Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

20 files changed, 573 insertions, 215 deletions

diff --git a/include/linux/in6.h b/include/linux/in6.h
index c4bf46f764bf..097a34b55560 100644
--- a/include/linux/in6.h
+++ b/include/linux/in6.h
@@ -268,6 +268,10 @@ struct in6_flowlabel_req {
 /* RFC5082: Generalized Ttl Security Mechanism */
 #define IPV6_MINHOPCOUNT                73
 
+#define IPV6_ORIGDSTADDR        74
+#define IPV6_RECVORIGDSTADDR    IPV6_ORIGDSTADDR
+#define IPV6_TRANSPARENT        75
+
 /*
  * Multicast Routing:
  * see include/linux/mroute6.h.
diff --git a/include/linux/ip_vs.h b/include/linux/ip_vs.h
index 9708de265bb1..5f43a3b2e3ad 100644
--- a/include/linux/ip_vs.h
+++ b/include/linux/ip_vs.h
@@ -70,6 +70,7 @@
 
 /*
  *      IPVS Connection Flags
+ *      Only flags 0..15 are sent to backup server
  */
 #define IP_VS_CONN_F_FWD_MASK   0x0007          /* mask for the fwd methods */
 #define IP_VS_CONN_F_MASQ       0x0000          /* masquerading/NAT */
@@ -88,9 +89,20 @@
 #define IP_VS_CONN_F_TEMPLATE   0x1000          /* template, not connection */
 #define IP_VS_CONN_F_ONE_PACKET 0x2000          /* forward only one packet */
 
+/* Flags that are not sent to backup server start from bit 16 */
+#define IP_VS_CONN_F_NFCT       (1 << 16)       /* use netfilter conntrack */
+
+/* Connection flags from destination that can be changed by user space */
+#define IP_VS_CONN_F_DEST_MASK (IP_VS_CONN_F_FWD_MASK | \
+                                IP_VS_CONN_F_ONE_PACKET | \
+                                IP_VS_CONN_F_NFCT | \
+                                0)
+
 #define IP_VS_SCHEDNAME_MAXLEN  16
+#define IP_VS_PENAME_MAXLEN     16
 #define IP_VS_IFNAME_MAXLEN     16
 
+#define IP_VS_PEDATA_MAXLEN     255
 
 /*
  *      The struct ip_vs_service_user and struct ip_vs_dest_user are
@@ -324,6 +336,9 @@ enum {
         IPVS_SVC_ATTR_NETMASK,          /* persistent netmask */
 
         IPVS_SVC_ATTR_STATS,            /* nested attribute for service stats */
+
+        IPVS_SVC_ATTR_PE_NAME,          /* name of ct retriever */
+
         __IPVS_SVC_ATTR_MAX,
 };
 
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index e62683ba88e6..8e429d0e0405 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -341,7 +341,9 @@ struct ipv6_pinfo {
                                 odstopts:1,
                                 rxflow:1,
                                 rxtclass:1,
-                                rxpmtu:1;
+                                rxpmtu:1,
+                                rxorigdstaddr:1;
+                                /* 2 bits hole */
                 } bits;
                 __u16           all;
         } rxopt;
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 1afd18c855ec..50cdc2559a5a 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -98,8 +98,14 @@ enum ip_conntrack_events {
 
 enum ip_conntrack_expect_events {
         IPEXP_NEW,              /* new expectation */
+        IPEXP_DESTROY,          /* destroyed expectation */
 };
 
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT          0x1
+#define NF_CT_EXPECT_INACTIVE           0x2
+#define NF_CT_EXPECT_USERSPACE          0x4
+
 #ifdef __KERNEL__
 struct ip_conntrack_stat {
         unsigned int searched;
diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index ff8cfbcf3b81..0ce91d56a5f2 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -89,6 +89,7 @@ enum sip_header_types {
         SIP_HDR_VIA_TCP,
         SIP_HDR_EXPIRES,
         SIP_HDR_CONTENT_LENGTH,
+        SIP_HDR_CALL_ID,
 };
 
 enum sdp_header_types {
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index 9ed534c991b9..455f0ce4f430 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -161,6 +161,7 @@ enum ctattr_expect {
         CTA_EXPECT_ID,
         CTA_EXPECT_HELP_NAME,
         CTA_EXPECT_ZONE,
+        CTA_EXPECT_FLAGS,
         __CTA_EXPECT_MAX
 };
 #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 24e5d01d27d0..742bec051440 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -66,6 +66,11 @@ struct xt_standard_target {
         int verdict;
 };
 
+struct xt_error_target {
+        struct xt_entry_target target;
+        char errorname[XT_FUNCTION_MAXNAMELEN];
+};
+
 /* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
  * kernel supports, if >= revision. */
 struct xt_get_revision {
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
index 152e8f97132b..3f3d69361289 100644
--- a/include/linux/netfilter/xt_TPROXY.h
+++ b/include/linux/netfilter/xt_TPROXY.h
@@ -1,5 +1,5 @@
-#ifndef _XT_TPROXY_H_target
-#define _XT_TPROXY_H_target
+#ifndef _XT_TPROXY_H
+#define _XT_TPROXY_H
 
 /* TPROXY target is capable of marking the packet to perform
  * redirection. We can get rid of that whenever we get support for
@@ -11,4 +11,11 @@ struct xt_tproxy_target_info {
         __be16 lport;
 };
 
-#endif /* _XT_TPROXY_H_target */
+struct xt_tproxy_target_info_v1 {
+        u_int32_t mark_mask;
+        u_int32_t mark_value;
+        union nf_inet_addr laddr;
+        __be16 lport;
+};
+
+#endif /* _XT_TPROXY_H */
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index e9948c0560f6..adbf4bff87ed 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -21,8 +21,21 @@
 
 #include <linux/netfilter/x_tables.h>
 
+#ifndef __KERNEL__
 #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define arpt_entry_target xt_entry_target
+#define arpt_standard_target xt_standard_target
+#define arpt_error_target xt_error_target
+#define ARPT_CONTINUE XT_CONTINUE
+#define ARPT_RETURN XT_RETURN
+#define arpt_counters_info xt_counters_info
+#define arpt_counters xt_counters
+#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
+#define ARPT_ERROR_TARGET XT_ERROR_TARGET
+#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
+#endif
 
 #define ARPT_DEV_ADDR_LEN_MAX 16
 
@@ -63,9 +76,6 @@ struct arpt_arp {
         u_int16_t invflags;
 };
 
-#define arpt_entry_target xt_entry_target
-#define arpt_standard_target xt_standard_target
-
 /* Values for "flag" field in struct arpt_ip (general arp structure).
  * No flags defined yet.
  */
@@ -125,16 +135,10 @@ struct arpt_entry
 #define ARPT_SO_GET_REVISION_TARGET     (ARPT_BASE_CTL + 3)
 #define ARPT_SO_GET_MAX                 (ARPT_SO_GET_REVISION_TARGET)
 
