16 files changed, 26 insertions, 27 deletions
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 50cdc2559a5a..0d3dd66322ec 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -18,6 +18,9 @@ enum ip_conntrack_info {
        /* >= this indicates reply direction */
        IP_CT_IS_REPLY,
+        IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
+        IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
+        IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,   
        /* Number of distinct IP_CT types (no NEW in reply dirn). */
        IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
 };
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index d609ac3cb9a4..5c9e97c79017 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -307,7 +307,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
         * error messages (RELATED) and information requests (see below) */
        if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&
            (ctinfo == IP_CT_RELATED ||
-             ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY))
+             ctinfo == IP_CT_RELATED_REPLY))
                return XT_CONTINUE;
        /* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
@@ -321,12 +321,12 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
                        ct->mark = hash;
                        break;
                case IP_CT_RELATED:
-                case IP_CT_RELATED+IP_CT_IS_REPLY:
+                case IP_CT_RELATED_REPLY:
                        /* FIXME: we don't handle expectations at the
                         * moment.  they can arrive on a different node than
                         * the master connection (e.g. FTP passive mode) */
                case IP_CT_ESTABLISHED:
-                case IP_CT_ESTABLISHED+IP_CT_IS_REPLY:
+                case IP_CT_ESTABLISHED_REPLY:
                        break;
                default:
                        break;
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index d2ed9dc74ebc..9931152a78b5 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -60,7 +60,7 @@ masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
        nat = nfct_nat(ct);
        NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
-                            ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
+                            ctinfo == IP_CT_RELATED_REPLY));
        /* Source address is 0.0.0.0 - locally generated packet that is
         * probably not supposed to be masqueraded.
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 5a03c02af999..db10075dd88e 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -101,7 +101,7 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
        /* This is where we call the helper: as the packet goes out. */
        ct = nf_ct_get(skb, &ctinfo);
-        if (!ct || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)
+        if (!ct || ctinfo == IP_CT_RELATED_REPLY)
                goto out;
        help = nfct_help(ct);
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 9c71b2755ce3..3346de5d94d0 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -433,7 +433,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
        /* Must be RELATED */
        NF_CT_ASSERT(skb->nfctinfo == IP_CT_RELATED ||
-                     skb->nfctinfo == IP_CT_RELATED+IP_CT_IS_REPLY);
+                     skb->nfctinfo == IP_CT_RELATED_REPLY);
        /* Redirects on non-null nats must be dropped, else they'll
           start talking to each other without our translation, and be
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 21c30426480b..733c9abc1cbd 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -53,7 +53,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
        /* Connection must be valid and new. */
        NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
-                            ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
+                            ctinfo == IP_CT_RELATED_REPLY));
        NF_CT_ASSERT(par->out != NULL);
        return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC);
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 7317bdf1d457..483b76d042da 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -116,7 +116,7 @@ nf_nat_fn(unsigned int hooknum,
        switch (ctinfo) {
        case IP_CT_RELATED:
-        case IP_CT_RELATED+IP_CT_IS_REPLY:
+        case IP_CT_RELATED_REPLY:
                if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
                        if (!nf_nat_icmp_reply_translation(ct, ctinfo,
                                                           hooknum, skb))
@@ -144,7 +144,7 @@ nf_nat_fn(unsigned int hooknum,
        default:
                /* ESTABLISHED */
                NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
-                             ctinfo == (IP_CT_ESTABLISHED+IP_CT_IS_REPLY));
+                             ctinfo == IP_CT_ESTABLISHED_REPLY);
        }
        return nf_nat_packet(ct, ctinfo, hooknum, skb);
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index c8af58b22562..4111050a9fc5 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -160,7 +160,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
        /* This is where we call the helper: as the packet goes out. */
        ct = nf_ct_get(skb, &ctinfo);
