff *skb, 86static bool udp_new(struct nf_conn *ct, const struct sk_buff *skb,
87 unsigned int dataoff) 87 unsigned int dataoff)
88{ 88{
89 return 1; 89 return true;
90} 90}
91 91
92static int udp_error(struct sk_buff *skb, unsigned int dataoff, 92static int udp_error(struct sk_buff *skb, unsigned int dataoff,
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 9dd03c7aeac6..1fa62f3c24f1 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -27,28 +27,28 @@
27static unsigned int nf_ct_udplite_timeout __read_mostly = 30*HZ; 27static unsigned int nf_ct_udplite_timeout __read_mostly = 30*HZ;
28static unsigned int nf_ct_udplite_timeout_stream __read_mostly = 180*HZ; 28static unsigned int nf_ct_udplite_timeout_stream __read_mostly = 180*HZ;
29 29
30static int udplite_pkt_to_tuple(const struct sk_buff *skb, 30static bool udplite_pkt_to_tuple(const struct sk_buff *skb,
31 unsigned int dataoff, 31 unsigned int dataoff,
32 struct nf_conntrack_tuple *tuple) 32 struct nf_conntrack_tuple *tuple)
33{ 33{
34 const struct udphdr *hp; 34 const struct udphdr *hp;
35 struct udphdr _hdr; 35 struct udphdr _hdr;
36 36
37 hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 37 hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
38 if (hp == NULL) 38 if (hp == NULL)
39 return 0; 39 return false;
40 40
41 tuple->src.u.udp.port = hp->source; 41 tuple->src.u.udp.port = hp->source;
42 tuple->dst.u.udp.port = hp->dest; 42 tuple->dst.u.udp.port = hp->dest;
43 return 1; 43 return true;
44} 44}
45 45
46static int udplite_invert_tuple(struct nf_conntrack_tuple *tuple, 46static bool udplite_invert_tuple(struct nf_conntrack_tuple *tuple,
47 const struct nf_conntrack_tuple *orig) 47 const struct nf_conntrack_tuple *orig)
48{ 48{
49 tuple->src.u.udp.port = orig->dst.u.udp.port; 49 tuple->src.u.udp.port = orig->dst.u.udp.port;
50 tuple->dst.u.udp.port = orig->src.u.udp.port; 50 tuple->dst.u.udp.port = orig->src.u.udp.port;
51 return 1; 51 return true;
52} 52}
53 53
54/* Print out the per-protocol part of the tuple. */ 54/* Print out the per-protocol part of the tuple. */
@@ -83,10 +83,10 @@ static int udplite_packet(struct nf_conn *ct,
83} 83}
84 84
85/* Called when a new connection for this protocol found. */ 85/* Called when a new connection for this protocol found. */
86static int udplite_new(struct nf_conn *ct, const struct sk_buff *skb, 86static bool udplite_new(struct nf_conn *ct, const struct sk_buff *skb,
87 unsigned int dataoff) 87 unsigned int dataoff)
88{ 88{
89 return 1; 89 return true;
90} 90}
91 91
92static int udplite_error(struct sk_buff *skb, unsigned int dataoff, 92static int udplite_error(struct sk_buff *skb, unsigned int dataoff,
@@ -127,32 +127,13 @@ static int udplite_error(struct sk_buff *skb, unsigned int dataoff,
127 } 127 }
128 128
129 /* Checksum invalid? Ignore. */ 129 /* Checksum invalid? Ignore. */
130 if (nf_conntrack_checksum && !skb_csum_unnecessary(skb) && 130 if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING &&
131 hooknum == NF_INET_PRE_ROUTING) { 131 nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP,
132 if (pf == PF_INET) { 132 pf)) {
133 struct iphdr *iph = ip_hdr(skb); 133 if (LOG_INVALID(IPPROTO_UDPLITE))
134 134 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
135 skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr, 135 "nf_ct_udplite: bad UDPLite checksum ");
136 udplen, IPPROTO_UDPLITE, 0); 136 return -NF_ACCEPT;
137 } else {
138 struct ipv6hdr *ipv6h = ipv6_hdr(skb);
139 __wsum hsum = skb_checksum(skb, 0, dataoff, 0);
140
141 skb->csum = ~csum_unfold(
142 csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
143 udplen, IPPROTO_UDPLITE,
144 csum_sub(0, hsum)));
145 }
146
147 skb->ip_summed = CHECKSUM_NONE;
148 if (__skb_checksum_complete_head(skb, dataoff + cscov)) {
149 if (LOG_INVALID(IPPROTO_UDPLITE))
150 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
151 "nf_ct_udplite: bad UDPLite "
152 "checksum ");
153 return -NF_ACCEPT;
154 }
155 skb->ip_summed = CHECKSUM_UNNECESSARY;
156 } 137 }
157 138
158 return NF_ACCEPT; 139 return NF_ACCEPT;
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index 7542e25eede3..a94294b2b23c 100644
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -72,7 +72,6 @@ static int help(struct sk_buff *skb,
72 struct nf_conntrack_tuple *tuple; 72 struct nf_conntrack_tuple *tuple;
73 struct sane_request *req; 73 struct sane_request *req;
74 struct sane_reply_net_start *reply; 74 struct sane_reply_net_start *reply;
75 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
76 75
77 ct_sane_info = &nfct_help(ct)->help.ct_sane_info; 76 ct_sane_info = &nfct_help(ct)->help.ct_sane_info;
