Merge branch 'master' of git://1984.lsi.us.es/nf

Pablo Neira Ayuso says:

====================
* One to get the timeout special parameter for the SET target back working
  (this was introduced while trying to fix another bug in 3.4) from
  Jozsef Kadlecsik.

* One crash fix if containers and nf_conntrack are used reported by Hans
  Schillstrom by myself.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 4 insertions, 2 deletions

diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index a88fb6939387..e1ce1048fe5f 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -78,7 +78,7 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
         struct net *net = nf_ct_net(ct);
         struct nf_conntrack_ecache *e;
 
-        if (net->ct.nf_conntrack_event_cb == NULL)
+        if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
                 return;
 
         e = nf_ct_ecache_find(ct);
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 035960ec5cb9..c6f7db720d84 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -16,6 +16,7 @@
 
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
                 info->del_set.flags, 0, UINT_MAX);
 
         /* Normalize to fit into jiffies */
-        if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+        if (add_opt.timeout != IPSET_NO_TIMEOUT &&
+            add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
                 add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
         if (info->add_set.index != IPSET_INVALID_ID)
                 ip_set_add(info->add_set.index, skb, par, &add_opt);