Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

13 files changed, 127 insertions, 240 deletions

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 53ea512c4608..625353a5fe18 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -95,13 +95,13 @@ config IP6_NF_MATCH_OPTS
           To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_MATCH_HL
-        tristate '"hl" match support'
+        tristate '"hl" hoplimit match support'
         depends on NETFILTER_ADVANCED
-        help
-          HL matching allows you to match packets based on the hop
-          limit of the packet.
-
-          To compile it as a module, choose M here.  If unsure, say N.
+        select NETFILTER_XT_MATCH_HL
+        ---help---
+        This is a backwards-compat option for the user's convenience
+        (e.g. when running oldconfig). It selects
+        COFNIG_NETFILTER_XT_MATCH_HL.
 
 config IP6_NF_MATCH_IPV6HEADER
         tristate '"ipv6header" IPv6 Extension Headers Match'
@@ -130,6 +130,15 @@ config IP6_NF_MATCH_RT
           To compile it as a module, choose M here.  If unsure, say N.
 
 # The targets
+config IP6_NF_TARGET_HL
+        tristate '"HL" hoplimit target support'
+        depends on NETFILTER_ADVANCED
+        select NETFILTER_XT_TARGET_HL
+        ---help---
+        This is a backwards-compat option for the user's convenience
+        (e.g. when running oldconfig). It selects
+        COFNIG_NETFILTER_XT_TARGET_HL.
+
 config IP6_NF_TARGET_LOG
         tristate "LOG target support"
         default m if NETFILTER_ADVANCED=n
@@ -170,23 +179,6 @@ config IP6_NF_MANGLE
 
           To compile it as a module, choose M here.  If unsure, say N.
 
-config IP6_NF_TARGET_HL
-        tristate  'HL (hoplimit) target support'
-        depends on IP6_NF_MANGLE
-        depends on NETFILTER_ADVANCED
-        help
-          This option adds a `HL' target, which enables the user to decrement
-          the hoplimit value of the IPv6 header or set it to a given (lower)
-          value.
-
-          While it is safe to decrement the hoplimit value, this option also
-          enables functionality to increment and set the hoplimit value of the
-          IPv6 header to arbitrary values.  This is EXTREMELY DANGEROUS since
-          you can easily create immortal packets that loop forever on the
-          network.
-
-          To compile it as a module, choose M here.  If unsure, say N.
-
 config IP6_NF_RAW
         tristate  'raw table support (required for TRACE)'
         depends on NETFILTER_ADVANCED
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index 3f17c948eefb..aafbba30c899 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -20,13 +20,11 @@ obj-$(CONFIG_NF_CONNTRACK_IPV6) += nf_conntrack_ipv6.o
 obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o
 obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o
 obj-$(CONFIG_IP6_NF_MATCH_FRAG) += ip6t_frag.o
-obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
 obj-$(CONFIG_IP6_NF_MATCH_IPV6HEADER) += ip6t_ipv6header.o
 obj-$(CONFIG_IP6_NF_MATCH_MH) += ip6t_mh.o
 obj-$(CONFIG_IP6_NF_MATCH_OPTS) += ip6t_hbh.o
 obj-$(CONFIG_IP6_NF_MATCH_RT) += ip6t_rt.o
 
 # targets
-obj-$(CONFIG_IP6_NF_TARGET_HL) += ip6t_HL.o
 obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
 obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 5859c046cbc4..b693f841aeb4 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -643,6 +643,7 @@ static void __exit ip6_queue_fini(void)
 
 MODULE_DESCRIPTION("IPv6 packet queue handler");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_IP6_FW);
 
 module_init(ip6_queue_init);
 module_exit(ip6_queue_fini);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index a33485dc81cb..34af7bb8df5f 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -89,6 +89,25 @@ ip6t_ext_hdr(u8 nexthdr)
                  (nexthdr == IPPROTO_DSTOPTS) );
 }
 
