Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

4 files changed, 51 insertions, 27 deletions

diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 5234f4f3499a..915fc17d7ce2 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -13,6 +13,7 @@
 #include <linux/module.h>
 #include <linux/spinlock.h>
 #include <linux/skbuff.h>
+#include <linux/if_arp.h>
 #include <linux/ip.h>
 #include <net/icmp.h>
 #include <net/udp.h>
@@ -363,6 +364,42 @@ static void dump_packet(const struct nf_loginfo *info,
         /* maxlen = 230+   91  + 230 + 252 = 803 */
 }
 
+static void dump_mac_header(const struct nf_loginfo *info,
+                            const struct sk_buff *skb)
+{
+        struct net_device *dev = skb->dev;
+        unsigned int logflags = 0;
+
+        if (info->type == NF_LOG_TYPE_LOG)
+                logflags = info->u.log.logflags;
+
+        if (!(logflags & IPT_LOG_MACDECODE))
+                goto fallback;
+
+        switch (dev->type) {
+        case ARPHRD_ETHER:
+                printk("MACSRC=%pM MACDST=%pM MACPROTO=%04x ",
+                       eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
+                       ntohs(eth_hdr(skb)->h_proto));
+                return;
+        default:
+                break;
+        }
+
+fallback:
+        printk("MAC=");
+        if (dev->hard_header_len &&
+            skb->mac_header != skb->network_header) {
+                const unsigned char *p = skb_mac_header(skb);
+                unsigned int i;
+
+                printk("%02x", *p++);
+                for (i = 1; i < dev->hard_header_len; i++, p++)
+                        printk(":%02x", *p);
+        }
+        printk(" ");
+}
+
 static struct nf_loginfo default_loginfo = {
         .type   = NF_LOG_TYPE_LOG,
         .u = {
@@ -404,20 +441,9 @@ ipt_log_packet(u_int8_t pf,
         }
 #endif
 
-        if (in && !out) {
-                /* MAC logging for input chain only. */
-                printk("MAC=");
-                if (skb->dev && skb->dev->hard_header_len &&
-                    skb->mac_header != skb->network_header) {
-                        int i;
-                        const unsigned char *p = skb_mac_header(skb);
-                        for (i = 0; i < skb->dev->hard_header_len; i++,p++)
-                                printk("%02x%c", *p,
-                                       i==skb->dev->hard_header_len - 1
-                                       ? ' ':':');
-                } else
-                        printk(" ");
-        }
+        /* MAC logging for input path only. */
+        if (in && !out)
+                dump_mac_header(loginfo, skb);
 
         dump_packet(loginfo, skb, 0);
         printk("\n");
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index f43867d1697f..6cdb298f1035 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -48,7 +48,8 @@ netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 
         NF_CT_ASSERT(par->hooknum == NF_INET_PRE_ROUTING ||
                      par->hooknum == NF_INET_POST_ROUTING ||
-                     par->hooknum == NF_INET_LOCAL_OUT);
+                     par->hooknum == NF_INET_LOCAL_OUT ||
+                     par->hooknum == NF_INET_LOCAL_IN);
         ct = nf_ct_get(skb, &ctinfo);
 
         netmask = ~(mr->range[0].min_ip ^ mr->range[0].max_ip);
@@ -77,7 +78,8 @@ static struct xt_target netmap_tg_reg __read_mostly = {
         .table          = "nat",
         .hooks          = (1 << NF_INET_PRE_ROUTING) |
                           (1 << NF_INET_POST_ROUTING) |
-                          (1 << NF_INET_LOCAL_OUT),
+                          (1 << NF_INET_LOCAL_OUT) |
+                          (1 << NF_INET_LOCAL_IN),
         .checkentry     = netmap_tg_check,
         .me             = THIS_MODULE
 };
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 98ed78281aee..ebbd319f62f5 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -28,7 +28,8 @@
 
 #define NAT_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | \
                          (1 << NF_INET_POST_ROUTING) | \
-                         (1 << NF_INET_LOCAL_OUT))
+                         (1 << NF_INET_LOCAL_OUT) | \
+                         (1 << NF_INET_LOCAL_IN))
 
 static const struct xt_table nat_table = {
         .name           = "nat",
@@ -45,7 +46,8 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
         enum ip_conntrack_info ctinfo;
         const struct nf_nat_multi_range_compat *mr = par->targinfo;
 
-        NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING);
+        NF_CT_ASSERT(par->hooknum == NF_INET_POST_ROUTING ||
+                     par->hooknum == NF_INET_LOCAL_IN);
 
         ct = nf_ct_get(skb, &ctinfo);
 
@@ -99,7 +101,7 @@ static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
         return 0;
 }
 
-unsigned int
+static unsigned int
 alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
 {
         /* Force range to this IP; let proto decide mapping for
@@ -141,7 +143,7 @@ static struct xt_target ipt_snat_reg __read_mostly = {
         .target         = ipt_snat_target,
         .targetsize     = sizeof(struct nf_nat_multi_range_compat),
         .table          = "nat",
-        .hooks          = 1 << NF_INET_POST_ROUTING,
+        .hooks          = (1 << NF_INET_POST_ROUTING) | (1 << NF_INET_LOCAL_IN),
         .checkentry     = ipt_snat_checkentry,
         .family         = AF_INET,
 };
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 6723c682250d..95481fee8bdb 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -131,13 +131,7 @@ nf_nat_fn(unsigned int hooknum,
                 if (!nf_nat_initialized(ct, maniptype)) {
                         unsigned int ret;
 
-                        if (hooknum == NF_INET_LOCAL_IN)
-                                /* LOCAL_IN hook doesn't have a chain!  */
-                                ret = alloc_null_binding(ct, hooknum);
-                        else
-                                ret = nf_nat_rule_find(skb, hooknum, in, out,
-                                                       ct);
-
+                        ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
                         if (ret != NF_ACCEPT)
                                 return ret;
                 } else