aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--Documentation/Changes2
-rw-r--r--Documentation/feature-removal-schedule.txt18
-rw-r--r--include/linux/ipv6.h1
-rw-r--r--include/linux/kernel.h6
-rw-r--r--include/linux/netfilter/Kbuild1
-rw-r--r--include/linux/netfilter/nf_conntrack_common.h1
-rw-r--r--include/linux/netfilter/nf_conntrack_tuple_common.h3
-rw-r--r--include/linux/netfilter/x_tables.h50
-rw-r--r--include/linux/netfilter/xt_CONNMARK.h22
-rw-r--r--include/linux/netfilter/xt_MARK.h6
-rw-r--r--include/linux/netfilter/xt_TEE.h12
-rw-r--r--include/linux/netfilter/xt_connmark.h11
-rw-r--r--include/linux/netfilter/xt_mark.h4
-rw-r--r--include/linux/netfilter/xt_recent.h7
-rw-r--r--include/linux/netfilter_bridge.h29
-rw-r--r--include/linux/netfilter_ipv6/ip6_tables.h4
-rw-r--r--include/net/neighbour.h14
-rw-r--r--net/bridge/br_device.c8
-rw-r--r--net/bridge/br_forward.c12
-rw-r--r--net/bridge/br_input.c6
-rw-r--r--net/bridge/br_multicast.c2
-rw-r--r--net/bridge/br_netfilter.c263
-rw-r--r--net/bridge/br_stp_bpdu.c2
-rw-r--r--net/bridge/netfilter/ebt_802_3.c6
-rw-r--r--net/bridge/netfilter/ebt_among.c25
-rw-r--r--net/bridge/netfilter/ebt_arp.c8
-rw-r--r--net/bridge/netfilter/ebt_arpreply.c8
-rw-r--r--net/bridge/netfilter/ebt_dnat.c10
-rw-r--r--net/bridge/netfilter/ebt_ip.c16
-rw-r--r--net/bridge/netfilter/ebt_ip6.c37
-rw-r--r--net/bridge/netfilter/ebt_limit.c9
-rw-r--r--net/bridge/netfilter/ebt_log.c8
-rw-r--r--net/bridge/netfilter/ebt_mark.c10
-rw-r--r--net/bridge/netfilter/ebt_mark_m.c10
-rw-r--r--net/bridge/netfilter/ebt_nflog.c6
-rw-r--r--net/bridge/netfilter/ebt_pkttype.c6
-rw-r--r--net/bridge/netfilter/ebt_redirect.c10
-rw-r--r--net/bridge/netfilter/ebt_snat.c10
-rw-r--r--net/bridge/netfilter/ebt_stp.c8
-rw-r--r--net/bridge/netfilter/ebt_ulog.c36
-rw-r--r--net/bridge/netfilter/ebt_vlan.c52
-rw-r--r--net/bridge/netfilter/ebtables.c23
-rw-r--r--net/decnet/dn_neigh.c9
-rw-r--r--net/decnet/dn_nsp_in.c3
-rw-r--r--net/decnet/dn_route.c28
-rw-r--r--net/ipv4/ip_forward.c4
-rw-r--r--net/ipv4/ip_input.c4
-rw-r--r--net/ipv4/ip_output.c22
-rw-r--r--net/ipv4/ipmr.c2
-rw-r--r--net/ipv4/netfilter/arp_tables.c26
-rw-r--r--net/ipv4/netfilter/arpt_mangle.c2
-rw-r--r--net/ipv4/netfilter/ip_queue.c3
-rw-r--r--net/ipv4/netfilter/ip_tables.c127
-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c71
-rw-r--r--net/ipv4/netfilter/ipt_ECN.c21
-rw-r--r--net/ipv4/netfilter/ipt_LOG.c17
-rw-r--r--net/ipv4/netfilter/ipt_MASQUERADE.c16
-rw-r--r--net/ipv4/netfilter/ipt_NETMAP.c14
-rw-r--r--net/ipv4/netfilter/ipt_REDIRECT.c14
-rw-r--r--net/ipv4/netfilter/ipt_REJECT.c17
-rw-r--r--net/ipv4/netfilter/ipt_ULOG.c45
-rw-r--r--net/ipv4/netfilter/ipt_addrtype.c24
-rw-r--r--net/ipv4/netfilter/ipt_ah.c24
-rw-r--r--net/ipv4/netfilter/ipt_ecn.c15
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c7
-rw-r--r--net/ipv4/netfilter/nf_nat_h323.c1
-rw-r--r--net/ipv4/netfilter/nf_nat_rule.c17
-rw-r--r--net/ipv4/netfilter/nf_nat_standalone.c3
-rw-r--r--net/ipv4/netfilter/nf_nat_tftp.c1
-rw-r--r--net/ipv4/raw.c4
-rw-r--r--net/ipv4/xfrm4_input.c2
-rw-r--r--net/ipv4/xfrm4_output.c2
-rw-r--r--net/ipv6/ip6_input.c4
-rw-r--r--net/ipv6/ip6_output.c64
-rw-r--r--net/ipv6/ip6mr.c2
-rw-r--r--net/ipv6/mcast.c4
-rw-r--r--net/ipv6/ndisc.c4
-rw-r--r--net/ipv6/netfilter.c25
-rw-r--r--net/ipv6/netfilter/ip6_queue.c3
-rw-r--r--net/ipv6/netfilter/ip6_tables.c109
-rw-r--r--net/ipv6/netfilter/ip6t_LOG.c18
-rw-r--r--net/ipv6/netfilter/ip6t_REJECT.c30
-rw-r--r--net/ipv6/netfilter/ip6t_ah.c12
-rw-r--r--net/ipv6/netfilter/ip6t_frag.c12
-rw-r--r--net/ipv6/netfilter/ip6t_hbh.c23
-rw-r--r--net/ipv6/netfilter/ip6t_ipv6header.c6
-rw-r--r--net/ipv6/netfilter/ip6t_mh.c15
-rw-r--r--net/ipv6/netfilter/ip6t_rt.c14
-rw-r--r--net/ipv6/netfilter/nf_conntrack_reasm.c2
-rw-r--r--net/ipv6/raw.c4
-rw-r--r--net/ipv6/xfrm6_input.c2
-rw-r--r--net/ipv6/xfrm6_output.c4
-rw-r--r--net/netfilter/Kconfig131
-rw-r--r--net/netfilter/Makefile9
-rw-r--r--net/netfilter/ipvs/ip_vs_ftp.c10
-rw-r--r--net/netfilter/ipvs/ip_vs_proto.c28
-rw-r--r--net/netfilter/ipvs/ip_vs_proto_ah_esp.c14
-rw-r--r--net/netfilter/ipvs/ip_vs_xmit.c16
-rw-r--r--net/netfilter/nf_conntrack_core.c4
-rw-r--r--net/netfilter/nf_conntrack_ecache.c12
-rw-r--r--net/netfilter/nf_conntrack_h323_main.c3
-rw-r--r--net/netfilter/nf_conntrack_netlink.c17
-rw-r--r--net/netfilter/nf_conntrack_proto.c8
-rw-r--r--net/netfilter/nf_conntrack_standalone.c7
-rw-r--r--net/netfilter/nf_log.c6
-rw-r--r--net/netfilter/nfnetlink.c3
-rw-r--r--net/netfilter/nfnetlink_queue.c3
-rw-r--r--net/netfilter/x_tables.c128
-rw-r--r--net/netfilter/xt_CONNMARK.c113
-rw-r--r--net/netfilter/xt_CONNSECMARK.c27
-rw-r--r--net/netfilter/xt_CT.c23
-rw-r--r--net/netfilter/xt_DSCP.c10
-rw-r--r--net/netfilter/xt_HL.c26
-rw-r--r--net/netfilter/xt_LED.c91
-rw-r--r--net/netfilter/xt_MARK.c56
-rw-r--r--net/netfilter/xt_NFLOG.c8
-rw-r--r--net/netfilter/xt_NFQUEUE.c48
-rw-r--r--net/netfilter/xt_RATEEST.c18
-rw-r--r--net/netfilter/xt_SECMARK.c46
-rw-r--r--net/netfilter/xt_TCPMSS.c37
-rw-r--r--net/netfilter/xt_TCPOPTSTRIP.c3
-rw-r--r--net/netfilter/xt_TEE.c309
-rw-r--r--net/netfilter/xt_TPROXY.c10
-rw-r--r--net/netfilter/xt_cluster.c19
-rw-r--r--net/netfilter/xt_connbytes.c20
-rw-r--r--net/netfilter/xt_connlimit.c18
-rw-r--r--net/netfilter/xt_connmark.c102
-rw-r--r--net/netfilter/xt_conntrack.c17
-rw-r--r--net/netfilter/xt_dccp.c12
-rw-r--r--net/netfilter/xt_dscp.c12
-rw-r--r--net/netfilter/xt_esp.c24
-rw-r--r--net/netfilter/xt_hashlimit.c342
-rw-r--r--net/netfilter/xt_helper.c16
-rw-r--r--net/netfilter/xt_hl.c12
-rw-r--r--net/netfilter/xt_iprange.c1
-rw-r--r--net/netfilter/xt_limit.c13
-rw-r--r--net/netfilter/xt_mac.c21
-rw-r--r--net/netfilter/xt_mark.c35
-rw-r--r--net/netfilter/xt_multiport.c95
-rw-r--r--net/netfilter/xt_osf.c8
-rw-r--r--net/netfilter/xt_physdev.c16
-rw-r--r--net/netfilter/xt_policy.c29
-rw-r--r--net/netfilter/xt_quota.c8
-rw-r--r--net/netfilter/xt_rateest.c8
-rw-r--r--net/netfilter/xt_recent.c185
-rw-r--r--net/netfilter/xt_sctp.c51
-rw-r--r--net/netfilter/xt_socket.c5
-rw-r--r--net/netfilter/xt_state.c48
-rw-r--r--net/netfilter/xt_statistic.c12
-rw-r--r--net/netfilter/xt_string.c66
-rw-r--r--net/netfilter/xt_tcpudp.c24
-rw-r--r--net/netfilter/xt_time.c13
-rw-r--r--net/netfilter/xt_u32.c3
-rw-r--r--net/sched/act_ipt.c4
154 files changed, 2033 insertions, 2114 deletions
diff --git a/Documentation/Changes b/Documentation/Changes
index f08b313cd235..eca9f6e6fbe6 100644
--- a/Documentation/Changes
+++ b/Documentation/Changes
@@ -49,7 +49,7 @@ o oprofile 0.9 # oprofiled --version
49o udev 081 # udevinfo -V 49o udev 081 # udevinfo -V
50o grub 0.93 # grub --version 50o grub 0.93 # grub --version
51o mcelog 0.6 51o mcelog 0.6
52o iptables 1.4.1 # iptables -V 52o iptables 1.4.2 # iptables -V
53 53
54 54
55Kernel compilation 55Kernel compilation
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 116a13c4f13f..a1c6e9277986 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -241,16 +241,6 @@ Who: Thomas Gleixner <tglx@linutronix.de>
241 241
242--------------------------- 242---------------------------
243 243
244What (Why):
245 - xt_recent: the old ipt_recent proc dir
246 (superseded by /proc/net/xt_recent)
247
248When: January 2009 or Linux 2.7.0, whichever comes first
249Why: Superseded by newer revisions or modules
250Who: Jan Engelhardt <jengelh@computergmbh.de>
251
252---------------------------
253
254What: GPIO autorequest on gpio_direction_{input,output}() in gpiolib 244What: GPIO autorequest on gpio_direction_{input,output}() in gpiolib
255When: February 2010 245When: February 2010
256Why: All callers should use explicit gpio_request()/gpio_free(). 246Why: All callers should use explicit gpio_request()/gpio_free().
@@ -628,3 +618,11 @@ Why: Internal alias support has been present in module-init-tools for some
628 with no impact. 618 with no impact.
629 619
630Who: Wey-Yi Guy <wey-yi.w.guy@intel.com> 620Who: Wey-Yi Guy <wey-yi.w.guy@intel.com>
621
622---------------------------
623
624What: xt_NOTRACK
625Files: net/netfilter/xt_NOTRACK.c
626When: April 2011
627Why: Superseded by xt_CT
628Who: Netfilter developer team <netfilter-devel@vger.kernel.org>
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 2ab5509f6d49..0e269038bb38 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -254,6 +254,7 @@ struct inet6_skb_parm {
254 254
255#define IP6SKB_XFRM_TRANSFORMED 1 255#define IP6SKB_XFRM_TRANSFORMED 1
256#define IP6SKB_FORWARDED 2 256#define IP6SKB_FORWARDED 2
257#define IP6SKB_REROUTED 4
257}; 258};
258 259
259#define IP6CB(skb) ((struct inet6_skb_parm*)((skb)->cb)) 260#define IP6CB(skb) ((struct inet6_skb_parm*)((skb)->cb))
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 9365227dbaf6..a38d6bd6fde6 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -4,6 +4,8 @@
4/* 4/*
5 * 'kernel.h' contains some often-used function prototypes etc 5 * 'kernel.h' contains some often-used function prototypes etc
6 */ 6 */
7#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
8#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
7 9
8#ifdef __KERNEL__ 10#ifdef __KERNEL__
9 11
@@ -37,8 +39,8 @@ extern const char linux_proc_banner[];
37 39
38#define STACK_MAGIC 0xdeadbeef 40#define STACK_MAGIC 0xdeadbeef
39 41
40#define ALIGN(x,a) __ALIGN_MASK(x,(typeof(x))(a)-1) 42#define ALIGN(x, a) __ALIGN_KERNEL((x), (a))
41#define __ALIGN_MASK(x,mask) (((x)+(mask))&~(mask)) 43#define __ALIGN_MASK(x, mask) __ALIGN_KERNEL_MASK((x), (mask))
42#define PTR_ALIGN(p, a) ((typeof(p))ALIGN((unsigned long)(p), (a))) 44#define PTR_ALIGN(p, a) ((typeof(p))ALIGN((unsigned long)(p), (a)))
43#define IS_ALIGNED(x, a) (((x) & ((typeof(x))(a) - 1)) == 0) 45#define IS_ALIGNED(x, a) (((x) & ((typeof(x))(a) - 1)) == 0)
44 46
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index a5a63e41b8af..48767cd16453 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -16,6 +16,7 @@ header-y += xt_RATEEST.h
16header-y += xt_SECMARK.h 16header-y += xt_SECMARK.h
17header-y += xt_TCPMSS.h 17header-y += xt_TCPMSS.h
18header-y += xt_TCPOPTSTRIP.h 18header-y += xt_TCPOPTSTRIP.h
19header-y += xt_TEE.h
19header-y += xt_TPROXY.h 20header-y += xt_TPROXY.h
20header-y += xt_comment.h 21header-y += xt_comment.h
21header-y += xt_connbytes.h 22header-y += xt_connbytes.h
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index c608677dda60..14e6d32002c4 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -113,6 +113,7 @@ struct ip_conntrack_stat {
113 unsigned int expect_new; 113 unsigned int expect_new;
114 unsigned int expect_create; 114 unsigned int expect_create;
115 unsigned int expect_delete; 115 unsigned int expect_delete;
116 unsigned int search_restart;
116}; 117};
117 118
118/* call to create an explicit dependency on nf_conntrack. */ 119/* call to create an explicit dependency on nf_conntrack. */
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
index 8e145f0d61cb..2ea22b018a87 100644
--- a/include/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -1,8 +1,7 @@
1#ifndef _NF_CONNTRACK_TUPLE_COMMON_H 1#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
2#define _NF_CONNTRACK_TUPLE_COMMON_H 2#define _NF_CONNTRACK_TUPLE_COMMON_H
3 3
4enum ip_conntrack_dir 4enum ip_conntrack_dir {
5{
6 IP_CT_DIR_ORIGINAL, 5 IP_CT_DIR_ORIGINAL,
7 IP_CT_DIR_REPLY, 6 IP_CT_DIR_REPLY,
8 IP_CT_DIR_MAX 7 IP_CT_DIR_MAX
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 84c7c928e9eb..eeb4884c30be 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -1,9 +1,10 @@
1#ifndef _X_TABLES_H 1#ifndef _X_TABLES_H
2#define _X_TABLES_H 2#define _X_TABLES_H
3 3#include <linux/kernel.h>
4#include <linux/types.h> 4#include <linux/types.h>
5 5
6#define XT_FUNCTION_MAXNAMELEN 30 6#define XT_FUNCTION_MAXNAMELEN 30
7#define XT_EXTENSION_MAXNAMELEN 29
7#define XT_TABLE_MAXNAMELEN 32 8#define XT_TABLE_MAXNAMELEN 32
8 9
9struct xt_entry_match { 10struct xt_entry_match {
@@ -12,8 +13,7 @@ struct xt_entry_match {
12 __u16 match_size; 13 __u16 match_size;
13 14
14 /* Used by userspace */ 15 /* Used by userspace */
15 char name[XT_FUNCTION_MAXNAMELEN-1]; 16 char name[XT_EXTENSION_MAXNAMELEN];
16
17 __u8 revision; 17 __u8 revision;
18 } user; 18 } user;
19 struct { 19 struct {
@@ -36,8 +36,7 @@ struct xt_entry_target {
36 __u16 target_size; 36 __u16 target_size;
37 37
38 /* Used by userspace */ 38 /* Used by userspace */
39 char name[XT_FUNCTION_MAXNAMELEN-1]; 39 char name[XT_EXTENSION_MAXNAMELEN];
40
41 __u8 revision; 40 __u8 revision;
42 } user; 41 } user;
43 struct { 42 struct {
@@ -70,8 +69,7 @@ struct xt_standard_target {
70/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision 69/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
71 * kernel supports, if >= revision. */ 70 * kernel supports, if >= revision. */
72struct xt_get_revision { 71struct xt_get_revision {
73 char name[XT_FUNCTION_MAXNAMELEN-1]; 72 char name[XT_EXTENSION_MAXNAMELEN];
74
75 __u8 revision; 73 __u8 revision;
76}; 74};
77 75
@@ -93,7 +91,7 @@ struct _xt_align {
93 __u64 u64; 91 __u64 u64;
94}; 92};
95 93
96#define XT_ALIGN(s) ALIGN((s), __alignof__(struct _xt_align)) 94#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
97 95
98/* Standard return verdict, or do jump. */ 96/* Standard return verdict, or do jump. */
99#define XT_STANDARD_TARGET "" 97#define XT_STANDARD_TARGET ""
@@ -197,6 +195,7 @@ struct xt_counters_info {
197 * @family: Actual NFPROTO_* through which the function is invoked 195 * @family: Actual NFPROTO_* through which the function is invoked
198 * (helpful when match->family == NFPROTO_UNSPEC) 196 * (helpful when match->family == NFPROTO_UNSPEC)
199 * @hotdrop: drop packet if we had inspection problems 197 * @hotdrop: drop packet if we had inspection problems
198 * Network namespace obtainable using dev_net(in/out)
200 */ 199 */
201struct xt_match_param { 200struct xt_match_param {
202 const struct net_device *in, *out; 201 const struct net_device *in, *out;
@@ -213,12 +212,14 @@ struct xt_match_param {
213 * struct xt_mtchk_param - parameters for match extensions' 212 * struct xt_mtchk_param - parameters for match extensions'
214 * checkentry functions 213 * checkentry functions
215 * 214 *
215 * @net: network namespace through which the check was invoked
216 * @table: table the rule is tried to be inserted into 216 * @table: table the rule is tried to be inserted into
217 * @entryinfo: the family-specific rule data 217 * @entryinfo: the family-specific rule data
218 * (struct ipt_ip, ip6t_ip, ebt_entry) 218 * (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
219 * @match: struct xt_match through which this function was invoked 219 * @match: struct xt_match through which this function was invoked
220 * @matchinfo: per-match data 220 * @matchinfo: per-match data
221 * @hook_mask: via which hooks the new rule is reachable 221 * @hook_mask: via which hooks the new rule is reachable
222 * Other fields as above.
222 */ 223 */
223struct xt_mtchk_param { 224struct xt_mtchk_param {
224 struct net *net; 225 struct net *net;
@@ -230,7 +231,10 @@ struct xt_mtchk_param {
230 u_int8_t family; 231 u_int8_t family;
231}; 232};
232 233
233/* Match destructor parameters */ 234/**
235 * struct xt_mdtor_param - match destructor parameters
236 * Fields as above.
237 */
234struct xt_mtdtor_param { 238struct xt_mtdtor_param {
235 struct net *net; 239 struct net *net;
236 const struct xt_match *match; 240 const struct xt_match *match;
@@ -285,7 +289,7 @@ struct xt_tgdtor_param {
285struct xt_match { 289struct xt_match {
286 struct list_head list; 290 struct list_head list;
287 291
288 const char name[XT_FUNCTION_MAXNAMELEN-1]; 292 const char name[XT_EXTENSION_MAXNAMELEN];
289 u_int8_t revision; 293 u_int8_t revision;
290 294
291 /* Return true or false: return FALSE and set *hotdrop = 1 to 295 /* Return true or false: return FALSE and set *hotdrop = 1 to
@@ -297,7 +301,7 @@ struct xt_match {
297 const struct xt_match_param *); 301 const struct xt_match_param *);
298 302
299 /* Called when user tries to insert an entry of this type. */ 303 /* Called when user tries to insert an entry of this type. */
300 bool (*checkentry)(const struct xt_mtchk_param *); 304 int (*checkentry)(const struct xt_mtchk_param *);
301 305
302 /* Called when entry of this type deleted. */ 306 /* Called when entry of this type deleted. */
303 void (*destroy)(const struct xt_mtdtor_param *); 307 void (*destroy)(const struct xt_mtdtor_param *);
@@ -309,9 +313,6 @@ struct xt_match {
309 /* Set this to THIS_MODULE if you are a module, otherwise NULL */ 313 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
310 struct module *me; 314 struct module *me;
311 315
312 /* Free to use by each match */
313 unsigned long data;
314
315 const char *table; 316 const char *table;
316 unsigned int matchsize; 317 unsigned int matchsize;
317#ifdef CONFIG_COMPAT 318#ifdef CONFIG_COMPAT
@@ -327,7 +328,8 @@ struct xt_match {
327struct xt_target { 328struct xt_target {
328 struct list_head list; 329 struct list_head list;
329 330
330 const char name[XT_FUNCTION_MAXNAMELEN-1]; 331 const char name[XT_EXTENSION_MAXNAMELEN];
332 u_int8_t revision;
331 333
332 /* Returns verdict. Argument order changed since 2.6.9, as this 334 /* Returns verdict. Argument order changed since 2.6.9, as this
333 must now handle non-linear skbs, using skb_copy_bits and 335 must now handle non-linear skbs, using skb_copy_bits and
@@ -338,8 +340,8 @@ struct xt_target {
338 /* Called when user tries to insert an entry of this type: 340 /* Called when user tries to insert an entry of this type:
339 hook_mask is a bitmask of hooks from which it can be 341 hook_mask is a bitmask of hooks from which it can be
340 called. */ 342 called. */
341 /* Should return true or false. */ 343 /* Should return true or false, or an error code (-Exxxx). */
342 bool (*checkentry)(const struct xt_tgchk_param *); 344 int (*checkentry)(const struct xt_tgchk_param *);
343 345
344 /* Called when entry of this type deleted. */ 346 /* Called when entry of this type deleted. */
345 void (*destroy)(const struct xt_tgdtor_param *); 347 void (*destroy)(const struct xt_tgdtor_param *);
@@ -360,7 +362,6 @@ struct xt_target {
360 unsigned short proto; 362 unsigned short proto;
361 363
362 unsigned short family; 364 unsigned short family;
363 u_int8_t revision;
364}; 365};
365 366
366/* Furniture shopping... */ 367/* Furniture shopping... */
@@ -398,6 +399,13 @@ struct xt_table_info {
398 unsigned int hook_entry[NF_INET_NUMHOOKS]; 399 unsigned int hook_entry[NF_INET_NUMHOOKS];
399 unsigned int underflow[NF_INET_NUMHOOKS]; 400 unsigned int underflow[NF_INET_NUMHOOKS];
400 401
402 /*
403 * Number of user chains. Since tables cannot have loops, at most
404 * @stacksize jumps (number of user chains) can possibly be made.
405 */
406 unsigned int stacksize;
407 unsigned int *stackptr;
408 void ***jumpstack;
401 /* ipt_entry tables: one per CPU */ 409 /* ipt_entry tables: one per CPU */
402 /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */ 410 /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
403 void *entries[1]; 411 void *entries[1];
@@ -433,6 +441,8 @@ extern struct xt_table_info *xt_replace_table(struct xt_table *table,
433 441
434extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision); 442extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
435extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision); 443extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
444extern struct xt_match *xt_request_find_match(u8 af, const char *name,
445 u8 revision);
436extern struct xt_target *xt_request_find_target(u8 af, const char *name, 446extern struct xt_target *xt_request_find_target(u8 af, const char *name,
437 u8 revision); 447 u8 revision);
438extern int xt_find_revision(u8 af, const char *name, u8 revision, 448extern int xt_find_revision(u8 af, const char *name, u8 revision,
@@ -598,7 +608,7 @@ struct _compat_xt_align {
598 compat_u64 u64; 608 compat_u64 u64;
599}; 609};
600 610
601#define COMPAT_XT_ALIGN(s) ALIGN((s), __alignof__(struct _compat_xt_align)) 611#define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
602 612
603extern void xt_compat_lock(u_int8_t af); 613extern void xt_compat_lock(u_int8_t af);
604extern void xt_compat_unlock(u_int8_t af); 614extern void xt_compat_unlock(u_int8_t af);
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h
index 0a8545866752..2f2e48ec8023 100644
--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -1,26 +1,6 @@
1#ifndef _XT_CONNMARK_H_target 1#ifndef _XT_CONNMARK_H_target
2#define _XT_CONNMARK_H_target 2#define _XT_CONNMARK_H_target
3 3
4#include <linux/types.h> 4#include <linux/netfilter/xt_connmark.h>
5
6/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
7 * by Henrik Nordstrom <hno@marasystems.com>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 */
14
15enum {
16 XT_CONNMARK_SET = 0,
17 XT_CONNMARK_SAVE,
18 XT_CONNMARK_RESTORE
19};
20
21struct xt_connmark_tginfo1 {
22 __u32 ctmark, ctmask, nfmask;
23 __u8 mode;
24};
25 5
26#endif /*_XT_CONNMARK_H_target*/ 6#endif /*_XT_CONNMARK_H_target*/
diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
index bc9561bdef79..41c456deba22 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/linux/netfilter/xt_MARK.h
@@ -1,10 +1,6 @@
1#ifndef _XT_MARK_H_target 1#ifndef _XT_MARK_H_target
2#define _XT_MARK_H_target 2#define _XT_MARK_H_target
3 3
4#include <linux/types.h> 4#include <linux/netfilter/xt_mark.h>
5
6struct xt_mark_tginfo2 {
7 __u32 mark, mask;
8};
9 5
10#endif /*_XT_MARK_H_target */ 6#endif /*_XT_MARK_H_target */
diff --git a/include/linux/netfilter/xt_TEE.h b/include/linux/netfilter/xt_TEE.h
new file mode 100644
index 000000000000..5c21d5c829af
--- /dev/null
+++ b/include/linux/netfilter/xt_TEE.h
@@ -0,0 +1,12 @@
1#ifndef _XT_TEE_TARGET_H
2#define _XT_TEE_TARGET_H
3
4struct xt_tee_tginfo {
5 union nf_inet_addr gw;
6 char oif[16];
7
8 /* used internally by the kernel */
9 struct xt_tee_priv *priv __attribute__((aligned(8)));
10};
11
12#endif /* _XT_TEE_TARGET_H */
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
index 619e47cde01a..efc17a8305fb 100644
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -12,6 +12,17 @@
12 * (at your option) any later version. 12 * (at your option) any later version.
13 */ 13 */
14 14
15enum {
16 XT_CONNMARK_SET = 0,
17 XT_CONNMARK_SAVE,
18 XT_CONNMARK_RESTORE
19};
20
21struct xt_connmark_tginfo1 {
22 __u32 ctmark, ctmask, nfmask;
23 __u8 mode;
24};
25
15struct xt_connmark_mtinfo1 { 26struct xt_connmark_mtinfo1 {
16 __u32 mark, mask; 27 __u32 mark, mask;
17 __u8 invert; 28 __u8 invert;
diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h
index 6607c8f38ea5..ecadc40d5cde 100644
--- a/include/linux/netfilter/xt_mark.h
+++ b/include/linux/netfilter/xt_mark.h
@@ -3,6 +3,10 @@
3 3
4#include <linux/types.h> 4#include <linux/types.h>
5 5
6struct xt_mark_tginfo2 {
7 __u32 mark, mask;
8};
9
6struct xt_mark_mtinfo1 { 10struct xt_mark_mtinfo1 {
7 __u32 mark, mask; 11 __u32 mark, mask;
8 __u8 invert; 12 __u8 invert;
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
index d2c276609925..83318e01425e 100644
--- a/include/linux/netfilter/xt_recent.h
+++ b/include/linux/netfilter/xt_recent.h
@@ -9,6 +9,7 @@ enum {
9 XT_RECENT_UPDATE = 1 << 2, 9 XT_RECENT_UPDATE = 1 << 2,
10 XT_RECENT_REMOVE = 1 << 3, 10 XT_RECENT_REMOVE = 1 << 3,
11 XT_RECENT_TTL = 1 << 4, 11 XT_RECENT_TTL = 1 << 4,
12 XT_RECENT_REAP = 1 << 5,
12 13
13 XT_RECENT_SOURCE = 0, 14 XT_RECENT_SOURCE = 0,
14 XT_RECENT_DEST = 1, 15 XT_RECENT_DEST = 1,
@@ -16,6 +17,12 @@ enum {
16 XT_RECENT_NAME_LEN = 200, 17 XT_RECENT_NAME_LEN = 200,
17}; 18};
18 19
20/* Only allowed with --rcheck and --update */
21#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
22
23#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
24 XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
25
19struct xt_recent_mtinfo { 26struct xt_recent_mtinfo {
20 __u32 seconds; 27 __u32 seconds;
21 __u32 hit_count; 28 __u32 hit_count;
diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
index f8105e54716a..0ddd161f3b06 100644
--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
@@ -41,10 +41,10 @@ enum nf_br_hook_priorities {
41 41
42#define BRNF_PKT_TYPE 0x01 42#define BRNF_PKT_TYPE 0x01
43#define BRNF_BRIDGED_DNAT 0x02 43#define BRNF_BRIDGED_DNAT 0x02
44#define BRNF_DONT_TAKE_PARENT 0x04 44#define BRNF_BRIDGED 0x04
45#define BRNF_BRIDGED 0x08 45#define BRNF_NF_BRIDGE_PREROUTING 0x08
46#define BRNF_NF_BRIDGE_PREROUTING 0x10 46#define BRNF_8021Q 0x10
47 47#define BRNF_PPPoE 0x20
48 48
49/* Only used in br_forward.c */ 49/* Only used in br_forward.c */
50extern int nf_bridge_copy_header(struct sk_buff *skb); 50extern int nf_bridge_copy_header(struct sk_buff *skb);
@@ -68,6 +68,27 @@ static inline unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
68 } 68 }
69} 69}
70 70
71static inline unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
72{
73 if (unlikely(skb->nf_bridge->mask & BRNF_PPPoE))
74 return PPPOE_SES_HLEN;
75 return 0;
76}
77
78extern int br_handle_frame_finish(struct sk_buff *skb);
79/* Only used in br_device.c */
80static inline int br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
81{
82 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
83
84 skb_pull(skb, ETH_HLEN);
85 nf_bridge->mask ^= BRNF_BRIDGED_DNAT;
86 skb_copy_to_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN),
87 skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);
88 skb->dev = nf_bridge->physindev;
89 return br_handle_frame_finish(skb);
90}
91
71/* This is called by the IP fragmenting code and it ensures there is 92/* This is called by the IP fragmenting code and it ensures there is
72 * enough room for the encapsulating header (if there is one). */ 93 * enough room for the encapsulating header (if there is one). */
73static inline unsigned int nf_bridge_pad(const struct sk_buff *skb) 94static inline unsigned int nf_bridge_pad(const struct sk_buff *skb)
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index e5ba03d783c6..18442ff19c07 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -316,10 +316,6 @@ extern int ip6t_ext_hdr(u8 nexthdr);
316extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset, 316extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
317 int target, unsigned short *fragoff); 317 int target, unsigned short *fragoff);
318 318
319extern int ip6_masked_addrcmp(const struct in6_addr *addr1,
320 const struct in6_addr *mask,
321 const struct in6_addr *addr2);
322
323#define IP6T_ALIGN(s) XT_ALIGN(s) 319#define IP6T_ALIGN(s) XT_ALIGN(s)
324 320
325#ifdef CONFIG_COMPAT 321#ifdef CONFIG_COMPAT
diff --git a/include/net/neighbour.h b/include/net/neighbour.h
index da1d58be31b7..eb21340a573b 100644
--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -299,6 +299,20 @@ static inline int neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)
299 return 0; 299 return 0;
300} 300}
301 301
302#ifdef CONFIG_BRIDGE_NETFILTER
303static inline int neigh_hh_bridge(struct hh_cache *hh, struct sk_buff *skb)
304{
305 unsigned seq, hh_alen;
306
307 do {
308 seq = read_seqbegin(&hh->hh_lock);
309 hh_alen = HH_DATA_ALIGN(ETH_HLEN);
310 memcpy(skb->data - hh_alen, hh->hh_data, ETH_ALEN + hh_alen - ETH_HLEN);
311 } while (read_seqretry(&hh->hh_lock, seq));
312 return 0;
313}
314#endif
315
302static inline int neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb) 316static inline int neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb)
303{ 317{
304 unsigned seq; 318 unsigned seq;
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 074c59690fc5..f15f9c4a0dd2 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -17,6 +17,7 @@
17#include <linux/etherdevice.h> 17#include <linux/etherdevice.h>
18#include <linux/ethtool.h> 18#include <linux/ethtool.h>
19#include <linux/list.h> 19#include <linux/list.h>
20#include <linux/netfilter_bridge.h>
20 21
21#include <asm/uaccess.h> 22#include <asm/uaccess.h>
22#include "br_private.h" 23#include "br_private.h"
@@ -30,6 +31,13 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
30 struct net_bridge_mdb_entry *mdst; 31 struct net_bridge_mdb_entry *mdst;
31 struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats); 32 struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
32 33
34#ifdef CONFIG_BRIDGE_NETFILTER
35 if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
36 br_nf_pre_routing_finish_bridge_slow(skb);
37 return NETDEV_TX_OK;
38 }
39#endif
40
33 brstats->tx_packets++; 41 brstats->tx_packets++;
34 brstats->tx_bytes += skb->len; 42 brstats->tx_bytes += skb->len;
35 43
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 92ad9feb199d..a98ef1393097 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -45,7 +45,7 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
45 if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb)) 45 if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
46 kfree_skb(skb); 46 kfree_skb(skb);
47 else { 47 else {
48 /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */ 48 /* ip_fragment doesn't copy the MAC header */
49 if (nf_bridge_maybe_copy_header(skb)) 49 if (nf_bridge_maybe_copy_header(skb))
50 kfree_skb(skb); 50 kfree_skb(skb);
51 else { 51 else {
@@ -66,7 +66,7 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
66 66
67int br_forward_finish(struct sk_buff *skb) 67int br_forward_finish(struct sk_buff *skb)
68{ 68{
69 return NF_HOOK(PF_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev, 69 return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
70 br_dev_queue_push_xmit); 70 br_dev_queue_push_xmit);
71 71
72} 72}
@@ -84,8 +84,8 @@ static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb)
84 } 84 }
85#endif 85#endif
86 skb->dev = to->dev; 86 skb->dev = to->dev;
87 NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 87 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
88 br_forward_finish); 88 br_forward_finish);
89#ifdef CONFIG_NET_POLL_CONTROLLER 89#ifdef CONFIG_NET_POLL_CONTROLLER
90 if (skb->dev->npinfo) 90 if (skb->dev->npinfo)
91 skb->dev->npinfo->netpoll->dev = br->dev; 91 skb->dev->npinfo->netpoll->dev = br->dev;
@@ -105,8 +105,8 @@ static void __br_forward(const struct net_bridge_port *to, struct sk_buff *skb)
105 skb->dev = to->dev; 105 skb->dev = to->dev;
106 skb_forward_csum(skb); 106 skb_forward_csum(skb);
107 107
108 NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev, 108 NF_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
109 br_forward_finish); 109 br_forward_finish);
110} 110}
111 111
112/* called with rcu_read_lock */ 112/* called with rcu_read_lock */
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index e7f4c1d02f57..d36e700f7a26 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -33,7 +33,7 @@ static int br_pass_frame_up(struct sk_buff *skb)
33 indev = skb->dev; 33 indev = skb->dev;
34 skb->dev = brdev; 34 skb->dev = brdev;
35 35
36 return NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL, 36 return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
37 netif_receive_skb); 37 netif_receive_skb);
38} 38}
39 39
@@ -156,7 +156,7 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
156 if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0) 156 if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
157 goto forward; 157 goto forward;
158 158
159 if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev, 159 if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
160 NULL, br_handle_local_finish)) 160 NULL, br_handle_local_finish))
161 return NULL; /* frame consumed by filter */ 161 return NULL; /* frame consumed by filter */
162 else 162 else
@@ -177,7 +177,7 @@ forward:
177 if (!compare_ether_addr(p->br->dev->dev_addr, dest)) 177 if (!compare_ether_addr(p->br->dev->dev_addr, dest))
178 skb->pkt_type = PACKET_HOST; 178 skb->pkt_type = PACKET_HOST;
179 179
180 NF_HOOK(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, 180 NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
181 br_handle_frame_finish); 181 br_handle_frame_finish);
182 break; 182 break;
183 default: 183 default:
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 7128abdce45f..c8419e240316 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -814,7 +814,7 @@ static void __br_multicast_send_query(struct net_bridge *br,
814 if (port) { 814 if (port) {
815 __skb_push(skb, sizeof(struct ethhdr)); 815 __skb_push(skb, sizeof(struct ethhdr));
816 skb->dev = port->dev; 816 skb->dev = port->dev;
817 NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 817 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
818 dev_queue_xmit); 818 dev_queue_xmit);
819 } else 819 } else
820 netif_rx(skb); 820 netif_rx(skb);
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 4c4977d12fd6..93f80fefa496 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -3,15 +3,8 @@
3 * Linux ethernet bridge 3 * Linux ethernet bridge
4 * 4 *
5 * Authors: 5 * Authors:
6 * Lennert Buytenhek <buytenh@gnu.org> 6 * Lennert Buytenhek <buytenh@gnu.org>
7 * Bart De Schuymer (maintainer) <bdschuym@pandora.be> 7 * Bart De Schuymer <bdschuym@pandora.be>
8 *
9 * Changes:
10 * Apr 29 2003: physdev module support (bdschuym)
11 * Jun 19 2003: let arptables see bridged ARP traffic (bdschuym)
12 * Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
13 * (bdschuym)
14 * Sep 01 2004: add IPv6 filtering (bdschuym)
15 * 8 *
16 * This program is free software; you can redistribute it and/or 9 * This program is free software; you can redistribute it and/or
17 * modify it under the terms of the GNU General Public License 10 * modify it under the terms of the GNU General Public License
@@ -204,15 +197,24 @@ static inline void nf_bridge_save_header(struct sk_buff *skb)
204 skb->nf_bridge->data, header_size); 197 skb->nf_bridge->data, header_size);
205} 198}
206 199
207/* 200static inline void nf_bridge_update_protocol(struct sk_buff *skb)
208 * When forwarding bridge frames, we save a copy of the original 201{
209 * header before processing. 202 if (skb->nf_bridge->mask & BRNF_8021Q)
203 skb->protocol = htons(ETH_P_8021Q);
204 else if (skb->nf_bridge->mask & BRNF_PPPoE)
205 skb->protocol = htons(ETH_P_PPP_SES);
206}
207
208/* Fill in the header for fragmented IP packets handled by
209 * the IPv4 connection tracking code.
210 */ 210 */
211int nf_bridge_copy_header(struct sk_buff *skb) 211int nf_bridge_copy_header(struct sk_buff *skb)
212{ 212{
213 int err; 213 int err;
214 int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb); 214 unsigned int header_size;
215 215
216 nf_bridge_update_protocol(skb);
217 header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
216 err = skb_cow_head(skb, header_size); 218 err = skb_cow_head(skb, header_size);
217 if (err) 219 if (err)
218 return err; 220 return err;
@@ -246,27 +248,48 @@ static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
246 skb_dst_set(skb, &rt->u.dst); 248 skb_dst_set(skb, &rt->u.dst);
247 249
248 skb->dev = nf_bridge->physindev; 250 skb->dev = nf_bridge->physindev;
251 nf_bridge_update_protocol(skb);
249 nf_bridge_push_encap_header(skb); 252 nf_bridge_push_encap_header(skb);
250 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, 253 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
251 br_handle_frame_finish, 1); 254 br_handle_frame_finish, 1);
252 255
253 return 0; 256 return 0;
254} 257}
255 258
256static void __br_dnat_complain(void) 259/* Obtain the correct destination MAC address, while preserving the original
260 * source MAC address. If we already know this address, we just copy it. If we
261 * don't, we use the neighbour framework to find out. In both cases, we make
262 * sure that br_handle_frame_finish() is called afterwards.
263 */
264static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
257{ 265{
258 static unsigned long last_complaint; 266 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
267 struct dst_entry *dst;
259 268
260 if (jiffies - last_complaint >= 5 * HZ) { 269 skb->dev = bridge_parent(skb->dev);
261 printk(KERN_WARNING "Performing cross-bridge DNAT requires IP " 270 if (!skb->dev)
262 "forwarding to be enabled\n"); 271 goto free_skb;
263 last_complaint = jiffies; 272 dst = skb_dst(skb);
273 if (dst->hh) {
274 neigh_hh_bridge(dst->hh, skb);
275 skb->dev = nf_bridge->physindev;
276 return br_handle_frame_finish(skb);
277 } else if (dst->neighbour) {
278 /* the neighbour function below overwrites the complete
279 * MAC header, so we save the Ethernet source address and
280 * protocol number. */
281 skb_copy_from_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN), skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);
282 /* tell br_dev_xmit to continue with forwarding */
283 nf_bridge->mask |= BRNF_BRIDGED_DNAT;
284 return dst->neighbour->output(skb);
264 } 285 }
286free_skb:
287 kfree_skb(skb);
288 return 0;
265} 289}
266 290
267/* This requires some explaining. If DNAT has taken place, 291/* This requires some explaining. If DNAT has taken place,
268 * we will need to fix up the destination Ethernet address, 292 * we will need to fix up the destination Ethernet address.
269 * and this is a tricky process.
270 * 293 *
271 * There are two cases to consider: 294 * There are two cases to consider:
272 * 1. The packet was DNAT'ed to a device in the same bridge 295 * 1. The packet was DNAT'ed to a device in the same bridge
@@ -280,62 +303,29 @@ static void __br_dnat_complain(void)
280 * call ip_route_input() and to look at skb->dst->dev, which is 303 * call ip_route_input() and to look at skb->dst->dev, which is
281 * changed to the destination device if ip_route_input() succeeds. 304 * changed to the destination device if ip_route_input() succeeds.
282 * 305 *
283 * Let us first consider the case that ip_route_input() succeeds: 306 * Let's first consider the case that ip_route_input() succeeds:
284 *
285 * If skb->dst->dev equals the logical bridge device the packet
286 * came in on, we can consider this bridging. The packet is passed
287 * through the neighbour output function to build a new destination
288 * MAC address, which will make the packet enter br_nf_local_out()
289 * not much later. In that function it is assured that the iptables
290 * FORWARD chain is traversed for the packet.
291 * 307 *
308 * If the output device equals the logical bridge device the packet
309 * came in on, we can consider this bridging. The corresponding MAC
310 * address will be obtained in br_nf_pre_routing_finish_bridge.
292 * Otherwise, the packet is considered to be routed and we just 311 * Otherwise, the packet is considered to be routed and we just
293 * change the destination MAC address so that the packet will 312 * change the destination MAC address so that the packet will
294 * later be passed up to the IP stack to be routed. For a redirected 313 * later be passed up to the IP stack to be routed. For a redirected
295 * packet, ip_route_input() will give back the localhost as output device, 314 * packet, ip_route_input() will give back the localhost as output device,
296 * which differs from the bridge device. 315 * which differs from the bridge device.
297 * 316 *
298 * Let us now consider the case that ip_route_input() fails: 317 * Let's now consider the case that ip_route_input() fails:
299 * 318 *
300 * This can be because the destination address is martian, in which case 319 * This can be because the destination address is martian, in which case
301 * the packet will be dropped. 320 * the packet will be dropped.
302 * After a "echo '0' > /proc/sys/net/ipv4/ip_forward" ip_route_input() 321 * If IP forwarding is disabled, ip_route_input() will fail, while
303 * will fail, while __ip_route_output_key() will return success. The source 322 * ip_route_output_key() can return success. The source
304 * address for __ip_route_output_key() is set to zero, so __ip_route_output_key 323 * address for ip_route_output_key() is set to zero, so ip_route_output_key()
305 * thinks we're handling a locally generated packet and won't care 324 * thinks we're handling a locally generated packet and won't care
306 * if IP forwarding is allowed. We send a warning message to the users's 325 * if IP forwarding is enabled. If the output device equals the logical bridge
307 * log telling her to put IP forwarding on. 326 * device, we proceed as if ip_route_input() succeeded. If it differs from the
308 * 327 * logical bridge port or if ip_route_output_key() fails we drop the packet.
309 * ip_route_input() will also fail if there is no route available. 328 */
310 * In that case we just drop the packet.
311 *
312 * --Lennert, 20020411
313 * --Bart, 20020416 (updated)
314 * --Bart, 20021007 (updated)
315 * --Bart, 20062711 (updated) */
316static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
317{
318 if (skb->pkt_type == PACKET_OTHERHOST) {
319 skb->pkt_type = PACKET_HOST;
320 skb->nf_bridge->mask |= BRNF_PKT_TYPE;
321 }
322 skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
323
324 skb->dev = bridge_parent(skb->dev);
325 if (skb->dev) {
326 struct dst_entry *dst = skb_dst(skb);
327
328 nf_bridge_pull_encap_header(skb);
329
330 if (dst->hh)
331 return neigh_hh_output(dst->hh, skb);
332 else if (dst->neighbour)
333 return dst->neighbour->output(skb);
334 }
335 kfree_skb(skb);
336 return 0;
337}
338
339static int br_nf_pre_routing_finish(struct sk_buff *skb) 329static int br_nf_pre_routing_finish(struct sk_buff *skb)
340{ 330{
341 struct net_device *dev = skb->dev; 331 struct net_device *dev = skb->dev;
@@ -379,11 +369,6 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
379 skb_dst_set(skb, (struct dst_entry *)rt); 369 skb_dst_set(skb, (struct dst_entry *)rt);
380 goto bridged_dnat; 370 goto bridged_dnat;
381 } 371 }
382 /* we are sure that forwarding is disabled, so printing
383 * this message is no problem. Note that the packet could
384 * still have a martian destination address, in which case
385 * the packet could be dropped even if forwarding were enabled */
386 __br_dnat_complain();
387 dst_release((struct dst_entry *)rt); 372 dst_release((struct dst_entry *)rt);
388 } 373 }
389free_skb: 374free_skb:
@@ -392,12 +377,11 @@ free_skb:
392 } else { 377 } else {
393 if (skb_dst(skb)->dev == dev) { 378 if (skb_dst(skb)->dev == dev) {
394bridged_dnat: 379bridged_dnat:
395 /* Tell br_nf_local_out this is a
396 * bridged frame */
397 nf_bridge->mask |= BRNF_BRIDGED_DNAT;
398 skb->dev = nf_bridge->physindev; 380 skb->dev = nf_bridge->physindev;
381 nf_bridge_update_protocol(skb);
399 nf_bridge_push_encap_header(skb); 382 nf_bridge_push_encap_header(skb);
400 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, 383 NF_HOOK_THRESH(NFPROTO_BRIDGE,
384 NF_BR_PRE_ROUTING,
401 skb, skb->dev, NULL, 385 skb, skb->dev, NULL,
402 br_nf_pre_routing_finish_bridge, 386 br_nf_pre_routing_finish_bridge,
403 1); 387 1);
@@ -417,8 +401,9 @@ bridged_dnat:
417 } 401 }
418 402
419 skb->dev = nf_bridge->physindev; 403 skb->dev = nf_bridge->physindev;
404 nf_bridge_update_protocol(skb);
420 nf_bridge_push_encap_header(skb); 405 nf_bridge_push_encap_header(skb);
421 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL, 406 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
422 br_handle_frame_finish, 1); 407 br_handle_frame_finish, 1);
423 408
424 return 0; 409 return 0;
@@ -437,6 +422,10 @@ static struct net_device *setup_pre_routing(struct sk_buff *skb)
437 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING; 422 nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
438 nf_bridge->physindev = skb->dev; 423 nf_bridge->physindev = skb->dev;
439 skb->dev = bridge_parent(skb->dev); 424 skb->dev = bridge_parent(skb->dev);
425 if (skb->protocol == htons(ETH_P_8021Q))
426 nf_bridge->mask |= BRNF_8021Q;
427 else if (skb->protocol == htons(ETH_P_PPP_SES))
428 nf_bridge->mask |= BRNF_PPPoE;
440 429
441 return skb->dev; 430 return skb->dev;
442} 431}
@@ -535,7 +524,8 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
535 if (!setup_pre_routing(skb)) 524 if (!setup_pre_routing(skb))
536 return NF_DROP; 525 return NF_DROP;
537 526
538 NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, 527 skb->protocol = htons(ETH_P_IPV6);
528 NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
539 br_nf_pre_routing_finish_ipv6); 529 br_nf_pre_routing_finish_ipv6);
540 530
541 return NF_STOLEN; 531 return NF_STOLEN;
@@ -607,8 +597,9 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
607 if (!setup_pre_routing(skb)) 597 if (!setup_pre_routing(skb))
608 return NF_DROP; 598 return NF_DROP;
609 store_orig_dstaddr(skb); 599 store_orig_dstaddr(skb);
600 skb->protocol = htons(ETH_P_IP);
610 601
611 NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, 602 NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
612 br_nf_pre_routing_finish); 603 br_nf_pre_routing_finish);
613 604
614 return NF_STOLEN; 605 return NF_STOLEN;
@@ -655,8 +646,10 @@ static int br_nf_forward_finish(struct sk_buff *skb)
655 } else { 646 } else {
656 in = *((struct net_device **)(skb->cb)); 647 in = *((struct net_device **)(skb->cb));
657 } 648 }
649 nf_bridge_update_protocol(skb);
658 nf_bridge_push_encap_header(skb); 650 nf_bridge_push_encap_header(skb);
659 NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in, 651
652 NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in,
660 skb->dev, br_forward_finish, 1); 653 skb->dev, br_forward_finish, 1);
661 return 0; 654 return 0;
662} 655}
@@ -707,6 +700,10 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
707 /* The physdev module checks on this */ 700 /* The physdev module checks on this */
708 nf_bridge->mask |= BRNF_BRIDGED; 701 nf_bridge->mask |= BRNF_BRIDGED;
709 nf_bridge->physoutdev = skb->dev; 702 nf_bridge->physoutdev = skb->dev;
703 if (pf == PF_INET)
704 skb->protocol = htons(ETH_P_IP);
705 else
706 skb->protocol = htons(ETH_P_IPV6);
710 707
711 NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent, 708 NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
712 br_nf_forward_finish); 709 br_nf_forward_finish);
@@ -744,60 +741,11 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
744 return NF_STOLEN; 741 return NF_STOLEN;
745} 742}
746 743
747/* PF_BRIDGE/LOCAL_OUT ***********************************************
748 *
749 * This function sees both locally originated IP packets and forwarded
750 * IP packets (in both cases the destination device is a bridge
751 * device). It also sees bridged-and-DNAT'ed packets.