78 /* Until there's been traffic both ways, don't look in packets. */ 77 /* Until there's been traffic both ways, don't look in packets. */
@@ -143,12 +142,12 @@ static int help(struct sk_buff *skb,
143 } 142 }
144 143
145 tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; 144 tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
146 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, family, 145 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, nf_ct_l3num(ct),
147 &tuple->src.u3, &tuple->dst.u3, 146 &tuple->src.u3, &tuple->dst.u3,
148 IPPROTO_TCP, NULL, &reply->port); 147 IPPROTO_TCP, NULL, &reply->port);
149 148
150 pr_debug("nf_ct_sane: expect: "); 149 pr_debug("nf_ct_sane: expect: ");
151 NF_CT_DUMP_TUPLE(&exp->tuple); 150 nf_ct_dump_tuple(&exp->tuple);
152 151
153 /* Can't expect this? Best to drop packet now. */ 152 /* Can't expect this? Best to drop packet now. */
154 if (nf_ct_expect_related(exp) != 0) 153 if (nf_ct_expect_related(exp) != 0)
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index da5dec6e6158..65b3ba57a3b7 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -142,10 +142,10 @@ static int parse_addr(const struct nf_conn *ct, const char *cp,
142 const char *limit) 142 const char *limit)
143{ 143{
144 const char *end; 144 const char *end;
145 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
146 int ret = 0; 145 int ret = 0;
147 146
148 switch (family) { 147 memset(addr, 0, sizeof(*addr));
148 switch (nf_ct_l3num(ct)) {
149 case AF_INET: 149 case AF_INET:
150 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end); 150 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
151 break; 151 break;
@@ -739,7 +739,6 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
739 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 739 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
740 union nf_inet_addr *saddr; 740 union nf_inet_addr *saddr;
741 struct nf_conntrack_tuple tuple; 741 struct nf_conntrack_tuple tuple;
742 int family = ct->tuplehash[!dir].tuple.src.l3num;
743 int direct_rtp = 0, skip_expect = 0, ret = NF_DROP; 742 int direct_rtp = 0, skip_expect = 0, ret = NF_DROP;
744 u_int16_t base_port; 743 u_int16_t base_port;
745 __be16 rtp_port, rtcp_port; 744 __be16 rtp_port, rtcp_port;
@@ -769,7 +768,7 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
769 memset(&tuple, 0, sizeof(tuple)); 768 memset(&tuple, 0, sizeof(tuple));
770 if (saddr) 769 if (saddr)
771 tuple.src.u3 = *saddr; 770 tuple.src.u3 = *saddr;
772 tuple.src.l3num = family; 771 tuple.src.l3num = nf_ct_l3num(ct);
773 tuple.dst.protonum = IPPROTO_UDP; 772 tuple.dst.protonum = IPPROTO_UDP;
774 tuple.dst.u3 = *daddr; 773 tuple.dst.u3 = *daddr;
775 tuple.dst.u.udp.port = port; 774 tuple.dst.u.udp.port = port;
@@ -814,13 +813,13 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb,
814 rtp_exp = nf_ct_expect_alloc(ct); 813 rtp_exp = nf_ct_expect_alloc(ct);
815 if (rtp_exp == NULL) 814 if (rtp_exp == NULL)
816 goto err1; 815 goto err1;
817 nf_ct_expect_init(rtp_exp, class, family, saddr, daddr, 816 nf_ct_expect_init(rtp_exp, class, nf_ct_l3num(ct), saddr, daddr,
818 IPPROTO_UDP, NULL, &rtp_port); 817 IPPROTO_UDP, NULL, &rtp_port);
819 818
820 rtcp_exp = nf_ct_expect_alloc(ct); 819 rtcp_exp = nf_ct_expect_alloc(ct);
821 if (rtcp_exp == NULL) 820 if (rtcp_exp == NULL)
822 goto err2; 821 goto err2;
823 nf_ct_expect_init(rtcp_exp, class, family, saddr, daddr, 822 nf_ct_expect_init(rtcp_exp, class, nf_ct_l3num(ct), saddr, daddr,
824 IPPROTO_UDP, NULL, &rtcp_port); 823 IPPROTO_UDP, NULL, &rtcp_port);
825 824
826 nf_nat_sdp_media = rcu_dereference(nf_nat_sdp_media_hook); 825 nf_nat_sdp_media = rcu_dereference(nf_nat_sdp_media_hook);
@@ -870,7 +869,6 @@ static int process_sdp(struct sk_buff *skb,
870{ 869{
871 enum ip_conntrack_info ctinfo; 870 enum ip_conntrack_info ctinfo;
872 struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 871 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
873 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
874 unsigned int matchoff, matchlen; 872 unsigned int matchoff, matchlen;
875 unsigned int mediaoff, medialen; 873 unsigned int mediaoff, medialen;
876 unsigned int sdpoff; 874 unsigned int sdpoff;
@@ -885,8 +883,8 @@ static int process_sdp(struct sk_buff *skb,
885 typeof(nf_nat_sdp_session_hook) nf_nat_sdp_session; 883 typeof(nf_nat_sdp_session_hook) nf_nat_sdp_session;
886 884
887 nf_nat_sdp_addr = rcu_dereference(nf_nat_sdp_addr_hook); 885 nf_nat_sdp_addr = rcu_dereference(nf_nat_sdp_addr_hook);
