Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6

14 files changed, 63 insertions, 27 deletions

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 4cf6088625c1..468896939843 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -184,8 +184,11 @@ static inline int nf_hook_thresh(int pf, unsigned int hook,
                                  struct sk_buff **pskb,
                                  struct net_device *indev,
                                  struct net_device *outdev,
-                                 int (*okfn)(struct sk_buff *), int thresh)
+                                 int (*okfn)(struct sk_buff *), int thresh,
+                                 int cond)
 {
+        if (!cond)
+                return 1;
 #ifndef CONFIG_NETFILTER_DEBUG
         if (list_empty(&nf_hooks[pf][hook]))
                 return 1;
@@ -197,7 +200,7 @@ static inline int nf_hook(int pf, unsigned int hook, struct sk_buff **pskb,
                           struct net_device *indev, struct net_device *outdev,
                           int (*okfn)(struct sk_buff *))
 {
-        return nf_hook_thresh(pf, hook, pskb, indev, outdev, okfn, INT_MIN);
+        return nf_hook_thresh(pf, hook, pskb, indev, outdev, okfn, INT_MIN, 1);
 }
                    
 /* Activate hook; either okfn or kfree_skb called, unless a hook
@@ -224,7 +227,13 @@ static inline int nf_hook(int pf, unsigned int hook, struct sk_buff **pskb,
 
 #define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh)             \
 ({int __ret;                                                                   \
-if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1)\
+if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, thresh, 1)) == 1)\
+        __ret = (okfn)(skb);                                                   \
+__ret;})
+
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond)                 \
+({int __ret;                                                                   \
+if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, INT_MIN, cond)) == 1)\
         __ret = (okfn)(skb);                                                   \
 __ret;})
 
@@ -295,11 +304,13 @@ extern struct proc_dir_entry *proc_net_netfilter;
 
 #else /* !CONFIG_NETFILTER */
 #define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
+#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
 static inline int nf_hook_thresh(int pf, unsigned int hook,
                                  struct sk_buff **pskb,
                                  struct net_device *indev,
                                  struct net_device *outdev,
-                                 int (*okfn)(struct sk_buff *), int thresh)
+                                 int (*okfn)(struct sk_buff *), int thresh,
+                                 int cond)
 {
         return okfn(*pskb);
 }
@@ -307,7 +318,7 @@ static inline int nf_hook(int pf, unsigned int hook, struct sk_buff **pskb,
                           struct net_device *indev, struct net_device *outdev,
                           int (*okfn)(struct sk_buff *))
 {
-        return okfn(*pskb);
+        return 1;
 }
 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
 struct flowi;
diff --git a/include/net/ip.h b/include/net/ip.h
index 8de0697b364c..fab3d5b3ab1c 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -41,6 +41,7 @@ struct inet_skb_parm
 #define IPSKB_XFRM_TUNNEL_SIZE  2
 #define IPSKB_XFRM_TRANSFORMED  4
 #define IPSKB_FRAG_COMPLETE     8
+#define IPSKB_REROUTED          16
 };
 
 struct ipcm_cookie
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index d09ca0e7d139..d6111a2f0a23 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -866,7 +866,6 @@ extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
 extern int xfrm_init_state(struct xfrm_state *x);
 extern int xfrm4_rcv(struct sk_buff *skb);
 extern int xfrm4_output(struct sk_buff *skb);
-extern int xfrm4_output_finish(struct sk_buff *skb);
 extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler);
 extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler);
 extern int xfrm6_rcv_spi(struct sk_buff **pskb, u32 spi);
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index abe23923e4e7..9981dcd68f11 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -830,7 +830,8 @@ static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
         skb->h.raw = skb->nh.raw;
         skb->nh.raw = skb_push(skb, gre_hlen);
         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
-        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE|IPSKB_XFRM_TRANSFORMED);
+        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
+                              IPSKB_REROUTED);
         dst_release(skb->dst);
         skb->dst = &rt->u.dst;
 
