Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

author: David S. Miller <davem@davemloft.net> 2008-10-08 12:50:38 -0400
committer: David S. Miller <davem@davemloft.net> 2008-10-08 12:50:38 -0400
commit: 364ae953a48152be11f1aa424cbfd943b7762b0d (patch)
tree: 6873b352af1aa2dd6baa223b951eff4d6e74b1ae /net/ipv6
parent: 075f664689b40217539ebfe856fab73d302a15f1 (diff)
parent: f39a9410ed0503278fd5edc559fa019051413039 (diff)
20 files changed, 274 insertions, 309 deletions
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 8c6c5e71f210..4cb4844a3220 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -23,7 +23,7 @@ int ip6_route_me_harder(struct sk_buff *skb)
                    .saddr = iph->saddr, } },
        };
-        dst = ip6_route_output(&init_net, skb->sk, &fl);
+        dst = ip6_route_output(dev_net(skb->dst->dev), skb->sk, &fl);
 #ifdef CONFIG_XFRM
        if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 0cfcce7b18d8..53ea512c4608 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -55,30 +55,29 @@ config IP6_NF_IPTABLES
          To compile it as a module, choose M here.  If unsure, say N.
+if IP6_NF_IPTABLES
 # The simple matches.
-config IP6_NF_MATCH_RT
+config IP6_NF_MATCH_AH
-        tristate '"rt" Routing header match support'
+        tristate '"ah" match support'
-        depends on IP6_NF_IPTABLES
        depends on NETFILTER_ADVANCED
        help
-          rt matching allows you to match packets based on the routing
+          This module allows one to match AH packets.
-          header of the packet.
          To compile it as a module, choose M here.  If unsure, say N.
-config IP6_NF_MATCH_OPTS
+config IP6_NF_MATCH_EUI64
-        tristate '"hopbyhop" and "dst" opts header match support'
+        tristate '"eui64" address check'
-        depends on IP6_NF_IPTABLES
        depends on NETFILTER_ADVANCED
        help
-          This allows one to match packets based on the hop-by-hop
+          This module performs checking on the IPv6 source address
-          and destination options headers of a packet.
+          Compares the last 64 bits with the EUI64 (delivered
+          from the MAC address) address
          To compile it as a module, choose M here.  If unsure, say N.
 config IP6_NF_MATCH_FRAG
        tristate '"frag" Fragmentation header match support'
-        depends on IP6_NF_IPTABLES
        depends on NETFILTER_ADVANCED
        help
          frag matching allows you to match packets based on the fragmentation
@@ -86,9 +85,17 @@ config IP6_NF_MATCH_FRAG
          To compile it as a module, choose M here.  If unsure, say N.
+config IP6_NF_MATCH_OPTS
+        tristate '"hbh" hop-by-hop and "dst" opts header match support'
+        depends on NETFILTER_ADVANCED
+        help
+          This allows one to match packets based on the hop-by-hop
+          and destination options headers of a packet.
+          To compile it as a module, choose M here.  If unsure, say N.
 config IP6_NF_MATCH_HL
        tristate '"hl" match support'
-        depends on IP6_NF_IPTABLES
        depends on NETFILTER_ADVANCED
        help
          HL matching allows you to match packets based on the hop
@@ -98,7 +105,6 @@ config IP6_NF_MATCH_HL
 config IP6_NF_MATCH_IPV6HEADER
        tristate '"ipv6header" IPv6 Extension Headers Match'
-        depends on IP6_NF_IPTABLES
        default m if NETFILTER_ADVANCED=n
        help
          This module allows one to match packets based upon
@@ -106,54 +112,40 @@ config IP6_NF_MATCH_IPV6HEADER
          To compile it as a module, choose M here.  If unsure, say N.
-config IP6_NF_MATCH_AH
-        tristate '"ah" match support'
-        depends on IP6_NF_IPTABLES
-        depends on NETFILTER_ADVANCED
-        help
-          This module allows one to match AH packets.
-          To compile it as a module, choose M here.  If unsure, say N.
 config IP6_NF_MATCH_MH
        tristate '"mh" match support'
-        depends on IP6_NF_IPTABLES
        depends on NETFILTER_ADVANCED
        help
          This module allows one to match MH packets.
          To compile it as a module, choose M here.  If unsure, say N.
-config IP6_NF_MATCH_EUI64
+config IP6_NF_MATCH_RT
-        tristate '"eui64" address check'
+        tristate '"rt" Routing header match support'
-        depends on IP6_NF_IPTABLES
        depends on NETFILTER_ADVANCED
        help
-          This module performs checking on the IPv6 source address
+          rt matching allows you to match packets based on the routing
-          Compares the last 64 bits with the EUI64 (delivered
+          header of the packet.
-          from the MAC address) address
          To compile it as a module, choose M here.  If unsure, say N.
 # The targets
-config IP6_NF_FILTER
+config IP6_NF_TARGET_LOG
-        tristate "Packet filtering"
+        tristate "LOG target support"
-        depends on IP6_NF_IPTABLES
        default m if NETFILTER_ADVANCED=n
        help
-          Packet filtering defines a table `filter', which has a series of
+          This option adds a `LOG' target, which allows you to create rules in
-          rules for simple packet filtering at local input, forwarding and
+          any iptables table which records the packet header to the syslog.
-          local output.  See the man page for iptables(8).
          To compile it as a module, choose M here.  If unsure, say N.
-config IP6_NF_TARGET_LOG
+config IP6_NF_FILTER
-        tristate "LOG target support"
+        tristate "Packet filtering"
-        depends on IP6_NF_FILTER
        default m if NETFILTER_ADVANCED=n
        help
-          This option adds a `LOG' target, which allows you to create rules in
+          Packet filtering defines a table `filter', which has a series of
-          any iptables table which records the packet header to the syslog.
+          rules for simple packet filtering at local input, forwarding and
+          local output.  See the man page for iptables(8).
          To compile it as a module, choose M here.  If unsure, say N.
@@ -170,7 +162,6 @@ config IP6_NF_TARGET_REJECT
 config IP6_NF_MANGLE
        tristate "Packet mangling"
-        depends on IP6_NF_IPTABLES
        default m if NETFILTER_ADVANCED=n
        help
          This option adds a `mangle' table to iptables: see the man page for
@@ -198,7 +189,6 @@ config IP6_NF_TARGET_HL
 config IP6_NF_RAW
        tristate  'raw table support (required for TRACE)'
-        depends on IP6_NF_IPTABLES
        depends on NETFILTER_ADVANCED
        help
          This option adds a `raw' table to ip6tables. This table is the very
@@ -211,7 +201,6 @@ config IP6_NF_RAW
 # security table for MAC policy
 config IP6_NF_SECURITY
       tristate "Security table"
-       depends on IP6_NF_IPTABLES
       depends on SECURITY
       depends on NETFILTER_ADVANCED
       help
@@ -220,5 +209,7 @@ config IP6_NF_SECURITY
        
         If unsure, say N.
