Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

author: David S. Miller <davem@davemloft.net> 2010-02-16 14:15:13 -0500
committer: David S. Miller <davem@davemloft.net> 2010-02-16 14:15:13 -0500
commit: 749f621e20ab0db35a15ff730088922603c809ba (patch)
tree: 2684d12199b58f2b9e0c5b7e6cc0ea3f002e611a /include/net
parent: 339c6e99853d2ef1f02ad8a313e079050a300427 (diff)
parent: 3e5e524ffb5fcf2447eb5dd9f8e54ad22dd9baa7 (diff)
15 files changed, 124 insertions, 64 deletions
diff --git a/include/net/ip.h b/include/net/ip.h
index fb63371c07a8..7bc47873e3fc 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -352,8 +352,11 @@ enum ip_defrag_users {
        IP_DEFRAG_LOCAL_DELIVER,
        IP_DEFRAG_CALL_RA_CHAIN,
        IP_DEFRAG_CONNTRACK_IN,
+        __IP_DEFRAG_CONNTRACK_IN_END    = IP_DEFRAG_CONNTRACK_IN + USHORT_MAX,
        IP_DEFRAG_CONNTRACK_OUT,
+        __IP_DEFRAG_CONNTRACK_OUT_END   = IP_DEFRAG_CONNTRACK_OUT + USHORT_MAX,
        IP_DEFRAG_CONNTRACK_BRIDGE_IN,
+        __IP_DEFRAG_CONNTRACK_BRIDGE_IN = IP_DEFRAG_CONNTRACK_BRIDGE_IN + USHORT_MAX,
        IP_DEFRAG_VS_IN,
        IP_DEFRAG_VS_OUT,
        IP_DEFRAG_VS_FWD
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 8dc3296b7bea..a816c37417bb 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -26,6 +26,11 @@
 #include <linux/ipv6.h>                 /* for struct ipv6hdr */
 #include <net/ipv6.h>                   /* for ipv6_addr_copy */
+/* Connections' size value needed by ip_vs_ctl.c */
+extern int ip_vs_conn_tab_size;
 struct ip_vs_iphdr {
        int len;
        __u8 protocol;
@@ -592,17 +597,6 @@ extern void ip_vs_init_hash_table(struct list_head *table, int rows);
 *     (from ip_vs_conn.c)
 */
-/*
- *     IPVS connection entry hash table
- */
-#ifndef CONFIG_IP_VS_TAB_BITS
-#define CONFIG_IP_VS_TAB_BITS   12
-#endif
-#define IP_VS_CONN_TAB_BITS     CONFIG_IP_VS_TAB_BITS
-#define IP_VS_CONN_TAB_SIZE     (1 << IP_VS_CONN_TAB_BITS)
-#define IP_VS_CONN_TAB_MASK     (IP_VS_CONN_TAB_SIZE - 1)
 enum {
        IP_VS_DIR_INPUT = 0,
        IP_VS_DIR_OUTPUT,
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index ccab5946c830..639ec53ea081 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -246,6 +246,8 @@ extern int ipv6_opt_accepted(struct sock *sk, struct sk_buff *skb);
 int ip6_frag_nqueues(struct net *net);
 int ip6_frag_mem(struct net *net);
+#define IPV6_FRAG_HIGH_THRESH   262144          /* == 256*1024 */
+#define IPV6_FRAG_LOW_THRESH    196608          /* == 192*1024 */
 #define IPV6_FRAG_TIMEOUT       (60*HZ)         /* 60 seconds */
 extern int __ipv6_addr_type(const struct in6_addr *addr);
@@ -353,8 +355,11 @@ struct inet_frag_queue;
 enum ip6_defrag_users {
        IP6_DEFRAG_LOCAL_DELIVER,
        IP6_DEFRAG_CONNTRACK_IN,
+        __IP6_DEFRAG_CONNTRACK_IN       = IP6_DEFRAG_CONNTRACK_IN + USHORT_MAX,
        IP6_DEFRAG_CONNTRACK_OUT,
+        __IP6_DEFRAG_CONNTRACK_OUT      = IP6_DEFRAG_CONNTRACK_OUT + USHORT_MAX,
        IP6_DEFRAG_CONNTRACK_BRIDGE_IN,
+        __IP6_DEFRAG_CONNTRACK_BRIDGE_IN = IP6_DEFRAG_CONNTRACK_BRIDGE_IN + USHORT_MAX,
 };
 struct ip6_create_arg {
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index f307e133d14c..82b7be4db89a 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -81,6 +81,8 @@ struct net {
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
        struct netns_ct         ct;
 #endif
+        struct sock             *nfnl;
+        struct sock             *nfnl_stash;
 #endif
 #ifdef CONFIG_XFRM
        struct netns_xfrm       xfrm;
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index a0904adfb8f7..bde095f7e845 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -70,7 +70,7 @@ union nf_conntrack_help {
 struct nf_conntrack_helper;
