Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6

8 files changed, 95 insertions, 19 deletions

diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 3430c7751948..7ae05338e94c 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -81,4 +81,17 @@ struct xt_conntrack_mtinfo1 {
         __u8 state_mask, status_mask;
 };
 
+struct xt_conntrack_mtinfo2 {
+        union nf_inet_addr origsrc_addr, origsrc_mask;
+        union nf_inet_addr origdst_addr, origdst_mask;
+        union nf_inet_addr replsrc_addr, replsrc_mask;
+        union nf_inet_addr repldst_addr, repldst_mask;
+        __u32 expires_min, expires_max;
+        __u16 l4proto;
+        __be16 origsrc_port, origdst_port;
+        __be16 replsrc_port, repldst_port;
+        __u16 match_flags, invert_flags;
+        __u16 state_mask, status_mask;
+};
+
 #endif /*_XT_CONNTRACK_H*/
diff --git a/include/linux/netfilter/xt_osf.h b/include/linux/netfilter/xt_osf.h
index fd2272e0959a..18afa495f973 100644
--- a/include/linux/netfilter/xt_osf.h
+++ b/include/linux/netfilter/xt_osf.h
@@ -20,6 +20,8 @@
 #ifndef _XT_OSF_H
 #define _XT_OSF_H
 
+#include <linux/types.h>
+
 #define MAXGENRELEN             32
 
 #define XT_OSF_GENRE            (1<<0)
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index a632689b61b4..cbdd6284996d 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -258,8 +258,8 @@ static inline bool nf_ct_kill(struct nf_conn *ct)
 /* Update TCP window tracking data when NAT mangles the packet */
 extern void nf_conntrack_tcp_update(const struct sk_buff *skb,
                                     unsigned int dataoff,
-                                    struct nf_conn *ct,
-                                    int dir);
+                                    struct nf_conn *ct, int dir,
+                                    s16 offset);
 
 /* Fake conntrack entry for untracked connections */
 extern struct nf_conn nf_conntrack_untracked;
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index 155c008626c8..09172a65d9b6 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -191,7 +191,8 @@ nf_nat_mangle_tcp_packet(struct sk_buff *skb,
                                     ct, ctinfo);
                 /* Tell TCP window tracking about seq change */
                 nf_conntrack_tcp_update(skb, ip_hdrlen(skb),
-                                        ct, CTINFO2DIR(ctinfo));
+                                        ct, CTINFO2DIR(ctinfo),
+                                        (int)rep_len - (int)match_len);
 
                 nf_conntrack_event_cache(IPCT_NATSEQADJ, ct);
         }
@@ -377,6 +378,7 @@ nf_nat_seq_adjust(struct sk_buff *skb,
         struct tcphdr *tcph;
         int dir;
         __be32 newseq, newack;
+        s16 seqoff, ackoff;
         struct nf_conn_nat *nat = nfct_nat(ct);
         struct nf_nat_seq *this_way, *other_way;
 
@@ -390,15 +392,18 @@ nf_nat_seq_adjust(struct sk_buff *skb,
 
         tcph = (void *)skb->data + ip_hdrlen(skb);
         if (after(ntohl(tcph->seq), this_way->correction_pos))
-                newseq = htonl(ntohl(tcph->seq) + this_way->offset_after);
+                seqoff = this_way->offset_after;
         else
-                newseq = htonl(ntohl(tcph->seq) + this_way->offset_before);
+                seqoff = this_way->offset_before;
 
         if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
                   other_way->correction_pos))
-                newack = htonl(ntohl(tcph->ack_seq) - other_way->offset_after);
+                ackoff = other_way->offset_after;
         else
-                newack = htonl(ntohl(tcph->ack_seq) - other_way->offset_before);
+                ackoff = other_way->offset_before;
+
+        newseq = htonl(ntohl(tcph->seq) + seqoff);
+        newack = htonl(ntohl(tcph->ack_seq) - ackoff);
 
         inet_proto_csum_replace4(&tcph->check, skb, tcph->seq, newseq, 0);
         inet_proto_csum_replace4(&tcph->check, skb, tcph->ack_seq, newack, 0);
@@ -413,7 +418,7 @@ nf_nat_seq_adjust(struct sk_buff *skb,
         if (!nf_nat_sack_adjust(skb, tcph, ct, ctinfo))
                 return 0;
 
-        nf_conntrack_tcp_update(skb, ip_hdrlen(skb), ct, dir);
+        nf_conntrack_tcp_update(skb, ip_hdrlen(skb), ct, dir, seqoff);
 
