Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6.26

12 files changed, 91 insertions, 56 deletions

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index aed51bcc66b4..8c6c5e71f210 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -121,16 +121,44 @@ __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
         }
         return csum;
 }
-
 EXPORT_SYMBOL(nf_ip6_checksum);
 
+static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
+                                       unsigned int dataoff, unsigned int len,
+                                       u_int8_t protocol)
+{
+        struct ipv6hdr *ip6h = ipv6_hdr(skb);
+        __wsum hsum;
+        __sum16 csum = 0;
+
+        switch (skb->ip_summed) {
+        case CHECKSUM_COMPLETE:
+                if (len == skb->len - dataoff)
+                        return nf_ip6_checksum(skb, hook, dataoff, protocol);
+                /* fall through */
+        case CHECKSUM_NONE:
+                hsum = skb_checksum(skb, 0, dataoff, 0);
+                skb->csum = ~csum_unfold(csum_ipv6_magic(&ip6h->saddr,
+                                                         &ip6h->daddr,
+                                                         skb->len - dataoff,
+                                                         protocol,
+                                                         csum_sub(0, hsum)));
+                skb->ip_summed = CHECKSUM_NONE;
+                csum = __skb_checksum_complete_head(skb, dataoff + len);
+                if (!csum)
+                        skb->ip_summed = CHECKSUM_UNNECESSARY;
+        }
+        return csum;
+};
+
 static const struct nf_afinfo nf_ip6_afinfo = {
-        .family         = AF_INET6,
-        .checksum       = nf_ip6_checksum,
-        .route          = nf_ip6_route,
-        .saveroute      = nf_ip6_saveroute,
-        .reroute        = nf_ip6_reroute,
-        .route_key_size = sizeof(struct ip6_rt_info),
+        .family                 = AF_INET6,
+        .checksum               = nf_ip6_checksum,
+        .checksum_partial       = nf_ip6_checksum_partial,
+        .route                  = nf_ip6_route,
+        .saveroute              = nf_ip6_saveroute,
+        .reroute                = nf_ip6_reroute,
+        .route_key_size         = sizeof(struct ip6_rt_info),
 };
 
 int __init ipv6_netfilter_init(void)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 70ef0d276cc0..0b4557e03431 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -325,7 +325,7 @@ static void trace_packet(struct sk_buff *skb,
                          struct ip6t_entry *e)
 {
         void *table_base;
-        struct ip6t_entry *root;
+        const struct ip6t_entry *root;
         char *hookname, *chainname, *comment;
         unsigned int rulenum = 0;
 
@@ -952,7 +952,7 @@ static struct xt_counters *alloc_counters(struct xt_table *table)
 {
         unsigned int countersize;
         struct xt_counters *counters;
-        struct xt_table_info *private = table->private;
+        const struct xt_table_info *private = table->private;
 
         /* We need atomic snapshot of counters: rest doesn't change
            (other than comefrom, which userspace doesn't care
@@ -979,9 +979,9 @@ copy_entries_to_user(unsigned int total_size,
         unsigned int off, num;
         struct ip6t_entry *e;
         struct xt_counters *counters;
-        struct xt_table_info *private = table->private;
+        const struct xt_table_info *private = table->private;
         int ret = 0;
-        void *loc_cpu_entry;
+        const void *loc_cpu_entry;
 
         counters = alloc_counters(table);
         if (IS_ERR(counters))
@@ -1001,8 +1001,8 @@ copy_entries_to_user(unsigned int total_size,
         /* ... then go back and fix counters and names */
         for (off = 0, num = 0; off < total_size; off += e->next_offset, num++){
                 unsigned int i;
-                struct ip6t_entry_match *m;
-                struct ip6t_entry_target *t;
+                const struct ip6t_entry_match *m;
+                const struct ip6t_entry_target *t;
 
                 e = (struct ip6t_entry *)(loc_cpu_entry + off);
                 if (copy_to_user(userptr + off
@@ -1142,7 +1142,7 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
                                     "ip6table_%s", name);
         if (t && !IS_ERR(t)) {
                 struct ip6t_getinfo info;
-                struct xt_table_info *private = t->private;
+                const struct xt_table_info *private = t->private;
 