+static unsigned long ifname_compare(const char *_a, const char *_b,
+                                    const unsigned char *_mask)
+{
+        const unsigned long *a = (const unsigned long *)_a;
+        const unsigned long *b = (const unsigned long *)_b;
+        const unsigned long *mask = (const unsigned long *)_mask;
+        unsigned long ret;
+
+        ret = (a[0] ^ b[0]) & mask[0];
+        if (IFNAMSIZ > sizeof(unsigned long))
+                ret |= (a[1] ^ b[1]) & mask[1];
+        if (IFNAMSIZ > 2 * sizeof(unsigned long))
+                ret |= (a[2] ^ b[2]) & mask[2];
+        if (IFNAMSIZ > 3 * sizeof(unsigned long))
+                ret |= (a[3] ^ b[3]) & mask[3];
+        BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
+        return ret;
+}
+
 /* Returns whether matches rule or not. */
 /* Performance critical - called for every packet */
 static inline bool
@@ -99,7 +118,6 @@ ip6_packet_match(const struct sk_buff *skb,
                  unsigned int *protoff,
                  int *fragoff, bool *hotdrop)
 {
-        size_t i;
         unsigned long ret;
         const struct ipv6hdr *ipv6 = ipv6_hdr(skb);
 
@@ -120,12 +138,7 @@ ip6_packet_match(const struct sk_buff *skb,
                 return false;
         }
 
-        /* Look for ifname matches; this should unroll nicely. */
-        for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
-                ret |= (((const unsigned long *)indev)[i]
-                        ^ ((const unsigned long *)ip6info->iniface)[i])
-                        & ((const unsigned long *)ip6info->iniface_mask)[i];
-        }
+        ret = ifname_compare(indev, ip6info->iniface, ip6info->iniface_mask);
 
         if (FWINV(ret != 0, IP6T_INV_VIA_IN)) {
                 dprintf("VIA in mismatch (%s vs %s).%s\n",
@@ -134,11 +147,7 @@ ip6_packet_match(const struct sk_buff *skb,
                 return false;
         }
 
-        for (i = 0, ret = 0; i < IFNAMSIZ/sizeof(unsigned long); i++) {
-                ret |= (((const unsigned long *)outdev)[i]
-                        ^ ((const unsigned long *)ip6info->outiface)[i])
-                        & ((const unsigned long *)ip6info->outiface_mask)[i];
-        }
+        ret = ifname_compare(outdev, ip6info->outiface, ip6info->outiface_mask);
 
         if (FWINV(ret != 0, IP6T_INV_VIA_OUT)) {
                 dprintf("VIA out mismatch (%s vs %s).%s\n",
@@ -373,10 +382,12 @@ ip6t_do_table(struct sk_buff *skb,
         mtpar.family  = tgpar.family = NFPROTO_IPV6;
         tgpar.hooknum = hook;
 
-        read_lock_bh(&table->lock);
         IP_NF_ASSERT(table->valid_hooks & (1 << hook));
-        private = table->private;
-        table_base = (void *)private->entries[smp_processor_id()];
+
+        rcu_read_lock();
+        private = rcu_dereference(table->private);
+        table_base = rcu_dereference(private->entries[smp_processor_id()]);
+
         e = get_entry(table_base, private->hook_entry[hook]);
 
         /* For return from builtin chain */
@@ -474,7 +485,7 @@ ip6t_do_table(struct sk_buff *skb,
 #ifdef CONFIG_NETFILTER_DEBUG
         ((struct ip6t_entry *)table_base)->comefrom = NETFILTER_LINK_POISON;
 #endif
-        read_unlock_bh(&table->lock);
+        rcu_read_unlock();
 
 #ifdef DEBUG_ALLOW_ALL
         return NF_ACCEPT;
@@ -955,11 +966,64 @@ get_counters(const struct xt_table_info *t,
         }
 }
 