+endif # IP6_NF_IPTABLES
 endmenu
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 0b4557e03431..a33485dc81cb 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -200,32 +200,25 @@ ip6_checkentry(const struct ip6t_ip6 *ipv6)
 }
 static unsigned int
-ip6t_error(struct sk_buff *skb,
+ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
-          const struct net_device *in,
-          const struct net_device *out,
-          unsigned int hooknum,
-          const struct xt_target *target,
-          const void *targinfo)
 {
        if (net_ratelimit())
-                printk("ip6_tables: error: `%s'\n", (char *)targinfo);
+                printk("ip6_tables: error: `%s'\n",
+                       (const char *)par->targinfo);
        return NF_DROP;
 }
 /* Performance critical - called for every packet */
 static inline bool
-do_match(struct ip6t_entry_match *m,
+do_match(struct ip6t_entry_match *m, const struct sk_buff *skb,
-              const struct sk_buff *skb,
+         struct xt_match_param *par)
-              const struct net_device *in,
-              const struct net_device *out,
-              int offset,
-              unsigned int protoff,
-              bool *hotdrop)
 {
+        par->match     = m->u.kernel.match;
+        par->matchinfo = m->data;
        /* Stop iteration if it doesn't match */
-        if (!m->u.kernel.match->match(skb, in, out, m->u.kernel.match, m->data,
+        if (!m->u.kernel.match->match(skb, par))
-                                      offset, protoff, hotdrop))
                return true;
        else
                return false;
@@ -355,8 +348,6 @@ ip6t_do_table(struct sk_buff *skb,
              struct xt_table *table)
 {
        static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
-        int offset = 0;
-        unsigned int protoff = 0;
        bool hotdrop = false;
        /* Initializing verdict to NF_DROP keeps gcc happy. */
        unsigned int verdict = NF_DROP;
@@ -364,6 +355,8 @@ ip6t_do_table(struct sk_buff *skb,
        void *table_base;
        struct ip6t_entry *e, *back;
        struct xt_table_info *private;
+        struct xt_match_param mtpar;
+        struct xt_target_param tgpar;
        /* Initialization */
        indev = in ? in->name : nulldevname;
@@ -374,6 +367,11 @@ ip6t_do_table(struct sk_buff *skb,
         * things we don't know, ie. tcp syn flag or ports).  If the
         * rule is also a fragment-specific rule, non-fragments won't
         * match it. */
+        mtpar.hotdrop = &hotdrop;
+        mtpar.in      = tgpar.in  = in;
+        mtpar.out     = tgpar.out = out;
+        mtpar.family  = tgpar.family = NFPROTO_IPV6;
+        tgpar.hooknum = hook;
        read_lock_bh(&table->lock);
        IP_NF_ASSERT(table->valid_hooks & (1 << hook));
@@ -388,12 +386,10 @@ ip6t_do_table(struct sk_buff *skb,
                IP_NF_ASSERT(e);
                IP_NF_ASSERT(back);
                if (ip6_packet_match(skb, indev, outdev, &e->ipv6,
-                        &protoff, &offset, &hotdrop)) {
+                        &mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
                        struct ip6t_entry_target *t;
-                        if (IP6T_MATCH_ITERATE(e, do_match,
+                        if (IP6T_MATCH_ITERATE(e, do_match, skb, &mtpar) != 0)
-                                               skb, in, out,
-                                               offset, protoff, &hotdrop) != 0)
                                goto no_match;
                        ADD_COUNTER(e->counters,
@@ -441,15 +437,15 @@ ip6t_do_table(struct sk_buff *skb,
                        } else {
                                /* Targets which reenter must return
                                   abs. verdicts */
+                                tgpar.target   = t->u.kernel.target;
+                                tgpar.targinfo = t->data;
 #ifdef CONFIG_NETFILTER_DEBUG
                                ((struct ip6t_entry *)table_base)->comefrom
                                        = 0xeeeeeeec;
 #endif
                                verdict = t->u.kernel.target->target(skb,
-                                                                     in, out,
+                                                                     &tgpar);
-                                                                     hook,
-                                                                     t->u.kernel.target,
-                                                                     t->data);
 #ifdef CONFIG_NETFILTER_DEBUG
                                if (((struct ip6t_entry *)table_base)->comefrom
@@ -602,12 +598,17 @@ mark_source_chains(struct xt_table_info *newinfo,
 static int
 cleanup_match(struct ip6t_entry_match *m, unsigned int *i)
 {
+        struct xt_mtdtor_param par;
        if (i && (*i)-- == 0)
                return 1;
-        if (m->u.kernel.match->destroy)
+        par.match     = m->u.kernel.match;
-                m->u.kernel.match->destroy(m->u.kernel.match, m->data);
+        par.matchinfo = m->data;
-        module_put(m->u.kernel.match->me);
+        par.family    = NFPROTO_IPV6;
+        if (par.match->destroy != NULL)
+                par.match->destroy(&par);
+        module_put(par.match->me);
        return 0;
 }
@@ -632,34 +633,28 @@ check_entry(struct ip6t_entry *e, const char *name)
        return 0;
 }
-static int check_match(struct ip6t_entry_match *m, const char *name,
+static int check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
-                              const struct ip6t_ip6 *ipv6,
+                       unsigned int *i)
-                              unsigned int hookmask, unsigned int *i)
 {
-        struct xt_match *match;
+        const struct ip6t_ip6 *ipv6 = par->entryinfo;
        int ret;
-        match = m->u.kernel.match;
+        par->match     = m->u.kernel.match;
-        ret = xt_check_match(match, AF_INET6, m->u.match_size - sizeof(*m),
+        par->matchinfo = m->data;
-                             name, hookmask, ipv6->proto,
-                             ipv6->invflags & IP6T_INV_PROTO);
+        ret = xt_check_match(par, m->u.match_size - sizeof(*m),
-        if (!ret && m->u.kernel.match->checkentry
+                             ipv6->proto, ipv6->invflags & IP6T_INV_PROTO);
-            && !m->u.kernel.match->checkentry(name, ipv6, match, m->data,
+        if (ret < 0) {
-                                              hookmask)) {
                duprintf("ip_tables: check failed for `%s'.\n",
-                         m->u.kernel.match->name);
+                         par.match->name);
-                ret = -EINVAL;
+                return ret;
        }
-        if (!ret)
+        ++*i;
-                (*i)++;
+        return 0;
-        return ret;
 }
 static int
-find_check_match(struct ip6t_entry_match *m,
+find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par,
-                 const char *name,
-                 const struct ip6t_ip6 *ipv6,
-                 unsigned int hookmask,
                 unsigned int *i)
 {
        struct xt_match *match;
@@ -674,7 +669,7 @@ find_check_match(struct ip6t_entry_match *m,
        }