 /* Must be kept in sync with the classes defined by helpers */
-#define NF_CT_MAX_EXPECT_CLASSES        3
+#define NF_CT_MAX_EXPECT_CLASSES        4
 /* nf_conn feature for connections that have a helper */
 struct nf_conn_help {
@@ -198,7 +198,8 @@ extern void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int null
 extern void nf_ct_free_hashtable(void *hash, int vmalloced, unsigned int size);
 extern struct nf_conntrack_tuple_hash *
-__nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple);
+__nf_conntrack_find(struct net *net, u16 zone,
+                    const struct nf_conntrack_tuple *tuple);
 extern void nf_conntrack_hash_insert(struct nf_conn *ct);
 extern void nf_ct_delete_from_lists(struct nf_conn *ct);
@@ -267,11 +268,16 @@ extern void
 nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data);
 extern void nf_conntrack_free(struct nf_conn *ct);
 extern struct nf_conn *
-nf_conntrack_alloc(struct net *net,
+nf_conntrack_alloc(struct net *net, u16 zone,
                   const struct nf_conntrack_tuple *orig,
                   const struct nf_conntrack_tuple *repl,
                   gfp_t gfp);
+static inline int nf_ct_is_template(const struct nf_conn *ct)
+{
+        return test_bit(IPS_TEMPLATE_BIT, &ct->status);
+}
 /* It's confirmed if it is, or has been in the hash table. */
 static inline int nf_ct_is_confirmed(struct nf_conn *ct)
 {
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 5a449b44ba33..dffde8e6920e 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -49,7 +49,8 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
 /* Find a connection corresponding to a tuple. */
 extern struct nf_conntrack_tuple_hash *
-nf_conntrack_find_get(struct net *net, const struct nf_conntrack_tuple *tuple);
+nf_conntrack_find_get(struct net *net, u16 zone,
+                      const struct nf_conntrack_tuple *tuple);
 extern int __nf_conntrack_confirm(struct sk_buff *skb);
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 475facc3051a..96ba5f7dcab6 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -12,27 +12,12 @@
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
 #include <net/netfilter/nf_conntrack_extend.h>
-/* Connection tracking event types */
-enum ip_conntrack_events {
-        IPCT_NEW                = 0,    /* new conntrack */
-        IPCT_RELATED            = 1,    /* related conntrack */
-        IPCT_DESTROY            = 2,    /* destroyed conntrack */
-        IPCT_STATUS             = 3,    /* status has changed */
-        IPCT_PROTOINFO          = 4,    /* protocol information has changed */
-        IPCT_HELPER             = 5,    /* new helper has been set */
-        IPCT_MARK               = 6,    /* new mark has been set */
-        IPCT_NATSEQADJ          = 7,    /* NAT is doing sequence adjustment */
-        IPCT_SECMARK            = 8,    /* new security mark has been set */
-};
-enum ip_conntrack_expect_events {
-        IPEXP_NEW               = 0,    /* new expectation */
-};
 struct nf_conntrack_ecache {
-        unsigned long cache;            /* bitops want long */
+        unsigned long cache;    /* bitops want long */
-        unsigned long missed;           /* missed events */
+        unsigned long missed;   /* missed events */
-        u32 pid;                        /* netlink pid of destroyer */
+        u16 ctmask;             /* bitmask of ct events to be delivered */
+        u16 expmask;            /* bitmask of expect events to be delivered */
+        u32 pid;                /* netlink pid of destroyer */
 };
 static inline struct nf_conntrack_ecache *
@@ -42,14 +27,24 @@ nf_ct_ecache_find(const struct nf_conn *ct)
 }
 static inline struct nf_conntrack_ecache *
-nf_ct_ecache_ext_add(struct nf_conn *ct, gfp_t gfp)