888 c_hdr = family == AF_INET ? SDP_HDR_CONNECTION_IP4 : 886 c_hdr = nf_ct_l3num(ct) == AF_INET ? SDP_HDR_CONNECTION_IP4 :
889 SDP_HDR_CONNECTION_IP6; 887 SDP_HDR_CONNECTION_IP6;
890 888
891 /* Find beginning of session description */ 889 /* Find beginning of session description */
892 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen, 890 if (ct_sip_get_sdp_header(ct, *dptr, 0, *datalen,
@@ -1033,7 +1031,6 @@ static int process_register_request(struct sk_buff *skb,
1033 struct nf_conn *ct = nf_ct_get(skb, &ctinfo); 1031 struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
1034 struct nf_conn_help *help = nfct_help(ct); 1032 struct nf_conn_help *help = nfct_help(ct);
1035 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 1033 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
1036 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
1037 unsigned int matchoff, matchlen; 1034 unsigned int matchoff, matchlen;
1038 struct nf_conntrack_expect *exp; 1035 struct nf_conntrack_expect *exp;
1039 union nf_inet_addr *saddr, daddr; 1036 union nf_inet_addr *saddr, daddr;
@@ -1088,8 +1085,8 @@ static int process_register_request(struct sk_buff *skb,
1088 if (sip_direct_signalling) 1085 if (sip_direct_signalling)
1089 saddr = &ct->tuplehash[!dir].tuple.src.u3; 1086 saddr = &ct->tuplehash[!dir].tuple.src.u3;
1090 1087
1091 nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, family, saddr, &daddr, 1088 nf_ct_expect_init(exp, SIP_EXPECT_SIGNALLING, nf_ct_l3num(ct),
1092 IPPROTO_UDP, NULL, &port); 1089 saddr, &daddr, IPPROTO_UDP, NULL, &port);
1093 exp->timeout.expires = sip_timeout * HZ; 1090 exp->timeout.expires = sip_timeout * HZ;
1094 exp->helper = nfct_help(ct)->helper; 1091 exp->helper = nfct_help(ct)->helper;
1095 exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE; 1092 exp->flags = NF_CT_EXPECT_PERMANENT | NF_CT_EXPECT_INACTIVE;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 9d0b8bb4113c..b59871f6bdda 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -127,21 +127,14 @@ static int ct_seq_show(struct seq_file *s, void *v)
127 if (NF_CT_DIRECTION(hash)) 127 if (NF_CT_DIRECTION(hash))
128 return 0; 128 return 0;
129 129
130 l3proto = __nf_ct_l3proto_find(ct->tuplehash[IP_CT_DIR_ORIGINAL] 130 l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
131 .tuple.src.l3num);
132
133 NF_CT_ASSERT(l3proto); 131 NF_CT_ASSERT(l3proto);
134 l4proto = __nf_ct_l4proto_find(ct->tuplehash[IP_CT_DIR_ORIGINAL] 132 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
135 .tuple.src.l3num,
136 ct->tuplehash[IP_CT_DIR_ORIGINAL]
137 .tuple.dst.protonum);
138 NF_CT_ASSERT(l4proto); 133 NF_CT_ASSERT(l4proto);
139 134
140 if (seq_printf(s, "%-8s %u %-8s %u %ld ", 135 if (seq_printf(s, "%-8s %u %-8s %u %ld ",
141 l3proto->name, 136 l3proto->name, nf_ct_l3num(ct),
142 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num, 137 l4proto->name, nf_ct_protonum(ct),
143 l4proto->name,
144 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum,
145 timer_pending(&ct->timeout) 138 timer_pending(&ct->timeout)
146 ? (long)(ct->timeout.expires - jiffies)/HZ : 0) != 0) 139 ? (long)(ct->timeout.expires - jiffies)/HZ : 0) != 0)
147 return -ENOSPC; 140 return -ENOSPC;
@@ -295,6 +288,41 @@ static const struct file_operations ct_cpu_seq_fops = {
295 .llseek = seq_lseek, 288 .llseek = seq_lseek,
296 .release = seq_release, 289 .release = seq_release,
297}; 290};
291
292static int nf_conntrack_standalone_init_proc(void)
293{
294 struct proc_dir_entry *pde;
295
296 pde = proc_net_fops_create(&init_net, "nf_conntrack", 0440, &ct_file_ops);
297 if (!pde)
298 goto out_nf_conntrack;
299 pde = create_proc_entry("nf_conntrack", S_IRUGO, init_net.proc_net_stat);
300 if (!pde)
301 goto out_stat_nf_conntrack;
302 pde->proc_fops = &ct_cpu_seq_fops;
303 pde->owner = THIS_MODULE;
304 return 0;
305
306out_stat_nf_conntrack:
307 proc_net_remove(&init_net, "nf_conntrack");
308out_nf_conntrack:
309 return -ENOMEM;
310}
311
312static void nf_conntrack_standalone_fini_proc(void)
313{
314 remove_proc_entry("nf_conntrack", init_net.proc_net_stat);
315 proc_net_remove(&init_net, "nf_conntrack");
316}
317#else
318static int nf_conntrack_standalone_init_proc(void)
319{
320 return 0;
321}
322
323static void nf_conntrack_standalone_fini_proc(void)
324{
325}
298#endif /* CONFIG_PROC_FS */ 326#endif /* CONFIG_PROC_FS */
299 327
300/* Sysctl support */ 328/* Sysctl support */
@@ -390,60 +418,61 @@ static struct ctl_path nf_ct_path[] = {
390}; 418};
391 419
392EXPORT_SYMBOL_GPL(nf_ct_log_invalid); 420EXPORT_SYMBOL_GPL(nf_ct_log_invalid);
421
422static int nf_conntrack_standalone_init_sysctl(void)
423{