        m->u.kernel.match = match;
-        ret = check_match(m, name, ipv6, hookmask, i);
+        ret = check_match(m, par, i);
        if (ret)
                goto err;
@@ -686,23 +681,26 @@ err:
 static int check_target(struct ip6t_entry *e, const char *name)
 {
-        struct ip6t_entry_target *t;
+        struct ip6t_entry_target *t = ip6t_get_target(e);
-        struct xt_target *target;
+        struct xt_tgchk_param par = {
+                .table     = name,
+                .entryinfo = e,
+                .target    = t->u.kernel.target,
+                .targinfo  = t->data,
+                .hook_mask = e->comefrom,
+                .family    = NFPROTO_IPV6,
+        };
        int ret;
        t = ip6t_get_target(e);
-        target = t->u.kernel.target;
+        ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
-        ret = xt_check_target(target, AF_INET6, t->u.target_size - sizeof(*t),
+              e->ipv6.proto, e->ipv6.invflags & IP6T_INV_PROTO);
-                              name, e->comefrom, e->ipv6.proto,
+        if (ret < 0) {
-                              e->ipv6.invflags & IP6T_INV_PROTO);
-        if (!ret && t->u.kernel.target->checkentry
-            && !t->u.kernel.target->checkentry(name, e, target, t->data,
-                                               e->comefrom)) {
                duprintf("ip_tables: check failed for `%s'.\n",
                         t->u.kernel.target->name);
-                ret = -EINVAL;
+                return ret;
        }
-        return ret;
+        return 0;
 }
 static int
@@ -713,14 +711,18 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
        struct xt_target *target;
        int ret;
        unsigned int j;
+        struct xt_mtchk_param mtpar;
        ret = check_entry(e, name);
        if (ret)
                return ret;
        j = 0;
-        ret = IP6T_MATCH_ITERATE(e, find_check_match, name, &e->ipv6,
+        mtpar.table     = name;
-                                 e->comefrom, &j);
+        mtpar.entryinfo = &e->ipv6;
+        mtpar.hook_mask = e->comefrom;
+        mtpar.family    = NFPROTO_IPV6;
+        ret = IP6T_MATCH_ITERATE(e, find_check_match, &mtpar, &j);
        if (ret != 0)
                goto cleanup_matches;
@@ -795,6 +797,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
 static int
 cleanup_entry(struct ip6t_entry *e, unsigned int *i)
 {
+        struct xt_tgdtor_param par;
        struct ip6t_entry_target *t;
        if (i && (*i)-- == 0)
@@ -803,9 +806,13 @@ cleanup_entry(struct ip6t_entry *e, unsigned int *i)
        /* Cleanup all matches */
        IP6T_MATCH_ITERATE(e, cleanup_match, NULL);
        t = ip6t_get_target(e);
-        if (t->u.kernel.target->destroy)
-                t->u.kernel.target->destroy(t->u.kernel.target, t->data);
+        par.target   = t->u.kernel.target;
-        module_put(t->u.kernel.target->me);
+        par.targinfo = t->data;
+        par.family   = NFPROTO_IPV6;
+        if (par.target->destroy != NULL)
+                par.target->destroy(&par);
+        module_put(par.target->me);
        return 0;
 }
@@ -1677,10 +1684,14 @@ static int compat_check_entry(struct ip6t_entry *e, const char *name,
 {
        unsigned int j;
        int ret;
+        struct xt_mtchk_param mtpar;
        j = 0;
-        ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6,
+        mtpar.table     = name;
-                                 e->comefrom, &j);
+        mtpar.entryinfo = &e->ipv6;
+        mtpar.hook_mask = e->comefrom;
+        mtpar.family    = NFPROTO_IPV6;
+        ret = IP6T_MATCH_ITERATE(e, check_match, &mtpar, &j);
        if (ret)
                goto cleanup_matches;
@@ -2146,30 +2157,23 @@ icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
 }
 static bool
-icmp6_match(const struct sk_buff *skb,
+icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
-           const struct net_device *in,
-           const struct net_device *out,
-           const struct xt_match *match,
-           const void *matchinfo,
-           int offset,
-           unsigned int protoff,
-           bool *hotdrop)
 {
        const struct icmp6hdr *ic;
        struct icmp6hdr _icmph;
-        const struct ip6t_icmp *icmpinfo = matchinfo;
+        const struct ip6t_icmp *icmpinfo = par->matchinfo;
        /* Must not be a fragment. */
-        if (offset)
+        if (par->fragoff != 0)
                return false;
-        ic = skb_header_pointer(skb, protoff, sizeof(_icmph), &_icmph);
+        ic = skb_header_pointer(skb, par->thoff, sizeof(_icmph), &_icmph);
        if (ic == NULL) {
                /* We've been asked to examine this packet, and we
                 * can't.  Hence, no choice but to drop.
                 */
                duprintf("Dropping evil ICMP tinygram.\n");
-                *hotdrop = true;
+                *par->hotdrop = true;
                return false;
        }
@@ -2181,14 +2185,9 @@ icmp6_match(const struct sk_buff *skb,
 }
 /* Called when user tries to insert an entry of this type. */
-static bool
+static bool icmp6_checkentry(const struct xt_mtchk_param *par)
-icmp6_checkentry(const char *tablename,
-           const void *entry,
-           const struct xt_match *match,
-           void *matchinfo,
-           unsigned int hook_mask)
 {
-        const struct ip6t_icmp *icmpinfo = matchinfo;
+        const struct ip6t_icmp *icmpinfo = par->matchinfo;
        /* Must specify no unknown invflags */
        return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
index d5f8fd5f29d3..27b5adf670a2 100644
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ b/net/ipv6/netfilter/ip6t_HL.c
@@ -19,12 +19,10 @@ MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field modification target");
 MODULE_LICENSE("GPL");
 static unsigned int
-hl_tg6(struct sk_buff *skb, const struct net_device *in,
+hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
-       const struct net_device *out, unsigned int hooknum,
-       const struct xt_target *target, const void *targinfo)
 {
        struct ipv6hdr *ip6h;
-        const struct ip6t_HL_info *info = targinfo;
+        const struct ip6t_HL_info *info = par->targinfo;
        int new_hl;
        if (!skb_make_writable(skb, skb->len))
@@ -56,12 +54,9 @@ hl_tg6(struct sk_buff *skb, const struct net_device *in,
        return XT_CONTINUE;
 }
-static bool
+static bool hl_tg6_check(const struct xt_tgchk_param *par)
-hl_tg6_check(const char *tablename, const void *entry,
-             const struct xt_target *target, void *targinfo,
-             unsigned int hook_mask)
 {
-        const struct ip6t_HL_info *info = targinfo;
+        const struct ip6t_HL_info *info = par->targinfo;
        if (info->mode > IP6T_HL_MAXMODE) {
                printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n",
@@ -78,7 +73,7 @@ hl_tg6_check(const char *tablename, const void *entry,
 static struct xt_target hl_tg6_reg __read_mostly = {
        .name           = "HL",
-        .family         = AF_INET6,
+        .family         = NFPROTO_IPV6,
        .target         = hl_tg6,
        .targetsize     = sizeof(struct ip6t_HL_info),
        .table          = "mangle",
