Merge branch 'master' of git://1984.lsi.us.es/nf-next

Pablo Neira Ayuso says:

====================
The following patchset contains Netfilter and IPVS updates for
your net-next tree, most relevantly they are:

* Add net namespace support to NFLOG, ULOG and ebt_ulog and NFQUEUE.
  The LOG and ebt_log target has been also adapted, but they still
  depend on the syslog netnamespace that seems to be missing, from
  Gao Feng.

* Don't lose indications of congestion in IPv6 fragmentation handling,
  from Hannes Frederic Sowa.i

* IPVS conversion to use RCU, including some code consolidation patches
  and optimizations, also some from Julian Anastasov.

* cpu fanout support for NFQUEUE, from Holger Eitzenberger.

* Better error reporting to userspace when dropping packets from
  all our _*_[xfrm|route]_me_harder functions, from Patrick McHardy.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 26 insertions, 6 deletions

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 341b54ade72c..8861b1ef420e 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -284,6 +284,7 @@ static void trace_packet(const struct sk_buff *skb,
         const char *hookname, *chainname, *comment;
         const struct ip6t_entry *iter;
         unsigned int rulenum = 0;
+        struct net *net = dev_net(in ? in : out);
 
         table_base = private->entries[smp_processor_id()];
         root = get_entry(table_base, private->hook_entry[hook]);
@@ -296,7 +297,7 @@ static void trace_packet(const struct sk_buff *skb,
                     &chainname, &comment, &rulenum) != 0)
                         break;
 
-        nf_log_packet(AF_INET6, hook, skb, in, out, &trace_loginfo,
+        nf_log_packet(net, AF_INET6, hook, skb, in, out, &trace_loginfo,
                       "TRACE: %s:%s:%s:%u ",
                       tablename, chainname, comment, rulenum);
 }
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 24df3dde0076..b3807c5cb888 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -131,7 +131,8 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
                          type + 128);
                 nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
                 if (LOG_INVALID(nf_ct_net(ct), IPPROTO_ICMPV6))
-                        nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+                        nf_log_packet(nf_ct_net(ct), PF_INET6, 0, skb, NULL,
+                                      NULL, NULL,
                                       "nf_ct_icmpv6: invalid new with type %d ",
                                       type + 128);
                 return false;
@@ -203,7 +204,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
         icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
         if (icmp6h == NULL) {
                 if (LOG_INVALID(net, IPPROTO_ICMPV6))
-                nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+                        nf_log_packet(net, PF_INET6, 0, skb, NULL, NULL, NULL,
                               "nf_ct_icmpv6: short packet ");
                 return -NF_ACCEPT;
         }
@@ -211,7 +212,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
         if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
             nf_ip6_checksum(skb, hooknum, dataoff, IPPROTO_ICMPV6)) {
                 if (LOG_INVALID(net, IPPROTO_ICMPV6))
-                        nf_log_packet(PF_INET6, 0, skb, NULL, NULL, NULL,
+                        nf_log_packet(net, PF_INET6, 0, skb, NULL, NULL, NULL,
                                       "nf_ct_icmpv6: ICMPv6 checksum failed ");
                 return -NF_ACCEPT;
         }
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 6700069949dd..dffdc1a389c5 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -41,6 +41,7 @@
 #include <net/rawv6.h>
 #include <net/ndisc.h>
 #include <net/addrconf.h>
+#include <net/inet_ecn.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 #include <linux/sysctl.h>
 #include <linux/netfilter.h>
@@ -138,6 +139,11 @@ static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net)
 }
 #endif
 
+static inline u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h)
+{
+        return 1 << (ipv6_get_dsfield(ipv6h) & INET_ECN_MASK);
+}
+
 static unsigned int nf_hashfn(struct inet_frag_queue *q)
 {
         const struct frag_queue *nq;
@@ -166,7 +172,7 @@ static void nf_ct_frag6_expire(unsigned long data)
 /* Creation primitives. */
 static inline struct frag_queue *fq_find(struct net *net, __be32 id,
                                          u32 user, struct in6_addr *src,
-                                         struct in6_addr *dst)
+                                         struct in6_addr *dst, u8 ecn)
 {
         struct inet_frag_queue *q;
         struct ip6_create_arg arg;
@@ -176,6 +182,7 @@ static inline struct frag_queue *fq_find(struct net *net, __be32 id,
         arg.user = user;
         arg.src = src;
         arg.dst = dst;
+        arg.ecn = ecn;
 
         read_lock_bh(&nf_frags.lock);
         hash = inet6_hash_frag(id, src, dst, nf_frags.rnd);
@@ -196,6 +203,7 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
         struct sk_buff *prev, *next;
         unsigned int payload_len;
         int offset, end;
+        u8 ecn;
 
         if (fq->q.last_in & INET_FRAG_COMPLETE) {
                 pr_debug("Already completed\n");
@@ -213,6 +221,8 @@ static int nf_ct_frag6_queue(struct frag_queue *fq, struct sk_buff *skb,
                 return -1;
         }
 
+        ecn = ip6_frag_ecn(ipv6_hdr(skb));
+
         if (skb->ip_summed == CHECKSUM_COMPLETE) {
                 const unsigned char *nh = skb_network_header(skb);
                 skb->csum = csum_sub(skb->csum,
@@ -317,6 +327,7 @@ found:
         }
         fq->q.stamp = skb->tstamp;
         fq->q.meat += skb->len;
+        fq->ecn |= ecn;
         if (payload_len > fq->q.max_size)
                 fq->q.max_size = payload_len;
         add_frag_mem_limit(&fq->q, skb->truesize);
@@ -352,12 +363,17 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
 {
         struct sk_buff *fp, *op, *head = fq->q.fragments;
         int    payload_len;
+        u8 ecn;
 
         inet_frag_kill(&fq->q, &nf_frags);
 
         WARN_ON(head == NULL);
         WARN_ON(NFCT_FRAG6_CB(head)->offset != 0);
 
+        ecn = ip_frag_ecn_table[fq->ecn];
+        if (unlikely(ecn == 0xff))
+                goto out_fail;
+
         /* Unfragmented part is taken from the first segment. */
         payload_len = ((head->data - skb_network_header(head)) -
                        sizeof(struct ipv6hdr) + fq->q.len -
@@ -428,6 +444,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct net_device *dev)
         head->dev = dev;
         head->tstamp = fq->q.stamp;
         ipv6_hdr(head)->payload_len = htons(payload_len);
+        ipv6_change_dsfield(ipv6_hdr(head), 0xff, ecn);
         IP6CB(head)->frag_max_size = sizeof(struct ipv6hdr) + fq->q.max_size;
 
         /* Yes, and fold redundant checksum back. 8) */
@@ -572,7 +589,8 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
         inet_frag_evictor(&net->nf_frag.frags, &nf_frags, false);
         local_bh_enable();
 
-        fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr);
+        fq = fq_find(net, fhdr->identification, user, &hdr->saddr, &hdr->daddr,
+                     ip6_frag_ecn(hdr));
         if (fq == NULL) {
                 pr_debug("Can't find and can't create new queue\n");
                 goto ret_orig;