-/* CONTINUE verdict for targets */
-#define ARPT_CONTINUE XT_CONTINUE
-
-/* For standard target */
-#define ARPT_RETURN XT_RETURN
-
 /* The argument to ARPT_SO_GET_INFO */
 struct arpt_getinfo {
         /* Which table: caller fills this in. */
-        char name[ARPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Kernel fills these in. */
         /* Which hook entry points are valid: bitmask */
@@ -156,7 +160,7 @@ struct arpt_getinfo {
 /* The argument to ARPT_SO_SET_REPLACE. */
 struct arpt_replace {
         /* Which table. */
-        char name[ARPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Which hook entry points are valid: bitmask.  You can't
            change this. */
@@ -184,14 +188,10 @@ struct arpt_replace {
         struct arpt_entry entries[0];
 };
 
-/* The argument to ARPT_SO_ADD_COUNTERS. */
-#define arpt_counters_info xt_counters_info
-#define arpt_counters xt_counters
-
 /* The argument to ARPT_SO_GET_ENTRIES. */
 struct arpt_get_entries {
         /* Which table: user fills this in. */
-        char name[ARPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* User fills this in: total entry size. */
         unsigned int size;
@@ -200,23 +200,12 @@ struct arpt_get_entries {
         struct arpt_entry entrytable[0];
 };
 
-/* Standard return verdict, or do jump. */
-#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define ARPT_ERROR_TARGET XT_ERROR_TARGET
-
 /* Helper functions */
-static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e)
+static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#ifndef __KERNEL__
-/* fn returns 0 to continue iteration */
-#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
-        XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
-#endif
-
 /*
  *      Main firewall chains definitions and global var's definitions.
  */
@@ -225,17 +214,12 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e
 /* Standard entry. */
 struct arpt_standard {
         struct arpt_entry entry;
-        struct arpt_standard_target target;
-};
-
-struct arpt_error_target {
-        struct arpt_entry_target target;
-        char errorname[ARPT_FUNCTION_MAXNAMELEN];
+        struct xt_standard_target target;
 };
 
 struct arpt_error {
         struct arpt_entry entry;
-        struct arpt_error_target target;
+        struct xt_error_target target;
 };
 
 #define ARPT_ENTRY_INIT(__size)                                                \
@@ -247,16 +231,16 @@ struct arpt_error {
 #define ARPT_STANDARD_INIT(__verdict)                                          \
 {                                                                              \
         .entry          = ARPT_ENTRY_INIT(sizeof(struct arpt_standard)),       \
-        .target         = XT_TARGET_INIT(ARPT_STANDARD_TARGET,                 \
-                                         sizeof(struct arpt_standard_target)), \
+        .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
+                                         sizeof(struct xt_standard_target)), \
         .target.verdict = -(__verdict) - 1,                                    \
 }
 
 #define ARPT_ERROR_INIT                                                        \
 {                                                                              \
         .entry          = ARPT_ENTRY_INIT(sizeof(struct arpt_error)),          \
-        .target         = XT_TARGET_INIT(ARPT_ERROR_TARGET,                    \
-                                         sizeof(struct arpt_error_target)),    \
+        .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
+                                         sizeof(struct xt_error_target)),      \
         .target.errorname = "ERROR",                                           \
 }
 
@@ -271,8 +255,6 @@ extern unsigned int arpt_do_table(struct sk_buff *skb,
                                   const struct net_device *out,
                                   struct xt_table *table);
 
-#define ARPT_ALIGN(s) XT_ALIGN(s)
-
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
 
@@ -285,14 +267,12 @@ struct compat_arpt_entry {
         unsigned char elems[0];
 };
 
-static inline struct arpt_entry_target *
+static inline struct xt_entry_target *
 compat_arpt_get_target(struct compat_arpt_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#define COMPAT_ARPT_ALIGN(s)    COMPAT_XT_ALIGN(s)
-
 #endif /* CONFIG_COMPAT */
 #endif /*__KERNEL__*/
 #endif /* _ARPTABLES_H */
diff --git a/include/linux/netfilter_bridge/Kbuild b/include/linux/netfilter_bridge/Kbuild
index d4d78672873e..e48f1a3f5a4a 100644
--- a/include/linux/netfilter_bridge/Kbuild
+++ b/include/linux/netfilter_bridge/Kbuild
@@ -3,11 +3,13 @@ header-y += ebt_among.h
 header-y += ebt_arp.h
 header-y += ebt_arpreply.h
 header-y += ebt_ip.h
+header-y += ebt_ip6.h
 header-y += ebt_limit.h
 header-y += ebt_log.h
 header-y += ebt_mark_m.h
 header-y += ebt_mark_t.h
 header-y += ebt_nat.h
+header-y += ebt_nflog.h
 header-y += ebt_pkttype.h
 header-y += ebt_redirect.h
 header-y += ebt_stp.h
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 704a7b6e8169..64a5d95c58e8 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -27,12 +27,49 @@
 
 #include <linux/netfilter/x_tables.h>
 
+#ifndef __KERNEL__
 #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
 #define ipt_match xt_match
 #define ipt_target xt_target
 #define ipt_table xt_table
 #define ipt_get_revision xt_get_revision
+#define ipt_entry_match xt_entry_match
+#define ipt_entry_target xt_entry_target
+#define ipt_standard_target xt_standard_target
+#define ipt_error_target xt_error_target
+#define ipt_counters xt_counters
+#define IPT_CONTINUE XT_CONTINUE
+#define IPT_RETURN XT_RETURN
+
+/* This group is older than old (iptables < v1.4.0-rc1~89) */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ipt_udp xt_udp
+#define ipt_tcp xt_tcp
+#define IPT_TCP_INV_SRCPT       XT_TCP_INV_SRCPT
+#define IPT_TCP_INV_DSTPT       XT_TCP_INV_DSTPT
+#define IPT_TCP_INV_FLAGS       XT_TCP_INV_FLAGS
+#define IPT_TCP_INV_OPTION      XT_TCP_INV_OPTION
+#define IPT_TCP_INV_MASK        XT_TCP_INV_MASK
+#define IPT_UDP_INV_SRCPT       XT_UDP_INV_SRCPT
+#define IPT_UDP_INV_DSTPT       XT_UDP_INV_DSTPT
+#define IPT_UDP_INV_MASK        XT_UDP_INV_MASK
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+#define ipt_counters_info xt_counters_info
+/* Standard return verdict, or do jump. */
+#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
+/* Error verdict. */
+#define IPT_ERROR_TARGET XT_ERROR_TARGET
+
+/* fn returns 0 to continue iteration */
+#define IPT_MATCH_ITERATE(e, fn, args...) \
+        XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
+
+/* fn returns 0 to continue iteration */
+#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
+#endif
 
 /* Yes, Virginia, you have to zero the padding. */
 struct ipt_ip {
@@ -52,12 +89,6 @@ struct ipt_ip {
         u_int8_t invflags;
 };
 
-#define ipt_entry_match xt_entry_match
-#define ipt_entry_target xt_entry_target
-#define ipt_standard_target xt_standard_target
-
-#define ipt_counters xt_counters
-
 /* Values for "flag" field in struct ipt_ip (general ip structure). */
 #define IPT_F_FRAG              0x01    /* Set if rule is a fragment rule */
 #define IPT_F_GOTO              0x02    /* Set if jump is a goto */
@@ -116,23 +147,6 @@ struct ipt_entry {
 #define IPT_SO_GET_REVISION_TARGET      (IPT_BASE_CTL + 3)
 #define IPT_SO_GET_MAX                  IPT_SO_GET_REVISION_TARGET
 