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 3a2316974f83..caa441d09567 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -385,7 +385,7 @@ static struct nf_loginfo default_loginfo = {
 };
 static void
-ip6t_log_packet(unsigned int pf,
+ip6t_log_packet(u_int8_t pf,
                unsigned int hooknum,
                const struct sk_buff *skb,
                const struct net_device *in,
@@ -438,28 +438,24 @@ ip6t_log_packet(unsigned int pf,
 }
 static unsigned int
-log_tg6(struct sk_buff *skb, const struct net_device *in,
+log_tg6(struct sk_buff *skb, const struct xt_target_param *par)
-        const struct net_device *out, unsigned int hooknum,
-        const struct xt_target *target, const void *targinfo)
 {
-        const struct ip6t_log_info *loginfo = targinfo;
+        const struct ip6t_log_info *loginfo = par->targinfo;
        struct nf_loginfo li;
        li.type = NF_LOG_TYPE_LOG;
        li.u.log.level = loginfo->level;
        li.u.log.logflags = loginfo->logflags;
-        ip6t_log_packet(PF_INET6, hooknum, skb, in, out, &li, loginfo->prefix);
+        ip6t_log_packet(NFPROTO_IPV6, par->hooknum, skb, par->in, par->out,
+                        &li, loginfo->prefix);
        return XT_CONTINUE;
 }
-static bool
+static bool log_tg6_check(const struct xt_tgchk_param *par)
-log_tg6_check(const char *tablename, const void *entry,
-              const struct xt_target *target, void *targinfo,
-              unsigned int hook_mask)
 {
-        const struct ip6t_log_info *loginfo = targinfo;
+        const struct ip6t_log_info *loginfo = par->targinfo;
        if (loginfo->level >= 8) {
                pr_debug("LOG: level %u >= 8\n", loginfo->level);
@@ -475,7 +471,7 @@ log_tg6_check(const char *tablename, const void *entry,
 static struct xt_target log_tg6_reg __read_mostly = {
        .name           = "LOG",
-        .family         = AF_INET6,
+        .family         = NFPROTO_IPV6,
        .target         = log_tg6,
        .targetsize     = sizeof(struct ip6t_log_info),
        .checkentry     = log_tg6_check,
@@ -495,7 +491,7 @@ static int __init log_tg6_init(void)
        ret = xt_register_target(&log_tg6_reg);
        if (ret < 0)
                return ret;
-        nf_log_register(PF_INET6, &ip6t_logger);
+        nf_log_register(NFPROTO_IPV6, &ip6t_logger);
        return 0;
 }
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 44c8d65a2431..0981b4ccb8b1 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -35,7 +35,7 @@ MODULE_DESCRIPTION("Xtables: packet \"rejection\" target for IPv6");
 MODULE_LICENSE("GPL");
 /* Send RST reply */
-static void send_reset(struct sk_buff *oldskb)
+static void send_reset(struct net *net, struct sk_buff *oldskb)
 {
        struct sk_buff *nskb;
        struct tcphdr otcph, *tcph;
@@ -94,7 +94,7 @@ static void send_reset(struct sk_buff *oldskb)
        fl.fl_ip_sport = otcph.dest;
        fl.fl_ip_dport = otcph.source;
        security_skb_classify_flow(oldskb, &fl);
-        dst = ip6_route_output(&init_net, NULL, &fl);
+        dst = ip6_route_output(net, NULL, &fl);
        if (dst == NULL)
                return;
        if (dst->error || xfrm_lookup(&dst, &fl, NULL, 0))
@@ -163,20 +163,20 @@ static void send_reset(struct sk_buff *oldskb)
 }
 static inline void
-send_unreach(struct sk_buff *skb_in, unsigned char code, unsigned int hooknum)
+send_unreach(struct net *net, struct sk_buff *skb_in, unsigned char code,
+             unsigned int hooknum)
 {
        if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL)
-                skb_in->dev = init_net.loopback_dev;
+                skb_in->dev = net->loopback_dev;
        icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0, NULL);
 }
 static unsigned int
-reject_tg6(struct sk_buff *skb, const struct net_device *in,
+reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
-           const struct net_device *out, unsigned int hooknum,
-           const struct xt_target *target, const void *targinfo)
 {
-        const struct ip6t_reject_info *reject = targinfo;
+        const struct ip6t_reject_info *reject = par->targinfo;
+        struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
        pr_debug("%s: medium point\n", __func__);
        /* WARNING: This code causes reentry within ip6tables.
@@ -184,25 +184,25 @@ reject_tg6(struct sk_buff *skb, const struct net_device *in,
           must return an absolute verdict. --RR */
        switch (reject->with) {
        case IP6T_ICMP6_NO_ROUTE:
-                send_unreach(skb, ICMPV6_NOROUTE, hooknum);
+                send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum);
                break;
        case IP6T_ICMP6_ADM_PROHIBITED:
-                send_unreach(skb, ICMPV6_ADM_PROHIBITED, hooknum);
+                send_unreach(net, skb, ICMPV6_ADM_PROHIBITED, par->hooknum);
                break;
        case IP6T_ICMP6_NOT_NEIGHBOUR:
-                send_unreach(skb, ICMPV6_NOT_NEIGHBOUR, hooknum);
+                send_unreach(net, skb, ICMPV6_NOT_NEIGHBOUR, par->hooknum);
                break;
        case IP6T_ICMP6_ADDR_UNREACH:
-                send_unreach(skb, ICMPV6_ADDR_UNREACH, hooknum);
+                send_unreach(net, skb, ICMPV6_ADDR_UNREACH, par->hooknum);
                break;
        case IP6T_ICMP6_PORT_UNREACH:
-                send_unreach(skb, ICMPV6_PORT_UNREACH, hooknum);
+                send_unreach(net, skb, ICMPV6_PORT_UNREACH, par->hooknum);
                break;
        case IP6T_ICMP6_ECHOREPLY:
                /* Do nothing */
                break;
        case IP6T_TCP_RESET:
-                send_reset(skb);
+                send_reset(net, skb);
                break;
        default:
                if (net_ratelimit())
@@ -213,13 +213,10 @@ reject_tg6(struct sk_buff *skb, const struct net_device *in,
        return NF_DROP;
 }
-static bool
+static bool reject_tg6_check(const struct xt_tgchk_param *par)
-reject_tg6_check(const char *tablename, const void *entry,
-                 const struct xt_target *target, void *targinfo,
-                 unsigned int hook_mask)
 {
-        const struct ip6t_reject_info *rejinfo = targinfo;
+        const struct ip6t_reject_info *rejinfo = par->targinfo;
-        const struct ip6t_entry *e = entry;
+        const struct ip6t_entry *e = par->entryinfo;
        if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
                printk("ip6t_REJECT: ECHOREPLY is not supported.\n");
@@ -237,7 +234,7 @@ reject_tg6_check(const char *tablename, const void *entry,
 static struct xt_target reject_tg6_reg __read_mostly = {
        .name           = "REJECT",
-        .family         = AF_INET6,
+        .family         = NFPROTO_IPV6,
        .target         = reject_tg6,
        .targetsize     = sizeof(struct ip6t_reject_info),
        .table          = "filter",
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index 429629fd63b6..3a82f24746b9 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -36,14 +36,11 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
        return r;
 }
-static bool
+static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
-ah_mt6(const struct sk_buff *skb, const struct net_device *in,