+nf_ct_ecache_ext_add(struct nf_conn *ct, u16 ctmask, u16 expmask, gfp_t gfp)
 {
        struct net *net = nf_ct_net(ct);
+        struct nf_conntrack_ecache *e;
-        if (!net->ct.sysctl_events)
+        if (!ctmask && !expmask && net->ct.sysctl_events) {
+                ctmask = ~0;
+                expmask = ~0;
+        }
+        if (!ctmask && !expmask)
                return NULL;
-        return nf_ct_ext_add(ct, NF_CT_EXT_ECACHE, gfp);
+        e = nf_ct_ext_add(ct, NF_CT_EXT_ECACHE, gfp);
+        if (e) {
+                e->ctmask  = ctmask;
+                e->expmask = expmask;
+        }
+        return e;
 };
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
@@ -82,6 +77,9 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
        if (e == NULL)
                return;
+        if (!(e->ctmask & (1 << event)))
+                return;
        set_bit(event, &e->cache);
 }
@@ -92,7 +90,6 @@ nf_conntrack_eventmask_report(unsigned int eventmask,
                              int report)
 {
        int ret = 0;
-        struct net *net = nf_ct_net(ct);
        struct nf_ct_event_notifier *notify;
        struct nf_conntrack_ecache *e;
@@ -101,9 +98,6 @@ nf_conntrack_eventmask_report(unsigned int eventmask,
        if (notify == NULL)
                goto out_unlock;
-        if (!net->ct.sysctl_events)
-                goto out_unlock;
        e = nf_ct_ecache_find(ct);
        if (e == NULL)
                goto out_unlock;
@@ -117,6 +111,9 @@ nf_conntrack_eventmask_report(unsigned int eventmask,
                /* This is a resent of a destroy event? If so, skip missed */
                unsigned long missed = e->pid ? 0 : e->missed;
+                if (!((eventmask | missed) & e->ctmask))
+                        goto out_unlock;
                ret = notify->fcn(eventmask | missed, &item);
                if (unlikely(ret < 0 || missed)) {
                        spin_lock_bh(&ct->lock);
@@ -172,18 +169,19 @@ nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
                          u32 pid,
                          int report)
 {
-        struct net *net = nf_ct_exp_net(exp);
        struct nf_exp_event_notifier *notify;
+        struct nf_conntrack_ecache *e;
        rcu_read_lock();
        notify = rcu_dereference(nf_expect_event_cb);
        if (notify == NULL)
                goto out_unlock;
-        if (!net->ct.sysctl_events)
+        e = nf_ct_ecache_find(exp->master);
+        if (e == NULL)
                goto out_unlock;
-        {
+        if (e->expmask & (1 << event)) {
                struct nf_exp_event item = {
                        .exp    = exp,
                        .pid    = pid,
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 9a2b9cb52271..11e815084fcf 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -56,16 +56,13 @@ struct nf_conntrack_expect {
 static inline struct net *nf_ct_exp_net(struct nf_conntrack_expect *exp)
 {
-#ifdef CONFIG_NET_NS
+        return nf_ct_net(exp->master);
-        return exp->master->ct_net;     /* by definition */
-#else
-        return &init_net;
-#endif
 }
 struct nf_conntrack_expect_policy {
        unsigned int    max_expected;
        unsigned int    timeout;
+        const char      *name;
 };
 #define NF_CT_EXPECT_CLASS_DEFAULT      0
@@ -77,13 +74,16 @@ int nf_conntrack_expect_init(struct net *net);
 void nf_conntrack_expect_fini(struct net *net);
 struct nf_conntrack_expect *
-__nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple);
+__nf_ct_expect_find(struct net *net, u16 zone,
+                    const struct nf_conntrack_tuple *tuple);
 struct nf_conntrack_expect *
-nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple);
+nf_ct_expect_find_get(struct net *net, u16 zone,