752 *
753 * If (nf_bridge->mask & BRNF_BRIDGED_DNAT) then the packet is bridged
754 * and we fake the PF_BRIDGE/FORWARD hook. The function br_nf_forward()
755 * will then fake the PF_INET/FORWARD hook. br_nf_local_out() has priority
756 * NF_BR_PRI_FIRST, so no relevant PF_BRIDGE/INPUT functions have been nor
757 * will be executed.
758 */
759static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff *skb,
760 const struct net_device *in,
761 const struct net_device *out,
762 int (*okfn)(struct sk_buff *))
763{
764 struct net_device *realindev;
765 struct nf_bridge_info *nf_bridge;
766
767 if (!skb->nf_bridge)
768 return NF_ACCEPT;
769
770 /* Need exclusive nf_bridge_info since we might have multiple
771 * different physoutdevs. */
772 if (!nf_bridge_unshare(skb))
773 return NF_DROP;
774
775 nf_bridge = skb->nf_bridge;
776 if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT))
777 return NF_ACCEPT;
778
779 /* Bridged, take PF_BRIDGE/FORWARD.
780 * (see big note in front of br_nf_pre_routing_finish) */
781 nf_bridge->physoutdev = skb->dev;
782 realindev = nf_bridge->physindev;
783
784 if (nf_bridge->mask & BRNF_PKT_TYPE) {
785 skb->pkt_type = PACKET_OTHERHOST;
786 nf_bridge->mask ^= BRNF_PKT_TYPE;
787 }
788 nf_bridge_push_encap_header(skb);
789
790 NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
791 br_forward_finish);
792 return NF_STOLEN;
793}
794
795#if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE) 744#if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE)
796static int br_nf_dev_queue_xmit(struct sk_buff *skb) 745static int br_nf_dev_queue_xmit(struct sk_buff *skb)
797{ 746{
798 if (skb->nfct != NULL && 747 if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
799 (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb)) && 748 skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
800 skb->len > skb->dev->mtu &&
801 !skb_is_gso(skb)) 749 !skb_is_gso(skb))
802 return ip_fragment(skb, br_dev_queue_push_xmit); 750 return ip_fragment(skb, br_dev_queue_push_xmit);
803 else 751 else
@@ -820,21 +768,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
820 struct net_device *realoutdev = bridge_parent(skb->dev); 768 struct net_device *realoutdev = bridge_parent(skb->dev);
821 u_int8_t pf; 769 u_int8_t pf;
822 770
823#ifdef CONFIG_NETFILTER_DEBUG 771 if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED))
824 /* Be very paranoid. This probably won't happen anymore, but let's
825 * keep the check just to be sure... */
826 if (skb_mac_header(skb) < skb->head ||
827 skb_mac_header(skb) + ETH_HLEN > skb->data) {
828 printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
829 "bad mac.raw pointer.\n");
830 goto print_error;
831 }
832#endif
833
834 if (!nf_bridge)
835 return NF_ACCEPT;
836
837 if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT)))
838 return NF_ACCEPT; 772 return NF_ACCEPT;
839 773
840 if (!realoutdev) 774 if (!realoutdev)
@@ -849,13 +783,6 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
849 else 783 else
850 return NF_ACCEPT; 784 return NF_ACCEPT;
851 785
852#ifdef CONFIG_NETFILTER_DEBUG
853 if (skb_dst(skb) == NULL) {
854 printk(KERN_INFO "br_netfilter post_routing: skb->dst == NULL\n");
855 goto print_error;
856 }
857#endif
858
859 /* We assume any code from br_dev_queue_push_xmit onwards doesn't care 786 /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
860 * about the value of skb->pkt_type. */ 787 * about the value of skb->pkt_type. */
861 if (skb->pkt_type == PACKET_OTHERHOST) { 788 if (skb->pkt_type == PACKET_OTHERHOST) {
@@ -865,24 +792,15 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
865 792
866 nf_bridge_pull_encap_header(skb); 793 nf_bridge_pull_encap_header(skb);
867 nf_bridge_save_header(skb); 794 nf_bridge_save_header(skb);
795 if (pf == PF_INET)
796 skb->protocol = htons(ETH_P_IP);
797 else
798 skb->protocol = htons(ETH_P_IPV6);
868 799
869 NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev, 800 NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
870 br_nf_dev_queue_xmit); 801 br_nf_dev_queue_xmit);
871 802
872 return NF_STOLEN; 803 return NF_STOLEN;
873
874#ifdef CONFIG_NETFILTER_DEBUG
875print_error:
876 if (skb->dev != NULL) {
877 printk("[%s]", skb->dev->name);
878 if (realoutdev)
879 printk("[%s]", realoutdev->name);
880 }
881 printk(" head:%p, raw:%p, data:%p\n", skb->head, skb_mac_header(skb),
882 skb->data);
883 dump_stack();
884 return NF_ACCEPT;
885#endif
886} 804}
887 805
888/* IP/SABOTAGE *****************************************************/ 806/* IP/SABOTAGE *****************************************************/
@@ -901,10 +819,8 @@ static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,
901 return NF_ACCEPT; 819 return NF_ACCEPT;
902} 820}
903 821
904/* For br_nf_local_out we need (prio = NF_BR_PRI_FIRST), to insure that innocent 822/* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
905 * PF_BRIDGE/NF_BR_LOCAL_OUT functions don't get bridged traffic as input. 823 * br_dev_queue_push_xmit is called afterwards */
906 * For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
907 * ip_refrag() can return NF_STOLEN. */
908static struct nf_hook_ops br_nf_ops[] __read_mostly = { 824static struct nf_hook_ops br_nf_ops[] __read_mostly = {
909 { 825 {
910 .hook = br_nf_pre_routing, 826 .hook = br_nf_pre_routing,
@@ -935,13 +851,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
935 .priority = NF_BR_PRI_BRNF, 851 .priority = NF_BR_PRI_BRNF,
936 }, 852 },
937 { 853 {
938 .hook = br_nf_local_out,
939 .owner = THIS_MODULE,
940 .pf = PF_BRIDGE,
941 .hooknum = NF_BR_LOCAL_OUT,
942 .priority = NF_BR_PRI_FIRST,
943 },
944 {
945 .hook = br_nf_post_routing, 854 .hook = br_nf_post_routing,
946 .owner = THIS_MODULE, 855 .owner = THIS_MODULE,
947 .pf = PF_BRIDGE, 856 .pf = PF_BRIDGE,
diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
index d66cce11f3bf..217bd225a42f 100644
--- a/net/bridge/br_stp_bpdu.c
+++ b/net/bridge/br_stp_bpdu.c
@@ -50,7 +50,7 @@ static void br_send_bpdu(struct net_bridge_port *p,
50 50
51 llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr); 51 llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr);
52 52
53 NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev, 53 NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
54 dev_queue_xmit); 54 dev_queue_xmit);
55} 55}
56 56
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 5d1176758ca5..f7de8dbc3422 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -36,14 +36,14 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
36 return true; 36 return true;
37} 37}
38 38
39static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par) 39static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
40{ 40{
41 const struct ebt_802_3_info *info = par->matchinfo; 41 const struct ebt_802_3_info *info = par->matchinfo;
42 42
43 if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK) 43 if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
44 return false; 44 return -EINVAL;
45 45
46 return true; 46 return 0;
47} 47}
48 48
49static struct xt_match ebt_802_3_mt_reg __read_mostly = { 49static struct xt_match ebt_802_3_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index b595f091f35b..20068e03fa81 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -7,6 +7,7 @@
7 * August, 2003 7 * August, 2003
8 * 8 *
9 */ 9 */
10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/ip.h> 11#include <linux/ip.h>
11#include <linux/if_arp.h> 12#include <linux/if_arp.h>
12#include <linux/module.h> 13#include <linux/module.h>
@@ -171,7 +172,7 @@ ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
171 return true; 172 return true;
172} 173}
173 174
174static bool ebt_among_mt_check(const struct xt_mtchk_param *par) 175static int ebt_among_mt_check(const struct xt_mtchk_param *par)
175{ 176{
176 const struct ebt_among_info *info = par->matchinfo; 177 const struct ebt_among_info *info = par->matchinfo;
177 const struct ebt_entry_match *em = 178 const struct ebt_entry_match *em =
@@ -186,24 +187,20 @@ static bool ebt_among_mt_check(const struct xt_mtchk_param *par)
186 expected_length += ebt_mac_wormhash_size(wh_src); 187 expected_length += ebt_mac_wormhash_size(wh_src);
187 188
188 if (em->match_size != EBT_ALIGN(expected_length)) { 189 if (em->match_size != EBT_ALIGN(expected_length)) {
189 printk(KERN_WARNING 190 pr_info("wrong size: %d against expected %d, rounded to %Zd\n",
190 "ebtables: among: wrong size: %d " 191 em->match_size, expected_length,
191 "against expected %d, rounded to %Zd\n", 192 EBT_ALIGN(expected_length));
192 em->match_size, expected_length, 193 return -EINVAL;
193 EBT_ALIGN(expected_length));
194 return false;
195 } 194 }
196 if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) { 195 if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
197 printk(KERN_WARNING 196 pr_info("dst integrity fail: %x\n", -err);
198 "ebtables: among: dst integrity fail: %x\n", -err); 197 return -EINVAL;
199 return false;
200 } 198 }
201 if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) { 199 if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
202 printk(KERN_WARNING 200 pr_info("src integrity fail: %x\n", -err);
203 "ebtables: among: src integrity fail: %x\n", -err); 201 return -EINVAL;
204 return false;
205 } 202 }
206 return true; 203 return 0;
207} 204}
208 205
209static struct xt_match ebt_among_mt_reg __read_mostly = { 206static struct xt_match ebt_among_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index e727697c5847..952150cd5e7d 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -100,7 +100,7 @@ ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
100 return true; 100 return true;
101} 101}
102 102
103static bool ebt_arp_mt_check(const struct xt_mtchk_param *par) 103static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
104{ 104{
105 const struct ebt_arp_info *info = par->matchinfo; 105 const struct ebt_arp_info *info = par->matchinfo;
106 const struct ebt_entry *e = par->entryinfo; 106 const struct ebt_entry *e = par->entryinfo;
@@ -108,10 +108,10 @@ static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
108 if ((e->ethproto != htons(ETH_P_ARP) && 108 if ((e->ethproto != htons(ETH_P_ARP) &&
109 e->ethproto != htons(ETH_P_RARP)) || 109 e->ethproto != htons(ETH_P_RARP)) ||
110 e->invflags & EBT_IPROTO) 110 e->invflags & EBT_IPROTO)
111 return false; 111 return -EINVAL;
112 if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK) 112 if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
113 return false; 113 return -EINVAL;
114 return true; 114 return 0;
115} 115}
116 116
117static struct xt_match ebt_arp_mt_reg __read_mostly = { 117static struct xt_match ebt_arp_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index f392e9d93f53..4581adb27583 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -57,17 +57,17 @@ ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
57 return info->target; 57 return info->target;
58} 58}
59 59
60static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par) 60static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
61{ 61{
62 const struct ebt_arpreply_info *info = par->targinfo; 62 const struct ebt_arpreply_info *info = par->targinfo;
63 const struct ebt_entry *e = par->entryinfo; 63 const struct ebt_entry *e = par->entryinfo;
64 64
65 if (BASE_CHAIN && info->target == EBT_RETURN) 65 if (BASE_CHAIN && info->target == EBT_RETURN)
66 return false; 66 return -EINVAL;
67 if (e->ethproto != htons(ETH_P_ARP) || 67 if (e->ethproto != htons(ETH_P_ARP) ||
68 e->invflags & EBT_IPROTO) 68 e->invflags & EBT_IPROTO)
69 return false; 69 return -EINVAL;
70 return true; 70 return 0;
71} 71}
72 72
73static struct xt_target ebt_arpreply_tg_reg __read_mostly = { 73static struct xt_target ebt_arpreply_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 2bb40d728a35..59d5b7c8a557 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -26,13 +26,13 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
26 return info->target; 26 return info->target;
27} 27}
28 28
29static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par) 29static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
30{ 30{
31 const struct ebt_nat_info *info = par->targinfo; 31 const struct ebt_nat_info *info = par->targinfo;
32 unsigned int hook_mask; 32 unsigned int hook_mask;
33 33
34 if (BASE_CHAIN && info->target == EBT_RETURN) 34 if (BASE_CHAIN && info->target == EBT_RETURN)
35 return false; 35 return -EINVAL;
36 36
37 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS); 37 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
38 if ((strcmp(par->table, "nat") != 0 || 38 if ((strcmp(par->table, "nat") != 0 ||
@@ -40,10 +40,10 @@ static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par)
40 (1 << NF_BR_LOCAL_OUT)))) && 40 (1 << NF_BR_LOCAL_OUT)))) &&
41 (strcmp(par->table, "broute") != 0 || 41 (strcmp(par->table, "broute") != 0 ||
42 hook_mask & ~(1 << NF_BR_BROUTING))) 42 hook_mask & ~(1 << NF_BR_BROUTING)))
43 return false; 43 return -EINVAL;
44 if (INVALID_TARGET) 44 if (INVALID_TARGET)
45 return false; 45 return -EINVAL;
46 return true; 46 return 0;
47} 47}
48 48
49static struct xt_target ebt_dnat_tg_reg __read_mostly = { 49static struct xt_target ebt_dnat_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 5de6df6f86b8..a1c76c7e5219 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -77,31 +77,31 @@ ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
77 return true; 77 return true;
78} 78}
79 79
80static bool ebt_ip_mt_check(const struct xt_mtchk_param *par) 80static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
81{ 81{
82 const struct ebt_ip_info *info = par->matchinfo; 82 const struct ebt_ip_info *info = par->matchinfo;
83 const struct ebt_entry *e = par->entryinfo; 83 const struct ebt_entry *e = par->entryinfo;
84 84
85 if (e->ethproto != htons(ETH_P_IP) || 85 if (e->ethproto != htons(ETH_P_IP) ||
86 e->invflags & EBT_IPROTO) 86 e->invflags & EBT_IPROTO)
87 return false; 87 return -EINVAL;
88 if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK) 88 if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
89 return false; 89 return -EINVAL;
90 if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) { 90 if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
91 if (info->invflags & EBT_IP_PROTO) 91 if (info->invflags & EBT_IP_PROTO)
92 return false; 92 return -EINVAL;
93 if (info->protocol != IPPROTO_TCP && 93 if (info->protocol != IPPROTO_TCP &&
94 info->protocol != IPPROTO_UDP && 94 info->protocol != IPPROTO_UDP &&
95 info->protocol != IPPROTO_UDPLITE && 95 info->protocol != IPPROTO_UDPLITE &&
96 info->protocol != IPPROTO_SCTP && 96 info->protocol != IPPROTO_SCTP &&
97 info->protocol != IPPROTO_DCCP) 97 info->protocol != IPPROTO_DCCP)
98 return false; 98 return -EINVAL;
99 } 99 }
100 if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1]) 100 if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
101 return false; 101 return -EINVAL;
102 if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1]) 102 if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
103 return false; 103 return -EINVAL;
104 return true; 104 return 0;
105} 105}
106 106
107static struct xt_match ebt_ip_mt_reg __read_mostly = { 107static struct xt_match ebt_ip_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index bbf2534ef026..33f8413f05ad 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -4,7 +4,7 @@
4 * Authors: 4 * Authors:
5 * Manohar Castelino <manohar.r.castelino@intel.com> 5 * Manohar Castelino <manohar.r.castelino@intel.com>
6 * Kuo-Lang Tseng <kuo-lang.tseng@intel.com> 6 * Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
7 * Jan Engelhardt <jengelh@computergmbh.de> 7 * Jan Engelhardt <jengelh@medozas.de>
8 * 8 *
9 * Summary: 9 * Summary:
10 * This is just a modification of the IPv4 code written by 10 * This is just a modification of the IPv4 code written by
@@ -35,8 +35,6 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
35 struct ipv6hdr _ip6h; 35 struct ipv6hdr _ip6h;
36 const struct tcpudphdr *pptr; 36 const struct tcpudphdr *pptr;
37 struct tcpudphdr _ports; 37 struct tcpudphdr _ports;
38 struct in6_addr tmp_addr;
39 int i;
40 38
41 ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h); 39 ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
42 if (ih6 == NULL) 40 if (ih6 == NULL)
@@ -44,18 +42,10 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
44 if (info->bitmask & EBT_IP6_TCLASS && 42 if (info->bitmask & EBT_IP6_TCLASS &&
45 FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS)) 43 FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
46 return false; 44 return false;
47 for (i = 0; i < 4; i++) 45 if (FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
48 tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] & 46 &info->saddr), EBT_IP6_SOURCE) ||
49 info->smsk.in6_u.u6_addr32[i]; 47 FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
50 if (info->bitmask & EBT_IP6_SOURCE && 48 &info->daddr), EBT_IP6_DEST))
51 FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
52 EBT_IP6_SOURCE))
53 return false;
54 for (i = 0; i < 4; i++)
55 tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
56 info->dmsk.in6_u.u6_addr32[i];
57 if (info->bitmask & EBT_IP6_DEST &&
58 FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST))
59 return false; 49 return false;
60 if (info->bitmask & EBT_IP6_PROTO) { 50 if (info->bitmask & EBT_IP6_PROTO) {
61 uint8_t nexthdr = ih6->nexthdr; 51 uint8_t nexthdr = ih6->nexthdr;
@@ -90,30 +80,30 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
90 return true; 80 return true;
91} 81}
92 82
93static bool ebt_ip6_mt_check(const struct xt_mtchk_param *par) 83static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
94{ 84{
95 const struct ebt_entry *e = par->entryinfo; 85 const struct ebt_entry *e = par->entryinfo;
96 struct ebt_ip6_info *info = par->matchinfo; 86 struct ebt_ip6_info *info = par->matchinfo;
97 87
98 if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO) 88 if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
99 return false; 89 return -EINVAL;
100 if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK) 90 if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
101 return false; 91 return -EINVAL;
102 if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) { 92 if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
103 if (info->invflags & EBT_IP6_PROTO) 93 if (info->invflags & EBT_IP6_PROTO)
104 return false; 94 return -EINVAL;
105 if (info->protocol != IPPROTO_TCP && 95 if (info->protocol != IPPROTO_TCP &&
106 info->protocol != IPPROTO_UDP && 96 info->protocol != IPPROTO_UDP &&
107 info->protocol != IPPROTO_UDPLITE && 97 info->protocol != IPPROTO_UDPLITE &&
108 info->protocol != IPPROTO_SCTP && 98 info->protocol != IPPROTO_SCTP &&
109 info->protocol != IPPROTO_DCCP) 99 info->protocol != IPPROTO_DCCP)
110 return false; 100 return -EINVAL;
111 } 101 }
112 if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1]) 102 if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1])
113 return false; 103 return -EINVAL;
114 if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1]) 104 if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
115 return false; 105 return -EINVAL;
116 return true; 106 return 0;
117} 107}
118 108
119static struct xt_match ebt_ip6_mt_reg __read_mostly = { 109static struct xt_match ebt_ip6_mt_reg __read_mostly = {
@@ -139,4 +129,5 @@ static void __exit ebt_ip6_fini(void)
139module_init(ebt_ip6_init); 129module_init(ebt_ip6_init);
140module_exit(ebt_ip6_fini); 130module_exit(ebt_ip6_fini);
141MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match"); 131MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match");
132MODULE_AUTHOR("Kuo-Lang Tseng <kuo-lang.tseng@intel.com>");
142MODULE_LICENSE("GPL"); 133MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 7a8182710eb3..4b0e2e53fa57 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -10,6 +10,7 @@
10 * September, 2003 10 * September, 2003
11 * 11 *
12 */ 12 */
13#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 14#include <linux/module.h>
14#include <linux/netdevice.h> 15#include <linux/netdevice.h>
15#include <linux/spinlock.h> 16#include <linux/spinlock.h>
@@ -64,16 +65,16 @@ user2credits(u_int32_t user)
64 return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE; 65 return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE;
65} 66}
66 67
67static bool ebt_limit_mt_check(const struct xt_mtchk_param *par) 68static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
68{ 69{
69 struct ebt_limit_info *info = par->matchinfo; 70 struct ebt_limit_info *info = par->matchinfo;
70 71
71 /* Check for overflow. */ 72 /* Check for overflow. */
72 if (info->burst == 0 || 73 if (info->burst == 0 ||
73 user2credits(info->avg * info->burst) < user2credits(info->avg)) { 74 user2credits(info->avg * info->burst) < user2credits(info->avg)) {
74 printk("Overflow in ebt_limit, try lower: %u/%u\n", 75 pr_info("overflow, try lower: %u/%u\n",
75 info->avg, info->burst); 76 info->avg, info->burst);
76 return false; 77 return -EINVAL;
77 } 78 }
78 79
79 /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */ 80 /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */
@@ -81,7 +82,7 @@ static bool ebt_limit_mt_check(const struct xt_mtchk_param *par)
81 info->credit = user2credits(info->avg * info->burst); 82 info->credit = user2credits(info->avg * info->burst);
82 info->credit_cap = user2credits(info->avg * info->burst); 83 info->credit_cap = user2credits(info->avg * info->burst);
83 info->cost = user2credits(info->avg); 84 info->cost = user2credits(info->avg);
84 return true; 85 return 0;
85} 86}
86 87
87 88
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index e873924ddb5d..c46024156539 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -24,16 +24,16 @@
24 24
25static DEFINE_SPINLOCK(ebt_log_lock); 25static DEFINE_SPINLOCK(ebt_log_lock);
26 26
27static bool ebt_log_tg_check(const struct xt_tgchk_param *par) 27static int ebt_log_tg_check(const struct xt_tgchk_param *par)
28{ 28{
29 struct ebt_log_info *info = par->targinfo; 29 struct ebt_log_info *info = par->targinfo;
30 30
31 if (info->bitmask & ~EBT_LOG_MASK) 31 if (info->bitmask & ~EBT_LOG_MASK)
32 return false; 32 return -EINVAL;
33 if (info->loglevel >= 8) 33 if (info->loglevel >= 8)
34 return false; 34 return -EINVAL;
35 info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0'; 35 info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0';
36 return true; 36 return 0;
37} 37}
38 38
39struct tcpudphdr 39struct tcpudphdr
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 2b5ce533d6b9..126e536ff8f4 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -36,21 +36,21 @@ ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
36 return info->target | ~EBT_VERDICT_BITS; 36 return info->target | ~EBT_VERDICT_BITS;
37} 37}
38 38
39static bool ebt_mark_tg_check(const struct xt_tgchk_param *par) 39static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
40{ 40{
41 const struct ebt_mark_t_info *info = par->targinfo; 41 const struct ebt_mark_t_info *info = par->targinfo;
42 int tmp; 42 int tmp;
43 43
44 tmp = info->target | ~EBT_VERDICT_BITS; 44 tmp = info->target | ~EBT_VERDICT_BITS;
45 if (BASE_CHAIN && tmp == EBT_RETURN) 45 if (BASE_CHAIN && tmp == EBT_RETURN)
46 return false; 46 return -EINVAL;
47 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) 47 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
48 return false; 48 return -EINVAL;
49 tmp = info->target & ~EBT_VERDICT_BITS; 49 tmp = info->target & ~EBT_VERDICT_BITS;
50 if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE && 50 if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE &&
51 tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE) 51 tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE)
52 return false; 52 return -EINVAL;
53 return true; 53 return 0;
54} 54}
55#ifdef CONFIG_COMPAT 55#ifdef CONFIG_COMPAT
56struct compat_ebt_mark_t_info { 56struct compat_ebt_mark_t_info {
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 8de8c396d913..e4366c0a1a43 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -22,17 +22,17 @@ ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
22 return ((skb->mark & info->mask) == info->mark) ^ info->invert; 22 return ((skb->mark & info->mask) == info->mark) ^ info->invert;
23} 23}
24 24
25static bool ebt_mark_mt_check(const struct xt_mtchk_param *par) 25static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
26{ 26{
27 const struct ebt_mark_m_info *info = par->matchinfo; 27 const struct ebt_mark_m_info *info = par->matchinfo;
28 28
29 if (info->bitmask & ~EBT_MARK_MASK) 29 if (info->bitmask & ~EBT_MARK_MASK)
30 return false; 30 return -EINVAL;
31 if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND)) 31 if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND))
32 return false; 32 return -EINVAL;
33 if (!info->bitmask) 33 if (!info->bitmask)
34 return false; 34 return -EINVAL;
35 return true; 35 return 0;
36} 36}
37 37
38 38
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 40dbd248b9ae..22e2ad5f23e8 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -35,14 +35,14 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
35 return EBT_CONTINUE; 35 return EBT_CONTINUE;
36} 36}
37 37
38static bool ebt_nflog_tg_check(const struct xt_tgchk_param *par) 38static int ebt_nflog_tg_check(const struct xt_tgchk_param *par)
39{ 39{
40 struct ebt_nflog_info *info = par->targinfo; 40 struct ebt_nflog_info *info = par->targinfo;
41 41
42 if (info->flags & ~EBT_NFLOG_MASK) 42 if (info->flags & ~EBT_NFLOG_MASK)
43 return false; 43 return -EINVAL;
44 info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0'; 44 info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
45 return true; 45 return 0;
46} 46}
47 47
48static struct xt_target ebt_nflog_tg_reg __read_mostly = { 48static struct xt_target ebt_nflog_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index e2a07e6cbef3..f34bcc3197bd 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -20,14 +20,14 @@ ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
20 return (skb->pkt_type == info->pkt_type) ^ info->invert; 20 return (skb->pkt_type == info->pkt_type) ^ info->invert;
21} 21}
22 22
23static bool ebt_pkttype_mt_check(const struct xt_mtchk_param *par) 23static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
24{ 24{
25 const struct ebt_pkttype_info *info = par->matchinfo; 25 const struct ebt_pkttype_info *info = par->matchinfo;
26 26
27 if (info->invert != 0 && info->invert != 1) 27 if (info->invert != 0 && info->invert != 1)
28 return false; 28 return -EINVAL;
29 /* Allow any pkt_type value */ 29 /* Allow any pkt_type value */
30 return true; 30 return 0;
31} 31}
32 32
33static struct xt_match ebt_pkttype_mt_reg __read_mostly = { 33static struct xt_match ebt_pkttype_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index 9be8fbcd370b..a6044a6f2383 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -32,23 +32,23 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
32 return info->target; 32 return info->target;
33} 33}
34 34
35static bool ebt_redirect_tg_check(const struct xt_tgchk_param *par) 35static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
36{ 36{
37 const struct ebt_redirect_info *info = par->targinfo; 37 const struct ebt_redirect_info *info = par->targinfo;
38 unsigned int hook_mask; 38 unsigned int hook_mask;
39 39
40 if (BASE_CHAIN && info->target == EBT_RETURN) 40 if (BASE_CHAIN && info->target == EBT_RETURN)
41 return false; 41 return -EINVAL;
42 42
43 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS); 43 hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
44 if ((strcmp(par->table, "nat") != 0 || 44 if ((strcmp(par->table, "nat") != 0 ||
45 hook_mask & ~(1 << NF_BR_PRE_ROUTING)) && 45 hook_mask & ~(1 << NF_BR_PRE_ROUTING)) &&
46 (strcmp(par->table, "broute") != 0 || 46 (strcmp(par->table, "broute") != 0 ||
47 hook_mask & ~(1 << NF_BR_BROUTING))) 47 hook_mask & ~(1 << NF_BR_BROUTING)))
48 return false; 48 return -EINVAL;
49 if (INVALID_TARGET) 49 if (INVALID_TARGET)
50 return false; 50 return -EINVAL;
51 return true; 51 return 0;
52} 52}
53 53
54static struct xt_target ebt_redirect_tg_reg __read_mostly = { 54static struct xt_target ebt_redirect_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 9c7b520765a2..79caca34ae2b 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -42,21 +42,21 @@ out:
42 return info->target | ~EBT_VERDICT_BITS; 42 return info->target | ~EBT_VERDICT_BITS;
43} 43}
44 44
45static bool ebt_snat_tg_check(const struct xt_tgchk_param *par) 45static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
46{ 46{
47 const struct ebt_nat_info *info = par->targinfo; 47 const struct ebt_nat_info *info = par->targinfo;
48 int tmp; 48 int tmp;
49 49
50 tmp = info->target | ~EBT_VERDICT_BITS; 50 tmp = info->target | ~EBT_VERDICT_BITS;
51 if (BASE_CHAIN && tmp == EBT_RETURN) 51 if (BASE_CHAIN && tmp == EBT_RETURN)
52 return false; 52 return -EINVAL;
53 53
54 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0) 54 if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
55 return false; 55 return -EINVAL;
56 tmp = info->target | EBT_VERDICT_BITS; 56 tmp = info->target | EBT_VERDICT_BITS;
57 if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT) 57 if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT)
58 return false; 58 return -EINVAL;
59 return true; 59 return 0;
60} 60}
61 61
62static struct xt_target ebt_snat_tg_reg __read_mostly = { 62static struct xt_target ebt_snat_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 92a93d363765..02f28fdda393 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -153,7 +153,7 @@ ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
153 return true; 153 return true;
154} 154}
155 155
156static bool ebt_stp_mt_check(const struct xt_mtchk_param *par) 156static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
157{ 157{
158 const struct ebt_stp_info *info = par->matchinfo; 158 const struct ebt_stp_info *info = par->matchinfo;
159 const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00}; 159 const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
@@ -162,13 +162,13 @@ static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
162 162
163 if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK || 163 if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
164 !(info->bitmask & EBT_STP_MASK)) 164 !(info->bitmask & EBT_STP_MASK))
165 return false; 165 return -EINVAL;
166 /* Make sure the match only receives stp frames */ 166 /* Make sure the match only receives stp frames */
167 if (compare_ether_addr(e->destmac, bridge_ula) || 167 if (compare_ether_addr(e->destmac, bridge_ula) ||
168 compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC)) 168 compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
169 return false; 169 return -EINVAL;
170 170
171 return true; 171 return 0;
172} 172}
173 173
174static struct xt_match ebt_stp_mt_reg __read_mostly = { 174static struct xt_match ebt_stp_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index f9560f3dbdc7..852f37c27659 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -27,7 +27,7 @@
27 * flushed even if it is not full yet. 27 * flushed even if it is not full yet.
28 * 28 *
29 */ 29 */
30 30#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
31#include <linux/module.h> 31#include <linux/module.h>
32#include <linux/slab.h> 32#include <linux/slab.h>
33#include <linux/spinlock.h> 33#include <linux/spinlock.h>
@@ -44,9 +44,6 @@
44#include <net/sock.h> 44#include <net/sock.h>
45#include "../br_private.h" 45#include "../br_private.h"
46 46
47#define PRINTR(format, args...) do { if (net_ratelimit()) \
48 printk(format , ## args); } while (0)
49
50static unsigned int nlbufsiz = NLMSG_GOODSIZE; 47static unsigned int nlbufsiz = NLMSG_GOODSIZE;
51module_param(nlbufsiz, uint, 0600); 48module_param(nlbufsiz, uint, 0600);
52MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) " 49MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) "
@@ -107,15 +104,14 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
107 n = max(size, nlbufsiz); 104 n = max(size, nlbufsiz);
108 skb = alloc_skb(n, GFP_ATOMIC); 105 skb = alloc_skb(n, GFP_ATOMIC);
109 if (!skb) { 106 if (!skb) {
110 PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer " 107 pr_debug("cannot alloc whole buffer of size %ub!\n", n);
111 "of size %ub!\n", n);
112 if (n > size) { 108 if (n > size) {
113 /* try to allocate only as much as we need for 109 /* try to allocate only as much as we need for
114 * current packet */ 110 * current packet */
115 skb = alloc_skb(size, GFP_ATOMIC); 111 skb = alloc_skb(size, GFP_ATOMIC);
116 if (!skb) 112 if (!skb)
117 PRINTR(KERN_ERR "ebt_ulog: can't even allocate " 113 pr_debug("cannot even allocate "
118 "buffer of size %ub\n", size); 114 "buffer of size %ub\n", size);
119 } 115 }
120 } 116 }
121 117
@@ -142,8 +138,7 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,
142 138
143 size = NLMSG_SPACE(sizeof(*pm) + copy_len); 139 size = NLMSG_SPACE(sizeof(*pm) + copy_len);
144 if (size > nlbufsiz) { 140 if (size > nlbufsiz) {
145 PRINTR("ebt_ulog: Size %Zd needed, but nlbufsiz=%d\n", 141 pr_debug("Size %Zd needed, but nlbufsiz=%d\n", size, nlbufsiz);
146 size, nlbufsiz);
147 return; 142 return;
148 } 143 }
149 144
@@ -217,8 +212,8 @@ unlock:
217 return; 212 return;
218 213
219nlmsg_failure: 214nlmsg_failure:
220 printk(KERN_CRIT "ebt_ulog: error during NLMSG_PUT. This should " 215 pr_debug("error during NLMSG_PUT. This should "
221 "not happen, please report to author.\n"); 216 "not happen, please report to author.\n");
222 goto unlock; 217 goto unlock;
223alloc_failure: 218alloc_failure:
224 goto unlock; 219 goto unlock;
@@ -255,19 +250,19 @@ ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
255 return EBT_CONTINUE; 250 return EBT_CONTINUE;
256} 251}
257 252
258static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par) 253static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
259{ 254{
260 struct ebt_ulog_info *uloginfo = par->targinfo; 255 struct ebt_ulog_info *uloginfo = par->targinfo;
261 256
262 if (uloginfo->nlgroup > 31) 257 if (uloginfo->nlgroup > 31)
263 return false; 258 return -EINVAL;
264 259
265 uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0'; 260 uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
266 261
267 if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN) 262 if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
268 uloginfo->qthreshold = EBT_ULOG_MAX_QLEN; 263 uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
269 264
270 return true; 265 return 0;
271} 266}
272 267
273static struct xt_target ebt_ulog_tg_reg __read_mostly = { 268static struct xt_target ebt_ulog_tg_reg __read_mostly = {
@@ -292,8 +287,8 @@ static int __init ebt_ulog_init(void)
292 int i; 287 int i;
293 288
294 if (nlbufsiz >= 128*1024) { 289 if (nlbufsiz >= 128*1024) {
295 printk(KERN_NOTICE "ebt_ulog: Netlink buffer has to be <= 128kB," 290 pr_warning("Netlink buffer has to be <= 128kB,"
296 " please try a smaller nlbufsiz parameter.\n"); 291 " please try a smaller nlbufsiz parameter.\n");
297 return -EINVAL; 292 return -EINVAL;
298 } 293 }
299 294
@@ -306,13 +301,10 @@ static int __init ebt_ulog_init(void)
306 ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG, 301 ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG,
307 EBT_ULOG_MAXNLGROUPS, NULL, NULL, 302 EBT_ULOG_MAXNLGROUPS, NULL, NULL,
308 THIS_MODULE); 303 THIS_MODULE);
309 if (!ebtulognl) { 304 if (!ebtulognl)
310 printk(KERN_WARNING KBUILD_MODNAME ": out of memory trying to "
311 "call netlink_kernel_create\n");
312 ret = -ENOMEM; 305 ret = -ENOMEM;
313 } else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0) { 306 else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0)
314 netlink_kernel_release(ebtulognl); 307 netlink_kernel_release(ebtulognl);
315 }
316 308
317 if (ret == 0) 309 if (ret == 0)
318 nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger); 310 nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger);
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index be1dd2e1f615..bf8ae5c7a0c5 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -26,17 +26,12 @@
26#include <linux/netfilter_bridge/ebtables.h> 26#include <linux/netfilter_bridge/ebtables.h>
27#include <linux/netfilter_bridge/ebt_vlan.h> 27#include <linux/netfilter_bridge/ebt_vlan.h>
28 28
29static int debug;
30#define MODULE_VERS "0.6" 29#define MODULE_VERS "0.6"
31 30
32module_param(debug, int, 0);
33MODULE_PARM_DESC(debug, "debug=1 is turn on debug messages");
34MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>"); 31MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>");
35MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match"); 32MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match");
36MODULE_LICENSE("GPL"); 33MODULE_LICENSE("GPL");
37 34
38
39#define DEBUG_MSG(args...) if (debug) printk (KERN_DEBUG "ebt_vlan: " args)
40#define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_ 35#define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_
41#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; } 36#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
42 37
@@ -84,32 +79,31 @@ ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
84 return true; 79 return true;
85} 80}
86 81
87static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par) 82static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
88{ 83{
89 struct ebt_vlan_info *info = par->matchinfo; 84 struct ebt_vlan_info *info = par->matchinfo;
90 const struct ebt_entry *e = par->entryinfo; 85 const struct ebt_entry *e = par->entryinfo;
91 86
92 /* Is it 802.1Q frame checked? */ 87 /* Is it 802.1Q frame checked? */
93 if (e->ethproto != htons(ETH_P_8021Q)) { 88 if (e->ethproto != htons(ETH_P_8021Q)) {
94 DEBUG_MSG 89 pr_debug("passed entry proto %2.4X is not 802.1Q (8100)\n",
95 ("passed entry proto %2.4X is not 802.1Q (8100)\n", 90 ntohs(e->ethproto));
96 (unsigned short) ntohs(e->ethproto)); 91 return -EINVAL;
97 return false;
98 } 92 }
99 93
100 /* Check for bitmask range 94 /* Check for bitmask range
101 * True if even one bit is out of mask */ 95 * True if even one bit is out of mask */
102 if (info->bitmask & ~EBT_VLAN_MASK) { 96 if (info->bitmask & ~EBT_VLAN_MASK) {
103 DEBUG_MSG("bitmask %2X is out of mask (%2X)\n", 97 pr_debug("bitmask %2X is out of mask (%2X)\n",
104 info->bitmask, EBT_VLAN_MASK); 98 info->bitmask, EBT_VLAN_MASK);
105 return false; 99 return -EINVAL;
106 } 100 }
107 101
108 /* Check for inversion flags range */ 102 /* Check for inversion flags range */
109 if (info->invflags & ~EBT_VLAN_MASK) { 103 if (info->invflags & ~EBT_VLAN_MASK) {
110 DEBUG_MSG("inversion flags %2X is out of mask (%2X)\n", 104 pr_debug("inversion flags %2X is out of mask (%2X)\n",
111 info->invflags, EBT_VLAN_MASK); 105 info->invflags, EBT_VLAN_MASK);
112 return false; 106 return -EINVAL;
113 } 107 }
114 108
115 /* Reserved VLAN ID (VID) values 109 /* Reserved VLAN ID (VID) values
@@ -121,10 +115,9 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
121 if (GET_BITMASK(EBT_VLAN_ID)) { 115 if (GET_BITMASK(EBT_VLAN_ID)) {
122 if (!!info->id) { /* if id!=0 => check vid range */ 116 if (!!info->id) { /* if id!=0 => check vid range */
123 if (info->id > VLAN_GROUP_ARRAY_LEN) { 117 if (info->id > VLAN_GROUP_ARRAY_LEN) {
124 DEBUG_MSG 118 pr_debug("id %d is out of range (1-4096)\n",
125 ("id %d is out of range (1-4096)\n", 119 info->id);
126 info->id); 120 return -EINVAL;
127 return false;
128 } 121 }
129 /* Note: This is valid VLAN-tagged frame point. 122 /* Note: This is valid VLAN-tagged frame point.
130 * Any value of user_priority are acceptable, 123 * Any value of user_priority are acceptable,
@@ -137,9 +130,9 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
137 130
138 if (GET_BITMASK(EBT_VLAN_PRIO)) { 131 if (GET_BITMASK(EBT_VLAN_PRIO)) {
139 if ((unsigned char) info->prio > 7) { 132 if ((unsigned char) info->prio > 7) {
140 DEBUG_MSG("prio %d is out of range (0-7)\n", 133 pr_debug("prio %d is out of range (0-7)\n",
141 info->prio); 134 info->prio);
142 return false; 135 return -EINVAL;
143 } 136 }
144 } 137 }
145 /* Check for encapsulated proto range - it is possible to be 138 /* Check for encapsulated proto range - it is possible to be
@@ -147,14 +140,13 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
147 * if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS */ 140 * if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS */
148 if (GET_BITMASK(EBT_VLAN_ENCAP)) { 141 if (GET_BITMASK(EBT_VLAN_ENCAP)) {
149 if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) { 142 if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) {
150 DEBUG_MSG 143 pr_debug("encap frame length %d is less than "
151 ("encap frame length %d is less than minimal\n", 144 "minimal\n", ntohs(info->encap));
152 ntohs(info->encap)); 145 return -EINVAL;
153 return false;
154 } 146 }
155 } 147 }
156 148
157 return true; 149 return 0;
158} 150}
159 151
160static struct xt_match ebt_vlan_mt_reg __read_mostly = { 152static struct xt_match ebt_vlan_mt_reg __read_mostly = {
@@ -169,9 +161,7 @@ static struct xt_match ebt_vlan_mt_reg __read_mostly = {
169 161
170static int __init ebt_vlan_init(void) 162static int __init ebt_vlan_init(void)
171{ 163{
172 DEBUG_MSG("ebtables 802.1Q extension module v" 164 pr_debug("ebtables 802.1Q extension module v" MODULE_VERS "\n");
173 MODULE_VERS "\n");
174 DEBUG_MSG("module debug=%d\n", !!debug);
175 return xt_register_match(&ebt_vlan_mt_reg); 165 return xt_register_match(&ebt_vlan_mt_reg);
176} 166}
177 167
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index f0865fd1e3ec..1d8c2c0a7470 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -14,8 +14,7 @@
14 * as published by the Free Software Foundation; either version 14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version. 15 * 2 of the License, or (at your option) any later version.
16 */ 16 */
17 17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18
19#include <linux/kmod.h> 18#include <linux/kmod.h>
20#include <linux/module.h> 19#include <linux/module.h>
21#include <linux/vmalloc.h> 20#include <linux/vmalloc.h>
@@ -363,12 +362,9 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
363 left - sizeof(struct ebt_entry_match) < m->match_size) 362 left - sizeof(struct ebt_entry_match) < m->match_size)
364 return -EINVAL; 363 return -EINVAL;
365 364
366 match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE, 365 match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
367 m->u.name, 0), "ebt_%s", m->u.name);
368 if (IS_ERR(match)) 366 if (IS_ERR(match))
369 return PTR_ERR(match); 367 return PTR_ERR(match);
370 if (match == NULL)
371 return -ENOENT;
372 m->u.match = match; 368 m->u.match = match;
373 369
374 par->match = match; 370 par->match = match;
@@ -397,13 +393,9 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
397 left - sizeof(struct ebt_entry_watcher) < w->watcher_size) 393 left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
398 return -EINVAL; 394 return -EINVAL;
399 395
400 watcher = try_then_request_module( 396 watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
401 xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
402 "ebt_%s", w->u.name);
403 if (IS_ERR(watcher)) 397 if (IS_ERR(watcher))
404 return PTR_ERR(watcher); 398 return PTR_ERR(watcher);
405 if (watcher == NULL)
406 return -ENOENT;
407 w->u.watcher = watcher; 399 w->u.watcher = watcher;
408 400
409 par->target = watcher; 401 par->target = watcher;
@@ -716,15 +708,10 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
716 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset); 708 t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
717 gap = e->next_offset - e->target_offset; 709 gap = e->next_offset - e->target_offset;
718 710
719 target = try_then_request_module( 711 target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
720 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
721 "ebt_%s", t->u.name);
722 if (IS_ERR(target)) { 712 if (IS_ERR(target)) {
723 ret = PTR_ERR(target); 713 ret = PTR_ERR(target);
724 goto cleanup_watchers; 714 goto cleanup_watchers;
725 } else if (target == NULL) {
726 ret = -ENOENT;
727 goto cleanup_watchers;
728 } 715 }
729 716
730 t->u.target = target; 717 t->u.target = target;
@@ -2128,7 +2115,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
2128 return ret; 2115 return ret;
2129 new_offset += ret; 2116 new_offset += ret;
2130 if (offsets_update && new_offset) { 2117 if (offsets_update && new_offset) {
2131 pr_debug("ebtables: change offset %d to %d\n", 2118 pr_debug("change offset %d to %d\n",
2132 offsets_update[i], offsets[j] + new_offset); 2119 offsets_update[i], offsets[j] + new_offset);
2133 offsets_update[i] = offsets[j] + new_offset; 2120 offsets_update[i] = offsets[j] + new_offset;
2134 } 2121 }
diff --git a/net/decnet/dn_neigh.c b/net/decnet/dn_neigh.c
index deb723dba44b..0363bb95cc7d 100644
--- a/net/decnet/dn_neigh.c
+++ b/net/decnet/dn_neigh.c
@@ -266,7 +266,8 @@ static int dn_long_output(struct sk_buff *skb)
266 266
267 skb_reset_network_header(skb); 267 skb_reset_network_header(skb);
268 268
269 return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet); 269 return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL,
270 neigh->dev, dn_neigh_output_packet);
270} 271}
271 272
272static int dn_short_output(struct sk_buff *skb) 273static int dn_short_output(struct sk_buff *skb)
@@ -305,7 +306,8 @@ static int dn_short_output(struct sk_buff *skb)
305 306
306 skb_reset_network_header(skb); 307 skb_reset_network_header(skb);
307 308
308 return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet); 309 return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL,
310 neigh->dev, dn_neigh_output_packet);
309} 311}
310 312
311/* 313/*
@@ -347,7 +349,8 @@ static int dn_phase3_output(struct sk_buff *skb)
347 349
348 skb_reset_network_header(skb); 350 skb_reset_network_header(skb);
349 351
350 return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet); 352 return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL,
353 neigh->dev, dn_neigh_output_packet);
351} 354}
352 355
353/* 356/*
diff --git a/net/decnet/dn_nsp_in.c b/net/decnet/dn_nsp_in.c
index 25a37299bc65..b430549e2b91 100644
--- a/net/decnet/dn_nsp_in.c
+++ b/net/decnet/dn_nsp_in.c
@@ -810,7 +810,8 @@ free_out:
810 810
811int dn_nsp_rx(struct sk_buff *skb) 811int dn_nsp_rx(struct sk_buff *skb)
812{ 812{
813 return NF_HOOK(PF_DECnet, NF_DN_LOCAL_IN, skb, skb->dev, NULL, dn_nsp_rx_packet); 813 return NF_HOOK(NFPROTO_DECNET, NF_DN_LOCAL_IN, skb, skb->dev, NULL,
814 dn_nsp_rx_packet);
814} 815}
815 816
816/* 817/*
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index 70ebe74027d5..a8432e399545 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -518,7 +518,8 @@ static int dn_route_rx_long(struct sk_buff *skb)
518 ptr++; 518 ptr++;
519 cb->hops = *ptr++; /* Visit Count */ 519 cb->hops = *ptr++; /* Visit Count */
520 520
521 return NF_HOOK(PF_DECnet, NF_DN_PRE_ROUTING, skb, skb->dev, NULL, dn_route_rx_packet); 521 return NF_HOOK(NFPROTO_DECNET, NF_DN_PRE_ROUTING, skb, skb->dev, NULL,
522 dn_route_rx_packet);
522 523
523drop_it: 524drop_it:
524 kfree_skb(skb); 525 kfree_skb(skb);
@@ -544,7 +545,8 @@ static int dn_route_rx_short(struct sk_buff *skb)
544 ptr += 2; 545 ptr += 2;
545 cb->hops = *ptr & 0x3f; 546 cb->hops = *ptr & 0x3f;
546 547
547 return NF_HOOK(PF_DECnet, NF_DN_PRE_ROUTING, skb, skb->dev, NULL, dn_route_rx_packet); 548 return NF_HOOK(NFPROTO_DECNET, NF_DN_PRE_ROUTING, skb, skb->dev, NULL,
549 dn_route_rx_packet);
548 550
549drop_it: 551drop_it:
550 kfree_skb(skb); 552 kfree_skb(skb);
@@ -646,16 +648,24 @@ int dn_route_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type
646 648
647 switch(flags & DN_RT_CNTL_MSK) { 649 switch(flags & DN_RT_CNTL_MSK) {
648 case DN_RT_PKT_HELO: 650 case DN_RT_PKT_HELO:
649 return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_route_ptp_hello); 651 return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO,
652 skb, skb->dev, NULL,
653 dn_route_ptp_hello);
650 654
651 case DN_RT_PKT_L1RT: 655 case DN_RT_PKT_L1RT:
652 case DN_RT_PKT_L2RT: 656 case DN_RT_PKT_L2RT:
653 return NF_HOOK(PF_DECnet, NF_DN_ROUTE, skb, skb->dev, NULL, dn_route_discard); 657 return NF_HOOK(NFPROTO_DECNET, NF_DN_ROUTE,
658 skb, skb->dev, NULL,
659 dn_route_discard);
654 case DN_RT_PKT_ERTH: 660 case DN_RT_PKT_ERTH:
655 return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_neigh_router_hello); 661 return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO,
662 skb, skb->dev, NULL,
663 dn_neigh_router_hello);
656 664
657 case DN_RT_PKT_EEDH: 665 case DN_RT_PKT_EEDH:
658 return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_neigh_endnode_hello); 666 return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO,
667 skb, skb->dev, NULL,
668 dn_neigh_endnode_hello);
659 } 669 }
660 } else { 670 } else {
661 if (dn->parms.state != DN_DEV_S_RU) 671 if (dn->parms.state != DN_DEV_S_RU)
@@ -704,7 +714,8 @@ static int dn_output(struct sk_buff *skb)
704 cb->rt_flags |= DN_RT_F_IE; 714 cb->rt_flags |= DN_RT_F_IE;
705 cb->hops = 0; 715 cb->hops = 0;
706 716
707 return NF_HOOK(PF_DECnet, NF_DN_LOCAL_OUT, skb, NULL, dev, neigh->output); 717 return NF_HOOK(NFPROTO_DECNET, NF_DN_LOCAL_OUT, skb, NULL, dev,
718 neigh->output);
708 719
709error: 720error:
710 if (net_ratelimit()) 721 if (net_ratelimit())
@@ -753,7 +764,8 @@ static int dn_forward(struct sk_buff *skb)
753 if (rt->rt_flags & RTCF_DOREDIRECT) 764 if (rt->rt_flags & RTCF_DOREDIRECT)
754 cb->rt_flags |= DN_RT_F_IE; 765 cb->rt_flags |= DN_RT_F_IE;
755 766
756 return NF_HOOK(PF_DECnet, NF_DN_FORWARD, skb, dev, skb->dev, neigh->output); 767 return NF_HOOK(NFPROTO_DECNET, NF_DN_FORWARD, skb, dev, skb->dev,
768 neigh->output);
757 769
758drop: 770drop:
759 kfree_skb(skb); 771 kfree_skb(skb);
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index af10942b326c..56cdf68a074c 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -112,8 +112,8 @@ int ip_forward(struct sk_buff *skb)
112 112
113 skb->priority = rt_tos2priority(iph->tos); 113 skb->priority = rt_tos2priority(iph->tos);
114 114
115 return NF_HOOK(PF_INET, NF_INET_FORWARD, skb, skb->dev, rt->u.dst.dev, 115 return NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev,
116 ip_forward_finish); 116 rt->u.dst.dev, ip_forward_finish);
117 117
118sr_failed: 118sr_failed:
119 /* 119 /*
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index f8ab7a380d4a..af76de5f76de 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -266,7 +266,7 @@ int ip_local_deliver(struct sk_buff *skb)
266 return 0; 266 return 0;
267 } 267 }
268 268
269 return NF_HOOK(PF_INET, NF_INET_LOCAL_IN, skb, skb->dev, NULL, 269 return NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
270 ip_local_deliver_finish); 270 ip_local_deliver_finish);
271} 271}
272 272
@@ -444,7 +444,7 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
444 /* Must drop socket now because of tproxy. */ 444 /* Must drop socket now because of tproxy. */
445 skb_orphan(skb); 445 skb_orphan(skb);
446 446
447 return NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, dev, NULL, 447 return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, dev, NULL,
448 ip_rcv_finish); 448 ip_rcv_finish);
449 449
450inhdr_error: 450inhdr_error:
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index f0392191740b..252897443ef9 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -96,8 +96,8 @@ int __ip_local_out(struct sk_buff *skb)
96 96
97 iph->tot_len = htons(skb->len); 97 iph->tot_len = htons(skb->len);
98 ip_send_check(iph); 98 ip_send_check(iph);
99 return nf_hook(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev, 99 return nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL,
100 dst_output); 100 skb_dst(skb)->dev, dst_output);
101} 101}
102 102
103int ip_local_out(struct sk_buff *skb) 103int ip_local_out(struct sk_buff *skb)
@@ -272,8 +272,8 @@ int ip_mc_output(struct sk_buff *skb)
272 ) { 272 ) {
273 struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC); 273 struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
274 if (newskb) 274 if (newskb)
275 NF_HOOK(PF_INET, NF_INET_POST_ROUTING, newskb, 275 NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING,
276 NULL, newskb->dev, 276 newskb, NULL, newskb->dev,
277 ip_dev_loopback_xmit); 277 ip_dev_loopback_xmit);
278 } 278 }
279 279
@@ -288,12 +288,12 @@ int ip_mc_output(struct sk_buff *skb)
288 if (rt->rt_flags&RTCF_BROADCAST) { 288 if (rt->rt_flags&RTCF_BROADCAST) {
289 struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC); 289 struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
290 if (newskb) 290 if (newskb)
291 NF_HOOK(PF_INET, NF_INET_POST_ROUTING, newskb, NULL, 291 NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING, newskb,
292 newskb->dev, ip_dev_loopback_xmit); 292 NULL, newskb->dev, ip_dev_loopback_xmit);
293 } 293 }
294 294
295 return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, NULL, skb->dev, 295 return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, NULL,
296 ip_finish_output, 296 skb->dev, ip_finish_output,
297 !(IPCB(skb)->flags & IPSKB_REROUTED)); 297 !(IPCB(skb)->flags & IPSKB_REROUTED));
298} 298}
299 299
@@ -306,7 +306,7 @@ int ip_output(struct sk_buff *skb)
306 skb->dev = dev; 306 skb->dev = dev;
307 skb->protocol = htons(ETH_P_IP); 307 skb->protocol = htons(ETH_P_IP);
308 308
309 return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, NULL, dev, 309 return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, NULL, dev,
310 ip_finish_output, 310 ip_finish_output,
311 !(IPCB(skb)->flags & IPSKB_REROUTED)); 311 !(IPCB(skb)->flags & IPSKB_REROUTED));
312} 312}
@@ -469,6 +469,10 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
469 469
470 hlen = iph->ihl * 4; 470 hlen = iph->ihl * 4;
471 mtu = dst_mtu(&rt->u.dst) - hlen; /* Size of data space */ 471 mtu = dst_mtu(&rt->u.dst) - hlen; /* Size of data space */
472#ifdef CONFIG_BRIDGE_NETFILTER
473 if (skb->nf_bridge)
474 mtu -= nf_bridge_mtu_reduction(skb);
475#endif
472 IPCB(skb)->flags |= IPSKB_FRAG_COMPLETE; 476 IPCB(skb)->flags |= IPSKB_FRAG_COMPLETE;
473 477
474 /* When frag_list is given, use it. First, check its validity: 478 /* When frag_list is given, use it. First, check its validity:
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index eddfd12f55b8..f3f1c6b5c70c 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1599,7 +1599,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
1599 * not mrouter) cannot join to more than one interface - it will 1599 * not mrouter) cannot join to more than one interface - it will
1600 * result in receiving multiple packets. 1600 * result in receiving multiple packets.