-        if (!ct || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)
+        if (!ct || ctinfo == IP_CT_RELATED_REPLY)
                goto out;
        help = nfct_help(ct);
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 2e1c11f78419..0bd568929403 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -850,7 +850,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
        /* It exists; we have (non-exclusive) reference. */
        if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) {
-                *ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;
+                *ctinfo = IP_CT_ESTABLISHED_REPLY;
                /* Please set reply bit if this packet OK */
                *set_reply = 1;
        } else {
@@ -1143,7 +1143,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
        /* This ICMP is in reverse direction to the packet which caused it */
        ct = nf_ct_get(skb, &ctinfo);
        if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
-                ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY;
+                ctinfo = IP_CT_RELATED_REPLY;
        else
                ctinfo = IP_CT_RELATED;
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index e17cb7c7dd8f..6f5801eac999 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -368,7 +368,7 @@ static int help(struct sk_buff *skb,
        /* Until there's been traffic both ways, don't look in packets. */
        if (ctinfo != IP_CT_ESTABLISHED &&
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
+            ctinfo != IP_CT_ESTABLISHED_REPLY) {
                pr_debug("ftp: Conntrackinfo = %u\n", ctinfo);
                return NF_ACCEPT;
        }
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 18b2ce5c8ced..f03c2d4539f6 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -571,10 +571,9 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
        int ret;
        /* Until there's been traffic both ways, don't look in packets. */
-        if (ctinfo != IP_CT_ESTABLISHED &&
+        if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
                return NF_ACCEPT;
-        }
        pr_debug("nf_ct_h245: skblen = %u\n", skb->len);
        spin_lock_bh(&nf_h323_lock);
@@ -1125,10 +1124,9 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
        int ret;
        /* Until there's been traffic both ways, don't look in packets. */
-        if (ctinfo != IP_CT_ESTABLISHED &&
+        if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
                return NF_ACCEPT;
-        }
        pr_debug("nf_ct_q931: skblen = %u\n", skb->len);
        spin_lock_bh(&nf_h323_lock);
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index b394aa318776..4f9390b98697 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -125,8 +125,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
                return NF_ACCEPT;
        /* Until there's been traffic both ways, don't look in packets. */
-        if (ctinfo != IP_CT_ESTABLISHED &&
+        if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
                return NF_ACCEPT;
        /* Not a full tcp header? */
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index 088944824e13..2fd4565144de 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -519,8 +519,7 @@ conntrack_pptp_help(struct sk_buff *skb, unsigned int protoff,
        u_int16_t msg;
        /* don't do any tracking before tcp handshake complete */
-        if (ctinfo != IP_CT_ESTABLISHED &&
+        if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
                return NF_ACCEPT;
        nexthdr_off = protoff;
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index d9e27734b2a2..8501823b3f9b 100644
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -78,7 +78,7 @@ static int help(struct sk_buff *skb,
        ct_sane_info = &nfct_help(ct)->help.ct_sane_info;
        /* Until there's been traffic both ways, don't look in packets. */
        if (ctinfo != IP_CT_ESTABLISHED &&
-            ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY)
+            ctinfo != IP_CT_ESTABLISHED_REPLY)
                return NF_ACCEPT;
        /* Not a full tcp header? */
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index cb5a28581782..93faf6a3a637 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1423,7 +1423,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
        typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
        if (ctinfo != IP_CT_ESTABLISHED &&
-            ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
+            ctinfo != IP_CT_ESTABLISHED_REPLY)
                return NF_ACCEPT;
        /* No Data ? */
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 9cc46356b577..fe39f7e913df 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -143,9 +143,9 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
        ct = nf_ct_get(skb, &ctinfo);
        if (ct && !nf_ct_is_untracked(ct) &&
            ((iph->protocol != IPPROTO_ICMP &&
-              ctinfo == IP_CT_IS_REPLY + IP_CT_ESTABLISHED) ||
+              ctinfo == IP_CT_ESTABLISHED_REPLY) ||
             (iph->protocol == IPPROTO_ICMP &&
-              ctinfo == IP_CT_IS_REPLY + IP_CT_RELATED)) &&
+              ctinfo == IP_CT_RELATED_REPLY)) &&
            (ct->status & IPS_SRC_NAT_DONE)) {
                daddr = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip;