+                      const struct nf_conntrack_tuple *tuple);
 struct nf_conntrack_expect *
-nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple);
+nf_ct_find_expectation(struct net *net, u16 zone,
+                       const struct nf_conntrack_tuple *tuple);
 void nf_ct_unlink_expect(struct nf_conntrack_expect *exp);
 void nf_ct_remove_expectations(struct nf_conn *ct);
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index e192dc17c583..2d2a1f9a61d8 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -8,6 +8,7 @@ enum nf_ct_ext_id {
        NF_CT_EXT_NAT,
        NF_CT_EXT_ACCT,
        NF_CT_EXT_ECACHE,
+        NF_CT_EXT_ZONE,
        NF_CT_EXT_NUM,
 };
@@ -15,6 +16,7 @@ enum nf_ct_ext_id {
 #define NF_CT_EXT_NAT_TYPE struct nf_conn_nat
 #define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter
 #define NF_CT_EXT_ECACHE_TYPE struct nf_conntrack_ecache
+#define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone
 /* Extensions: optional stuff which isn't permanently in struct. */
 struct nf_ct_ext {
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index d015de92e03f..32c305dbdab6 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -40,14 +40,18 @@ struct nf_conntrack_helper {
 };
 extern struct nf_conntrack_helper *
-__nf_conntrack_helper_find_byname(const char *name);
+__nf_conntrack_helper_find(const char *name, u16 l3num, u8 protonum);
+extern struct nf_conntrack_helper *
+nf_conntrack_helper_try_module_get(const char *name, u16 l3num, u8 protonum);
 extern int nf_conntrack_helper_register(struct nf_conntrack_helper *);
 extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *);
 extern struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp);
-extern int __nf_ct_try_assign_helper(struct nf_conn *ct, gfp_t flags);
+extern int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
+                                     gfp_t flags);
 extern void nf_ct_helper_destroy(struct nf_conn *ct);
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index ca6dcf3445ab..e3d3ee3c06a2 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -49,8 +49,8 @@ struct nf_conntrack_l4proto {
        /* Called when a conntrack entry is destroyed */
        void (*destroy)(struct nf_conn *ct);
-        int (*error)(struct net *net, struct sk_buff *skb, unsigned int dataoff,
+        int (*error)(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
-                     enum ip_conntrack_info *ctinfo,
+                     unsigned int dataoff, enum ip_conntrack_info *ctinfo,
                     u_int8_t pf, unsigned int hooknum);
        /* Print out the per-protocol part of the tuple. Return like seq_* */
diff --git a/include/net/netfilter/nf_conntrack_zones.h b/include/net/netfilter/nf_conntrack_zones.h
new file mode 100644
index 000000000000..0bbb2bd51e89
--- /dev/null
+++ b/include/net/netfilter/nf_conntrack_zones.h
@@ -0,0 +1,23 @@
+#ifndef _NF_CONNTRACK_ZONES_H
+#define _NF_CONNTRACK_ZONES_H
+#include <net/netfilter/nf_conntrack_extend.h>
+#define NF_CT_DEFAULT_ZONE      0
+struct nf_conntrack_zone {
+        u16     id;
+};
+static inline u16 nf_ct_zone(const struct nf_conn *ct)
+{
+#ifdef CONFIG_NF_CONNTRACK_ZONES
+        struct nf_conntrack_zone *nf_ct_zone;
+        nf_ct_zone = nf_ct_ext_find(ct, NF_CT_EXT_ZONE);
+        if (nf_ct_zone)
+                return nf_ct_zone->id;
+#endif
+        return NF_CT_DEFAULT_ZONE;
+}
+#endif /* _NF_CONNTRACK_ZONES_H */
diff --git a/include/net/netfilter/nf_nat_helper.h b/include/net/netfilter/nf_nat_helper.h
index 4222220920a5..02bb6c29dc3d 100644
--- a/include/net/netfilter/nf_nat_helper.h
+++ b/include/net/netfilter/nf_nat_helper.h
@@ -7,13 +7,27 @@
 struct sk_buff;
 /* These return true or false. */
-extern int nf_nat_mangle_tcp_packet(struct sk_buff *skb,