 #ifdef CONFIG_COMPAT
                 if (compat) {
@@ -1206,7 +1206,7 @@ get_entries(struct net *net, struct ip6t_get_entries __user *uptr, int *len)
                 else {
                         duprintf("get_entries: I've got %u not %u!\n",
                                  private->size, get.size);
-                        ret = -EINVAL;
+                        ret = -EAGAIN;
                 }
                 module_put(t->me);
                 xt_table_unlock(t);
@@ -1225,7 +1225,7 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
         struct xt_table *t;
         struct xt_table_info *oldinfo;
         struct xt_counters *counters;
-        void *loc_cpu_old_entry;
+        const void *loc_cpu_old_entry;
 
         ret = 0;
         counters = vmalloc_node(num_counters * sizeof(struct xt_counters),
@@ -1369,9 +1369,9 @@ do_add_counters(struct net *net, void __user *user, unsigned int len,
         int size;
         void *ptmp;
         struct xt_table *t;
-        struct xt_table_info *private;
+        const struct xt_table_info *private;
         int ret = 0;
-        void *loc_cpu_entry;
+        const void *loc_cpu_entry;
 #ifdef CONFIG_COMPAT
         struct compat_xt_counters_info compat_tmp;
 
@@ -1905,11 +1905,11 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
                             void __user *userptr)
 {
         struct xt_counters *counters;
-        struct xt_table_info *private = table->private;
+        const struct xt_table_info *private = table->private;
         void __user *pos;
         unsigned int size;
         int ret = 0;
-        void *loc_cpu_entry;
+        const void *loc_cpu_entry;
         unsigned int i = 0;
 
         counters = alloc_counters(table);
@@ -1956,7 +1956,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
         xt_compat_lock(AF_INET6);
         t = xt_find_table_lock(net, AF_INET6, get.name);
         if (t && !IS_ERR(t)) {
-                struct xt_table_info *private = t->private;
+                const struct xt_table_info *private = t->private;
                 struct xt_table_info info;
                 duprintf("t->private->number = %u\n", private->number);
                 ret = compat_table_info(private, &info);
@@ -1966,7 +1966,7 @@ compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
                 } else if (!ret) {
                         duprintf("compat_get_entries: I've got %u not %u!\n",
                                  private->size, get.size);
-                        ret = -EINVAL;
+                        ret = -EAGAIN;
                 }
                 xt_compat_flush_offsets(AF_INET6);
                 module_put(t->me);
@@ -2155,7 +2155,8 @@ icmp6_match(const struct sk_buff *skb,
            unsigned int protoff,
            bool *hotdrop)
 {
-        struct icmp6hdr _icmph, *ic;
+        const struct icmp6hdr *ic;
+        struct icmp6hdr _icmph;
         const struct ip6t_icmp *icmpinfo = matchinfo;
 
         /* Must not be a fragment. */
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 86a613810b69..3a2316974f83 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -363,11 +363,15 @@ static void dump_packet(const struct nf_loginfo *info,
         if ((logflags & IP6T_LOG_UID) && recurse && skb->sk) {
                 read_lock_bh(&skb->sk->sk_callback_lock);
                 if (skb->sk->sk_socket && skb->sk->sk_socket->file)
-                        printk("UID=%u GID=%u",
+                        printk("UID=%u GID=%u ",
                                 skb->sk->sk_socket->file->f_uid,
                                 skb->sk->sk_socket->file->f_gid);
                 read_unlock_bh(&skb->sk->sk_callback_lock);
         }
+
+        /* Max length: 16 "MARK=0xFFFFFFFF " */
+        if (!recurse && skb->mark)
+                printk("MARK=0x%x ", skb->mark);
 }
 