-#define IPT_CONTINUE XT_CONTINUE
-#define IPT_RETURN XT_RETURN
-
-#include <linux/netfilter/xt_tcpudp.h>
-#define ipt_udp xt_udp
-#define ipt_tcp xt_tcp
-
-#define IPT_TCP_INV_SRCPT       XT_TCP_INV_SRCPT
-#define IPT_TCP_INV_DSTPT       XT_TCP_INV_DSTPT
-#define IPT_TCP_INV_FLAGS       XT_TCP_INV_FLAGS
-#define IPT_TCP_INV_OPTION      XT_TCP_INV_OPTION
-#define IPT_TCP_INV_MASK        XT_TCP_INV_MASK
-
-#define IPT_UDP_INV_SRCPT       XT_UDP_INV_SRCPT
-#define IPT_UDP_INV_DSTPT       XT_UDP_INV_DSTPT
-#define IPT_UDP_INV_MASK        XT_UDP_INV_MASK
-
 /* ICMP matching stuff */
 struct ipt_icmp {
         u_int8_t type;                          /* type to match */
@@ -146,7 +160,7 @@ struct ipt_icmp {
 /* The argument to IPT_SO_GET_INFO */
 struct ipt_getinfo {
         /* Which table: caller fills this in. */
-        char name[IPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Kernel fills these in. */
         /* Which hook entry points are valid: bitmask */
@@ -168,7 +182,7 @@ struct ipt_getinfo {
 /* The argument to IPT_SO_SET_REPLACE. */
 struct ipt_replace {
         /* Which table. */
-        char name[IPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Which hook entry points are valid: bitmask.  You can't
            change this. */
@@ -196,13 +210,10 @@ struct ipt_replace {
         struct ipt_entry entries[0];
 };
 
-/* The argument to IPT_SO_ADD_COUNTERS. */
-#define ipt_counters_info xt_counters_info
-
 /* The argument to IPT_SO_GET_ENTRIES. */
 struct ipt_get_entries {
         /* Which table: user fills this in. */
-        char name[IPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* User fills this in: total entry size. */
         unsigned int size;
@@ -211,28 +222,13 @@ struct ipt_get_entries {
         struct ipt_entry entrytable[0];
 };
 
-/* Standard return verdict, or do jump. */
-#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IPT_ERROR_TARGET XT_ERROR_TARGET
-
 /* Helper functions */
-static __inline__ struct ipt_entry_target *
+static __inline__ struct xt_entry_target *
 ipt_get_target(struct ipt_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#ifndef __KERNEL__
-/* fn returns 0 to continue iteration */
-#define IPT_MATCH_ITERATE(e, fn, args...) \
-        XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
-        XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
-#endif
-
 /*
  *      Main firewall chains definitions and global var's definitions.
  */
@@ -249,17 +245,12 @@ extern void ipt_unregister_table(struct net *net, struct xt_table *table);
 /* Standard entry. */
 struct ipt_standard {
         struct ipt_entry entry;
-        struct ipt_standard_target target;
-};
-
-struct ipt_error_target {
-        struct ipt_entry_target target;
-        char errorname[IPT_FUNCTION_MAXNAMELEN];
+        struct xt_standard_target target;
 };
 
 struct ipt_error {
         struct ipt_entry entry;
-        struct ipt_error_target target;
+        struct xt_error_target target;
 };
 
 #define IPT_ENTRY_INIT(__size)                                                 \
@@ -271,7 +262,7 @@ struct ipt_error {
 #define IPT_STANDARD_INIT(__verdict)                                           \
 {                                                                              \
         .entry          = IPT_ENTRY_INIT(sizeof(struct ipt_standard)),         \
-        .target         = XT_TARGET_INIT(IPT_STANDARD_TARGET,                  \
+        .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
                                          sizeof(struct xt_standard_target)),   \
         .target.verdict = -(__verdict) - 1,                                    \
 }
@@ -279,8 +270,8 @@ struct ipt_error {
 #define IPT_ERROR_INIT                                                         \
 {                                                                              \
         .entry          = IPT_ENTRY_INIT(sizeof(struct ipt_error)),            \
-        .target         = XT_TARGET_INIT(IPT_ERROR_TARGET,                     \
-                                         sizeof(struct ipt_error_target)),     \
+        .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
+                                         sizeof(struct xt_error_target)),      \
         .target.errorname = "ERROR",                                           \
 }
 
@@ -291,8 +282,6 @@ extern unsigned int ipt_do_table(struct sk_buff *skb,
                                  const struct net_device *out,
                                  struct xt_table *table);
 
-#define IPT_ALIGN(s) XT_ALIGN(s)
-
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
 
@@ -307,14 +296,12 @@ struct compat_ipt_entry {
 };
 
 /* Helper functions */
-static inline struct ipt_entry_target *
+static inline struct xt_entry_target *
 compat_ipt_get_target(struct compat_ipt_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#define COMPAT_IPT_ALIGN(s)     COMPAT_XT_ALIGN(s)
-
 #endif /* CONFIG_COMPAT */
 #endif /*__KERNEL__*/
 #endif /* _IPTABLES_H */
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 18442ff19c07..c9784f7a9c1f 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -27,13 +27,42 @@
 
 #include <linux/netfilter/x_tables.h>
 
+#ifndef __KERNEL__
 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-
 #define ip6t_match xt_match
 #define ip6t_target xt_target
 #define ip6t_table xt_table
 #define ip6t_get_revision xt_get_revision
+#define ip6t_entry_match xt_entry_match
+#define ip6t_entry_target xt_entry_target
+#define ip6t_standard_target xt_standard_target
+#define ip6t_error_target xt_error_target
+#define ip6t_counters xt_counters
+#define IP6T_CONTINUE XT_CONTINUE
+#define IP6T_RETURN XT_RETURN
+
+/* Pre-iptables-1.4.0 */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ip6t_tcp xt_tcp
+#define ip6t_udp xt_udp
+#define IP6T_TCP_INV_SRCPT      XT_TCP_INV_SRCPT
+#define IP6T_TCP_INV_DSTPT      XT_TCP_INV_DSTPT
+#define IP6T_TCP_INV_FLAGS      XT_TCP_INV_FLAGS
+#define IP6T_TCP_INV_OPTION     XT_TCP_INV_OPTION
+#define IP6T_TCP_INV_MASK       XT_TCP_INV_MASK
+#define IP6T_UDP_INV_SRCPT      XT_UDP_INV_SRCPT
+#define IP6T_UDP_INV_DSTPT      XT_UDP_INV_DSTPT
+#define IP6T_UDP_INV_MASK       XT_UDP_INV_MASK
+
+#define ip6t_counters_info xt_counters_info
+#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
+#define IP6T_ERROR_TARGET XT_ERROR_TARGET
+#define IP6T_MATCH_ITERATE(e, fn, args...) \
+        XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
+#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
+#endif
 
