Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

12 files changed, 136 insertions, 59 deletions

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 48c54960773..70079454ffd 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -114,15 +114,17 @@ struct nf_sockopt_ops {
         int set_optmin;
         int set_optmax;
         int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
+#ifdef CONFIG_COMPAT
         int (*compat_set)(struct sock *sk, int optval,
                         void __user *user, unsigned int len);
-
+#endif
         int get_optmin;
         int get_optmax;
         int (*get)(struct sock *sk, int optval, void __user *user, int *len);
+#ifdef CONFIG_COMPAT
         int (*compat_get)(struct sock *sk, int optval,
                         void __user *user, int *len);
-
+#endif
         /* Use the module struct to lock set/get code in place */
         struct module *owner;
 };
@@ -161,11 +163,8 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
                                  struct sk_buff *skb,
                                  struct net_device *indev,
                                  struct net_device *outdev,
-                                 int (*okfn)(struct sk_buff *), int thresh,
-                                 int cond)
+                                 int (*okfn)(struct sk_buff *), int thresh)
 {
-        if (!cond)
-                return 1;
 #ifndef CONFIG_NETFILTER_DEBUG
         if (list_empty(&nf_hooks[pf][hook]))
                 return 1;
@@ -177,7 +176,7 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
                           struct net_device *indev, struct net_device *outdev,
                           int (*okfn)(struct sk_buff *))
 {
-        return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN, 1);
+        return nf_hook_thresh(pf, hook, skb, indev, outdev, okfn, INT_MIN);
 }
                    
 /* Activate hook; either okfn or kfree_skb called, unless a hook
@@ -197,36 +196,48 @@ static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
    coders :)
 */
 
-/* This is gross, but inline doesn't cut it for avoiding the function
-   call in fast path: gcc doesn't inline (needs value tracking?). --RR */
-
-/* HX: It's slightly less gross now. */
-
-#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh)             \
-({int __ret;                                                                   \
-if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, thresh, 1)) == 1)\
-        __ret = (okfn)(skb);                                                   \
-__ret;})
+static inline int
+NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct sk_buff *skb,
+               struct net_device *in, struct net_device *out,
+               int (*okfn)(struct sk_buff *), int thresh)
+{
+        int ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, thresh);
+        if (ret == 1)
+                ret = okfn(skb);
+        return ret;
+}
 
-#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond)                 \
-({int __ret;                                                                   \
-if ((__ret=nf_hook_thresh(pf, hook, (skb), indev, outdev, okfn, INT_MIN, cond)) == 1)\
-        __ret = (okfn)(skb);                                                   \
-__ret;})
+static inline int
+NF_HOOK_COND(uint8_t pf, unsigned int hook, struct sk_buff *skb,
+             struct net_device *in, struct net_device *out,
+             int (*okfn)(struct sk_buff *), bool cond)
+{
+        int ret = 1;
+        if (cond ||
+            (ret = nf_hook_thresh(pf, hook, skb, in, out, okfn, INT_MIN) == 1))
+                ret = okfn(skb);
+        return ret;
+}
 
-#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) \
-        NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, INT_MIN)
+static inline int
+NF_HOOK(uint8_t pf, unsigned int hook, struct sk_buff *skb,
+        struct net_device *in, struct net_device *out,
+        int (*okfn)(struct sk_buff *))
+{
+        return NF_HOOK_THRESH(pf, hook, skb, in, out, okfn, INT_MIN);
+}
 
 /* Call setsockopt() */
 int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
                   unsigned int len);
 int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
                   int *len);
-
+#ifdef CONFIG_COMPAT
 int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval,
                 char __user *opt, unsigned int len);
 int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval,
                 char __user *opt, int *len);
+#endif
 
 /* Call this before modifying an existing packet: ensures it is
    modifiable and linear to the point you care about (writable_len).
@@ -325,8 +336,7 @@ static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook,
                                  struct sk_buff *skb,
                                  struct net_device *indev,
                                  struct net_device *outdev,
-                                 int (*okfn)(struct sk_buff *), int thresh,
-                                 int cond)
+                                 int (*okfn)(struct sk_buff *), int thresh)
 {
         return okfn(skb);
 }
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 2aea50399c0..a5a63e41b8a 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -6,6 +6,7 @@ header-y += nfnetlink_queue.h
 header-y += xt_CLASSIFY.h
 header-y += xt_CONNMARK.h
 header-y += xt_CONNSECMARK.h
+header-y += xt_CT.h
 header-y += xt_DSCP.h
 header-y += xt_LED.h
 header-y += xt_MARK.h
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index a374787ed9b..c608677dda6 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -72,6 +72,28 @@ enum ip_conntrack_status {
         /* Connection has fixed timeout. */
         IPS_FIXED_TIMEOUT_BIT = 10,
         IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
+        /* Conntrack is a template */
+        IPS_TEMPLATE_BIT = 11,
+        IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
+};
+
+/* Connection tracking event types */
+enum ip_conntrack_events {
+        IPCT_NEW,               /* new conntrack */
+        IPCT_RELATED,           /* related conntrack */
+        IPCT_DESTROY,           /* destroyed conntrack */
+        IPCT_REPLY,             /* connection has seen two-way traffic */
+        IPCT_ASSURED,           /* connection status has changed to assured */
+        IPCT_PROTOINFO,         /* protocol information has changed */
+        IPCT_HELPER,            /* new helper has been set */
+        IPCT_MARK,              /* new mark has been set */
+        IPCT_NATSEQADJ,         /* NAT is doing sequence adjustment */
+        IPCT_SECMARK,           /* new security mark has been set */
+};
+
+enum ip_conntrack_expect_events {
+        IPEXP_NEW,              /* new expectation */
 };
 