1601 */ 1601 */
1602 NF_HOOK(PF_INET, NF_INET_FORWARD, skb, skb->dev, dev, 1602 NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev, dev,
1603 ipmr_forward_finish); 1603 ipmr_forward_finish);
1604 return; 1604 return;
1605 1605
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f07d77f65751..07a699059390 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -523,13 +523,11 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
523 return ret; 523 return ret;
524 524
525 t = arpt_get_target(e); 525 t = arpt_get_target(e);
526 target = try_then_request_module(xt_find_target(NFPROTO_ARP, 526 target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
527 t->u.user.name, 527 t->u.user.revision);
528 t->u.user.revision), 528 if (IS_ERR(target)) {
529 "arpt_%s", t->u.user.name);
530 if (IS_ERR(target) || !target) {
531 duprintf("find_check_entry: `%s' not found\n", t->u.user.name); 529 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
532 ret = target ? PTR_ERR(target) : -ENOENT; 530 ret = PTR_ERR(target);
533 goto out; 531 goto out;
534 } 532 }
535 t->u.kernel.target = target; 533 t->u.kernel.target = target;
@@ -651,6 +649,9 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
651 if (ret != 0) 649 if (ret != 0)
652 break; 650 break;
653 ++i; 651 ++i;
652 if (strcmp(arpt_get_target(iter)->u.user.name,
653 XT_ERROR_TARGET) == 0)
654 ++newinfo->stacksize;
654 } 655 }
655 duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret); 656 duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
656 if (ret != 0) 657 if (ret != 0)
@@ -1252,14 +1253,12 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
1252 entry_offset = (void *)e - (void *)base; 1253 entry_offset = (void *)e - (void *)base;
1253 1254
1254 t = compat_arpt_get_target(e); 1255 t = compat_arpt_get_target(e);
1255 target = try_then_request_module(xt_find_target(NFPROTO_ARP, 1256 target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
1256 t->u.user.name, 1257 t->u.user.revision);
1257 t->u.user.revision), 1258 if (IS_ERR(target)) {
1258 "arpt_%s", t->u.user.name);
1259 if (IS_ERR(target) || !target) {
1260 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", 1259 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1261 t->u.user.name); 1260 t->u.user.name);
1262 ret = target ? PTR_ERR(target) : -ENOENT; 1261 ret = PTR_ERR(target);
1263 goto out; 1262 goto out;
1264 } 1263 }
1265 t->u.kernel.target = target; 1264 t->u.kernel.target = target;
@@ -1778,8 +1777,7 @@ struct xt_table *arpt_register_table(struct net *net,
1778{ 1777{
1779 int ret; 1778 int ret;
1780 struct xt_table_info *newinfo; 1779 struct xt_table_info *newinfo;
1781 struct xt_table_info bootstrap 1780 struct xt_table_info bootstrap = {0};
1782 = { 0, 0, 0, { 0 }, { 0 }, { } };
1783 void *loc_cpu_entry; 1781 void *loc_cpu_entry;
1784 struct xt_table *new_table; 1782 struct xt_table *new_table;
1785 1783
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index b0d5b1d0a769..4b51a027f307 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -54,7 +54,7 @@ target(struct sk_buff *skb, const struct xt_target_param *par)
54 return mangle->target; 54 return mangle->target;
55} 55}
56 56
57static bool checkentry(const struct xt_tgchk_param *par) 57static int checkentry(const struct xt_tgchk_param *par)
58{ 58{
59 const struct arpt_mangle *mangle = par->targinfo; 59 const struct arpt_mangle *mangle = par->targinfo;
60 60
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index e2787048aa0a..c838238104f5 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -161,8 +161,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
161 break; 161 break;
162 162
163 case IPQ_COPY_PACKET: 163 case IPQ_COPY_PACKET:
164 if ((entry->skb->ip_summed == CHECKSUM_PARTIAL || 164 if (entry->skb->ip_summed == CHECKSUM_PARTIAL &&
165 entry->skb->ip_summed == CHECKSUM_COMPLETE) &&
166 (*errp = skb_checksum_help(entry->skb))) { 165 (*errp = skb_checksum_help(entry->skb))) {
167 read_unlock_bh(&queue_lock); 166 read_unlock_bh(&queue_lock);
168 return NULL; 167 return NULL;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index b29c66df8d1f..3e6af1036fbc 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -39,13 +39,13 @@ MODULE_DESCRIPTION("IPv4 packet filter");
39/*#define DEBUG_IP_FIREWALL_USER*/ 39/*#define DEBUG_IP_FIREWALL_USER*/
40 40
41#ifdef DEBUG_IP_FIREWALL 41#ifdef DEBUG_IP_FIREWALL
42#define dprintf(format, args...) printk(format , ## args) 42#define dprintf(format, args...) pr_info(format , ## args)
43#else 43#else
44#define dprintf(format, args...) 44#define dprintf(format, args...)
45#endif 45#endif
46 46
47#ifdef DEBUG_IP_FIREWALL_USER 47#ifdef DEBUG_IP_FIREWALL_USER
48#define duprintf(format, args...) printk(format , ## args) 48#define duprintf(format, args...) pr_info(format , ## args)
49#else 49#else
50#define duprintf(format, args...) 50#define duprintf(format, args...)
51#endif 51#endif
@@ -168,8 +168,7 @@ static unsigned int
168ipt_error(struct sk_buff *skb, const struct xt_target_param *par) 168ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
169{ 169{
170 if (net_ratelimit()) 170 if (net_ratelimit())
171 printk("ip_tables: error: `%s'\n", 171 pr_info("error: `%s'\n", (const char *)par->targinfo);
172 (const char *)par->targinfo);
173 172
174 return NF_DROP; 173 return NF_DROP;
175} 174}
@@ -322,8 +321,6 @@ ipt_do_table(struct sk_buff *skb,
322 const struct net_device *out, 321 const struct net_device *out,
323 struct xt_table *table) 322 struct xt_table *table)
324{ 323{
325#define tb_comefrom ((struct ipt_entry *)table_base)->comefrom
326
327 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 324 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
328 const struct iphdr *ip; 325 const struct iphdr *ip;
329 bool hotdrop = false; 326 bool hotdrop = false;
@@ -331,7 +328,8 @@ ipt_do_table(struct sk_buff *skb,
331 unsigned int verdict = NF_DROP; 328 unsigned int verdict = NF_DROP;
332 const char *indev, *outdev; 329 const char *indev, *outdev;
333 const void *table_base; 330 const void *table_base;
334 struct ipt_entry *e, *back; 331 struct ipt_entry *e, **jumpstack;
332 unsigned int *stackptr, origptr, cpu;
335 const struct xt_table_info *private; 333 const struct xt_table_info *private;
336 struct xt_match_param mtpar; 334 struct xt_match_param mtpar;
337 struct xt_target_param tgpar; 335 struct xt_target_param tgpar;
@@ -357,19 +355,23 @@ ipt_do_table(struct sk_buff *skb,
357 IP_NF_ASSERT(table->valid_hooks & (1 << hook)); 355 IP_NF_ASSERT(table->valid_hooks & (1 << hook));
358 xt_info_rdlock_bh(); 356 xt_info_rdlock_bh();
359 private = table->private; 357 private = table->private;
360 table_base = private->entries[smp_processor_id()]; 358 cpu = smp_processor_id();
359 table_base = private->entries[cpu];
360 jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
361 stackptr = &private->stackptr[cpu];
362 origptr = *stackptr;
361 363
362 e = get_entry(table_base, private->hook_entry[hook]); 364 e = get_entry(table_base, private->hook_entry[hook]);
363 365
364 /* For return from builtin chain */ 366 pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n",
365 back = get_entry(table_base, private->underflow[hook]); 367 table->name, hook, origptr,
368 get_entry(table_base, private->underflow[hook]));
366 369
367 do { 370 do {
368 const struct ipt_entry_target *t; 371 const struct ipt_entry_target *t;
369 const struct xt_entry_match *ematch; 372 const struct xt_entry_match *ematch;
370 373
371 IP_NF_ASSERT(e); 374 IP_NF_ASSERT(e);
372 IP_NF_ASSERT(back);
373 if (!ip_packet_match(ip, indev, outdev, 375 if (!ip_packet_match(ip, indev, outdev,
374 &e->ip, mtpar.fragoff)) { 376 &e->ip, mtpar.fragoff)) {
375 no_match: 377 no_match:
@@ -404,41 +406,39 @@ ipt_do_table(struct sk_buff *skb,
404 verdict = (unsigned)(-v) - 1; 406 verdict = (unsigned)(-v) - 1;
405 break; 407 break;
406 } 408 }
407 e = back; 409 if (*stackptr == 0) {
408 back = get_entry(table_base, back->comefrom); 410 e = get_entry(table_base,
411 private->underflow[hook]);
412 pr_debug("Underflow (this is normal) "
413 "to %p\n", e);
414 } else {
415 e = jumpstack[--*stackptr];
416 pr_debug("Pulled %p out from pos %u\n",
417 e, *stackptr);
418 e = ipt_next_entry(e);
419 }
409 continue; 420 continue;
410 } 421 }
411 if (table_base + v != ipt_next_entry(e) && 422 if (table_base + v != ipt_next_entry(e) &&
412 !(e->ip.flags & IPT_F_GOTO)) { 423 !(e->ip.flags & IPT_F_GOTO)) {
413 /* Save old back ptr in next entry */ 424 if (*stackptr >= private->stacksize) {
414 struct ipt_entry *next = ipt_next_entry(e); 425 verdict = NF_DROP;
415 next->comefrom = (void *)back - table_base; 426 break;
416 /* set back pointer to next entry */ 427 }
417 back = next; 428 jumpstack[(*stackptr)++] = e;
429 pr_debug("Pushed %p into pos %u\n",
430 e, *stackptr - 1);
418 } 431 }
419 432
420 e = get_entry(table_base, v); 433 e = get_entry(table_base, v);
421 continue; 434 continue;
422 } 435 }
423 436
424 /* Targets which reenter must return
425 abs. verdicts */
426 tgpar.target = t->u.kernel.target; 437 tgpar.target = t->u.kernel.target;
427 tgpar.targinfo = t->data; 438 tgpar.targinfo = t->data;
428 439
429 440
430#ifdef CONFIG_NETFILTER_DEBUG
431 tb_comefrom = 0xeeeeeeec;
432#endif
433 verdict = t->u.kernel.target->target(skb, &tgpar); 441 verdict = t->u.kernel.target->target(skb, &tgpar);
434#ifdef CONFIG_NETFILTER_DEBUG
435 if (tb_comefrom != 0xeeeeeeec && verdict == IPT_CONTINUE) {
436 printk("Target %s reentered!\n",
437 t->u.kernel.target->name);
438 verdict = NF_DROP;
439 }
440 tb_comefrom = 0x57acc001;
441#endif
442 /* Target might have changed stuff. */ 442 /* Target might have changed stuff. */
443 ip = ip_hdr(skb); 443 ip = ip_hdr(skb);
444 if (verdict == IPT_CONTINUE) 444 if (verdict == IPT_CONTINUE)
@@ -448,7 +448,9 @@ ipt_do_table(struct sk_buff *skb,
448 break; 448 break;
449 } while (!hotdrop); 449 } while (!hotdrop);
450 xt_info_rdunlock_bh(); 450 xt_info_rdunlock_bh();
451 451 pr_debug("Exiting %s; resetting sp from %u to %u\n",
452 __func__, *stackptr, origptr);
453 *stackptr = origptr;
452#ifdef DEBUG_ALLOW_ALL 454#ifdef DEBUG_ALLOW_ALL
453 return NF_ACCEPT; 455 return NF_ACCEPT;
454#else 456#else
@@ -456,8 +458,6 @@ ipt_do_table(struct sk_buff *skb,
456 return NF_DROP; 458 return NF_DROP;
457 else return verdict; 459 else return verdict;
458#endif 460#endif
459
460#undef tb_comefrom
461} 461}
462 462
463/* Figures out from what hook each rule can be called: returns 0 if 463/* Figures out from what hook each rule can be called: returns 0 if
@@ -591,7 +591,7 @@ check_entry(const struct ipt_entry *e, const char *name)
591 const struct ipt_entry_target *t; 591 const struct ipt_entry_target *t;
592 592
593 if (!ip_checkentry(&e->ip)) { 593 if (!ip_checkentry(&e->ip)) {
594 duprintf("ip_tables: ip check failed %p %s.\n", e, name); 594 duprintf("ip check failed %p %s.\n", e, name);
595 return -EINVAL; 595 return -EINVAL;
596 } 596 }
597 597
@@ -618,8 +618,7 @@ check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
618 ret = xt_check_match(par, m->u.match_size - sizeof(*m), 618 ret = xt_check_match(par, m->u.match_size - sizeof(*m),
619 ip->proto, ip->invflags & IPT_INV_PROTO); 619 ip->proto, ip->invflags & IPT_INV_PROTO);
620 if (ret < 0) { 620 if (ret < 0) {
621 duprintf("ip_tables: check failed for `%s'.\n", 621 duprintf("check failed for `%s'.\n", par.match->name);
622 par.match->name);
623 return ret; 622 return ret;
624 } 623 }
625 return 0; 624 return 0;
@@ -631,12 +630,11 @@ find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
631 struct xt_match *match; 630 struct xt_match *match;
632 int ret; 631 int ret;
633 632
634 match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name, 633 match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
635 m->u.user.revision), 634 m->u.user.revision);
636 "ipt_%s", m->u.user.name); 635 if (IS_ERR(match)) {
637 if (IS_ERR(match) || !match) {
638 duprintf("find_check_match: `%s' not found\n", m->u.user.name); 636 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
639 return match ? PTR_ERR(match) : -ENOENT; 637 return PTR_ERR(match);
640 } 638 }
641 m->u.kernel.match = match; 639 m->u.kernel.match = match;
642 640
@@ -667,7 +665,7 @@ static int check_target(struct ipt_entry *e, struct net *net, const char *name)
667 ret = xt_check_target(&par, t->u.target_size - sizeof(*t), 665 ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
668 e->ip.proto, e->ip.invflags & IPT_INV_PROTO); 666 e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
669 if (ret < 0) { 667 if (ret < 0) {
670 duprintf("ip_tables: check failed for `%s'.\n", 668 duprintf("check failed for `%s'.\n",
671 t->u.kernel.target->name); 669 t->u.kernel.target->name);
672 return ret; 670 return ret;
673 } 671 }
@@ -703,13 +701,11 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
703 } 701 }
704 702
705 t = ipt_get_target(e); 703 t = ipt_get_target(e);
706 target = try_then_request_module(xt_find_target(AF_INET, 704 target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
707 t->u.user.name, 705 t->u.user.revision);
708 t->u.user.revision), 706 if (IS_ERR(target)) {
709 "ipt_%s", t->u.user.name);
710 if (IS_ERR(target) || !target) {
711 duprintf("find_check_entry: `%s' not found\n", t->u.user.name); 707 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
712 ret = target ? PTR_ERR(target) : -ENOENT; 708 ret = PTR_ERR(target);
713 goto cleanup_matches; 709 goto cleanup_matches;
714 } 710 }
715 t->u.kernel.target = target; 711 t->u.kernel.target = target;
@@ -843,6 +839,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
843 if (ret != 0) 839 if (ret != 0)
844 return ret; 840 return ret;
845 ++i; 841 ++i;
842 if (strcmp(ipt_get_target(iter)->u.user.name,
843 XT_ERROR_TARGET) == 0)
844 ++newinfo->stacksize;
846 } 845 }
847 846
848 if (i != repl->num_entries) { 847 if (i != repl->num_entries) {
@@ -1311,7 +1310,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
1311 if (ret != 0) 1310 if (ret != 0)
1312 goto free_newinfo; 1311 goto free_newinfo;
1313 1312
1314 duprintf("ip_tables: Translated table\n"); 1313 duprintf("Translated table\n");
1315 1314
1316 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo, 1315 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1317 tmp.num_counters, tmp.counters); 1316 tmp.num_counters, tmp.counters);
@@ -1476,13 +1475,12 @@ compat_find_calc_match(struct ipt_entry_match *m,
1476{ 1475{
1477 struct xt_match *match; 1476 struct xt_match *match;
1478 1477
1479 match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name, 1478 match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
1480 m->u.user.revision), 1479 m->u.user.revision);
1481 "ipt_%s", m->u.user.name); 1480 if (IS_ERR(match)) {
1482 if (IS_ERR(match) || !match) {
1483 duprintf("compat_check_calc_match: `%s' not found\n", 1481 duprintf("compat_check_calc_match: `%s' not found\n",
1484 m->u.user.name); 1482 m->u.user.name);
1485 return match ? PTR_ERR(match) : -ENOENT; 1483 return PTR_ERR(match);
1486 } 1484 }
1487 m->u.kernel.match = match; 1485 m->u.kernel.match = match;
1488 *size += xt_compat_match_offset(match); 1486 *size += xt_compat_match_offset(match);
@@ -1549,14 +1547,12 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
1549 } 1547 }
1550 1548
1551 t = compat_ipt_get_target(e); 1549 t = compat_ipt_get_target(e);
1552 target = try_then_request_module(xt_find_target(AF_INET, 1550 target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
1553 t->u.user.name, 1551 t->u.user.revision);
1554 t->u.user.revision), 1552 if (IS_ERR(target)) {
1555 "ipt_%s", t->u.user.name);
1556 if (IS_ERR(target) || !target) {
1557 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", 1553 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1558 t->u.user.name); 1554 t->u.user.name);
1559 ret = target ? PTR_ERR(target) : -ENOENT; 1555 ret = PTR_ERR(target);
1560 goto release_matches; 1556 goto release_matches;
1561 } 1557 }
1562 t->u.kernel.target = target; 1558 t->u.kernel.target = target;
@@ -2094,8 +2090,7 @@ struct xt_table *ipt_register_table(struct net *net,
2094{ 2090{
2095 int ret; 2091 int ret;
2096 struct xt_table_info *newinfo; 2092 struct xt_table_info *newinfo;
2097 struct xt_table_info bootstrap 2093 struct xt_table_info bootstrap = {0};
2098 = { 0, 0, 0, { 0 }, { 0 }, { } };
2099 void *loc_cpu_entry; 2094 void *loc_cpu_entry;
2100 struct xt_table *new_table; 2095 struct xt_table *new_table;
2101 2096
@@ -2184,12 +2179,12 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
2184 !!(icmpinfo->invflags&IPT_ICMP_INV)); 2179 !!(icmpinfo->invflags&IPT_ICMP_INV));
2185} 2180}
2186 2181
2187static bool icmp_checkentry(const struct xt_mtchk_param *par) 2182static int icmp_checkentry(const struct xt_mtchk_param *par)
2188{ 2183{
2189 const struct ipt_icmp *icmpinfo = par->matchinfo; 2184 const struct ipt_icmp *icmpinfo = par->matchinfo;
2190 2185
2191 /* Must specify no unknown invflags */ 2186 /* Must specify no unknown invflags */
2192 return !(icmpinfo->invflags & ~IPT_ICMP_INV); 2187 return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
2193} 2188}
2194 2189
2195/* The built-in targets: standard (NULL) and error. */ 2190/* The built-in targets: standard (NULL) and error. */
@@ -2276,7 +2271,7 @@ static int __init ip_tables_init(void)
2276 if (ret < 0) 2271 if (ret < 0)
2277 goto err5; 2272 goto err5;
2278 2273
2279 printk(KERN_INFO "ip_tables: (C) 2000-2006 Netfilter Core Team\n"); 2274 pr_info("(C) 2000-2006 Netfilter Core Team\n");
2280 return 0; 2275 return 0;
2281 2276
2282err5: 2277err5:
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index a992dc826f1c..8815d458de46 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -9,6 +9,7 @@
9 * published by the Free Software Foundation. 9 * published by the Free Software Foundation.
10 * 10 *
11 */ 11 */
12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12#include <linux/module.h> 13#include <linux/module.h>
13#include <linux/proc_fs.h> 14#include <linux/proc_fs.h>
14#include <linux/jhash.h> 15#include <linux/jhash.h>
@@ -239,8 +240,7 @@ clusterip_hashfn(const struct sk_buff *skb,
239 break; 240 break;
240 default: 241 default:
241 if (net_ratelimit()) 242 if (net_ratelimit())
242 printk(KERN_NOTICE "CLUSTERIP: unknown protocol `%u'\n", 243 pr_info("unknown protocol %u\n", iph->protocol);
243 iph->protocol);
244 sport = dport = 0; 244 sport = dport = 0;
245 } 245 }
246 246
@@ -262,7 +262,7 @@ clusterip_hashfn(const struct sk_buff *skb,
262 hashval = 0; 262 hashval = 0;
263 /* This cannot happen, unless the check function wasn't called 263 /* This cannot happen, unless the check function wasn't called
264 * at rule load time */ 264 * at rule load time */
265 printk("CLUSTERIP: unknown mode `%u'\n", config->hash_mode); 265 pr_info("unknown mode %u\n", config->hash_mode);
266 BUG(); 266 BUG();
267 break; 267 break;
268 } 268 }
@@ -295,7 +295,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
295 295
296 ct = nf_ct_get(skb, &ctinfo); 296 ct = nf_ct_get(skb, &ctinfo);
297 if (ct == NULL) { 297 if (ct == NULL) {
298 printk(KERN_ERR "CLUSTERIP: no conntrack!\n"); 298 pr_info("no conntrack!\n");
299 /* FIXME: need to drop invalid ones, since replies 299 /* FIXME: need to drop invalid ones, since replies
300 * to outgoing connections of other nodes will be 300 * to outgoing connections of other nodes will be
301 * marked as INVALID */ 301 * marked as INVALID */
@@ -348,25 +348,24 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
348 return XT_CONTINUE; 348 return XT_CONTINUE;
349} 349}
350 350
351static bool clusterip_tg_check(const struct xt_tgchk_param *par) 351static int clusterip_tg_check(const struct xt_tgchk_param *par)
352{ 352{
353 struct ipt_clusterip_tgt_info *cipinfo = par->targinfo; 353 struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
354 const struct ipt_entry *e = par->entryinfo; 354 const struct ipt_entry *e = par->entryinfo;
355
356 struct clusterip_config *config; 355 struct clusterip_config *config;
356 int ret;
357 357
358 if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP && 358 if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
359 cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT && 359 cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
360 cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) { 360 cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
361 printk(KERN_WARNING "CLUSTERIP: unknown mode `%u'\n", 361 pr_info("unknown mode %u\n", cipinfo->hash_mode);
362 cipinfo->hash_mode); 362 return -EINVAL;
363 return false;
364 363
365 } 364 }
366 if (e->ip.dmsk.s_addr != htonl(0xffffffff) || 365 if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
367 e->ip.dst.s_addr == 0) { 366 e->ip.dst.s_addr == 0) {
368 printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n"); 367 pr_info("Please specify destination IP\n");
369 return false; 368 return -EINVAL;
370 } 369 }
371 370
372 /* FIXME: further sanity checks */ 371 /* FIXME: further sanity checks */
@@ -374,41 +373,41 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
374 config = clusterip_config_find_get(e->ip.dst.s_addr, 1); 373 config = clusterip_config_find_get(e->ip.dst.s_addr, 1);
375 if (!config) { 374 if (!config) {
376 if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) { 375 if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
377 printk(KERN_WARNING "CLUSTERIP: no config found for %pI4, need 'new'\n", &e->ip.dst.s_addr); 376 pr_info("no config found for %pI4, need 'new'\n",
378 return false; 377 &e->ip.dst.s_addr);
378 return -EINVAL;
379 } else { 379 } else {
380 struct net_device *dev; 380 struct net_device *dev;
381 381
382 if (e->ip.iniface[0] == '\0') { 382 if (e->ip.iniface[0] == '\0') {
383 printk(KERN_WARNING "CLUSTERIP: Please specify an interface name\n"); 383 pr_info("Please specify an interface name\n");
384 return false; 384 return -EINVAL;
385 } 385 }
386 386
387 dev = dev_get_by_name(&init_net, e->ip.iniface); 387 dev = dev_get_by_name(&init_net, e->ip.iniface);
388 if (!dev) { 388 if (!dev) {
389 printk(KERN_WARNING "CLUSTERIP: no such interface %s\n", e->ip.iniface); 389 pr_info("no such interface %s\n",
390 return false; 390 e->ip.iniface);
391 return -ENOENT;
391 } 392 }
392 393
393 config = clusterip_config_init(cipinfo, 394 config = clusterip_config_init(cipinfo,
394 e->ip.dst.s_addr, dev); 395 e->ip.dst.s_addr, dev);
395 if (!config) { 396 if (!config) {
396 printk(KERN_WARNING "CLUSTERIP: cannot allocate config\n"); 397 pr_info("cannot allocate config\n");
397 dev_put(dev); 398 dev_put(dev);
398 return false; 399 return -ENOMEM;
399 } 400 }
400 dev_mc_add(config->dev, config->clustermac); 401 dev_mc_add(config->dev, config->clustermac);
401 } 402 }
402 } 403 }
403 cipinfo->config = config; 404 cipinfo->config = config;
404 405
405 if (nf_ct_l3proto_try_module_get(par->target->family) < 0) { 406 ret = nf_ct_l3proto_try_module_get(par->family);
406 printk(KERN_WARNING "can't load conntrack support for " 407 if (ret < 0)
407 "proto=%u\n", par->target->family); 408 pr_info("cannot load conntrack support for proto=%u\n",
408 return false; 409 par->family);
409 } 410 return ret;
410
411 return true;
412} 411}
413 412
414/* drop reference count of cluster config when rule is deleted */ 413/* drop reference count of cluster config when rule is deleted */
@@ -422,7 +421,7 @@ static void clusterip_tg_destroy(const struct xt_tgdtor_param *par)
422 421
423 clusterip_config_put(cipinfo->config); 422 clusterip_config_put(cipinfo->config);
424 423
425 nf_ct_l3proto_module_put(par->target->family); 424 nf_ct_l3proto_module_put(par->family);
426} 425}
427 426
428#ifdef CONFIG_COMPAT 427#ifdef CONFIG_COMPAT
@@ -479,8 +478,8 @@ static void arp_print(struct arp_payload *payload)
479 } 478 }
480 hbuffer[--k]='\0'; 479 hbuffer[--k]='\0';
481 480
482 printk("src %pI4@%s, dst %pI4\n", 481 pr_debug("src %pI4@%s, dst %pI4\n",
483 &payload->src_ip, hbuffer, &payload->dst_ip); 482 &payload->src_ip, hbuffer, &payload->dst_ip);
484} 483}
485#endif 484#endif
486 485
@@ -519,7 +518,7 @@ arp_mangle(unsigned int hook,
519 * this wouldn't work, since we didn't subscribe the mcast group on 518 * this wouldn't work, since we didn't subscribe the mcast group on
520 * other interfaces */ 519 * other interfaces */
521 if (c->dev != out) { 520 if (c->dev != out) {
522 pr_debug("CLUSTERIP: not mangling arp reply on different " 521 pr_debug("not mangling arp reply on different "
523 "interface: cip'%s'-skb'%s'\n", 522 "interface: cip'%s'-skb'%s'\n",
524 c->dev->name, out->name); 523 c->dev->name, out->name);
525 clusterip_config_put(c); 524 clusterip_config_put(c);
@@ -530,7 +529,7 @@ arp_mangle(unsigned int hook,
530 memcpy(payload->src_hw, c->clustermac, arp->ar_hln); 529 memcpy(payload->src_hw, c->clustermac, arp->ar_hln);
531 530
532#ifdef DEBUG 531#ifdef DEBUG
533 pr_debug(KERN_DEBUG "CLUSTERIP mangled arp reply: "); 532 pr_debug("mangled arp reply: ");
534 arp_print(payload); 533 arp_print(payload);
535#endif 534#endif
536 535
@@ -601,7 +600,8 @@ static void *clusterip_seq_next(struct seq_file *s, void *v, loff_t *pos)
601 600
602static void clusterip_seq_stop(struct seq_file *s, void *v) 601static void clusterip_seq_stop(struct seq_file *s, void *v)
603{ 602{
604 kfree(v); 603 if (!IS_ERR(v))
604 kfree(v);
605} 605}
606 606
607static int clusterip_seq_show(struct seq_file *s, void *v) 607static int clusterip_seq_show(struct seq_file *s, void *v)
@@ -706,13 +706,13 @@ static int __init clusterip_tg_init(void)
706#ifdef CONFIG_PROC_FS 706#ifdef CONFIG_PROC_FS
707 clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net); 707 clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net);
708 if (!clusterip_procdir) { 708 if (!clusterip_procdir) {
709 printk(KERN_ERR "CLUSTERIP: Unable to proc dir entry\n"); 709 pr_err("Unable to proc dir entry\n");
710 ret = -ENOMEM; 710 ret = -ENOMEM;
711 goto cleanup_hook; 711 goto cleanup_hook;
712 } 712 }
713#endif /* CONFIG_PROC_FS */ 713#endif /* CONFIG_PROC_FS */
714 714
715 printk(KERN_NOTICE "ClusterIP Version %s loaded successfully\n", 715 pr_info("ClusterIP Version %s loaded successfully\n",
716 CLUSTERIP_VERSION); 716 CLUSTERIP_VERSION);
717 return 0; 717 return 0;
718 718
@@ -727,8 +727,7 @@ cleanup_target:
727 727
728static void __exit clusterip_tg_exit(void) 728static void __exit clusterip_tg_exit(void)
729{ 729{
730 printk(KERN_NOTICE "ClusterIP Version %s unloading\n", 730 pr_info("ClusterIP Version %s unloading\n", CLUSTERIP_VERSION);
731 CLUSTERIP_VERSION);
732#ifdef CONFIG_PROC_FS 731#ifdef CONFIG_PROC_FS
733 remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent); 732 remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
734#endif 733#endif
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index ea5cea2415c1..563049f31aef 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8*/ 8*/
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/in.h> 10#include <linux/in.h>
11#include <linux/module.h> 11#include <linux/module.h>
12#include <linux/skbuff.h> 12#include <linux/skbuff.h>
@@ -93,28 +93,25 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
93 return XT_CONTINUE; 93 return XT_CONTINUE;
94} 94}
95 95
96static bool ecn_tg_check(const struct xt_tgchk_param *par) 96static int ecn_tg_check(const struct xt_tgchk_param *par)
97{ 97{
98 const struct ipt_ECN_info *einfo = par->targinfo; 98 const struct ipt_ECN_info *einfo = par->targinfo;
99 const struct ipt_entry *e = par->entryinfo; 99 const struct ipt_entry *e = par->entryinfo;
100 100
101 if (einfo->operation & IPT_ECN_OP_MASK) { 101 if (einfo->operation & IPT_ECN_OP_MASK) {
102 printk(KERN_WARNING "ECN: unsupported ECN operation %x\n", 102 pr_info("unsupported ECN operation %x\n", einfo->operation);
103 einfo->operation); 103 return -EINVAL;
104 return false;
105 } 104 }
106 if (einfo->ip_ect & ~IPT_ECN_IP_MASK) { 105 if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
107 printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n", 106 pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
108 einfo->ip_ect); 107 return -EINVAL;
109 return false;
110 } 108 }
111 if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) && 109 if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
112 (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) { 110 (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
113 printk(KERN_WARNING "ECN: cannot use TCP operations on a " 111 pr_info("cannot use TCP operations on a non-tcp rule\n");
114 "non-tcp rule\n"); 112 return -EINVAL;
115 return false;
116 } 113 }
117 return true; 114 return 0;
118} 115}
119 116
120static struct xt_target ecn_tg_reg __read_mostly = { 117static struct xt_target ecn_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index ee128efa1c8d..3bd35f370817 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -9,7 +9,7 @@
9 * it under the terms of the GNU General Public License version 2 as 9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation. 10 * published by the Free Software Foundation.
11 */ 11 */
12 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/spinlock.h> 14#include <linux/spinlock.h>
15#include <linux/skbuff.h> 15#include <linux/skbuff.h>
@@ -367,7 +367,7 @@ static struct nf_loginfo default_loginfo = {
367 .type = NF_LOG_TYPE_LOG, 367 .type = NF_LOG_TYPE_LOG,
368 .u = { 368 .u = {
369 .log = { 369 .log = {
370 .level = 0, 370 .level = 5,
371 .logflags = NF_LOG_MASK, 371 .logflags = NF_LOG_MASK,
372 }, 372 },
373 }, 373 },
@@ -439,20 +439,19 @@ log_tg(struct sk_buff *skb, const struct xt_target_param *par)
439 return XT_CONTINUE; 439 return XT_CONTINUE;
440} 440}
441 441
442static bool log_tg_check(const struct xt_tgchk_param *par) 442static int log_tg_check(const struct xt_tgchk_param *par)
443{ 443{
444 const struct ipt_log_info *loginfo = par->targinfo; 444 const struct ipt_log_info *loginfo = par->targinfo;
445 445
446 if (loginfo->level >= 8) { 446 if (loginfo->level >= 8) {
447 pr_debug("LOG: level %u >= 8\n", loginfo->level); 447 pr_debug("level %u >= 8\n", loginfo->level);
448 return false; 448 return -EINVAL;
449 } 449 }
450 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { 450 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
451 pr_debug("LOG: prefix term %i\n", 451 pr_debug("prefix is not null-terminated\n");
452 loginfo->prefix[sizeof(loginfo->prefix)-1]); 452 return -EINVAL;
453 return false;
454 } 453 }
455 return true; 454 return 0;
456} 455}
457 456
458static struct xt_target log_tg_reg __read_mostly = { 457static struct xt_target log_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 650b54042b01..02b1bc477998 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -8,7 +8,7 @@
8 * it under the terms of the GNU General Public License version 2 as 8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation. 9 * published by the Free Software Foundation.
10 */ 10 */
11 11#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12#include <linux/types.h> 12#include <linux/types.h>
13#include <linux/inetdevice.h> 13#include <linux/inetdevice.h>
14#include <linux/ip.h> 14#include <linux/ip.h>
@@ -28,19 +28,19 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
28MODULE_DESCRIPTION("Xtables: automatic-address SNAT"); 28MODULE_DESCRIPTION("Xtables: automatic-address SNAT");
29 29
30/* FIXME: Multiple targets. --RR */ 30/* FIXME: Multiple targets. --RR */
31static bool masquerade_tg_check(const struct xt_tgchk_param *par) 31static int masquerade_tg_check(const struct xt_tgchk_param *par)
32{ 32{
33 const struct nf_nat_multi_range_compat *mr = par->targinfo; 33 const struct nf_nat_multi_range_compat *mr = par->targinfo;
34 34
35 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { 35 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
36 pr_debug("masquerade_check: bad MAP_IPS.\n"); 36 pr_debug("bad MAP_IPS.\n");
37 return false; 37 return -EINVAL;
38 } 38 }
39 if (mr->rangesize != 1) { 39 if (mr->rangesize != 1) {
40 pr_debug("masquerade_check: bad rangesize %u\n", mr->rangesize); 40 pr_debug("bad rangesize %u\n", mr->rangesize);
41 return false; 41 return -EINVAL;
42 } 42 }
43 return true; 43 return 0;
44} 44}
45 45
46static unsigned int 46static unsigned int
@@ -72,7 +72,7 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
72 rt = skb_rtable(skb); 72 rt = skb_rtable(skb);
73 newsrc = inet_select_addr(par->out, rt->rt_gateway, RT_SCOPE_UNIVERSE); 73 newsrc = inet_select_addr(par->out, rt->rt_gateway, RT_SCOPE_UNIVERSE);
74 if (!newsrc) { 74 if (!newsrc) {
75 printk("MASQUERADE: %s ate my IP address\n", par->out->name); 75 pr_info("%s ate my IP address\n", par->out->name);
76 return NF_DROP; 76 return NF_DROP;
77 } 77 }
78 78
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 7c29582d4ec8..708c7f8f7eea 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -9,7 +9,7 @@
9 * it under the terms of the GNU General Public License version 2 as 9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation. 10 * published by the Free Software Foundation.
11 */ 11 */
12 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/ip.h> 13#include <linux/ip.h>
14#include <linux/module.h> 14#include <linux/module.h>
15#include <linux/netdevice.h> 15#include <linux/netdevice.h>
@@ -22,19 +22,19 @@ MODULE_LICENSE("GPL");
22MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>"); 22MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
23MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets"); 23MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
24 24
25static bool netmap_tg_check(const struct xt_tgchk_param *par) 25static int netmap_tg_check(const struct xt_tgchk_param *par)
26{ 26{
27 const struct nf_nat_multi_range_compat *mr = par->targinfo; 27 const struct nf_nat_multi_range_compat *mr = par->targinfo;
28 28
29 if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) { 29 if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
30 pr_debug("NETMAP:check: bad MAP_IPS.\n"); 30 pr_debug("bad MAP_IPS.\n");
31 return false; 31 return -EINVAL;
32 } 32 }
33 if (mr->rangesize != 1) { 33 if (mr->rangesize != 1) {
34 pr_debug("NETMAP:check: bad rangesize %u.\n", mr->rangesize); 34 pr_debug("bad rangesize %u.\n", mr->rangesize);
35 return false; 35 return -EINVAL;
36 } 36 }
37 return true; 37 return 0;
38} 38}
39 39
40static unsigned int 40static unsigned int
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 698e5e78685b..3cf101916523 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/types.h> 10#include <linux/types.h>
11#include <linux/ip.h> 11#include <linux/ip.h>
12#include <linux/timer.h> 12#include <linux/timer.h>
@@ -26,19 +26,19 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
26MODULE_DESCRIPTION("Xtables: Connection redirection to localhost"); 26MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
27 27
28/* FIXME: Take multiple ranges --RR */ 28/* FIXME: Take multiple ranges --RR */
29static bool redirect_tg_check(const struct xt_tgchk_param *par) 29static int redirect_tg_check(const struct xt_tgchk_param *par)
30{ 30{
31 const struct nf_nat_multi_range_compat *mr = par->targinfo; 31 const struct nf_nat_multi_range_compat *mr = par->targinfo;
32 32
33 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) { 33 if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
34 pr_debug("redirect_check: bad MAP_IPS.\n"); 34 pr_debug("bad MAP_IPS.\n");
35 return false; 35 return -EINVAL;
36 } 36 }
37 if (mr->rangesize != 1) { 37 if (mr->rangesize != 1) {
38 pr_debug("redirect_check: bad rangesize %u.\n", mr->rangesize); 38 pr_debug("bad rangesize %u.\n", mr->rangesize);
39 return false; 39 return -EINVAL;
40 } 40 }
41 return true; 41 return 0;
42} 42}
43 43
44static unsigned int 44static unsigned int
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index a0e8bcf04159..a86135a28058 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -9,7 +9,7 @@
9 * it under the terms of the GNU General Public License version 2 as 9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation. 10 * published by the Free Software Foundation.
11 */ 11 */
12 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/skbuff.h> 14#include <linux/skbuff.h>
15#include <linux/slab.h> 15#include <linux/slab.h>
@@ -140,9 +140,6 @@ reject_tg(struct sk_buff *skb, const struct xt_target_param *par)
140{ 140{
141 const struct ipt_reject_info *reject = par->targinfo; 141 const struct ipt_reject_info *reject = par->targinfo;
142 142
143 /* WARNING: This code causes reentry within iptables.
144 This means that the iptables jump stack is now crap. We
145 must return an absolute verdict. --RR */
146 switch (reject->with) { 143 switch (reject->with) {
147 case IPT_ICMP_NET_UNREACHABLE: 144 case IPT_ICMP_NET_UNREACHABLE:
148 send_unreach(skb, ICMP_NET_UNREACH); 145 send_unreach(skb, ICMP_NET_UNREACH);
@@ -175,23 +172,23 @@ reject_tg(struct sk_buff *skb, const struct xt_target_param *par)
175 return NF_DROP; 172 return NF_DROP;
176} 173}
177 174
178static bool reject_tg_check(const struct xt_tgchk_param *par) 175static int reject_tg_check(const struct xt_tgchk_param *par)
179{ 176{
180 const struct ipt_reject_info *rejinfo = par->targinfo; 177 const struct ipt_reject_info *rejinfo = par->targinfo;
181 const struct ipt_entry *e = par->entryinfo; 178 const struct ipt_entry *e = par->entryinfo;
182 179
183 if (rejinfo->with == IPT_ICMP_ECHOREPLY) { 180 if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
184 printk("ipt_REJECT: ECHOREPLY no longer supported.\n"); 181 pr_info("ECHOREPLY no longer supported.\n");
185 return false; 182 return -EINVAL;
186 } else if (rejinfo->with == IPT_TCP_RESET) { 183 } else if (rejinfo->with == IPT_TCP_RESET) {
187 /* Must specify that it's a TCP packet */ 184 /* Must specify that it's a TCP packet */
188 if (e->ip.proto != IPPROTO_TCP || 185 if (e->ip.proto != IPPROTO_TCP ||
189 (e->ip.invflags & XT_INV_PROTO)) { 186 (e->ip.invflags & XT_INV_PROTO)) {
190 printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n"); 187 pr_info("TCP_RESET invalid for non-tcp\n");
191 return false; 188 return -EINVAL;
192 } 189 }
193 } 190 }
194 return true; 191 return 0;
195} 192}
196 193
197static struct xt_target reject_tg_reg __read_mostly = { 194static struct xt_target reject_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 0dbe697f164f..8f60749e87a3 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -29,7 +29,7 @@
29 * Specify, after how many hundredths of a second the queue should be 29 * Specify, after how many hundredths of a second the queue should be
30 * flushed even if it is not full yet. 30 * flushed even if it is not full yet.
31 */ 31 */
32 32#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33#include <linux/module.h> 33#include <linux/module.h>
34#include <linux/spinlock.h> 34#include <linux/spinlock.h>
35#include <linux/socket.h> 35#include <linux/socket.h>
@@ -57,8 +57,6 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG);
57#define ULOG_NL_EVENT 111 /* Harald's favorite number */ 57#define ULOG_NL_EVENT 111 /* Harald's favorite number */
58#define ULOG_MAXNLGROUPS 32 /* numer of nlgroups */ 58#define ULOG_MAXNLGROUPS 32 /* numer of nlgroups */
59 59
60#define PRINTR(format, args...) do { if (net_ratelimit()) printk(format , ## args); } while (0)
61
62static unsigned int nlbufsiz = NLMSG_GOODSIZE; 60static unsigned int nlbufsiz = NLMSG_GOODSIZE;
63module_param(nlbufsiz, uint, 0400); 61module_param(nlbufsiz, uint, 0400);
64MODULE_PARM_DESC(nlbufsiz, "netlink buffer size"); 62MODULE_PARM_DESC(nlbufsiz, "netlink buffer size");
@@ -91,12 +89,12 @@ static void ulog_send(unsigned int nlgroupnum)
91 ulog_buff_t *ub = &ulog_buffers[nlgroupnum]; 89 ulog_buff_t *ub = &ulog_buffers[nlgroupnum];
92 90
93 if (timer_pending(&ub->timer)) { 91 if (timer_pending(&ub->timer)) {
94 pr_debug("ipt_ULOG: ulog_send: timer was pending, deleting\n"); 92 pr_debug("ulog_send: timer was pending, deleting\n");
95 del_timer(&ub->timer); 93 del_timer(&ub->timer);
96 } 94 }
97 95
98 if (!ub->skb) { 96 if (!ub->skb) {
99 pr_debug("ipt_ULOG: ulog_send: nothing to send\n"); 97 pr_debug("ulog_send: nothing to send\n");
100 return; 98 return;
101 } 99 }
102 100
@@ -105,7 +103,7 @@ static void ulog_send(unsigned int nlgroupnum)
105 ub->lastnlh->nlmsg_type = NLMSG_DONE; 103 ub->lastnlh->nlmsg_type = NLMSG_DONE;
106 104
107 NETLINK_CB(ub->skb).dst_group = nlgroupnum + 1; 105 NETLINK_CB(ub->skb).dst_group = nlgroupnum + 1;
108 pr_debug("ipt_ULOG: throwing %d packets to netlink group %u\n", 106 pr_debug("throwing %d packets to netlink group %u\n",
109 ub->qlen, nlgroupnum + 1); 107 ub->qlen, nlgroupnum + 1);
110 netlink_broadcast(nflognl, ub->skb, 0, nlgroupnum + 1, GFP_ATOMIC); 108 netlink_broadcast(nflognl, ub->skb, 0, nlgroupnum + 1, GFP_ATOMIC);
111 109
@@ -118,7 +116,7 @@ static void ulog_send(unsigned int nlgroupnum)
118/* timer function to flush queue in flushtimeout time */ 116/* timer function to flush queue in flushtimeout time */
119static void ulog_timer(unsigned long data) 117static void ulog_timer(unsigned long data)
120{ 118{
121 pr_debug("ipt_ULOG: timer function called, calling ulog_send\n"); 119 pr_debug("timer function called, calling ulog_send\n");
122 120
123 /* lock to protect against somebody modifying our structure 121 /* lock to protect against somebody modifying our structure
124 * from ipt_ulog_target at the same time */ 122 * from ipt_ulog_target at the same time */
@@ -139,7 +137,7 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
139 n = max(size, nlbufsiz); 137 n = max(size, nlbufsiz);
140 skb = alloc_skb(n, GFP_ATOMIC); 138 skb = alloc_skb(n, GFP_ATOMIC);
141 if (!skb) { 139 if (!skb) {
142 PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n", n); 140 pr_debug("cannot alloc whole buffer %ub!\n", n);
143 141
144 if (n > size) { 142 if (n > size) {
145 /* try to allocate only as much as we need for 143 /* try to allocate only as much as we need for
@@ -147,8 +145,7 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
147 145
148 skb = alloc_skb(size, GFP_ATOMIC); 146 skb = alloc_skb(size, GFP_ATOMIC);
149 if (!skb) 147 if (!skb)
150 PRINTR("ipt_ULOG: can't even allocate %ub\n", 148 pr_debug("cannot even allocate %ub\n", size);
151 size);
152 } 149 }
153 } 150 }
154 151
@@ -199,8 +196,7 @@ static void ipt_ulog_packet(unsigned int hooknum,
199 goto alloc_failure; 196 goto alloc_failure;
200 } 197 }
201 198
202 pr_debug("ipt_ULOG: qlen %d, qthreshold %Zu\n", ub->qlen, 199 pr_debug("qlen %d, qthreshold %Zu\n", ub->qlen, loginfo->qthreshold);
203 loginfo->qthreshold);
204 200
205 /* NLMSG_PUT contains a hidden goto nlmsg_failure !!! */ 201 /* NLMSG_PUT contains a hidden goto nlmsg_failure !!! */
206 nlh = NLMSG_PUT(ub->skb, 0, ub->qlen, ULOG_NL_EVENT, 202 nlh = NLMSG_PUT(ub->skb, 0, ub->qlen, ULOG_NL_EVENT,
@@ -273,11 +269,9 @@ static void ipt_ulog_packet(unsigned int hooknum,
273 return; 269 return;
274 270
275nlmsg_failure: 271nlmsg_failure:
276 PRINTR("ipt_ULOG: error during NLMSG_PUT\n"); 272 pr_debug("error during NLMSG_PUT\n");
277
278alloc_failure: 273alloc_failure:
279 PRINTR("ipt_ULOG: Error building netlink message\n"); 274 pr_debug("Error building netlink message\n");
280
281 spin_unlock_bh(&ulog_lock); 275 spin_unlock_bh(&ulog_lock);
282} 276}
283 277
@@ -314,21 +308,20 @@ static void ipt_logfn(u_int8_t pf,
314 ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix); 308 ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
315} 309}
316 310
317static bool ulog_tg_check(const struct xt_tgchk_param *par) 311static int ulog_tg_check(const struct xt_tgchk_param *par)
318{ 312{
319 const struct ipt_ulog_info *loginfo = par->targinfo; 313 const struct ipt_ulog_info *loginfo = par->targinfo;
320 314
321 if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') { 315 if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
322 pr_debug("ipt_ULOG: prefix term %i\n", 316 pr_debug("prefix not null-terminated\n");
323 loginfo->prefix[sizeof(loginfo->prefix) - 1]); 317 return -EINVAL;
324 return false;
325 } 318 }
326 if (loginfo->qthreshold > ULOG_MAX_QLEN) { 319 if (loginfo->qthreshold > ULOG_MAX_QLEN) {
327 pr_debug("ipt_ULOG: queue threshold %Zu > MAX_QLEN\n", 320 pr_debug("queue threshold %Zu > MAX_QLEN\n",
328 loginfo->qthreshold); 321 loginfo->qthreshold);
329 return false; 322 return -EINVAL;
330 } 323 }
331 return true; 324 return 0;
332} 325}
333 326
334#ifdef CONFIG_COMPAT 327#ifdef CONFIG_COMPAT
@@ -390,10 +383,10 @@ static int __init ulog_tg_init(void)
390{ 383{
391 int ret, i; 384 int ret, i;
392 385
393 pr_debug("ipt_ULOG: init module\n"); 386 pr_debug("init module\n");
394 387
395 if (nlbufsiz > 128*1024) { 388 if (nlbufsiz > 128*1024) {
396 printk("Netlink buffer has to be <= 128kB\n"); 389 pr_warning("Netlink buffer has to be <= 128kB\n");
397 return -EINVAL; 390 return -EINVAL;
398 } 391 }
399 392
@@ -423,7 +416,7 @@ static void __exit ulog_tg_exit(void)
423 ulog_buff_t *ub; 416 ulog_buff_t *ub;
424 int i; 417 int i;
425 418
426 pr_debug("ipt_ULOG: cleanup_module\n"); 419 pr_debug("cleanup_module\n");
427 420
428 if (nflog) 421 if (nflog)
429 nf_log_unregister(&ipt_ulog_logger); 422 nf_log_unregister(&ipt_ulog_logger);
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 3b216be3bc9f..e4b8f2bf8aaa 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -8,7 +8,7 @@
8 * it under the terms of the GNU General Public License version 2 as 8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation. 9 * published by the Free Software Foundation.
