4 files changed, 47 insertions, 6 deletions
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index fdc4a9527343..43c09d790b83 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -79,7 +79,7 @@ enum nf_ip_hook_priorities {
 #ifdef __KERNEL__
 extern int ip_route_me_harder(struct sk_buff **pskb);
+extern int ip_xfrm_me_harder(struct sk_buff **pskb);
 #endif /*__KERNEL__*/
 #endif /*__LINUX_IP_NETFILTER_H*/
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index cc047f7fb6ef..35cf3a074087 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -67,7 +67,7 @@ void br_stp_disable_bridge(struct net_bridge *br)
 {
        struct net_bridge_port *p;
-        spin_lock(&br->lock);
+        spin_lock_bh(&br->lock);
        list_for_each_entry(p, &br->port_list, list) {
                if (p->state != BR_STATE_DISABLED)
                        br_stp_disable_port(p);
@@ -76,7 +76,7 @@ void br_stp_disable_bridge(struct net_bridge *br)
        br->topology_change = 0;
        br->topology_change_detected = 0;
-        spin_unlock(&br->lock);
+        spin_unlock_bh(&br->lock);
        del_timer_sync(&br->hello_timer);
        del_timer_sync(&br->topology_change_timer);
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 52a3d7c57907..ed42cdc57cd9 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -78,6 +78,47 @@ int ip_route_me_harder(struct sk_buff **pskb)
 }
 EXPORT_SYMBOL(ip_route_me_harder);
+#ifdef CONFIG_XFRM
+int ip_xfrm_me_harder(struct sk_buff **pskb)
+{
+        struct flowi fl;
+        unsigned int hh_len;
+        struct dst_entry *dst;
+        if (IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)
+                return 0;
+        if (xfrm_decode_session(*pskb, &fl, AF_INET) < 0)
+                return -1;
+        dst = (*pskb)->dst;
+        if (dst->xfrm)
+                dst = ((struct xfrm_dst *)dst)->route;
+        dst_hold(dst);
+        if (xfrm_lookup(&dst, &fl, (*pskb)->sk, 0) < 0)
+                return -1;
+        dst_release((*pskb)->dst);
+        (*pskb)->dst = dst;
+        /* Change in oif may mean change in hh_len. */
+        hh_len = (*pskb)->dst->dev->hard_header_len;
+        if (skb_headroom(*pskb) < hh_len) {
+                struct sk_buff *nskb;
+                nskb = skb_realloc_headroom(*pskb, hh_len);
+                if (!nskb)
+                        return -1;
+                if ((*pskb)->sk)
+                        skb_set_owner_w(nskb, (*pskb)->sk);
+                kfree_skb(*pskb);
+                *pskb = nskb;
+        }
+        return 0;
+}
+EXPORT_SYMBOL(ip_xfrm_me_harder);
+#endif
 void (*ip_nat_decode_session)(struct sk_buff *, struct flowi *);
 EXPORT_SYMBOL(ip_nat_decode_session);
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index 92c54999a19d..7c3f7d380240 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -235,19 +235,19 @@ ip_nat_out(unsigned int hooknum,
                return NF_ACCEPT;
        ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
+#ifdef CONFIG_XFRM
        if (ret != NF_DROP && ret != NF_STOLEN
            && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
                if (ct->tuplehash[dir].tuple.src.ip !=
                    ct->tuplehash[!dir].tuple.dst.ip
-#ifdef CONFIG_XFRM
                    || ct->tuplehash[dir].tuple.src.u.all !=
                       ct->tuplehash[!dir].tuple.dst.u.all
-#endif
                    )
-                        return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
+                        return ip_xfrm_me_harder(pskb) == 0 ? ret : NF_DROP;
        }
+#endif
        return ret;
 }

diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h index fdc4a9527343..43c09d790b83 100644 --- a/include/linux/netfilter_ipv4.h +++ b/include/linux/netfilter_ipv4.h
@@ -79,7 +79,7 @@ enum nf_ip_hook_priorities {
79		79
80	#ifdef __KERNEL__	80	#ifdef __KERNEL__
81	extern int ip_route_me_harder(struct sk_buff **pskb);	81	extern int ip_route_me_harder(struct sk_buff **pskb);
82		82	extern int ip_xfrm_me_harder(struct sk_buff **pskb);
83	#endif /__KERNEL__/	83	#endif /__KERNEL__/
84		84
85	#endif /__LINUX_IP_NETFILTER_H/	85	#endif /__LINUX_IP_NETFILTER_H/


diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c index cc047f7fb6ef..35cf3a074087 100644 --- a/net/bridge/br_stp_if.c +++ b/net/bridge/br_stp_if.c
@@ -67,7 +67,7 @@ void br_stp_disable_bridge(struct net_bridge *br)
67	{	67	{
68	struct net_bridge_port *p;	68	struct net_bridge_port *p;
69		69
70	spin_lock(&br->lock);	70	spin_lock_bh(&br->lock);
71	list_for_each_entry(p, &br->port_list, list) {	71	list_for_each_entry(p, &br->port_list, list) {
72	if (p->state != BR_STATE_DISABLED)	72	if (p->state != BR_STATE_DISABLED)
73	br_stp_disable_port(p);	73	br_stp_disable_port(p);
@@ -76,7 +76,7 @@ void br_stp_disable_bridge(struct net_bridge *br)
76		76
77	br->topology_change = 0;	77	br->topology_change = 0;
78	br->topology_change_detected = 0;	78	br->topology_change_detected = 0;
79	spin_unlock(&br->lock);	79	spin_unlock_bh(&br->lock);
80		80
81	del_timer_sync(&br->hello_timer);	81	del_timer_sync(&br->hello_timer);
82	del_timer_sync(&br->topology_change_timer);	82	del_timer_sync(&br->topology_change_timer);


diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c index 52a3d7c57907..ed42cdc57cd9 100644 --- a/net/ipv4/netfilter.c +++ b/net/ipv4/netfilter.c
@@ -78,6 +78,47 @@ int ip_route_me_harder(struct sk_buff **pskb)
78	}	78	}
79	EXPORT_SYMBOL(ip_route_me_harder);	79	EXPORT_SYMBOL(ip_route_me_harder);
80		80
		81	#ifdef CONFIG_XFRM
		82	int ip_xfrm_me_harder(struct sk_buff **pskb)
		83	{
		84	struct flowi fl;
		85	unsigned int hh_len;
		86	struct dst_entry *dst;
		87
		88	if (IPCB(*pskb)->flags & IPSKB_XFRM_TRANSFORMED)
		89	return 0;
		90	if (xfrm_decode_session(*pskb, &fl, AF_INET) < 0)
		91	return -1;
		92
		93	dst = (*pskb)->dst;
		94	if (dst->xfrm)
		95	dst = ((struct xfrm_dst *)dst)->route;
		96	dst_hold(dst);
		97
		98	if (xfrm_lookup(&dst, &fl, (*pskb)->sk, 0) < 0)
		99	return -1;
		100
		101	dst_release((*pskb)->dst);
		102	(*pskb)->dst = dst;
		103
		104	/* Change in oif may mean change in hh_len. */
		105	hh_len = (*pskb)->dst->dev->hard_header_len;
		106	if (skb_headroom(*pskb) < hh_len) {
		107	struct sk_buff *nskb;
		108
		109	nskb = skb_realloc_headroom(*pskb, hh_len);
		110	if (!nskb)
		111	return -1;
		112	if ((*pskb)->sk)
		113	skb_set_owner_w(nskb, (*pskb)->sk);
		114	kfree_skb(*pskb);
		115	*pskb = nskb;
		116	}
		117	return 0;
		118	}
		119	EXPORT_SYMBOL(ip_xfrm_me_harder);
		120	#endif
		121
81	void (ip_nat_decode_session)(struct sk_buff , struct flowi *);	122	void (ip_nat_decode_session)(struct sk_buff , struct flowi *);
82	EXPORT_SYMBOL(ip_nat_decode_session);	123	EXPORT_SYMBOL(ip_nat_decode_session);
83		124


diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c index 92c54999a19d..7c3f7d380240 100644 --- a/net/ipv4/netfilter/ip_nat_standalone.c +++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -235,19 +235,19 @@ ip_nat_out(unsigned int hooknum,
235	return NF_ACCEPT;	235	return NF_ACCEPT;
236		236
237	ret = ip_nat_fn(hooknum, pskb, in, out, okfn);	237	ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
		238	#ifdef CONFIG_XFRM
238	if (ret != NF_DROP && ret != NF_STOLEN	239	if (ret != NF_DROP && ret != NF_STOLEN
239	&& (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {	240	&& (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
240	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);	241	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
241		242
242	if (ct->tuplehash[dir].tuple.src.ip !=	243	if (ct->tuplehash[dir].tuple.src.ip !=
243	ct->tuplehash[!dir].tuple.dst.ip	244	ct->tuplehash[!dir].tuple.dst.ip
244	#ifdef CONFIG_XFRM
245	\|\| ct->tuplehash[dir].tuple.src.u.all !=	245	\|\| ct->tuplehash[dir].tuple.src.u.all !=
246	ct->tuplehash[!dir].tuple.dst.u.all	246	ct->tuplehash[!dir].tuple.dst.u.all
247	#endif
248	)	247	)
249	return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;	248	return ip_xfrm_me_harder(pskb) == 0 ? ret : NF_DROP;
250	}	249	}
		250	#endif
251	return ret;	251	return ret;
252	}	252	}
253		253