424 nf_ct_sysctl_header =
425 register_sysctl_paths(nf_ct_path, nf_ct_netfilter_table);
426 if (nf_ct_sysctl_header == NULL) {
427 printk("nf_conntrack: can't register to sysctl.\n");
428 return -ENOMEM;
429 }
430 return 0;
431
432}
433
434static void nf_conntrack_standalone_fini_sysctl(void)
435{
436 unregister_sysctl_table(nf_ct_sysctl_header);
437}
438#else
439static int nf_conntrack_standalone_init_sysctl(void)
440{
441 return 0;
442}
443
444static void nf_conntrack_standalone_fini_sysctl(void)
445{
446}
393#endif /* CONFIG_SYSCTL */ 447#endif /* CONFIG_SYSCTL */
394 448
395static int __init nf_conntrack_standalone_init(void) 449static int __init nf_conntrack_standalone_init(void)
396{ 450{
397#ifdef CONFIG_PROC_FS 451 int ret;
398 struct proc_dir_entry *proc;
399#endif
400 int ret = 0;
401 452
402 ret = nf_conntrack_init(); 453 ret = nf_conntrack_init();
403 if (ret < 0) 454 if (ret < 0)
404 return ret; 455 goto out;
405 456 ret = nf_conntrack_standalone_init_proc();
406#ifdef CONFIG_PROC_FS 457 if (ret < 0)
407 proc = proc_net_fops_create(&init_net, "nf_conntrack", 0440, &ct_file_ops); 458 goto out_proc;
408 if (!proc) goto cleanup_init; 459 ret = nf_conntrack_standalone_init_sysctl();
409 460 if (ret < 0)
410 if (!proc_create("nf_conntrack", S_IRUGO, 461 goto out_sysctl;
411 init_net.proc_net_stat, &ct_cpu_seq_fops)) 462 return 0;
412 goto cleanup_proc;
413#endif
414#ifdef CONFIG_SYSCTL
415 nf_ct_sysctl_header = register_sysctl_paths(nf_ct_path,
416 nf_ct_netfilter_table);
417 if (nf_ct_sysctl_header == NULL) {
418 printk("nf_conntrack: can't register to sysctl.\n");
419 ret = -ENOMEM;
420 goto cleanup_proc_stat;
421 }
422#endif
423 return ret;
424 463
425#ifdef CONFIG_SYSCTL 464out_sysctl:
426 cleanup_proc_stat: 465 nf_conntrack_standalone_fini_proc();
427#endif 466out_proc:
428#ifdef CONFIG_PROC_FS
429 remove_proc_entry("nf_conntrack", init_net. proc_net_stat);
430 cleanup_proc:
431 proc_net_remove(&init_net, "nf_conntrack");
432 cleanup_init:
433#endif /* CNFIG_PROC_FS */
434 nf_conntrack_cleanup(); 467 nf_conntrack_cleanup();
468out:
435 return ret; 469 return ret;
436} 470}
437 471
438static void __exit nf_conntrack_standalone_fini(void) 472static void __exit nf_conntrack_standalone_fini(void)
439{ 473{
440#ifdef CONFIG_SYSCTL 474 nf_conntrack_standalone_fini_sysctl();
441 unregister_sysctl_table(nf_ct_sysctl_header); 475 nf_conntrack_standalone_fini_proc();
442#endif
443#ifdef CONFIG_PROC_FS
444 remove_proc_entry("nf_conntrack", init_net.proc_net_stat);
445 proc_net_remove(&init_net, "nf_conntrack");
446#endif /* CNFIG_PROC_FS */
447 nf_conntrack_cleanup(); 476 nf_conntrack_cleanup();
448} 477}
449 478
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index a28341b30f21..f57f6e7a71ee 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -44,7 +44,6 @@ static int tftp_help(struct sk_buff *skb,
44 struct nf_conntrack_expect *exp; 44 struct nf_conntrack_expect *exp;
45 struct nf_conntrack_tuple *tuple; 45 struct nf_conntrack_tuple *tuple;
46 unsigned int ret = NF_ACCEPT; 46 unsigned int ret = NF_ACCEPT;
47 int family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
48 typeof(nf_nat_tftp_hook) nf_nat_tftp; 47 typeof(nf_nat_tftp_hook) nf_nat_tftp;
49 48
50 tfh = skb_header_pointer(skb, protoff + sizeof(struct udphdr), 49 tfh = skb_header_pointer(skb, protoff + sizeof(struct udphdr),
@@ -56,19 +55,20 @@ static int tftp_help(struct sk_buff *skb,
56 case TFTP_OPCODE_READ: 55 case TFTP_OPCODE_READ:
57 case TFTP_OPCODE_WRITE: 56 case TFTP_OPCODE_WRITE:
58 /* RRQ and WRQ works the same way */ 57 /* RRQ and WRQ works the same way */
59 NF_CT_DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); 58 nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
60 NF_CT_DUMP_TUPLE(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); 59 nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
61 60
62 exp = nf_ct_expect_alloc(ct); 61 exp = nf_ct_expect_alloc(ct);
63 if (exp == NULL) 62 if (exp == NULL)
64 return NF_DROP; 63 return NF_DROP;
65 tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple; 64 tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
66 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, family, 65 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT,
66 nf_ct_l3num(ct),
67 &tuple->src.u3, &tuple->dst.u3, 67 &tuple->src.u3, &tuple->dst.u3,
68 IPPROTO_UDP, NULL, &tuple->dst.u.udp.port); 68 IPPROTO_UDP, NULL, &tuple->dst.u.udp.port);
69 69
70 pr_debug("expect: "); 70 pr_debug("expect: ");
71 NF_CT_DUMP_TUPLE(&exp->tuple); 71 nf_ct_dump_tuple(&exp->tuple);
72 72