10 */ 10 */
11 11#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12#include <linux/kernel.h> 12#include <linux/kernel.h>
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/skbuff.h> 14#include <linux/skbuff.h>
@@ -70,34 +70,34 @@ addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
70 return ret; 70 return ret;
71} 71}
72 72
73static bool addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par) 73static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
74{ 74{
75 struct ipt_addrtype_info_v1 *info = par->matchinfo; 75 struct ipt_addrtype_info_v1 *info = par->matchinfo;
76 76
77 if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN && 77 if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
78 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { 78 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
79 printk(KERN_ERR "ipt_addrtype: both incoming and outgoing " 79 pr_info("both incoming and outgoing "
80 "interface limitation cannot be selected\n"); 80 "interface limitation cannot be selected\n");
81 return false; 81 return -EINVAL;
82 } 82 }
83 83
84 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) | 84 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
85 (1 << NF_INET_LOCAL_IN)) && 85 (1 << NF_INET_LOCAL_IN)) &&
86 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) { 86 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
87 printk(KERN_ERR "ipt_addrtype: output interface limitation " 87 pr_info("output interface limitation "
88 "not valid in PRE_ROUTING and INPUT\n"); 88 "not valid in PREROUTING and INPUT\n");
89 return false; 89 return -EINVAL;
90 } 90 }
91 91
92 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) | 92 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
93 (1 << NF_INET_LOCAL_OUT)) && 93 (1 << NF_INET_LOCAL_OUT)) &&
94 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) { 94 info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
95 printk(KERN_ERR "ipt_addrtype: input interface limitation " 95 pr_info("input interface limitation "
96 "not valid in POST_ROUTING and OUTPUT\n"); 96 "not valid in POSTROUTING and OUTPUT\n");
97 return false; 97 return -EINVAL;
98 } 98 }
99 99
100 return true; 100 return 0;
101} 101}
102 102
103static struct xt_match addrtype_mt_reg[] __read_mostly = { 103static struct xt_match addrtype_mt_reg[] __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 0104c0b399de..9f9810204892 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -5,7 +5,7 @@
5 * it under the terms of the GNU General Public License version 2 as 5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation. 6 * published by the Free Software Foundation.
7 */ 7 */
8 8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9#include <linux/in.h> 9#include <linux/in.h>
10#include <linux/module.h> 10#include <linux/module.h>
11#include <linux/skbuff.h> 11#include <linux/skbuff.h>
@@ -18,21 +18,15 @@ MODULE_LICENSE("GPL");
18MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>"); 18MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
19MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match"); 19MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
20 20
21#ifdef DEBUG_CONNTRACK
22#define duprintf(format, args...) printk(format , ## args)
23#else
24#define duprintf(format, args...)
25#endif
26
27/* Returns 1 if the spi is matched by the range, 0 otherwise */ 21/* Returns 1 if the spi is matched by the range, 0 otherwise */
28static inline bool 22static inline bool
29spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert) 23spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
30{ 24{
31 bool r; 25 bool r;
32 duprintf("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ', 26 pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
33 min,spi,max); 27 invert ? '!' : ' ', min, spi, max);
34 r=(spi >= min && spi <= max) ^ invert; 28 r=(spi >= min && spi <= max) ^ invert;
35 duprintf(" result %s\n",r? "PASS" : "FAILED"); 29 pr_debug(" result %s\n", r ? "PASS" : "FAILED");
36 return r; 30 return r;
37} 31}
38 32
@@ -51,7 +45,7 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
51 /* We've been asked to examine this packet, and we 45 /* We've been asked to examine this packet, and we
52 * can't. Hence, no choice but to drop. 46 * can't. Hence, no choice but to drop.
53 */ 47 */
54 duprintf("Dropping evil AH tinygram.\n"); 48 pr_debug("Dropping evil AH tinygram.\n");
55 *par->hotdrop = true; 49 *par->hotdrop = true;
56 return 0; 50 return 0;
57 } 51 }
@@ -61,16 +55,16 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
61 !!(ahinfo->invflags & IPT_AH_INV_SPI)); 55 !!(ahinfo->invflags & IPT_AH_INV_SPI));
62} 56}
63 57
64static bool ah_mt_check(const struct xt_mtchk_param *par) 58static int ah_mt_check(const struct xt_mtchk_param *par)
65{ 59{
66 const struct ipt_ah *ahinfo = par->matchinfo; 60 const struct ipt_ah *ahinfo = par->matchinfo;
67 61
68 /* Must specify no unknown invflags */ 62 /* Must specify no unknown invflags */
69 if (ahinfo->invflags & ~IPT_AH_INV_MASK) { 63 if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
70 duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags); 64 pr_debug("unknown flags %X\n", ahinfo->invflags);
71 return false; 65 return -EINVAL;
72 } 66 }
73 return true; 67 return 0;
74} 68}
75 69
76static struct xt_match ah_mt_reg __read_mostly = { 70static struct xt_match ah_mt_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 2a1e56b71908..32e24100d8d1 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/in.h> 10#include <linux/in.h>
11#include <linux/ip.h> 11#include <linux/ip.h>
12#include <net/ip.h> 12#include <net/ip.h>
@@ -85,25 +85,24 @@ static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
85 return true; 85 return true;
86} 86}
87 87
88static bool ecn_mt_check(const struct xt_mtchk_param *par) 88static int ecn_mt_check(const struct xt_mtchk_param *par)
89{ 89{
90 const struct ipt_ecn_info *info = par->matchinfo; 90 const struct ipt_ecn_info *info = par->matchinfo;
91 const struct ipt_ip *ip = par->entryinfo; 91 const struct ipt_ip *ip = par->entryinfo;
92 92
93 if (info->operation & IPT_ECN_OP_MATCH_MASK) 93 if (info->operation & IPT_ECN_OP_MATCH_MASK)
94 return false; 94 return -EINVAL;
95 95
96 if (info->invert & IPT_ECN_OP_MATCH_MASK) 96 if (info->invert & IPT_ECN_OP_MATCH_MASK)
97 return false; 97 return -EINVAL;
98 98
99 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) && 99 if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
100 ip->proto != IPPROTO_TCP) { 100 ip->proto != IPPROTO_TCP) {
101 printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for" 101 pr_info("cannot match TCP bits in rule for non-tcp packets\n");
102 " non-tcp packets\n"); 102 return -EINVAL;
103 return false;
104 } 103 }
105 104
106 return true; 105 return 0;
107} 106}
108 107
109static struct xt_match ecn_mt_reg __read_mostly = { 108static struct xt_match ecn_mt_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 2fb7b76da94f..244f7cb08d68 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -336,12 +336,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
336 const struct ip_conntrack_stat *st = v; 336 const struct ip_conntrack_stat *st = v;
337 337
338 if (v == SEQ_START_TOKEN) { 338 if (v == SEQ_START_TOKEN) {
339 seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete\n"); 339 seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n");
340 return 0; 340 return 0;
341 } 341 }
342 342
343 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 343 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
344 "%08x %08x %08x %08x %08x %08x %08x %08x \n", 344 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
345 nr_conntracks, 345 nr_conntracks,
346 st->searched, 346 st->searched,
347 st->found, 347 st->found,
@@ -358,7 +358,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
358 358
359 st->expect_new, 359 st->expect_new,
360 st->expect_create, 360 st->expect_create,
361 st->expect_delete 361 st->expect_delete,
362 st->search_restart
362 ); 363 );
363 return 0; 364 return 0;
364} 365}
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index 7e8e6fc75413..d4c061874f8f 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -10,7 +10,6 @@
10 */ 10 */
11 11
12#include <linux/module.h> 12#include <linux/module.h>
13#include <linux/moduleparam.h>
14#include <linux/tcp.h> 13#include <linux/tcp.h>
15#include <net/tcp.h> 14#include <net/tcp.h>
16 15
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 26de2c1f7fab..b48a0fc3d9ed 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -7,6 +7,7 @@
7 */ 7 */
8 8
9/* Everything about the rules for NAT. */ 9/* Everything about the rules for NAT. */
10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/types.h> 11#include <linux/types.h>
11#include <linux/ip.h> 12#include <linux/ip.h>
12#include <linux/netfilter.h> 13#include <linux/netfilter.h>
@@ -74,28 +75,28 @@ ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
74 return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST); 75 return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST);
75} 76}
76 77
77static bool ipt_snat_checkentry(const struct xt_tgchk_param *par) 78static int ipt_snat_checkentry(const struct xt_tgchk_param *par)
78{ 79{
79 const struct nf_nat_multi_range_compat *mr = par->targinfo; 80 const struct nf_nat_multi_range_compat *mr = par->targinfo;
80 81
81 /* Must be a valid range */ 82 /* Must be a valid range */
82 if (mr->rangesize != 1) { 83 if (mr->rangesize != 1) {
83 printk("SNAT: multiple ranges no longer supported\n"); 84 pr_info("SNAT: multiple ranges no longer supported\n");
84 return false; 85 return -EINVAL;
85 } 86 }
86 return true; 87 return 0;
87} 88}
88 89
89static bool ipt_dnat_checkentry(const struct xt_tgchk_param *par) 90static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
90{ 91{
91 const struct nf_nat_multi_range_compat *mr = par->targinfo; 92 const struct nf_nat_multi_range_compat *mr = par->targinfo;
92 93
93 /* Must be a valid range */ 94 /* Must be a valid range */
94 if (mr->rangesize != 1) { 95 if (mr->rangesize != 1) {
95 printk("DNAT: multiple ranges no longer supported\n"); 96 pr_info("DNAT: multiple ranges no longer supported\n");
96 return false; 97 return -EINVAL;
97 } 98 }
98 return true; 99 return 0;
99} 100}
100 101
101unsigned int 102unsigned int
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index c39c9cf6bee6..84c7974f5830 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -138,9 +138,8 @@ nf_nat_fn(unsigned int hooknum,
138 ret = nf_nat_rule_find(skb, hooknum, in, out, 138 ret = nf_nat_rule_find(skb, hooknum, in, out,
139 ct); 139 ct);
140 140
141 if (ret != NF_ACCEPT) { 141 if (ret != NF_ACCEPT)
142 return ret; 142 return ret;
143 }
144 } else 143 } else
145 pr_debug("Already setup manip %s for ct %p\n", 144 pr_debug("Already setup manip %s for ct %p\n",
146 maniptype == IP_NAT_MANIP_SRC ? "SRC" : "DST", 145 maniptype == IP_NAT_MANIP_SRC ? "SRC" : "DST",
diff --git a/net/ipv4/netfilter/nf_nat_tftp.c b/net/ipv4/netfilter/nf_nat_tftp.c
index b096e81500ae..7274a43c7a12 100644
--- a/net/ipv4/netfilter/nf_nat_tftp.c
+++ b/net/ipv4/netfilter/nf_nat_tftp.c
@@ -6,7 +6,6 @@
6 */ 6 */
7 7
8#include <linux/module.h> 8#include <linux/module.h>
9#include <linux/moduleparam.h>
10#include <linux/udp.h> 9#include <linux/udp.h>
11 10
12#include <net/netfilter/nf_nat_helper.h> 11#include <net/netfilter/nf_nat_helper.h>
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 52ef5af78a45..2c7a1639388a 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -381,8 +381,8 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
381 icmp_out_count(net, ((struct icmphdr *) 381 icmp_out_count(net, ((struct icmphdr *)
382 skb_transport_header(skb))->type); 382 skb_transport_header(skb))->type);
383 383
384 err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev, 384 err = NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL,
385 dst_output); 385 rt->u.dst.dev, dst_output);
386 if (err > 0) 386 if (err > 0)
387 err = net_xmit_errno(err); 387 err = net_xmit_errno(err);
388 if (err) 388 if (err)
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index c791bb63203f..abcd7ed65db1 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -61,7 +61,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
61 iph->tot_len = htons(skb->len); 61 iph->tot_len = htons(skb->len);
62 ip_send_check(iph); 62 ip_send_check(iph);
63 63
64 NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, 64 NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
65 xfrm4_rcv_encap_finish); 65 xfrm4_rcv_encap_finish);
66 return 0; 66 return 0;
67} 67}
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index c908bd99bcba..571aa96a175c 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -86,7 +86,7 @@ static int xfrm4_output_finish(struct sk_buff *skb)
86 86
87int xfrm4_output(struct sk_buff *skb) 87int xfrm4_output(struct sk_buff *skb)
88{ 88{
89 return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, 89 return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb,
90 NULL, skb_dst(skb)->dev, xfrm4_output_finish, 90 NULL, skb_dst(skb)->dev, xfrm4_output_finish,
91 !(IPCB(skb)->flags & IPSKB_REROUTED)); 91 !(IPCB(skb)->flags & IPSKB_REROUTED));
92} 92}
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 6aa7ee1295c2..a83e9209cecc 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -143,7 +143,7 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
143 /* Must drop socket now because of tproxy. */ 143 /* Must drop socket now because of tproxy. */
144 skb_orphan(skb); 144 skb_orphan(skb);
145 145
146 return NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, dev, NULL, 146 return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, dev, NULL,
147 ip6_rcv_finish); 147 ip6_rcv_finish);
148err: 148err:
149 IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INHDRERRORS); 149 IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INHDRERRORS);
@@ -236,7 +236,7 @@ discard:
236 236
237int ip6_input(struct sk_buff *skb) 237int ip6_input(struct sk_buff *skb)
238{ 238{
239 return NF_HOOK(PF_INET6, NF_INET_LOCAL_IN, skb, skb->dev, NULL, 239 return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
240 ip6_input_finish); 240 ip6_input_finish);
241} 241}
242 242
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index e7a5f17d5e95..5173acaeb501 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -67,8 +67,8 @@ int __ip6_local_out(struct sk_buff *skb)
67 len = 0; 67 len = 0;
68 ipv6_hdr(skb)->payload_len = htons(len); 68 ipv6_hdr(skb)->payload_len = htons(len);
69 69
70 return nf_hook(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev, 70 return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
71 dst_output); 71 skb_dst(skb)->dev, dst_output);
72} 72}
73 73
74int ip6_local_out(struct sk_buff *skb) 74int ip6_local_out(struct sk_buff *skb)
@@ -83,22 +83,6 @@ int ip6_local_out(struct sk_buff *skb)
83} 83}
84EXPORT_SYMBOL_GPL(ip6_local_out); 84EXPORT_SYMBOL_GPL(ip6_local_out);
85 85
86static int ip6_output_finish(struct sk_buff *skb)
87{
88 struct dst_entry *dst = skb_dst(skb);
89
90 if (dst->hh)
91 return neigh_hh_output(dst->hh, skb);
92 else if (dst->neighbour)
93 return dst->neighbour->output(skb);
94
95 IP6_INC_STATS_BH(dev_net(dst->dev),
96 ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
97 kfree_skb(skb);
98 return -EINVAL;
99
100}
101
102/* dev_loopback_xmit for use with netfilter. */ 86/* dev_loopback_xmit for use with netfilter. */
103static int ip6_dev_loopback_xmit(struct sk_buff *newskb) 87static int ip6_dev_loopback_xmit(struct sk_buff *newskb)
104{ 88{
@@ -112,8 +96,7 @@ static int ip6_dev_loopback_xmit(struct sk_buff *newskb)
112 return 0; 96 return 0;
113} 97}
114 98
115 99static int ip6_finish_output2(struct sk_buff *skb)
116static int ip6_output2(struct sk_buff *skb)
117{ 100{
118 struct dst_entry *dst = skb_dst(skb); 101 struct dst_entry *dst = skb_dst(skb);
119 struct net_device *dev = dst->dev; 102 struct net_device *dev = dst->dev;
@@ -135,8 +118,8 @@ static int ip6_output2(struct sk_buff *skb)
135 is not supported in any case. 118 is not supported in any case.
136 */ 119 */
137 if (newskb) 120 if (newskb)
138 NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, newskb, 121 NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING,
139 NULL, newskb->dev, 122 newskb, NULL, newskb->dev,
140 ip6_dev_loopback_xmit); 123 ip6_dev_loopback_xmit);
141 124
142 if (ipv6_hdr(skb)->hop_limit == 0) { 125 if (ipv6_hdr(skb)->hop_limit == 0) {
@@ -151,8 +134,15 @@ static int ip6_output2(struct sk_buff *skb)
151 skb->len); 134 skb->len);
152 } 135 }
153 136
154 return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb->dev, 137 if (dst->hh)
155 ip6_output_finish); 138 return neigh_hh_output(dst->hh, skb);
139 else if (dst->neighbour)
140 return dst->neighbour->output(skb);
141
142 IP6_INC_STATS_BH(dev_net(dst->dev),
143 ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
144 kfree_skb(skb);
145 return -EINVAL;
156} 146}
157 147
158static inline int ip6_skb_dst_mtu(struct sk_buff *skb) 148static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
@@ -163,21 +153,29 @@ static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
163 skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb)); 153 skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
164} 154}
165 155
156static int ip6_finish_output(struct sk_buff *skb)
157{
158 if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
159 dst_allfrag(skb_dst(skb)))
160 return ip6_fragment(skb, ip6_finish_output2);
161 else
162 return ip6_finish_output2(skb);
163}
164
166int ip6_output(struct sk_buff *skb) 165int ip6_output(struct sk_buff *skb)
167{ 166{
167 struct net_device *dev = skb_dst(skb)->dev;
168 struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb)); 168 struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
169 if (unlikely(idev->cnf.disable_ipv6)) { 169 if (unlikely(idev->cnf.disable_ipv6)) {
170 IP6_INC_STATS(dev_net(skb_dst(skb)->dev), idev, 170 IP6_INC_STATS(dev_net(dev), idev,
171 IPSTATS_MIB_OUTDISCARDS); 171 IPSTATS_MIB_OUTDISCARDS);
172 kfree_skb(skb); 172 kfree_skb(skb);
173 return 0; 173 return 0;
174 } 174 }
175 175
176 if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) || 176 return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL, dev,
177 dst_allfrag(skb_dst(skb))) 177 ip6_finish_output,
178 return ip6_fragment(skb, ip6_output2); 178 !(IP6CB(skb)->flags & IP6SKB_REROUTED));
179 else
180 return ip6_output2(skb);
181} 179}
182 180
183/* 181/*
@@ -256,8 +254,8 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
256 if ((skb->len <= mtu) || skb->local_df || skb_is_gso(skb)) { 254 if ((skb->len <= mtu) || skb->local_df || skb_is_gso(skb)) {
257 IP6_UPD_PO_STATS(net, ip6_dst_idev(skb_dst(skb)), 255 IP6_UPD_PO_STATS(net, ip6_dst_idev(skb_dst(skb)),
258 IPSTATS_MIB_OUT, skb->len); 256 IPSTATS_MIB_OUT, skb->len);
259 return NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev, 257 return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
260 dst_output); 258 dst->dev, dst_output);
261 } 259 }
262 260
263 if (net_ratelimit()) 261 if (net_ratelimit())
@@ -533,7 +531,7 @@ int ip6_forward(struct sk_buff *skb)
533 hdr->hop_limit--; 531 hdr->hop_limit--;
534 532
535 IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS); 533 IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
536 return NF_HOOK(PF_INET6, NF_INET_FORWARD, skb, skb->dev, dst->dev, 534 return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
537 ip6_forward_finish); 535 ip6_forward_finish);
538 536
539error: 537error:
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 3e333268db89..e0b530ca394c 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1570,7 +1570,7 @@ static int ip6mr_forward2(struct sk_buff *skb, struct mfc6_cache *c, int vifi)
1570 1570
1571 IP6CB(skb)->flags |= IP6SKB_FORWARDED; 1571 IP6CB(skb)->flags |= IP6SKB_FORWARDED;
1572 1572
1573 return NF_HOOK(PF_INET6, NF_INET_FORWARD, skb, skb->dev, dev, 1573 return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, skb, skb->dev, dev,
1574 ip6mr_forward2_finish); 1574 ip6mr_forward2_finish);
1575 1575
1576out_free: 1576out_free:
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 006aee683a0f..59f1881968c7 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1428,7 +1428,7 @@ static void mld_sendpack(struct sk_buff *skb)
1428 1428
1429 payload_len = skb->len; 1429 payload_len = skb->len;
1430 1430
1431 err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev, 1431 err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
1432 dst_output); 1432 dst_output);
1433out: 1433out:
1434 if (!err) { 1434 if (!err) {
@@ -1793,7 +1793,7 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type)
1793 goto err_out; 1793 goto err_out;
1794 1794
1795 skb_dst_set(skb, dst); 1795 skb_dst_set(skb, dst);
1796 err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev, 1796 err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
1797 dst_output); 1797 dst_output);
1798out: 1798out:
1799 if (!err) { 1799 if (!err) {
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index da0a4d2adc69..3f7c12b70a26 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -536,7 +536,7 @@ void ndisc_send_skb(struct sk_buff *skb,
536 idev = in6_dev_get(dst->dev); 536 idev = in6_dev_get(dst->dev);
537 IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len); 537 IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
538 538
539 err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev, 539 err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
540 dst_output); 540 dst_output);
541 if (!err) { 541 if (!err) {
542 ICMP6MSGOUT_INC_STATS(net, idev, type); 542 ICMP6MSGOUT_INC_STATS(net, idev, type);
@@ -1618,7 +1618,7 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh,
1618 skb_dst_set(buff, dst); 1618 skb_dst_set(buff, dst);
1619 idev = in6_dev_get(dst->dev); 1619 idev = in6_dev_get(dst->dev);
1620 IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len); 1620 IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
1621 err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, buff, NULL, dst->dev, 1621 err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, buff, NULL, dst->dev,
1622 dst_output); 1622 dst_output);
1623 if (!err) { 1623 if (!err) {
1624 ICMP6MSGOUT_INC_STATS(net, idev, NDISC_REDIRECT); 1624 ICMP6MSGOUT_INC_STATS(net, idev, NDISC_REDIRECT);
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index d5ed92b14346..a74951c039b6 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -25,20 +25,6 @@ int ip6_route_me_harder(struct sk_buff *skb)
25 }; 25 };
26 26
27 dst = ip6_route_output(net, skb->sk, &fl); 27 dst = ip6_route_output(net, skb->sk, &fl);
28
29#ifdef CONFIG_XFRM
30 if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
31 xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
32 struct dst_entry *dst2 = skb_dst(skb);
33
34 if (xfrm_lookup(net, &dst2, &fl, skb->sk, 0)) {
35 skb_dst_set(skb, NULL);
36 return -1;
37 }
38 skb_dst_set(skb, dst2);
39 }
40#endif
41
42 if (dst->error) { 28 if (dst->error) {
43 IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES); 29 IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
44 LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n"); 30 LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
@@ -50,6 +36,17 @@ int ip6_route_me_harder(struct sk_buff *skb)
50 skb_dst_drop(skb); 36 skb_dst_drop(skb);
51 37
52 skb_dst_set(skb, dst); 38 skb_dst_set(skb, dst);
39
40#ifdef CONFIG_XFRM
41 if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
42 xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
43 skb_dst_set(skb, NULL);
44 if (xfrm_lookup(net, &dst, &fl, skb->sk, 0))
45 return -1;
46 skb_dst_set(skb, dst);
47 }
48#endif
49
53 return 0; 50 return 0;
54} 51}
55EXPORT_SYMBOL(ip6_route_me_harder); 52EXPORT_SYMBOL(ip6_route_me_harder);
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 6a68a74d14a3..8656eb75520c 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -162,8 +162,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
162 break; 162 break;
163 163
164 case IPQ_COPY_PACKET: 164 case IPQ_COPY_PACKET:
165 if ((entry->skb->ip_summed == CHECKSUM_PARTIAL || 165 if (entry->skb->ip_summed == CHECKSUM_PARTIAL &&
166 entry->skb->ip_summed == CHECKSUM_COMPLETE) &&
167 (*errp = skb_checksum_help(entry->skb))) { 166 (*errp = skb_checksum_help(entry->skb))) {
168 read_unlock_bh(&queue_lock); 167 read_unlock_bh(&queue_lock);
169 return NULL; 168 return NULL;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 9210e312edf1..7afa11773164 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -40,13 +40,13 @@ MODULE_DESCRIPTION("IPv6 packet filter");
40/*#define DEBUG_IP_FIREWALL_USER*/ 40/*#define DEBUG_IP_FIREWALL_USER*/
41 41
42#ifdef DEBUG_IP_FIREWALL 42#ifdef DEBUG_IP_FIREWALL
43#define dprintf(format, args...) printk(format , ## args) 43#define dprintf(format, args...) pr_info(format , ## args)
44#else 44#else
45#define dprintf(format, args...) 45#define dprintf(format, args...)
46#endif 46#endif
47 47
48#ifdef DEBUG_IP_FIREWALL_USER 48#ifdef DEBUG_IP_FIREWALL_USER
49#define duprintf(format, args...) printk(format , ## args) 49#define duprintf(format, args...) pr_info(format , ## args)
50#else 50#else
51#define duprintf(format, args...) 51#define duprintf(format, args...)
52#endif 52#endif
@@ -200,8 +200,7 @@ static unsigned int
200ip6t_error(struct sk_buff *skb, const struct xt_target_param *par) 200ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
201{ 201{
202 if (net_ratelimit()) 202 if (net_ratelimit())
203 printk("ip6_tables: error: `%s'\n", 203 pr_info("error: `%s'\n", (const char *)par->targinfo);
204 (const char *)par->targinfo);
205 204
206 return NF_DROP; 205 return NF_DROP;
207} 206}
@@ -352,15 +351,14 @@ ip6t_do_table(struct sk_buff *skb,
352 const struct net_device *out, 351 const struct net_device *out,
353 struct xt_table *table) 352 struct xt_table *table)
354{ 353{
355#define tb_comefrom ((struct ip6t_entry *)table_base)->comefrom
356
357 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long)))); 354 static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
358 bool hotdrop = false; 355 bool hotdrop = false;
359 /* Initializing verdict to NF_DROP keeps gcc happy. */ 356 /* Initializing verdict to NF_DROP keeps gcc happy. */
360 unsigned int verdict = NF_DROP; 357 unsigned int verdict = NF_DROP;
361 const char *indev, *outdev; 358 const char *indev, *outdev;
362 const void *table_base; 359 const void *table_base;
363 struct ip6t_entry *e, *back; 360 struct ip6t_entry *e, **jumpstack;
361 unsigned int *stackptr, origptr, cpu;
364 const struct xt_table_info *private; 362 const struct xt_table_info *private;
365 struct xt_match_param mtpar; 363 struct xt_match_param mtpar;
366 struct xt_target_param tgpar; 364 struct xt_target_param tgpar;
@@ -384,19 +382,19 @@ ip6t_do_table(struct sk_buff *skb,
384 382
385 xt_info_rdlock_bh(); 383 xt_info_rdlock_bh();
386 private = table->private; 384 private = table->private;
387 table_base = private->entries[smp_processor_id()]; 385 cpu = smp_processor_id();
386 table_base = private->entries[cpu];
387 jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
388 stackptr = &private->stackptr[cpu];
389 origptr = *stackptr;
388 390
389 e = get_entry(table_base, private->hook_entry[hook]); 391 e = get_entry(table_base, private->hook_entry[hook]);
390 392
391 /* For return from builtin chain */
392 back = get_entry(table_base, private->underflow[hook]);
393
394 do { 393 do {
395 const struct ip6t_entry_target *t; 394 const struct ip6t_entry_target *t;
396 const struct xt_entry_match *ematch; 395 const struct xt_entry_match *ematch;
397 396
398 IP_NF_ASSERT(e); 397 IP_NF_ASSERT(e);
399 IP_NF_ASSERT(back);
400 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6, 398 if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
401 &mtpar.thoff, &mtpar.fragoff, &hotdrop)) { 399 &mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
402 no_match: 400 no_match:
@@ -433,41 +431,30 @@ ip6t_do_table(struct sk_buff *skb,
433 verdict = (unsigned)(-v) - 1; 431 verdict = (unsigned)(-v) - 1;
434 break; 432 break;
435 } 433 }
436 e = back; 434 if (*stackptr == 0)
437 back = get_entry(table_base, back->comefrom); 435 e = get_entry(table_base,
436 private->underflow[hook]);
437 else
438 e = ip6t_next_entry(jumpstack[--*stackptr]);
438 continue; 439 continue;
439 } 440 }
440 if (table_base + v != ip6t_next_entry(e) && 441 if (table_base + v != ip6t_next_entry(e) &&
441 !(e->ipv6.flags & IP6T_F_GOTO)) { 442 !(e->ipv6.flags & IP6T_F_GOTO)) {
442 /* Save old back ptr in next entry */ 443 if (*stackptr >= private->stacksize) {
443 struct ip6t_entry *next = ip6t_next_entry(e); 444 verdict = NF_DROP;
444 next->comefrom = (void *)back - table_base; 445 break;
445 /* set back pointer to next entry */ 446 }
446 back = next; 447 jumpstack[(*stackptr)++] = e;
447 } 448 }
448 449
449 e = get_entry(table_base, v); 450 e = get_entry(table_base, v);
450 continue; 451 continue;
451 } 452 }
452 453
453 /* Targets which reenter must return
454 abs. verdicts */
455 tgpar.target = t->u.kernel.target; 454 tgpar.target = t->u.kernel.target;
456 tgpar.targinfo = t->data; 455 tgpar.targinfo = t->data;
457 456
458#ifdef CONFIG_NETFILTER_DEBUG
459 tb_comefrom = 0xeeeeeeec;
460#endif
461 verdict = t->u.kernel.target->target(skb, &tgpar); 457 verdict = t->u.kernel.target->target(skb, &tgpar);
462
463#ifdef CONFIG_NETFILTER_DEBUG
464 if (tb_comefrom != 0xeeeeeeec && verdict == IP6T_CONTINUE) {
465 printk("Target %s reentered!\n",
466 t->u.kernel.target->name);
467 verdict = NF_DROP;
468 }
469 tb_comefrom = 0x57acc001;
470#endif
471 if (verdict == IP6T_CONTINUE) 458 if (verdict == IP6T_CONTINUE)
472 e = ip6t_next_entry(e); 459 e = ip6t_next_entry(e);
473 else 460 else
@@ -475,10 +462,8 @@ ip6t_do_table(struct sk_buff *skb,
475 break; 462 break;
476 } while (!hotdrop); 463 } while (!hotdrop);
477 464
478#ifdef CONFIG_NETFILTER_DEBUG
479 tb_comefrom = NETFILTER_LINK_POISON;
480#endif
481 xt_info_rdunlock_bh(); 465 xt_info_rdunlock_bh();
466 *stackptr = origptr;
482 467
483#ifdef DEBUG_ALLOW_ALL 468#ifdef DEBUG_ALLOW_ALL
484 return NF_ACCEPT; 469 return NF_ACCEPT;
@@ -487,8 +472,6 @@ ip6t_do_table(struct sk_buff *skb,
487 return NF_DROP; 472 return NF_DROP;
488 else return verdict; 473 else return verdict;
489#endif 474#endif
490
491#undef tb_comefrom
492} 475}
493 476
494/* Figures out from what hook each rule can be called: returns 0 if 477/* Figures out from what hook each rule can be called: returns 0 if
@@ -661,12 +644,11 @@ find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
661 struct xt_match *match; 644 struct xt_match *match;
662 int ret; 645 int ret;
663 646
664 match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name, 647 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
665 m->u.user.revision), 648 m->u.user.revision);
666 "ip6t_%s", m->u.user.name); 649 if (IS_ERR(match)) {
667 if (IS_ERR(match) || !match) {
668 duprintf("find_check_match: `%s' not found\n", m->u.user.name); 650 duprintf("find_check_match: `%s' not found\n", m->u.user.name);
669 return match ? PTR_ERR(match) : -ENOENT; 651 return PTR_ERR(match);
670 } 652 }
671 m->u.kernel.match = match; 653 m->u.kernel.match = match;
672 654
@@ -734,13 +716,11 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
734 } 716 }
735 717
736 t = ip6t_get_target(e); 718 t = ip6t_get_target(e);
737 target = try_then_request_module(xt_find_target(AF_INET6, 719 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
738 t->u.user.name, 720 t->u.user.revision);
739 t->u.user.revision), 721 if (IS_ERR(target)) {
740 "ip6t_%s", t->u.user.name);
741 if (IS_ERR(target) || !target) {
742 duprintf("find_check_entry: `%s' not found\n", t->u.user.name); 722 duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
743 ret = target ? PTR_ERR(target) : -ENOENT; 723 ret = PTR_ERR(target);
744 goto cleanup_matches; 724 goto cleanup_matches;
745 } 725 }
746 t->u.kernel.target = target; 726 t->u.kernel.target = target;
@@ -873,6 +853,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
873 if (ret != 0) 853 if (ret != 0)
874 return ret; 854 return ret;
875 ++i; 855 ++i;
856 if (strcmp(ip6t_get_target(iter)->u.user.name,
857 XT_ERROR_TARGET) == 0)
858 ++newinfo->stacksize;
876 } 859 }
877 860
878 if (i != repl->num_entries) { 861 if (i != repl->num_entries) {
@@ -1509,13 +1492,12 @@ compat_find_calc_match(struct ip6t_entry_match *m,
1509{ 1492{
1510 struct xt_match *match; 1493 struct xt_match *match;
1511 1494
1512 match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name, 1495 match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1513 m->u.user.revision), 1496 m->u.user.revision);
1514 "ip6t_%s", m->u.user.name); 1497 if (IS_ERR(match)) {
1515 if (IS_ERR(match) || !match) {
1516 duprintf("compat_check_calc_match: `%s' not found\n", 1498 duprintf("compat_check_calc_match: `%s' not found\n",
1517 m->u.user.name); 1499 m->u.user.name);
1518 return match ? PTR_ERR(match) : -ENOENT; 1500 return PTR_ERR(match);
1519 } 1501 }
1520 m->u.kernel.match = match; 1502 m->u.kernel.match = match;
1521 *size += xt_compat_match_offset(match); 1503 *size += xt_compat_match_offset(match);
@@ -1582,14 +1564,12 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1582 } 1564 }
1583 1565
1584 t = compat_ip6t_get_target(e); 1566 t = compat_ip6t_get_target(e);
1585 target = try_then_request_module(xt_find_target(AF_INET6, 1567 target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1586 t->u.user.name, 1568 t->u.user.revision);
1587 t->u.user.revision), 1569 if (IS_ERR(target)) {
1588 "ip6t_%s", t->u.user.name);
1589 if (IS_ERR(target) || !target) {
1590 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n", 1570 duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1591 t->u.user.name); 1571 t->u.user.name);
1592 ret = target ? PTR_ERR(target) : -ENOENT; 1572 ret = PTR_ERR(target);
1593 goto release_matches; 1573 goto release_matches;
1594 } 1574 }
1595 t->u.kernel.target = target; 1575 t->u.kernel.target = target;
@@ -2127,8 +2107,7 @@ struct xt_table *ip6t_register_table(struct net *net,
2127{ 2107{
2128 int ret; 2108 int ret;
2129 struct xt_table_info *newinfo; 2109 struct xt_table_info *newinfo;
2130 struct xt_table_info bootstrap 2110 struct xt_table_info bootstrap = {0};
2131 = { 0, 0, 0, { 0 }, { 0 }, { } };
2132 void *loc_cpu_entry; 2111 void *loc_cpu_entry;
2133 struct xt_table *new_table; 2112 struct xt_table *new_table;
2134 2113
@@ -2216,12 +2195,12 @@ icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
2216} 2195}
2217 2196
2218/* Called when user tries to insert an entry of this type. */ 2197/* Called when user tries to insert an entry of this type. */
2219static bool icmp6_checkentry(const struct xt_mtchk_param *par) 2198static int icmp6_checkentry(const struct xt_mtchk_param *par)
2220{ 2199{
2221 const struct ip6t_icmp *icmpinfo = par->matchinfo; 2200 const struct ip6t_icmp *icmpinfo = par->matchinfo;
2222 2201
2223 /* Must specify no unknown invflags */ 2202 /* Must specify no unknown invflags */
2224 return !(icmpinfo->invflags & ~IP6T_ICMP_INV); 2203 return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
2225} 2204}
2226 2205
2227/* The built-in targets: standard (NULL) and error. */ 2206/* The built-in targets: standard (NULL) and error. */
@@ -2308,7 +2287,7 @@ static int __init ip6_tables_init(void)
2308 if (ret < 0) 2287 if (ret < 0)
2309 goto err5; 2288 goto err5;
2310 2289
2311 printk(KERN_INFO "ip6_tables: (C) 2000-2006 Netfilter Core Team\n"); 2290 pr_info("(C) 2000-2006 Netfilter Core Team\n");
2312 return 0; 2291 return 0;
2313 2292
2314err5: 2293err5:
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index b285fdf19050..1f47a525f484 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -9,9 +9,8 @@
9 * it under the terms of the GNU General Public License version 2 as 9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation. 10 * published by the Free Software Foundation.
11 */ 11 */
12 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/moduleparam.h>
15#include <linux/skbuff.h> 14#include <linux/skbuff.h>
16#include <linux/if_arp.h> 15#include <linux/if_arp.h>
17#include <linux/ip.h> 16#include <linux/ip.h>
@@ -378,7 +377,7 @@ static struct nf_loginfo default_loginfo = {
378 .type = NF_LOG_TYPE_LOG, 377 .type = NF_LOG_TYPE_LOG,
379 .u = { 378 .u = {
380 .log = { 379 .log = {
381 .level = 0, 380 .level = 5,
382 .logflags = NF_LOG_MASK, 381 .logflags = NF_LOG_MASK,
383 }, 382 },
384 }, 383 },
@@ -452,20 +451,19 @@ log_tg6(struct sk_buff *skb, const struct xt_target_param *par)
452} 451}
453 452
454 453
455static bool log_tg6_check(const struct xt_tgchk_param *par) 454static int log_tg6_check(const struct xt_tgchk_param *par)
456{ 455{
457 const struct ip6t_log_info *loginfo = par->targinfo; 456 const struct ip6t_log_info *loginfo = par->targinfo;
458 457
459 if (loginfo->level >= 8) { 458 if (loginfo->level >= 8) {
460 pr_debug("LOG: level %u >= 8\n", loginfo->level); 459 pr_debug("level %u >= 8\n", loginfo->level);
461 return false; 460 return -EINVAL;
462 } 461 }
463 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') { 462 if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
464 pr_debug("LOG: prefix term %i\n", 463 pr_debug("prefix not null-terminated\n");
465 loginfo->prefix[sizeof(loginfo->prefix)-1]); 464 return -EINVAL;
466 return false;
467 } 465 }
468 return true; 466 return 0;
469} 467}
470 468
471static struct xt_target log_tg6_reg __read_mostly = { 469static struct xt_target log_tg6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 39b50c3768e8..af1d6494ac39 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -14,6 +14,7 @@
14 * as published by the Free Software Foundation; either version 14 * as published by the Free Software Foundation; either version
15 * 2 of the License, or (at your option) any later version. 15 * 2 of the License, or (at your option) any later version.
16 */ 16 */
17#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
17 18
18#include <linux/gfp.h> 19#include <linux/gfp.h>
19#include <linux/module.h> 20#include <linux/module.h>
@@ -50,7 +51,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
50 51
51 if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) || 52 if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
52 (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) { 53 (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) {
53 pr_debug("ip6t_REJECT: addr is not unicast.\n"); 54 pr_debug("addr is not unicast.\n");
54 return; 55 return;
55 } 56 }
56 57
@@ -58,7 +59,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
58 tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto); 59 tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto);
59 60
60 if ((tcphoff < 0) || (tcphoff > oldskb->len)) { 61 if ((tcphoff < 0) || (tcphoff > oldskb->len)) {
61 pr_debug("ip6t_REJECT: Can't get TCP header.\n"); 62 pr_debug("Cannot get TCP header.\n");
62 return; 63 return;
63 } 64 }
64 65
@@ -66,7 +67,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
66 67
67 /* IP header checks: fragment, too short. */ 68 /* IP header checks: fragment, too short. */
68 if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) { 69 if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) {
69 pr_debug("ip6t_REJECT: proto(%d) != IPPROTO_TCP, " 70 pr_debug("proto(%d) != IPPROTO_TCP, "
70 "or too short. otcplen = %d\n", 71 "or too short. otcplen = %d\n",
71 proto, otcplen); 72 proto, otcplen);
72 return; 73 return;
@@ -77,14 +78,14 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
77 78
78 /* No RST for RST. */ 79 /* No RST for RST. */
79 if (otcph.rst) { 80 if (otcph.rst) {
80 pr_debug("ip6t_REJECT: RST is set\n"); 81 pr_debug("RST is set\n");
81 return; 82 return;
82 } 83 }
83 84
84 /* Check checksum. */ 85 /* Check checksum. */
85 if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP, 86 if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
86 skb_checksum(oldskb, tcphoff, otcplen, 0))) { 87 skb_checksum(oldskb, tcphoff, otcplen, 0))) {
87 pr_debug("ip6t_REJECT: TCP checksum is invalid\n"); 88 pr_debug("TCP checksum is invalid\n");
88 return; 89 return;
89 } 90 }
90 91
@@ -108,7 +109,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
108 109
109 if (!nskb) { 110 if (!nskb) {
110 if (net_ratelimit()) 111 if (net_ratelimit())
111 printk("ip6t_REJECT: Can't alloc skb\n"); 112 pr_debug("cannot alloc skb\n");
112 dst_release(dst); 113 dst_release(dst);
113 return; 114 return;
114 } 115 }
@@ -180,9 +181,6 @@ reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
180 struct net *net = dev_net((par->in != NULL) ? par->in : par->out); 181 struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
181 182
182 pr_debug("%s: medium point\n", __func__); 183 pr_debug("%s: medium point\n", __func__);
183 /* WARNING: This code causes reentry within ip6tables.
184 This means that the ip6tables jump stack is now crap. We
185 must return an absolute verdict. --RR */
186 switch (reject->with) { 184 switch (reject->with) {
187 case IP6T_ICMP6_NO_ROUTE: 185 case IP6T_ICMP6_NO_ROUTE:
188 send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum); 186 send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum);
@@ -207,30 +205,30 @@ reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
207 break; 205 break;
208 default: 206 default:
209 if (net_ratelimit()) 207 if (net_ratelimit())
210 printk(KERN_WARNING "ip6t_REJECT: case %u not handled yet\n", reject->with); 208 pr_info("case %u not handled yet\n", reject->with);
211 break; 209 break;
212 } 210 }
213 211
214 return NF_DROP; 212 return NF_DROP;
215} 213}
216 214
217static bool reject_tg6_check(const struct xt_tgchk_param *par) 215static int reject_tg6_check(const struct xt_tgchk_param *par)
218{ 216{
219 const struct ip6t_reject_info *rejinfo = par->targinfo; 217 const struct ip6t_reject_info *rejinfo = par->targinfo;
220 const struct ip6t_entry *e = par->entryinfo; 218 const struct ip6t_entry *e = par->entryinfo;
221 219
222 if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) { 220 if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
223 printk("ip6t_REJECT: ECHOREPLY is not supported.\n"); 221 pr_info("ECHOREPLY is not supported.\n");
224 return false; 222 return -EINVAL;
225 } else if (rejinfo->with == IP6T_TCP_RESET) { 223 } else if (rejinfo->with == IP6T_TCP_RESET) {
226 /* Must specify that it's a TCP packet */ 224 /* Must specify that it's a TCP packet */
227 if (e->ipv6.proto != IPPROTO_TCP || 225 if (e->ipv6.proto != IPPROTO_TCP ||
228 (e->ipv6.invflags & XT_INV_PROTO)) { 226 (e->ipv6.invflags & XT_INV_PROTO)) {
229 printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n"); 227 pr_info("TCP_RESET illegal for non-tcp\n");
230 return false; 228 return -EINVAL;
231 } 229 }
232 } 230 }
233 return true; 231 return 0;
234} 232}
235 233
236static struct xt_target reject_tg6_reg __read_mostly = { 234static struct xt_target reject_tg6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index ac0b7c629d78..1580693c86c1 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/module.h> 10#include <linux/module.h>
11#include <linux/skbuff.h> 11#include <linux/skbuff.h>
12#include <linux/ip.h> 12#include <linux/ip.h>
@@ -29,7 +29,7 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
29{ 29{
30 bool r; 30 bool r;
31 31
32 pr_debug("ah spi_match:%c 0x%x <= 0x%x <= 0x%x", 32 pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
33 invert ? '!' : ' ', min, spi, max); 33 invert ? '!' : ' ', min, spi, max);
34 r = (spi >= min && spi <= max) ^ invert; 34 r = (spi >= min && spi <= max) ^ invert;
35 pr_debug(" result %s\n", r ? "PASS" : "FAILED"); 35 pr_debug(" result %s\n", r ? "PASS" : "FAILED");
@@ -87,15 +87,15 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
87 !(ahinfo->hdrres && ah->reserved); 87 !(ahinfo->hdrres && ah->reserved);
88} 88}
89 89
90static bool ah_mt6_check(const struct xt_mtchk_param *par) 90static int ah_mt6_check(const struct xt_mtchk_param *par)
91{ 91{
92 const struct ip6t_ah *ahinfo = par->matchinfo; 92 const struct ip6t_ah *ahinfo = par->matchinfo;
93 93
94 if (ahinfo->invflags & ~IP6T_AH_INV_MASK) { 94 if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
95 pr_debug("ip6t_ah: unknown flags %X\n", ahinfo->invflags); 95 pr_debug("unknown flags %X\n", ahinfo->invflags);
96 return false; 96 return -EINVAL;
97 } 97 }
98 return true; 98 return 0;
99} 99}
100 100
101static struct xt_match ah_mt6_reg __read_mostly = { 101static struct xt_match ah_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 7b91c2598ed5..a5daf0ffb4ec 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/module.h> 10#include <linux/module.h>
11#include <linux/skbuff.h> 11#include <linux/skbuff.h>
12#include <linux/ipv6.h> 12#include <linux/ipv6.h>
@@ -27,7 +27,7 @@ static inline bool
27id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert) 27id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
28{ 28{
29 bool r; 29 bool r;
30 pr_debug("frag id_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ', 30 pr_debug("id_match:%c 0x%x <= 0x%x <= 0x%x\n", invert ? '!' : ' ',
31 min, id, max); 31 min, id, max);
32 r = (id >= min && id <= max) ^ invert; 32 r = (id >= min && id <= max) ^ invert;
33 pr_debug(" result %s\n", r ? "PASS" : "FAILED"); 33 pr_debug(" result %s\n", r ? "PASS" : "FAILED");
@@ -102,15 +102,15 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
102 (ntohs(fh->frag_off) & IP6_MF)); 102 (ntohs(fh->frag_off) & IP6_MF));
103} 103}
104 104
105static bool frag_mt6_check(const struct xt_mtchk_param *par) 105static int frag_mt6_check(const struct xt_mtchk_param *par)
106{ 106{
107 const struct ip6t_frag *fraginfo = par->matchinfo; 107 const struct ip6t_frag *fraginfo = par->matchinfo;
108 108
109 if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) { 109 if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
110 pr_debug("ip6t_frag: unknown flags %X\n", fraginfo->invflags); 110 pr_debug("unknown flags %X\n", fraginfo->invflags);
111 return false; 111 return -EINVAL;
112 } 112 }
113 return true; 113 return 0;
114} 114}
115 115
116static struct xt_match frag_mt6_reg __read_mostly = { 116static struct xt_match frag_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index e60677519e40..e424e7c8f824 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/module.h> 10#include <linux/module.h>
11#include <linux/skbuff.h> 11#include <linux/skbuff.h>
12#include <linux/ipv6.h> 12#include <linux/ipv6.h>
@@ -41,6 +41,8 @@ MODULE_ALIAS("ip6t_dst");
41 * 5 -> RTALERT 2 x x 41 * 5 -> RTALERT 2 x x
42 */ 42 */
43 43
44static struct xt_match hbh_mt6_reg[] __read_mostly;
45
44static bool 46static bool
45hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par) 47hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
46{ 48{
@@ -58,7 +60,9 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
58 unsigned int optlen; 60 unsigned int optlen;
59 int err; 61 int err;
60 62
61 err = ipv6_find_hdr(skb, &ptr, par->match->data, NULL); 63 err = ipv6_find_hdr(skb, &ptr,
64 (par->match == &hbh_mt6_reg[0]) ?