         return 1;
 }
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index afde8f991646..2032dfe25ca8 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -617,8 +617,10 @@ err1:
 void nf_conntrack_expect_fini(struct net *net)
 {
         exp_proc_remove(net);
-        if (net_eq(net, &init_net))
+        if (net_eq(net, &init_net)) {
+                rcu_barrier(); /* Wait for call_rcu() before destroy */
                 kmem_cache_destroy(nf_ct_expect_cachep);
+        }
         nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
                              nf_ct_expect_hsize);
 }
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 4b2c769d555f..fef95be334bd 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -186,6 +186,6 @@ void nf_ct_extend_unregister(struct nf_ct_ext_type *type)
         rcu_assign_pointer(nf_ct_ext_types[type->id], NULL);
         update_alloc_size(type);
         mutex_unlock(&nf_ct_ext_type_mutex);
-        synchronize_rcu();
+        rcu_barrier(); /* Wait for completion of call_rcu()'s */
 }
 EXPORT_SYMBOL_GPL(nf_ct_extend_unregister);
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 33fc0a443f3d..97a82ba75376 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -720,8 +720,8 @@ static bool tcp_in_window(const struct nf_conn *ct,
 /* Caller must linearize skb at tcp header. */
 void nf_conntrack_tcp_update(const struct sk_buff *skb,
                              unsigned int dataoff,
-                             struct nf_conn *ct,
-                             int dir)
+                             struct nf_conn *ct, int dir,
+                             s16 offset)
 {
         const struct tcphdr *tcph = (const void *)skb->data + dataoff;
         const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir];
@@ -734,7 +734,7 @@ void nf_conntrack_tcp_update(const struct sk_buff *skb,
         /*
          * We have to worry for the ack in the reply packet only...
          */
-        if (after(end, ct->proto.tcp.seen[dir].td_end))
+        if (ct->proto.tcp.seen[dir].td_end + offset == end)
                 ct->proto.tcp.seen[dir].td_end = end;
         ct->proto.tcp.last_end = end;
         spin_unlock_bh(&ct->lock);
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 0b7139f3dd78..fc581800698e 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -129,7 +129,7 @@ conntrack_addrcmp(const union nf_inet_addr *kaddr,
 
 static inline bool
 conntrack_mt_origsrc(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
                      u_int8_t family)
 {
         return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
@@ -138,7 +138,7 @@ conntrack_mt_origsrc(const struct nf_conn *ct,
 
 static inline bool
 conntrack_mt_origdst(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
                      u_int8_t family)
 {
         return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
@@ -147,7 +147,7 @@ conntrack_mt_origdst(const struct nf_conn *ct,
 
 static inline bool
 conntrack_mt_replsrc(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
                      u_int8_t family)
 {
         return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
@@ -156,7 +156,7 @@ conntrack_mt_replsrc(const struct nf_conn *ct,
 
 static inline bool
 conntrack_mt_repldst(const struct nf_conn *ct,
-                     const struct xt_conntrack_mtinfo1 *info,
+                     const struct xt_conntrack_mtinfo2 *info,
                      u_int8_t family)
 {
         return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
@@ -164,7 +164,7 @@ conntrack_mt_repldst(const struct nf_conn *ct,
 }
 
 static inline bool
-ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
+ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
                     const struct nf_conn *ct)
 {
         const struct nf_conntrack_tuple *tuple;
@@ -204,7 +204,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
 static bool
 conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-        const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
+        const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
         enum ip_conntrack_info ctinfo;
         const struct nf_conn *ct;
         unsigned int statebit;
@@ -278,6 +278,16 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
         return true;
 }
 
+static bool
+conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+        const struct xt_conntrack_mtinfo2 *const *info = par->matchinfo;
+        struct xt_match_param newpar = *par;
+
+        newpar.matchinfo = *info;
+        return conntrack_mt(skb, &newpar);
+}
+
 static bool conntrack_mt_check(const struct xt_mtchk_param *par)
 {
         if (nf_ct_l3proto_try_module_get(par->family) < 0) {
@@ -288,11 +298,45 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
         return true;
 }
 
+static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
+{
+        struct xt_conntrack_mtinfo1 *info = par->matchinfo;
+        struct xt_conntrack_mtinfo2 *up;
+        int ret = conntrack_mt_check(par);
+
+        if (ret < 0)
+                return ret;
+
+        up = kmalloc(sizeof(*up), GFP_KERNEL);
+        if (up == NULL) {
+                nf_ct_l3proto_module_put(par->family);
+                return -ENOMEM;
+        }
+
+        /*
+         * The strategy here is to minimize the overhead of v1 matching,
+         * by prebuilding a v2 struct and putting the pointer into the
+         * v1 dataspace.
+         */
+        memcpy(up, info, offsetof(typeof(*info), state_mask));
+        up->state_mask  = info->state_mask;
+        up->status_mask = info->status_mask;
+        *(void **)info  = up;
+        return true;
+}
+
 static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
 {
         nf_ct_l3proto_module_put(par->family);
 }
 
+static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
+{
+        struct xt_conntrack_mtinfo2 **info = par->matchinfo;
+        kfree(*info);
+        conntrack_mt_destroy(par);
+}
+
 #ifdef CONFIG_COMPAT
 struct compat_xt_conntrack_info
 {
@@ -363,6 +407,16 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
                 .revision   = 1,
                 .family     = NFPROTO_UNSPEC,
                 .matchsize  = sizeof(struct xt_conntrack_mtinfo1),
+                .match      = conntrack_mt_v1,
+                .checkentry = conntrack_mt_check_v1,
+                .destroy    = conntrack_mt_destroy_v1,
+                .me         = THIS_MODULE,
+        },
+        {
+                .name       = "conntrack",
+                .revision   = 2,
+                .family     = NFPROTO_UNSPEC,
+                .matchsize  = sizeof(struct xt_conntrack_mtinfo2),
                 .match      = conntrack_mt,
                 .checkentry = conntrack_mt_check,
                 .destroy    = conntrack_mt_destroy,