 /* Yes, Virginia, you have to zero the padding. */
 struct ip6t_ip6 {
@@ -62,12 +91,6 @@ struct ip6t_ip6 {
         u_int8_t invflags;
 };
 
-#define ip6t_entry_match xt_entry_match
-#define ip6t_entry_target xt_entry_target
-#define ip6t_standard_target xt_standard_target
-
-#define ip6t_counters   xt_counters
-
 /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
 #define IP6T_F_PROTO            0x01    /* Set if rule cares about upper 
                                            protocols */
@@ -112,17 +135,12 @@ struct ip6t_entry {
 /* Standard entry */
 struct ip6t_standard {
         struct ip6t_entry entry;
-        struct ip6t_standard_target target;
-};
-
-struct ip6t_error_target {
-        struct ip6t_entry_target target;
-        char errorname[IP6T_FUNCTION_MAXNAMELEN];
+        struct xt_standard_target target;
 };
 
 struct ip6t_error {
         struct ip6t_entry entry;
-        struct ip6t_error_target target;
+        struct xt_error_target target;
 };
 
 #define IP6T_ENTRY_INIT(__size)                                                \
@@ -134,16 +152,16 @@ struct ip6t_error {
 #define IP6T_STANDARD_INIT(__verdict)                                          \
 {                                                                              \
         .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
-        .target         = XT_TARGET_INIT(IP6T_STANDARD_TARGET,                 \
-                                         sizeof(struct ip6t_standard_target)), \
+        .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
+                                         sizeof(struct xt_standard_target)),   \
         .target.verdict = -(__verdict) - 1,                                    \
 }
 
 #define IP6T_ERROR_INIT                                                        \
 {                                                                              \
         .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),          \
-        .target         = XT_TARGET_INIT(IP6T_ERROR_TARGET,                    \
-                                         sizeof(struct ip6t_error_target)),    \
+        .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
+                                         sizeof(struct xt_error_target)),      \
         .target.errorname = "ERROR",                                           \
 }
 
@@ -166,30 +184,6 @@ struct ip6t_error {
 #define IP6T_SO_GET_REVISION_TARGET     (IP6T_BASE_CTL + 5)
 #define IP6T_SO_GET_MAX                 IP6T_SO_GET_REVISION_TARGET
 
-/* CONTINUE verdict for targets */
-#define IP6T_CONTINUE XT_CONTINUE
-
-/* For standard target */
-#define IP6T_RETURN XT_RETURN
-
-/* TCP/UDP matching stuff */
-#include <linux/netfilter/xt_tcpudp.h>
-
-#define ip6t_tcp xt_tcp
-#define ip6t_udp xt_udp
-
-/* Values for "inv" field in struct ipt_tcp. */
-#define IP6T_TCP_INV_SRCPT      XT_TCP_INV_SRCPT
-#define IP6T_TCP_INV_DSTPT      XT_TCP_INV_DSTPT
-#define IP6T_TCP_INV_FLAGS      XT_TCP_INV_FLAGS
-#define IP6T_TCP_INV_OPTION     XT_TCP_INV_OPTION
-#define IP6T_TCP_INV_MASK       XT_TCP_INV_MASK
-
-/* Values for "invflags" field in struct ipt_udp. */
-#define IP6T_UDP_INV_SRCPT      XT_UDP_INV_SRCPT
-#define IP6T_UDP_INV_DSTPT      XT_UDP_INV_DSTPT
-#define IP6T_UDP_INV_MASK       XT_UDP_INV_MASK
-
 /* ICMP matching stuff */
 struct ip6t_icmp {
         u_int8_t type;                          /* type to match */
@@ -203,7 +197,7 @@ struct ip6t_icmp {
 /* The argument to IP6T_SO_GET_INFO */
 struct ip6t_getinfo {
         /* Which table: caller fills this in. */
-        char name[IP6T_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Kernel fills these in. */
         /* Which hook entry points are valid: bitmask */
@@ -225,7 +219,7 @@ struct ip6t_getinfo {
 /* The argument to IP6T_SO_SET_REPLACE. */
 struct ip6t_replace {
         /* Which table. */
-        char name[IP6T_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Which hook entry points are valid: bitmask.  You can't
            change this. */
@@ -253,13 +247,10 @@ struct ip6t_replace {
         struct ip6t_entry entries[0];
 };
 
-/* The argument to IP6T_SO_ADD_COUNTERS. */
-#define ip6t_counters_info xt_counters_info
-
 /* The argument to IP6T_SO_GET_ENTRIES. */
 struct ip6t_get_entries {
         /* Which table: user fills this in. */
-        char name[IP6T_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* User fills this in: total entry size. */
         unsigned int size;
@@ -268,28 +259,13 @@ struct ip6t_get_entries {
         struct ip6t_entry entrytable[0];
 };
 
-/* Standard return verdict, or do jump. */
-#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IP6T_ERROR_TARGET XT_ERROR_TARGET
-
 /* Helper functions */
-static __inline__ struct ip6t_entry_target *
+static __inline__ struct xt_entry_target *
 ip6t_get_target(struct ip6t_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#ifndef __KERNEL__
-/* fn returns 0 to continue iteration */
-#define IP6T_MATCH_ITERATE(e, fn, args...) \
-        XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
-        XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
-#endif
-
 /*
  *      Main firewall chains definitions and global var's definitions.
  */
@@ -316,8 +292,6 @@ extern int ip6t_ext_hdr(u8 nexthdr);
 extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
                          int target, unsigned short *fragoff);
 
-#define IP6T_ALIGN(s) XT_ALIGN(s)
-
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
 
@@ -331,14 +305,12 @@ struct compat_ip6t_entry {
         unsigned char elems[0];
 };
 
-static inline struct ip6t_entry_target *
+static inline struct xt_entry_target *
 compat_ip6t_get_target(struct compat_ip6t_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#define COMPAT_IP6T_ALIGN(s)    COMPAT_XT_ALIGN(s)
-
 #endif /* CONFIG_COMPAT */
 #endif /*__KERNEL__*/
 #endif /* _IP6_TABLES_H */
diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
index 74358d1b3f43..e9c2ed8af864 100644
--- a/include/net/inet_hashtables.h
+++ b/include/net/inet_hashtables.h
@@ -245,7 +245,7 @@ static inline int inet_sk_listen_hashfn(const struct sock *sk)
 }
 
 /* Caller must disable local BH processing. */
-extern void __inet_inherit_port(struct sock *sk, struct sock *child);
+extern int __inet_inherit_port(struct sock *sk, struct sock *child);
 
 extern void inet_put_port(struct sock *sk);
 
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index f976885f686f..b7bbd6c28cfa 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -25,7 +25,9 @@
 #include <linux/ip.h>
 #include <linux/ipv6.h>                 /* for struct ipv6hdr */
 #include <net/ipv6.h>                   /* for ipv6_addr_copy */
-
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+#include <net/netfilter/nf_conntrack.h>
+#endif
 
