diff options
author | David S. Miller <davem@conan.davemloft.net> | 2011-06-16 21:38:01 -0400 |
---|---|---|
committer | David S. Miller <davem@conan.davemloft.net> | 2011-06-16 21:38:01 -0400 |
commit | 3009adf5acb2245216651318c2226812fd1b01a6 (patch) | |
tree | 3fa6a085be2eab409aec447ab8bd7c4737321688 | |
parent | 9281b2a2e2e02ad4bcc2fdd11797709b815d5f8e (diff) | |
parent | 42c1edd345c8412d96e7a362ee06feb7be73bb6c (diff) |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
-rw-r--r-- | include/net/netfilter/nf_conntrack.h | 6 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_queue.c | 3 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/ipt_ecn.c | 7 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 | ||||
-rw-r--r-- | net/ipv6/netfilter/ip6_queue.c | 3 | ||||
-rw-r--r-- | net/netfilter/ipvs/ip_vs_conn.c | 10 | ||||
-rw-r--r-- | net/netfilter/ipvs/ip_vs_core.c | 1 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_log.c | 3 | ||||
-rw-r--r-- | net/netfilter/nfnetlink_queue.c | 3 |
10 files changed, 31 insertions, 11 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index c7c42e7acc31..5d4f8e586e32 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h | |||
@@ -307,6 +307,12 @@ static inline int nf_ct_is_untracked(const struct nf_conn *ct) | |||
307 | return test_bit(IPS_UNTRACKED_BIT, &ct->status); | 307 | return test_bit(IPS_UNTRACKED_BIT, &ct->status); |
308 | } | 308 | } |
309 | 309 | ||
310 | /* Packet is received from loopback */ | ||
311 | static inline bool nf_is_loopback_packet(const struct sk_buff *skb) | ||
312 | { | ||
313 | return skb->dev && skb->skb_iif && skb->dev->flags & IFF_LOOPBACK; | ||
314 | } | ||
315 | |||
310 | extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp); | 316 | extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp); |
311 | extern unsigned int nf_conntrack_htable_size; | 317 | extern unsigned int nf_conntrack_htable_size; |
312 | extern unsigned int nf_conntrack_max; | 318 | extern unsigned int nf_conntrack_max; |
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c index f7f9bd7ba12d..5c9b9d963918 100644 --- a/net/ipv4/netfilter/ip_queue.c +++ b/net/ipv4/netfilter/ip_queue.c | |||
@@ -203,7 +203,8 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp) | |||
203 | else | 203 | else |
204 | pmsg->outdev_name[0] = '\0'; | 204 | pmsg->outdev_name[0] = '\0'; |
205 | 205 | ||
206 | if (entry->indev && entry->skb->dev) { | 206 | if (entry->indev && entry->skb->dev && |
207 | entry->skb->mac_header != entry->skb->network_header) { | ||
207 | pmsg->hw_type = entry->skb->dev->type; | 208 | pmsg->hw_type = entry->skb->dev->type; |
208 | pmsg->hw_addrlen = dev_parse_header(entry->skb, | 209 | pmsg->hw_addrlen = dev_parse_header(entry->skb, |
209 | pmsg->hw_addr); | 210 | pmsg->hw_addr); |
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 764743843503..24e556e83a3b 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c | |||
@@ -566,7 +566,7 @@ check_entry(const struct ipt_entry *e, const char *name) | |||
566 | const struct xt_entry_target *t; | 566 | const struct xt_entry_target *t; |
567 | 567 | ||
568 | if (!ip_checkentry(&e->ip)) { | 568 | if (!ip_checkentry(&e->ip)) { |
569 | duprintf("ip check failed %p %s.\n", e, par->match->name); | 569 | duprintf("ip check failed %p %s.\n", e, name); |