73 nf_nat_tftp = rcu_dereference(nf_nat_tftp_hook); 73 nf_nat_tftp = rcu_dereference(nf_nat_tftp_hook);
74 if (nf_nat_tftp && ct->status & IPS_NAT_MASK) 74 if (nf_nat_tftp && ct->status & IPS_NAT_MASK)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 0bd95680a494..f52f7f810ac4 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -58,7 +58,7 @@ static struct xt_af *xt;
58#define duprintf(format, args...) 58#define duprintf(format, args...)
59#endif 59#endif
60 60
61static const char *xt_prefix[NPROTO] = { 61static const char *const xt_prefix[NPROTO] = {
62 [AF_INET] = "ip", 62 [AF_INET] = "ip",
63 [AF_INET6] = "ip6", 63 [AF_INET6] = "ip6",
64 [NF_ARP] = "arp", 64 [NF_ARP] = "arp",
@@ -248,7 +248,7 @@ EXPORT_SYMBOL_GPL(xt_request_find_target);
248 248
249static int match_revfn(int af, const char *name, u8 revision, int *bestp) 249static int match_revfn(int af, const char *name, u8 revision, int *bestp)
250{ 250{
251 struct xt_match *m; 251 const struct xt_match *m;
252 int have_rev = 0; 252 int have_rev = 0;
253 253
254 list_for_each_entry(m, &xt[af].match, list) { 254 list_for_each_entry(m, &xt[af].match, list) {
@@ -264,7 +264,7 @@ static int match_revfn(int af, const char *name, u8 revision, int *bestp)
264 264
265static int target_revfn(int af, const char *name, u8 revision, int *bestp) 265static int target_revfn(int af, const char *name, u8 revision, int *bestp)
266{ 266{
267 struct xt_target *t; 267 const struct xt_target *t;
268 int have_rev = 0; 268 int have_rev = 0;
269 269
270 list_for_each_entry(t, &xt[af].target, list) { 270 list_for_each_entry(t, &xt[af].target, list) {
@@ -385,7 +385,7 @@ short xt_compat_calc_jump(int af, unsigned int offset)
385} 385}
386EXPORT_SYMBOL_GPL(xt_compat_calc_jump); 386EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
387 387
388int xt_compat_match_offset(struct xt_match *match) 388int xt_compat_match_offset(const struct xt_match *match)
389{ 389{
390 u_int16_t csize = match->compatsize ? : match->matchsize; 390 u_int16_t csize = match->compatsize ? : match->matchsize;
391 return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize); 391 return XT_ALIGN(match->matchsize) - COMPAT_XT_ALIGN(csize);
@@ -395,7 +395,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_offset);
395int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr, 395int xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
396 unsigned int *size) 396 unsigned int *size)
397{ 397{
398 struct xt_match *match = m->u.kernel.match; 398 const struct xt_match *match = m->u.kernel.match;
399 struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m; 399 struct compat_xt_entry_match *cm = (struct compat_xt_entry_match *)m;
400 int pad, off = xt_compat_match_offset(match); 400 int pad, off = xt_compat_match_offset(match);
401 u_int16_t msize = cm->u.user.match_size; 401 u_int16_t msize = cm->u.user.match_size;
@@ -422,7 +422,7 @@ EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
422int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr, 422int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
423 unsigned int *size) 423 unsigned int *size)
424{ 424{
425 struct xt_match *match = m->u.kernel.match; 425 const struct xt_match *match = m->u.kernel.match;
426 struct compat_xt_entry_match __user *cm = *dstptr; 426 struct compat_xt_entry_match __user *cm = *dstptr;
427 int off = xt_compat_match_offset(match); 427 int off = xt_compat_match_offset(match);
428 u_int16_t msize = m->u.user.match_size - off; 428 u_int16_t msize = m->u.user.match_size - off;
@@ -479,7 +479,7 @@ int xt_check_target(const struct xt_target *target, unsigned short family,
479EXPORT_SYMBOL_GPL(xt_check_target); 479EXPORT_SYMBOL_GPL(xt_check_target);
480 480
481#ifdef CONFIG_COMPAT 481#ifdef CONFIG_COMPAT
482int xt_compat_target_offset(struct xt_target *target) 482int xt_compat_target_offset(const struct xt_target *target)
483{ 483{
484 u_int16_t csize = target->compatsize ? : target->targetsize; 484 u_int16_t csize = target->compatsize ? : target->targetsize;
485 return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize); 485 return XT_ALIGN(target->targetsize) - COMPAT_XT_ALIGN(csize);
@@ -489,7 +489,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_offset);
489void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, 489void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
490 unsigned int *size) 490 unsigned int *size)
491{ 491{
492 struct xt_target *target = t->u.kernel.target; 492 const struct xt_target *target = t->u.kernel.target;
493 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; 493 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