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index 50cdc2559a5a..0d3dd66322ec 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -18,6 +18,9 @@ enum ip_conntrack_info {
18	/* >= this indicates reply direction */	18	/* >= this indicates reply direction */
19	IP_CT_IS_REPLY,	19	IP_CT_IS_REPLY,
20		20
		21	IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
		22	IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
		23	IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,
21	/* Number of distinct IP_CT types (no NEW in reply dirn). */	24	/* Number of distinct IP_CT types (no NEW in reply dirn). */
22	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1	25	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
23	};	26	};


diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index d609ac3cb9a4..5c9e97c79017 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -307,7 +307,7 @@ clusterip_tg(struct sk_buff skb, const struct xt_action_param par)
307	* error messages (RELATED) and information requests (see below) */	307	* error messages (RELATED) and information requests (see below) */
308	if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&	308	if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&
309	(ctinfo == IP_CT_RELATED \|\|	309	(ctinfo == IP_CT_RELATED \|\|
310	ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY))	310	ctinfo == IP_CT_RELATED_REPLY))
311	return XT_CONTINUE;	311	return XT_CONTINUE;
312		312
313	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,	313	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
@@ -321,12 +321,12 @@ clusterip_tg(struct sk_buff skb, const struct xt_action_param par)
321	ct->mark = hash;	321	ct->mark = hash;
322	break;	322	break;
323	case IP_CT_RELATED:	323	case IP_CT_RELATED:
324	case IP_CT_RELATED+IP_CT_IS_REPLY:	324	case IP_CT_RELATED_REPLY:
325	/* FIXME: we don't handle expectations at the	325	/* FIXME: we don't handle expectations at the
326	* moment. they can arrive on a different node than	326	* moment. they can arrive on a different node than
327	* the master connection (e.g. FTP passive mode) */	327	* the master connection (e.g. FTP passive mode) */
328	case IP_CT_ESTABLISHED:	328	case IP_CT_ESTABLISHED:
329	case IP_CT_ESTABLISHED+IP_CT_IS_REPLY:	329	case IP_CT_ESTABLISHED_REPLY:
330	break;	330	break;
331	default:	331	default:
332	break;	332	break;


diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c index d2ed9dc74ebc..9931152a78b5 100644 --- a/net/ipv4/netfilter/ipt_MASQUERADE.c +++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -60,7 +60,7 @@ masquerade_tg(struct sk_buff skb, const struct xt_action_param par)
60	nat = nfct_nat(ct);	60	nat = nfct_nat(ct);
61		61
62	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW \|\| ctinfo == IP_CT_RELATED \|\|	62	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW \|\| ctinfo == IP_CT_RELATED \|\|
63	ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));	63	ctinfo == IP_CT_RELATED_REPLY));
64		64
65	/* Source address is 0.0.0.0 - locally generated packet that is	65	/* Source address is 0.0.0.0 - locally generated packet that is
66	* probably not supposed to be masqueraded.	66	* probably not supposed to be masqueraded.


diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 5a03c02af999..db10075dd88e 100644 --- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -101,7 +101,7 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
101		101
102	/* This is where we call the helper: as the packet goes out. */	102	/* This is where we call the helper: as the packet goes out. */
103	ct = nf_ct_get(skb, &ctinfo);	103	ct = nf_ct_get(skb, &ctinfo);
104	if (!ct \|\| ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)	104	if (!ct \|\| ctinfo == IP_CT_RELATED_REPLY)
105	goto out;	105	goto out;
106		106
107	help = nfct_help(ct);	107	help = nfct_help(ct);


diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c index 9c71b2755ce3..3346de5d94d0 100644 --- a/net/ipv4/netfilter/nf_nat_core.c +++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -433,7 +433,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
433		433
434	/* Must be RELATED */	434	/* Must be RELATED */
435	NF_CT_ASSERT(skb->nfctinfo == IP_CT_RELATED \|\|	435	NF_CT_ASSERT(skb->nfctinfo == IP_CT_RELATED \|\|
436	skb->nfctinfo == IP_CT_RELATED+IP_CT_IS_REPLY);	436	skb->nfctinfo == IP_CT_RELATED_REPLY);
437		437
438	/* Redirects on non-null nats must be dropped, else they'll	438	/* Redirects on non-null nats must be dropped, else they'll
439	start talking to each other without our translation, and be	439	start talking to each other without our translation, and be


diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c index 21c30426480b..733c9abc1cbd 100644 --- a/net/ipv4/netfilter/nf_nat_rule.c +++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -53,7 +53,7 @@ ipt_snat_target(struct sk_buff skb, const struct xt_action_param par)
53		53
54	/* Connection must be valid and new. */	54	/* Connection must be valid and new. */
55	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW \|\| ctinfo == IP_CT_RELATED \|\|	55	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW \|\| ctinfo == IP_CT_RELATED \|\|
56	ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));	56	ctinfo == IP_CT_RELATED_REPLY));
57	NF_CT_ASSERT(par->out != NULL);	57	NF_CT_ASSERT(par->out != NULL);
58		58
59	return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC);	59	return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC);


diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index 7317bdf1d457..483b76d042da 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -116,7 +116,7 @@ nf_nat_fn(unsigned int hooknum,
116		116
117	switch (ctinfo) {	117	switch (ctinfo) {
118	case IP_CT_RELATED:	118	case IP_CT_RELATED:
119	case IP_CT_RELATED+IP_CT_IS_REPLY:	119	case IP_CT_RELATED_REPLY:
120	if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {	120	if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
121	if (!nf_nat_icmp_reply_translation(ct, ctinfo,	121	if (!nf_nat_icmp_reply_translation(ct, ctinfo,
122	hooknum, skb))	122	hooknum, skb))
@@ -144,7 +144,7 @@ nf_nat_fn(unsigned int hooknum,
144	default:	144	default:
145	/* ESTABLISHED */	145	/* ESTABLISHED */
146	NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED \|\|	146	NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED \|\|
147	ctinfo == (IP_CT_ESTABLISHED+IP_CT_IS_REPLY));	147	ctinfo == IP_CT_ESTABLISHED_REPLY);
148	}	148	}
149		149
150	return nf_nat_packet(ct, ctinfo, hooknum, skb);	150	return nf_nat_packet(ct, ctinfo, hooknum, skb);


diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index c8af58b22562..4111050a9fc5 100644 --- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -160,7 +160,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
160		160
161	/* This is where we call the helper: as the packet goes out. */	161	/* This is where we call the helper: as the packet goes out. */
162	ct = nf_ct_get(skb, &ctinfo);	162	ct = nf_ct_get(skb, &ctinfo);
163	if (!ct \|\| ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)	163	if (!ct \|\| ctinfo == IP_CT_RELATED_REPLY)
164	goto out;	164	goto out;
165		165
166	help = nfct_help(ct);	166	help = nfct_help(ct);


diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 2e1c11f78419..0bd568929403 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c
@@ -850,7 +850,7 @@ resolve_normal_ct(struct net net, struct nf_conn tmpl,
850		850
851	/* It exists; we have (non-exclusive) reference. */	851	/* It exists; we have (non-exclusive) reference. */
852	if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) {	852	if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) {
853	*ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;	853	*ctinfo = IP_CT_ESTABLISHED_REPLY;
854	/* Please set reply bit if this packet OK */	854	/* Please set reply bit if this packet OK */
855	*set_reply = 1;	855	*set_reply = 1;
856	} else {	856	} else {
@@ -1143,7 +1143,7 @@ static void nf_conntrack_attach(struct sk_buff nskb, struct sk_buff skb)
1143	/* This ICMP is in reverse direction to the packet which caused it */	1143	/* This ICMP is in reverse direction to the packet which caused it */
1144	ct = nf_ct_get(skb, &ctinfo);	1144	ct = nf_ct_get(skb, &ctinfo);
1145	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)	1145	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
1146	ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY;	1146	ctinfo = IP_CT_RELATED_REPLY;
1147	else	1147	else
1148	ctinfo = IP_CT_RELATED;	1148	ctinfo = IP_CT_RELATED;
1149		1149


diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c index e17cb7c7dd8f..6f5801eac999 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c
@@ -368,7 +368,7 @@ static int help(struct sk_buff *skb,
368		368
369	/* Until there's been traffic both ways, don't look in packets. */	369	/* Until there's been traffic both ways, don't look in packets. */
370	if (ctinfo != IP_CT_ESTABLISHED &&	370	if (ctinfo != IP_CT_ESTABLISHED &&
371	ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {	371	ctinfo != IP_CT_ESTABLISHED_REPLY) {
372	pr_debug("ftp: Conntrackinfo = %u\n", ctinfo);	372	pr_debug("ftp: Conntrackinfo = %u\n", ctinfo);
373	return NF_ACCEPT;	373	return NF_ACCEPT;
374	}	374	}


diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c index 18b2ce5c8ced..f03c2d4539f6 100644 --- a/net/netfilter/nf_conntrack_h323_main.c +++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -571,10 +571,9 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
571	int ret;	571	int ret;
572		572
573	/* Until there's been traffic both ways, don't look in packets. */	573	/* Until there's been traffic both ways, don't look in packets. */
574	if (ctinfo != IP_CT_ESTABLISHED &&	574	if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
575	ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
576	return NF_ACCEPT;	575	return NF_ACCEPT;
577	}	576
578	pr_debug("nf_ct_h245: skblen = %u\n", skb->len);	577	pr_debug("nf_ct_h245: skblen = %u\n", skb->len);
579		578
580	spin_lock_bh(&nf_h323_lock);	579	spin_lock_bh(&nf_h323_lock);
@@ -1125,10 +1124,9 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
1125	int ret;	1124	int ret;
1126		1125
1127	/* Until there's been traffic both ways, don't look in packets. */	1126	/* Until there's been traffic both ways, don't look in packets. */
1128	if (ctinfo != IP_CT_ESTABLISHED &&	1127	if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
1129	ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
1130	return NF_ACCEPT;	1128	return NF_ACCEPT;
1131	}	1129
1132	pr_debug("nf_ct_q931: skblen = %u\n", skb->len);	1130	pr_debug("nf_ct_q931: skblen = %u\n", skb->len);
1133		1131
1134	spin_lock_bh(&nf_h323_lock);	1132	spin_lock_bh(&nf_h323_lock);


diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c index b394aa318776..4f9390b98697 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c
@@ -125,8 +125,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
125	return NF_ACCEPT;	125	return NF_ACCEPT;
126		126
127	/* Until there's been traffic both ways, don't look in packets. */	127	/* Until there's been traffic both ways, don't look in packets. */
128	if (ctinfo != IP_CT_ESTABLISHED &&	128	if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
129	ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
130	return NF_ACCEPT;	129	return NF_ACCEPT;
131		130
132	/* Not a full tcp header? */	131	/* Not a full tcp header? */


diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c index 088944824e13..2fd4565144de 100644 --- a/net/netfilter/nf_conntrack_pptp.c +++ b/net/netfilter/nf_conntrack_pptp.c
@@ -519,8 +519,7 @@ conntrack_pptp_help(struct sk_buff *skb, unsigned int protoff,
519	u_int16_t msg;	519	u_int16_t msg;
520		520
521	/* don't do any tracking before tcp handshake complete */	521	/* don't do any tracking before tcp handshake complete */
522	if (ctinfo != IP_CT_ESTABLISHED &&	522	if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
523	ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
524	return NF_ACCEPT;	523	return NF_ACCEPT;
525		524
526	nexthdr_off = protoff;	525	nexthdr_off = protoff;


diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c index d9e27734b2a2..8501823b3f9b 100644 --- a/net/netfilter/nf_conntrack_sane.c +++ b/net/netfilter/nf_conntrack_sane.c
@@ -78,7 +78,7 @@ static int help(struct sk_buff *skb,
78	ct_sane_info = &nfct_help(ct)->help.ct_sane_info;	78	ct_sane_info = &nfct_help(ct)->help.ct_sane_info;
79	/* Until there's been traffic both ways, don't look in packets. */	79	/* Until there's been traffic both ways, don't look in packets. */
80	if (ctinfo != IP_CT_ESTABLISHED &&	80	if (ctinfo != IP_CT_ESTABLISHED &&
81	ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY)	81	ctinfo != IP_CT_ESTABLISHED_REPLY)
82	return NF_ACCEPT;	82	return NF_ACCEPT;
83		83
84	/* Not a full tcp header? */	84	/* Not a full tcp header? */


diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index cb5a28581782..93faf6a3a637 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c
@@ -1423,7 +1423,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
1423	typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;	1423	typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
1424		1424
1425	if (ctinfo != IP_CT_ESTABLISHED &&	1425	if (ctinfo != IP_CT_ESTABLISHED &&
1426	ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)	1426	ctinfo != IP_CT_ESTABLISHED_REPLY)
1427	return NF_ACCEPT;	1427	return NF_ACCEPT;
1428		1428
1429	/* No Data ? */	1429	/* No Data ? */


diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c index 9cc46356b577..fe39f7e913df 100644 --- a/net/netfilter/xt_socket.c +++ b/net/netfilter/xt_socket.c
@@ -143,9 +143,9 @@ socket_match(const struct sk_buff skb, struct xt_action_param par,
143	ct = nf_ct_get(skb, &ctinfo);	143	ct = nf_ct_get(skb, &ctinfo);
144	if (ct && !nf_ct_is_untracked(ct) &&	144	if (ct && !nf_ct_is_untracked(ct) &&
145	((iph->protocol != IPPROTO_ICMP &&	145	((iph->protocol != IPPROTO_ICMP &&
146	ctinfo == IP_CT_IS_REPLY + IP_CT_ESTABLISHED) \|\|	146	ctinfo == IP_CT_ESTABLISHED_REPLY) \|\|
147	(iph->protocol == IPPROTO_ICMP &&	147	(iph->protocol == IPPROTO_ICMP &&
148	ctinfo == IP_CT_IS_REPLY + IP_CT_RELATED)) &&	148	ctinfo == IP_CT_RELATED_REPLY)) &&
149	(ct->status & IPS_SRC_NAT_DONE)) {	149	(ct->status & IPS_SRC_NAT_DONE)) {
150		150
151	daddr = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip;	151	daddr = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip;