Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

8 files changed, 414 insertions, 38 deletions

diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
index 74358d1b3f4..e9c2ed8af86 100644
--- a/include/net/inet_hashtables.h
+++ b/include/net/inet_hashtables.h
@@ -245,7 +245,7 @@ static inline int inet_sk_listen_hashfn(const struct sock *sk)
 }
 
 /* Caller must disable local BH processing. */
-extern void __inet_inherit_port(struct sock *sk, struct sock *child);
+extern int __inet_inherit_port(struct sock *sk, struct sock *child);
 
 extern void inet_put_port(struct sock *sk);
 
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index f976885f686..b7bbd6c28cf 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -25,7 +25,9 @@
 #include <linux/ip.h>
 #include <linux/ipv6.h>                 /* for struct ipv6hdr */
 #include <net/ipv6.h>                   /* for ipv6_addr_copy */
-
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+#include <net/netfilter/nf_conntrack.h>
+#endif
 
 /* Connections' size value needed by ip_vs_ctl.c */
 extern int ip_vs_conn_tab_size;
@@ -134,24 +136,24 @@ static inline const char *ip_vs_dbg_addr(int af, char *buf, size_t buf_len,
                 if (net_ratelimit())                                    \
                         printk(KERN_DEBUG pr_fmt(msg), ##__VA_ARGS__);  \
         } while (0)
-#define IP_VS_DBG_PKT(level, pp, skb, ofs, msg)                         \
+#define IP_VS_DBG_PKT(level, af, pp, skb, ofs, msg)                     \
         do {                                                            \
                 if (level <= ip_vs_get_debug_level())                   \
-                        pp->debug_packet(pp, skb, ofs, msg);            \
+                        pp->debug_packet(af, pp, skb, ofs, msg);        \
         } while (0)
-#define IP_VS_DBG_RL_PKT(level, pp, skb, ofs, msg)                      \
+#define IP_VS_DBG_RL_PKT(level, af, pp, skb, ofs, msg)                  \
         do {                                                            \
                 if (level <= ip_vs_get_debug_level() &&                 \
                     net_ratelimit())                                    \
-                        pp->debug_packet(pp, skb, ofs, msg);            \
+                        pp->debug_packet(af, pp, skb, ofs, msg);        \
         } while (0)
 #else   /* NO DEBUGGING at ALL */
 #define IP_VS_DBG_BUF(level, msg...)  do {} while (0)
 #define IP_VS_ERR_BUF(msg...)  do {} while (0)
 #define IP_VS_DBG(level, msg...)  do {} while (0)
 #define IP_VS_DBG_RL(msg...)  do {} while (0)
-#define IP_VS_DBG_PKT(level, pp, skb, ofs, msg)         do {} while (0)
-#define IP_VS_DBG_RL_PKT(level, pp, skb, ofs, msg)      do {} while (0)
+#define IP_VS_DBG_PKT(level, af, pp, skb, ofs, msg)     do {} while (0)
+#define IP_VS_DBG_RL_PKT(level, af, pp, skb, ofs, msg)  do {} while (0)
 #endif
 
 #define IP_VS_BUG() BUG()
@@ -343,7 +345,7 @@ struct ip_vs_protocol {
 
         int (*app_conn_bind)(struct ip_vs_conn *cp);
 
-        void (*debug_packet)(struct ip_vs_protocol *pp,
+        void (*debug_packet)(int af, struct ip_vs_protocol *pp,
                              const struct sk_buff *skb,
                              int offset,
                              const char *msg);
@@ -355,6 +357,19 @@ struct ip_vs_protocol {
 
 extern struct ip_vs_protocol * ip_vs_proto_get(unsigned short proto);
 
+struct ip_vs_conn_param {
+        const union nf_inet_addr        *caddr;
+        const union nf_inet_addr        *vaddr;
+        __be16                          cport;
+        __be16                          vport;
+        __u16                           protocol;
+        u16                             af;
+
+        const struct ip_vs_pe           *pe;
+        char                            *pe_data;
+        __u8                            pe_data_len;
+};
+
 /*
  *      IP_VS structure allocated for each dynamically scheduled connection
  */
@@ -366,6 +381,7 @@ struct ip_vs_conn {
         union nf_inet_addr       caddr;          /* client address */
         union nf_inet_addr       vaddr;          /* virtual address */
         union nf_inet_addr       daddr;          /* destination address */
+        volatile __u32           flags;          /* status flags */
         __be16                   cport;
         __be16                   vport;
         __be16                   dport;
@@ -378,7 +394,6 @@ struct ip_vs_conn {
 
         /* Flags and state transition */
         spinlock_t              lock;           /* lock for state transition */
-        volatile __u16          flags;          /* status flags */
         volatile __u16          state;          /* state info */
         volatile __u16          old_state;      /* old state, to be used for
                                                  * state transition triggerd
@@ -394,6 +409,7 @@ struct ip_vs_conn {
         /* packet transmitter for different forwarding methods.  If it
            mangles the packet, it must return NF_DROP or better NF_STOLEN,
            otherwise this must be changed to a sk_buff **.
+           NF_ACCEPT can be returned when destination is local.
          */
         int (*packet_xmit)(struct sk_buff *skb, struct ip_vs_conn *cp,
                            struct ip_vs_protocol *pp);
@@ -405,6 +421,9 @@ struct ip_vs_conn {
         void                    *app_data;      /* Application private data */
         struct ip_vs_seq        in_seq;         /* incoming seq. struct */
         struct ip_vs_seq        out_seq;        /* outgoing seq. struct */
+
+        char                    *pe_data;
+        __u8                    pe_data_len;
 };
 
 
@@ -426,6 +445,7 @@ struct ip_vs_service_user_kern {
 
         /* virtual service options */
         char                    *sched_name;
+        char                    *pe_name;
         unsigned                flags;          /* virtual service flags */
         unsigned                timeout;        /* persistent timeout in sec */
         u32                     netmask;        /* persistent netmask */
@@ -475,6 +495,9 @@ struct ip_vs_service {
         struct ip_vs_scheduler  *scheduler;    /* bound scheduler object */
         rwlock_t                sched_lock;    /* lock sched_data */
         void                    *sched_data;   /* scheduler application data */
+
+        /* alternate persistence engine */
+        struct ip_vs_pe         *pe;
 };
 
 
@@ -507,6 +530,10 @@ struct ip_vs_dest {
         spinlock_t              dst_lock;       /* lock of dst_cache */
         struct dst_entry        *dst_cache;     /* destination cache entry */
         u32                     dst_rtos;       /* RT_TOS(tos) for dst */
+        u32                     dst_cookie;
+#ifdef CONFIG_IP_VS_IPV6
+        struct in6_addr         dst_saddr;
+#endif
 
         /* for virtual service */
         struct ip_vs_service    *svc;           /* service it belongs to */
@@ -538,6 +565,21 @@ struct ip_vs_scheduler {
                                        const struct sk_buff *skb);
 };
 
+/* The persistence engine object */
+struct ip_vs_pe {
+        struct list_head        n_list;         /* d-linked list head */
+        char                    *name;          /* scheduler name */
+        atomic_t                refcnt;         /* reference counter */
+        struct module           *module;        /* THIS_MODULE/NULL */
+
+        /* get the connection template, if any */
+        int (*fill_param)(struct ip_vs_conn_param *p, struct sk_buff *skb);
+        bool (*ct_match)(const struct ip_vs_conn_param *p,
+                         struct ip_vs_conn *ct);
+        u32 (*hashkey_raw)(const struct ip_vs_conn_param *p, u32 initval,
+                           bool inverse);
+        int (*show_pe_data)(const struct ip_vs_conn *cp, char *buf);
+};
 
 /*
  *      The application module object (a.k.a. app incarnation)
@@ -556,11 +598,19 @@ struct ip_vs_app {
         __be16                  port;           /* port number in net order */
         atomic_t                usecnt;         /* usage counter */
 
-        /* output hook: return false if can't linearize. diff set for TCP.  */
+        /*
+         * output hook: Process packet in inout direction, diff set for TCP.
+         * Return: 0=Error, 1=Payload Not Mangled/Mangled but checksum is ok,
+         *         2=Mangled but checksum was not updated
+         */
         int (*pkt_out)(struct ip_vs_app *, struct ip_vs_conn *,
                        struct sk_buff *, int *diff);
 