-       const struct net_device *out, const struct xt_match *match,
-       const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
 {
        struct ip_auth_hdr _ah;
        const struct ip_auth_hdr *ah;
-        const struct ip6t_ah *ahinfo = matchinfo;
+        const struct ip6t_ah *ahinfo = par->matchinfo;
        unsigned int ptr;
        unsigned int hdrlen = 0;
        int err;
@@ -51,13 +48,13 @@ ah_mt6(const struct sk_buff *skb, const struct net_device *in,
        err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
        if (err < 0) {
                if (err != -ENOENT)
-                        *hotdrop = true;
+                        *par->hotdrop = true;
                return false;
        }
        ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
        if (ah == NULL) {
-                *hotdrop = true;
+                *par->hotdrop = true;
                return false;
        }
@@ -93,13 +90,9 @@ ah_mt6(const struct sk_buff *skb, const struct net_device *in,
               !(ahinfo->hdrres && ah->reserved);
 }
-/* Called when user tries to insert an entry of this type. */
+static bool ah_mt6_check(const struct xt_mtchk_param *par)
-static bool
-ah_mt6_check(const char *tablename, const void *entry,
-             const struct xt_match *match, void *matchinfo,
-             unsigned int hook_mask)
 {
-        const struct ip6t_ah *ahinfo = matchinfo;
+        const struct ip6t_ah *ahinfo = par->matchinfo;
        if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
                pr_debug("ip6t_ah: unknown flags %X\n", ahinfo->invflags);
@@ -110,7 +103,7 @@ ah_mt6_check(const char *tablename, const void *entry,
 static struct xt_match ah_mt6_reg __read_mostly = {
        .name           = "ah",
-        .family         = AF_INET6,
+        .family         = NFPROTO_IPV6,
        .match          = ah_mt6,
        .matchsize      = sizeof(struct ip6t_ah),
        .checkentry     = ah_mt6_check,
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index 8f331f12b2ec..db610bacbcce 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -20,18 +20,15 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
 static bool
-eui64_mt6(const struct sk_buff *skb, const struct net_device *in,
+eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
-          const struct net_device *out, const struct xt_match *match,
-          const void *matchinfo, int offset, unsigned int protoff,
-          bool *hotdrop)
 {
        unsigned char eui64[8];
        int i = 0;
        if (!(skb_mac_header(skb) >= skb->head &&
              skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
-            offset != 0) {
+            par->fragoff != 0) {
-                *hotdrop = true;
+                *par->hotdrop = true;
                return false;
        }
@@ -60,7 +57,7 @@ eui64_mt6(const struct sk_buff *skb, const struct net_device *in,
 static struct xt_match eui64_mt6_reg __read_mostly = {
        .name           = "eui64",
-        .family         = AF_INET6,
+        .family         = NFPROTO_IPV6,
        .match          = eui64_mt6,
        .matchsize      = sizeof(int),
        .hooks          = (1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_IN) |
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index e2bbc63dba5b..673aa0a5084e 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -35,27 +35,24 @@ id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
 }
 static bool
-frag_mt6(const struct sk_buff *skb, const struct net_device *in,
+frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
-         const struct net_device *out, const struct xt_match *match,
-         const void *matchinfo, int offset, unsigned int protoff,
-         bool *hotdrop)
 {
        struct frag_hdr _frag;
        const struct frag_hdr *fh;
-        const struct ip6t_frag *fraginfo = matchinfo;
+        const struct ip6t_frag *fraginfo = par->matchinfo;
        unsigned int ptr;
        int err;
        err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
        if (err < 0) {
                if (err != -ENOENT)
-                        *hotdrop = true;
+                        *par->hotdrop = true;
                return false;
        }
        fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
        if (fh == NULL) {
-                *hotdrop = true;
+                *par->hotdrop = true;
                return false;
        }
@@ -110,13 +107,9 @@ frag_mt6(const struct sk_buff *skb, const struct net_device *in,
                 && (ntohs(fh->frag_off) & IP6_MF));
 }
-/* Called when user tries to insert an entry of this type. */
+static bool frag_mt6_check(const struct xt_mtchk_param *par)
-static bool
-frag_mt6_check(const char *tablename, const void *ip,
-               const struct xt_match *match, void *matchinfo,
-               unsigned int hook_mask)
 {
-        const struct ip6t_frag *fraginfo = matchinfo;
+        const struct ip6t_frag *fraginfo = par->matchinfo;
        if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
                pr_debug("ip6t_frag: unknown flags %X\n", fraginfo->invflags);
@@ -127,7 +120,7 @@ frag_mt6_check(const char *tablename, const void *ip,
 static struct xt_match frag_mt6_reg __read_mostly = {
        .name           = "frag",
-        .family         = AF_INET6,
+        .family         = NFPROTO_IPV6,
        .match          = frag_mt6,
        .matchsize      = sizeof(struct ip6t_frag),
        .checkentry     = frag_mt6_check,
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index 26654b26d7fa..cbe8dec9744b 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -42,14 +42,11 @@ MODULE_ALIAS("ip6t_dst");
 */
 static bool
-hbh_mt6(const struct sk_buff *skb, const struct net_device *in,
+hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
-        const struct net_device *out, const struct xt_match *match,
-        const void *matchinfo, int offset, unsigned int protoff,
-        bool *hotdrop)
 {
        struct ipv6_opt_hdr _optsh;
        const struct ipv6_opt_hdr *oh;
-        const struct ip6t_opts *optinfo = matchinfo;
+        const struct ip6t_opts *optinfo = par->matchinfo;
        unsigned int temp;
        unsigned int ptr;
        unsigned int hdrlen = 0;
@@ -61,16 +58,16 @@ hbh_mt6(const struct sk_buff *skb, const struct net_device *in,
        unsigned int optlen;
        int err;
-        err = ipv6_find_hdr(skb, &ptr, match->data, NULL);
+        err = ipv6_find_hdr(skb, &ptr, par->match->data, NULL);
        if (err < 0) {
                if (err != -ENOENT)
-                        *hotdrop = true;
+                        *par->hotdrop = true;
                return false;
        }
        oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
        if (oh == NULL) {
-                *hotdrop = true;
+                *par->hotdrop = true;
                return false;
        }
@@ -163,13 +160,9 @@ hbh_mt6(const struct sk_buff *skb, const struct net_device *in,
        return false;
 }
-/* Called when user tries to insert an entry of this type. */
+static bool hbh_mt6_check(const struct xt_mtchk_param *par)
-static bool
-hbh_mt6_check(const char *tablename, const void *entry,
-              const struct xt_match *match, void *matchinfo,