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 3324fbfe528a..57d290d89ec2 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -207,8 +207,10 @@ static inline int ip_finish_output(struct sk_buff *skb)
 {
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
         /* Policy lookup after SNAT yielded a new policy */
-        if (skb->dst->xfrm != NULL)
-                return xfrm4_output_finish(skb);
+        if (skb->dst->xfrm != NULL) {
+                IPCB(skb)->flags |= IPSKB_REROUTED;
+                return dst_output(skb);
+        }
 #endif
         if (skb->len > dst_mtu(skb->dst) &&
             !(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size))
@@ -271,8 +273,9 @@ int ip_mc_output(struct sk_buff *skb)
                                 newskb->dev, ip_dev_loopback_xmit);
         }
 
-        return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dev,
-                       ip_finish_output);
+        return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dev,
+                            ip_finish_output,
+                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 
 int ip_output(struct sk_buff *skb)
@@ -284,8 +287,9 @@ int ip_output(struct sk_buff *skb)
         skb->dev = dev;
         skb->protocol = htons(ETH_P_IP);
 
-        return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev,
-                       ip_finish_output);
+        return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev,
+                            ip_finish_output,
+                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 
 int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index e5cbe72c6b80..03d13742a4b8 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -622,7 +622,8 @@ static int ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
         skb->h.raw = skb->nh.raw;
         skb->nh.raw = skb_push(skb, sizeof(struct iphdr));
         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
-        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE|IPSKB_XFRM_TRANSFORMED);
+        IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
+                              IPSKB_REROUTED);
         dst_release(skb->dst);
         skb->dst = &rt->u.dst;
 
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 167619f638c6..6c8624a54933 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -529,15 +529,10 @@ static int init_or_cleanup(int init)
                 goto cleanup_localinops;
         }
 #endif
-
-        /* For use by REJECT target */
-        ip_ct_attach = __nf_conntrack_attach;
-
         return ret;
 
  cleanup:
         synchronize_net();
-        ip_ct_attach = NULL;
 #ifdef CONFIG_SYSCTL
         unregister_sysctl_table(nf_ct_ipv4_sysctl_header);
  cleanup_localinops:
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index d4df0ddd424b..32ad229b4fed 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -152,10 +152,16 @@ error_nolock:
         goto out_exit;
 }
 
-int xfrm4_output_finish(struct sk_buff *skb)
+static int xfrm4_output_finish(struct sk_buff *skb)
 {
         int err;
 
+#ifdef CONFIG_NETFILTER
+        if (!skb->dst->xfrm) {
+                IPCB(skb)->flags |= IPSKB_REROUTED;
+                return dst_output(skb);
+        }
+#endif
         while (likely((err = xfrm4_output_one(skb)) == 0)) {
                 nf_reset(skb);
 
@@ -178,6 +184,7 @@ int xfrm4_output_finish(struct sk_buff *skb)
 
 int xfrm4_output(struct sk_buff *skb)
 {
-        return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
-                       xfrm4_output_finish);
+        return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
+                            xfrm4_output_finish,
+                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index fcf883183cef..21eb725e885f 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -42,6 +42,7 @@
 #include <linux/net.h>
 #include <linux/skbuff.h>
 #include <linux/init.h>
+#include <linux/netfilter.h>
 
 #ifdef CONFIG_SYSCTL
 #include <linux/sysctl.h>
@@ -255,6 +256,7 @@ out:
 struct icmpv6_msg {
         struct sk_buff  *skb;
         int             offset;
+        uint8_t         type;
 };
 
 static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
@@ -266,6 +268,8 @@ static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, st
         csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset,
                                       to, len, csum);
         skb->csum = csum_block_add(skb->csum, csum, odd);
+        if (!(msg->type & ICMPV6_INFOMSG_MASK))
+                nf_ct_attach(skb, org_skb);
         return 0;
 }
 