+/* We're lazy, and add to the first CPU; overflow works its fey magic
+ * and everything is OK. */
+static int
+add_counter_to_entry(struct ip6t_entry *e,
+                     const struct xt_counters addme[],
+                     unsigned int *i)
+{
+        ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
+
+        (*i)++;
+        return 0;
+}
+
+/* Take values from counters and add them back onto the current cpu */
+static void put_counters(struct xt_table_info *t,
+                         const struct xt_counters counters[])
+{
+        unsigned int i, cpu;
+
+        local_bh_disable();
+        cpu = smp_processor_id();
+        i = 0;
+        IP6T_ENTRY_ITERATE(t->entries[cpu],
+                           t->size,
+                           add_counter_to_entry,
+                           counters,
+                           &i);
+        local_bh_enable();
+}
+
+static inline int
+zero_entry_counter(struct ip6t_entry *e, void *arg)
+{
+        e->counters.bcnt = 0;
+        e->counters.pcnt = 0;
+        return 0;
+}
+
+static void
+clone_counters(struct xt_table_info *newinfo, const struct xt_table_info *info)
+{
+        unsigned int cpu;
+        const void *loc_cpu_entry = info->entries[raw_smp_processor_id()];
+
+        memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
+        for_each_possible_cpu(cpu) {
+                memcpy(newinfo->entries[cpu], loc_cpu_entry, info->size);
+                IP6T_ENTRY_ITERATE(newinfo->entries[cpu], newinfo->size,
+                                   zero_entry_counter, NULL);
+        }
+}
+
 static struct xt_counters *alloc_counters(struct xt_table *table)
 {
         unsigned int countersize;
         struct xt_counters *counters;
-        const struct xt_table_info *private = table->private;
+        struct xt_table_info *private = table->private;
+        struct xt_table_info *info;
 
         /* We need atomic snapshot of counters: rest doesn't change
            (other than comefrom, which userspace doesn't care
@@ -968,14 +1032,28 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
         counters = vmalloc_node(countersize, numa_node_id());
 
         if (counters == NULL)
-                return ERR_PTR(-ENOMEM);
+                goto nomem;
+
+        info = xt_alloc_table_info(private->size);
+        if (!info)
+                goto free_counters;
+
+        clone_counters(info, private);
 
-        /* First, sum counters... */
-        write_lock_bh(&table->lock);
-        get_counters(private, counters);
-        write_unlock_bh(&table->lock);
+        mutex_lock(&table->lock);
+        xt_table_entry_swap_rcu(private, info);
+        synchronize_net();      /* Wait until smoke has cleared */
 
-        return counters;
+        get_counters(info, counters);
+        put_counters(private, counters);
+        mutex_unlock(&table->lock);
+
+        xt_free_table_info(info);
+
+ free_counters:
+        vfree(counters);
+ nomem:
+        return ERR_PTR(-ENOMEM);
 }
 
 static int
@@ -1342,28 +1420,6 @@ do_replace(struct net *net, void __user *user, unsigned int len)
         return ret;
 }
 
-/* We're lazy, and add to the first CPU; overflow works its fey magic
- * and everything is OK. */
-static inline int
-add_counter_to_entry(struct ip6t_entry *e,
-                     const struct xt_counters addme[],
-                     unsigned int *i)
-{
-#if 0
-        duprintf("add_counter: Entry %u %lu/%lu + %lu/%lu\n",
-                 *i,
-                 (long unsigned int)e->counters.pcnt,
-                 (long unsigned int)e->counters.bcnt,
-                 (long unsigned int)addme[*i].pcnt,
-                 (long unsigned int)addme[*i].bcnt);
-#endif
-
-        ADD_COUNTER(e->counters, addme[*i].bcnt, addme[*i].pcnt);
-
-        (*i)++;
-        return 0;
-}
-
 static int
 do_add_counters(struct net *net, void __user *user, unsigned int len,
                 int compat)
@@ -1424,13 +1480,14 @@ do_add_counters(struct net *net, void __user *user, unsigned int len,
                 goto free;
         }
 
-        write_lock_bh(&t->lock);
+        mutex_lock(&t->lock);
         private = t->private;
         if (private->number != num_counters) {
                 ret = -EINVAL;
                 goto unlock_up_free;
         }
 