 static struct nf_loginfo default_loginfo = {
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index baf829075f6f..44c8d65a2431 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -41,7 +41,8 @@ static void send_reset(struct sk_buff *oldskb)
         struct tcphdr otcph, *tcph;
         unsigned int otcplen, hh_len;
         int tcphoff, needs_ack;
-        struct ipv6hdr *oip6h = ipv6_hdr(oldskb), *ip6h;
+        const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
+        struct ipv6hdr *ip6h;
         struct dst_entry *dst = NULL;
         u8 proto;
         struct flowi fl;
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 3a940171f829..317a8960a757 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -49,7 +49,8 @@ ipv6header_mt6(const struct sk_buff *skb, const struct net_device *in,
         temp = 0;
 
         while (ip6t_ext_hdr(nexthdr)) {
-                struct ipv6_opt_hdr _hdr, *hp;
+                const struct ipv6_opt_hdr *hp;
+                struct ipv6_opt_hdr _hdr;
                 int hdrlen;
 
                 /* Is there enough space for the next ext header? */
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index 12a9efe9886e..81aaf7aaaabf 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -110,7 +110,8 @@ rt_mt6(const struct sk_buff *skb, const struct net_device *in,
                 !!(rtinfo->invflags & IP6T_RT_INV_TYP)));
 
         if (ret && (rtinfo->flags & IP6T_RT_RES)) {
-                u_int32_t *rp, _reserved;
+                const u_int32_t *rp;
+                u_int32_t _reserved;
                 rp = skb_header_pointer(skb,
                                         ptr + offsetof(struct rt0_hdr,
                                                        reserved),
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 2d9cd095a72c..f979e48b469b 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -54,7 +54,7 @@ static struct
 static struct xt_table packet_filter = {
         .name           = "filter",
         .valid_hooks    = FILTER_VALID_HOOKS,
-        .lock           = RW_LOCK_UNLOCKED,
+        .lock           = __RW_LOCK_UNLOCKED(packet_filter.lock),
         .me             = THIS_MODULE,
         .af             = AF_INET6,
 };
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 035343a90ffe..27a5e8b48d93 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -60,7 +60,7 @@ static struct
 static struct xt_table packet_mangler = {
         .name           = "mangle",
         .valid_hooks    = MANGLE_VALID_HOOKS,
-        .lock           = RW_LOCK_UNLOCKED,
+        .lock           = __RW_LOCK_UNLOCKED(packet_mangler.lock),
         .me             = THIS_MODULE,
         .af             = AF_INET6,
 };
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index 5cd84203abfe..92b91077ac29 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -38,7 +38,7 @@ static struct
 static struct xt_table packet_raw = {
         .name = "raw",
         .valid_hooks = RAW_VALID_HOOKS,
-        .lock = RW_LOCK_UNLOCKED,
+        .lock = __RW_LOCK_UNLOCKED(packet_raw.lock),
         .me = THIS_MODULE,
         .af = AF_INET6,
 };
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 3717bdf34f6e..85050c072abd 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -27,8 +27,8 @@
 #include <net/netfilter/nf_conntrack_l3proto.h>
 #include <net/netfilter/nf_conntrack_core.h>
 
-static int ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
-                             struct nf_conntrack_tuple *tuple)
+static bool ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
+                              struct nf_conntrack_tuple *tuple)
 {
         const u_int32_t *ap;
         u_int32_t _addrs[8];
@@ -36,21 +36,21 @@ static int ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
         ap = skb_header_pointer(skb, nhoff + offsetof(struct ipv6hdr, saddr),
                                 sizeof(_addrs), _addrs);
         if (ap == NULL)
-                return 0;
+                return false;
 
         memcpy(tuple->src.u3.ip6, ap, sizeof(tuple->src.u3.ip6));
         memcpy(tuple->dst.u3.ip6, ap + 4, sizeof(tuple->dst.u3.ip6));
 
-        return 1;
+        return true;
 }
 
-static int ipv6_invert_tuple(struct nf_conntrack_tuple *tuple,
-                             const struct nf_conntrack_tuple *orig)
+static bool ipv6_invert_tuple(struct nf_conntrack_tuple *tuple,
+                              const struct nf_conntrack_tuple *orig)
 {
         memcpy(tuple->src.u3.ip6, orig->dst.u3.ip6, sizeof(tuple->src.u3.ip6));
         memcpy(tuple->dst.u3.ip6, orig->src.u3.ip6, sizeof(tuple->dst.u3.ip6));
 