 /* Connections' size value needed by ip_vs_ctl.c */
 extern int ip_vs_conn_tab_size;
@@ -134,24 +136,24 @@ static inline const char *ip_vs_dbg_addr(int af, char *buf, size_t buf_len,
                 if (net_ratelimit())                                    \
                         printk(KERN_DEBUG pr_fmt(msg), ##__VA_ARGS__);  \
         } while (0)
-#define IP_VS_DBG_PKT(level, pp, skb, ofs, msg)                         \
+#define IP_VS_DBG_PKT(level, af, pp, skb, ofs, msg)                     \
         do {                                                            \
                 if (level <= ip_vs_get_debug_level())                   \
-                        pp->debug_packet(pp, skb, ofs, msg);            \
+                        pp->debug_packet(af, pp, skb, ofs, msg);        \
         } while (0)
-#define IP_VS_DBG_RL_PKT(level, pp, skb, ofs, msg)                      \
+#define IP_VS_DBG_RL_PKT(level, af, pp, skb, ofs, msg)                  \
         do {                                                            \
                 if (level <= ip_vs_get_debug_level() &&                 \
                     net_ratelimit())                                    \
-                        pp->debug_packet(pp, skb, ofs, msg);            \
+                        pp->debug_packet(af, pp, skb, ofs, msg);        \
         } while (0)
 #else   /* NO DEBUGGING at ALL */
 #define IP_VS_DBG_BUF(level, msg...)  do {} while (0)
 #define IP_VS_ERR_BUF(msg...)  do {} while (0)
 #define IP_VS_DBG(level, msg...)  do {} while (0)
 #define IP_VS_DBG_RL(msg...)  do {} while (0)
-#define IP_VS_DBG_PKT(level, pp, skb, ofs, msg)         do {} while (0)
-#define IP_VS_DBG_RL_PKT(level, pp, skb, ofs, msg)      do {} while (0)
+#define IP_VS_DBG_PKT(level, af, pp, skb, ofs, msg)     do {} while (0)
+#define IP_VS_DBG_RL_PKT(level, af, pp, skb, ofs, msg)  do {} while (0)
 #endif
 
 #define IP_VS_BUG() BUG()
@@ -343,7 +345,7 @@ struct ip_vs_protocol {
 
         int (*app_conn_bind)(struct ip_vs_conn *cp);
 
-        void (*debug_packet)(struct ip_vs_protocol *pp,
+        void (*debug_packet)(int af, struct ip_vs_protocol *pp,
                              const struct sk_buff *skb,
                              int offset,
                              const char *msg);
@@ -355,6 +357,19 @@ struct ip_vs_protocol {
 
 extern struct ip_vs_protocol * ip_vs_proto_get(unsigned short proto);
 
+struct ip_vs_conn_param {
+        const union nf_inet_addr        *caddr;
+        const union nf_inet_addr        *vaddr;
+        __be16                          cport;
+        __be16                          vport;
+        __u16                           protocol;
+        u16                             af;
+
+        const struct ip_vs_pe           *pe;
+        char                            *pe_data;
+        __u8                            pe_data_len;
+};
+
 /*
  *      IP_VS structure allocated for each dynamically scheduled connection
  */
@@ -366,6 +381,7 @@ struct ip_vs_conn {
         union nf_inet_addr       caddr;          /* client address */
         union nf_inet_addr       vaddr;          /* virtual address */
         union nf_inet_addr       daddr;          /* destination address */
+        volatile __u32           flags;          /* status flags */
         __be16                   cport;
         __be16                   vport;
         __be16                   dport;
@@ -378,7 +394,6 @@ struct ip_vs_conn {
 
         /* Flags and state transition */
         spinlock_t              lock;           /* lock for state transition */
-        volatile __u16          flags;          /* status flags */
         volatile __u16          state;          /* state info */
         volatile __u16          old_state;      /* old state, to be used for
                                                  * state transition triggerd
@@ -394,6 +409,7 @@ struct ip_vs_conn {
         /* packet transmitter for different forwarding methods.  If it
            mangles the packet, it must return NF_DROP or better NF_STOLEN,
            otherwise this must be changed to a sk_buff **.
+           NF_ACCEPT can be returned when destination is local.
          */
         int (*packet_xmit)(struct sk_buff *skb, struct ip_vs_conn *cp,
                            struct ip_vs_protocol *pp);
@@ -405,6 +421,9 @@ struct ip_vs_conn {
         void                    *app_data;      /* Application private data */
         struct ip_vs_seq        in_seq;         /* incoming seq. struct */
         struct ip_vs_seq        out_seq;        /* outgoing seq. struct */
+
+        char                    *pe_data;
+        __u8                    pe_data_len;
 };
 
 
@@ -426,6 +445,7 @@ struct ip_vs_service_user_kern {
 
         /* virtual service options */
         char                    *sched_name;
+        char                    *pe_name;
         unsigned                flags;          /* virtual service flags */
         unsigned                timeout;        /* persistent timeout in sec */
         u32                     netmask;        /* persistent netmask */
@@ -475,6 +495,9 @@ struct ip_vs_service {
         struct ip_vs_scheduler  *scheduler;    /* bound scheduler object */
         rwlock_t                sched_lock;    /* lock sched_data */
         void                    *sched_data;   /* scheduler application data */
+
+        /* alternate persistence engine */
+        struct ip_vs_pe         *pe;
 };
 
 
@@ -507,6 +530,10 @@ struct ip_vs_dest {
         spinlock_t              dst_lock;       /* lock of dst_cache */
         struct dst_entry        *dst_cache;     /* destination cache entry */
         u32                     dst_rtos;       /* RT_TOS(tos) for dst */
+        u32                     dst_cookie;
+#ifdef CONFIG_IP_VS_IPV6
+        struct in6_addr         dst_saddr;
+#endif
 
         /* for virtual service */
         struct ip_vs_service    *svc;           /* service it belongs to */
@@ -538,6 +565,21 @@ struct ip_vs_scheduler {
                                        const struct sk_buff *skb);
 };
 
+/* The persistence engine object */
+struct ip_vs_pe {
+        struct list_head        n_list;         /* d-linked list head */
+        char                    *name;          /* scheduler name */
+        atomic_t                refcnt;         /* reference counter */
+        struct module           *module;        /* THIS_MODULE/NULL */
+
+        /* get the connection template, if any */
+        int (*fill_param)(struct ip_vs_conn_param *p, struct sk_buff *skb);
+        bool (*ct_match)(const struct ip_vs_conn_param *p,
+                         struct ip_vs_conn *ct);
+        u32 (*hashkey_raw)(const struct ip_vs_conn_param *p, u32 initval,
+                           bool inverse);
+        int (*show_pe_data)(const struct ip_vs_conn *cp, char *buf);
+};
 
 /*
  *      The application module object (a.k.a. app incarnation)
@@ -556,11 +598,19 @@ struct ip_vs_app {
         __be16                  port;           /* port number in net order */
         atomic_t                usecnt;         /* usage counter */
 