+extern int __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
-                                    struct nf_conn *ct,
+                                      struct nf_conn *ct,
-                                    enum ip_conntrack_info ctinfo,
+                                      enum ip_conntrack_info ctinfo,
-                                    unsigned int match_offset,
+                                      unsigned int match_offset,
-                                    unsigned int match_len,
+                                      unsigned int match_len,
-                                    const char *rep_buffer,
+                                      const char *rep_buffer,
-                                    unsigned int rep_len);
+                                      unsigned int rep_len, bool adjust);
+static inline int nf_nat_mangle_tcp_packet(struct sk_buff *skb,
+                                           struct nf_conn *ct,
+                                           enum ip_conntrack_info ctinfo,
+                                           unsigned int match_offset,
+                                           unsigned int match_len,
+                                           const char *rep_buffer,
+                                           unsigned int rep_len)
+{
+        return __nf_nat_mangle_tcp_packet(skb, ct, ctinfo,
+                                          match_offset, match_len,
+                                          rep_buffer, rep_len, true);
+}
 extern int nf_nat_mangle_udp_packet(struct sk_buff *skb,
                                    struct nf_conn *ct,
                                    enum ip_conntrack_info ctinfo,
@@ -21,6 +35,10 @@ extern int nf_nat_mangle_udp_packet(struct sk_buff *skb,
                                    unsigned int match_len,
                                    const char *rep_buffer,
                                    unsigned int rep_len);
+extern void nf_nat_set_seq_adjust(struct nf_conn *ct,
+                                  enum ip_conntrack_info ctinfo,
+                                  __be32 seq, s16 off);
 extern int nf_nat_seq_adjust(struct sk_buff *skb,
                             struct nf_conn *ct,
                             enum ip_conntrack_info ctinfo);
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 9a4b8b714079..2764994c9136 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -37,7 +37,9 @@ struct netns_ipv4 {
        struct xt_table         *iptable_mangle;
        struct xt_table         *iptable_raw;
        struct xt_table         *arptable_filter;
+#ifdef CONFIG_SECURITY
        struct xt_table         *iptable_security;
+#endif
        struct xt_table         *nat_table;
        struct hlist_head       *nat_bysource;
        unsigned int            nat_htable_size;
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index dfeb2d7c425b..1f11ebc22151 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -36,8 +36,10 @@ struct netns_ipv6 {
        struct xt_table         *ip6table_filter;
        struct xt_table         *ip6table_mangle;
        struct xt_table         *ip6table_raw;
+#ifdef CONFIG_SECURITY
        struct xt_table         *ip6table_security;
 #endif
+#endif
        struct rt6_info         *ip6_null_entry;
        struct rt6_statistics   *rt6_stats;
        struct timer_list       ip6_fib_timer;
author	David S. Miller <davem@davemloft.net>	2010-02-16 14:15:13 -0500
committer	David S. Miller <davem@davemloft.net>	2010-02-16 14:15:13 -0500
commit	749f621e20ab0db35a15ff730088922603c809ba (patch)
tree	2684d12199b58f2b9e0c5b7e6cc0ea3f002e611a /include/net
parent	339c6e99853d2ef1f02ad8a313e079050a300427 (diff)
parent	3e5e524ffb5fcf2447eb5dd9f8e54ad22dd9baa7 (diff)