+        preempt_disable();
         i = 0;
         /* Choose the copy that is on our node */
         loc_cpu_entry = private->entries[raw_smp_processor_id()];
@@ -1439,8 +1496,9 @@ do_add_counters(struct net *net, void __user *user, unsigned int len,
                           add_counter_to_entry,
                           paddc,
                           &i);
+        preempt_enable();
  unlock_up_free:
-        write_unlock_bh(&t->lock);
+        mutex_unlock(&t->lock);
         xt_table_unlock(t);
         module_put(t->me);
  free:
diff --git a/net/ipv6/netfilter/ip6t_HL.c b/net/ipv6/netfilter/ip6t_HL.c
deleted file mode 100644
index 27b5adf670a2..000000000000
--- a/net/ipv6/netfilter/ip6t_HL.c
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Hop Limit modification target for ip6tables
- * Maciej Soltysiak <solt@dns.toxicfilms.tv>
- * Based on HW's TTL module
- *
- * This software is distributed under the terms of GNU GPL
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <linux/ipv6.h>
-
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter_ipv6/ip6t_HL.h>
-
-MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field modification target");
-MODULE_LICENSE("GPL");
-
-static unsigned int
-hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
-{
-        struct ipv6hdr *ip6h;
-        const struct ip6t_HL_info *info = par->targinfo;
-        int new_hl;
-
-        if (!skb_make_writable(skb, skb->len))
-                return NF_DROP;
-
-        ip6h = ipv6_hdr(skb);
-
-        switch (info->mode) {
-                case IP6T_HL_SET:
-                        new_hl = info->hop_limit;
-                        break;
-                case IP6T_HL_INC:
-                        new_hl = ip6h->hop_limit + info->hop_limit;
-                        if (new_hl > 255)
-                                new_hl = 255;
-                        break;
-                case IP6T_HL_DEC:
-                        new_hl = ip6h->hop_limit - info->hop_limit;
-                        if (new_hl < 0)
-                                new_hl = 0;
-                        break;
-                default:
-                        new_hl = ip6h->hop_limit;
-                        break;
-        }
-
-        ip6h->hop_limit = new_hl;
-
-        return XT_CONTINUE;
-}
-
-static bool hl_tg6_check(const struct xt_tgchk_param *par)
-{
-        const struct ip6t_HL_info *info = par->targinfo;
-
-        if (info->mode > IP6T_HL_MAXMODE) {
-                printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n",
-                        info->mode);
-                return false;
-        }
-        if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
-                printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't "
-                        "make sense with value 0\n");
-                return false;
-        }
-        return true;
-}
-
-static struct xt_target hl_tg6_reg __read_mostly = {
-        .name           = "HL",
-        .family         = NFPROTO_IPV6,
-        .target         = hl_tg6,
-        .targetsize     = sizeof(struct ip6t_HL_info),
-        .table          = "mangle",
-        .checkentry     = hl_tg6_check,
-        .me             = THIS_MODULE
-};
-
-static int __init hl_tg6_init(void)
-{
-        return xt_register_target(&hl_tg6_reg);
-}
-
-static void __exit hl_tg6_exit(void)
-{
-        xt_unregister_target(&hl_tg6_reg);
-}
-
-module_init(hl_tg6_init);
-module_exit(hl_tg6_exit);
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 37adf5abc51e..7018cac4fddc 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -477,7 +477,7 @@ static struct xt_target log_tg6_reg __read_mostly = {
         .me             = THIS_MODULE,
 };
 