-        /* output hook: return false if can't linearize. diff set for TCP.  */
+        /*
+         * output hook: Process packet in inout direction, diff set for TCP.
+         * Return: 0=Error, 1=Payload Not Mangled/Mangled but checksum is ok,
+         *         2=Mangled but checksum was not updated
+         */
         int (*pkt_out)(struct ip_vs_app *, struct ip_vs_conn *,
                        struct sk_buff *, int *diff);
 
-        /* input hook: return false if can't linearize. diff set for TCP. */
+        /*
+         * input hook: Process packet in outin direction, diff set for TCP.
+         * Return: 0=Error, 1=Payload Not Mangled/Mangled but checksum is ok,
+         *         2=Mangled but checksum was not updated
+         */
         int (*pkt_in)(struct ip_vs_app *, struct ip_vs_conn *,
                       struct sk_buff *, int *diff);
 
@@ -624,13 +674,25 @@ enum {
         IP_VS_DIR_LAST,
 };
 
-extern struct ip_vs_conn *ip_vs_conn_in_get
-(int af, int protocol, const union nf_inet_addr *s_addr, __be16 s_port,
- const union nf_inet_addr *d_addr, __be16 d_port);
+static inline void ip_vs_conn_fill_param(int af, int protocol,
+                                         const union nf_inet_addr *caddr,
+                                         __be16 cport,
+                                         const union nf_inet_addr *vaddr,
+                                         __be16 vport,
+                                         struct ip_vs_conn_param *p)
+{
+        p->af = af;
+        p->protocol = protocol;
+        p->caddr = caddr;
+        p->cport = cport;
+        p->vaddr = vaddr;
+        p->vport = vport;
+        p->pe = NULL;
+        p->pe_data = NULL;
+}
 
-extern struct ip_vs_conn *ip_vs_ct_in_get
-(int af, int protocol, const union nf_inet_addr *s_addr, __be16 s_port,
- const union nf_inet_addr *d_addr, __be16 d_port);
+struct ip_vs_conn *ip_vs_conn_in_get(const struct ip_vs_conn_param *p);
+struct ip_vs_conn *ip_vs_ct_in_get(const struct ip_vs_conn_param *p);
 
 struct ip_vs_conn * ip_vs_conn_in_get_proto(int af, const struct sk_buff *skb,
                                             struct ip_vs_protocol *pp,
@@ -638,9 +700,7 @@ struct ip_vs_conn * ip_vs_conn_in_get_proto(int af, const struct sk_buff *skb,
                                             unsigned int proto_off,
                                             int inverse);
 
-extern struct ip_vs_conn *ip_vs_conn_out_get
-(int af, int protocol, const union nf_inet_addr *s_addr, __be16 s_port,
- const union nf_inet_addr *d_addr, __be16 d_port);
+struct ip_vs_conn *ip_vs_conn_out_get(const struct ip_vs_conn_param *p);
 
 struct ip_vs_conn * ip_vs_conn_out_get_proto(int af, const struct sk_buff *skb,
                                              struct ip_vs_protocol *pp,
@@ -656,11 +716,10 @@ static inline void __ip_vs_conn_put(struct ip_vs_conn *cp)
 extern void ip_vs_conn_put(struct ip_vs_conn *cp);
 extern void ip_vs_conn_fill_cport(struct ip_vs_conn *cp, __be16 cport);
 
-extern struct ip_vs_conn *
-ip_vs_conn_new(int af, int proto, const union nf_inet_addr *caddr, __be16 cport,
-               const union nf_inet_addr *vaddr, __be16 vport,
-               const union nf_inet_addr *daddr, __be16 dport, unsigned flags,
-               struct ip_vs_dest *dest);
+struct ip_vs_conn *ip_vs_conn_new(const struct ip_vs_conn_param *p,
+                                  const union nf_inet_addr *daddr,
+                                  __be16 dport, unsigned flags,
+                                  struct ip_vs_dest *dest);
 extern void ip_vs_conn_expire_now(struct ip_vs_conn *cp);
 
 extern const char * ip_vs_state_name(__u16 proto, int state);
@@ -751,6 +810,12 @@ extern int ip_vs_app_pkt_in(struct ip_vs_conn *, struct sk_buff *skb);
 extern int ip_vs_app_init(void);
 extern void ip_vs_app_cleanup(void);
 
+void ip_vs_bind_pe(struct ip_vs_service *svc, struct ip_vs_pe *pe);
+void ip_vs_unbind_pe(struct ip_vs_service *svc);
+int register_ip_vs_pe(struct ip_vs_pe *pe);
+int unregister_ip_vs_pe(struct ip_vs_pe *pe);
+extern struct ip_vs_pe *ip_vs_pe_get(const char *name);
+extern void ip_vs_pe_put(struct ip_vs_pe *pe);
 
 /*
  *      IPVS protocol functions (from ip_vs_proto.c)
@@ -763,7 +828,8 @@ extern int
 ip_vs_set_state_timeout(int *table, int num, const char *const *names,
                         const char *name, int to);
 extern void
-ip_vs_tcpudp_debug_packet(struct ip_vs_protocol *pp, const struct sk_buff *skb,
+ip_vs_tcpudp_debug_packet(int af, struct ip_vs_protocol *pp,
+                          const struct sk_buff *skb,
                           int offset, const char *msg);
 
 extern struct ip_vs_protocol ip_vs_protocol_tcp;
@@ -785,7 +851,8 @@ extern int ip_vs_unbind_scheduler(struct ip_vs_service *svc);
 extern struct ip_vs_scheduler *ip_vs_scheduler_get(const char *sched_name);
 extern void ip_vs_scheduler_put(struct ip_vs_scheduler *scheduler);
 extern struct ip_vs_conn *
-ip_vs_schedule(struct ip_vs_service *svc, const struct sk_buff *skb);
+ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
+               struct ip_vs_protocol *pp, int *ignored);
 extern int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
                         struct ip_vs_protocol *pp);
 
@@ -798,6 +865,8 @@ extern int sysctl_ip_vs_expire_nodest_conn;
 extern int sysctl_ip_vs_expire_quiescent_template;
 extern int sysctl_ip_vs_sync_threshold[2];
 extern int sysctl_ip_vs_nat_icmp_send;
+extern int sysctl_ip_vs_conntrack;
+extern int sysctl_ip_vs_snat_reroute;
 extern struct ip_vs_stats ip_vs_stats;
 extern const struct ctl_path net_vs_ctl_path[];
 
@@ -955,8 +1024,65 @@ static inline __wsum ip_vs_check_diff2(__be16 old, __be16 new, __wsum oldsum)
         return csum_partial(diff, sizeof(diff), oldsum);
 }
 