-              unsigned int hook_mask)
 {
-        const struct ip6t_opts *optsinfo = matchinfo;
+        const struct ip6t_opts *optsinfo = par->matchinfo;
        if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
                pr_debug("ip6t_opts: unknown flags %X\n", optsinfo->invflags);
@@ -187,7 +180,7 @@ hbh_mt6_check(const char *tablename, const void *entry,
 static struct xt_match hbh_mt6_reg[] __read_mostly = {
        {
                .name           = "hbh",
-                .family         = AF_INET6,
+                .family         = NFPROTO_IPV6,
                .match          = hbh_mt6,
                .matchsize      = sizeof(struct ip6t_opts),
                .checkentry     = hbh_mt6_check,
@@ -196,7 +189,7 @@ static struct xt_match hbh_mt6_reg[] __read_mostly = {
        },
        {
                .name           = "dst",
-                .family         = AF_INET6,
+                .family         = NFPROTO_IPV6,
                .match          = hbh_mt6,
                .matchsize      = sizeof(struct ip6t_opts),
                .checkentry     = hbh_mt6_check,
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c
index 345671673845..c964dca1132d 100644
--- a/net/ipv6/netfilter/ip6t_hl.c
+++ b/net/ipv6/netfilter/ip6t_hl.c
@@ -19,12 +19,9 @@ MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
 MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field match");
 MODULE_LICENSE("GPL");
-static bool
+static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
-hl_mt6(const struct sk_buff *skb, const struct net_device *in,
-       const struct net_device *out, const struct xt_match *match,
-       const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
 {
-        const struct ip6t_hl_info *info = matchinfo;
+        const struct ip6t_hl_info *info = par->matchinfo;
        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
        switch (info->mode) {
@@ -51,7 +48,7 @@ hl_mt6(const struct sk_buff *skb, const struct net_device *in,
 static struct xt_match hl_mt6_reg __read_mostly = {
        .name           = "hl",
-        .family         = AF_INET6,
+        .family         = NFPROTO_IPV6,
        .match          = hl_mt6,
        .matchsize      = sizeof(struct ip6t_hl_info),
        .me             = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 317a8960a757..14e6724d5672 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -27,12 +27,9 @@ MODULE_DESCRIPTION("Xtables: IPv6 header types match");
 MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
 static bool
-ipv6header_mt6(const struct sk_buff *skb, const struct net_device *in,
+ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
-               const struct net_device *out, const struct xt_match *match,
-               const void *matchinfo, int offset, unsigned int protoff,
-               bool *hotdrop)
 {
-        const struct ip6t_ipv6header_info *info = matchinfo;
+        const struct ip6t_ipv6header_info *info = par->matchinfo;
        unsigned int temp;
        int len;
        u8 nexthdr;
@@ -121,12 +118,9 @@ ipv6header_mt6(const struct sk_buff *skb, const struct net_device *in,
        }
 }
-static bool
+static bool ipv6header_mt6_check(const struct xt_mtchk_param *par)
-ipv6header_mt6_check(const char *tablename, const void *ip,
-                     const struct xt_match *match, void *matchinfo,
-                     unsigned int hook_mask)
 {
-        const struct ip6t_ipv6header_info *info = matchinfo;
+        const struct ip6t_ipv6header_info *info = par->matchinfo;
        /* invflags is 0 or 0xff in hard mode */
        if ((!info->modeflag) && info->invflags != 0x00 &&
@@ -138,7 +132,7 @@ ipv6header_mt6_check(const char *tablename, const void *ip,
 static struct xt_match ipv6header_mt6_reg __read_mostly = {
        .name           = "ipv6header",
-        .family         = AF_INET6,
+        .family         = NFPROTO_IPV6,
        .match          = ipv6header_mt6,
        .matchsize      = sizeof(struct ip6t_ipv6header_info),
        .checkentry     = ipv6header_mt6_check,
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index e06678d07ec8..aafe4e66577b 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -37,32 +37,29 @@ type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
        return (type >= min && type <= max) ^ invert;
 }
-static bool
+static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
-mh_mt6(const struct sk_buff *skb, const struct net_device *in,
-       const struct net_device *out, const struct xt_match *match,
-       const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
 {
        struct ip6_mh _mh;
        const struct ip6_mh *mh;
-        const struct ip6t_mh *mhinfo = matchinfo;
+        const struct ip6t_mh *mhinfo = par->matchinfo;
        /* Must not be a fragment. */
-        if (offset)
+        if (par->fragoff != 0)
                return false;
-        mh = skb_header_pointer(skb, protoff, sizeof(_mh), &_mh);
+        mh = skb_header_pointer(skb, par->thoff, sizeof(_mh), &_mh);
        if (mh == NULL) {
                /* We've been asked to examine this packet, and we
                   can't.  Hence, no choice but to drop. */
                duprintf("Dropping evil MH tinygram.\n");
-                *hotdrop = true;
+                *par->hotdrop = true;
                return false;
        }
        if (mh->ip6mh_proto != IPPROTO_NONE) {
                duprintf("Dropping invalid MH Payload Proto: %u\n",
                         mh->ip6mh_proto);
-                *hotdrop = true;
+                *par->hotdrop = true;
                return false;
        }
@@ -70,13 +67,9 @@ mh_mt6(const struct sk_buff *skb, const struct net_device *in,
                          !!(mhinfo->invflags & IP6T_MH_INV_TYPE));
 }
-/* Called when user tries to insert an entry of this type. */
+static bool mh_mt6_check(const struct xt_mtchk_param *par)
-static bool
-mh_mt6_check(const char *tablename, const void *entry,
-             const struct xt_match *match, void *matchinfo,
-             unsigned int hook_mask)
 {
-        const struct ip6t_mh *mhinfo = matchinfo;
+        const struct ip6t_mh *mhinfo = par->matchinfo;
        /* Must specify no unknown invflags */
        return !(mhinfo->invflags & ~IP6T_MH_INV_MASK);
@@ -84,7 +77,7 @@ mh_mt6_check(const char *tablename, const void *entry,
 static struct xt_match mh_mt6_reg __read_mostly = {
        .name           = "mh",
-        .family         = AF_INET6,
+        .family         = NFPROTO_IPV6,
        .checkentry     = mh_mt6_check,
        .match          = mh_mt6,
        .matchsize      = sizeof(struct ip6t_mh),
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 81aaf7aaaabf..356b8d6f6baa 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -36,14 +36,11 @@ segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
        return r;
 }
-static bool
+static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
-rt_mt6(const struct sk_buff *skb, const struct net_device *in,
-       const struct net_device *out, const struct xt_match *match,
-       const void *matchinfo, int offset, unsigned int protoff, bool *hotdrop)
 {
        struct ipv6_rt_hdr _route;