65 NEXTHDR_HOP : NEXTHDR_DEST, NULL);
62 if (err < 0) { 66 if (err < 0) {
63 if (err != -ENOENT) 67 if (err != -ENOENT)
64 *par->hotdrop = true; 68 *par->hotdrop = true;
@@ -160,32 +164,32 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
160 return false; 164 return false;
161} 165}
162 166
163static bool hbh_mt6_check(const struct xt_mtchk_param *par) 167static int hbh_mt6_check(const struct xt_mtchk_param *par)
164{ 168{
165 const struct ip6t_opts *optsinfo = par->matchinfo; 169 const struct ip6t_opts *optsinfo = par->matchinfo;
166 170
167 if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) { 171 if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
168 pr_debug("ip6t_opts: unknown flags %X\n", optsinfo->invflags); 172 pr_debug("unknown flags %X\n", optsinfo->invflags);
169 return false; 173 return -EINVAL;
170 } 174 }
171 175
172 if (optsinfo->flags & IP6T_OPTS_NSTRICT) { 176 if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
173 pr_debug("ip6t_opts: Not strict - not implemented"); 177 pr_debug("Not strict - not implemented");
174 return false; 178 return -EINVAL;
175 } 179 }
176 180
177 return true; 181 return 0;
178} 182}
179 183
180static struct xt_match hbh_mt6_reg[] __read_mostly = { 184static struct xt_match hbh_mt6_reg[] __read_mostly = {
181 { 185 {
186 /* Note, hbh_mt6 relies on the order of hbh_mt6_reg */
182 .name = "hbh", 187 .name = "hbh",
183 .family = NFPROTO_IPV6, 188 .family = NFPROTO_IPV6,
184 .match = hbh_mt6, 189 .match = hbh_mt6,
185 .matchsize = sizeof(struct ip6t_opts), 190 .matchsize = sizeof(struct ip6t_opts),
186 .checkentry = hbh_mt6_check, 191 .checkentry = hbh_mt6_check,
187 .me = THIS_MODULE, 192 .me = THIS_MODULE,
188 .data = NEXTHDR_HOP,
189 }, 193 },
190 { 194 {
191 .name = "dst", 195 .name = "dst",
@@ -194,7 +198,6 @@ static struct xt_match hbh_mt6_reg[] __read_mostly = {
194 .matchsize = sizeof(struct ip6t_opts), 198 .matchsize = sizeof(struct ip6t_opts),
195 .checkentry = hbh_mt6_check, 199 .checkentry = hbh_mt6_check,
196 .me = THIS_MODULE, 200 .me = THIS_MODULE,
197 .data = NEXTHDR_DEST,
198 }, 201 },
199}; 202};
200 203
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 91490ad9302c..46fbabb493fa 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -118,16 +118,16 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
118 } 118 }
119} 119}
120 120
121static bool ipv6header_mt6_check(const struct xt_mtchk_param *par) 121static int ipv6header_mt6_check(const struct xt_mtchk_param *par)
122{ 122{
123 const struct ip6t_ipv6header_info *info = par->matchinfo; 123 const struct ip6t_ipv6header_info *info = par->matchinfo;
124 124
125 /* invflags is 0 or 0xff in hard mode */ 125 /* invflags is 0 or 0xff in hard mode */
126 if ((!info->modeflag) && info->invflags != 0x00 && 126 if ((!info->modeflag) && info->invflags != 0x00 &&
127 info->invflags != 0xFF) 127 info->invflags != 0xFF)
128 return false; 128 return -EINVAL;
129 129
130 return true; 130 return 0;
131} 131}
132 132
133static struct xt_match ipv6header_mt6_reg __read_mostly = { 133static struct xt_match ipv6header_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index aafe4e66577b..c9f443e0138f 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -11,6 +11,7 @@
11 * Based on net/netfilter/xt_tcpudp.c 11 * Based on net/netfilter/xt_tcpudp.c
12 * 12 *
13 */ 13 */
14#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14#include <linux/types.h> 15#include <linux/types.h>
15#include <linux/module.h> 16#include <linux/module.h>
16#include <net/ip.h> 17#include <net/ip.h>
@@ -24,12 +25,6 @@
24MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match"); 25MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");
25MODULE_LICENSE("GPL"); 26MODULE_LICENSE("GPL");
26 27
27#ifdef DEBUG_IP_FIREWALL_USER
28#define duprintf(format, args...) printk(format , ## args)
29#else
30#define duprintf(format, args...)
31#endif
32
33/* Returns 1 if the type is matched by the range, 0 otherwise */ 28/* Returns 1 if the type is matched by the range, 0 otherwise */
34static inline bool 29static inline bool
35type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert) 30type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
@@ -51,13 +46,13 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
51 if (mh == NULL) { 46 if (mh == NULL) {
52 /* We've been asked to examine this packet, and we 47 /* We've been asked to examine this packet, and we
53 can't. Hence, no choice but to drop. */ 48 can't. Hence, no choice but to drop. */
54 duprintf("Dropping evil MH tinygram.\n"); 49 pr_debug("Dropping evil MH tinygram.\n");
55 *par->hotdrop = true; 50 *par->hotdrop = true;
56 return false; 51 return false;
57 } 52 }
58 53
59 if (mh->ip6mh_proto != IPPROTO_NONE) { 54 if (mh->ip6mh_proto != IPPROTO_NONE) {
60 duprintf("Dropping invalid MH Payload Proto: %u\n", 55 pr_debug("Dropping invalid MH Payload Proto: %u\n",
61 mh->ip6mh_proto); 56 mh->ip6mh_proto);
62 *par->hotdrop = true; 57 *par->hotdrop = true;
63 return false; 58 return false;
@@ -67,12 +62,12 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
67 !!(mhinfo->invflags & IP6T_MH_INV_TYPE)); 62 !!(mhinfo->invflags & IP6T_MH_INV_TYPE));
68} 63}
69 64
70static bool mh_mt6_check(const struct xt_mtchk_param *par) 65static int mh_mt6_check(const struct xt_mtchk_param *par)
71{ 66{
72 const struct ip6t_mh *mhinfo = par->matchinfo; 67 const struct ip6t_mh *mhinfo = par->matchinfo;
73 68
74 /* Must specify no unknown invflags */ 69 /* Must specify no unknown invflags */
75 return !(mhinfo->invflags & ~IP6T_MH_INV_MASK); 70 return (mhinfo->invflags & ~IP6T_MH_INV_MASK) ? -EINVAL : 0;
76} 71}
77 72
78static struct xt_match mh_mt6_reg __read_mostly = { 73static struct xt_match mh_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index b77307fc8743..09322720d2a6 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/module.h> 10#include <linux/module.h>
11#include <linux/skbuff.h> 11#include <linux/skbuff.h>
12#include <linux/ipv6.h> 12#include <linux/ipv6.h>
@@ -29,7 +29,7 @@ static inline bool
29segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert) 29segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
30{ 30{
31 bool r; 31 bool r;
32 pr_debug("rt segsleft_match:%c 0x%x <= 0x%x <= 0x%x", 32 pr_debug("segsleft_match:%c 0x%x <= 0x%x <= 0x%x\n",
33 invert ? '!' : ' ', min, id, max); 33 invert ? '!' : ' ', min, id, max);
34 r = (id >= min && id <= max) ^ invert; 34 r = (id >= min && id <= max) ^ invert;
35 pr_debug(" result %s\n", r ? "PASS" : "FAILED"); 35 pr_debug(" result %s\n", r ? "PASS" : "FAILED");
@@ -183,23 +183,23 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
183 return false; 183 return false;
184} 184}
185 185
186static bool rt_mt6_check(const struct xt_mtchk_param *par) 186static int rt_mt6_check(const struct xt_mtchk_param *par)
187{ 187{
188 const struct ip6t_rt *rtinfo = par->matchinfo; 188 const struct ip6t_rt *rtinfo = par->matchinfo;
189 189
190 if (rtinfo->invflags & ~IP6T_RT_INV_MASK) { 190 if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
191 pr_debug("ip6t_rt: unknown flags %X\n", rtinfo->invflags); 191 pr_debug("unknown flags %X\n", rtinfo->invflags);
192 return false; 192 return -EINVAL;
193 } 193 }
194 if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) && 194 if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) &&
195 (!(rtinfo->flags & IP6T_RT_TYP) || 195 (!(rtinfo->flags & IP6T_RT_TYP) ||
196 (rtinfo->rt_type != 0) || 196 (rtinfo->rt_type != 0) ||
197 (rtinfo->invflags & IP6T_RT_INV_TYP))) { 197 (rtinfo->invflags & IP6T_RT_INV_TYP))) {
198 pr_debug("`--rt-type 0' required before `--rt-0-*'"); 198 pr_debug("`--rt-type 0' required before `--rt-0-*'");
199 return false; 199 return -EINVAL;
200 } 200 }
201 201
202 return true; 202 return 0;
203} 203}
204 204
205static struct xt_match rt_mt6_reg __read_mostly = { 205static struct xt_match rt_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index dd5b9bd61c62..6fb890187de0 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -644,7 +644,7 @@ void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
644 s2 = s->next; 644 s2 = s->next;
645 s->next = NULL; 645 s->next = NULL;
646 646
647 NF_HOOK_THRESH(PF_INET6, hooknum, s, in, out, okfn, 647 NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s, in, out, okfn,
648 NF_IP6_PRI_CONNTRACK_DEFRAG + 1); 648 NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
649 s = s2; 649 s = s2;
650 } 650 }
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 0e3d2dd92078..4a4dcbe4f8b2 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -640,8 +640,8 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
640 goto error_fault; 640 goto error_fault;
641 641
642 IP6_UPD_PO_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len); 642 IP6_UPD_PO_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len);
643 err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev, 643 err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
644 dst_output); 644 rt->u.dst.dev, dst_output);
645 if (err > 0) 645 if (err > 0)
646 err = net_xmit_errno(err); 646 err = net_xmit_errno(err);
647 if (err) 647 if (err)
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index 2bc98ede1235..f8c3cf842f53 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -42,7 +42,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
42 ipv6_hdr(skb)->payload_len = htons(skb->len); 42 ipv6_hdr(skb)->payload_len = htons(skb->len);
43 __skb_push(skb, skb->data - skb_network_header(skb)); 43 __skb_push(skb, skb->data - skb_network_header(skb));
44 44
45 NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL, 45 NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
46 ip6_rcv_finish); 46 ip6_rcv_finish);
47 return -1; 47 return -1;
48} 48}
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 0c92112dcba3..6434bd5ce088 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -90,6 +90,6 @@ static int xfrm6_output_finish(struct sk_buff *skb)
90 90
91int xfrm6_output(struct sk_buff *skb) 91int xfrm6_output(struct sk_buff *skb)
92{ 92{
93 return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb_dst(skb)->dev, 93 return NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL,
94 xfrm6_output_finish); 94 skb_dst(skb)->dev, xfrm6_output_finish);
95} 95}
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 18d77b5c351a..673a6c8f0e95 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -314,8 +314,39 @@ config NETFILTER_XTABLES
314 314
315if NETFILTER_XTABLES 315if NETFILTER_XTABLES
316 316
317comment "Xtables combined modules"
318
319config NETFILTER_XT_MARK
320 tristate 'nfmark target and match support'
321 default m if NETFILTER_ADVANCED=n
322 ---help---
323 This option adds the "MARK" target and "mark" match.
324
325 Netfilter mark matching allows you to match packets based on the
326 "nfmark" value in the packet.
327 The target allows you to create rules in the "mangle" table which alter
328 the netfilter mark (nfmark) field associated with the packet.
329
330 Prior to routing, the nfmark can influence the routing method (see
331 "Use netfilter MARK value as routing key") and can also be used by
332 other subsystems to change their behavior.
333
334config NETFILTER_XT_CONNMARK
335 tristate 'ctmark target and match support'
336 depends on NF_CONNTRACK
337 depends on NETFILTER_ADVANCED
338 select NF_CONNTRACK_MARK
339 ---help---
340 This option adds the "CONNMARK" target and "connmark" match.
341
342 Netfilter allows you to store a mark value per connection (a.k.a.
343 ctmark), similarly to the packet mark (nfmark). Using this
344 target and match, you can set and match on this mark.
345
317# alphabetically ordered list of targets 346# alphabetically ordered list of targets
318 347
348comment "Xtables targets"
349
319config NETFILTER_XT_TARGET_CLASSIFY 350config NETFILTER_XT_TARGET_CLASSIFY
320 tristate '"CLASSIFY" target support' 351 tristate '"CLASSIFY" target support'
321 depends on NETFILTER_ADVANCED 352 depends on NETFILTER_ADVANCED
@@ -332,15 +363,11 @@ config NETFILTER_XT_TARGET_CONNMARK
332 tristate '"CONNMARK" target support' 363 tristate '"CONNMARK" target support'
333 depends on NF_CONNTRACK 364 depends on NF_CONNTRACK
334 depends on NETFILTER_ADVANCED 365 depends on NETFILTER_ADVANCED
335 select NF_CONNTRACK_MARK 366 select NETFILTER_XT_CONNMARK
336 help 367 ---help---
337 This option adds a `CONNMARK' target, which allows one to manipulate 368 This is a backwards-compat option for the user's convenience
338 the connection mark value. Similar to the MARK target, but 369 (e.g. when running oldconfig). It selects
339 affects the connection mark value rather than the packet mark value. 370 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
340
341 If you want to compile it as a module, say M here and read
342 <file:Documentation/kbuild/modules.txt>. The module will be called
343 ipt_CONNMARK. If unsure, say `N'.
344 371
345config NETFILTER_XT_TARGET_CONNSECMARK 372config NETFILTER_XT_TARGET_CONNSECMARK
346 tristate '"CONNSECMARK" target support' 373 tristate '"CONNSECMARK" target support'
@@ -423,16 +450,12 @@ config NETFILTER_XT_TARGET_LED
423 450
424config NETFILTER_XT_TARGET_MARK 451config NETFILTER_XT_TARGET_MARK
425 tristate '"MARK" target support' 452 tristate '"MARK" target support'
426 default m if NETFILTER_ADVANCED=n 453 depends on NETFILTER_ADVANCED
427 help 454 select NETFILTER_XT_MARK
428 This option adds a `MARK' target, which allows you to create rules 455 ---help---
429 in the `mangle' table which alter the netfilter mark (nfmark) field 456 This is a backwards-compat option for the user's convenience
430 associated with the packet prior to routing. This can change 457 (e.g. when running oldconfig). It selects
431 the routing method (see `Use netfilter MARK value as routing 458 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
432 key') and can also be used by other subsystems to change their
433 behavior.
434
435 To compile it as a module, choose M here. If unsure, say N.
436 459
437config NETFILTER_XT_TARGET_NFLOG 460config NETFILTER_XT_TARGET_NFLOG
438 tristate '"NFLOG" target support' 461 tristate '"NFLOG" target support'
@@ -479,6 +502,13 @@ config NETFILTER_XT_TARGET_RATEEST
479 502
480 To compile it as a module, choose M here. If unsure, say N. 503 To compile it as a module, choose M here. If unsure, say N.
481 504
505config NETFILTER_XT_TARGET_TEE
506 tristate '"TEE" - packet cloning to alternate destiantion'
507 depends on NETFILTER_ADVANCED
508 ---help---
509 This option adds a "TEE" target with which a packet can be cloned and
510 this clone be rerouted to another nexthop.
511
482config NETFILTER_XT_TARGET_TPROXY 512config NETFILTER_XT_TARGET_TPROXY
483 tristate '"TPROXY" target support (EXPERIMENTAL)' 513 tristate '"TPROXY" target support (EXPERIMENTAL)'
484 depends on EXPERIMENTAL 514 depends on EXPERIMENTAL
@@ -552,6 +582,10 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
552 This option adds a "TCPOPTSTRIP" target, which allows you to strip 582 This option adds a "TCPOPTSTRIP" target, which allows you to strip
553 TCP options from TCP packets. 583 TCP options from TCP packets.
554 584
585# alphabetically ordered list of matches
586
587comment "Xtables matches"
588
555config NETFILTER_XT_MATCH_CLUSTER 589config NETFILTER_XT_MATCH_CLUSTER
556 tristate '"cluster" match support' 590 tristate '"cluster" match support'
557 depends on NF_CONNTRACK 591 depends on NF_CONNTRACK
@@ -602,14 +636,11 @@ config NETFILTER_XT_MATCH_CONNMARK
602 tristate '"connmark" connection mark match support' 636 tristate '"connmark" connection mark match support'
603 depends on NF_CONNTRACK 637 depends on NF_CONNTRACK
604 depends on NETFILTER_ADVANCED 638 depends on NETFILTER_ADVANCED
605 select NF_CONNTRACK_MARK 639 select NETFILTER_XT_CONNMARK
606 help 640 ---help---
607 This option adds a `connmark' match, which allows you to match the 641 This is a backwards-compat option for the user's convenience
608 connection mark value previously set for the session by `CONNMARK'. 642 (e.g. when running oldconfig). It selects
609 643 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
610 If you want to compile it as a module, say M here and read
611 <file:Documentation/kbuild/modules.txt>. The module will be called
612 ipt_connmark. If unsure, say `N'.
613 644
614config NETFILTER_XT_MATCH_CONNTRACK 645config NETFILTER_XT_MATCH_CONNTRACK
615 tristate '"conntrack" connection tracking match support' 646 tristate '"conntrack" connection tracking match support'
@@ -733,13 +764,12 @@ config NETFILTER_XT_MATCH_MAC
733 764
734config NETFILTER_XT_MATCH_MARK 765config NETFILTER_XT_MATCH_MARK
735 tristate '"mark" match support' 766 tristate '"mark" match support'
736 default m if NETFILTER_ADVANCED=n 767 depends on NETFILTER_ADVANCED
737 help 768 select NETFILTER_XT_MARK
738 Netfilter mark matching allows you to match packets based on the 769 ---help---
739 `nfmark' value in the packet. This can be set by the MARK target 770 This is a backwards-compat option for the user's convenience
740 (see below). 771 (e.g. when running oldconfig). It selects
741 772 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
742 To compile it as a module, choose M here. If unsure, say N.
743 773
744config NETFILTER_XT_MATCH_MULTIPORT 774config NETFILTER_XT_MATCH_MULTIPORT
745 tristate '"multiport" Multiple port match support' 775 tristate '"multiport" Multiple port match support'
@@ -751,6 +781,19 @@ config NETFILTER_XT_MATCH_MULTIPORT
751 781
752 To compile it as a module, choose M here. If unsure, say N. 782 To compile it as a module, choose M here. If unsure, say N.
753 783
784config NETFILTER_XT_MATCH_OSF
785 tristate '"osf" Passive OS fingerprint match'
786 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
787 help
788 This option selects the Passive OS Fingerprinting match module
789 that allows to passively match the remote operating system by
790 analyzing incoming TCP SYN packets.
791
792 Rules and loading software can be downloaded from
793 http://www.ioremap.net/projects/osf
794
795 To compile it as a module, choose M here. If unsure, say N.
796
754config NETFILTER_XT_MATCH_OWNER 797config NETFILTER_XT_MATCH_OWNER
755 tristate '"owner" match support' 798 tristate '"owner" match support'
756 depends on NETFILTER_ADVANCED 799 depends on NETFILTER_ADVANCED
@@ -836,13 +879,6 @@ config NETFILTER_XT_MATCH_RECENT
836 Short options are available by using 'iptables -m recent -h' 879 Short options are available by using 'iptables -m recent -h'
837 Official Website: <http://snowman.net/projects/ipt_recent/> 880 Official Website: <http://snowman.net/projects/ipt_recent/>
838 881
839config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
840 bool 'Enable obsolete /proc/net/ipt_recent'
841 depends on NETFILTER_XT_MATCH_RECENT && PROC_FS
842 ---help---
843 This option enables the old /proc/net/ipt_recent interface,
844 which has been obsoleted by /proc/net/xt_recent.
845
846config NETFILTER_XT_MATCH_SCTP 882config NETFILTER_XT_MATCH_SCTP
847 tristate '"sctp" protocol match support (EXPERIMENTAL)' 883 tristate '"sctp" protocol match support (EXPERIMENTAL)'
848 depends on EXPERIMENTAL 884 depends on EXPERIMENTAL
@@ -942,19 +978,6 @@ config NETFILTER_XT_MATCH_U32
942 978
943 Details and examples are in the kernel module source. 979 Details and examples are in the kernel module source.
944 980
945config NETFILTER_XT_MATCH_OSF
946 tristate '"osf" Passive OS fingerprint match'
947 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
948 help
949 This option selects the Passive OS Fingerprinting match module
950 that allows to passively match the remote operating system by
951 analyzing incoming TCP SYN packets.
952
953 Rules and loading software can be downloaded from
954 http://www.ioremap.net/projects/osf
955
956 To compile it as a module, choose M here. If unsure, say N.
957
958endif # NETFILTER_XTABLES 981endif # NETFILTER_XTABLES
959 982
960endmenu 983endmenu
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index f873644f02f6..14e3a8fd8180 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -40,15 +40,17 @@ obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o
40# generic X tables 40# generic X tables
41obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o 41obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
42 42
43# combos
44obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
45obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
46
43# targets 47# targets
44obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o 48obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
45obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
46obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o 49obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
47obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o 50obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
48obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o 51obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
49obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o 52obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o
50obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o 53obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
51obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
52obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o 54obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
53obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o 55obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
54obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o 56obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
@@ -57,6 +59,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
57obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o 59obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o
58obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o 60obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
59obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o 61obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
62obj-$(CONFIG_NETFILTER_XT_TARGET_TEE) += xt_TEE.o
60obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o 63obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
61 64
62# matches 65# matches
@@ -64,7 +67,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
64obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o 67obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
65obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o 68obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
66obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o 69obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
67obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o
68obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o 70obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
69obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o 71obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
70obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o 72obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
@@ -76,7 +78,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
76obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o 78obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
77obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o 79obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
78obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o 80obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
79obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
80obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o 81obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
81obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o 82obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o
82obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o 83obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index 2c7f185dfae4..2ae747a376a5 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -209,8 +209,14 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
209 */ 209 */
210 from.ip = n_cp->vaddr.ip; 210 from.ip = n_cp->vaddr.ip;
211 port = n_cp->vport; 211 port = n_cp->vport;
212 sprintf(buf, "%u,%u,%u,%u,%u,%u", NIPQUAD(from.ip), 212 snprintf(buf, sizeof(buf), "%u,%u,%u,%u,%u,%u",
213 (ntohs(port)>>8)&255, ntohs(port)&255); 213 ((unsigned char *)&from.ip)[0],
214 ((unsigned char *)&from.ip)[1],
215 ((unsigned char *)&from.ip)[2],
216 ((unsigned char *)&from.ip)[3],
217 ntohs(port) >> 8,
218 ntohs(port) & 0xFF);
219
214 buf_len = strlen(buf); 220 buf_len = strlen(buf);
215 221
216 /* 222 /*
diff --git a/net/netfilter/ipvs/ip_vs_proto.c b/net/netfilter/ipvs/ip_vs_proto.c
index 7fc49f4cf5ad..2d3d5e4b35f8 100644
--- a/net/netfilter/ipvs/ip_vs_proto.c
+++ b/net/netfilter/ipvs/ip_vs_proto.c
@@ -167,26 +167,24 @@ ip_vs_tcpudp_debug_packet_v4(struct ip_vs_protocol *pp,
167 167
168 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 168 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
169 if (ih == NULL) 169 if (ih == NULL)
170 sprintf(buf, "%s TRUNCATED", pp->name); 170 sprintf(buf, "TRUNCATED");
171 else if (ih->frag_off & htons(IP_OFFSET)) 171 else if (ih->frag_off & htons(IP_OFFSET))
172 sprintf(buf, "%s %pI4->%pI4 frag", 172 sprintf(buf, "%pI4->%pI4 frag", &ih->saddr, &ih->daddr);
173 pp->name, &ih->saddr, &ih->daddr);
174 else { 173 else {
175 __be16 _ports[2], *pptr 174 __be16 _ports[2], *pptr
176; 175;
177 pptr = skb_header_pointer(skb, offset + ih->ihl*4, 176 pptr = skb_header_pointer(skb, offset + ih->ihl*4,
178 sizeof(_ports), _ports); 177 sizeof(_ports), _ports);
179 if (pptr == NULL) 178 if (pptr == NULL)
180 sprintf(buf, "%s TRUNCATED %pI4->%pI4", 179 sprintf(buf, "TRUNCATED %pI4->%pI4",
181 pp->name, &ih->saddr, &ih->daddr); 180 &ih->saddr, &ih->daddr);
182 else 181 else
183 sprintf(buf, "%s %pI4:%u->%pI4:%u", 182 sprintf(buf, "%pI4:%u->%pI4:%u",
184 pp->name,
185 &ih->saddr, ntohs(pptr[0]), 183 &ih->saddr, ntohs(pptr[0]),
186 &ih->daddr, ntohs(pptr[1])); 184 &ih->daddr, ntohs(pptr[1]));
187 } 185 }
188 186
189 pr_debug("%s: %s\n", msg, buf); 187 pr_debug("%s: %s %s\n", msg, pp->name, buf);
190} 188}
191 189
192#ifdef CONFIG_IP_VS_IPV6 190#ifdef CONFIG_IP_VS_IPV6
@@ -201,26 +199,24 @@ ip_vs_tcpudp_debug_packet_v6(struct ip_vs_protocol *pp,
201 199
202 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 200 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
203 if (ih == NULL) 201 if (ih == NULL)
204 sprintf(buf, "%s TRUNCATED", pp->name); 202 sprintf(buf, "TRUNCATED");
205 else if (ih->nexthdr == IPPROTO_FRAGMENT) 203 else if (ih->nexthdr == IPPROTO_FRAGMENT)
206 sprintf(buf, "%s %pI6->%pI6 frag", 204 sprintf(buf, "%pI6->%pI6 frag", &ih->saddr, &ih->daddr);
207 pp->name, &ih->saddr, &ih->daddr);
208 else { 205 else {
209 __be16 _ports[2], *pptr; 206 __be16 _ports[2], *pptr;
210 207
211 pptr = skb_header_pointer(skb, offset + sizeof(struct ipv6hdr), 208 pptr = skb_header_pointer(skb, offset + sizeof(struct ipv6hdr),
212 sizeof(_ports), _ports); 209 sizeof(_ports), _ports);
213 if (pptr == NULL) 210 if (pptr == NULL)
214 sprintf(buf, "%s TRUNCATED %pI6->%pI6", 211 sprintf(buf, "TRUNCATED %pI6->%pI6",
215 pp->name, &ih->saddr, &ih->daddr); 212 &ih->saddr, &ih->daddr);
216 else 213 else
217 sprintf(buf, "%s %pI6:%u->%pI6:%u", 214 sprintf(buf, "%pI6:%u->%pI6:%u",
218 pp->name,
219 &ih->saddr, ntohs(pptr[0]), 215 &ih->saddr, ntohs(pptr[0]),
220 &ih->daddr, ntohs(pptr[1])); 216 &ih->daddr, ntohs(pptr[1]));
221 } 217 }
222 218
223 pr_debug("%s: %s\n", msg, buf); 219 pr_debug("%s: %s %s\n", msg, pp->name, buf);
224} 220}
225#endif 221#endif
226 222
diff --git a/net/netfilter/ipvs/ip_vs_proto_ah_esp.c b/net/netfilter/ipvs/ip_vs_proto_ah_esp.c
index c30b43c36cd7..1892dfc12fdd 100644
--- a/net/netfilter/ipvs/ip_vs_proto_ah_esp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_ah_esp.c
@@ -136,12 +136,11 @@ ah_esp_debug_packet_v4(struct ip_vs_protocol *pp, const struct sk_buff *skb,
136 136
137 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 137 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
138 if (ih == NULL) 138 if (ih == NULL)
139 sprintf(buf, "%s TRUNCATED", pp->name); 139 sprintf(buf, "TRUNCATED");
140 else 140 else
141 sprintf(buf, "%s %pI4->%pI4", 141 sprintf(buf, "%pI4->%pI4", &ih->saddr, &ih->daddr);
142 pp->name, &ih->saddr, &ih->daddr);
143 142
144 pr_debug("%s: %s\n", msg, buf); 143 pr_debug("%s: %s %s\n", msg, pp->name, buf);
145} 144}
146 145
147#ifdef CONFIG_IP_VS_IPV6 146#ifdef CONFIG_IP_VS_IPV6
@@ -154,12 +153,11 @@ ah_esp_debug_packet_v6(struct ip_vs_protocol *pp, const struct sk_buff *skb,
154 153
155 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph); 154 ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
156 if (ih == NULL) 155 if (ih == NULL)
157 sprintf(buf, "%s TRUNCATED", pp->name); 156 sprintf(buf, "TRUNCATED");
158 else 157 else
159 sprintf(buf, "%s %pI6->%pI6", 158 sprintf(buf, "%pI6->%pI6", &ih->saddr, &ih->daddr);
160 pp->name, &ih->saddr, &ih->daddr);
161 159
162 pr_debug("%s: %s\n", msg, buf); 160 pr_debug("%s: %s %s\n", msg, pp->name, buf);
163} 161}
164#endif 162#endif
165 163
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index e450cd6f4eb5..93c15a107b2c 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -270,7 +270,7 @@ ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
270 /* Another hack: avoid icmp_send in ip_fragment */ 270 /* Another hack: avoid icmp_send in ip_fragment */
271 skb->local_df = 1; 271 skb->local_df = 1;
272 272
273 IP_VS_XMIT(PF_INET, skb, rt); 273 IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
274 274
275 LeaveFunction(10); 275 LeaveFunction(10);
276 return NF_STOLEN; 276 return NF_STOLEN;
@@ -334,7 +334,7 @@ ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
334 /* Another hack: avoid icmp_send in ip_fragment */ 334 /* Another hack: avoid icmp_send in ip_fragment */
335 skb->local_df = 1; 335 skb->local_df = 1;
336 336
337 IP_VS_XMIT(PF_INET6, skb, rt); 337 IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
338 338
339 LeaveFunction(10); 339 LeaveFunction(10);
340 return NF_STOLEN; 340 return NF_STOLEN;
@@ -410,7 +410,7 @@ ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
410 /* Another hack: avoid icmp_send in ip_fragment */ 410 /* Another hack: avoid icmp_send in ip_fragment */
411 skb->local_df = 1; 411 skb->local_df = 1;
412 412
413 IP_VS_XMIT(PF_INET, skb, rt); 413 IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
414 414
415 LeaveFunction(10); 415 LeaveFunction(10);
416 return NF_STOLEN; 416 return NF_STOLEN;
@@ -486,7 +486,7 @@ ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
486 /* Another hack: avoid icmp_send in ip_fragment */ 486 /* Another hack: avoid icmp_send in ip_fragment */
487 skb->local_df = 1; 487 skb->local_df = 1;
488 488
489 IP_VS_XMIT(PF_INET6, skb, rt); 489 IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
490 490
491 LeaveFunction(10); 491 LeaveFunction(10);
492 return NF_STOLEN; 492 return NF_STOLEN;
@@ -785,7 +785,7 @@ ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
785 /* Another hack: avoid icmp_send in ip_fragment */ 785 /* Another hack: avoid icmp_send in ip_fragment */
786 skb->local_df = 1; 786 skb->local_df = 1;
787 787
788 IP_VS_XMIT(PF_INET, skb, rt); 788 IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
789 789
790 LeaveFunction(10); 790 LeaveFunction(10);
791 return NF_STOLEN; 791 return NF_STOLEN;
@@ -838,7 +838,7 @@ ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
838 /* Another hack: avoid icmp_send in ip_fragment */ 838 /* Another hack: avoid icmp_send in ip_fragment */
839 skb->local_df = 1; 839 skb->local_df = 1;
840 840
841 IP_VS_XMIT(PF_INET6, skb, rt); 841 IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
842 842
843 LeaveFunction(10); 843 LeaveFunction(10);
844 return NF_STOLEN; 844 return NF_STOLEN;
@@ -912,7 +912,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
912 /* Another hack: avoid icmp_send in ip_fragment */ 912 /* Another hack: avoid icmp_send in ip_fragment */
913 skb->local_df = 1; 913 skb->local_df = 1;
914 914
915 IP_VS_XMIT(PF_INET, skb, rt); 915 IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
916 916
917 rc = NF_STOLEN; 917 rc = NF_STOLEN;
918 goto out; 918 goto out;
@@ -987,7 +987,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
987 /* Another hack: avoid icmp_send in ip_fragment */ 987 /* Another hack: avoid icmp_send in ip_fragment */
988 skb->local_df = 1; 988 skb->local_df = 1;
989 989
990 IP_VS_XMIT(PF_INET6, skb, rt); 990 IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
991 991
992 rc = NF_STOLEN; 992 rc = NF_STOLEN;
993 goto out; 993 goto out;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 0c9bbe93cc16..3907efb97a7c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -319,8 +319,10 @@ begin:
319 * not the expected one, we must restart lookup. 319 * not the expected one, we must restart lookup.
320 * We probably met an item that was moved to another chain. 320 * We probably met an item that was moved to another chain.
321 */ 321 */
322 if (get_nulls_value(n) != hash) 322 if (get_nulls_value(n) != hash) {
323 NF_CT_STAT_INC(net, search_restart);
323 goto begin; 324 goto begin;
325 }
324 local_bh_enable(); 326 local_bh_enable();
325 327
326 return NULL; 328 return NULL;
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index f516961a83b4..cdcc7649476b 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -85,7 +85,8 @@ int nf_conntrack_register_notifier(struct nf_ct_event_notifier *new)
85 struct nf_ct_event_notifier *notify; 85 struct nf_ct_event_notifier *notify;
86 86
87 mutex_lock(&nf_ct_ecache_mutex); 87 mutex_lock(&nf_ct_ecache_mutex);
88 notify = rcu_dereference(nf_conntrack_event_cb); 88 notify = rcu_dereference_protected(nf_conntrack_event_cb,
89 lockdep_is_held(&nf_ct_ecache_mutex));
89 if (notify != NULL) { 90 if (notify != NULL) {
90 ret = -EBUSY; 91 ret = -EBUSY;
91 goto out_unlock; 92 goto out_unlock;
@@ -105,7 +106,8 @@ void nf_conntrack_unregister_notifier(struct nf_ct_event_notifier *new)
105 struct nf_ct_event_notifier *notify; 106 struct nf_ct_event_notifier *notify;
106 107
107 mutex_lock(&nf_ct_ecache_mutex); 108 mutex_lock(&nf_ct_ecache_mutex);
108 notify = rcu_dereference(nf_conntrack_event_cb); 109 notify = rcu_dereference_protected(nf_conntrack_event_cb,
110 lockdep_is_held(&nf_ct_ecache_mutex));
109 BUG_ON(notify != new); 111 BUG_ON(notify != new);
110 rcu_assign_pointer(nf_conntrack_event_cb, NULL); 112 rcu_assign_pointer(nf_conntrack_event_cb, NULL);
111 mutex_unlock(&nf_ct_ecache_mutex); 113 mutex_unlock(&nf_ct_ecache_mutex);
@@ -118,7 +120,8 @@ int nf_ct_expect_register_notifier(struct nf_exp_event_notifier *new)
118 struct nf_exp_event_notifier *notify; 120 struct nf_exp_event_notifier *notify;
119 121
120 mutex_lock(&nf_ct_ecache_mutex); 122 mutex_lock(&nf_ct_ecache_mutex);
121 notify = rcu_dereference(nf_expect_event_cb); 123 notify = rcu_dereference_protected(nf_expect_event_cb,
124 lockdep_is_held(&nf_ct_ecache_mutex));
122 if (notify != NULL) { 125 if (notify != NULL) {
123 ret = -EBUSY; 126 ret = -EBUSY;
124 goto out_unlock; 127 goto out_unlock;
@@ -138,7 +141,8 @@ void nf_ct_expect_unregister_notifier(struct nf_exp_event_notifier *new)
138 struct nf_exp_event_notifier *notify; 141 struct nf_exp_event_notifier *notify;
139 142
140 mutex_lock(&nf_ct_ecache_mutex); 143 mutex_lock(&nf_ct_ecache_mutex);
141 notify = rcu_dereference(nf_expect_event_cb); 144 notify = rcu_dereference_protected(nf_expect_event_cb,
145 lockdep_is_held(&nf_ct_ecache_mutex));
142 BUG_ON(notify != new); 146 BUG_ON(notify != new);
143 rcu_assign_pointer(nf_expect_event_cb, NULL); 147 rcu_assign_pointer(nf_expect_event_cb, NULL);
144 mutex_unlock(&nf_ct_ecache_mutex); 148 mutex_unlock(&nf_ct_ecache_mutex);
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index a487c8038044..48bf15073a85 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -194,8 +194,7 @@ static int get_tpkt_data(struct sk_buff *skb, unsigned int protoff,
194 return 0; 194 return 0;
195 } 195 }
196 196
197 if (net_ratelimit()) 197 pr_debug("nf_ct_h323: incomplete TPKT (fragmented?)\n");
198 printk("nf_ct_h323: incomplete TPKT (fragmented?)\n");
199 goto clear_out; 198 goto clear_out;
200 } 199 }
201 200
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index afc52f2ee4ac..4e55403bf263 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -427,6 +427,17 @@ ctnetlink_proto_size(const struct nf_conn *ct)
427} 427}
428 428
429static inline size_t 429static inline size_t
430ctnetlink_counters_size(const struct nf_conn *ct)
431{
432 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
433 return 0;
434 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
435 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
436 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
437 ;
438}
439
440static inline size_t
430ctnetlink_nlmsg_size(const struct nf_conn *ct) 441ctnetlink_nlmsg_size(const struct nf_conn *ct)
431{ 442{
432 return NLMSG_ALIGN(sizeof(struct nfgenmsg)) 443 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
@@ -436,11 +447,7 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct)
436 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 447 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
437 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 448 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
438 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 449 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
439#ifdef CONFIG_NF_CT_ACCT 450 + ctnetlink_counters_size(ct)
440 + 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
441 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
442 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
443#endif
444 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 451 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
445 + nla_total_size(0) /* CTA_PROTOINFO */ 452 + nla_total_size(0) /* CTA_PROTOINFO */
446 + nla_total_size(0) /* CTA_HELP */ 453 + nla_total_size(0) /* CTA_HELP */
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index a44fa75b5178..5886ba1d52a0 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -14,12 +14,10 @@
14#include <linux/module.h> 14#include <linux/module.h>
15#include <linux/slab.h> 15#include <linux/slab.h>
16#include <linux/mutex.h> 16#include <linux/mutex.h>
17#include <linux/skbuff.h>
18#include <linux/vmalloc.h> 17#include <linux/vmalloc.h>
19#include <linux/stddef.h> 18#include <linux/stddef.h>
20#include <linux/err.h> 19#include <linux/err.h>
21#include <linux/percpu.h> 20#include <linux/percpu.h>
22#include <linux/moduleparam.h>
23#include <linux/notifier.h> 21#include <linux/notifier.h>
24#include <linux/kernel.h> 22#include <linux/kernel.h>
25#include <linux/netdevice.h> 23#include <linux/netdevice.h>
@@ -119,9 +117,13 @@ void nf_ct_l3proto_module_put(unsigned short l3proto)
119{ 117{
120 struct nf_conntrack_l3proto *p; 118 struct nf_conntrack_l3proto *p;
121 119
122 /* rcu_read_lock not necessary since the caller holds a reference */ 120 /* rcu_read_lock not necessary since the caller holds a reference, but
121 * taken anyways to avoid lockdep warnings in __nf_ct_l3proto_find()
122 */
123 rcu_read_lock();
123 p = __nf_ct_l3proto_find(l3proto); 124 p = __nf_ct_l3proto_find(l3proto);
124 module_put(p->me); 125 module_put(p->me);
126 rcu_read_unlock();
125} 127}
126EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put); 128EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put);
127 129
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index faa8eb3722b9..ea4a8d384234 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -252,12 +252,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
252 const struct ip_conntrack_stat *st = v; 252 const struct ip_conntrack_stat *st = v;
253 253
254 if (v == SEQ_START_TOKEN) { 254 if (v == SEQ_START_TOKEN) {
255 seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete\n"); 255 seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n");
256 return 0; 256 return 0;
257 } 257 }
258 258
259 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x " 259 seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
260 "%08x %08x %08x %08x %08x %08x %08x %08x \n", 260 "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
261 nr_conntracks, 261 nr_conntracks,
262 st->searched, 262 st->searched,
263 st->found, 263 st->found,
@@ -274,7 +274,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
274 274
275 st->expect_new, 275 st->expect_new,
276 st->expect_create, 276 st->expect_create,
277 st->expect_delete 277 st->expect_delete,
278 st->search_restart
278 ); 279 );
279 return 0; 280 return 0;
280} 281}
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 015725a5cd50..7df37fd786bc 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -52,7 +52,8 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger)
52 } else { 52 } else {
53 /* register at end of list to honor first register win */ 53 /* register at end of list to honor first register win */
54 list_add_tail(&logger->list[pf], &nf_loggers_l[pf]); 54 list_add_tail(&logger->list[pf], &nf_loggers_l[pf]);
55 llog = rcu_dereference(nf_loggers[pf]); 55 llog = rcu_dereference_protected(nf_loggers[pf],
56 lockdep_is_held(&nf_log_mutex));
56 if (llog == NULL) 57 if (llog == NULL)
57 rcu_assign_pointer(nf_loggers[pf], logger); 58 rcu_assign_pointer(nf_loggers[pf], logger);
58 } 59 }
@@ -70,7 +71,8 @@ void nf_log_unregister(struct nf_logger *logger)
70 71
71 mutex_lock(&nf_log_mutex); 72 mutex_lock(&nf_log_mutex);
72 for (i = 0; i < ARRAY_SIZE(nf_loggers); i++) { 73 for (i = 0; i < ARRAY_SIZE(nf_loggers); i++) {
73 c_logger = rcu_dereference(nf_loggers[i]); 74 c_logger = rcu_dereference_protected(nf_loggers[i],
75 lockdep_is_held(&nf_log_mutex));
74 if (c_logger == logger) 76 if (c_logger == logger)
75 rcu_assign_pointer(nf_loggers[i], NULL); 77 rcu_assign_pointer(nf_loggers[i], NULL);
76 list_del(&logger->list[i]); 78 list_del(&logger->list[i]);
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 6afa3d52ea5f..39b0e3100575 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -18,12 +18,9 @@
18#include <linux/types.h> 18#include <linux/types.h>
19#include <linux/socket.h> 19#include <linux/socket.h>
20#include <linux/kernel.h> 20#include <linux/kernel.h>
21#include <linux/major.h>
22#include <linux/timer.h>
23#include <linux/string.h> 21#include <linux/string.h>
24#include <linux/sockios.h> 22#include <linux/sockios.h>
25#include <linux/net.h> 23#include <linux/net.h>
26#include <linux/fcntl.h>
27#include <linux/skbuff.h> 24#include <linux/skbuff.h>
28#include <asm/uaccess.h> 25#include <asm/uaccess.h>
29#include <asm/system.h> 26#include <asm/system.h>
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index e70a6ef1f4f2..12e1ab37fcd8 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -246,8 +246,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
246 break; 246 break;
247 247
248 case NFQNL_COPY_PACKET: 248 case NFQNL_COPY_PACKET:
249 if ((entskb->ip_summed == CHECKSUM_PARTIAL || 249 if (entskb->ip_summed == CHECKSUM_PARTIAL &&
250 entskb->ip_summed == CHECKSUM_COMPLETE) &&
251 skb_checksum_help(entskb)) { 250 skb_checksum_help(entskb)) {
252 spin_unlock_bh(&queue->lock); 251 spin_unlock_bh(&queue->lock);
253 return NULL; 252 return NULL;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 665f5beef6ad..445de702b8b7 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -12,7 +12,7 @@
12 * published by the Free Software Foundation. 12 * published by the Free Software Foundation.
13 * 13 *
14 */ 14 */
15 15#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
16#include <linux/kernel.h> 16#include <linux/kernel.h>
17#include <linux/socket.h> 17#include <linux/socket.h>
18#include <linux/net.h> 18#include <linux/net.h>
@@ -55,12 +55,6 @@ struct xt_af {
55 55
56static struct xt_af *xt; 56static struct xt_af *xt;
57 57
58#ifdef DEBUG_IP_FIREWALL_USER
59#define duprintf(format, args...) printk(format , ## args)
60#else
61#define duprintf(format, args...)
62#endif
63
64static const char *const xt_prefix[NFPROTO_NUMPROTO] = { 58static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
65 [NFPROTO_UNSPEC] = "x", 59 [NFPROTO_UNSPEC] = "x",
66 [NFPROTO_IPV4] = "ip", 60 [NFPROTO_IPV4] = "ip",
@@ -69,6 +63,9 @@ static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
69 [NFPROTO_IPV6] = "ip6", 63 [NFPROTO_IPV6] = "ip6",
70}; 64};
71 65
66/* Allow this many total (re)entries. */
67static const unsigned int xt_jumpstack_multiplier = 2;
68
72/* Registration hooks for targets. */ 69/* Registration hooks for targets. */
73int 70int
74xt_register_target(struct xt_target *target) 71xt_register_target(struct xt_target *target)
@@ -221,6 +218,17 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
221} 218}
222EXPORT_SYMBOL(xt_find_match); 219EXPORT_SYMBOL(xt_find_match);
223 220
221struct xt_match *
222xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
223{
224 struct xt_match *match;
225
226 match = try_then_request_module(xt_find_match(nfproto, name, revision),
227 "%st_%s", xt_prefix[nfproto], name);
228 return (match != NULL) ? match : ERR_PTR(-ENOENT);
229}
230EXPORT_SYMBOL_GPL(xt_request_find_match);
231
224/* Find target, grabs ref. Returns ERR_PTR() on error. */ 232/* Find target, grabs ref. Returns ERR_PTR() on error. */
225struct xt_target *xt_find_target(u8 af, const char *name, u8 revision) 233struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
226{ 234{
@@ -257,9 +265,7 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
257 265
258 target = try_then_request_module(xt_find_target(af, name, revision), 266 target = try_then_request_module(xt_find_target(af, name, revision),
259 "%st_%s", xt_prefix[af], name); 267 "%st_%s", xt_prefix[af], name);
260 if (IS_ERR(target) || !target) 268 return (target != NULL) ? target : ERR_PTR(-ENOENT);
261 return NULL;
262 return target;
263} 269}
264EXPORT_SYMBOL_GPL(xt_request_find_target); 270EXPORT_SYMBOL_GPL(xt_request_find_target);
265 271
@@ -361,6 +367,8 @@ static char *textify_hooks(char *buf, size_t size, unsigned int mask)
361int xt_check_match(struct xt_mtchk_param *par, 367int xt_check_match(struct xt_mtchk_param *par,
362 unsigned int size, u_int8_t proto, bool inv_proto) 368 unsigned int size, u_int8_t proto, bool inv_proto)
363{ 369{
370 int ret;
371
364 if (XT_ALIGN(par->match->matchsize) != size && 372 if (XT_ALIGN(par->match->matchsize) != size &&
365 par->match->matchsize != -1) { 373 par->match->matchsize != -1) {
366 /* 374 /*
@@ -397,8 +405,14 @@ int xt_check_match(struct xt_mtchk_param *par,
397 par->match->proto); 405 par->match->proto);
398 return -EINVAL; 406 return -EINVAL;
399 } 407 }
400 if (par->match->checkentry != NULL && !par->match->checkentry(par)) 408 if (par->match->checkentry != NULL) {
401 return -EINVAL; 409 ret = par->match->checkentry(par);
410 if (ret < 0)
411 return ret;
412 else if (ret > 0)
413 /* Flag up potential errors. */
414 return -EIO;
415 }
402 return 0; 416 return 0;
403} 417}
404EXPORT_SYMBOL_GPL(xt_check_match); 418EXPORT_SYMBOL_GPL(xt_check_match);
@@ -518,6 +532,8 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
518int xt_check_target(struct xt_tgchk_param *par, 532int xt_check_target(struct xt_tgchk_param *par,
519 unsigned int size, u_int8_t proto, bool inv_proto) 533 unsigned int size, u_int8_t proto, bool inv_proto)
520{ 534{
535 int ret;
536
521 if (XT_ALIGN(par->target->targetsize) != size) { 537 if (XT_ALIGN(par->target->targetsize) != size) {
522 pr_err("%s_tables: %s.%u target: invalid size " 538 pr_err("%s_tables: %s.%u target: invalid size "
523 "%u (kernel) != (user) %u\n", 539 "%u (kernel) != (user) %u\n",
@@ -549,8 +565,14 @@ int xt_check_target(struct xt_tgchk_param *par,
549 par->target->proto); 565 par->target->proto);
550 return -EINVAL; 566 return -EINVAL;
551 } 567 }
552 if (par->target->checkentry != NULL && !par->target->checkentry(par)) 568 if (par->target->checkentry != NULL) {
553 return -EINVAL; 569 ret = par->target->checkentry(par);
570 if (ret < 0)
571 return ret;
572 else if (ret > 0)
573 /* Flag up potential errors. */
574 return -EIO;
575 }
554 return 0; 576 return 0;
555} 577}
556EXPORT_SYMBOL_GPL(xt_check_target); 578EXPORT_SYMBOL_GPL(xt_check_target);
@@ -662,6 +684,26 @@ void xt_free_table_info(struct xt_table_info *info)
662 else 684 else
663 vfree(info->entries[cpu]); 685 vfree(info->entries[cpu]);
664 } 686 }
687
688 if (info->jumpstack != NULL) {
689 if (sizeof(void *) * info->stacksize > PAGE_SIZE) {
690 for_each_possible_cpu(cpu)
691 vfree(info->jumpstack[cpu]);
692 } else {
693 for_each_possible_cpu(cpu)
694 kfree(info->jumpstack[cpu]);
695 }
696 }
697
698 if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE)
699 vfree(info->jumpstack);
700 else
701 kfree(info->jumpstack);
702 if (sizeof(unsigned int) * nr_cpu_ids > PAGE_SIZE)
703 vfree(info->stackptr);
704 else
705 kfree(info->stackptr);
706
665 kfree(info); 707 kfree(info);
666} 708}
667EXPORT_SYMBOL(xt_free_table_info); 709EXPORT_SYMBOL(xt_free_table_info);
@@ -706,6 +748,49 @@ EXPORT_SYMBOL_GPL(xt_compat_unlock);
706DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks); 748DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks);
707EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks); 749EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks);
708 750
751static int xt_jumpstack_alloc(struct xt_table_info *i)
752{
753 unsigned int size;
754 int cpu;
755
756 size = sizeof(unsigned int) * nr_cpu_ids;
757 if (size > PAGE_SIZE)
758 i->stackptr = vmalloc(size);
759 else
760 i->stackptr = kmalloc(size, GFP_KERNEL);
761 if (i->stackptr == NULL)
762 return -ENOMEM;
763 memset(i->stackptr, 0, size);
764
765 size = sizeof(void **) * nr_cpu_ids;
766 if (size > PAGE_SIZE)
767 i->jumpstack = vmalloc(size);
768 else
769 i->jumpstack = kmalloc(size, GFP_KERNEL);
770 if (i->jumpstack == NULL)
771 return -ENOMEM;
772 memset(i->jumpstack, 0, size);
773
774 i->stacksize *= xt_jumpstack_multiplier;
775 size = sizeof(void *) * i->stacksize;
776 for_each_possible_cpu(cpu) {
777 if (size > PAGE_SIZE)
778 i->jumpstack[cpu] = vmalloc_node(size,
779 cpu_to_node(cpu));
780 else
781 i->jumpstack[cpu] = kmalloc_node(size,
782 GFP_KERNEL, cpu_to_node(cpu));
783 if (i->jumpstack[cpu] == NULL)
784 /*
785 * Freeing will be done later on by the callers. The
786 * chain is: xt_replace_table -> __do_replace ->
787 * do_replace -> xt_free_table_info.