-        return 1;
+        return true;
 }
 
 static int ipv6_print_tuple(struct seq_file *s,
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 0897d0f4c4a2..ee713b03e9ec 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -28,21 +28,21 @@
 
 static unsigned long nf_ct_icmpv6_timeout __read_mostly = 30*HZ;
 
-static int icmpv6_pkt_to_tuple(const struct sk_buff *skb,
-                               unsigned int dataoff,
-                               struct nf_conntrack_tuple *tuple)
+static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
+                                unsigned int dataoff,
+                                struct nf_conntrack_tuple *tuple)
 {
         const struct icmp6hdr *hp;
         struct icmp6hdr _hdr;
 
         hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
         if (hp == NULL)
-                return 0;
+                return false;
         tuple->dst.u.icmp.type = hp->icmp6_type;
         tuple->src.u.icmp.id = hp->icmp6_identifier;
         tuple->dst.u.icmp.code = hp->icmp6_code;
 
-        return 1;
+        return true;
 }
 
 /* Add 1; spaces filled with 0. */
@@ -53,17 +53,17 @@ static const u_int8_t invmap[] = {
         [ICMPV6_NI_REPLY - 128]         = ICMPV6_NI_REPLY +1
 };
 
-static int icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
-                               const struct nf_conntrack_tuple *orig)
+static bool icmpv6_invert_tuple(struct nf_conntrack_tuple *tuple,
+                                const struct nf_conntrack_tuple *orig)
 {
         int type = orig->dst.u.icmp.type - 128;
         if (type < 0 || type >= sizeof(invmap) || !invmap[type])
-                return 0;
+                return false;
 
         tuple->src.u.icmp.id   = orig->src.u.icmp.id;
         tuple->dst.u.icmp.type = invmap[type] - 1;
         tuple->dst.u.icmp.code = orig->dst.u.icmp.code;
-        return 1;
+        return true;
 }
 
 /* Print out the per-protocol part of the tuple. */
@@ -102,9 +102,8 @@ static int icmpv6_packet(struct nf_conn *ct,
 }
 
 /* Called when a new connection for this protocol found. */
-static int icmpv6_new(struct nf_conn *ct,
-                      const struct sk_buff *skb,
-                      unsigned int dataoff)
+static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
+                       unsigned int dataoff)
 {
         static const u_int8_t valid_new[] = {
                 [ICMPV6_ECHO_REQUEST - 128] = 1,
@@ -116,11 +115,11 @@ static int icmpv6_new(struct nf_conn *ct,
                 /* Can't create a new ICMPv6 `conn' with this. */
                 pr_debug("icmpv6: can't create new conn with type %u\n",
                          type + 128);
-                NF_CT_DUMP_TUPLE(&ct->tuplehash[0].tuple);
-                return 0;
+                nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
+                return false;
         }
         atomic_set(&ct->proto.icmp.count, 0);
-        return 1;
+        return true;
 }
 
 static int
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 9e5f305b2022..2dccad48058c 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -103,8 +103,8 @@ struct ctl_table nf_ct_ipv6_sysctl_table[] = {
 };
 #endif
 
-static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
-                               struct in6_addr *daddr)
+static unsigned int ip6qhashfn(__be32 id, const struct in6_addr *saddr,
+                               const struct in6_addr *daddr)
 {
         u32 a, b, c;
 
@@ -132,7 +132,7 @@ static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
 
 static unsigned int nf_hashfn(struct inet_frag_queue *q)
 {
-        struct nf_ct_frag6_queue *nq;
+        const struct nf_ct_frag6_queue *nq;
 
         nq = container_of(q, struct nf_ct_frag6_queue, q);
         return ip6qhashfn(nq->id, &nq->saddr, &nq->daddr);
@@ -222,7 +222,7 @@ oom:
 
 
 static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb,
-                             struct frag_hdr *fhdr, int nhoff)
+                             const struct frag_hdr *fhdr, int nhoff)
 {
         struct sk_buff *prev, *next;
         int offset, end;