        const struct ipv6_rt_hdr *rh;
-        const struct ip6t_rt *rtinfo = matchinfo;
+        const struct ip6t_rt *rtinfo = par->matchinfo;
        unsigned int temp;
        unsigned int ptr;
        unsigned int hdrlen = 0;
@@ -55,13 +52,13 @@ rt_mt6(const struct sk_buff *skb, const struct net_device *in,
        err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
        if (err < 0) {
                if (err != -ENOENT)
-                        *hotdrop = true;
+                        *par->hotdrop = true;
                return false;
        }
        rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
        if (rh == NULL) {
-                *hotdrop = true;
+                *par->hotdrop = true;
                return false;
        }
@@ -189,13 +186,9 @@ rt_mt6(const struct sk_buff *skb, const struct net_device *in,
        return false;
 }
-/* Called when user tries to insert an entry of this type. */
+static bool rt_mt6_check(const struct xt_mtchk_param *par)
-static bool
-rt_mt6_check(const char *tablename, const void *entry,
-             const struct xt_match *match, void *matchinfo,
-             unsigned int hook_mask)
 {
-        const struct ip6t_rt *rtinfo = matchinfo;
+        const struct ip6t_rt *rtinfo = par->matchinfo;
        if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
                pr_debug("ip6t_rt: unknown flags %X\n", rtinfo->invflags);
@@ -214,7 +207,7 @@ rt_mt6_check(const char *tablename, const void *entry,
 static struct xt_match rt_mt6_reg __read_mostly = {
        .name           = "rt",
-        .family         = AF_INET6,
+        .family         = NFPROTO_IPV6,
        .match          = rt_mt6,
        .matchsize      = sizeof(struct ip6t_rt),
        .checkentry     = rt_mt6_check,
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 55a2c290bad4..b110a8a85a14 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -68,7 +68,7 @@ ip6t_local_in_hook(unsigned int hook,
                   int (*okfn)(struct sk_buff *))
 {
        return ip6t_do_table(skb, hook, in, out,
-                             nf_local_in_net(in, out)->ipv6.ip6table_filter);
+                             dev_net(in)->ipv6.ip6table_filter);
 }
 static unsigned int
@@ -79,7 +79,7 @@ ip6t_forward_hook(unsigned int hook,
                  int (*okfn)(struct sk_buff *))
 {
        return ip6t_do_table(skb, hook, in, out,
-                             nf_forward_net(in, out)->ipv6.ip6table_filter);
+                             dev_net(in)->ipv6.ip6table_filter);
 }
 static unsigned int
@@ -100,7 +100,7 @@ ip6t_local_out_hook(unsigned int hook,
 #endif
        return ip6t_do_table(skb, hook, in, out,
-                             nf_local_out_net(in, out)->ipv6.ip6table_filter);
+                             dev_net(out)->ipv6.ip6table_filter);
 }
 static struct nf_hook_ops ip6t_ops[] __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index f405cea21a8b..d0b31b259d4d 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -67,17 +67,29 @@ static struct xt_table packet_mangler = {
 /* The work comes in here from netfilter.c. */
 static unsigned int
-ip6t_route_hook(unsigned int hook,
+ip6t_in_hook(unsigned int hook,
         struct sk_buff *skb,
         const struct net_device *in,
         const struct net_device *out,
         int (*okfn)(struct sk_buff *))
 {
-        return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_mangle);
+        return ip6t_do_table(skb, hook, in, out,
+                             dev_net(in)->ipv6.ip6table_mangle);
 }
 static unsigned int
-ip6t_local_hook(unsigned int hook,
+ip6t_post_routing_hook(unsigned int hook,
+                struct sk_buff *skb,
+                const struct net_device *in,
+                const struct net_device *out,
+                int (*okfn)(struct sk_buff *))
+{
+        return ip6t_do_table(skb, hook, in, out,
+                             dev_net(out)->ipv6.ip6table_mangle);
+}
+static unsigned int
+ip6t_local_out_hook(unsigned int hook,
                   struct sk_buff *skb,
                   const struct net_device *in,
                   const struct net_device *out,
@@ -108,7 +120,8 @@ ip6t_local_hook(unsigned int hook,
        /* flowlabel and prio (includes version, which shouldn't change either */
        flowlabel = *((u_int32_t *)ipv6_hdr(skb));
-        ret = ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_mangle);
+        ret = ip6t_do_table(skb, hook, in, out,
+                            dev_net(out)->ipv6.ip6table_mangle);
        if (ret != NF_DROP && ret != NF_STOLEN
                && (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
@@ -122,35 +135,35 @@ ip6t_local_hook(unsigned int hook,
 static struct nf_hook_ops ip6t_ops[] __read_mostly = {
        {
-                .hook           = ip6t_route_hook,
+                .hook           = ip6t_in_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_INET_PRE_ROUTING,
                .priority       = NF_IP6_PRI_MANGLE,
        },
        {
-                .hook           = ip6t_route_hook,
+                .hook           = ip6t_in_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_INET_LOCAL_IN,
                .priority       = NF_IP6_PRI_MANGLE,
        },
        {
-                .hook           = ip6t_route_hook,
+                .hook           = ip6t_in_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_INET_FORWARD,
                .priority       = NF_IP6_PRI_MANGLE,
        },
        {
-                .hook           = ip6t_local_hook,
+                .hook           = ip6t_local_out_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_INET_LOCAL_OUT,
                .priority       = NF_IP6_PRI_MANGLE,
        },
        {
-                .hook           = ip6t_route_hook,
+                .hook           = ip6t_post_routing_hook,
                .owner          = THIS_MODULE,
                .pf             = PF_INET6,
                .hooknum        = NF_INET_POST_ROUTING,
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 92b91077ac29..109fab6f831a 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -45,25 +45,37 @@ static struct xt_table packet_raw = {
 /* The work comes in here from netfilter.c. */
 static unsigned int
-ip6t_hook(unsigned int hook,
+ip6t_pre_routing_hook(unsigned int hook,
         struct sk_buff *skb,
         const struct net_device *in,
         const struct net_device *out,
         int (*okfn)(struct sk_buff *))
 {
-        return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_raw);
+        return ip6t_do_table(skb, hook, in, out,
+                             dev_net(in)->ipv6.ip6table_raw);
+}
+static unsigned int
+ip6t_local_out_hook(unsigned int hook,
+         struct sk_buff *skb,
+         const struct net_device *in,
+         const struct net_device *out,
+         int (*okfn)(struct sk_buff *))
+{
+        return ip6t_do_table(skb, hook, in, out,
+                             dev_net(out)->ipv6.ip6table_raw);
 }
 static struct nf_hook_ops ip6t_ops[] __read_mostly = {
        {
-          .hook = ip6t_hook,
+          .hook = ip6t_pre_routing_hook,
          .pf = PF_INET6,
          .hooknum = NF_INET_PRE_ROUTING,