494 int pad, off = xt_compat_target_offset(target); 494 int pad, off = xt_compat_target_offset(target);
495 u_int16_t tsize = ct->u.user.target_size; 495 u_int16_t tsize = ct->u.user.target_size;
@@ -515,7 +515,7 @@ EXPORT_SYMBOL_GPL(xt_compat_target_from_user);
515int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr, 515int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
516 unsigned int *size) 516 unsigned int *size)
517{ 517{
518 struct xt_target *target = t->u.kernel.target; 518 const struct xt_target *target = t->u.kernel.target;
519 struct compat_xt_entry_target __user *ct = *dstptr; 519 struct compat_xt_entry_target __user *ct = *dstptr;
520 int off = xt_compat_target_offset(target); 520 int off = xt_compat_target_offset(target);
521 u_int16_t tsize = t->u.user.target_size - off; 521 u_int16_t tsize = t->u.user.target_size - off;
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index 1faa9136195d..211189eb2b67 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -55,7 +55,7 @@ static void secmark_save(const struct sk_buff *skb)
55static void secmark_restore(struct sk_buff *skb) 55static void secmark_restore(struct sk_buff *skb)
56{ 56{
57 if (!skb->secmark) { 57 if (!skb->secmark) {
58 struct nf_conn *ct; 58 const struct nf_conn *ct;
59 enum ip_conntrack_info ctinfo; 59 enum ip_conntrack_info ctinfo;
60 60
61 ct = nf_ct_get(skb, &ctinfo); 61 ct = nf_ct_get(skb, &ctinfo);
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index 24c73ba31eaa..64d6ad380293 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -96,7 +96,7 @@ xt_rateest_tg_checkentry(const char *tablename,
96 void *targinfo, 96 void *targinfo,
97 unsigned int hook_mask) 97 unsigned int hook_mask)
98{ 98{
99 struct xt_rateest_target_info *info = (void *)targinfo; 99 struct xt_rateest_target_info *info = targinfo;
100 struct xt_rateest *est; 100 struct xt_rateest *est;
101 struct { 101 struct {
102 struct nlattr opt; 102 struct nlattr opt;
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 3b0111933f60..2e89a00df92c 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -72,9 +72,7 @@ connlimit_iphash6(const union nf_inet_addr *addr,
72 72
73static inline bool already_closed(const struct nf_conn *conn) 73static inline bool already_closed(const struct nf_conn *conn)
74{ 74{
75 u_int16_t proto = conn->tuplehash[0].tuple.dst.protonum; 75 if (nf_ct_protonum(conn) == IPPROTO_TCP)
76
77 if (proto == IPPROTO_TCP)
78 return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT; 76 return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT;
79 else 77 else
80 return 0; 78 return 0;
@@ -106,10 +104,10 @@ static int count_them(struct xt_connlimit_data *data,
106 const union nf_inet_addr *mask, 104 const union nf_inet_addr *mask,
107 const struct xt_match *match) 105 const struct xt_match *match)
108{ 106{
109 struct nf_conntrack_tuple_hash *found; 107 const struct nf_conntrack_tuple_hash *found;
110 struct xt_connlimit_conn *conn; 108 struct xt_connlimit_conn *conn;
111 struct xt_connlimit_conn *tmp; 109 struct xt_connlimit_conn *tmp;
112 struct nf_conn *found_ct; 110 const struct nf_conn *found_ct;
113 struct list_head *hash; 111 struct list_head *hash;
114 bool addit = true; 112 bool addit = true;
115 int matches = 0; 113 int matches = 0;
@@ -256,7 +254,7 @@ connlimit_mt_check(const char *tablename, const void *ip,
256static void 254static void
257connlimit_mt_destroy(const struct xt_match *match, void *matchinfo) 255connlimit_mt_destroy(const struct xt_match *match, void *matchinfo)
258{ 256{
259 struct xt_connlimit_info *info = matchinfo; 257 const struct xt_connlimit_info *info = matchinfo;
260 struct xt_connlimit_conn *conn; 258 struct xt_connlimit_conn *conn;
261 struct xt_connlimit_conn *tmp; 259 struct xt_connlimit_conn *tmp;
262 struct list_head *hash = info->data->iphash; 260 struct list_head *hash = info->data->iphash;
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 0c50b2894055..d61412f58ef7 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -65,7 +65,7 @@ conntrack_mt_v0(const struct sk_buff *skb, const struct net_device *in,
65 } 65 }
66 66
67 if (sinfo->flags & XT_CONNTRACK_PROTO && 67 if (sinfo->flags & XT_CONNTRACK_PROTO &&
68 FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != 68 FWINV(nf_ct_protonum(ct) !=
69 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, 69 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
70 XT_CONNTRACK_PROTO)) 70 XT_CONNTRACK_PROTO))
71 return false; 71 return false;
@@ -174,7 +174,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
174 174