-        /* input hook: return false if can't linearize. diff set for TCP. */
+        /*
+         * input hook: Process packet in outin direction, diff set for TCP.
+         * Return: 0=Error, 1=Payload Not Mangled/Mangled but checksum is ok,
+         *         2=Mangled but checksum was not updated
+         */
         int (*pkt_in)(struct ip_vs_app *, struct ip_vs_conn *,
                       struct sk_buff *, int *diff);
 
@@ -624,13 +674,25 @@ enum {
         IP_VS_DIR_LAST,
 };
 
-extern struct ip_vs_conn *ip_vs_conn_in_get
-(int af, int protocol, const union nf_inet_addr *s_addr, __be16 s_port,
- const union nf_inet_addr *d_addr, __be16 d_port);
+static inline void ip_vs_conn_fill_param(int af, int protocol,
+                                         const union nf_inet_addr *caddr,
+                                         __be16 cport,
+                                         const union nf_inet_addr *vaddr,
+                                         __be16 vport,
+                                         struct ip_vs_conn_param *p)
+{
+        p->af = af;
+        p->protocol = protocol;
+        p->caddr = caddr;
+        p->cport = cport;
+        p->vaddr = vaddr;
+        p->vport = vport;
+        p->pe = NULL;
+        p->pe_data = NULL;
+}
 
-extern struct ip_vs_conn *ip_vs_ct_in_get
-(int af, int protocol, const union nf_inet_addr *s_addr, __be16 s_port,
- const union nf_inet_addr *d_addr, __be16 d_port);
+struct ip_vs_conn *ip_vs_conn_in_get(const struct ip_vs_conn_param *p);
+struct ip_vs_conn *ip_vs_ct_in_get(const struct ip_vs_conn_param *p);
 
 struct ip_vs_conn * ip_vs_conn_in_get_proto(int af, const struct sk_buff *skb,
                                             struct ip_vs_protocol *pp,
@@ -638,9 +700,7 @@ struct ip_vs_conn * ip_vs_conn_in_get_proto(int af, const struct sk_buff *skb,
                                             unsigned int proto_off,
                                             int inverse);
 
-extern struct ip_vs_conn *ip_vs_conn_out_get
-(int af, int protocol, const union nf_inet_addr *s_addr, __be16 s_port,
- const union nf_inet_addr *d_addr, __be16 d_port);
+struct ip_vs_conn *ip_vs_conn_out_get(const struct ip_vs_conn_param *p);
 
 struct ip_vs_conn * ip_vs_conn_out_get_proto(int af, const struct sk_buff *skb,
                                              struct ip_vs_protocol *pp,
@@ -656,11 +716,10 @@ static inline void __ip_vs_conn_put(struct ip_vs_conn *cp)
 extern void ip_vs_conn_put(struct ip_vs_conn *cp);
 extern void ip_vs_conn_fill_cport(struct ip_vs_conn *cp, __be16 cport);
 
-extern struct ip_vs_conn *
-ip_vs_conn_new(int af, int proto, const union nf_inet_addr *caddr, __be16 cport,
-               const union nf_inet_addr *vaddr, __be16 vport,
-               const union nf_inet_addr *daddr, __be16 dport, unsigned flags,
-               struct ip_vs_dest *dest);
+struct ip_vs_conn *ip_vs_conn_new(const struct ip_vs_conn_param *p,
+                                  const union nf_inet_addr *daddr,
+                                  __be16 dport, unsigned flags,
+                                  struct ip_vs_dest *dest);
 extern void ip_vs_conn_expire_now(struct ip_vs_conn *cp);
 
 extern const char * ip_vs_state_name(__u16 proto, int state);
@@ -751,6 +810,12 @@ extern int ip_vs_app_pkt_in(struct ip_vs_conn *, struct sk_buff *skb);
 extern int ip_vs_app_init(void);
 extern void ip_vs_app_cleanup(void);
 
+void ip_vs_bind_pe(struct ip_vs_service *svc, struct ip_vs_pe *pe);
+void ip_vs_unbind_pe(struct ip_vs_service *svc);
+int register_ip_vs_pe(struct ip_vs_pe *pe);
+int unregister_ip_vs_pe(struct ip_vs_pe *pe);
+extern struct ip_vs_pe *ip_vs_pe_get(const char *name);
+extern void ip_vs_pe_put(struct ip_vs_pe *pe);
 
 /*
  *      IPVS protocol functions (from ip_vs_proto.c)
@@ -763,7 +828,8 @@ extern int
 ip_vs_set_state_timeout(int *table, int num, const char *const *names,
                         const char *name, int to);
 extern void
-ip_vs_tcpudp_debug_packet(struct ip_vs_protocol *pp, const struct sk_buff *skb,
+ip_vs_tcpudp_debug_packet(int af, struct ip_vs_protocol *pp,
+                          const struct sk_buff *skb,
                           int offset, const char *msg);
 
 extern struct ip_vs_protocol ip_vs_protocol_tcp;
@@ -785,7 +851,8 @@ extern int ip_vs_unbind_scheduler(struct ip_vs_service *svc);
 extern struct ip_vs_scheduler *ip_vs_scheduler_get(const char *sched_name);
 extern void ip_vs_scheduler_put(struct ip_vs_scheduler *scheduler);
 extern struct ip_vs_conn *
-ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb);
+ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
+               struct ip_vs_protocol *pp, int *ignored);
 extern int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
                         struct ip_vs_protocol *pp);
 
@@ -798,6 +865,8 @@ extern int sysctl_ip_vs_expire_nodest_conn;
 extern int sysctl_ip_vs_expire_quiescent_template;
 extern int sysctl_ip_vs_sync_threshold[2];
 extern int sysctl_ip_vs_nat_icmp_send;
+extern int sysctl_ip_vs_conntrack;
+extern int sysctl_ip_vs_snat_reroute;
 extern struct ip_vs_stats ip_vs_stats;
 extern const struct ctl_path net_vs_ctl_path[];
 
@@ -955,8 +1024,65 @@ static inline __wsum ip_vs_check_diff2(__be16 old, __be16 new, __wsum oldsum)
         return csum_partial(diff, sizeof(diff), oldsum);
 }
 
+/*
+ * Forget current conntrack (unconfirmed) and attach notrack entry
+ */
+static inline void ip_vs_notrack(struct sk_buff *skb)
+{
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+        enum ip_conntrack_info ctinfo;
+        struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
+
+        if (!ct || !nf_ct_is_untracked(ct)) {
+                nf_reset(skb);
+                skb->nfct = &nf_ct_untracked_get()->ct_general;
+                skb->nfctinfo = IP_CT_NEW;
+                nf_conntrack_get(skb->nfct);
+        }
+#endif
+}
+
+#ifdef CONFIG_IP_VS_NFCT
+/*
+ *      Netfilter connection tracking
+ *      (from ip_vs_nfct.c)
+ */
+static inline int ip_vs_conntrack_enabled(void)
+{
+        return sysctl_ip_vs_conntrack;
+}
+
 extern void ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp,
                                    int outin);
+extern int ip_vs_confirm_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp);
+extern void ip_vs_nfct_expect_related(struct sk_buff *skb, struct nf_conn *ct,
+                                      struct ip_vs_conn *cp, u_int8_t proto,
+                                      const __be16 port, int from_rs);
+extern void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp);
+
+#else
+
+static inline int ip_vs_conntrack_enabled(void)
+{
+        return 0;
+}
+
+static inline void ip_vs_update_conntrack(struct sk_buff *skb,
+                                          struct ip_vs_conn *cp, int outin)
+{
+}
+
+static inline int ip_vs_confirm_conntrack(struct sk_buff *skb,
+                                          struct ip_vs_conn *cp)
+{
+        return NF_ACCEPT;
+}
+
+static inline void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp)
+{
+}
+/* CONFIG_IP_VS_NFCT */
+#endif
 
 #endif /* __KERNEL__ */
 
diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
new file mode 100644
index 00000000000..94dd54d76b4
--- /dev/null
+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
@@ -0,0 +1,6 @@
+#ifndef _NF_DEFRAG_IPV6_H
+#define _NF_DEFRAG_IPV6_H
+
+extern void nf_defrag_ipv6_enable(void);
+
+#endif /* _NF_DEFRAG_IPV6_H */
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 11e815084fc..0f8a8c58753 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -67,9 +67,6 @@ struct nf_conntrack_expect_policy {
 
 #define NF_CT_EXPECT_CLASS_DEFAULT      0
 
-#define NF_CT_EXPECT_PERMANENT  0x1
-#define NF_CT_EXPECT_INACTIVE   0x2
-
 int nf_conntrack_expect_init(struct net *net);
 void nf_conntrack_expect_fini(struct net *net);
 
@@ -85,9 +82,16 @@ struct nf_conntrack_expect *
 nf_ct_find_expectation(struct net *net, u16 zone,
                        const struct nf_conntrack_tuple *tuple);
 
-void nf_ct_unlink_expect(struct nf_conntrack_expect *exp);
+void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
+                                u32 pid, int report);
+static inline void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
+{
+        nf_ct_unlink_expect_report(exp, 0, 0);
+}
+
 void nf_ct_remove_expectations(struct nf_conn *ct);
 void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
+void nf_ct_remove_userspace_expectations(void);
 
 /* Allocate space for an expectation: this is mandatory before calling
    nf_ct_expect_related.  You will have to call put afterwards. */
diff --git a/include/net/netfilter/nf_nat_protocol.h b/include/net/netfilter/nf_nat_protocol.h
index df17bac46bf..93cc90d28e6 100644
--- a/include/net/netfilter/nf_nat_protocol.h
+++ b/include/net/netfilter/nf_nat_protocol.h
@@ -45,9 +45,6 @@ struct nf_nat_protocol {
 extern int nf_nat_protocol_register(const struct nf_nat_protocol *proto);
 extern void nf_nat_protocol_unregister(const struct nf_nat_protocol *proto);
 
-extern const struct nf_nat_protocol *nf_nat_proto_find_get(u_int8_t protocol);
-extern void nf_nat_proto_put(const struct nf_nat_protocol *proto);
-
 /* Built-in protocols. */
 extern const struct nf_nat_protocol nf_nat_protocol_tcp;
 extern const struct nf_nat_protocol nf_nat_protocol_udp;
diff --git a/include/net/netfilter/nf_tproxy_core.h b/include/net/netfilter/nf_tproxy_core.h
index 208b46f4d6d..cd85b3bc832 100644
--- a/include/net/netfilter/nf_tproxy_core.h
+++ b/include/net/netfilter/nf_tproxy_core.h
@@ -5,15 +5,201 @@
 #include <linux/in.h>
 #include <linux/skbuff.h>
 #include <net/sock.h>
-#include <net/inet_sock.h>
+#include <net/inet_hashtables.h>
+#include <net/inet6_hashtables.h>
 #include <net/tcp.h>
 
+#define NFT_LOOKUP_ANY         0
+#define NFT_LOOKUP_LISTENER    1
+#define NFT_LOOKUP_ESTABLISHED 2
+
 /* look up and get a reference to a matching socket */
-extern struct sock *
+
+
+/* This function is used by the 'TPROXY' target and the 'socket'
+ * match. The following lookups are supported:
+ *
+ * Explicit TProxy target rule
+ * ===========================
+ *
+ * This is used when the user wants to intercept a connection matching
+ * an explicit iptables rule. In this case the sockets are assumed
+ * matching in preference order:
+ *
+ *   - match: if there's a fully established connection matching the
+ *     _packet_ tuple, it is returned, assuming the redirection
+ *     already took place and we process a packet belonging to an
+ *     established connection
+ *
+ *   - match: if there's a listening socket matching the redirection
+ *     (e.g. on-port & on-ip of the connection), it is returned,
+ *     regardless if it was bound to 0.0.0.0 or an explicit
+ *     address. The reasoning is that if there's an explicit rule, it
+ *     does not really matter if the listener is bound to an interface
+ *     or to 0. The user already stated that he wants redirection
+ *     (since he added the rule).
+ *
+ * "socket" match based redirection (no specific rule)
+ * ===================================================
+ *
+ * There are connections with dynamic endpoints (e.g. FTP data
+ * connection) that the user is unable to add explicit rules
+ * for. These are taken care of by a generic "socket" rule. It is
+ * assumed that the proxy application is trusted to open such
+ * connections without explicit iptables rule (except of course the
+ * generic 'socket' rule). In this case the following sockets are
+ * matched in preference order:
+ *
+ *   - match: if there's a fully established connection matching the
+ *     _packet_ tuple
+ *
+ *   - match: if there's a non-zero bound listener (possibly with a
+ *     non-local address) We don't accept zero-bound listeners, since
+ *     then local services could intercept traffic going through the
+ *     box.
+ *
+ * Please note that there's an overlap between what a TPROXY target
+ * and a socket match will match. Normally if you have both rules the
+ * "socket" match will be the first one, effectively all packets
+ * belonging to established connections going through that one.
+ */
+static inline struct sock *
 nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
                       const __be32 saddr, const __be32 daddr,
                       const __be16 sport, const __be16 dport,
-                      const struct net_device *in, bool listening);
+                      const struct net_device *in, int lookup_type)
+{
+        struct sock *sk;
+
+        /* look up socket */
+        switch (protocol) {
+        case IPPROTO_TCP:
+                switch (lookup_type) {
+                case NFT_LOOKUP_ANY:
+                        sk = __inet_lookup(net, &tcp_hashinfo,
+                                           saddr, sport, daddr, dport,
+                                           in->ifindex);
+                        break;
+                case NFT_LOOKUP_LISTENER:
+                        sk = inet_lookup_listener(net, &tcp_hashinfo,
+                                                    daddr, dport,
+                                                    in->ifindex);
+
+                        /* NOTE: we return listeners even if bound to
+                         * 0.0.0.0, those are filtered out in
+                         * xt_socket, since xt_TPROXY needs 0 bound
+                         * listeners too */
+
+                        break;
+                case NFT_LOOKUP_ESTABLISHED:
+                        sk = inet_lookup_established(net, &tcp_hashinfo,
+                                                    saddr, sport, daddr, dport,
+                                                    in->ifindex);
+                        break;
+                default:
+                        WARN_ON(1);
+                        sk = NULL;
+                        break;
+                }
+                break;
+        case IPPROTO_UDP:
+                sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,
+                                     in->ifindex);
+                if (sk && lookup_type != NFT_LOOKUP_ANY) {
+                        int connected = (sk->sk_state == TCP_ESTABLISHED);
+                        int wildcard = (inet_sk(sk)->inet_rcv_saddr == 0);
+
+                        /* NOTE: we return listeners even if bound to
+                         * 0.0.0.0, those are filtered out in
+                         * xt_socket, since xt_TPROXY needs 0 bound
+                         * listeners too */
+                        if ((lookup_type == NFT_LOOKUP_ESTABLISHED && (!connected || wildcard)) ||
+                            (lookup_type == NFT_LOOKUP_LISTENER && connected)) {
+                                sock_put(sk);
+                                sk = NULL;
+                        }
+                }
+                break;
+        default:
+                WARN_ON(1);
+                sk = NULL;
+        }
+
+        pr_debug("tproxy socket lookup: proto %u %08x:%u -> %08x:%u, lookup type: %d, sock %p\n",
+                 protocol, ntohl(saddr), ntohs(sport), ntohl(daddr), ntohs(dport), lookup_type, sk);
+
+        return sk;
+}
+
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static inline struct sock *
+nf_tproxy_get_sock_v6(struct net *net, const u8 protocol,
+                      const struct in6_addr *saddr, const struct in6_addr *daddr,
+                      const __be16 sport, const __be16 dport,
+                      const struct net_device *in, int lookup_type)
+{
+        struct sock *sk;
+
+        /* look up socket */
+        switch (protocol) {
+        case IPPROTO_TCP:
+                switch (lookup_type) {
+                case NFT_LOOKUP_ANY:
+                        sk = inet6_lookup(net, &tcp_hashinfo,
+                                          saddr, sport, daddr, dport,
+                                          in->ifindex);
+                        break;
+                case NFT_LOOKUP_LISTENER:
+                        sk = inet6_lookup_listener(net, &tcp_hashinfo,
+                                                   daddr, ntohs(dport),
+                                                   in->ifindex);
+
+                        /* NOTE: we return listeners even if bound to
+                         * 0.0.0.0, those are filtered out in
+                         * xt_socket, since xt_TPROXY needs 0 bound
+                         * listeners too */
+
+                        break;
+                case NFT_LOOKUP_ESTABLISHED:
+                        sk = __inet6_lookup_established(net, &tcp_hashinfo,
+                                                        saddr, sport, daddr, ntohs(dport),
+                                                        in->ifindex);
+                        break;
+                default:
+                        WARN_ON(1);
+                        sk = NULL;
+                        break;
+                }
+                break;
+        case IPPROTO_UDP:
+                sk = udp6_lib_lookup(net, saddr, sport, daddr, dport,
+                                     in->ifindex);
+                if (sk && lookup_type != NFT_LOOKUP_ANY) {
+                        int connected = (sk->sk_state == TCP_ESTABLISHED);
+                        int wildcard = ipv6_addr_any(&inet6_sk(sk)->rcv_saddr);
+
+                        /* NOTE: we return listeners even if bound to
+                         * 0.0.0.0, those are filtered out in
+                         * xt_socket, since xt_TPROXY needs 0 bound
+                         * listeners too */
+                        if ((lookup_type == NFT_LOOKUP_ESTABLISHED && (!connected || wildcard)) ||
+                            (lookup_type == NFT_LOOKUP_LISTENER && connected)) {
+                                sock_put(sk);
+                                sk = NULL;
+                        }
+                }
+                break;
+        default:
+                WARN_ON(1);
+                sk = NULL;
+        }
+
+        pr_debug("tproxy socket lookup: proto %u %pI6:%u -> %pI6:%u, lookup type: %d, sock %p\n",
+                 protocol, saddr, ntohs(sport), daddr, ntohs(dport), lookup_type, sk);
+
+        return sk;
+}
+#endif
 
 static inline void
 nf_tproxy_put_sock(struct sock *sk)
diff --git a/include/net/netfilter/xt_log.h b/include/net/netfilter/xt_log.h
new file mode 100644
index 00000000000..0dfb34a5b53
--- /dev/null
+++ b/include/net/netfilter/xt_log.h
@@ -0,0 +1,54 @@
+#define S_SIZE (1024 - (sizeof(unsigned int) + 1))
+
+struct sbuff {
+        unsigned int    count;
+        char            buf[S_SIZE + 1];
+};
+static struct sbuff emergency, *emergency_ptr = &emergency;
+
+static int sb_add(struct sbuff *m, const char *f, ...)
+{
+        va_list args;
+        int len;
+
+        if (likely(m->count < S_SIZE)) {
+                va_start(args, f);
+                len = vsnprintf(m->buf + m->count, S_SIZE - m->count, f, args);
+                va_end(args);
+                if (likely(m->count + len < S_SIZE)) {
+                        m->count += len;
+                        return 0;
+                }
+        }
+        m->count = S_SIZE;
+        printk_once(KERN_ERR KBUILD_MODNAME " please increase S_SIZE\n");
+        return -1;
+}
+
+static struct sbuff *sb_open(void)
+{
+        struct sbuff *m = kmalloc(sizeof(*m), GFP_ATOMIC);
+
+        if (unlikely(!m)) {
+                local_bh_disable();
+                do {
+                        m = xchg(&emergency_ptr, NULL);
+                } while (!m);
+        }
+        m->count = 0;
+        return m;
+}
+
+static void sb_close(struct sbuff *m)
+{
+        m->buf[m->count] = 0;
+        printk("%s\n", m->buf);
+
+        if (likely(m != &emergency))
+                kfree(m);
+        else {
+                xchg(&emergency_ptr, m);
+                local_bh_enable();
+        }
+}
+
diff --git a/include/net/udp.h b/include/net/udp.h
index a184d3496b1..200b82848c9 100644
--- a/include/net/udp.h
+++ b/include/net/udp.h
@@ -183,6 +183,9 @@ extern int udp_lib_setsockopt(struct sock *sk, int level, int optname,
 extern struct sock *udp4_lib_lookup(struct net *net, __be32 saddr, __be16 sport,
                                     __be32 daddr, __be16 dport,
                                     int dif);
+extern struct sock *udp6_lib_lookup(struct net *net, const struct in6_addr *saddr, __be16 sport,
+                                    const struct in6_addr *daddr, __be16 dport,
+                                    int dif);
 
 /*
  *      SNMP statistics for UDP and UDP-Lite