          .priority = NF_IP6_PRI_FIRST,
          .owner = THIS_MODULE,
        },
        {
-          .hook = ip6t_hook,
+          .hook = ip6t_local_out_hook,
          .pf = PF_INET6,
          .hooknum = NF_INET_LOCAL_OUT,
          .priority = NF_IP6_PRI_FIRST,
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 6e7131036bc6..20bc52f13e43 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -72,7 +72,7 @@ ip6t_local_in_hook(unsigned int hook,
                   int (*okfn)(struct sk_buff *))
 {
        return ip6t_do_table(skb, hook, in, out,
-                             nf_local_in_net(in, out)->ipv6.ip6table_security);
+                             dev_net(in)->ipv6.ip6table_security);
 }
 static unsigned int
@@ -83,7 +83,7 @@ ip6t_forward_hook(unsigned int hook,
                  int (*okfn)(struct sk_buff *))
 {
        return ip6t_do_table(skb, hook, in, out,
-                             nf_forward_net(in, out)->ipv6.ip6table_security);
+                             dev_net(in)->ipv6.ip6table_security);
 }
 static unsigned int
@@ -95,7 +95,7 @@ ip6t_local_out_hook(unsigned int hook,
 {
        /* TBD: handle short packets via raw socket */
        return ip6t_do_table(skb, hook, in, out,
-                             nf_local_out_net(in, out)->ipv6.ip6table_security);
+                             dev_net(out)->ipv6.ip6table_security);
 }
 static struct nf_hook_ops ip6t_ops[] __read_mostly = {
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 85050c072abd..e91db16611d9 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -211,11 +211,10 @@ static unsigned int ipv6_defrag(unsigned int hooknum,
        return NF_STOLEN;
 }
-static unsigned int ipv6_conntrack_in(unsigned int hooknum,
+static unsigned int __ipv6_conntrack_in(struct net *net,
-                                      struct sk_buff *skb,
+                                        unsigned int hooknum,
-                                      const struct net_device *in,
+                                        struct sk_buff *skb,
-                                      const struct net_device *out,
+                                        int (*okfn)(struct sk_buff *))
-                                      int (*okfn)(struct sk_buff *))
 {
        struct sk_buff *reasm = skb->nfct_reasm;
@@ -225,7 +224,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
                if (!reasm->nfct) {
                        unsigned int ret;
-                        ret = nf_conntrack_in(PF_INET6, hooknum, reasm);
+                        ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm);
                        if (ret != NF_ACCEPT)
                                return ret;
                }
@@ -235,7 +234,16 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
                return NF_ACCEPT;
        }
-        return nf_conntrack_in(PF_INET6, hooknum, skb);
+        return nf_conntrack_in(net, PF_INET6, hooknum, skb);
+}
+static unsigned int ipv6_conntrack_in(unsigned int hooknum,
+                                      struct sk_buff *skb,
+                                      const struct net_device *in,
+                                      const struct net_device *out,
+                                      int (*okfn)(struct sk_buff *))
+{
+        return __ipv6_conntrack_in(dev_net(in), hooknum, skb, okfn);
 }
 static unsigned int ipv6_conntrack_local(unsigned int hooknum,
@@ -250,7 +258,7 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum,
                        printk("ipv6_conntrack_local: packet too short\n");
                return NF_ACCEPT;
        }
-        return ipv6_conntrack_in(hooknum, skb, in, out, okfn);
+        return __ipv6_conntrack_in(dev_net(out), hooknum, skb, okfn);
 }
 static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 14d47d833545..05726177903f 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -81,7 +81,7 @@ static int icmpv6_packet(struct nf_conn *ct,
                       const struct sk_buff *skb,
                       unsigned int dataoff,
                       enum ip_conntrack_info ctinfo,
-                       int pf,
+                       u_int8_t pf,
                       unsigned int hooknum)
 {
        /* Try to delete connection immediately after all replies:
@@ -93,7 +93,7 @@ static int icmpv6_packet(struct nf_conn *ct,
                        nf_ct_kill_acct(ct, ctinfo, skb);
        } else {
                atomic_inc(&ct->proto.icmp.count);
-                nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);
+                nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
                nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout);
        }
@@ -122,7 +122,8 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
 }
 static int
-icmpv6_error_message(struct sk_buff *skb,
+icmpv6_error_message(struct net *net,
+                     struct sk_buff *skb,
                     unsigned int icmp6off,
                     enum ip_conntrack_info *ctinfo,
                     unsigned int hooknum)
@@ -156,7 +157,7 @@ icmpv6_error_message(struct sk_buff *skb,
        *ctinfo = IP_CT_RELATED;
-        h = nf_conntrack_find_get(&intuple);
+        h = nf_conntrack_find_get(net, &intuple);
        if (!h) {
                pr_debug("icmpv6_error: no match\n");
                return -NF_ACCEPT;
@@ -172,21 +173,21 @@ icmpv6_error_message(struct sk_buff *skb,
 }
 static int
-icmpv6_error(struct sk_buff *skb, unsigned int dataoff,
+icmpv6_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
-             enum ip_conntrack_info *ctinfo, int pf, unsigned int hooknum)
+             enum ip_conntrack_info *ctinfo, u_int8_t pf, unsigned int hooknum)
 {
        const struct icmp6hdr *icmp6h;
        struct icmp6hdr _ih;
        icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
        if (icmp6h == NULL) {
-                if (LOG_INVALID(IPPROTO_ICMPV6))
+                if (LOG_INVALID(net, IPPROTO_ICMPV6))
                nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
                              "nf_ct_icmpv6: short packet ");
                return -NF_ACCEPT;
        }
-        if (nf_conntrack_checksum && hooknum == NF_INET_PRE_ROUTING &&
+        if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
            nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) {
                nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
                              "nf_ct_icmpv6: ICMPv6 checksum failed\n");
@@ -197,7 +198,7 @@ icmpv6_error(struct sk_buff *skb, unsigned int dataoff,
        if (icmp6h->icmp6_type >= 128)
                return NF_ACCEPT;
-        return icmpv6_error_message(skb, dataoff, ctinfo, hooknum);
+        return icmpv6_error_message(net, skb, dataoff, ctinfo, hooknum);
 }
 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
author	David S. Miller <davem@davemloft.net>	2008-10-08 12:50:38 -0400
committer	David S. Miller <davem@davemloft.net>	2008-10-08 12:50:38 -0400
commit	364ae953a48152be11f1aa424cbfd943b7762b0d (patch)
tree	6873b352af1aa2dd6baa223b951eff4d6e74b1ae /net/ipv6
parent	075f664689b40217539ebfe856fab73d302a15f1 (diff)
parent	f39a9410ed0503278fd5edc559fa019051413039 (diff)