 #ifdef __KERNEL__
diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index 23aa2ec6b7b..ff8cfbcf3b8 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -14,6 +14,7 @@ enum sip_expectation_classes {
         SIP_EXPECT_SIGNALLING,
         SIP_EXPECT_AUDIO,
         SIP_EXPECT_VIDEO,
+        SIP_EXPECT_IMAGE,
         __SIP_EXPECT_MAX
 };
 #define SIP_EXPECT_MAX  (__SIP_EXPECT_MAX - 1)
@@ -34,10 +35,10 @@ struct sdp_media_type {
 struct sip_handler {
         const char      *method;
         unsigned int    len;
-        int             (*request)(struct sk_buff *skb,
+        int             (*request)(struct sk_buff *skb, unsigned int dataoff,
                                    const char **dptr, unsigned int *datalen,
                                    unsigned int cseq);
-        int             (*response)(struct sk_buff *skb,
+        int             (*response)(struct sk_buff *skb, unsigned int dataoff,
                                     const char **dptr, unsigned int *datalen,
                                     unsigned int cseq, unsigned int code);
 };
@@ -84,7 +85,8 @@ enum sip_header_types {
         SIP_HDR_FROM,
         SIP_HDR_TO,
         SIP_HDR_CONTACT,
-        SIP_HDR_VIA,
+        SIP_HDR_VIA_UDP,
+        SIP_HDR_VIA_TCP,
         SIP_HDR_EXPIRES,
         SIP_HDR_CONTENT_LENGTH,
 };
@@ -100,33 +102,40 @@ enum sdp_header_types {
 };
 
 extern unsigned int (*nf_nat_sip_hook)(struct sk_buff *skb,
+                                       unsigned int dataoff,
                                        const char **dptr,
                                        unsigned int *datalen);
+extern void (*nf_nat_sip_seq_adjust_hook)(struct sk_buff *skb, s16 off);
 extern unsigned int (*nf_nat_sip_expect_hook)(struct sk_buff *skb,
+                                              unsigned int dataoff,
                                               const char **dptr,
                                               unsigned int *datalen,
                                               struct nf_conntrack_expect *exp,
                                               unsigned int matchoff,
                                               unsigned int matchlen);
 extern unsigned int (*nf_nat_sdp_addr_hook)(struct sk_buff *skb,
-                                            const char **dptr,
                                             unsigned int dataoff,
+                                            const char **dptr,
                                             unsigned int *datalen,
+                                            unsigned int sdpoff,
                                             enum sdp_header_types type,
                                             enum sdp_header_types term,
                                             const union nf_inet_addr *addr);
 extern unsigned int (*nf_nat_sdp_port_hook)(struct sk_buff *skb,
+                                            unsigned int dataoff,
                                             const char **dptr,
                                             unsigned int *datalen,
                                             unsigned int matchoff,
                                             unsigned int matchlen,
                                             u_int16_t port);
 extern unsigned int (*nf_nat_sdp_session_hook)(struct sk_buff *skb,
-                                               const char **dptr,
                                                unsigned int dataoff,
+                                               const char **dptr,
                                                unsigned int *datalen,
+                                               unsigned int sdpoff,
                                                const union nf_inet_addr *addr);
 extern unsigned int (*nf_nat_sdp_media_hook)(struct sk_buff *skb,
+                                             unsigned int dataoff,
                                              const char **dptr,
                                              unsigned int *datalen,
                                              struct nf_conntrack_expect *rtp_exp,
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 49d321f3ccd..53923868c9b 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -73,11 +73,11 @@ struct nfnetlink_subsystem {
 extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
 extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n);
 
-extern int nfnetlink_has_listeners(unsigned int group);
-extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, 
+extern int nfnetlink_has_listeners(struct net *net, unsigned int group);
+extern int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 pid, unsigned group,
                           int echo, gfp_t flags);
-extern void nfnetlink_set_err(u32 pid, u32 group, int error);
-extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags);
+extern void nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error);
+extern int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u_int32_t pid, int flags);
 
 extern void nfnl_lock(void);
 extern void nfnl_unlock(void);
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index ed4ef8d0b11..9ed534c991b 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -40,6 +40,7 @@ enum ctattr_type {
         CTA_NAT_SEQ_ADJ_ORIG,
         CTA_NAT_SEQ_ADJ_REPLY,
         CTA_SECMARK,
+        CTA_ZONE,
         __CTA_MAX
 };
 #define CTA_MAX (__CTA_MAX - 1)
@@ -159,6 +160,7 @@ enum ctattr_expect {
         CTA_EXPECT_TIMEOUT,
         CTA_EXPECT_ID,
         CTA_EXPECT_HELP_NAME,
+        CTA_EXPECT_ZONE,
         __CTA_EXPECT_MAX
 };
 #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 378f27ae777..a18119fb88f 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -93,8 +93,7 @@ struct _xt_align {
         __u64 u64;
 };
 
-#define XT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1))  \
-                        & ~(__alignof__(struct _xt_align)-1))
+#define XT_ALIGN(s) ALIGN((s), __alignof__(struct _xt_align))
 
 /* Standard return verdict, or do jump. */
 #define XT_STANDARD_TARGET ""
@@ -205,6 +204,7 @@ struct xt_match_param {
  * @hook_mask:  via which hooks the new rule is reachable
  */
 struct xt_mtchk_param {
+        struct net *net;
         const char *table;
         const void *entryinfo;
         const struct xt_match *match;
@@ -215,6 +215,7 @@ struct xt_mtchk_param {
 
 /* Match destructor parameters */
 struct xt_mtdtor_param {
+        struct net *net;
         const struct xt_match *match;
         void *matchinfo;
         u_int8_t family;
@@ -247,6 +248,7 @@ struct xt_target_param {
  * Other fields see above.
  */
 struct xt_tgchk_param {
+        struct net *net;
         const char *table;
         const void *entryinfo;
         const struct xt_target *target;
@@ -257,6 +259,7 @@ struct xt_tgchk_param {
 
 /* Target destructor parameters */
 struct xt_tgdtor_param {
+        struct net *net;
         const struct xt_target *target;
         void *targinfo;
         u_int8_t family;
@@ -281,11 +284,11 @@ struct xt_match {
 
         /* Called when entry of this type deleted. */
         void (*destroy)(const struct xt_mtdtor_param *);
-
+#ifdef CONFIG_COMPAT
         /* Called when userspace align differs from kernel space one */
-        void (*compat_from_user)(void *dst, void *src);
-        int (*compat_to_user)(void __user *dst, void *src);
-
+        void (*compat_from_user)(void *dst, const void *src);
+        int (*compat_to_user)(void __user *dst, const void *src);
+#endif
         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
         struct module *me;
 
@@ -294,7 +297,9 @@ struct xt_match {
 
         const char *table;
         unsigned int matchsize;
+#ifdef CONFIG_COMPAT
         unsigned int compatsize;
+#endif
         unsigned int hooks;
         unsigned short proto;
 
@@ -321,17 +326,19 @@ struct xt_target {
 
         /* Called when entry of this type deleted. */
         void (*destroy)(const struct xt_tgdtor_param *);
-
+#ifdef CONFIG_COMPAT
         /* Called when userspace align differs from kernel space one */
-        void (*compat_from_user)(void *dst, void *src);
-        int (*compat_to_user)(void __user *dst, void *src);
-
+        void (*compat_from_user)(void *dst, const void *src);
+        int (*compat_to_user)(void __user *dst, const void *src);
+#endif
         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
         struct module *me;
 
         const char *table;
         unsigned int targetsize;
+#ifdef CONFIG_COMPAT
         unsigned int compatsize;
+#endif
         unsigned int hooks;
         unsigned short proto;
 
@@ -353,6 +360,7 @@ struct xt_table {
         struct module *me;
 
         u_int8_t af;            /* address/protocol family */
+        int priority;           /* hook order */
 
         /* A unique name... */
         const char name[XT_TABLE_MAXNAMELEN];
@@ -514,6 +522,9 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
         return ret;
 }
 
+extern struct nf_hook_ops *xt_hook_link(const struct xt_table *, nf_hookfn *);
+extern void xt_hook_unlink(const struct xt_table *, struct nf_hook_ops *);
+
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
 
@@ -554,11 +565,7 @@ struct compat_xt_entry_target {
  * current task alignment */
 
 struct compat_xt_counters {
-#if defined(CONFIG_X86_64) || defined(CONFIG_IA64)
-        u_int32_t cnt[4];
-#else
-        u_int64_t cnt[2];
-#endif
+        compat_u64 pcnt, bcnt;                  /* Packet and byte counters */
 };
 
 struct compat_xt_counters_info {
@@ -567,26 +574,32 @@ struct compat_xt_counters_info {
         struct compat_xt_counters counters[0];
 };
 