788 */
789 return -ENOMEM;
790 }
791
792 return 0;
793}
709 794
710struct xt_table_info * 795struct xt_table_info *
711xt_replace_table(struct xt_table *table, 796xt_replace_table(struct xt_table *table,
@@ -714,6 +799,13 @@ xt_replace_table(struct xt_table *table,
714 int *error) 799 int *error)
715{ 800{
716 struct xt_table_info *private; 801 struct xt_table_info *private;
802 int ret;
803
804 ret = xt_jumpstack_alloc(newinfo);
805 if (ret < 0) {
806 *error = ret;
807 return NULL;
808 }
717 809
718 /* Do the substitution. */ 810 /* Do the substitution. */
719 local_bh_disable(); 811 local_bh_disable();
@@ -721,7 +813,7 @@ xt_replace_table(struct xt_table *table,
721 813
722 /* Check inside lock: is the old number correct? */ 814 /* Check inside lock: is the old number correct? */
723 if (num_counters != private->number) { 815 if (num_counters != private->number) {
724 duprintf("num_counters != table->private->number (%u/%u)\n", 816 pr_debug("num_counters != table->private->number (%u/%u)\n",
725 num_counters, private->number); 817 num_counters, private->number);
726 local_bh_enable(); 818 local_bh_enable();
727 *error = -EAGAIN; 819 *error = -EAGAIN;
@@ -752,6 +844,10 @@ struct xt_table *xt_register_table(struct net *net,
752 struct xt_table_info *private; 844 struct xt_table_info *private;
753 struct xt_table *t, *table; 845 struct xt_table *t, *table;
754 846
847 ret = xt_jumpstack_alloc(newinfo);
848 if (ret < 0)
849 return ERR_PTR(ret);
850
755 /* Don't add one object to multiple lists. */ 851 /* Don't add one object to multiple lists. */
756 table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL); 852 table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
757 if (!table) { 853 if (!table) {
@@ -778,7 +874,7 @@ struct xt_table *xt_register_table(struct net *net,
778 goto unlock; 874 goto unlock;
779 875
780 private = table->private; 876 private = table->private;
781 duprintf("table->private->number = %u\n", private->number); 877 pr_debug("table->private->number = %u\n", private->number);
782 878
783 /* save number of initial entries */ 879 /* save number of initial entries */
784 private->initial_entries = private->number; 880 private->initial_entries = private->number;
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
deleted file mode 100644
index 593457068ae1..000000000000
--- a/net/netfilter/xt_CONNMARK.c
+++ /dev/null
@@ -1,113 +0,0 @@
1/*
2 * xt_CONNMARK - Netfilter module to modify the connection mark values
3 *
4 * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
5 * by Henrik Nordstrom <hno@marasystems.com>
6 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
7 * Jan Engelhardt <jengelh@computergmbh.de>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 */
23#include <linux/module.h>
24#include <linux/skbuff.h>
25#include <linux/ip.h>
26#include <net/checksum.h>
27
28MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
29MODULE_DESCRIPTION("Xtables: connection mark modification");
30MODULE_LICENSE("GPL");
31MODULE_ALIAS("ipt_CONNMARK");
32MODULE_ALIAS("ip6t_CONNMARK");
33
34#include <linux/netfilter/x_tables.h>
35#include <linux/netfilter/xt_CONNMARK.h>
36#include <net/netfilter/nf_conntrack_ecache.h>
37
38static unsigned int
39connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
40{
41 const struct xt_connmark_tginfo1 *info = par->targinfo;
42 enum ip_conntrack_info ctinfo;
43 struct nf_conn *ct;
44 u_int32_t newmark;
45
46 ct = nf_ct_get(skb, &ctinfo);
47 if (ct == NULL)
48 return XT_CONTINUE;
49
50 switch (info->mode) {
51 case XT_CONNMARK_SET:
52 newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
53 if (ct->mark != newmark) {
54 ct->mark = newmark;
55 nf_conntrack_event_cache(IPCT_MARK, ct);
56 }
57 break;
58 case XT_CONNMARK_SAVE:
59 newmark = (ct->mark & ~info->ctmask) ^
60 (skb->mark & info->nfmask);
61 if (ct->mark != newmark) {
62 ct->mark = newmark;
63 nf_conntrack_event_cache(IPCT_MARK, ct);
64 }
65 break;
66 case XT_CONNMARK_RESTORE:
67 newmark = (skb->mark & ~info->nfmask) ^
68 (ct->mark & info->ctmask);
69 skb->mark = newmark;
70 break;
71 }
72
73 return XT_CONTINUE;
74}
75
76static bool connmark_tg_check(const struct xt_tgchk_param *par)
77{
78 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
79 printk(KERN_WARNING "cannot load conntrack support for "
80 "proto=%u\n", par->family);
81 return false;
82 }
83 return true;
84}
85
86static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
87{
88 nf_ct_l3proto_module_put(par->family);
89}
90
91static struct xt_target connmark_tg_reg __read_mostly = {
92 .name = "CONNMARK",
93 .revision = 1,
94 .family = NFPROTO_UNSPEC,
95 .checkentry = connmark_tg_check,
96 .target = connmark_tg,
97 .targetsize = sizeof(struct xt_connmark_tginfo1),
98 .destroy = connmark_tg_destroy,
99 .me = THIS_MODULE,
100};
101
102static int __init connmark_tg_init(void)
103{
104 return xt_register_target(&connmark_tg_reg);
105}
106
107static void __exit connmark_tg_exit(void)
108{
109 xt_unregister_target(&connmark_tg_reg);
110}
111
112module_init(connmark_tg_init);
113module_exit(connmark_tg_exit);
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index b54c3756fdc3..e953e302141d 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -15,6 +15,7 @@
15 * published by the Free Software Foundation. 15 * published by the Free Software Foundation.
16 * 16 *
17 */ 17 */
18#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18#include <linux/module.h> 19#include <linux/module.h>
19#include <linux/skbuff.h> 20#include <linux/skbuff.h>
20#include <linux/netfilter/x_tables.h> 21#include <linux/netfilter/x_tables.h>
@@ -22,8 +23,6 @@
22#include <net/netfilter/nf_conntrack.h> 23#include <net/netfilter/nf_conntrack.h>
23#include <net/netfilter/nf_conntrack_ecache.h> 24#include <net/netfilter/nf_conntrack_ecache.h>
24 25
25#define PFX "CONNSECMARK: "
26
27MODULE_LICENSE("GPL"); 26MODULE_LICENSE("GPL");
28MODULE_AUTHOR("James Morris <jmorris@redhat.com>"); 27MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
29MODULE_DESCRIPTION("Xtables: target for copying between connection and security mark"); 28MODULE_DESCRIPTION("Xtables: target for copying between connection and security mark");
@@ -85,15 +84,16 @@ connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
85 return XT_CONTINUE; 84 return XT_CONTINUE;
86} 85}
87 86
88static bool connsecmark_tg_check(const struct xt_tgchk_param *par) 87static int connsecmark_tg_check(const struct xt_tgchk_param *par)
89{ 88{
90 const struct xt_connsecmark_target_info *info = par->targinfo; 89 const struct xt_connsecmark_target_info *info = par->targinfo;
90 int ret;
91 91
92 if (strcmp(par->table, "mangle") != 0 && 92 if (strcmp(par->table, "mangle") != 0 &&
93 strcmp(par->table, "security") != 0) { 93 strcmp(par->table, "security") != 0) {
94 printk(KERN_INFO PFX "target only valid in the \'mangle\' " 94 pr_info("target only valid in the \'mangle\' "
95 "or \'security\' tables, not \'%s\'.\n", par->table); 95 "or \'security\' tables, not \'%s\'.\n", par->table);
96 return false; 96 return -EINVAL;
97 } 97 }
98 98
99 switch (info->mode) { 99 switch (info->mode) {
@@ -102,16 +102,15 @@ static bool connsecmark_tg_check(const struct xt_tgchk_param *par)
102 break; 102 break;
103 103
104 default: 104 default:
105 printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode); 105 pr_info("invalid mode: %hu\n", info->mode);
106 return false; 106 return -EINVAL;
107 } 107 }
108 108
109 if (nf_ct_l3proto_try_module_get(par->family) < 0) { 109 ret = nf_ct_l3proto_try_module_get(par->family);
110 printk(KERN_WARNING "can't load conntrack support for " 110 if (ret < 0)
111 "proto=%u\n", par->family); 111 pr_info("cannot load conntrack support for proto=%u\n",
112 return false; 112 par->family);
113 } 113 return ret;
114 return true;
115} 114}
116 115
117static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par) 116static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index ee18b231b950..c8f547829bad 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -38,13 +38,13 @@ static unsigned int xt_ct_target(struct sk_buff *skb,
38 38
39static u8 xt_ct_find_proto(const struct xt_tgchk_param *par) 39static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
40{ 40{
41 if (par->family == AF_INET) { 41 if (par->family == NFPROTO_IPV4) {
42 const struct ipt_entry *e = par->entryinfo; 42 const struct ipt_entry *e = par->entryinfo;
43 43
44 if (e->ip.invflags & IPT_INV_PROTO) 44 if (e->ip.invflags & IPT_INV_PROTO)
45 return 0; 45 return 0;
46 return e->ip.proto; 46 return e->ip.proto;
47 } else if (par->family == AF_INET6) { 47 } else if (par->family == NFPROTO_IPV6) {
48 const struct ip6t_entry *e = par->entryinfo; 48 const struct ip6t_entry *e = par->entryinfo;
49 49
50 if (e->ipv6.invflags & IP6T_INV_PROTO) 50 if (e->ipv6.invflags & IP6T_INV_PROTO)
@@ -54,16 +54,17 @@ static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
54 return 0; 54 return 0;
55} 55}
56 56
57static bool xt_ct_tg_check(const struct xt_tgchk_param *par) 57static int xt_ct_tg_check(const struct xt_tgchk_param *par)
58{ 58{
59 struct xt_ct_target_info *info = par->targinfo; 59 struct xt_ct_target_info *info = par->targinfo;
60 struct nf_conntrack_tuple t; 60 struct nf_conntrack_tuple t;
61 struct nf_conn_help *help; 61 struct nf_conn_help *help;
62 struct nf_conn *ct; 62 struct nf_conn *ct;
63 int ret = 0;
63 u8 proto; 64 u8 proto;
64 65
65 if (info->flags & ~XT_CT_NOTRACK) 66 if (info->flags & ~XT_CT_NOTRACK)
66 return false; 67 return -EINVAL;
67 68
68 if (info->flags & XT_CT_NOTRACK) { 69 if (info->flags & XT_CT_NOTRACK) {
69 ct = &nf_conntrack_untracked; 70 ct = &nf_conntrack_untracked;
@@ -76,28 +77,34 @@ static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
76 goto err1; 77 goto err1;
77#endif 78#endif
78 79
79 if (nf_ct_l3proto_try_module_get(par->family) < 0) 80 ret = nf_ct_l3proto_try_module_get(par->family);
81 if (ret < 0)
80 goto err1; 82 goto err1;
81 83
82 memset(&t, 0, sizeof(t)); 84 memset(&t, 0, sizeof(t));
83 ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL); 85 ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL);
86 ret = PTR_ERR(ct);
84 if (IS_ERR(ct)) 87 if (IS_ERR(ct))
85 goto err2; 88 goto err2;
86 89
90 ret = 0;
87 if ((info->ct_events || info->exp_events) && 91 if ((info->ct_events || info->exp_events) &&
88 !nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events, 92 !nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
89 GFP_KERNEL)) 93 GFP_KERNEL))
90 goto err3; 94 goto err3;
91 95
92 if (info->helper[0]) { 96 if (info->helper[0]) {
97 ret = -ENOENT;
93 proto = xt_ct_find_proto(par); 98 proto = xt_ct_find_proto(par);
94 if (!proto) 99 if (!proto)
95 goto err3; 100 goto err3;
96 101
102 ret = -ENOMEM;
97 help = nf_ct_helper_ext_add(ct, GFP_KERNEL); 103 help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
98 if (help == NULL) 104 if (help == NULL)
99 goto err3; 105 goto err3;
100 106
107 ret = -ENOENT;
101 help->helper = nf_conntrack_helper_try_module_get(info->helper, 108 help->helper = nf_conntrack_helper_try_module_get(info->helper,
102 par->family, 109 par->family,
103 proto); 110 proto);
@@ -109,14 +116,14 @@ static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
109 __set_bit(IPS_CONFIRMED_BIT, &ct->status); 116 __set_bit(IPS_CONFIRMED_BIT, &ct->status);
110out: 117out:
111 info->ct = ct; 118 info->ct = ct;
112 return true; 119 return 0;
113 120
114err3: 121err3:
115 nf_conntrack_free(ct); 122 nf_conntrack_free(ct);
116err2: 123err2:
117 nf_ct_l3proto_module_put(par->family); 124 nf_ct_l3proto_module_put(par->family);
118err1: 125err1:
119 return false; 126 return ret;
120} 127}
121 128
122static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par) 129static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
@@ -138,7 +145,7 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
138static struct xt_target xt_ct_tg __read_mostly = { 145static struct xt_target xt_ct_tg __read_mostly = {
139 .name = "CT", 146 .name = "CT",
140 .family = NFPROTO_UNSPEC, 147 .family = NFPROTO_UNSPEC,
141 .targetsize = XT_ALIGN(sizeof(struct xt_ct_target_info)), 148 .targetsize = sizeof(struct xt_ct_target_info),
142 .checkentry = xt_ct_tg_check, 149 .checkentry = xt_ct_tg_check,
143 .destroy = xt_ct_tg_destroy, 150 .destroy = xt_ct_tg_destroy,
144 .target = xt_ct_target, 151 .target = xt_ct_target,
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 74ce89260056..969634f293e5 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -9,7 +9,7 @@
9 * 9 *
10 * See RFC2474 for a description of the DSCP field within the IP Header. 10 * See RFC2474 for a description of the DSCP field within the IP Header.
11*/ 11*/
12 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/skbuff.h> 14#include <linux/skbuff.h>
15#include <linux/ip.h> 15#include <linux/ip.h>
@@ -60,15 +60,15 @@ dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par)
60 return XT_CONTINUE; 60 return XT_CONTINUE;
61} 61}
62 62
63static bool dscp_tg_check(const struct xt_tgchk_param *par) 63static int dscp_tg_check(const struct xt_tgchk_param *par)
64{ 64{
65 const struct xt_DSCP_info *info = par->targinfo; 65 const struct xt_DSCP_info *info = par->targinfo;
66 66
67 if (info->dscp > XT_DSCP_MAX) { 67 if (info->dscp > XT_DSCP_MAX) {
68 printk(KERN_WARNING "DSCP: dscp %x out of range\n", info->dscp); 68 pr_info("dscp %x out of range\n", info->dscp);
69 return false; 69 return -EDOM;
70 } 70 }
71 return true; 71 return 0;
72} 72}
73 73
74static unsigned int 74static unsigned int
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 10e789e2d12a..77b99f732711 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -9,7 +9,7 @@
9 * it under the terms of the GNU General Public License version 2 as 9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation. 10 * published by the Free Software Foundation.
11 */ 11 */
12 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/skbuff.h> 14#include <linux/skbuff.h>
15#include <linux/ip.h> 15#include <linux/ip.h>
@@ -101,35 +101,33 @@ hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
101 return XT_CONTINUE; 101 return XT_CONTINUE;
102} 102}
103 103
104static bool ttl_tg_check(const struct xt_tgchk_param *par) 104static int ttl_tg_check(const struct xt_tgchk_param *par)
105{ 105{
106 const struct ipt_TTL_info *info = par->targinfo; 106 const struct ipt_TTL_info *info = par->targinfo;
107 107
108 if (info->mode > IPT_TTL_MAXMODE) { 108 if (info->mode > IPT_TTL_MAXMODE) {
109 printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n", 109 pr_info("TTL: invalid or unknown mode %u\n", info->mode);
110 info->mode); 110 return -EINVAL;
111 return false;
112 } 111 }
113 if (info->mode != IPT_TTL_SET && info->ttl == 0) 112 if (info->mode != IPT_TTL_SET && info->ttl == 0)
114 return false; 113 return -EINVAL;
115 return true; 114 return 0;
116} 115}
117 116
118static bool hl_tg6_check(const struct xt_tgchk_param *par) 117static int hl_tg6_check(const struct xt_tgchk_param *par)
119{ 118{
120 const struct ip6t_HL_info *info = par->targinfo; 119 const struct ip6t_HL_info *info = par->targinfo;
121 120
122 if (info->mode > IP6T_HL_MAXMODE) { 121 if (info->mode > IP6T_HL_MAXMODE) {
123 printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n", 122 pr_info("invalid or unknown mode %u\n", info->mode);
124 info->mode); 123 return -EINVAL;
125 return false;
126 } 124 }
127 if (info->mode != IP6T_HL_SET && info->hop_limit == 0) { 125 if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
128 printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't " 126 pr_info("increment/decrement does not "
129 "make sense with value 0\n"); 127 "make sense with value 0\n");
130 return false; 128 return -EINVAL;
131 } 129 }
132 return true; 130 return 0;
133} 131}
134 132
135static struct xt_target hl_tg_reg[] __read_mostly = { 133static struct xt_target hl_tg_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 3271c8e52153..ab6f8ff9c9a7 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -18,7 +18,7 @@
18 * 02110-1301 USA. 18 * 02110-1301 USA.
19 * 19 *
20 */ 20 */
21 21#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
22#include <linux/module.h> 22#include <linux/module.h>
23#include <linux/skbuff.h> 23#include <linux/skbuff.h>
24#include <linux/netfilter/x_tables.h> 24#include <linux/netfilter/x_tables.h>
@@ -32,12 +32,18 @@ MODULE_LICENSE("GPL");
32MODULE_AUTHOR("Adam Nielsen <a.nielsen@shikadi.net>"); 32MODULE_AUTHOR("Adam Nielsen <a.nielsen@shikadi.net>");
33MODULE_DESCRIPTION("Xtables: trigger LED devices on packet match"); 33MODULE_DESCRIPTION("Xtables: trigger LED devices on packet match");
34 34
35static LIST_HEAD(xt_led_triggers);
36static DEFINE_MUTEX(xt_led_mutex);
37
35/* 38/*
36 * This is declared in here (the kernel module) only, to avoid having these 39 * This is declared in here (the kernel module) only, to avoid having these
37 * dependencies in userspace code. This is what xt_led_info.internal_data 40 * dependencies in userspace code. This is what xt_led_info.internal_data
38 * points to. 41 * points to.
39 */ 42 */
40struct xt_led_info_internal { 43struct xt_led_info_internal {
44 struct list_head list;
45 int refcnt;
46 char *trigger_id;
41 struct led_trigger netfilter_led_trigger; 47 struct led_trigger netfilter_led_trigger;
42 struct timer_list timer; 48 struct timer_list timer;
43}; 49};
@@ -54,7 +60,7 @@ led_tg(struct sk_buff *skb, const struct xt_target_param *par)
54 */ 60 */
55 if ((ledinfo->delay > 0) && ledinfo->always_blink && 61 if ((ledinfo->delay > 0) && ledinfo->always_blink &&
56 timer_pending(&ledinternal->timer)) 62 timer_pending(&ledinternal->timer))
57 led_trigger_event(&ledinternal->netfilter_led_trigger,LED_OFF); 63 led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
58 64
59 led_trigger_event(&ledinternal->netfilter_led_trigger, LED_FULL); 65 led_trigger_event(&ledinternal->netfilter_led_trigger, LED_FULL);
60 66
@@ -75,54 +81,86 @@ led_tg(struct sk_buff *skb, const struct xt_target_param *par)
75 81
76static void led_timeout_callback(unsigned long data) 82static void led_timeout_callback(unsigned long data)
77{ 83{
78 struct xt_led_info *ledinfo = (struct xt_led_info *)data; 84 struct xt_led_info_internal *ledinternal = (struct xt_led_info_internal *)data;
79 struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
80 85
81 led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF); 86 led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
82} 87}
83 88
84static bool led_tg_check(const struct xt_tgchk_param *par) 89static struct xt_led_info_internal *led_trigger_lookup(const char *name)
90{
91 struct xt_led_info_internal *ledinternal;
92
93 list_for_each_entry(ledinternal, &xt_led_triggers, list) {
94 if (!strcmp(name, ledinternal->netfilter_led_trigger.name)) {
95 return ledinternal;
96 }
97 }
98 return NULL;
99}
100
101static int led_tg_check(const struct xt_tgchk_param *par)
85{ 102{
86 struct xt_led_info *ledinfo = par->targinfo; 103 struct xt_led_info *ledinfo = par->targinfo;
87 struct xt_led_info_internal *ledinternal; 104 struct xt_led_info_internal *ledinternal;
88 int err; 105 int err;
89 106
90 if (ledinfo->id[0] == '\0') { 107 if (ledinfo->id[0] == '\0') {
91 printk(KERN_ERR KBUILD_MODNAME ": No 'id' parameter given.\n"); 108 pr_info("No 'id' parameter given.\n");
92 return false; 109 return -EINVAL;
93 } 110 }
94 111
95 ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL); 112 mutex_lock(&xt_led_mutex);
96 if (!ledinternal) { 113
97 printk(KERN_CRIT KBUILD_MODNAME ": out of memory\n"); 114 ledinternal = led_trigger_lookup(ledinfo->id);
98 return false; 115 if (ledinternal) {
116 ledinternal->refcnt++;
117 goto out;
99 } 118 }
100 119
101 ledinternal->netfilter_led_trigger.name = ledinfo->id; 120 err = -ENOMEM;
121 ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
122 if (!ledinternal)
123 goto exit_mutex_only;
124
125 ledinternal->trigger_id = kstrdup(ledinfo->id, GFP_KERNEL);
126 if (!ledinternal->trigger_id)
127 goto exit_internal_alloc;
128
129 ledinternal->refcnt = 1;
130 ledinternal->netfilter_led_trigger.name = ledinternal->trigger_id;
102 131
103 err = led_trigger_register(&ledinternal->netfilter_led_trigger); 132 err = led_trigger_register(&ledinternal->netfilter_led_trigger);
104 if (err) { 133 if (err) {
105 printk(KERN_CRIT KBUILD_MODNAME 134 pr_warning("led_trigger_register() failed\n");
106 ": led_trigger_register() failed\n");
107 if (err == -EEXIST) 135 if (err == -EEXIST)
108 printk(KERN_ERR KBUILD_MODNAME 136 pr_warning("Trigger name is already in use.\n");
109 ": Trigger name is already in use.\n");
110 goto exit_alloc; 137 goto exit_alloc;
111 } 138 }
112 139
113 /* See if we need to set up a timer */ 140 /* See if we need to set up a timer */
114 if (ledinfo->delay > 0) 141 if (ledinfo->delay > 0)
115 setup_timer(&ledinternal->timer, led_timeout_callback, 142 setup_timer(&ledinternal->timer, led_timeout_callback,
116 (unsigned long)ledinfo); 143 (unsigned long)ledinternal);
144
145 list_add_tail(&ledinternal->list, &xt_led_triggers);
146
147out:
148 mutex_unlock(&xt_led_mutex);
117 149
118 ledinfo->internal_data = ledinternal; 150 ledinfo->internal_data = ledinternal;
119 151
120 return true; 152 return 0;
121 153
122exit_alloc: 154exit_alloc:
155 kfree(ledinternal->trigger_id);
156
157exit_internal_alloc:
123 kfree(ledinternal); 158 kfree(ledinternal);
124 159
125 return false; 160exit_mutex_only:
161 mutex_unlock(&xt_led_mutex);
162
163 return err;
126} 164}
127 165
128static void led_tg_destroy(const struct xt_tgdtor_param *par) 166static void led_tg_destroy(const struct xt_tgdtor_param *par)
@@ -130,10 +168,23 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par)
130 const struct xt_led_info *ledinfo = par->targinfo; 168 const struct xt_led_info *ledinfo = par->targinfo;
131 struct xt_led_info_internal *ledinternal = ledinfo->internal_data; 169 struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
132 170
171 mutex_lock(&xt_led_mutex);
172
173 if (--ledinternal->refcnt) {
174 mutex_unlock(&xt_led_mutex);
175 return;
176 }
177
178 list_del(&ledinternal->list);
179
133 if (ledinfo->delay > 0) 180 if (ledinfo->delay > 0)
134 del_timer_sync(&ledinternal->timer); 181 del_timer_sync(&ledinternal->timer);
135 182
136 led_trigger_unregister(&ledinternal->netfilter_led_trigger); 183 led_trigger_unregister(&ledinternal->netfilter_led_trigger);
184
185 mutex_unlock(&xt_led_mutex);
186
187 kfree(ledinternal->trigger_id);
137 kfree(ledinternal); 188 kfree(ledinternal);
138} 189}
139 190
@@ -142,7 +193,7 @@ static struct xt_target led_tg_reg __read_mostly = {
142 .revision = 0, 193 .revision = 0,
143 .family = NFPROTO_UNSPEC, 194 .family = NFPROTO_UNSPEC,
144 .target = led_tg, 195 .target = led_tg,
145 .targetsize = XT_ALIGN(sizeof(struct xt_led_info)), 196 .targetsize = sizeof(struct xt_led_info),
146 .checkentry = led_tg_check, 197 .checkentry = led_tg_check,
147 .destroy = led_tg_destroy, 198 .destroy = led_tg_destroy,
148 .me = THIS_MODULE, 199 .me = THIS_MODULE,
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
deleted file mode 100644
index 225f8d11e173..000000000000
--- a/net/netfilter/xt_MARK.c
+++ /dev/null
@@ -1,56 +0,0 @@
1/*
2 * xt_MARK - Netfilter module to modify the NFMARK field of an skb
3 *
4 * (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
5 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
6 * Jan Engelhardt <jengelh@computergmbh.de>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
11 */
12
13#include <linux/module.h>
14#include <linux/skbuff.h>
15#include <linux/ip.h>
16#include <net/checksum.h>
17
18#include <linux/netfilter/x_tables.h>
19#include <linux/netfilter/xt_MARK.h>
20
21MODULE_LICENSE("GPL");
22MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
23MODULE_DESCRIPTION("Xtables: packet mark modification");
24MODULE_ALIAS("ipt_MARK");
25MODULE_ALIAS("ip6t_MARK");
26
27static unsigned int
28mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
29{
30 const struct xt_mark_tginfo2 *info = par->targinfo;
31
32 skb->mark = (skb->mark & ~info->mask) ^ info->mark;
33 return XT_CONTINUE;
34}
35
36static struct xt_target mark_tg_reg __read_mostly = {
37 .name = "MARK",
38 .revision = 2,
39 .family = NFPROTO_UNSPEC,
40 .target = mark_tg,
41 .targetsize = sizeof(struct xt_mark_tginfo2),
42 .me = THIS_MODULE,
43};
44
45static int __init mark_tg_init(void)
46{
47 return xt_register_target(&mark_tg_reg);
48}
49
50static void __exit mark_tg_exit(void)
51{
52 xt_unregister_target(&mark_tg_reg);
53}
54
55module_init(mark_tg_init);
56module_exit(mark_tg_exit);
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index a57c5cf018ec..42dd8747b421 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -37,15 +37,15 @@ nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
37 return XT_CONTINUE; 37 return XT_CONTINUE;
38} 38}
39 39
40static bool nflog_tg_check(const struct xt_tgchk_param *par) 40static int nflog_tg_check(const struct xt_tgchk_param *par)
41{ 41{
42 const struct xt_nflog_info *info = par->targinfo; 42 const struct xt_nflog_info *info = par->targinfo;
43 43
44 if (info->flags & ~XT_NFLOG_MASK) 44 if (info->flags & ~XT_NFLOG_MASK)
45 return false; 45 return -EINVAL;
46 if (info->prefix[sizeof(info->prefix) - 1] != '\0') 46 if (info->prefix[sizeof(info->prefix) - 1] != '\0')
47 return false; 47 return -EINVAL;
48 return true; 48 return 0;
49} 49}
50 50
51static struct xt_target nflog_tg_reg __read_mostly = { 51static struct xt_target nflog_tg_reg __read_mostly = {
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 12dcd7007c3e..f9217cb56fe3 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -49,17 +49,6 @@ static u32 hash_v4(const struct sk_buff *skb)
49 return jhash_2words((__force u32)ipaddr, iph->protocol, jhash_initval); 49 return jhash_2words((__force u32)ipaddr, iph->protocol, jhash_initval);
50} 50}
51 51
52static unsigned int
53nfqueue_tg4_v1(struct sk_buff *skb, const struct xt_target_param *par)
54{
55 const struct xt_NFQ_info_v1 *info = par->targinfo;
56 u32 queue = info->queuenum;
57
58 if (info->queues_total > 1)
59 queue = hash_v4(skb) % info->queues_total + queue;
60 return NF_QUEUE_NR(queue);
61}
62
63#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) 52#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
64static u32 hash_v6(const struct sk_buff *skb) 53static u32 hash_v6(const struct sk_buff *skb)
65{ 54{
@@ -73,20 +62,26 @@ static u32 hash_v6(const struct sk_buff *skb)
73 62
74 return jhash2((__force u32 *)addr, ARRAY_SIZE(addr), jhash_initval); 63 return jhash2((__force u32 *)addr, ARRAY_SIZE(addr), jhash_initval);
75} 64}
65#endif
76 66
77static unsigned int 67static unsigned int
78nfqueue_tg6_v1(struct sk_buff *skb, const struct xt_target_param *par) 68nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
79{ 69{
80 const struct xt_NFQ_info_v1 *info = par->targinfo; 70 const struct xt_NFQ_info_v1 *info = par->targinfo;
81 u32 queue = info->queuenum; 71 u32 queue = info->queuenum;
82 72
83 if (info->queues_total > 1) 73 if (info->queues_total > 1) {
84 queue = hash_v6(skb) % info->queues_total + queue; 74 if (par->family == NFPROTO_IPV4)
75 queue = hash_v4(skb) % info->queues_total + queue;
76#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
77 else if (par->family == NFPROTO_IPV6)
78 queue = hash_v6(skb) % info->queues_total + queue;
79#endif
80 }
85 return NF_QUEUE_NR(queue); 81 return NF_QUEUE_NR(queue);
86} 82}
87#endif
88 83
89static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par) 84static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
90{ 85{
91 const struct xt_NFQ_info_v1 *info = par->targinfo; 86 const struct xt_NFQ_info_v1 *info = par->targinfo;
92 u32 maxid; 87 u32 maxid;
@@ -97,15 +92,15 @@ static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
97 } 92 }
98 if (info->queues_total == 0) { 93 if (info->queues_total == 0) {
99 pr_err("NFQUEUE: number of total queues is 0\n"); 94 pr_err("NFQUEUE: number of total queues is 0\n");
100 return false; 95 return -EINVAL;
101 } 96 }
102 maxid = info->queues_total - 1 + info->queuenum; 97 maxid = info->queues_total - 1 + info->queuenum;
103 if (maxid > 0xffff) { 98 if (maxid > 0xffff) {
104 pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n", 99 pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n",
105 info->queues_total, maxid); 100 info->queues_total, maxid);
106 return false; 101 return -ERANGE;
107 } 102 }
108 return true; 103 return 0;
109} 104}
110 105
111static struct xt_target nfqueue_tg_reg[] __read_mostly = { 106static struct xt_target nfqueue_tg_reg[] __read_mostly = {
@@ -119,23 +114,12 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = {
119 { 114 {
120 .name = "NFQUEUE", 115 .name = "NFQUEUE",
121 .revision = 1, 116 .revision = 1,
122 .family = NFPROTO_IPV4, 117 .family = NFPROTO_UNSPEC,
123 .checkentry = nfqueue_tg_v1_check,
124 .target = nfqueue_tg4_v1,
125 .targetsize = sizeof(struct xt_NFQ_info_v1),
126 .me = THIS_MODULE,
127 },
128#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
129 {
130 .name = "NFQUEUE",
131 .revision = 1,
132 .family = NFPROTO_IPV6,
133 .checkentry = nfqueue_tg_v1_check, 118 .checkentry = nfqueue_tg_v1_check,
134 .target = nfqueue_tg6_v1, 119 .target = nfqueue_tg_v1,
135 .targetsize = sizeof(struct xt_NFQ_info_v1), 120 .targetsize = sizeof(struct xt_NFQ_info_v1),
136 .me = THIS_MODULE, 121 .me = THIS_MODULE,
137 }, 122 },
138#endif
139}; 123};
140 124
141static int __init nfqueue_tg_init(void) 125static int __init nfqueue_tg_init(void)
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index d16d55df4f61..a02193f06e39 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -86,7 +86,7 @@ xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par)
86 return XT_CONTINUE; 86 return XT_CONTINUE;
87} 87}
88 88
89static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) 89static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
90{ 90{
91 struct xt_rateest_target_info *info = par->targinfo; 91 struct xt_rateest_target_info *info = par->targinfo;
92 struct xt_rateest *est; 92 struct xt_rateest *est;
@@ -94,6 +94,7 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
94 struct nlattr opt; 94 struct nlattr opt;
95 struct gnet_estimator est; 95 struct gnet_estimator est;
96 } cfg; 96 } cfg;
97 int ret;
97 98
98 if (unlikely(!rnd_inited)) { 99 if (unlikely(!rnd_inited)) {
99 get_random_bytes(&jhash_rnd, sizeof(jhash_rnd)); 100 get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
@@ -110,12 +111,13 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
110 (info->interval != est->params.interval || 111 (info->interval != est->params.interval ||
111 info->ewma_log != est->params.ewma_log)) { 112 info->ewma_log != est->params.ewma_log)) {
112 xt_rateest_put(est); 113 xt_rateest_put(est);
113 return false; 114 return -EINVAL;
114 } 115 }
115 info->est = est; 116 info->est = est;
116 return true; 117 return 0;
117 } 118 }
118 119
120 ret = -ENOMEM;
119 est = kzalloc(sizeof(*est), GFP_KERNEL); 121 est = kzalloc(sizeof(*est), GFP_KERNEL);
120 if (!est) 122 if (!est)
121 goto err1; 123 goto err1;
@@ -131,19 +133,19 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
131 cfg.est.interval = info->interval; 133 cfg.est.interval = info->interval;
132 cfg.est.ewma_log = info->ewma_log; 134 cfg.est.ewma_log = info->ewma_log;
133 135
134 if (gen_new_estimator(&est->bstats, &est->rstats, &est->lock, 136 ret = gen_new_estimator(&est->bstats, &est->rstats,
135 &cfg.opt) < 0) 137 &est->lock, &cfg.opt);
138 if (ret < 0)
136 goto err2; 139 goto err2;
137 140
138 info->est = est; 141 info->est = est;
139 xt_rateest_hash_insert(est); 142 xt_rateest_hash_insert(est);
140 143 return 0;
141 return true;
142 144
143err2: 145err2:
144 kfree(est); 146 kfree(est);
145err1: 147err1:
146 return false; 148 return ret;
147} 149}
148 150
149static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par) 151static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 7a6f9e6f5dfa..a91d4a7d5a2c 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -12,6 +12,7 @@
12 * published by the Free Software Foundation. 12 * published by the Free Software Foundation.
13 * 13 *
14 */ 14 */
15#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15#include <linux/module.h> 16#include <linux/module.h>
16#include <linux/skbuff.h> 17#include <linux/skbuff.h>
17#include <linux/selinux.h> 18#include <linux/selinux.h>
@@ -49,7 +50,7 @@ secmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
49 return XT_CONTINUE; 50 return XT_CONTINUE;
50} 51}
51 52
52static bool checkentry_selinux(struct xt_secmark_target_info *info) 53static int checkentry_selinux(struct xt_secmark_target_info *info)
53{ 54{
54 int err; 55 int err;
55 struct xt_secmark_target_selinux_info *sel = &info->u.sel; 56 struct xt_secmark_target_selinux_info *sel = &info->u.sel;
@@ -59,58 +60,59 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info)
59 err = selinux_string_to_sid(sel->selctx, &sel->selsid); 60 err = selinux_string_to_sid(sel->selctx, &sel->selsid);
60 if (err) { 61 if (err) {
61 if (err == -EINVAL) 62 if (err == -EINVAL)
62 printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n", 63 pr_info("invalid SELinux context \'%s\'\n",
63 sel->selctx); 64 sel->selctx);
64 return false; 65 return err;
65 } 66 }
66 67
67 if (!sel->selsid) { 68 if (!sel->selsid) {
68 printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n", 69 pr_info("unable to map SELinux context \'%s\'\n", sel->selctx);
69 sel->selctx); 70 return -ENOENT;
70 return false;
71 } 71 }
72 72
73 err = selinux_secmark_relabel_packet_permission(sel->selsid); 73 err = selinux_secmark_relabel_packet_permission(sel->selsid);
74 if (err) { 74 if (err) {
75 printk(KERN_INFO PFX "unable to obtain relabeling permission\n"); 75 pr_info("unable to obtain relabeling permission\n");
76 return false; 76 return err;
77 } 77 }
78 78
79 selinux_secmark_refcount_inc(); 79 selinux_secmark_refcount_inc();
80 return true; 80 return 0;
81} 81}
82 82
83static bool secmark_tg_check(const struct xt_tgchk_param *par) 83static int secmark_tg_check(const struct xt_tgchk_param *par)
84{ 84{
85 struct xt_secmark_target_info *info = par->targinfo; 85 struct xt_secmark_target_info *info = par->targinfo;
86 int err;
86 87
87 if (strcmp(par->table, "mangle") != 0 && 88 if (strcmp(par->table, "mangle") != 0 &&
88 strcmp(par->table, "security") != 0) { 89 strcmp(par->table, "security") != 0) {
89 printk(KERN_INFO PFX "target only valid in the \'mangle\' " 90 pr_info("target only valid in the \'mangle\' "
90 "or \'security\' tables, not \'%s\'.\n", par->table); 91 "or \'security\' tables, not \'%s\'.\n", par->table);
91 return false; 92 return -EINVAL;
92 } 93 }
93 94
94 if (mode && mode != info->mode) { 95 if (mode && mode != info->mode) {
95 printk(KERN_INFO PFX "mode already set to %hu cannot mix with " 96 pr_info("mode already set to %hu cannot mix with "
96 "rules for mode %hu\n", mode, info->mode); 97 "rules for mode %hu\n", mode, info->mode);
97 return false; 98 return -EINVAL;
98 } 99 }
99 100
100 switch (info->mode) { 101 switch (info->mode) {
101 case SECMARK_MODE_SEL: 102 case SECMARK_MODE_SEL:
102 if (!checkentry_selinux(info)) 103 err = checkentry_selinux(info);
103 return false; 104 if (err <= 0)
105 return err;
104 break; 106 break;
105 107
106 default: 108 default:
107 printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode); 109 pr_info("invalid mode: %hu\n", info->mode);
108 return false; 110 return -EINVAL;
109 } 111 }
110 112
111 if (!mode) 113 if (!mode)
112 mode = info->mode; 114 mode = info->mode;
113 return true; 115 return 0;
114} 116}
115 117
116static void secmark_tg_destroy(const struct xt_tgdtor_param *par) 118static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index c5f4b9919e9a..d04606459c9d 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -7,7 +7,7 @@
7 * it under the terms of the GNU General Public License version 2 as 7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation. 8 * published by the Free Software Foundation.
9 */ 9 */
10 10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11#include <linux/module.h> 11#include <linux/module.h>
12#include <linux/skbuff.h> 12#include <linux/skbuff.h>
13#include <linux/ip.h> 13#include <linux/ip.h>
@@ -68,15 +68,14 @@ tcpmss_mangle_packet(struct sk_buff *skb,
68 if (info->mss == XT_TCPMSS_CLAMP_PMTU) { 68 if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
69 if (dst_mtu(skb_dst(skb)) <= minlen) { 69 if (dst_mtu(skb_dst(skb)) <= minlen) {
70 if (net_ratelimit()) 70 if (net_ratelimit())
71 printk(KERN_ERR "xt_TCPMSS: " 71 pr_err("unknown or invalid path-MTU (%u)\n",
72 "unknown or invalid path-MTU (%u)\n",
73 dst_mtu(skb_dst(skb))); 72 dst_mtu(skb_dst(skb)));
74 return -1; 73 return -1;
75 } 74 }
76 if (in_mtu <= minlen) { 75 if (in_mtu <= minlen) {
77 if (net_ratelimit()) 76 if (net_ratelimit())
78 printk(KERN_ERR "xt_TCPMSS: unknown or " 77 pr_err("unknown or invalid path-MTU (%u)\n",
79 "invalid path-MTU (%u)\n", in_mtu); 78 in_mtu);
80 return -1; 79 return -1;
81 } 80 }
82 newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen; 81 newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen;
@@ -236,7 +235,7 @@ static inline bool find_syn_match(const struct xt_entry_match *m)
236 return false; 235 return false;
237} 236}
238 237
239static bool tcpmss_tg4_check(const struct xt_tgchk_param *par) 238static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
240{ 239{
241 const struct xt_tcpmss_info *info = par->targinfo; 240 const struct xt_tcpmss_info *info = par->targinfo;
242 const struct ipt_entry *e = par->entryinfo; 241 const struct ipt_entry *e = par->entryinfo;
@@ -246,19 +245,19 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
246 (par->hook_mask & ~((1 << NF_INET_FORWARD) | 245 (par->hook_mask & ~((1 << NF_INET_FORWARD) |
247 (1 << NF_INET_LOCAL_OUT) | 246 (1 << NF_INET_LOCAL_OUT) |
248 (1 << NF_INET_POST_ROUTING))) != 0) { 247 (1 << NF_INET_POST_ROUTING))) != 0) {
249 printk("xt_TCPMSS: path-MTU clamping only supported in " 248 pr_info("path-MTU clamping only supported in "
250 "FORWARD, OUTPUT and POSTROUTING hooks\n"); 249 "FORWARD, OUTPUT and POSTROUTING hooks\n");
251 return false; 250 return -EINVAL;
252 } 251 }
253 xt_ematch_foreach(ematch, e) 252 xt_ematch_foreach(ematch, e)
254 if (find_syn_match(ematch)) 253 if (find_syn_match(ematch))
255 return true; 254 return 0;
256 printk("xt_TCPMSS: Only works on TCP SYN packets\n"); 255 pr_info("Only works on TCP SYN packets\n");
257 return false; 256 return -EINVAL;
258} 257}
259 258
260#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) 259#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
261static bool tcpmss_tg6_check(const struct xt_tgchk_param *par) 260static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
262{ 261{
263 const struct xt_tcpmss_info *info = par->targinfo; 262 const struct xt_tcpmss_info *info = par->targinfo;
264 const struct ip6t_entry *e = par->entryinfo; 263 const struct ip6t_entry *e = par->entryinfo;
@@ -268,15 +267,15 @@ static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
268 (par->hook_mask & ~((1 << NF_INET_FORWARD) | 267 (par->hook_mask & ~((1 << NF_INET_FORWARD) |
269 (1 << NF_INET_LOCAL_OUT) | 268 (1 << NF_INET_LOCAL_OUT) |
270 (1 << NF_INET_POST_ROUTING))) != 0) { 269 (1 << NF_INET_POST_ROUTING))) != 0) {
271 printk("xt_TCPMSS: path-MTU clamping only supported in " 270 pr_info("path-MTU clamping only supported in "
272 "FORWARD, OUTPUT and POSTROUTING hooks\n"); 271 "FORWARD, OUTPUT and POSTROUTING hooks\n");
273 return false; 272 return -EINVAL;
274 } 273 }
275 xt_ematch_foreach(ematch, e) 274 xt_ematch_foreach(ematch, e)
276 if (find_syn_match(ematch)) 275 if (find_syn_match(ematch))
277 return true; 276 return 0;
278 printk("xt_TCPMSS: Only works on TCP SYN packets\n"); 277 pr_info("Only works on TCP SYN packets\n");
279 return false; 278 return -EINVAL;
280} 279}
281#endif 280#endif
282 281
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 9dd8c8ef63eb..e8b57609ddc0 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -3,7 +3,6 @@
3 * 3 *
4 * Copyright (C) 2007 Sven Schnelle <svens@bitebene.org> 4 * Copyright (C) 2007 Sven Schnelle <svens@bitebene.org>
5 * Copyright © CC Computer Consultants GmbH, 2007 5 * Copyright © CC Computer Consultants GmbH, 2007
6 * Contact: Jan Engelhardt <jengelh@computergmbh.de>
7 * 6 *
8 * This program is free software; you can redistribute it and/or modify 7 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as 8 * it under the terms of the GNU General Public License version 2 as
@@ -136,7 +135,7 @@ static void __exit tcpoptstrip_tg_exit(void)
136 135
137module_init(tcpoptstrip_tg_init); 136module_init(tcpoptstrip_tg_init);
138module_exit(tcpoptstrip_tg_exit); 137module_exit(tcpoptstrip_tg_exit);
139MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@computergmbh.de>"); 138MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@medozas.de>");
140MODULE_DESCRIPTION("Xtables: TCP option stripping"); 139MODULE_DESCRIPTION("Xtables: TCP option stripping");
141MODULE_LICENSE("GPL"); 140MODULE_LICENSE("GPL");
142MODULE_ALIAS("ipt_TCPOPTSTRIP"); 141MODULE_ALIAS("ipt_TCPOPTSTRIP");
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
new file mode 100644
index 000000000000..49da6c05f4e0
--- /dev/null
+++ b/net/netfilter/xt_TEE.c
@@ -0,0 +1,309 @@
1/*
2 * "TEE" target extension for Xtables
3 * Copyright © Sebastian Claßen, 2007
4 * Jan Engelhardt, 2007-2010
5 *
6 * based on ipt_ROUTE.c from Cédric de Launois
7 * <delaunois@info.ucl.be>
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License
11 * version 2 or later, as published by the Free Software Foundation.
12 */
13#include <linux/ip.h>
14#include <linux/module.h>
15#include <linux/percpu.h>
16#include <linux/route.h>
17#include <linux/skbuff.h>
18#include <linux/notifier.h>
19#include <net/checksum.h>
20#include <net/icmp.h>
21#include <net/ip.h>
22#include <net/ipv6.h>
23#include <net/ip6_route.h>
24#include <net/route.h>
25#include <linux/netfilter/x_tables.h>
26#include <linux/netfilter/xt_TEE.h>
27
28#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
29# define WITH_CONNTRACK 1
30# include <net/netfilter/nf_conntrack.h>
31#endif
32#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
33# define WITH_IPV6 1
34#endif
35
36struct xt_tee_priv {
37 struct notifier_block notifier;
38 struct xt_tee_tginfo *tginfo;
39 int oif;
40};
41
42static const union nf_inet_addr tee_zero_address;
43static DEFINE_PER_CPU(bool, tee_active);
44
45static struct net *pick_net(struct sk_buff *skb)
46{
47#ifdef CONFIG_NET_NS
48 const struct dst_entry *dst;
49
50 if (skb->dev != NULL)
51 return dev_net(skb->dev);
52 dst = skb_dst(skb);
53 if (dst != NULL && dst->dev != NULL)
54 return dev_net(dst->dev);
55#endif
56 return &init_net;
57}
58
59static bool
60tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
61{
62 const struct iphdr *iph = ip_hdr(skb);
63 struct net *net = pick_net(skb);
64 struct rtable *rt;
65 struct flowi fl;
66
67 memset(&fl, 0, sizeof(fl));
68 if (info->priv) {
69 if (info->priv->oif == -1)
70 return false;
71 fl.oif = info->priv->oif;
72 }
73 fl.nl_u.ip4_u.daddr = info->gw.ip;
74 fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
75 fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
76 if (ip_route_output_key(net, &rt, &fl) != 0)
77 return false;
78
79 dst_release(skb_dst(skb));
80 skb_dst_set(skb, &rt->u.dst);
81 skb->dev = rt->u.dst.dev;
82 skb->protocol = htons(ETH_P_IP);
83 return true;
84}
85
86static unsigned int
87tee_tg4(struct sk_buff *skb, const struct xt_target_param *par)
88{
89 const struct xt_tee_tginfo *info = par->targinfo;
90 struct iphdr *iph;
91
92 if (percpu_read(tee_active))
93 return XT_CONTINUE;
94 /*
95 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
96 * the original skb, which should continue on its way as if nothing has
97 * happened. The copy should be independently delivered to the TEE
98 * --gateway.
99 */
100 skb = pskb_copy(skb, GFP_ATOMIC);
101 if (skb == NULL)
102 return XT_CONTINUE;
103
104#ifdef WITH_CONNTRACK
105 /* Avoid counting cloned packets towards the original connection. */
106 nf_conntrack_put(skb->nfct);
107 skb->nfct = &nf_conntrack_untracked.ct_general;
108 skb->nfctinfo = IP_CT_NEW;
109 nf_conntrack_get(skb->nfct);
110#endif
111 /*
112 * If we are in PREROUTING/INPUT, the checksum must be recalculated
113 * since the length could have changed as a result of defragmentation.
114 *
115 * We also decrease the TTL to mitigate potential TEE loops
116 * between two hosts.
117 *
118 * Set %IP_DF so that the original source is notified of a potentially
119 * decreased MTU on the clone route. IPv6 does this too.
