Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Conflicts:
	net/netfilter/nf_conntrack_proto_tcp.c

The conflict had to do with overlapping changes dealing with
fixing the use of an "s32" to hold the value returned by
NAT_OFFSET().

Pablo Neira Ayuso says:

====================
The following batch contains Netfilter/IPVS updates for your net-next tree.
More specifically, they are:

* Trivial typo fix in xt_addrtype, from Phil Oester.

* Remove net_ratelimit in the conntrack logging for consistency with other
  logging subsystem, from Patrick McHardy.

* Remove unneeded includes from the recently added xt_connlabel support, from
  Florian Westphal.

* Allow to update conntracks via nfqueue, don't need NFQA_CFG_F_CONNTRACK for
  this, from Florian Westphal.

* Remove tproxy core, now that we have socket early demux, from Florian
  Westphal.

* A couple of patches to refactor conntrack event reporting to save a good
  bunch of lines, from Florian Westphal.

* Fix missing locking in NAT sequence adjustment, it did not manifested in
  any known bug so far, from Patrick McHardy.

* Change sequence number adjustment variable to 32 bits, to delay the
  possible early overflow in long standing connections, also from Patrick.

* Comestic cleanups for IPVS, from Dragos Foianu.

* Fix possible null dereference in IPVS in the SH scheduler, from Daniel
  Borkmann.

* Allow to attach conntrack expectations via nfqueue. Before this patch, you
  had to use ctnetlink instead, thus, we save the conntrack lookup.

* Export xt_rpfilter and xt_HMARK header files, from Nicolas Dichtel.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

4 files changed, 76 insertions, 0 deletions

diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 41115776d76f..174915420d3f 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -22,6 +22,7 @@ header-y += xt_CONNMARK.h
 header-y += xt_CONNSECMARK.h
 header-y += xt_CT.h
 header-y += xt_DSCP.h
+header-y += xt_HMARK.h
 header-y += xt_IDLETIMER.h
 header-y += xt_LED.h
 header-y += xt_LOG.h
@@ -68,6 +69,7 @@ header-y += xt_quota.h
 header-y += xt_rateest.h
 header-y += xt_realm.h
 header-y += xt_recent.h
+header-y += xt_rpfilter.h
 header-y += xt_sctp.h
 header-y += xt_set.h
 header-y += xt_socket.h
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index 3a9b92147339..0132bad79de7 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -46,6 +46,7 @@ enum nfqnl_attr_type {
         NFQA_CT_INFO,                   /* enum ip_conntrack_info */
         NFQA_CAP_LEN,                   /* __u32 length of captured packet */
         NFQA_SKB_INFO,                  /* __u32 skb meta information */
+        NFQA_EXP,                       /* nf_conntrack_netlink.h */
 
         __NFQA_MAX
 };
diff --git a/include/uapi/linux/netfilter/xt_HMARK.h b/include/uapi/linux/netfilter/xt_HMARK.h
new file mode 100644
index 000000000000..826fc5807577
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_HMARK.h
@@ -0,0 +1,50 @@
+#ifndef XT_HMARK_H_
+#define XT_HMARK_H_
+
+#include <linux/types.h>
+
+enum {
+        XT_HMARK_SADDR_MASK,
+        XT_HMARK_DADDR_MASK,
+        XT_HMARK_SPI,
+        XT_HMARK_SPI_MASK,
+        XT_HMARK_SPORT,
+        XT_HMARK_DPORT,
+        XT_HMARK_SPORT_MASK,
+        XT_HMARK_DPORT_MASK,
+        XT_HMARK_PROTO_MASK,
+        XT_HMARK_RND,
+        XT_HMARK_MODULUS,
+        XT_HMARK_OFFSET,
+        XT_HMARK_CT,
+        XT_HMARK_METHOD_L3,
+        XT_HMARK_METHOD_L3_4,
+};
+#define XT_HMARK_FLAG(flag)     (1 << flag)
+
+union hmark_ports {
+        struct {
+                __u16   src;
+                __u16   dst;
+        } p16;
+        struct {
+                __be16  src;
+                __be16  dst;
+        } b16;
+        __u32   v32;
+        __be32  b32;
+};
+
+struct xt_hmark_info {
+        union nf_inet_addr      src_mask;
+        union nf_inet_addr      dst_mask;
+        union hmark_ports       port_mask;
+        union hmark_ports       port_set;
+        __u32                   flags;
+        __u16                   proto_mask;
+        __u32                   hashrnd;
+        __u32                   hmodulus;
+        __u32                   hoffset;        /* Mark offset to start from */
+};
+
+#endif /* XT_HMARK_H_ */
diff --git a/include/uapi/linux/netfilter/xt_rpfilter.h b/include/uapi/linux/netfilter/xt_rpfilter.h
new file mode 100644
index 000000000000..8358d4f71952
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_rpfilter.h
@@ -0,0 +1,23 @@
+#ifndef _XT_RPATH_H
+#define _XT_RPATH_H
+
+#include <linux/types.h>
+
+enum {
+        XT_RPFILTER_LOOSE = 1 << 0,
+        XT_RPFILTER_VALID_MARK = 1 << 1,
+        XT_RPFILTER_ACCEPT_LOCAL = 1 << 2,
+        XT_RPFILTER_INVERT = 1 << 3,
+#ifdef __KERNEL__
+        XT_RPFILTER_OPTION_MASK = XT_RPFILTER_LOOSE |
+                                  XT_RPFILTER_VALID_MARK |
+                                  XT_RPFILTER_ACCEPT_LOCAL |
+                                  XT_RPFILTER_INVERT,
+#endif
+};
+
+struct xt_rpfilter_info {
+        __u8 flags;
+};
+
+#endif