570 | return -EINVAL; | 570 | return -EINVAL; |
571 | } | 571 | } |
572 | 572 | ||
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c index af6e9c778345..2b57e52c746c 100644 --- a/net/ipv4/netfilter/ipt_ecn.c +++ b/net/ipv4/netfilter/ipt_ecn.c | |||
@@ -25,7 +25,8 @@ MODULE_LICENSE("GPL"); | |||
25 | static inline bool match_ip(const struct sk_buff *skb, | 25 | static inline bool match_ip(const struct sk_buff *skb, |
26 | const struct ipt_ecn_info *einfo) | 26 | const struct ipt_ecn_info *einfo) |
27 | { | 27 | { |
28 | return (ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect; | 28 | return ((ip_hdr(skb)->tos & IPT_ECN_IP_MASK) == einfo->ip_ect) ^ |
29 | !!(einfo->invert & IPT_ECN_OP_MATCH_IP); | ||
29 | } | 30 | } |
30 | 31 | ||
31 | static inline bool match_tcp(const struct sk_buff *skb, | 32 | static inline bool match_tcp(const struct sk_buff *skb, |
@@ -76,8 +77,6 @@ static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
76 | return false; | 77 | return false; |
77 | 78 | ||
78 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { | 79 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) { |
79 | if (ip_hdr(skb)->protocol != IPPROTO_TCP) | ||
80 | return false; | ||
81 | if (!match_tcp(skb, info, &par->hotdrop)) | 80 | if (!match_tcp(skb, info, &par->hotdrop)) |
82 | return false; | 81 | return false; |
83 | } | 82 | } |
@@ -97,7 +96,7 @@ static int ecn_mt_check(const struct xt_mtchk_param *par) | |||
97 | return -EINVAL; | 96 | return -EINVAL; |
98 | 97 | ||
99 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && | 98 | if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && |
100 | ip->proto != IPPROTO_TCP) { | 99 | (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) { |
101 | pr_info("cannot match TCP bits in rule for non-tcp packets\n"); | 100 | pr_info("cannot match TCP bits in rule for non-tcp packets\n"); |
102 | return -EINVAL; | 101 | return -EINVAL; |
103 | } | 102 | } |
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index db10075dd88e..de9da21113a1 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | |||
@@ -121,7 +121,9 @@ static unsigned int ipv4_confirm(unsigned int hooknum, | |||
121 | return ret; | 121 | return ret; |
122 | } | 122 | } |
123 | 123 | ||
124 | if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status)) { | 124 | /* adjust seqs for loopback traffic only in outgoing direction */ |
125 | if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) && | ||
126 | !nf_is_loopback_packet(skb)) { | ||
125 | typeof(nf_nat_seq_adjust_hook) seq_adjust; | 127 | typeof(nf_nat_seq_adjust_hook) seq_adjust; |
126 | 128 | ||
127 | seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook); | 129 | seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook); |
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c index 065fe405fb58..249394863284 100644 --- a/net/ipv6/netfilter/ip6_queue.c +++ b/net/ipv6/netfilter/ip6_queue.c | |||
@@ -204,7 +204,8 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp) | |||
204 | else | 204 | else |
205 | pmsg->outdev_name[0] = '\0'; | 205 | pmsg->outdev_name[0] = '\0'; |
206 | 206 | ||
207 | if (entry->indev && entry->skb->dev) { | 207 | if (entry->indev && entry->skb->dev && |
208 | entry->skb->mac_header != entry->skb->network_header) { | ||
208 | pmsg->hw_type = entry->skb->dev->type; | 209 | pmsg->hw_type = entry->skb->dev->type; |