+/*
+ * Forget current conntrack (unconfirmed) and attach notrack entry
+ */
+static inline void ip_vs_notrack(struct sk_buff *skb)
+{
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+        enum ip_conntrack_info ctinfo;
+        struct nf_conn *ct = ct = nf_ct_get(skb, &ctinfo);
+
+        if (!ct || !nf_ct_is_untracked(ct)) {
+                nf_reset(skb);
+                skb->nfct = &nf_ct_untracked_get()->ct_general;
+                skb->nfctinfo = IP_CT_NEW;
+                nf_conntrack_get(skb->nfct);
+        }
+#endif
+}
+
+#ifdef CONFIG_IP_VS_NFCT
+/*
+ *      Netfilter connection tracking
+ *      (from ip_vs_nfct.c)
+ */
+static inline int ip_vs_conntrack_enabled(void)
+{
+        return sysctl_ip_vs_conntrack;
+}
+
 extern void ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp,
                                    int outin);
+extern int ip_vs_confirm_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp);
+extern void ip_vs_nfct_expect_related(struct sk_buff *skb, struct nf_conn *ct,
+                                      struct ip_vs_conn *cp, u_int8_t proto,
+                                      const __be16 port, int from_rs);
+extern void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp);
+
+#else
+
+static inline int ip_vs_conntrack_enabled(void)
+{
+        return 0;
+}
+
+static inline void ip_vs_update_conntrack(struct sk_buff *skb,
+                                          struct ip_vs_conn *cp, int outin)
+{
+}
+
+static inline int ip_vs_confirm_conntrack(struct sk_buff *skb,
+                                          struct ip_vs_conn *cp)
+{
+        return NF_ACCEPT;
+}
+
+static inline void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp)
+{
+}
+/* CONFIG_IP_VS_NFCT */
+#endif
 
 #endif /* __KERNEL__ */
 
diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
new file mode 100644
index 000000000000..94dd54d76b48
--- /dev/null
+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
@@ -0,0 +1,6 @@
+#ifndef _NF_DEFRAG_IPV6_H
+#define _NF_DEFRAG_IPV6_H
+
+extern void nf_defrag_ipv6_enable(void);
+
+#endif /* _NF_DEFRAG_IPV6_H */
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 11e815084fcf..0f8a8c587532 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -67,9 +67,6 @@ struct nf_conntrack_expect_policy {
 
 #define NF_CT_EXPECT_CLASS_DEFAULT      0
 
-#define NF_CT_EXPECT_PERMANENT  0x1
-#define NF_CT_EXPECT_INACTIVE   0x2
-
 int nf_conntrack_expect_init(struct net *net);
 void nf_conntrack_expect_fini(struct net *net);
 
@@ -85,9 +82,16 @@ struct nf_conntrack_expect *
 nf_ct_find_expectation(struct net *net, u16 zone,
                        const struct nf_conntrack_tuple *tuple);
 
-void nf_ct_unlink_expect(struct nf_conntrack_expect *exp);
+void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
+                                u32 pid, int report);
+static inline void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
+{
+        nf_ct_unlink_expect_report(exp, 0, 0);
+}
+
 void nf_ct_remove_expectations(struct nf_conn *ct);
 void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
+void nf_ct_remove_userspace_expectations(void);
 
 /* Allocate space for an expectation: this is mandatory before calling
    nf_ct_expect_related.  You will have to call put afterwards. */
diff --git a/include/net/netfilter/nf_nat_protocol.h b/include/net/netfilter/nf_nat_protocol.h
index df17bac46bf5..93cc90d28e66 100644
--- a/include/net/netfilter/nf_nat_protocol.h
+++ b/include/net/netfilter/nf_nat_protocol.h
@@ -45,9 +45,6 @@ struct nf_nat_protocol {
 extern int nf_nat_protocol_register(const struct nf_nat_protocol *proto);
 extern void nf_nat_protocol_unregister(const struct nf_nat_protocol *proto);
 
-extern const struct nf_nat_protocol *nf_nat_proto_find_get(u_int8_t protocol);
-extern void nf_nat_proto_put(const struct nf_nat_protocol *proto);
-
 /* Built-in protocols. */
 extern const struct nf_nat_protocol nf_nat_protocol_tcp;
 extern const struct nf_nat_protocol nf_nat_protocol_udp;
diff --git a/include/net/netfilter/nf_tproxy_core.h b/include/net/netfilter/nf_tproxy_core.h
index 208b46f4d6d2..cd85b3bc8327 100644
--- a/include/net/netfilter/nf_tproxy_core.h
+++ b/include/net/netfilter/nf_tproxy_core.h
@@ -5,15 +5,201 @@
 #include <linux/in.h>
 #include <linux/skbuff.h>
 #include <net/sock.h>
-#include <net/inet_sock.h>
+#include <net/inet_hashtables.h>
+#include <net/inet6_hashtables.h>
 #include <net/tcp.h>
 