@@ -403,6 +407,7 @@ void icmpv6_send(struct sk_buff *skb, int type, int code, __u32 info,
 
         msg.skb = skb;
         msg.offset = skb->nh.raw - skb->data;
+        msg.type = type;
 
         len = skb->len - msg.offset;
         len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) -sizeof(struct icmp6hdr));
@@ -500,6 +505,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
 
         msg.skb = skb;
         msg.offset = 0;
+        msg.type = ICMPV6_ECHO_REPLY;
 
         err = ip6_append_data(sk, icmpv6_getfrag, &msg, skb->len + sizeof(struct icmp6hdr),
                                 sizeof(struct icmp6hdr), hlimit, tclass, NULL, &fl,
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index c745717b4ce2..0e6d1d4bbd5c 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -160,6 +160,8 @@ static void send_reset(struct sk_buff *oldskb)
                                       csum_partial((char *)tcph,
                                                    sizeof(struct tcphdr), 0));
 
+        nf_ct_attach(nskb, oldskb);
+
         NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
                 dst_output);
 }
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 0e550127fa7e..a8e5544da93e 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -126,7 +126,7 @@ config NETFILTER_XT_TARGET_CONNMARK
         tristate  '"CONNMARK" target support'
         depends on NETFILTER_XTABLES
         depends on IP_NF_MANGLE || IP6_NF_MANGLE
-        depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
+        depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
         help
           This option adds a `CONNMARK' target, which allows one to manipulate
           the connection mark value.  Similar to the MARK target, but
@@ -187,7 +187,7 @@ config NETFILTER_XT_MATCH_COMMENT
 config NETFILTER_XT_MATCH_CONNBYTES
         tristate  '"connbytes" per-connection counter match support'
         depends on NETFILTER_XTABLES
-        depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || NF_CT_ACCT
+        depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
         help
           This option adds a `connbytes' match, which allows you to match the
           number of bytes and/or packets for each direction within a connection.
@@ -198,7 +198,7 @@ config NETFILTER_XT_MATCH_CONNBYTES
 config NETFILTER_XT_MATCH_CONNMARK
         tristate  '"connmark" connection mark match support'
         depends on NETFILTER_XTABLES
-        depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || NF_CONNTRACK_MARK
+        depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
         help
           This option adds a `connmark' match, which allows you to match the
           connection mark value previously set for the session by `CONNMARK'. 
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 0ce337a1d974..d622ddf08bb0 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1556,6 +1556,8 @@ void nf_conntrack_cleanup(void)
 {
         int i;
 
+        ip_ct_attach = NULL;
+
         /* This makes sure all current packets have passed through
            netfilter framework.  Roll on, two-stage module
            delete... */
@@ -1715,6 +1717,9 @@ int __init nf_conntrack_init(void)
                 nf_ct_l3protos[i] = &nf_conntrack_generic_l3proto;
         write_unlock_bh(&nf_conntrack_lock);
 
+        /* For use by REJECT target */
+        ip_ct_attach = __nf_conntrack_attach;
+
         /* Set up fake conntrack:
             - to never be deleted, not in any hashes */
         atomic_set(&nf_conntrack_untracked.ct_general.use, 1);
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index df99138c3b3b..6492ed66fb3c 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -864,7 +864,9 @@ static int csum6(const struct sk_buff *skb, unsigned int dataoff)
 {
         return csum_ipv6_magic(&skb->nh.ipv6h->saddr, &skb->nh.ipv6h->daddr,
                                skb->len - dataoff, IPPROTO_TCP,
-                               skb->ip_summed == CHECKSUM_HW ? skb->csum
+                               skb->ip_summed == CHECKSUM_HW
+                               ? csum_sub(skb->csum,
+                                          skb_checksum(skb, 0, dataoff, 0))
                                : skb_checksum(skb, dataoff, skb->len - dataoff,
                                               0));
 }
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 4264dd079a16..831d206344e0 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -161,7 +161,9 @@ static int csum6(const struct sk_buff *skb, unsigned int dataoff)
 {
         return csum_ipv6_magic(&skb->nh.ipv6h->saddr, &skb->nh.ipv6h->daddr,
                                skb->len - dataoff, IPPROTO_UDP,
-                               skb->ip_summed == CHECKSUM_HW ? skb->csum
+                               skb->ip_summed == CHECKSUM_HW
+                               ? csum_sub(skb->csum,
+                                          skb_checksum(skb, 0, dataoff, 0))
                                : skb_checksum(skb, dataoff, skb->len - dataoff,
                                               0));
 }