-#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
-                & ~(__alignof__(struct compat_xt_counters)-1))
+struct _compat_xt_align {
+        __u8 u8;
+        __u16 u16;
+        __u32 u32;
+        compat_u64 u64;
+};
+
+#define COMPAT_XT_ALIGN(s) ALIGN((s), __alignof__(struct _compat_xt_align))
 
 extern void xt_compat_lock(u_int8_t af);
 extern void xt_compat_unlock(u_int8_t af);
 
 extern int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta);
 extern void xt_compat_flush_offsets(u_int8_t af);
-extern short xt_compat_calc_jump(u_int8_t af, unsigned int offset);
+extern int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
 
 extern int xt_compat_match_offset(const struct xt_match *match);
 extern int xt_compat_match_from_user(struct xt_entry_match *m,
                                      void **dstptr, unsigned int *size);
-extern int xt_compat_match_to_user(struct xt_entry_match *m,
+extern int xt_compat_match_to_user(const struct xt_entry_match *m,
                                    void __user **dstptr, unsigned int *size);
 
 extern int xt_compat_target_offset(const struct xt_target *target);
 extern void xt_compat_target_from_user(struct xt_entry_target *t,
                                        void **dstptr, unsigned int *size);
-extern int xt_compat_target_to_user(struct xt_entry_target *t,
+extern int xt_compat_target_to_user(const struct xt_entry_target *t,
                                     void __user **dstptr, unsigned int *size);
 
 #endif /* CONFIG_COMPAT */
diff --git a/include/linux/netfilter/xt_CT.h b/include/linux/netfilter/xt_CT.h
new file mode 100644
index 00000000000..1b564106891
--- /dev/null
+++ b/include/linux/netfilter/xt_CT.h
@@ -0,0 +1,17 @@
+#ifndef _XT_CT_H
+#define _XT_CT_H
+
+#define XT_CT_NOTRACK   0x1
+
+struct xt_ct_target_info {
+        u_int16_t       flags;
+        u_int16_t       zone;
+        u_int32_t       ct_events;
+        u_int32_t       exp_events;
+        char            helper[16];
+
+        /* Used internally by the kernel */
+        struct nf_conn  *ct __attribute__((aligned(8)));
+};
+
+#endif /* _XT_CT_H */
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index f2336523a9d..0b33980611b 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -258,6 +258,7 @@ struct arpt_error {
         .target.errorname = "ERROR",                                           \
 }
 
+extern void *arpt_alloc_initial_table(const struct xt_table *);
 extern struct xt_table *arpt_register_table(struct net *net,
                                             const struct xt_table *table,
                                             const struct arpt_replace *repl);
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index 3cc40c131cc..1c6f0c5f530 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -289,7 +289,7 @@ struct ebt_table {
                      ~(__alignof__(struct ebt_replace)-1))
 extern struct ebt_table *ebt_register_table(struct net *net,
                                             const struct ebt_table *table);
-extern void ebt_unregister_table(struct ebt_table *table);
+extern void ebt_unregister_table(struct net *net, struct ebt_table *table);
 extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
    const struct net_device *in, const struct net_device *out,
    struct ebt_table *table);
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 27b3f580730..364973b4213 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -242,7 +242,7 @@ extern void ipt_init(void) __init;
 extern struct xt_table *ipt_register_table(struct net *net,
                                            const struct xt_table *table,
                                            const struct ipt_replace *repl);
-extern void ipt_unregister_table(struct xt_table *table);
+extern void ipt_unregister_table(struct net *net, struct xt_table *table);
 
 /* Standard entry. */
 struct ipt_standard {
@@ -282,6 +282,7 @@ struct ipt_error {
         .target.errorname = "ERROR",                                           \
 }
 
+extern void *ipt_alloc_initial_table(const struct xt_table *);
 extern unsigned int ipt_do_table(struct sk_buff *skb,
                                  unsigned int hook,
                                  const struct net_device *in,
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index b31050d20ae..8031eb486a1 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -297,10 +297,11 @@ ip6t_get_target(struct ip6t_entry *e)
 #include <linux/init.h>
 extern void ip6t_init(void) __init;
 
+extern void *ip6t_alloc_initial_table(const struct xt_table *);
 extern struct xt_table *ip6t_register_table(struct net *net,
                                             const struct xt_table *table,
                                             const struct ip6t_replace *repl);
-extern void ip6t_unregister_table(struct xt_table *table);
+extern void ip6t_unregister_table(struct net *net, struct xt_table *table);
 extern unsigned int ip6t_do_table(struct sk_buff *skb,
                                   unsigned int hook,
                                   const struct net_device *in,