-static const struct nf_logger ip6t_logger = {
+static struct nf_logger ip6t_logger __read_mostly = {
         .name           = "ip6t_LOG",
         .logfn          = &ip6t_log_packet,
         .me             = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6t_hl.c b/net/ipv6/netfilter/ip6t_hl.c
deleted file mode 100644
index c964dca1132d..000000000000
--- a/net/ipv6/netfilter/ip6t_hl.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/* Hop Limit matching module */
-
-/* (C) 2001-2002 Maciej Soltysiak <solt@dns.toxicfilms.tv>
- * Based on HW's ttl module
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/ipv6.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-
-#include <linux/netfilter_ipv6/ip6t_hl.h>
-#include <linux/netfilter/x_tables.h>
-
-MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("Xtables: IPv6 Hop Limit field match");
-MODULE_LICENSE("GPL");
-
-static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-        const struct ip6t_hl_info *info = par->matchinfo;
-        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
-
-        switch (info->mode) {
-                case IP6T_HL_EQ:
-                        return ip6h->hop_limit == info->hop_limit;
-                        break;
-                case IP6T_HL_NE:
-                        return ip6h->hop_limit != info->hop_limit;
-                        break;
-                case IP6T_HL_LT:
-                        return ip6h->hop_limit < info->hop_limit;
-                        break;
-                case IP6T_HL_GT:
-                        return ip6h->hop_limit > info->hop_limit;
-                        break;
-                default:
-                        printk(KERN_WARNING "ip6t_hl: unknown mode %d\n",
-                                info->mode);
-                        return false;
-        }
-
-        return false;
-}
-
-static struct xt_match hl_mt6_reg __read_mostly = {
-        .name           = "hl",
-        .family         = NFPROTO_IPV6,
-        .match          = hl_mt6,
-        .matchsize      = sizeof(struct ip6t_hl_info),
-        .me             = THIS_MODULE,
-};
-
-static int __init hl_mt6_init(void)
-{
-        return xt_register_match(&hl_mt6_reg);
-}
-
-static void __exit hl_mt6_exit(void)
-{
-        xt_unregister_match(&hl_mt6_reg);
-}
-
-module_init(hl_mt6_init);
-module_exit(hl_mt6_exit);
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 40d2e36d8fac..ef5a0a32bf8e 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -54,7 +54,6 @@ static struct
 static struct xt_table packet_filter = {
         .name           = "filter",
         .valid_hooks    = FILTER_VALID_HOOKS,
-        .lock           = __RW_LOCK_UNLOCKED(packet_filter.lock),
         .me             = THIS_MODULE,
         .af             = AF_INET6,
 };
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index d0b31b259d4d..ab0d398a2ba7 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -60,7 +60,6 @@ static struct
 static struct xt_table packet_mangler = {
         .name           = "mangle",
         .valid_hooks    = MANGLE_VALID_HOOKS,
-        .lock           = __RW_LOCK_UNLOCKED(packet_mangler.lock),
         .me             = THIS_MODULE,
         .af             = AF_INET6,
 };
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 109fab6f831a..4b792b6ca321 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -38,7 +38,6 @@ static struct
 static struct xt_table packet_raw = {
         .name = "raw",
         .valid_hooks = RAW_VALID_HOOKS,
-        .lock = __RW_LOCK_UNLOCKED(packet_raw.lock),
         .me = THIS_MODULE,
         .af = AF_INET6,
 };
diff --git a/net/ipv6/netfilter/ip6table_security.c b/net/ipv6/netfilter/ip6table_security.c
index 20bc52f13e43..0ea37ff15d56 100644
--- a/net/ipv6/netfilter/ip6table_security.c
+++ b/net/ipv6/netfilter/ip6table_security.c
@@ -59,7 +59,6 @@ static struct
 static struct xt_table security_table = {
         .name           = "security",
         .valid_hooks    = SECURITY_VALID_HOOKS,
-        .lock           = __RW_LOCK_UNLOCKED(security_table.lock),
         .me             = THIS_MODULE,
         .af             = AF_INET6,
 };
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 727b9530448a..e6852f617217 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -26,6 +26,7 @@
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_l3proto.h>
 #include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 
 static bool ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
                               struct nf_conntrack_tuple *tuple)
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 72dbb6d1a6b3..41b8a956e1be 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -126,6 +126,10 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
                 pr_debug("icmpv6: can't create new conn with type %u\n",
                          type + 128);
                 nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
+                if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6))
+                        nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+                                      "nf_ct_icmpv6: invalid new with type %d ",
+                                      type + 128);
                 return false;
         }
         atomic_set(&ct->proto.icmp.count, 0);