+#define NFT_LOOKUP_ANY         0
+#define NFT_LOOKUP_LISTENER    1
+#define NFT_LOOKUP_ESTABLISHED 2
+
 /* look up and get a reference to a matching socket */
-extern struct sock *
+
+
+/* This function is used by the 'TPROXY' target and the 'socket'
+ * match. The following lookups are supported:
+ *
+ * Explicit TProxy target rule
+ * ===========================
+ *
+ * This is used when the user wants to intercept a connection matching
+ * an explicit iptables rule. In this case the sockets are assumed
+ * matching in preference order:
+ *
+ *   - match: if there's a fully established connection matching the
+ *     _packet_ tuple, it is returned, assuming the redirection
+ *     already took place and we process a packet belonging to an
+ *     established connection
+ *
+ *   - match: if there's a listening socket matching the redirection
+ *     (e.g. on-port & on-ip of the connection), it is returned,
+ *     regardless if it was bound to 0.0.0.0 or an explicit
+ *     address. The reasoning is that if there's an explicit rule, it
+ *     does not really matter if the listener is bound to an interface
+ *     or to 0. The user already stated that he wants redirection
+ *     (since he added the rule).
+ *
+ * "socket" match based redirection (no specific rule)
+ * ===================================================
+ *
+ * There are connections with dynamic endpoints (e.g. FTP data
+ * connection) that the user is unable to add explicit rules
+ * for. These are taken care of by a generic "socket" rule. It is
+ * assumed that the proxy application is trusted to open such
+ * connections without explicit iptables rule (except of course the
+ * generic 'socket' rule). In this case the following sockets are
+ * matched in preference order:
+ *
+ *   - match: if there's a fully established connection matching the
+ *     _packet_ tuple
+ *
+ *   - match: if there's a non-zero bound listener (possibly with a
+ *     non-local address) We don't accept zero-bound listeners, since
+ *     then local services could intercept traffic going through the
+ *     box.
+ *
+ * Please note that there's an overlap between what a TPROXY target
+ * and a socket match will match. Normally if you have both rules the
+ * "socket" match will be the first one, effectively all packets
+ * belonging to established connections going through that one.
+ */
+static inline struct sock *
 nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
                       const __be32 saddr, const __be32 daddr,
                       const __be16 sport, const __be16 dport,
-                      const struct net_device *in, bool listening);
+                      const struct net_device *in, int lookup_type)
+{
+        struct sock *sk;
+
+        /* look up socket */
+        switch (protocol) {
+        case IPPROTO_TCP:
+                switch (lookup_type) {
+                case NFT_LOOKUP_ANY:
+                        sk = __inet_lookup(net, &tcp_hashinfo,
+                                           saddr, sport, daddr, dport,
+                                           in->ifindex);
+                        break;
+                case NFT_LOOKUP_LISTENER:
+                        sk = inet_lookup_listener(net, &tcp_hashinfo,
+                                                    daddr, dport,
+                                                    in->ifindex);
+
+                        /* NOTE: we return listeners even if bound to
+                         * 0.0.0.0, those are filtered out in
+                         * xt_socket, since xt_TPROXY needs 0 bound
+                         * listeners too */
+
+                        break;
+                case NFT_LOOKUP_ESTABLISHED:
+                        sk = inet_lookup_established(net, &tcp_hashinfo,
+                                                    saddr, sport, daddr, dport,
+                                                    in->ifindex);
+                        break;
+                default:
+                        WARN_ON(1);
+                        sk = NULL;
+                        break;
+                }
+                break;
+        case IPPROTO_UDP:
+                sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,
+                                     in->ifindex);
+                if (sk && lookup_type != NFT_LOOKUP_ANY) {
+                        int connected = (sk->sk_state == TCP_ESTABLISHED);
+                        int wildcard = (inet_sk(sk)->inet_rcv_saddr == 0);
+
+                        /* NOTE: we return listeners even if bound to
+                         * 0.0.0.0, those are filtered out in
+                         * xt_socket, since xt_TPROXY needs 0 bound
+                         * listeners too */
+                        if ((lookup_type == NFT_LOOKUP_ESTABLISHED && (!connected || wildcard)) ||
+                            (lookup_type == NFT_LOOKUP_LISTENER && connected)) {
+                                sock_put(sk);
+                                sk = NULL;
+                        }
+                }
+                break;
+        default:
+                WARN_ON(1);
+                sk = NULL;
+        }
+
+        pr_debug("tproxy socket lookup: proto %u %08x:%u -> %08x:%u, lookup type: %d, sock %p\n",
+                 protocol, ntohl(saddr), ntohs(sport), ntohl(daddr), ntohs(dport), lookup_type, sk);
+
+        return sk;
+}
+
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+static inline struct sock *
+nf_tproxy_get_sock_v6(struct net *net, const u8 protocol,
+                      const struct in6_addr *saddr, const struct in6_addr *daddr,
+                      const __be16 sport, const __be16 dport,
+                      const struct net_device *in, int lookup_type)
+{
+        struct sock *sk;
+
+        /* look up socket */
+        switch (protocol) {
+        case IPPROTO_TCP:
+                switch (lookup_type) {
+                case NFT_LOOKUP_ANY:
+                        sk = inet6_lookup(net, &tcp_hashinfo,
+                                          saddr, sport, daddr, dport,
+                                          in->ifindex);
+                        break;
+                case NFT_LOOKUP_LISTENER:
+                        sk = inet6_lookup_listener(net, &tcp_hashinfo,
+                                                   daddr, ntohs(dport),
+                                                   in->ifindex);
+
+                        /* NOTE: we return listeners even if bound to
+                         * 0.0.0.0, those are filtered out in
+                         * xt_socket, since xt_TPROXY needs 0 bound
+                         * listeners too */
+
+                        break;
+                case NFT_LOOKUP_ESTABLISHED:
+                        sk = __inet6_lookup_established(net, &tcp_hashinfo,
+                                                        saddr, sport, daddr, ntohs(dport),
+                                                        in->ifindex);
+                        break;
+                default:
+                        WARN_ON(1);
+                        sk = NULL;
+                        break;
+                }
+                break;
+        case IPPROTO_UDP:
+                sk = udp6_lib_lookup(net, saddr, sport, daddr, dport,
+                                     in->ifindex);
+                if (sk && lookup_type != NFT_LOOKUP_ANY) {
+                        int connected = (sk->sk_state == TCP_ESTABLISHED);
+                        int wildcard = ipv6_addr_any(&inet6_sk(sk)->rcv_saddr);
+
+                        /* NOTE: we return listeners even if bound to
+                         * 0.0.0.0, those are filtered out in
+                         * xt_socket, since xt_TPROXY needs 0 bound
+                         * listeners too */
+                        if ((lookup_type == NFT_LOOKUP_ESTABLISHED && (!connected || wildcard)) ||
+                            (lookup_type == NFT_LOOKUP_LISTENER && connected)) {
+                                sock_put(sk);
+                                sk = NULL;
+                        }
+                }
+                break;
+        default:
+                WARN_ON(1);
+                sk = NULL;
+        }
+
+        pr_debug("tproxy socket lookup: proto %u %pI6:%u -> %pI6:%u, lookup type: %d, sock %p\n",
+                 protocol, saddr, ntohs(sport), daddr, ntohs(dport), lookup_type, sk);
+
+        return sk;
+}
+#endif
 
 static inline void
 nf_tproxy_put_sock(struct sock *sk)
diff --git a/include/net/netfilter/xt_log.h b/include/net/netfilter/xt_log.h
new file mode 100644
index 000000000000..0dfb34a5b53c
--- /dev/null
+++ b/include/net/netfilter/xt_log.h
@@ -0,0 +1,54 @@
+#define S_SIZE (1024 - (sizeof(unsigned int) + 1))
+
+struct sbuff {
+        unsigned int    count;
+        char            buf[S_SIZE + 1];
+};
+static struct sbuff emergency, *emergency_ptr = &emergency;
+
+static int sb_add(struct sbuff *m, const char *f, ...)
+{
+        va_list args;
+        int len;
+
+        if (likely(m->count < S_SIZE)) {
+                va_start(args, f);
+                len = vsnprintf(m->buf + m->count, S_SIZE - m->count, f, args);
+                va_end(args);
+                if (likely(m->count + len < S_SIZE)) {
+                        m->count += len;
+                        return 0;
+                }
+        }
+        m->count = S_SIZE;
+        printk_once(KERN_ERR KBUILD_MODNAME " please increase S_SIZE\n");
+        return -1;
+}
+
+static struct sbuff *sb_open(void)
+{
+        struct sbuff *m = kmalloc(sizeof(*m), GFP_ATOMIC);
+
+        if (unlikely(!m)) {
+                local_bh_disable();
+                do {
+                        m = xchg(&emergency_ptr, NULL);
+                } while (!m);
+        }
+        m->count = 0;
+        return m;
+}
+
+static void sb_close(struct sbuff *m)
+{
+        m->buf[m->count] = 0;
+        printk("%s\n", m->buf);
+
+        if (likely(m != &emergency))
+                kfree(m);
+        else {
+                xchg(&emergency_ptr, m);
+                local_bh_enable();
+        }
+}
+
diff --git a/include/net/udp.h b/include/net/udp.h
index a184d3496b13..200b82848c9a 100644
--- a/include/net/udp.h
+++ b/include/net/udp.h
@@ -183,6 +183,9 @@ extern int udp_lib_setsockopt(struct sock *sk, int level, int optname,
 extern struct sock *udp4_lib_lookup(struct net *net, __be32 saddr, __be16 sport,
                                     __be32 daddr, __be16 dport,
                                     int dif);
+extern struct sock *udp6_lib_lookup(struct net *net, const struct in6_addr *saddr, __be16 sport,
+                                    const struct in6_addr *daddr, __be16 dport,
+                                    int dif);
 
 /*
  *      SNMP statistics for UDP and UDP-Lite