175 tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple; 175 tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
176 if ((info->match_flags & XT_CONNTRACK_PROTO) && 176 if ((info->match_flags & XT_CONNTRACK_PROTO) &&
177 (tuple->dst.protonum == info->l4proto) ^ 177 (nf_ct_protonum(ct) == info->l4proto) ^
178 !(info->invert_flags & XT_CONNTRACK_PROTO)) 178 !(info->invert_flags & XT_CONNTRACK_PROTO))
179 return false; 179 return false;
180 180
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 667f45e72cd9..8b6522186d9f 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -98,7 +98,8 @@ dccp_mt(const struct sk_buff *skb, const struct net_device *in,
98 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) 98 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
99{ 99{
100 const struct xt_dccp_info *info = matchinfo; 100 const struct xt_dccp_info *info = matchinfo;
101 struct dccp_hdr _dh, *dh; 101 const struct dccp_hdr *dh;
102 struct dccp_hdr _dh;
102 103
103 if (offset) 104 if (offset)
104 return false; 105 return false;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 71c7c3785266..a133eb9b23e1 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -47,7 +47,8 @@ esp_mt(const struct sk_buff *skb, const struct net_device *in,
47 const struct net_device *out, const struct xt_match *match, 47 const struct net_device *out, const struct xt_match *match,
48 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) 48 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
49{ 49{
50 struct ip_esp_hdr _esp, *eh; 50 const struct ip_esp_hdr *eh;
51 struct ip_esp_hdr _esp;
51 const struct xt_esp *espinfo = matchinfo; 52 const struct xt_esp *espinfo = matchinfo;
52 53
53 /* Must not be a fragment. */ 54 /* Must not be a fragment. */
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 31daa8192422..fd88c489b70e 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -100,7 +100,8 @@ multiport_mt_v0(const struct sk_buff *skb, const struct net_device *in,
100 const void *matchinfo, int offset, unsigned int protoff, 100 const void *matchinfo, int offset, unsigned int protoff,
101 bool *hotdrop) 101 bool *hotdrop)
102{ 102{
103 __be16 _ports[2], *pptr; 103 const __be16 *pptr;
104 __be16 _ports[2];
104 const struct xt_multiport *multiinfo = matchinfo; 105 const struct xt_multiport *multiinfo = matchinfo;
105 106
106 if (offset) 107 if (offset)
@@ -126,7 +127,8 @@ multiport_mt(const struct sk_buff *skb, const struct net_device *in,
126 const void *matchinfo, int offset, unsigned int protoff, 127 const void *matchinfo, int offset, unsigned int protoff,
127 bool *hotdrop) 128 bool *hotdrop)
128{ 129{
129 __be16 _ports[2], *pptr; 130 const __be16 *pptr;
131 __be16 _ports[2];
130 const struct xt_multiport_v1 *multiinfo = matchinfo; 132 const struct xt_multiport_v1 *multiinfo = matchinfo;
131 133
132 if (offset) 134 if (offset)
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 9e918add2282..d351582b2a3d 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -136,7 +136,7 @@ policy_mt_check(const char *tablename, const void *ip_void,
136 const struct xt_match *match, void *matchinfo, 136 const struct xt_match *match, void *matchinfo,
137 unsigned int hook_mask) 137 unsigned int hook_mask)
138{ 138{
139 struct xt_policy_info *info = matchinfo; 139 const struct xt_policy_info *info = matchinfo;
140 140
141 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) { 141 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
142 printk(KERN_ERR "xt_policy: neither incoming nor " 142 printk(KERN_ERR "xt_policy: neither incoming nor "
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index fdb86a515146..ebd84f1b4f62 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -86,7 +86,7 @@ static bool xt_rateest_mt_checkentry(const char *tablename,
86 void *matchinfo, 86 void *matchinfo,
87 unsigned int hook_mask) 87 unsigned int hook_mask)
88{ 88{
89 struct xt_rateest_match_info *info = (void *)matchinfo; 89 struct xt_rateest_match_info *info = matchinfo;
90 struct xt_rateest *est1, *est2; 90 struct xt_rateest *est1, *est2;
91 91
92 if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS | 92 if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
@@ -130,7 +130,7 @@ err1:
130static void xt_rateest_mt_destroy(const struct xt_match *match, 130static void xt_rateest_mt_destroy(const struct xt_match *match,
131 void *matchinfo) 131 void *matchinfo)
132{ 132{
133 struct xt_rateest_match_info *info = (void *)matchinfo; 133 struct xt_rateest_match_info *info = matchinfo;
134 134
135 xt_rateest_put(info->est1); 135 xt_rateest_put(info->est1);
136 if (info->est2) 136 if (info->est2)