120 */
121 iph = ip_hdr(skb);
122 iph->frag_off |= htons(IP_DF);
123 if (par->hooknum == NF_INET_PRE_ROUTING ||
124 par->hooknum == NF_INET_LOCAL_IN)
125 --iph->ttl;
126 ip_send_check(iph);
127
128 if (tee_tg_route4(skb, info)) {
129 percpu_write(tee_active, true);
130 ip_local_out(skb);
131 percpu_write(tee_active, false);
132 } else {
133 kfree_skb(skb);
134 }
135 return XT_CONTINUE;
136}
137
138#ifdef WITH_IPV6
139static bool
140tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
141{
142 const struct ipv6hdr *iph = ipv6_hdr(skb);
143 struct net *net = pick_net(skb);
144 struct dst_entry *dst;
145 struct flowi fl;
146
147 memset(&fl, 0, sizeof(fl));
148 if (info->priv) {
149 if (info->priv->oif == -1)
150 return false;
151 fl.oif = info->priv->oif;
152 }
153 fl.nl_u.ip6_u.daddr = info->gw.in6;
154 fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
155 (iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
156 dst = ip6_route_output(net, NULL, &fl);
157 if (dst == NULL)
158 return false;
159
160 dst_release(skb_dst(skb));
161 skb_dst_set(skb, dst);
162 skb->dev = dst->dev;
163 skb->protocol = htons(ETH_P_IPV6);
164 return true;
165}
166
167static unsigned int
168tee_tg6(struct sk_buff *skb, const struct xt_target_param *par)
169{
170 const struct xt_tee_tginfo *info = par->targinfo;
171
172 if (percpu_read(tee_active))
173 return XT_CONTINUE;
174 skb = pskb_copy(skb, GFP_ATOMIC);
175 if (skb == NULL)
176 return XT_CONTINUE;
177
178#ifdef WITH_CONNTRACK
179 nf_conntrack_put(skb->nfct);
180 skb->nfct = &nf_conntrack_untracked.ct_general;
181 skb->nfctinfo = IP_CT_NEW;
182 nf_conntrack_get(skb->nfct);
183#endif
184 if (par->hooknum == NF_INET_PRE_ROUTING ||
185 par->hooknum == NF_INET_LOCAL_IN) {
186 struct ipv6hdr *iph = ipv6_hdr(skb);
187 --iph->hop_limit;
188 }
189 if (tee_tg_route6(skb, info)) {
190 percpu_write(tee_active, true);
191 ip6_local_out(skb);
192 percpu_write(tee_active, false);
193 } else {
194 kfree_skb(skb);
195 }
196 return XT_CONTINUE;
197}
198#endif /* WITH_IPV6 */
199
200static int tee_netdev_event(struct notifier_block *this, unsigned long event,
201 void *ptr)
202{
203 struct net_device *dev = ptr;
204 struct xt_tee_priv *priv;
205
206 priv = container_of(this, struct xt_tee_priv, notifier);
207 switch (event) {
208 case NETDEV_REGISTER:
209 if (!strcmp(dev->name, priv->tginfo->oif))
210 priv->oif = dev->ifindex;
211 break;
212 case NETDEV_UNREGISTER:
213 if (dev->ifindex == priv->oif)
214 priv->oif = -1;
215 break;
216 case NETDEV_CHANGENAME:
217 if (!strcmp(dev->name, priv->tginfo->oif))
218 priv->oif = dev->ifindex;
219 else if (dev->ifindex == priv->oif)
220 priv->oif = -1;
221 break;
222 }
223
224 return NOTIFY_DONE;
225}
226
227static int tee_tg_check(const struct xt_tgchk_param *par)
228{
229 struct xt_tee_tginfo *info = par->targinfo;
230 struct xt_tee_priv *priv;
231
232 /* 0.0.0.0 and :: not allowed */
233 if (memcmp(&info->gw, &tee_zero_address,
234 sizeof(tee_zero_address)) == 0)
235 return -EINVAL;
236
237 if (info->oif[0]) {
238 if (info->oif[sizeof(info->oif)-1] != '\0')
239 return -EINVAL;
240
241 priv = kzalloc(sizeof(*priv), GFP_KERNEL);
242 if (priv == NULL)
243 return -ENOMEM;
244
245 priv->tginfo = info;
246 priv->oif = -1;
247 priv->notifier.notifier_call = tee_netdev_event;
248 info->priv = priv;
249
250 register_netdevice_notifier(&priv->notifier);
251 } else
252 info->priv = NULL;
253
254 return 0;
255}
256
257static void tee_tg_destroy(const struct xt_tgdtor_param *par)
258{
259 struct xt_tee_tginfo *info = par->targinfo;
260
261 if (info->priv) {
262 unregister_netdevice_notifier(&info->priv->notifier);
263 kfree(info->priv);
264 }
265}
266
267static struct xt_target tee_tg_reg[] __read_mostly = {
268 {
269 .name = "TEE",
270 .revision = 1,
271 .family = NFPROTO_IPV4,
272 .target = tee_tg4,
273 .targetsize = sizeof(struct xt_tee_tginfo),
274 .checkentry = tee_tg_check,
275 .destroy = tee_tg_destroy,
276 .me = THIS_MODULE,
277 },
278#ifdef WITH_IPV6
279 {
280 .name = "TEE",
281 .revision = 1,
282 .family = NFPROTO_IPV6,
283 .target = tee_tg6,
284 .targetsize = sizeof(struct xt_tee_tginfo),
285 .checkentry = tee_tg_check,
286 .destroy = tee_tg_destroy,
287 .me = THIS_MODULE,
288 },
289#endif
290};
291
292static int __init tee_tg_init(void)
293{
294 return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
295}
296
297static void __exit tee_tg_exit(void)
298{
299 xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
300}
301
302module_init(tee_tg_init);
303module_exit(tee_tg_exit);
304MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>");
305MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
306MODULE_DESCRIPTION("Xtables: Reroute packet copy");
307MODULE_LICENSE("GPL");
308MODULE_ALIAS("ipt_TEE");
309MODULE_ALIAS("ip6t_TEE");
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 1340c2fa3621..4f246ddc5c48 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -9,7 +9,7 @@
9 * published by the Free Software Foundation. 9 * published by the Free Software Foundation.
10 * 10 *
11 */ 11 */
12 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/skbuff.h> 14#include <linux/skbuff.h>
15#include <linux/ip.h> 15#include <linux/ip.h>
@@ -59,17 +59,17 @@ tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
59 return NF_DROP; 59 return NF_DROP;
60} 60}
61 61
62static bool tproxy_tg_check(const struct xt_tgchk_param *par) 62static int tproxy_tg_check(const struct xt_tgchk_param *par)
63{ 63{
64 const struct ipt_ip *i = par->entryinfo; 64 const struct ipt_ip *i = par->entryinfo;
65 65
66 if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) 66 if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
67 && !(i->invflags & IPT_INV_PROTO)) 67 && !(i->invflags & IPT_INV_PROTO))
68 return true; 68 return 0;
69 69
70 pr_info("xt_TPROXY: Can be used only in combination with " 70 pr_info("Can be used only in combination with "
71 "either -p tcp or -p udp\n"); 71 "either -p tcp or -p udp\n");
72 return false; 72 return -EINVAL;
73} 73}
74 74
75static struct xt_target tproxy_tg_reg __read_mostly = { 75static struct xt_target tproxy_tg_reg __read_mostly = {
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 225ee3ecd69d..6c941e1c6b9e 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -5,6 +5,7 @@
5 * it under the terms of the GNU General Public License version 2 as 5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation. 6 * published by the Free Software Foundation.
7 */ 7 */
8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
8#include <linux/module.h> 9#include <linux/module.h>
9#include <linux/skbuff.h> 10#include <linux/skbuff.h>
10#include <linux/jhash.h> 11#include <linux/jhash.h>
@@ -131,22 +132,22 @@ xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par)
131 !!(info->flags & XT_CLUSTER_F_INV); 132 !!(info->flags & XT_CLUSTER_F_INV);
132} 133}
133 134
134static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) 135static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
135{ 136{
136 struct xt_cluster_match_info *info = par->matchinfo; 137 struct xt_cluster_match_info *info = par->matchinfo;
137 138
138 if (info->total_nodes > XT_CLUSTER_NODES_MAX) { 139 if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
139 printk(KERN_ERR "xt_cluster: you have exceeded the maximum " 140 pr_info("you have exceeded the maximum "
140 "number of cluster nodes (%u > %u)\n", 141 "number of cluster nodes (%u > %u)\n",
141 info->total_nodes, XT_CLUSTER_NODES_MAX); 142 info->total_nodes, XT_CLUSTER_NODES_MAX);
142 return false; 143 return -EINVAL;
143 } 144 }
144 if (info->node_mask >= (1ULL << info->total_nodes)) { 145 if (info->node_mask >= (1ULL << info->total_nodes)) {
145 printk(KERN_ERR "xt_cluster: this node mask cannot be " 146 pr_info("this node mask cannot be "
146 "higher than the total number of nodes\n"); 147 "higher than the total number of nodes\n");
147 return false; 148 return -EDOM;
148 } 149 }
149 return true; 150 return 0;
150} 151}
151 152
152static struct xt_match xt_cluster_match __read_mostly = { 153static struct xt_match xt_cluster_match __read_mostly = {
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 955e6598a7f0..ff738a5f963a 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -1,6 +1,7 @@
1/* Kernel module to match connection tracking byte counter. 1/* Kernel module to match connection tracking byte counter.
2 * GPL (C) 2002 Martin Devera (devik@cdi.cz). 2 * GPL (C) 2002 Martin Devera (devik@cdi.cz).
3 */ 3 */
4#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
4#include <linux/module.h> 5#include <linux/module.h>
5#include <linux/bitops.h> 6#include <linux/bitops.h>
6#include <linux/skbuff.h> 7#include <linux/skbuff.h>
@@ -92,27 +93,26 @@ connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
92 return what >= sinfo->count.from; 93 return what >= sinfo->count.from;
93} 94}
94 95
95static bool connbytes_mt_check(const struct xt_mtchk_param *par) 96static int connbytes_mt_check(const struct xt_mtchk_param *par)
96{ 97{
97 const struct xt_connbytes_info *sinfo = par->matchinfo; 98 const struct xt_connbytes_info *sinfo = par->matchinfo;
99 int ret;
98 100
99 if (sinfo->what != XT_CONNBYTES_PKTS && 101 if (sinfo->what != XT_CONNBYTES_PKTS &&
100 sinfo->what != XT_CONNBYTES_BYTES && 102 sinfo->what != XT_CONNBYTES_BYTES &&
101 sinfo->what != XT_CONNBYTES_AVGPKT) 103 sinfo->what != XT_CONNBYTES_AVGPKT)
102 return false; 104 return -EINVAL;
103 105
104 if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL && 106 if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL &&
105 sinfo->direction != XT_CONNBYTES_DIR_REPLY && 107 sinfo->direction != XT_CONNBYTES_DIR_REPLY &&
106 sinfo->direction != XT_CONNBYTES_DIR_BOTH) 108 sinfo->direction != XT_CONNBYTES_DIR_BOTH)
107 return false; 109 return -EINVAL;
108
109 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
110 printk(KERN_WARNING "can't load conntrack support for "
111 "proto=%u\n", par->family);
112 return false;
113 }
114 110
115 return true; 111 ret = nf_ct_l3proto_try_module_get(par->family);
112 if (ret < 0)
113 pr_info("cannot load conntrack support for proto=%u\n",
114 par->family);
115 return ret;
116} 116}
117 117
118static void connbytes_mt_destroy(const struct xt_mtdtor_param *par) 118static void connbytes_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 388ca4596098..326bc1b81681 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -5,13 +5,13 @@
5 * Nov 2002: Martin Bene <martin.bene@icomedias.com>: 5 * Nov 2002: Martin Bene <martin.bene@icomedias.com>:
6 * only ignore TIME_WAIT or gone connections 6 * only ignore TIME_WAIT or gone connections
7 * (C) CC Computer Consultants GmbH, 2007 7 * (C) CC Computer Consultants GmbH, 2007
8 * Contact: <jengelh@computergmbh.de>
9 * 8 *
10 * based on ... 9 * based on ...
11 * 10 *
12 * Kernel module to match connection tracking information. 11 * Kernel module to match connection tracking information.
13 * GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au). 12 * GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au).
14 */ 13 */
14#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15#include <linux/in.h> 15#include <linux/in.h>
16#include <linux/in6.h> 16#include <linux/in6.h>
17#include <linux/ip.h> 17#include <linux/ip.h>
@@ -217,33 +217,35 @@ connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
217 return false; 217 return false;
218} 218}
219 219
220static bool connlimit_mt_check(const struct xt_mtchk_param *par) 220static int connlimit_mt_check(const struct xt_mtchk_param *par)
221{ 221{
222 struct xt_connlimit_info *info = par->matchinfo; 222 struct xt_connlimit_info *info = par->matchinfo;
223 unsigned int i; 223 unsigned int i;
224 int ret;
224 225
225 if (unlikely(!connlimit_rnd_inited)) { 226 if (unlikely(!connlimit_rnd_inited)) {
226 get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd)); 227 get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd));
227 connlimit_rnd_inited = true; 228 connlimit_rnd_inited = true;
228 } 229 }
229 if (nf_ct_l3proto_try_module_get(par->family) < 0) { 230 ret = nf_ct_l3proto_try_module_get(par->family);
230 printk(KERN_WARNING "cannot load conntrack support for " 231 if (ret < 0) {
231 "address family %u\n", par->family); 232 pr_info("cannot load conntrack support for "
232 return false; 233 "address family %u\n", par->family);
234 return ret;
233 } 235 }
234 236
235 /* init private data */ 237 /* init private data */
236 info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL); 238 info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
237 if (info->data == NULL) { 239 if (info->data == NULL) {
238 nf_ct_l3proto_module_put(par->family); 240 nf_ct_l3proto_module_put(par->family);
239 return false; 241 return -ENOMEM;
240 } 242 }
241 243
242 spin_lock_init(&info->data->lock); 244 spin_lock_init(&info->data->lock);
243 for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i) 245 for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i)
244 INIT_LIST_HEAD(&info->data->iphash[i]); 246 INIT_LIST_HEAD(&info->data->iphash[i]);
245 247
246 return true; 248 return 0;
247} 249}
248 250
249static void connlimit_mt_destroy(const struct xt_mtdtor_param *par) 251static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 122aa8b0147b..ae1015484ae2 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -1,10 +1,10 @@
1/* 1/*
2 * xt_connmark - Netfilter module to match connection mark values 2 * xt_connmark - Netfilter module to operate on connection marks
3 * 3 *
4 * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> 4 * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
5 * by Henrik Nordstrom <hno@marasystems.com> 5 * by Henrik Nordstrom <hno@marasystems.com>
6 * Copyright © CC Computer Consultants GmbH, 2007 - 2008 6 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
7 * Jan Engelhardt <jengelh@computergmbh.de> 7 * Jan Engelhardt <jengelh@medozas.de>
8 * 8 *
9 * This program is free software; you can redistribute it and/or modify 9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by 10 * it under the terms of the GNU General Public License as published by
@@ -24,15 +24,72 @@
24#include <linux/module.h> 24#include <linux/module.h>
25#include <linux/skbuff.h> 25#include <linux/skbuff.h>
26#include <net/netfilter/nf_conntrack.h> 26#include <net/netfilter/nf_conntrack.h>
27#include <net/netfilter/nf_conntrack_ecache.h>
27#include <linux/netfilter/x_tables.h> 28#include <linux/netfilter/x_tables.h>
28#include <linux/netfilter/xt_connmark.h> 29#include <linux/netfilter/xt_connmark.h>
29 30
30MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>"); 31MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
31MODULE_DESCRIPTION("Xtables: connection mark match"); 32MODULE_DESCRIPTION("Xtables: connection mark operations");
32MODULE_LICENSE("GPL"); 33MODULE_LICENSE("GPL");
34MODULE_ALIAS("ipt_CONNMARK");
35MODULE_ALIAS("ip6t_CONNMARK");
33MODULE_ALIAS("ipt_connmark"); 36MODULE_ALIAS("ipt_connmark");
34MODULE_ALIAS("ip6t_connmark"); 37MODULE_ALIAS("ip6t_connmark");
35 38
39static unsigned int
40connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
41{
42 const struct xt_connmark_tginfo1 *info = par->targinfo;
43 enum ip_conntrack_info ctinfo;
44 struct nf_conn *ct;
45 u_int32_t newmark;
46
47 ct = nf_ct_get(skb, &ctinfo);
48 if (ct == NULL)
49 return XT_CONTINUE;
50
51 switch (info->mode) {
52 case XT_CONNMARK_SET:
53 newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
54 if (ct->mark != newmark) {
55 ct->mark = newmark;
56 nf_conntrack_event_cache(IPCT_MARK, ct);
57 }
58 break;
59 case XT_CONNMARK_SAVE:
60 newmark = (ct->mark & ~info->ctmask) ^
61 (skb->mark & info->nfmask);
62 if (ct->mark != newmark) {
63 ct->mark = newmark;
64 nf_conntrack_event_cache(IPCT_MARK, ct);
65 }
66 break;
67 case XT_CONNMARK_RESTORE:
68 newmark = (skb->mark & ~info->nfmask) ^
69 (ct->mark & info->ctmask);
70 skb->mark = newmark;
71 break;
72 }
73
74 return XT_CONTINUE;
75}
76
77static int connmark_tg_check(const struct xt_tgchk_param *par)
78{
79 int ret;
80
81 ret = nf_ct_l3proto_try_module_get(par->family);
82 if (ret < 0)
83 pr_info("cannot load conntrack support for proto=%u\n",
84 par->family);
85 return ret;
86}
87
88static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
89{
90 nf_ct_l3proto_module_put(par->family);
91}
92
36static bool 93static bool
37connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par) 94connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
38{ 95{
@@ -47,14 +104,15 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
47 return ((ct->mark & info->mask) == info->mark) ^ info->invert; 104 return ((ct->mark & info->mask) == info->mark) ^ info->invert;
48} 105}
49 106
50static bool connmark_mt_check(const struct xt_mtchk_param *par) 107static int connmark_mt_check(const struct xt_mtchk_param *par)
51{ 108{
52 if (nf_ct_l3proto_try_module_get(par->family) < 0) { 109 int ret;
53 printk(KERN_WARNING "cannot load conntrack support for " 110
54 "proto=%u\n", par->family); 111 ret = nf_ct_l3proto_try_module_get(par->family);
55 return false; 112 if (ret < 0)
56 } 113 pr_info("cannot load conntrack support for proto=%u\n",
57 return true; 114 par->family);
115 return ret;
58} 116}
59 117
60static void connmark_mt_destroy(const struct xt_mtdtor_param *par) 118static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
@@ -62,6 +120,17 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
62 nf_ct_l3proto_module_put(par->family); 120 nf_ct_l3proto_module_put(par->family);
63} 121}
64 122
123static struct xt_target connmark_tg_reg __read_mostly = {
124 .name = "CONNMARK",
125 .revision = 1,
126 .family = NFPROTO_UNSPEC,
127 .checkentry = connmark_tg_check,
128 .target = connmark_tg,
129 .targetsize = sizeof(struct xt_connmark_tginfo1),
130 .destroy = connmark_tg_destroy,
131 .me = THIS_MODULE,
132};
133
65static struct xt_match connmark_mt_reg __read_mostly = { 134static struct xt_match connmark_mt_reg __read_mostly = {
66 .name = "connmark", 135 .name = "connmark",
67 .revision = 1, 136 .revision = 1,
@@ -75,12 +144,23 @@ static struct xt_match connmark_mt_reg __read_mostly = {
75 144
76static int __init connmark_mt_init(void) 145static int __init connmark_mt_init(void)
77{ 146{
78 return xt_register_match(&connmark_mt_reg); 147 int ret;
148
149 ret = xt_register_target(&connmark_tg_reg);
150 if (ret < 0)
151 return ret;
152 ret = xt_register_match(&connmark_mt_reg);
153 if (ret < 0) {
154 xt_unregister_target(&connmark_tg_reg);
155 return ret;
156 }
157 return 0;
79} 158}
80 159
81static void __exit connmark_mt_exit(void) 160static void __exit connmark_mt_exit(void)
82{ 161{
83 xt_unregister_match(&connmark_mt_reg); 162 xt_unregister_match(&connmark_mt_reg);
163 xt_unregister_target(&connmark_tg_reg);
84} 164}
85 165
86module_init(connmark_mt_init); 166module_init(connmark_mt_init);
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index ae66305f0fe5..3348706ce56d 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -9,7 +9,7 @@
9 * it under the terms of the GNU General Public License version 2 as 9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation. 10 * published by the Free Software Foundation.
11 */ 11 */
12 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/skbuff.h> 14#include <linux/skbuff.h>
15#include <net/ipv6.h> 15#include <net/ipv6.h>
@@ -206,14 +206,15 @@ conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
206 return conntrack_mt(skb, par, info->state_mask, info->status_mask); 206 return conntrack_mt(skb, par, info->state_mask, info->status_mask);
207} 207}
208 208
209static bool conntrack_mt_check(const struct xt_mtchk_param *par) 209static int conntrack_mt_check(const struct xt_mtchk_param *par)
210{ 210{
211 if (nf_ct_l3proto_try_module_get(par->family) < 0) { 211 int ret;
212 printk(KERN_WARNING "can't load conntrack support for " 212
213 "proto=%u\n", par->family); 213 ret = nf_ct_l3proto_try_module_get(par->family);
214 return false; 214 if (ret < 0)
215 } 215 pr_info("cannot load conntrack support for proto=%u\n",
216 return true; 216 par->family);
217 return ret;
217} 218}
218 219
219static void conntrack_mt_destroy(const struct xt_mtdtor_param *par) 220static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 395af5943ffd..0d260aec487f 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -124,13 +124,17 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
124 XT_DCCP_OPTION, info->flags, info->invflags); 124 XT_DCCP_OPTION, info->flags, info->invflags);
125} 125}
126 126
127static bool dccp_mt_check(const struct xt_mtchk_param *par) 127static int dccp_mt_check(const struct xt_mtchk_param *par)
128{ 128{
129 const struct xt_dccp_info *info = par->matchinfo; 129 const struct xt_dccp_info *info = par->matchinfo;
130 130
131 return !(info->flags & ~XT_DCCP_VALID_FLAGS) 131 if (info->flags & ~XT_DCCP_VALID_FLAGS)
132 && !(info->invflags & ~XT_DCCP_VALID_FLAGS) 132 return -EINVAL;
133 && !(info->invflags & ~info->flags); 133 if (info->invflags & ~XT_DCCP_VALID_FLAGS)
134 return -EINVAL;
135 if (info->invflags & ~info->flags)
136 return -EINVAL;
137 return 0;
134} 138}
135 139
136static struct xt_match dccp_mt_reg[] __read_mostly = { 140static struct xt_match dccp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 0280d3a8c161..9db51fddbdb8 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/module.h> 10#include <linux/module.h>
11#include <linux/skbuff.h> 11#include <linux/skbuff.h>
12#include <linux/ip.h> 12#include <linux/ip.h>
@@ -42,23 +42,23 @@ dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
42 return (dscp == info->dscp) ^ !!info->invert; 42 return (dscp == info->dscp) ^ !!info->invert;
43} 43}
44 44
45static bool dscp_mt_check(const struct xt_mtchk_param *par) 45static int dscp_mt_check(const struct xt_mtchk_param *par)
46{ 46{
47 const struct xt_dscp_info *info = par->matchinfo; 47 const struct xt_dscp_info *info = par->matchinfo;
48 48
49 if (info->dscp > XT_DSCP_MAX) { 49 if (info->dscp > XT_DSCP_MAX) {
50 printk(KERN_ERR "xt_dscp: dscp %x out of range\n", info->dscp); 50 pr_info("dscp %x out of range\n", info->dscp);
51 return false; 51 return -EDOM;
52 } 52 }
53 53
54 return true; 54 return 0;
55} 55}
56 56
57static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par) 57static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
58{ 58{
59 const struct xt_tos_match_info *info = par->matchinfo; 59 const struct xt_tos_match_info *info = par->matchinfo;
60 60
61 if (par->match->family == NFPROTO_IPV4) 61 if (par->family == NFPROTO_IPV4)
62 return ((ip_hdr(skb)->tos & info->tos_mask) == 62 return ((ip_hdr(skb)->tos & info->tos_mask) ==
63 info->tos_value) ^ !!info->invert; 63 info->tos_value) ^ !!info->invert;
64 else 64 else
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 609439967c2c..143bfdc8e38f 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/module.h> 10#include <linux/module.h>
11#include <linux/skbuff.h> 11#include <linux/skbuff.h>
12#include <linux/in.h> 12#include <linux/in.h>
@@ -24,21 +24,15 @@ MODULE_DESCRIPTION("Xtables: IPsec-ESP packet match");
24MODULE_ALIAS("ipt_esp"); 24MODULE_ALIAS("ipt_esp");
25MODULE_ALIAS("ip6t_esp"); 25MODULE_ALIAS("ip6t_esp");
26 26
27#if 0
28#define duprintf(format, args...) printk(format , ## args)
29#else
30#define duprintf(format, args...)
31#endif
32
33/* Returns 1 if the spi is matched by the range, 0 otherwise */ 27/* Returns 1 if the spi is matched by the range, 0 otherwise */
34static inline bool 28static inline bool
35spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert) 29spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
36{ 30{
37 bool r; 31 bool r;
38 duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ', 32 pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
39 min, spi, max); 33 invert ? '!' : ' ', min, spi, max);
40 r = (spi >= min && spi <= max) ^ invert; 34 r = (spi >= min && spi <= max) ^ invert;
41 duprintf(" result %s\n", r ? "PASS" : "FAILED"); 35 pr_debug(" result %s\n", r ? "PASS" : "FAILED");
42 return r; 36 return r;
43} 37}
44 38
@@ -57,7 +51,7 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
57 /* We've been asked to examine this packet, and we 51 /* We've been asked to examine this packet, and we
58 * can't. Hence, no choice but to drop. 52 * can't. Hence, no choice but to drop.
59 */ 53 */
60 duprintf("Dropping evil ESP tinygram.\n"); 54 pr_debug("Dropping evil ESP tinygram.\n");
61 *par->hotdrop = true; 55 *par->hotdrop = true;
62 return false; 56 return false;
63 } 57 }
@@ -66,16 +60,16 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
66 !!(espinfo->invflags & XT_ESP_INV_SPI)); 60 !!(espinfo->invflags & XT_ESP_INV_SPI));
67} 61}
68 62
69static bool esp_mt_check(const struct xt_mtchk_param *par) 63static int esp_mt_check(const struct xt_mtchk_param *par)
70{ 64{
71 const struct xt_esp *espinfo = par->matchinfo; 65 const struct xt_esp *espinfo = par->matchinfo;
72 66
73 if (espinfo->invflags & ~XT_ESP_INV_MASK) { 67 if (espinfo->invflags & ~XT_ESP_INV_MASK) {
74 duprintf("xt_esp: unknown flags %X\n", espinfo->invflags); 68 pr_debug("unknown flags %X\n", espinfo->invflags);
75 return false; 69 return -EINVAL;
76 } 70 }
77 71
78 return true; 72 return 0;
79} 73}
80 74
81static struct xt_match esp_mt_reg[] __read_mostly = { 75static struct xt_match esp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 215a64835de8..0c366d387c8c 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -7,6 +7,7 @@
7 * 7 *
8 * Development of this code was funded by Astaro AG, http://www.astaro.com/ 8 * Development of this code was funded by Astaro AG, http://www.astaro.com/
9 */ 9 */
10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/module.h> 11#include <linux/module.h>
11#include <linux/spinlock.h> 12#include <linux/spinlock.h>
12#include <linux/random.h> 13#include <linux/random.h>
@@ -36,7 +37,7 @@
36 37
37MODULE_LICENSE("GPL"); 38MODULE_LICENSE("GPL");
38MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); 39MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
39MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>"); 40MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
40MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match"); 41MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match");
41MODULE_ALIAS("ipt_hashlimit"); 42MODULE_ALIAS("ipt_hashlimit");
42MODULE_ALIAS("ip6t_hashlimit"); 43MODULE_ALIAS("ip6t_hashlimit");
@@ -80,12 +81,14 @@ struct dsthash_ent {
80 struct dsthash_dst dst; 81 struct dsthash_dst dst;
81 82
82 /* modified structure members in the end */ 83 /* modified structure members in the end */
84 spinlock_t lock;
83 unsigned long expires; /* precalculated expiry time */ 85 unsigned long expires; /* precalculated expiry time */
84 struct { 86 struct {
85 unsigned long prev; /* last modification */ 87 unsigned long prev; /* last modification */
86 u_int32_t credit; 88 u_int32_t credit;
87 u_int32_t credit_cap, cost; 89 u_int32_t credit_cap, cost;
88 } rateinfo; 90 } rateinfo;
91 struct rcu_head rcu;
89}; 92};
90 93
91struct xt_hashlimit_htable { 94struct xt_hashlimit_htable {
@@ -142,9 +145,11 @@ dsthash_find(const struct xt_hashlimit_htable *ht,
142 u_int32_t hash = hash_dst(ht, dst); 145 u_int32_t hash = hash_dst(ht, dst);
143 146
144 if (!hlist_empty(&ht->hash[hash])) { 147 if (!hlist_empty(&ht->hash[hash])) {
145 hlist_for_each_entry(ent, pos, &ht->hash[hash], node) 148 hlist_for_each_entry_rcu(ent, pos, &ht->hash[hash], node)
146 if (dst_cmp(ent, dst)) 149 if (dst_cmp(ent, dst)) {
150 spin_lock(&ent->lock);
147 return ent; 151 return ent;
152 }
148 } 153 }
149 return NULL; 154 return NULL;
150} 155}
@@ -156,9 +161,10 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht,
156{ 161{
157 struct dsthash_ent *ent; 162 struct dsthash_ent *ent;
158 163
164 spin_lock(&ht->lock);
159 /* initialize hash with random val at the time we allocate 165 /* initialize hash with random val at the time we allocate
160 * the first hashtable entry */ 166 * the first hashtable entry */
161 if (!ht->rnd_initialized) { 167 if (unlikely(!ht->rnd_initialized)) {
162 get_random_bytes(&ht->rnd, sizeof(ht->rnd)); 168 get_random_bytes(&ht->rnd, sizeof(ht->rnd));
163 ht->rnd_initialized = true; 169 ht->rnd_initialized = true;
164 } 170 }
@@ -166,106 +172,40 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht,
166 if (ht->cfg.max && ht->count >= ht->cfg.max) { 172 if (ht->cfg.max && ht->count >= ht->cfg.max) {
167 /* FIXME: do something. question is what.. */ 173 /* FIXME: do something. question is what.. */
168 if (net_ratelimit()) 174 if (net_ratelimit())
169 printk(KERN_WARNING 175 pr_err("max count of %u reached\n", ht->cfg.max);
170 "xt_hashlimit: max count of %u reached\n", 176 ent = NULL;
171 ht->cfg.max); 177 } else
172 return NULL; 178 ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC);
173 }
174
175 ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC);
176 if (!ent) { 179 if (!ent) {
177 if (net_ratelimit()) 180 if (net_ratelimit())
178 printk(KERN_ERR 181 pr_err("cannot allocate dsthash_ent\n");
179 "xt_hashlimit: can't allocate dsthash_ent\n"); 182 } else {
180 return NULL; 183 memcpy(&ent->dst, dst, sizeof(ent->dst));
181 } 184 spin_lock_init(&ent->lock);
182 memcpy(&ent->dst, dst, sizeof(ent->dst));
183 185
184 hlist_add_head(&ent->node, &ht->hash[hash_dst(ht, dst)]); 186 spin_lock(&ent->lock);
185 ht->count++; 187 hlist_add_head_rcu(&ent->node, &ht->hash[hash_dst(ht, dst)]);
188 ht->count++;
189 }
190 spin_unlock(&ht->lock);
186 return ent; 191 return ent;
187} 192}
188 193
189static inline void 194static void dsthash_free_rcu(struct rcu_head *head)
190dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent)
191{ 195{
192 hlist_del(&ent->node); 196 struct dsthash_ent *ent = container_of(head, struct dsthash_ent, rcu);
197
193 kmem_cache_free(hashlimit_cachep, ent); 198 kmem_cache_free(hashlimit_cachep, ent);
194 ht->count--;
195} 199}
196static void htable_gc(unsigned long htlong);
197 200
198static int htable_create_v0(struct net *net, struct xt_hashlimit_info *minfo, u_int8_t family) 201static inline void
202dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent)
199{ 203{
200 struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); 204 hlist_del_rcu(&ent->node);
201 struct xt_hashlimit_htable *hinfo; 205 call_rcu_bh(&ent->rcu, dsthash_free_rcu);
202 unsigned int size; 206 ht->count--;
203 unsigned int i;
204
205 if (minfo->cfg.size)
206 size = minfo->cfg.size;
207 else {
208 size = ((totalram_pages << PAGE_SHIFT) / 16384) /
209 sizeof(struct list_head);
210 if (totalram_pages > (1024 * 1024 * 1024 / PAGE_SIZE))
211 size = 8192;
212 if (size < 16)
213 size = 16;
214 }
215 /* FIXME: don't use vmalloc() here or anywhere else -HW */
216 hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
217 sizeof(struct list_head) * size);
218 if (!hinfo) {
219 printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n");
220 return -1;
221 }
222 minfo->hinfo = hinfo;
223
224 /* copy match config into hashtable config */
225 hinfo->cfg.mode = minfo->cfg.mode;
226 hinfo->cfg.avg = minfo->cfg.avg;
227 hinfo->cfg.burst = minfo->cfg.burst;
228 hinfo->cfg.max = minfo->cfg.max;
229 hinfo->cfg.gc_interval = minfo->cfg.gc_interval;
230 hinfo->cfg.expire = minfo->cfg.expire;
231
232 if (family == NFPROTO_IPV4)
233 hinfo->cfg.srcmask = hinfo->cfg.dstmask = 32;
234 else
235 hinfo->cfg.srcmask = hinfo->cfg.dstmask = 128;
236
237 hinfo->cfg.size = size;
238 if (!hinfo->cfg.max)
239 hinfo->cfg.max = 8 * hinfo->cfg.size;
240 else if (hinfo->cfg.max < hinfo->cfg.size)
241 hinfo->cfg.max = hinfo->cfg.size;
242
243 for (i = 0; i < hinfo->cfg.size; i++)
244 INIT_HLIST_HEAD(&hinfo->hash[i]);
245
246 hinfo->use = 1;
247 hinfo->count = 0;
248 hinfo->family = family;
249 hinfo->rnd_initialized = false;
250 spin_lock_init(&hinfo->lock);
251 hinfo->pde = proc_create_data(minfo->name, 0,
252 (family == NFPROTO_IPV4) ?
253 hashlimit_net->ipt_hashlimit : hashlimit_net->ip6t_hashlimit,
254 &dl_file_ops, hinfo);
255 if (!hinfo->pde) {
256 vfree(hinfo);
257 return -1;
258 }
259 hinfo->net = net;
260
261 setup_timer(&hinfo->timer, htable_gc, (unsigned long )hinfo);
262 hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval);
263 add_timer(&hinfo->timer);
264
265 hlist_add_head(&hinfo->node, &hashlimit_net->htables);
266
267 return 0;
268} 207}
208static void htable_gc(unsigned long htlong);
269 209
270static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo, 210static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
271 u_int8_t family) 211 u_int8_t family)
@@ -288,10 +228,8 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
288 /* FIXME: don't use vmalloc() here or anywhere else -HW */ 228 /* FIXME: don't use vmalloc() here or anywhere else -HW */
289 hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) + 229 hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
290 sizeof(struct list_head) * size); 230 sizeof(struct list_head) * size);
291 if (hinfo == NULL) { 231 if (hinfo == NULL)
292 printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n"); 232 return -ENOMEM;
293 return -1;
294 }
295 minfo->hinfo = hinfo; 233 minfo->hinfo = hinfo;
296 234
297 /* copy match config into hashtable config */ 235 /* copy match config into hashtable config */
@@ -317,7 +255,7 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
317 &dl_file_ops, hinfo); 255 &dl_file_ops, hinfo);
318 if (hinfo->pde == NULL) { 256 if (hinfo->pde == NULL) {
319 vfree(hinfo); 257 vfree(hinfo);
320 return -1; 258 return -ENOMEM;
321 } 259 }
322 hinfo->net = net; 260 hinfo->net = net;
323 261
@@ -578,57 +516,6 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
578} 516}
579 517
580static bool 518static bool
581hashlimit_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
582{
583 const struct xt_hashlimit_info *r = par->matchinfo;
584 struct xt_hashlimit_htable *hinfo = r->hinfo;
585 unsigned long now = jiffies;
586 struct dsthash_ent *dh;
587 struct dsthash_dst dst;
588
589 if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
590 goto hotdrop;
591
592 spin_lock_bh(&hinfo->lock);
593 dh = dsthash_find(hinfo, &dst);
594 if (!dh) {
595 dh = dsthash_alloc_init(hinfo, &dst);
596 if (!dh) {
597 spin_unlock_bh(&hinfo->lock);
598 goto hotdrop;
599 }
600
601 dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
602 dh->rateinfo.prev = jiffies;
603 dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
604 hinfo->cfg.burst);
605 dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *
606 hinfo->cfg.burst);
607 dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
608 } else {
609 /* update expiration timeout */
610 dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
611 rateinfo_recalc(dh, now);
612 }
613
614 if (dh->rateinfo.credit >= dh->rateinfo.cost) {
615 /* We're underlimit. */
616 dh->rateinfo.credit -= dh->rateinfo.cost;
617 spin_unlock_bh(&hinfo->lock);
618 return true;
619 }
620
621 spin_unlock_bh(&hinfo->lock);
622
623 /* default case: we're overlimit, thus don't match */
624 return false;
625
626hotdrop:
627 *par->hotdrop = true;
628 return false;
629}
630
631static bool
632hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par) 519hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
633{ 520{
634 const struct xt_hashlimit_mtinfo1 *info = par->matchinfo; 521 const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
@@ -640,15 +527,14 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
640 if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0) 527 if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
641 goto hotdrop; 528 goto hotdrop;
642 529
643 spin_lock_bh(&hinfo->lock); 530 rcu_read_lock_bh();
644 dh = dsthash_find(hinfo, &dst); 531 dh = dsthash_find(hinfo, &dst);
645 if (dh == NULL) { 532 if (dh == NULL) {
646 dh = dsthash_alloc_init(hinfo, &dst); 533 dh = dsthash_alloc_init(hinfo, &dst);
647 if (dh == NULL) { 534 if (dh == NULL) {
648 spin_unlock_bh(&hinfo->lock); 535 rcu_read_unlock_bh();
649 goto hotdrop; 536 goto hotdrop;
650 } 537 }
651
652 dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire); 538 dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
653 dh->rateinfo.prev = jiffies; 539 dh->rateinfo.prev = jiffies;
654 dh->rateinfo.credit = user2credits(hinfo->cfg.avg * 540 dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
@@ -665,11 +551,13 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
665 if (dh->rateinfo.credit >= dh->rateinfo.cost) { 551 if (dh->rateinfo.credit >= dh->rateinfo.cost) {
666 /* below the limit */ 552 /* below the limit */
667 dh->rateinfo.credit -= dh->rateinfo.cost; 553 dh->rateinfo.credit -= dh->rateinfo.cost;
668 spin_unlock_bh(&hinfo->lock); 554 spin_unlock(&dh->lock);
555 rcu_read_unlock_bh();
669 return !(info->cfg.mode & XT_HASHLIMIT_INVERT); 556 return !(info->cfg.mode & XT_HASHLIMIT_INVERT);
670 } 557 }
671 558
672 spin_unlock_bh(&hinfo->lock); 559 spin_unlock(&dh->lock);
560 rcu_read_unlock_bh();
673 /* default match is underlimit - so over the limit, we need to invert */ 561 /* default match is underlimit - so over the limit, we need to invert */
674 return info->cfg.mode & XT_HASHLIMIT_INVERT; 562 return info->cfg.mode & XT_HASHLIMIT_INVERT;
675 563
@@ -678,83 +566,43 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
678 return false; 566 return false;
679} 567}
680 568
681static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par) 569static int hashlimit_mt_check(const struct xt_mtchk_param *par)
682{
683 struct net *net = par->net;
684 struct xt_hashlimit_info *r = par->matchinfo;
685
686 /* Check for overflow. */
687 if (r->cfg.burst == 0 ||
688 user2credits(r->cfg.avg * r->cfg.burst) < user2credits(r->cfg.avg)) {
689 printk(KERN_ERR "xt_hashlimit: overflow, try lower: %u/%u\n",
690 r->cfg.avg, r->cfg.burst);
691 return false;
692 }
693 if (r->cfg.mode == 0 ||
694 r->cfg.mode > (XT_HASHLIMIT_HASH_DPT |
695 XT_HASHLIMIT_HASH_DIP |
696 XT_HASHLIMIT_HASH_SIP |
697 XT_HASHLIMIT_HASH_SPT))
698 return false;
699 if (!r->cfg.gc_interval)
700 return false;
701 if (!r->cfg.expire)
702 return false;
703 if (r->name[sizeof(r->name) - 1] != '\0')
704 return false;
705
706 mutex_lock(&hashlimit_mutex);
707 r->hinfo = htable_find_get(net, r->name, par->match->family);
708 if (!r->hinfo && htable_create_v0(net, r, par->match->family) != 0) {
709 mutex_unlock(&hashlimit_mutex);
710 return false;
711 }
712 mutex_unlock(&hashlimit_mutex);
713
714 return true;
715}
716
717static bool hashlimit_mt_check(const struct xt_mtchk_param *par)
718{ 570{
719 struct net *net = par->net; 571 struct net *net = par->net;
720 struct xt_hashlimit_mtinfo1 *info = par->matchinfo; 572 struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
573 int ret;
721 574
722 /* Check for overflow. */ 575 /* Check for overflow. */
723 if (info->cfg.burst == 0 || 576 if (info->cfg.burst == 0 ||
724 user2credits(info->cfg.avg * info->cfg.burst) < 577 user2credits(info->cfg.avg * info->cfg.burst) <
725 user2credits(info->cfg.avg)) { 578 user2credits(info->cfg.avg)) {
726 printk(KERN_ERR "xt_hashlimit: overflow, try lower: %u/%u\n", 579 pr_info("overflow, try lower: %u/%u\n",
727 info->cfg.avg, info->cfg.burst); 580 info->cfg.avg, info->cfg.burst);
728 return false; 581 return -ERANGE;
729 } 582 }
730 if (info->cfg.gc_interval == 0 || info->cfg.expire == 0) 583 if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
731 return false; 584 return -EINVAL;
732 if (info->name[sizeof(info->name)-1] != '\0') 585 if (info->name[sizeof(info->name)-1] != '\0')
733 return false; 586 return -EINVAL;
734 if (par->match->family == NFPROTO_IPV4) { 587 if (par->family == NFPROTO_IPV4) {
735 if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32) 588 if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
736 return false; 589 return -EINVAL;
737 } else { 590 } else {
738 if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128) 591 if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128)
739 return false; 592 return -EINVAL;
740 } 593 }
741 594
742 mutex_lock(&hashlimit_mutex); 595 mutex_lock(&hashlimit_mutex);
743 info->hinfo = htable_find_get(net, info->name, par->match->family); 596 info->hinfo = htable_find_get(net, info->name, par->family);
744 if (!info->hinfo && htable_create(net, info, par->match->family) != 0) { 597 if (info->hinfo == NULL) {
745 mutex_unlock(&hashlimit_mutex); 598 ret = htable_create(net, info, par->family);
746 return false; 599 if (ret < 0) {
600 mutex_unlock(&hashlimit_mutex);
601 return ret;
602 }
747 } 603 }
748 mutex_unlock(&hashlimit_mutex); 604 mutex_unlock(&hashlimit_mutex);
749 return true; 605 return 0;
750}
751
752static void
753hashlimit_mt_destroy_v0(const struct xt_mtdtor_param *par)
754{
755 const struct xt_hashlimit_info *r = par->matchinfo;
756
757 htable_put(r->hinfo);
758} 606}
759 607
760static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par) 608static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par)
@@ -764,47 +612,8 @@ static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par)
764 htable_put(info->hinfo); 612 htable_put(info->hinfo);
765} 613}
766 614
767#ifdef CONFIG_COMPAT
768struct compat_xt_hashlimit_info {
769 char name[IFNAMSIZ];
770 struct hashlimit_cfg cfg;
771 compat_uptr_t hinfo;
772 compat_uptr_t master;
773};
774
775static void hashlimit_mt_compat_from_user(void *dst, const void *src)
776{
777 int off = offsetof(struct compat_xt_hashlimit_info, hinfo);
778
779 memcpy(dst, src, off);
780 memset(dst + off, 0, sizeof(struct compat_xt_hashlimit_info) - off);
781}
782
783static int hashlimit_mt_compat_to_user(void __user *dst, const void *src)
784{
785 int off = offsetof(struct compat_xt_hashlimit_info, hinfo);
786
787 return copy_to_user(dst, src, off) ? -EFAULT : 0;
788}
789#endif
790
791static struct xt_match hashlimit_mt_reg[] __read_mostly = { 615static struct xt_match hashlimit_mt_reg[] __read_mostly = {
792 { 616 {
793 .name = "hashlimit",
794 .revision = 0,
795 .family = NFPROTO_IPV4,
796 .match = hashlimit_mt_v0,
797 .matchsize = sizeof(struct xt_hashlimit_info),
798#ifdef CONFIG_COMPAT
799 .compatsize = sizeof(struct compat_xt_hashlimit_info),
800 .compat_from_user = hashlimit_mt_compat_from_user,
801 .compat_to_user = hashlimit_mt_compat_to_user,
802#endif
803 .checkentry = hashlimit_mt_check_v0,
804 .destroy = hashlimit_mt_destroy_v0,
805 .me = THIS_MODULE
806 },
807 {
808 .name = "hashlimit", 617 .name = "hashlimit",
809 .revision = 1, 618 .revision = 1,
810 .family = NFPROTO_IPV4, 619 .family = NFPROTO_IPV4,
@@ -816,20 +625,6 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
816 }, 625 },
817#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) 626#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
818 { 627 {
819 .name = "hashlimit",
820 .family = NFPROTO_IPV6,
821 .match = hashlimit_mt_v0,
822 .matchsize = sizeof(struct xt_hashlimit_info),
823#ifdef CONFIG_COMPAT
824 .compatsize = sizeof(struct compat_xt_hashlimit_info),
825 .compat_from_user = hashlimit_mt_compat_from_user,
826 .compat_to_user = hashlimit_mt_compat_to_user,
827#endif
828 .checkentry = hashlimit_mt_check_v0,
829 .destroy = hashlimit_mt_destroy_v0,
830 .me = THIS_MODULE
831 },
832 {
833 .name = "hashlimit", 628 .name = "hashlimit",
834 .revision = 1, 629 .revision = 1,
835 .family = NFPROTO_IPV6, 630 .family = NFPROTO_IPV6,
@@ -888,12 +683,15 @@ static void dl_seq_stop(struct seq_file *s, void *v)
888static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family, 683static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
889 struct seq_file *s) 684 struct seq_file *s)
890{ 685{
686 int res;
687
688 spin_lock(&ent->lock);
891 /* recalculate to show accurate numbers */ 689 /* recalculate to show accurate numbers */
892 rateinfo_recalc(ent, jiffies); 690 rateinfo_recalc(ent, jiffies);
893 691
894 switch (family) { 692 switch (family) {
895 case NFPROTO_IPV4: 693 case NFPROTO_IPV4:
896 return seq_printf(s, "%ld %pI4:%u->%pI4:%u %u %u %u\n", 694 res = seq_printf(s, "%ld %pI4:%u->%pI4:%u %u %u %u\n",
897 (long)(ent->expires - jiffies)/HZ, 695 (long)(ent->expires - jiffies)/HZ,
898 &ent->dst.ip.src, 696 &ent->dst.ip.src,
899 ntohs(ent->dst.src_port), 697 ntohs(ent->dst.src_port),
@@ -901,9 +699,10 @@ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
901 ntohs(ent->dst.dst_port), 699 ntohs(ent->dst.dst_port),
902 ent->rateinfo.credit, ent->rateinfo.credit_cap, 700 ent->rateinfo.credit, ent->rateinfo.credit_cap,
903 ent->rateinfo.cost); 701 ent->rateinfo.cost);
702 break;
904#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE) 703#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
905 case NFPROTO_IPV6: 704 case NFPROTO_IPV6:
906 return seq_printf(s, "%ld %pI6:%u->%pI6:%u %u %u %u\n", 705 res = seq_printf(s, "%ld %pI6:%u->%pI6:%u %u %u %u\n",
907 (long)(ent->expires - jiffies)/HZ, 706 (long)(ent->expires - jiffies)/HZ,
908 &ent->dst.ip6.src, 707 &ent->dst.ip6.src,
909 ntohs(ent->dst.src_port), 708 ntohs(ent->dst.src_port),
@@ -911,11 +710,14 @@ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
911 ntohs(ent->dst.dst_port), 710 ntohs(ent->dst.dst_port),
912 ent->rateinfo.credit, ent->rateinfo.credit_cap, 711 ent->rateinfo.credit, ent->rateinfo.credit_cap,
913 ent->rateinfo.cost); 712 ent->rateinfo.cost);
713 break;
914#endif 714#endif
915 default: 715 default:
916 BUG(); 716 BUG();
917 return 0; 717 res = 0;
918 } 718 }
719 spin_unlock(&ent->lock);
720 return res;
919} 721}
920 722
921static int dl_seq_show(struct seq_file *s, void *v) 723static int dl_seq_show(struct seq_file *s, void *v)
@@ -1024,7 +826,7 @@ static int __init hashlimit_mt_init(void)
1024 sizeof(struct dsthash_ent), 0, 0, 826 sizeof(struct dsthash_ent), 0, 0,
1025 NULL); 827 NULL);
1026 if (!hashlimit_cachep) { 828 if (!hashlimit_cachep) {
1027 printk(KERN_ERR "xt_hashlimit: unable to create slab cache\n"); 829 pr_warning("unable to create slab cache\n");
1028 goto err2; 830 goto err2;
1029 } 831 }
1030 return 0; 832 return 0;
@@ -1039,9 +841,11 @@ err1:
1039 841
1040static void __exit hashlimit_mt_exit(void) 842static void __exit hashlimit_mt_exit(void)
1041{ 843{
1042 kmem_cache_destroy(hashlimit_cachep);
1043 xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg)); 844 xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg));
1044 unregister_pernet_subsys(&hashlimit_net_ops); 845 unregister_pernet_subsys(&hashlimit_net_ops);
846
847 rcu_barrier_bh();
848 kmem_cache_destroy(hashlimit_cachep);
1045} 849}
1046 850
1047module_init(hashlimit_mt_init); 851module_init(hashlimit_mt_init);
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 64fc7f277221..b8b3e13dc71e 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/module.h> 10#include <linux/module.h>
11#include <linux/skbuff.h> 11#include <linux/skbuff.h>
12#include <linux/netfilter.h> 12#include <linux/netfilter.h>
@@ -54,17 +54,19 @@ helper_mt(const struct sk_buff *skb, const struct xt_match_param *par)
54 return ret; 54 return ret;
55} 55}
56 56
57static bool helper_mt_check(const struct xt_mtchk_param *par) 57static int helper_mt_check(const struct xt_mtchk_param *par)
58{ 58{
59 struct xt_helper_info *info = par->matchinfo; 59 struct xt_helper_info *info = par->matchinfo;
60 int ret;
60 61
61 if (nf_ct_l3proto_try_module_get(par->family) < 0) { 62 ret = nf_ct_l3proto_try_module_get(par->family);
62 printk(KERN_WARNING "can't load conntrack support for " 63 if (ret < 0) {
63 "proto=%u\n", par->family); 64 pr_info("cannot load conntrack support for proto=%u\n",
64 return false; 65 par->family);
66 return ret;
65 } 67 }
66 info->name[29] = '\0'; 68 info->name[29] = '\0';
67 return true; 69 return 0;
68} 70}
69 71
70static void helper_mt_destroy(const struct xt_mtdtor_param *par) 72static void helper_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
index 7726154c87b2..be53f7299623 100644
--- a/net/netfilter/xt_hl.c
+++ b/net/netfilter/xt_hl.c
@@ -39,10 +39,6 @@ static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
39 return ttl < info->ttl; 39 return ttl < info->ttl;
40 case IPT_TTL_GT: 40 case IPT_TTL_GT:
41 return ttl > info->ttl; 41 return ttl > info->ttl;
42 default:
43 printk(KERN_WARNING "ipt_ttl: unknown mode %d\n",
44 info->mode);
45 return false;
46 } 42 }
47 43
48 return false; 44 return false;
@@ -56,20 +52,12 @@ static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
56 switch (info->mode) { 52 switch (info->mode) {
57 case IP6T_HL_EQ: 53 case IP6T_HL_EQ:
58 return ip6h->hop_limit == info->hop_limit; 54 return ip6h->hop_limit == info->hop_limit;
59 break;
60 case IP6T_HL_NE: 55 case IP6T_HL_NE:
61 return ip6h->hop_limit != info->hop_limit; 56 return ip6h->hop_limit != info->hop_limit;
62 break;
63 case IP6T_HL_LT: 57 case IP6T_HL_LT:
64 return ip6h->hop_limit < info->hop_limit; 58 return ip6h->hop_limit < info->hop_limit;
65 break;
66 case IP6T_HL_GT: 59 case IP6T_HL_GT:
67 return ip6h->hop_limit > info->hop_limit; 60 return ip6h->hop_limit > info->hop_limit;
68 break;
69 default:
70 printk(KERN_WARNING "ip6t_hl: unknown mode %d\n",
71 info->mode);
72 return false;
73 } 61 }
74 62
75 return false; 63 return false;
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index ffc96387d556..8471d9715bde 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -8,6 +8,7 @@
8 * it under the terms of the GNU General Public License version 2 as 8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation. 9 * published by the Free Software Foundation.