209 | pmsg->hw_addrlen = dev_parse_header(entry->skb, pmsg->hw_addr); | 210 | pmsg->hw_addrlen = dev_parse_header(entry->skb, pmsg->hw_addr); |
210 | } | 211 | } |
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c index bf28ac2fc99b..782db275ac53 100644 --- a/net/netfilter/ipvs/ip_vs_conn.c +++ b/net/netfilter/ipvs/ip_vs_conn.c | |||
@@ -776,8 +776,16 @@ static void ip_vs_conn_expire(unsigned long data) | |||
776 | if (cp->control) | 776 | if (cp->control) |
777 | ip_vs_control_del(cp); | 777 | ip_vs_control_del(cp); |
778 | 778 | ||
779 | if (cp->flags & IP_VS_CONN_F_NFCT) | 779 | if (cp->flags & IP_VS_CONN_F_NFCT) { |
780 | ip_vs_conn_drop_conntrack(cp); | 780 | ip_vs_conn_drop_conntrack(cp); |
781 | /* Do not access conntracks during subsys cleanup | ||
782 | * because nf_conntrack_find_get can not be used after | ||
783 | * conntrack cleanup for the net. | ||
784 | */ | ||
785 | smp_rmb(); | ||
786 | if (ipvs->enable) | ||
787 | ip_vs_conn_drop_conntrack(cp); | ||
788 | } | ||
781 | 789 | ||
782 | ip_vs_pe_put(cp->pe); | 790 | ip_vs_pe_put(cp->pe); |
783 | kfree(cp->pe_data); | 791 | kfree(cp->pe_data); |
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 55af2242bccd..24c28d238dcb 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c | |||
@@ -1945,6 +1945,7 @@ static void __net_exit __ip_vs_dev_cleanup(struct net *net) | |||
1945 | { | 1945 | { |
1946 | EnterFunction(2); | 1946 | EnterFunction(2); |
1947 | net_ipvs(net)->enable = 0; /* Disable packet reception */ | 1947 | net_ipvs(net)->enable = 0; /* Disable packet reception */ |
1948 | smp_wmb(); | ||
1948 | __ip_vs_sync_cleanup(net); | 1949 | __ip_vs_sync_cleanup(net); |
1949 | LeaveFunction(2); | 1950 | LeaveFunction(2); |
1950 | } | 1951 | } |
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c index e0ee010935e7..2e7ccbb43ddb 100644 --- a/net/netfilter/nfnetlink_log.c +++ b/net/netfilter/nfnetlink_log.c | |||
@@ -456,7 +456,8 @@ __build_packet_message(struct nfulnl_instance *inst, | |||
456 | if (skb->mark) | 456 | if (skb->mark) |
457 | NLA_PUT_BE32(inst->skb, NFULA_MARK, htonl(skb->mark)); | 457 | NLA_PUT_BE32(inst->skb, NFULA_MARK, htonl(skb->mark)); |
458 | 458 | ||
459 | if (indev && skb->dev) { | 459 | if (indev && skb->dev && |
460 | skb->mac_header != skb->network_header) { | ||
460 | struct nfulnl_msg_packet_hw phw; | 461 | struct nfulnl_msg_packet_hw phw; |
461 | int len = dev_parse_header(skb, phw.hw_addr); | 462 | int len = dev_parse_header(skb, phw.hw_addr); |
462 | if (len > 0) { | 463 | if (len > 0) { |
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index b83123f12b42..fdd2fafe0a14 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c | |||
@@ -335,7 +335,8 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, | |||
335 | if (entskb->mark) | 335 | if (entskb->mark) |
336 | NLA_PUT_BE32(skb, NFQA_MARK, htonl(entskb->mark)); | 336 | NLA_PUT_BE32(skb, NFQA_MARK, htonl(entskb->mark)); |
337 | 337 | ||
338 | if (indev && entskb->dev) { | 338 | if (indev && entskb->dev && |
339 | entskb->mac_header != entskb->network_header) { | ||
339 | struct nfqnl_msg_packet_hw phw; | 340 | struct nfqnl_msg_packet_hw phw; |
340 | int len = dev_parse_header(entskb, phw.hw_addr); | 341 | int len = dev_parse_header(entskb, phw.hw_addr); |
341 | if (len) { | 342 | if (len) { |