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index b718ec64333d..e6e4681fa047 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -46,7 +46,8 @@ match_packet(const struct sk_buff *skb,
46 bool *hotdrop) 46 bool *hotdrop)
47{ 47{
48 u_int32_t chunkmapcopy[256 / sizeof (u_int32_t)]; 48 u_int32_t chunkmapcopy[256 / sizeof (u_int32_t)];
49 sctp_chunkhdr_t _sch, *sch; 49 const sctp_chunkhdr_t *sch;
50 sctp_chunkhdr_t _sch;
50 int chunk_match_type = info->chunk_match_type; 51 int chunk_match_type = info->chunk_match_type;
51 const struct xt_sctp_flag_info *flag_info = info->flag_info; 52 const struct xt_sctp_flag_info *flag_info = info->flag_info;
52 int flag_count = info->flag_count; 53 int flag_count = info->flag_count;
@@ -121,7 +122,8 @@ sctp_mt(const struct sk_buff *skb, const struct net_device *in,
121 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) 122 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
122{ 123{
123 const struct xt_sctp_info *info = matchinfo; 124 const struct xt_sctp_info *info = matchinfo;
124 sctp_sctphdr_t _sh, *sh; 125 const sctp_sctphdr_t *sh;
126 sctp_sctphdr_t _sh;
125 127
126 if (offset) { 128 if (offset) {
127 duprintf("Dropping non-first fragment.. FIXME\n"); 129 duprintf("Dropping non-first fragment.. FIXME\n");
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index d7a5b27fe81e..6771bf01275b 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -31,9 +31,11 @@ tcpmss_mt(const struct sk_buff *skb, const struct net_device *in,
31 bool *hotdrop) 31 bool *hotdrop)
32{ 32{
33 const struct xt_tcpmss_match_info *info = matchinfo; 33 const struct xt_tcpmss_match_info *info = matchinfo;
34 struct tcphdr _tcph, *th; 34 const struct tcphdr *th;
35 struct tcphdr _tcph;
35 /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ 36 /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
36 u8 _opt[15 * 4 - sizeof(_tcph)], *op; 37 const u_int8_t *op;
38 u8 _opt[15 * 4 - sizeof(_tcph)];
37 unsigned int i, optlen; 39 unsigned int i, optlen;
38 40
39 /* If we don't have the whole header, drop packet. */ 41 /* If we don't have the whole header, drop packet. */
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 4fa3b669f691..951b06b8d701 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -42,7 +42,8 @@ tcp_find_option(u_int8_t option,
42 bool *hotdrop) 42 bool *hotdrop)
43{ 43{
44 /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */ 44 /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */
45 u_int8_t _opt[60 - sizeof(struct tcphdr)], *op; 45 const u_int8_t *op;
46 u_int8_t _opt[60 - sizeof(struct tcphdr)];
46 unsigned int i; 47 unsigned int i;
47 48
48 duprintf("tcp_match: finding option\n"); 49 duprintf("tcp_match: finding option\n");
@@ -72,7 +73,8 @@ tcp_mt(const struct sk_buff *skb, const struct net_device *in,
72 const struct net_device *out, const struct xt_match *match, 73 const struct net_device *out, const struct xt_match *match,
73 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) 74 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
74{ 75{
75 struct tcphdr _tcph, *th; 76 const struct tcphdr *th;
77 struct tcphdr _tcph;
76 const struct xt_tcp *tcpinfo = matchinfo; 78 const struct xt_tcp *tcpinfo = matchinfo;
77 79
78 if (offset) { 80 if (offset) {
@@ -144,7 +146,8 @@ udp_mt(const struct sk_buff *skb, const struct net_device *in,
144 const struct net_device *out, const struct xt_match *match, 146 const struct net_device *out, const struct xt_match *match,
145 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop) 147 const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
146{ 148{
147 struct udphdr _udph, *uh; 149 const struct udphdr *uh;
150 struct udphdr _udph;
148 const struct xt_udp *udpinfo = matchinfo; 151 const struct xt_udp *udpinfo = matchinfo;
149 152
150 /* Must not be a fragment. */ 153 /* Must not be a fragment. */
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 9fa2e0824708..ed76baab4734 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -223,7 +223,7 @@ time_mt_check(const char *tablename, const void *ip,
223 const struct xt_match *match, void *matchinfo, 223 const struct xt_match *match, void *matchinfo,
224 unsigned int hook_mask) 224 unsigned int hook_mask)
225{ 225{
226 struct xt_time_info *info = matchinfo; 226 const struct xt_time_info *info = matchinfo;
227 227
228 if (info->daytime_start > XT_TIME_MAX_DAYTIME || 228 if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
229 info->daytime_stop > XT_TIME_MAX_DAYTIME) { 229 info->daytime_stop > XT_TIME_MAX_DAYTIME) {
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-15 06:24:42 -0500