10 */ 10 */
11#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11#include <linux/module.h> 12#include <linux/module.h>
12#include <linux/skbuff.h> 13#include <linux/skbuff.h>
13#include <linux/ip.h> 14#include <linux/ip.h>
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index e5d7e1ffb1a4..88215dca19cb 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -5,6 +5,7 @@
5 * it under the terms of the GNU General Public License version 2 as 5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation. 6 * published by the Free Software Foundation.
7 */ 7 */
8#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
8 9
9#include <linux/slab.h> 10#include <linux/slab.h>
10#include <linux/module.h> 11#include <linux/module.h>
@@ -98,7 +99,7 @@ user2credits(u_int32_t user)
98 return (user * HZ * CREDITS_PER_JIFFY) / XT_LIMIT_SCALE; 99 return (user * HZ * CREDITS_PER_JIFFY) / XT_LIMIT_SCALE;
99} 100}
100 101
101static bool limit_mt_check(const struct xt_mtchk_param *par) 102static int limit_mt_check(const struct xt_mtchk_param *par)
102{ 103{
103 struct xt_rateinfo *r = par->matchinfo; 104 struct xt_rateinfo *r = par->matchinfo;
104 struct xt_limit_priv *priv; 105 struct xt_limit_priv *priv;
@@ -106,14 +107,14 @@ static bool limit_mt_check(const struct xt_mtchk_param *par)
106 /* Check for overflow. */ 107 /* Check for overflow. */
107 if (r->burst == 0 108 if (r->burst == 0
108 || user2credits(r->avg * r->burst) < user2credits(r->avg)) { 109 || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
109 printk("Overflow in xt_limit, try lower: %u/%u\n", 110 pr_info("Overflow, try lower: %u/%u\n",
110 r->avg, r->burst); 111 r->avg, r->burst);
111 return false; 112 return -ERANGE;
112 } 113 }
113 114
114 priv = kmalloc(sizeof(*priv), GFP_KERNEL); 115 priv = kmalloc(sizeof(*priv), GFP_KERNEL);
115 if (priv == NULL) 116 if (priv == NULL)
116 return false; 117 return -ENOMEM;
117 118
118 /* For SMP, we only want to use one set of state. */ 119 /* For SMP, we only want to use one set of state. */
119 r->master = priv; 120 r->master = priv;
@@ -125,7 +126,7 @@ static bool limit_mt_check(const struct xt_mtchk_param *par)
125 r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */ 126 r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */
126 r->cost = user2credits(r->avg); 127 r->cost = user2credits(r->avg);
127 } 128 }
128 return true; 129 return 0;
129} 130}
130 131
131static void limit_mt_destroy(const struct xt_mtdtor_param *par) 132static void limit_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index c2007116ce5b..b971ce93773e 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -10,6 +10,7 @@
10 10
11#include <linux/module.h> 11#include <linux/module.h>
12#include <linux/skbuff.h> 12#include <linux/skbuff.h>
13#include <linux/if_arp.h>
13#include <linux/if_ether.h> 14#include <linux/if_ether.h>
14#include <linux/etherdevice.h> 15#include <linux/etherdevice.h>
15 16
@@ -26,14 +27,18 @@ MODULE_ALIAS("ip6t_mac");
26 27
27static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par) 28static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
28{ 29{
29 const struct xt_mac_info *info = par->matchinfo; 30 const struct xt_mac_info *info = par->matchinfo;
30 31 bool ret;
31 /* Is mac pointer valid? */ 32
32 return skb_mac_header(skb) >= skb->head && 33 if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
33 skb_mac_header(skb) + ETH_HLEN <= skb->data 34 return false;
34 /* If so, compare... */ 35 if (skb_mac_header(skb) < skb->head)
35 && ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr)) 36 return false;
36 ^ info->invert); 37 if (skb_mac_header(skb) + ETH_HLEN > skb->data)
38 return false;
39 ret = compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr) == 0;
40 ret ^= info->invert;
41 return ret;
37} 42}
38 43
39static struct xt_match mac_mt_reg __read_mostly = { 44static struct xt_match mac_mt_reg __read_mostly = {
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 1db07d8125f8..035c468a0040 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -18,9 +18,20 @@
18 18
19MODULE_LICENSE("GPL"); 19MODULE_LICENSE("GPL");
20MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>"); 20MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
21MODULE_DESCRIPTION("Xtables: packet mark match"); 21MODULE_DESCRIPTION("Xtables: packet mark operations");
22MODULE_ALIAS("ipt_mark"); 22MODULE_ALIAS("ipt_mark");
23MODULE_ALIAS("ip6t_mark"); 23MODULE_ALIAS("ip6t_mark");
24MODULE_ALIAS("ipt_MARK");
25MODULE_ALIAS("ip6t_MARK");
26
27static unsigned int
28mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
29{
30 const struct xt_mark_tginfo2 *info = par->targinfo;
31
32 skb->mark = (skb->mark & ~info->mask) ^ info->mark;
33 return XT_CONTINUE;
34}
24 35
25static bool 36static bool
26mark_mt(const struct sk_buff *skb, const struct xt_match_param *par) 37mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
@@ -30,6 +41,15 @@ mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
30 return ((skb->mark & info->mask) == info->mark) ^ info->invert; 41 return ((skb->mark & info->mask) == info->mark) ^ info->invert;
31} 42}
32 43
44static struct xt_target mark_tg_reg __read_mostly = {
45 .name = "MARK",
46 .revision = 2,
47 .family = NFPROTO_UNSPEC,
48 .target = mark_tg,
49 .targetsize = sizeof(struct xt_mark_tginfo2),
50 .me = THIS_MODULE,
51};
52
33static struct xt_match mark_mt_reg __read_mostly = { 53static struct xt_match mark_mt_reg __read_mostly = {
34 .name = "mark", 54 .name = "mark",
35 .revision = 1, 55 .revision = 1,
@@ -41,12 +61,23 @@ static struct xt_match mark_mt_reg __read_mostly = {
41 61
42static int __init mark_mt_init(void) 62static int __init mark_mt_init(void)
43{ 63{
44 return xt_register_match(&mark_mt_reg); 64 int ret;
65
66 ret = xt_register_target(&mark_tg_reg);
67 if (ret < 0)
68 return ret;
69 ret = xt_register_match(&mark_mt_reg);
70 if (ret < 0) {
71 xt_unregister_target(&mark_tg_reg);
72 return ret;
73 }
74 return 0;
45} 75}
46 76
47static void __exit mark_mt_exit(void) 77static void __exit mark_mt_exit(void)
48{ 78{
49 xt_unregister_match(&mark_mt_reg); 79 xt_unregister_match(&mark_mt_reg);
80 xt_unregister_target(&mark_tg_reg);
50} 81}
51 82
52module_init(mark_mt_init); 83module_init(mark_mt_init);
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index d06bb2dd3900..83b77ceb264f 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -8,7 +8,7 @@
8 * it under the terms of the GNU General Public License version 2 as 8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation. 9 * published by the Free Software Foundation.
10 */ 10 */
11 11#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12#include <linux/module.h> 12#include <linux/module.h>
13#include <linux/types.h> 13#include <linux/types.h>
14#include <linux/udp.h> 14#include <linux/udp.h>
@@ -26,29 +26,6 @@ MODULE_DESCRIPTION("Xtables: multiple port matching for TCP, UDP, UDP-Lite, SCTP
26MODULE_ALIAS("ipt_multiport"); 26MODULE_ALIAS("ipt_multiport");
27MODULE_ALIAS("ip6t_multiport"); 27MODULE_ALIAS("ip6t_multiport");
28 28
29#if 0
30#define duprintf(format, args...) printk(format , ## args)
31#else
32#define duprintf(format, args...)
33#endif
34
35/* Returns 1 if the port is matched by the test, 0 otherwise. */
36static inline bool
37ports_match_v0(const u_int16_t *portlist, enum xt_multiport_flags flags,
38 u_int8_t count, u_int16_t src, u_int16_t dst)
39{
40 unsigned int i;
41 for (i = 0; i < count; i++) {
42 if (flags != XT_MULTIPORT_DESTINATION && portlist[i] == src)
43 return true;
44
45 if (flags != XT_MULTIPORT_SOURCE && portlist[i] == dst)
46 return true;
47 }
48
49 return false;
50}
51
52/* Returns 1 if the port is matched by the test, 0 otherwise. */ 29/* Returns 1 if the port is matched by the test, 0 otherwise. */
53static inline bool 30static inline bool
54ports_match_v1(const struct xt_multiport_v1 *minfo, 31ports_match_v1(const struct xt_multiport_v1 *minfo,
@@ -63,7 +40,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
63 if (minfo->pflags[i]) { 40 if (minfo->pflags[i]) {
64 /* range port matching */ 41 /* range port matching */
65 e = minfo->ports[++i]; 42 e = minfo->ports[++i];
66 duprintf("src or dst matches with %d-%d?\n", s, e); 43 pr_debug("src or dst matches with %d-%d?\n", s, e);
67 44
68 if (minfo->flags == XT_MULTIPORT_SOURCE 45 if (minfo->flags == XT_MULTIPORT_SOURCE
69 && src >= s && src <= e) 46 && src >= s && src <= e)
@@ -77,7 +54,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
77 return true ^ minfo->invert; 54 return true ^ minfo->invert;
78 } else { 55 } else {
79 /* exact port matching */ 56 /* exact port matching */
80 duprintf("src or dst matches with %d?\n", s); 57 pr_debug("src or dst matches with %d?\n", s);
81 58
82 if (minfo->flags == XT_MULTIPORT_SOURCE 59 if (minfo->flags == XT_MULTIPORT_SOURCE
83 && src == s) 60 && src == s)
@@ -95,30 +72,6 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
95} 72}
96 73
97static bool 74static bool
98multiport_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
99{
100 const __be16 *pptr;
101 __be16 _ports[2];
102 const struct xt_multiport *multiinfo = par->matchinfo;
103
104 if (par->fragoff != 0)
105 return false;
106
107 pptr = skb_header_pointer(skb, par->thoff, sizeof(_ports), _ports);
108 if (pptr == NULL) {
109 /* We've been asked to examine this packet, and we
110 * can't. Hence, no choice but to drop.
111 */
112 duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
113 *par->hotdrop = true;
114 return false;
115 }
116
117 return ports_match_v0(multiinfo->ports, multiinfo->flags,
118 multiinfo->count, ntohs(pptr[0]), ntohs(pptr[1]));
119}
120
121static bool
122multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par) 75multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
123{ 76{
124 const __be16 *pptr; 77 const __be16 *pptr;
@@ -133,7 +86,7 @@ multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
133 /* We've been asked to examine this packet, and we 86 /* We've been asked to examine this packet, and we
134 * can't. Hence, no choice but to drop. 87 * can't. Hence, no choice but to drop.
135 */ 88 */
136 duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n"); 89 pr_debug("Dropping evil offset=0 tinygram.\n");
137 *par->hotdrop = true; 90 *par->hotdrop = true;
138 return false; 91 return false;
139 } 92 }
@@ -158,16 +111,7 @@ check(u_int16_t proto,
158 && count <= XT_MULTI_PORTS; 111 && count <= XT_MULTI_PORTS;
159} 112}
160 113
161static bool multiport_mt_check_v0(const struct xt_mtchk_param *par) 114static int multiport_mt_check(const struct xt_mtchk_param *par)
162{
163 const struct ipt_ip *ip = par->entryinfo;
164 const struct xt_multiport *multiinfo = par->matchinfo;
165
166 return check(ip->proto, ip->invflags, multiinfo->flags,
167 multiinfo->count);
168}
169
170static bool multiport_mt_check(const struct xt_mtchk_param *par)
171{ 115{
172 const struct ipt_ip *ip = par->entryinfo; 116 const struct ipt_ip *ip = par->entryinfo;
173 const struct xt_multiport_v1 *multiinfo = par->matchinfo; 117 const struct xt_multiport_v1 *multiinfo = par->matchinfo;
@@ -176,16 +120,7 @@ static bool multiport_mt_check(const struct xt_mtchk_param *par)
176 multiinfo->count); 120 multiinfo->count);
177} 121}
178 122
179static bool multiport_mt6_check_v0(const struct xt_mtchk_param *par) 123static int multiport_mt6_check(const struct xt_mtchk_param *par)
180{
181 const struct ip6t_ip6 *ip = par->entryinfo;
182 const struct xt_multiport *multiinfo = par->matchinfo;
183
184 return check(ip->proto, ip->invflags, multiinfo->flags,
185 multiinfo->count);
186}
187
188static bool multiport_mt6_check(const struct xt_mtchk_param *par)
189{ 124{
190 const struct ip6t_ip6 *ip = par->entryinfo; 125 const struct ip6t_ip6 *ip = par->entryinfo;
191 const struct xt_multiport_v1 *multiinfo = par->matchinfo; 126 const struct xt_multiport_v1 *multiinfo = par->matchinfo;
@@ -198,15 +133,6 @@ static struct xt_match multiport_mt_reg[] __read_mostly = {
198 { 133 {
199 .name = "multiport", 134 .name = "multiport",
200 .family = NFPROTO_IPV4, 135 .family = NFPROTO_IPV4,
201 .revision = 0,
202 .checkentry = multiport_mt_check_v0,
203 .match = multiport_mt_v0,
204 .matchsize = sizeof(struct xt_multiport),
205 .me = THIS_MODULE,
206 },
207 {
208 .name = "multiport",
209 .family = NFPROTO_IPV4,
210 .revision = 1, 136 .revision = 1,
211 .checkentry = multiport_mt_check, 137 .checkentry = multiport_mt_check,
212 .match = multiport_mt, 138 .match = multiport_mt,
@@ -216,15 +142,6 @@ static struct xt_match multiport_mt_reg[] __read_mostly = {
216 { 142 {
217 .name = "multiport", 143 .name = "multiport",
218 .family = NFPROTO_IPV6, 144 .family = NFPROTO_IPV6,
219 .revision = 0,
220 .checkentry = multiport_mt6_check_v0,
221 .match = multiport_mt_v0,
222 .matchsize = sizeof(struct xt_multiport),
223 .me = THIS_MODULE,
224 },
225 {
226 .name = "multiport",
227 .family = NFPROTO_IPV6,
228 .revision = 1, 145 .revision = 1,
229 .checkentry = multiport_mt6_check, 146 .checkentry = multiport_mt6_check,
230 .match = multiport_mt, 147 .match = multiport_mt,
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index 4169e200588d..8dcde13a0781 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -16,7 +16,7 @@
16 * along with this program; if not, write to the Free Software 16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18 */ 18 */
19 19#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
20#include <linux/module.h> 20#include <linux/module.h>
21#include <linux/kernel.h> 21#include <linux/kernel.h>
22 22
@@ -382,14 +382,14 @@ static int __init xt_osf_init(void)
382 382
383 err = nfnetlink_subsys_register(&xt_osf_nfnetlink); 383 err = nfnetlink_subsys_register(&xt_osf_nfnetlink);
384 if (err < 0) { 384 if (err < 0) {
385 printk(KERN_ERR "Failed (%d) to register OSF nsfnetlink helper.\n", err); 385 pr_err("Failed to register OSF nsfnetlink helper (%d)\n", err);
386 goto err_out_exit; 386 goto err_out_exit;
387 } 387 }
388 388
389 err = xt_register_match(&xt_osf_match); 389 err = xt_register_match(&xt_osf_match);
390 if (err) { 390 if (err) {
391 printk(KERN_ERR "Failed (%d) to register OS fingerprint " 391 pr_err("Failed to register OS fingerprint "
392 "matching module.\n", err); 392 "matching module (%d)\n", err);
393 goto err_out_remove; 393 goto err_out_remove;
394 } 394 }
395 395
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 8d28ca5848bc..d0bdf3dd4d25 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -7,7 +7,7 @@
7 * it under the terms of the GNU General Public License version 2 as 7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation. 8 * published by the Free Software Foundation.
9 */ 9 */
10 10#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11#include <linux/module.h> 11#include <linux/module.h>
12#include <linux/skbuff.h> 12#include <linux/skbuff.h>
13#include <linux/netfilter_bridge.h> 13#include <linux/netfilter_bridge.h>
@@ -83,25 +83,25 @@ match_outdev:
83 return (!!ret ^ !(info->invert & XT_PHYSDEV_OP_OUT)); 83 return (!!ret ^ !(info->invert & XT_PHYSDEV_OP_OUT));
84} 84}
85 85
86static bool physdev_mt_check(const struct xt_mtchk_param *par) 86static int physdev_mt_check(const struct xt_mtchk_param *par)
87{ 87{
88 const struct xt_physdev_info *info = par->matchinfo; 88 const struct xt_physdev_info *info = par->matchinfo;
89 89
90 if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || 90 if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
91 info->bitmask & ~XT_PHYSDEV_OP_MASK) 91 info->bitmask & ~XT_PHYSDEV_OP_MASK)
92 return false; 92 return -EINVAL;
93 if (info->bitmask & XT_PHYSDEV_OP_OUT && 93 if (info->bitmask & XT_PHYSDEV_OP_OUT &&
94 (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) || 94 (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
95 info->invert & XT_PHYSDEV_OP_BRIDGED) && 95 info->invert & XT_PHYSDEV_OP_BRIDGED) &&
96 par->hook_mask & ((1 << NF_INET_LOCAL_OUT) | 96 par->hook_mask & ((1 << NF_INET_LOCAL_OUT) |
97 (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) { 97 (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) {
98 printk(KERN_WARNING "physdev match: using --physdev-out in the " 98 pr_info("using --physdev-out in the OUTPUT, FORWARD and "
99 "OUTPUT, FORWARD and POSTROUTING chains for non-bridged " 99 "POSTROUTING chains for non-bridged traffic is not "
100 "traffic is not supported anymore.\n"); 100 "supported anymore.\n");
101 if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) 101 if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
102 return false; 102 return -EINVAL;
103 } 103 }
104 return true; 104 return 0;
105} 105}
106 106
107static struct xt_match physdev_mt_reg __read_mostly = { 107static struct xt_match physdev_mt_reg __read_mostly = {
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 4cbfebda8fa1..1fa239c1fb93 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -6,7 +6,7 @@
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 */ 8 */
9 9#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10#include <linux/kernel.h> 10#include <linux/kernel.h>
11#include <linux/module.h> 11#include <linux/module.h>
12#include <linux/skbuff.h> 12#include <linux/skbuff.h>
@@ -116,9 +116,9 @@ policy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
116 int ret; 116 int ret;
117 117
118 if (info->flags & XT_POLICY_MATCH_IN) 118 if (info->flags & XT_POLICY_MATCH_IN)
119 ret = match_policy_in(skb, info, par->match->family); 119 ret = match_policy_in(skb, info, par->family);
120 else 120 else
121 ret = match_policy_out(skb, info, par->match->family); 121 ret = match_policy_out(skb, info, par->family);
122 122
123 if (ret < 0) 123 if (ret < 0)
124 ret = info->flags & XT_POLICY_MATCH_NONE ? true : false; 124 ret = info->flags & XT_POLICY_MATCH_NONE ? true : false;
@@ -128,32 +128,29 @@ policy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
128 return ret; 128 return ret;
129} 129}
130 130
131static bool policy_mt_check(const struct xt_mtchk_param *par) 131static int policy_mt_check(const struct xt_mtchk_param *par)
132{ 132{
133 const struct xt_policy_info *info = par->matchinfo; 133 const struct xt_policy_info *info = par->matchinfo;
134 134
135 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) { 135 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
136 printk(KERN_ERR "xt_policy: neither incoming nor " 136 pr_info("neither incoming nor outgoing policy selected\n");
137 "outgoing policy selected\n"); 137 return -EINVAL;
138 return false;
139 } 138 }
140 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) | 139 if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
141 (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) { 140 (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
142 printk(KERN_ERR "xt_policy: output policy not valid in " 141 pr_info("output policy not valid in PREROUTING and INPUT\n");
143 "PRE_ROUTING and INPUT\n"); 142 return -EINVAL;
144 return false;
145 } 143 }
146 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) | 144 if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
147 (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) { 145 (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
148 printk(KERN_ERR "xt_policy: input policy not valid in " 146 pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
149 "POST_ROUTING and OUTPUT\n"); 147 return -EINVAL;
150 return false;
151 } 148 }
152 if (info->len > XT_POLICY_MAX_ELEM) { 149 if (info->len > XT_POLICY_MAX_ELEM) {
153 printk(KERN_ERR "xt_policy: too many policy elements\n"); 150 pr_info("too many policy elements\n");
154 return false; 151 return -EINVAL;
155 } 152 }
156 return true; 153 return 0;
157} 154}
158 155
159static struct xt_match policy_mt_reg[] __read_mostly = { 156static struct xt_match policy_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 2d5562498c43..7c95d69f6f06 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -44,19 +44,19 @@ quota_mt(const struct sk_buff *skb, const struct xt_match_param *par)
44 return ret; 44 return ret;
45} 45}
46 46
47static bool quota_mt_check(const struct xt_mtchk_param *par) 47static int quota_mt_check(const struct xt_mtchk_param *par)
48{ 48{
49 struct xt_quota_info *q = par->matchinfo; 49 struct xt_quota_info *q = par->matchinfo;
50 50
51 if (q->flags & ~XT_QUOTA_MASK) 51 if (q->flags & ~XT_QUOTA_MASK)
52 return false; 52 return -EINVAL;
53 53
54 q->master = kmalloc(sizeof(*q->master), GFP_KERNEL); 54 q->master = kmalloc(sizeof(*q->master), GFP_KERNEL);
55 if (q->master == NULL) 55 if (q->master == NULL)
56 return false; 56 return -ENOMEM;
57 57
58 q->master->quota = q->quota; 58 q->master->quota = q->quota;
59 return true; 59 return 0;
60} 60}
61 61
62static void quota_mt_destroy(const struct xt_mtdtor_param *par) 62static void quota_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 4fc6a917f6de..23805f8a444b 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -74,10 +74,11 @@ xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par)
74 return ret; 74 return ret;
75} 75}
76 76
77static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par) 77static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
78{ 78{
79 struct xt_rateest_match_info *info = par->matchinfo; 79 struct xt_rateest_match_info *info = par->matchinfo;
80 struct xt_rateest *est1, *est2; 80 struct xt_rateest *est1, *est2;
81 int ret = false;
81 82
82 if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS | 83 if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
83 XT_RATEEST_MATCH_REL)) != 1) 84 XT_RATEEST_MATCH_REL)) != 1)
@@ -95,6 +96,7 @@ static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
95 goto err1; 96 goto err1;
96 } 97 }
97 98
99 ret = -ENOENT;
98 est1 = xt_rateest_lookup(info->name1); 100 est1 = xt_rateest_lookup(info->name1);
99 if (!est1) 101 if (!est1)
100 goto err1; 102 goto err1;
@@ -109,12 +111,12 @@ static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
109 111
110 info->est1 = est1; 112 info->est1 = est1;
111 info->est2 = est2; 113 info->est2 = est2;
112 return true; 114 return 0;
113 115
114err2: 116err2:
115 xt_rateest_put(est1); 117 xt_rateest_put(est1);
116err1: 118err1:
117 return false; 119 return -EINVAL;
118} 120}
119 121
120static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par) 122static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 834b736857cb..b88d63b9c76a 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -12,6 +12,7 @@
12 * Author: Stephen Frost <sfrost@snowman.net> 12 * Author: Stephen Frost <sfrost@snowman.net>
13 * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org 13 * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
14 */ 14 */
15#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15#include <linux/init.h> 16#include <linux/init.h>
16#include <linux/ip.h> 17#include <linux/ip.h>
17#include <linux/ipv6.h> 18#include <linux/ipv6.h>
@@ -35,8 +36,8 @@
35#include <linux/netfilter/xt_recent.h> 36#include <linux/netfilter/xt_recent.h>
36 37
37MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 38MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
38MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>"); 39MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
39MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4"); 40MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching");
40MODULE_LICENSE("GPL"); 41MODULE_LICENSE("GPL");
41MODULE_ALIAS("ipt_recent"); 42MODULE_ALIAS("ipt_recent");
42MODULE_ALIAS("ip6t_recent"); 43MODULE_ALIAS("ip6t_recent");
@@ -51,14 +52,14 @@ module_param(ip_list_tot, uint, 0400);
51module_param(ip_pkt_list_tot, uint, 0400); 52module_param(ip_pkt_list_tot, uint, 0400);
52module_param(ip_list_hash_size, uint, 0400); 53module_param(ip_list_hash_size, uint, 0400);
53module_param(ip_list_perms, uint, 0400); 54module_param(ip_list_perms, uint, 0400);
54module_param(ip_list_uid, uint, 0400); 55module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
55module_param(ip_list_gid, uint, 0400); 56module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
56MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list"); 57MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
57MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)"); 58MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)");
58MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs"); 59MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
59MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files"); 60MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
60MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files"); 61MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
61MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files"); 62MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
62 63
63struct recent_entry { 64struct recent_entry {
64 struct list_head list; 65 struct list_head list;
@@ -84,9 +85,6 @@ struct recent_net {
84 struct list_head tables; 85 struct list_head tables;
85#ifdef CONFIG_PROC_FS 86#ifdef CONFIG_PROC_FS
86 struct proc_dir_entry *xt_recent; 87 struct proc_dir_entry *xt_recent;
87#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
88 struct proc_dir_entry *ipt_recent;
89#endif
90#endif 88#endif
91}; 89};
92 90
@@ -147,6 +145,25 @@ static void recent_entry_remove(struct recent_table *t, struct recent_entry *e)
147 t->entries--; 145 t->entries--;
148} 146}
149 147
148/*
149 * Drop entries with timestamps older then 'time'.
150 */
151static void recent_entry_reap(struct recent_table *t, unsigned long time)
152{
153 struct recent_entry *e;
154
155 /*
156 * The head of the LRU list is always the oldest entry.
157 */
158 e = list_entry(t->lru_list.next, struct recent_entry, lru_list);
159
160 /*
161 * The last time stamp is the most recent.
162 */
163 if (time_after(time, e->stamps[e->index-1]))
164 recent_entry_remove(t, e);
165}
166
150static struct recent_entry * 167static struct recent_entry *
151recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr, 168recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr,
152 u_int16_t family, u_int8_t ttl) 169 u_int16_t family, u_int8_t ttl)
@@ -218,7 +235,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
218 u_int8_t ttl; 235 u_int8_t ttl;
219 bool ret = info->invert; 236 bool ret = info->invert;
220 237
221 if (par->match->family == NFPROTO_IPV4) { 238 if (par->family == NFPROTO_IPV4) {
222 const struct iphdr *iph = ip_hdr(skb); 239 const struct iphdr *iph = ip_hdr(skb);
223 240
224 if (info->side == XT_RECENT_DEST) 241 if (info->side == XT_RECENT_DEST)
@@ -244,12 +261,12 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
244 261
245 spin_lock_bh(&recent_lock); 262 spin_lock_bh(&recent_lock);
246 t = recent_table_lookup(recent_net, info->name); 263 t = recent_table_lookup(recent_net, info->name);
247 e = recent_entry_lookup(t, &addr, par->match->family, 264 e = recent_entry_lookup(t, &addr, par->family,
248 (info->check_set & XT_RECENT_TTL) ? ttl : 0); 265 (info->check_set & XT_RECENT_TTL) ? ttl : 0);
249 if (e == NULL) { 266 if (e == NULL) {
250 if (!(info->check_set & XT_RECENT_SET)) 267 if (!(info->check_set & XT_RECENT_SET))
251 goto out; 268 goto out;
252 e = recent_entry_init(t, &addr, par->match->family, ttl); 269 e = recent_entry_init(t, &addr, par->family, ttl);
253 if (e == NULL) 270 if (e == NULL)
254 *par->hotdrop = true; 271 *par->hotdrop = true;
255 ret = !ret; 272 ret = !ret;
@@ -273,6 +290,10 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
273 break; 290 break;
274 } 291 }
275 } 292 }
293
294 /* info->seconds must be non-zero */
295 if (info->check_set & XT_RECENT_REAP)
296 recent_entry_reap(t, time);
276 } 297 }
277 298
278 if (info->check_set & XT_RECENT_SET || 299 if (info->check_set & XT_RECENT_SET ||
@@ -285,7 +306,7 @@ out:
285 return ret; 306 return ret;
286} 307}
287 308
288static bool recent_mt_check(const struct xt_mtchk_param *par) 309static int recent_mt_check(const struct xt_mtchk_param *par)
289{ 310{
290 struct recent_net *recent_net = recent_pernet(par->net); 311 struct recent_net *recent_net = recent_pernet(par->net);
291 const struct xt_recent_mtinfo *info = par->matchinfo; 312 const struct xt_recent_mtinfo *info = par->matchinfo;
@@ -294,41 +315,51 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
294 struct proc_dir_entry *pde; 315 struct proc_dir_entry *pde;
295#endif 316#endif
296 unsigned i; 317 unsigned i;
297 bool ret = false; 318 int ret = -EINVAL;
298 319
299 if (unlikely(!hash_rnd_inited)) { 320 if (unlikely(!hash_rnd_inited)) {
300 get_random_bytes(&hash_rnd, sizeof(hash_rnd)); 321 get_random_bytes(&hash_rnd, sizeof(hash_rnd));
301 hash_rnd_inited = true; 322 hash_rnd_inited = true;
302 } 323 }
324 if (info->check_set & ~XT_RECENT_VALID_FLAGS) {
325 pr_info("Unsupported user space flags (%08x)\n",
326 info->check_set);
327 return -EINVAL;
328 }
303 if (hweight8(info->check_set & 329 if (hweight8(info->check_set &
304 (XT_RECENT_SET | XT_RECENT_REMOVE | 330 (XT_RECENT_SET | XT_RECENT_REMOVE |
305 XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1) 331 XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1)
306 return false; 332 return -EINVAL;
307 if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) && 333 if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) &&
308 (info->seconds || info->hit_count)) 334 (info->seconds || info->hit_count ||
309 return false; 335 (info->check_set & XT_RECENT_MODIFIERS)))
336 return -EINVAL;
337 if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
338 return -EINVAL;
310 if (info->hit_count > ip_pkt_list_tot) { 339 if (info->hit_count > ip_pkt_list_tot) {
311 pr_info(KBUILD_MODNAME ": hitcount (%u) is larger than " 340 pr_info("hitcount (%u) is larger than "
312 "packets to be remembered (%u)\n", 341 "packets to be remembered (%u)\n",
313 info->hit_count, ip_pkt_list_tot); 342 info->hit_count, ip_pkt_list_tot);
314 return false; 343 return -EINVAL;
315 } 344 }
316 if (info->name[0] == '\0' || 345 if (info->name[0] == '\0' ||
317 strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN) 346 strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
318 return false; 347 return -EINVAL;
319 348
320 mutex_lock(&recent_mutex); 349 mutex_lock(&recent_mutex);
321 t = recent_table_lookup(recent_net, info->name); 350 t = recent_table_lookup(recent_net, info->name);
322 if (t != NULL) { 351 if (t != NULL) {
323 t->refcnt++; 352 t->refcnt++;
324 ret = true; 353 ret = 0;
325 goto out; 354 goto out;
326 } 355 }
327 356
328 t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size, 357 t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size,
329 GFP_KERNEL); 358 GFP_KERNEL);
330 if (t == NULL) 359 if (t == NULL) {
360 ret = -ENOMEM;
331 goto out; 361 goto out;
362 }
332 t->refcnt = 1; 363 t->refcnt = 1;
333 strcpy(t->name, info->name); 364 strcpy(t->name, info->name);
334 INIT_LIST_HEAD(&t->lru_list); 365 INIT_LIST_HEAD(&t->lru_list);
@@ -339,26 +370,16 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
339 &recent_mt_fops, t); 370 &recent_mt_fops, t);
340 if (pde == NULL) { 371 if (pde == NULL) {
341 kfree(t); 372 kfree(t);
342 goto out; 373 ret = -ENOMEM;
343 }
344 pde->uid = ip_list_uid;
345 pde->gid = ip_list_gid;
346#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
347 pde = proc_create_data(t->name, ip_list_perms, recent_net->ipt_recent,
348 &recent_old_fops, t);
349 if (pde == NULL) {
350 remove_proc_entry(t->name, recent_net->xt_recent);
351 kfree(t);
352 goto out; 374 goto out;
353 } 375 }
354 pde->uid = ip_list_uid; 376 pde->uid = ip_list_uid;
355 pde->gid = ip_list_gid; 377 pde->gid = ip_list_gid;
356#endif 378#endif
357#endif
358 spin_lock_bh(&recent_lock); 379 spin_lock_bh(&recent_lock);
359 list_add_tail(&t->list, &recent_net->tables); 380 list_add_tail(&t->list, &recent_net->tables);
360 spin_unlock_bh(&recent_lock); 381 spin_unlock_bh(&recent_lock);
361 ret = true; 382 ret = 0;
362out: 383out:
363 mutex_unlock(&recent_mutex); 384 mutex_unlock(&recent_mutex);
364 return ret; 385 return ret;
@@ -377,9 +398,6 @@ static void recent_mt_destroy(const struct xt_mtdtor_param *par)
377 list_del(&t->list); 398 list_del(&t->list);
378 spin_unlock_bh(&recent_lock); 399 spin_unlock_bh(&recent_lock);
379#ifdef CONFIG_PROC_FS 400#ifdef CONFIG_PROC_FS
380#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
381 remove_proc_entry(t->name, recent_net->ipt_recent);
382#endif
383 remove_proc_entry(t->name, recent_net->xt_recent); 401 remove_proc_entry(t->name, recent_net->xt_recent);
384#endif 402#endif
385 recent_table_flush(t); 403 recent_table_flush(t);
@@ -471,84 +489,6 @@ static int recent_seq_open(struct inode *inode, struct file *file)
471 return 0; 489 return 0;
472} 490}
473 491
474#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
475static int recent_old_seq_open(struct inode *inode, struct file *filp)
476{
477 static bool warned_of_old;
478
479 if (unlikely(!warned_of_old)) {
480 printk(KERN_INFO KBUILD_MODNAME ": Use of /proc/net/ipt_recent"
481 " is deprecated; use /proc/net/xt_recent.\n");
482 warned_of_old = true;
483 }
484 return recent_seq_open(inode, filp);
485}
486
487static ssize_t recent_old_proc_write(struct file *file,
488 const char __user *input,
489 size_t size, loff_t *loff)
490{
491 const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
492 struct recent_table *t = pde->data;
493 struct recent_entry *e;
494 char buf[sizeof("+255.255.255.255")], *c = buf;
495 union nf_inet_addr addr = {};
496 int add;
497
498 if (size > sizeof(buf))
499 size = sizeof(buf);
500 if (copy_from_user(buf, input, size))
501 return -EFAULT;
502
503 c = skip_spaces(c);
504
505 if (size - (c - buf) < 5)
506 return c - buf;
507 if (!strncmp(c, "clear", 5)) {
508 c += 5;
509 spin_lock_bh(&recent_lock);
510 recent_table_flush(t);
511 spin_unlock_bh(&recent_lock);
512 return c - buf;
513 }
514
515 switch (*c) {
516 case '-':
517 add = 0;
518 c++;
519 break;
520 case '+':
521 c++;
522 default:
523 add = 1;
524 break;
525 }
526 addr.ip = in_aton(c);
527
528 spin_lock_bh(&recent_lock);
529 e = recent_entry_lookup(t, &addr, NFPROTO_IPV4, 0);
530 if (e == NULL) {
531 if (add)
532 recent_entry_init(t, &addr, NFPROTO_IPV4, 0);
533 } else {
534 if (add)
535 recent_entry_update(t, e);
536 else
537 recent_entry_remove(t, e);
538 }
539 spin_unlock_bh(&recent_lock);
540 return size;
541}
542
543static const struct file_operations recent_old_fops = {
544 .open = recent_old_seq_open,
545 .read = seq_read,
546 .write = recent_old_proc_write,
547 .release = seq_release_private,
548 .owner = THIS_MODULE,
549};
550#endif
551
552static ssize_t 492static ssize_t
553recent_mt_proc_write(struct file *file, const char __user *input, 493recent_mt_proc_write(struct file *file, const char __user *input,
554 size_t size, loff_t *loff) 494 size_t size, loff_t *loff)
@@ -585,7 +525,7 @@ recent_mt_proc_write(struct file *file, const char __user *input,
585 add = true; 525 add = true;
586 break; 526 break;
587 default: 527 default:
588 printk(KERN_INFO KBUILD_MODNAME ": Need +ip, -ip or /\n"); 528 pr_info("Need \"+ip\", \"-ip\" or \"/\"\n");
589 return -EINVAL; 529 return -EINVAL;
590 } 530 }
591 531
@@ -600,8 +540,7 @@ recent_mt_proc_write(struct file *file, const char __user *input,
600 } 540 }
601 541
602 if (!succ) { 542 if (!succ) {
603 printk(KERN_INFO KBUILD_MODNAME ": illegal address written " 543 pr_info("illegal address written to procfs\n");
604 "to procfs\n");
605 return -EINVAL; 544 return -EINVAL;
606 } 545 }
607 546
@@ -637,21 +576,11 @@ static int __net_init recent_proc_net_init(struct net *net)
637 recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net); 576 recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net);
638 if (!recent_net->xt_recent) 577 if (!recent_net->xt_recent)
639 return -ENOMEM; 578 return -ENOMEM;
640#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
641 recent_net->ipt_recent = proc_mkdir("ipt_recent", net->proc_net);
642 if (!recent_net->ipt_recent) {
643 proc_net_remove(net, "xt_recent");
644 return -ENOMEM;
645 }
646#endif
647 return 0; 579 return 0;
648} 580}
649 581
650static void __net_exit recent_proc_net_exit(struct net *net) 582static void __net_exit recent_proc_net_exit(struct net *net)
651{ 583{
652#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
653 proc_net_remove(net, "ipt_recent");
654#endif
655 proc_net_remove(net, "xt_recent"); 584 proc_net_remove(net, "xt_recent");
656} 585}
657#else 586#else
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index a189ada9128f..c3694df54672 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -1,3 +1,4 @@
1#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
1#include <linux/module.h> 2#include <linux/module.h>
2#include <linux/skbuff.h> 3#include <linux/skbuff.h>
3#include <net/ip.h> 4#include <net/ip.h>
@@ -15,12 +16,6 @@ MODULE_DESCRIPTION("Xtables: SCTP protocol packet match");
15MODULE_ALIAS("ipt_sctp"); 16MODULE_ALIAS("ipt_sctp");
16MODULE_ALIAS("ip6t_sctp"); 17MODULE_ALIAS("ip6t_sctp");
17 18
18#ifdef DEBUG_SCTP
19#define duprintf(format, args...) printk(format , ## args)
20#else
21#define duprintf(format, args...)
22#endif
23
24#define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \ 19#define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
25 || (!!((invflag) & (option)) ^ (cond))) 20 || (!!((invflag) & (option)) ^ (cond)))
26 21
@@ -52,7 +47,7 @@ match_packet(const struct sk_buff *skb,
52 const struct xt_sctp_flag_info *flag_info = info->flag_info; 47 const struct xt_sctp_flag_info *flag_info = info->flag_info;
53 int flag_count = info->flag_count; 48 int flag_count = info->flag_count;
54 49
55#ifdef DEBUG_SCTP 50#ifdef DEBUG
56 int i = 0; 51 int i = 0;
57#endif 52#endif
58 53
@@ -62,17 +57,19 @@ match_packet(const struct sk_buff *skb,
62 do { 57 do {
63 sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch); 58 sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
64 if (sch == NULL || sch->length == 0) { 59 if (sch == NULL || sch->length == 0) {
65 duprintf("Dropping invalid SCTP packet.\n"); 60 pr_debug("Dropping invalid SCTP packet.\n");
66 *hotdrop = true; 61 *hotdrop = true;
67 return false; 62 return false;
68 } 63 }
69 64#ifdef DEBUG
70 duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n", 65 pr_debug("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d"
71 ++i, offset, sch->type, htons(sch->length), sch->flags); 66 "\tflags: %x\n",
72 67 ++i, offset, sch->type, htons(sch->length),
68 sch->flags);
69#endif
73 offset += (ntohs(sch->length) + 3) & ~3; 70 offset += (ntohs(sch->length) + 3) & ~3;
74 71
75 duprintf("skb->len: %d\toffset: %d\n", skb->len, offset); 72 pr_debug("skb->len: %d\toffset: %d\n", skb->len, offset);
76 73
77 if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) { 74 if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) {
78 switch (chunk_match_type) { 75 switch (chunk_match_type) {
@@ -124,17 +121,17 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
124 sctp_sctphdr_t _sh; 121 sctp_sctphdr_t _sh;
125 122
126 if (par->fragoff != 0) { 123 if (par->fragoff != 0) {
127 duprintf("Dropping non-first fragment.. FIXME\n"); 124 pr_debug("Dropping non-first fragment.. FIXME\n");
128 return false; 125 return false;
129 } 126 }
130 127
131 sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh); 128 sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
132 if (sh == NULL) { 129 if (sh == NULL) {
133 duprintf("Dropping evil TCP offset=0 tinygram.\n"); 130 pr_debug("Dropping evil TCP offset=0 tinygram.\n");
134 *par->hotdrop = true; 131 *par->hotdrop = true;
135 return false; 132 return false;
136 } 133 }
137 duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); 134 pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
138 135
139 return SCCHECK(ntohs(sh->source) >= info->spts[0] 136 return SCCHECK(ntohs(sh->source) >= info->spts[0]
140 && ntohs(sh->source) <= info->spts[1], 137 && ntohs(sh->source) <= info->spts[1],
@@ -147,18 +144,22 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
147 XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); 144 XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
148} 145}
149 146
150static bool sctp_mt_check(const struct xt_mtchk_param *par) 147static int sctp_mt_check(const struct xt_mtchk_param *par)
151{ 148{
152 const struct xt_sctp_info *info = par->matchinfo; 149 const struct xt_sctp_info *info = par->matchinfo;
153 150
154 return !(info->flags & ~XT_SCTP_VALID_FLAGS) 151 if (info->flags & ~XT_SCTP_VALID_FLAGS)
155 && !(info->invflags & ~XT_SCTP_VALID_FLAGS) 152 return -EINVAL;
156 && !(info->invflags & ~info->flags) 153 if (info->invflags & ~XT_SCTP_VALID_FLAGS)
157 && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) || 154 return -EINVAL;
158 (info->chunk_match_type & 155 if (info->invflags & ~info->flags)
159 (SCTP_CHUNK_MATCH_ALL 156 return -EINVAL;
160 | SCTP_CHUNK_MATCH_ANY 157 if (!(info->flags & XT_SCTP_CHUNK_TYPES))
161 | SCTP_CHUNK_MATCH_ONLY))); 158 return 0;
159 if (info->chunk_match_type & (SCTP_CHUNK_MATCH_ALL |
160 SCTP_CHUNK_MATCH_ANY | SCTP_CHUNK_MATCH_ONLY))
161 return 0;
162 return -EINVAL;
162} 163}
163 164
164static struct xt_match sctp_mt_reg[] __read_mostly = { 165static struct xt_match sctp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 6a902564d24f..a9b16867e1f7 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -9,7 +9,7 @@
9 * published by the Free Software Foundation. 9 * published by the Free Software Foundation.
10 * 10 *
11 */ 11 */
12 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/skbuff.h> 14#include <linux/skbuff.h>
15#include <linux/netfilter/x_tables.h> 15#include <linux/netfilter/x_tables.h>
@@ -165,8 +165,7 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
165 sk = NULL; 165 sk = NULL;
166 } 166 }
167 167
168 pr_debug("socket match: proto %u %08x:%u -> %08x:%u " 168 pr_debug("proto %u %08x:%u -> %08x:%u (orig %08x:%u) sock %p\n",
169 "(orig %08x:%u) sock %p\n",
170 protocol, ntohl(saddr), ntohs(sport), 169 protocol, ntohl(saddr), ntohs(sport),
171 ntohl(daddr), ntohs(dport), 170 ntohl(daddr), ntohs(dport),
172 ntohl(iph->daddr), hp ? ntohs(hp->dest) : 0, sk); 171 ntohl(iph->daddr), hp ? ntohs(hp->dest) : 0, sk);
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 4c946cbd731f..bb1271852d50 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -37,50 +37,40 @@ state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
37 return (sinfo->statemask & statebit); 37 return (sinfo->statemask & statebit);
38} 38}
39 39
40static bool state_mt_check(const struct xt_mtchk_param *par) 40static int state_mt_check(const struct xt_mtchk_param *par)
41{ 41{
42 if (nf_ct_l3proto_try_module_get(par->match->family) < 0) { 42 int ret;
43 printk(KERN_WARNING "can't load conntrack support for " 43
44 "proto=%u\n", par->match->family); 44 ret = nf_ct_l3proto_try_module_get(par->family);
45 return false; 45 if (ret < 0)
46 } 46 pr_info("cannot load conntrack support for proto=%u\n",
47 return true; 47 par->family);
48 return ret;
48} 49}
49 50
50static void state_mt_destroy(const struct xt_mtdtor_param *par) 51static void state_mt_destroy(const struct xt_mtdtor_param *par)
51{ 52{
52 nf_ct_l3proto_module_put(par->match->family); 53 nf_ct_l3proto_module_put(par->family);
53} 54}
54 55
55static struct xt_match state_mt_reg[] __read_mostly = { 56static struct xt_match state_mt_reg __read_mostly = {
56 { 57 .name = "state",
57 .name = "state", 58 .family = NFPROTO_UNSPEC,
58 .family = NFPROTO_IPV4, 59 .checkentry = state_mt_check,
59 .checkentry = state_mt_check, 60 .match = state_mt,
60 .match = state_mt, 61 .destroy = state_mt_destroy,
61 .destroy = state_mt_destroy, 62 .matchsize = sizeof(struct xt_state_info),
62 .matchsize = sizeof(struct xt_state_info), 63 .me = THIS_MODULE,
63 .me = THIS_MODULE,
64 },
65 {
66 .name = "state",
67 .family = NFPROTO_IPV6,
68 .checkentry = state_mt_check,
69 .match = state_mt,
70 .destroy = state_mt_destroy,
71 .matchsize = sizeof(struct xt_state_info),
72 .me = THIS_MODULE,
73 },
74}; 64};
75 65
76static int __init state_mt_init(void) 66static int __init state_mt_init(void)
77{ 67{
78 return xt_register_matches(state_mt_reg, ARRAY_SIZE(state_mt_reg)); 68 return xt_register_match(&state_mt_reg);
79} 69}
80 70
81static void __exit state_mt_exit(void) 71static void __exit state_mt_exit(void)
82{ 72{
83 xt_unregister_matches(state_mt_reg, ARRAY_SIZE(state_mt_reg)); 73 xt_unregister_match(&state_mt_reg);
84} 74}
85 75
86module_init(state_mt_init); 76module_init(state_mt_init);
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 937ce0633e99..5aeca1d023d8 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -53,22 +53,20 @@ statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par)
53 return ret; 53 return ret;
54} 54}
55 55
56static bool statistic_mt_check(const struct xt_mtchk_param *par) 56static int statistic_mt_check(const struct xt_mtchk_param *par)
57{ 57{
58 struct xt_statistic_info *info = par->matchinfo; 58 struct xt_statistic_info *info = par->matchinfo;
59 59
60 if (info->mode > XT_STATISTIC_MODE_MAX || 60 if (info->mode > XT_STATISTIC_MODE_MAX ||
61 info->flags & ~XT_STATISTIC_MASK) 61 info->flags & ~XT_STATISTIC_MASK)
62 return false; 62 return -EINVAL;
63 63
64 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL); 64 info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
65 if (info->master == NULL) { 65 if (info->master == NULL)
66 printk(KERN_ERR KBUILD_MODNAME ": Out of memory\n"); 66 return -ENOMEM;
67 return false;
68 }
69 info->master->count = info->u.nth.count; 67 info->master->count = info->u.nth.count;
70 68
71 return true; 69 return 0;
72} 70}
73 71
74static void statistic_mt_destroy(const struct xt_mtdtor_param *par) 72static void statistic_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 96801ffd8af8..f6d5112175e6 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -27,12 +27,10 @@ string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
27{ 27{
28 const struct xt_string_info *conf = par->matchinfo; 28 const struct xt_string_info *conf = par->matchinfo;
29 struct ts_state state; 29 struct ts_state state;
30 int invert; 30 bool invert;
31 31
32 memset(&state, 0, sizeof(struct ts_state)); 32 memset(&state, 0, sizeof(struct ts_state));
33 33 invert = conf->u.v1.flags & XT_STRING_FLAG_INVERT;
34 invert = (par->match->revision == 0 ? conf->u.v0.invert :
35 conf->u.v1.flags & XT_STRING_FLAG_INVERT);
36 34
37 return (skb_find_text((struct sk_buff *)skb, conf->from_offset, 35 return (skb_find_text((struct sk_buff *)skb, conf->from_offset,
38 conf->to_offset, conf->config, &state) 36 conf->to_offset, conf->config, &state)
@@ -41,7 +39,7 @@ string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
41 39
42#define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m)) 40#define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m))
43 41
44static bool string_mt_check(const struct xt_mtchk_param *par) 42static int string_mt_check(const struct xt_mtchk_param *par)
45{ 43{
46 struct xt_string_info *conf = par->matchinfo; 44 struct xt_string_info *conf = par->matchinfo;
47 struct ts_config *ts_conf; 45 struct ts_config *ts_conf;
@@ -49,26 +47,23 @@ static bool string_mt_check(const struct xt_mtchk_param *par)
49 47
50 /* Damn, can't handle this case properly with iptables... */ 48 /* Damn, can't handle this case properly with iptables... */
51 if (conf->from_offset > conf->to_offset) 49 if (conf->from_offset > conf->to_offset)
52 return false; 50 return -EINVAL;
53 if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0') 51 if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
54 return false; 52 return -EINVAL;
55 if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE) 53 if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
56 return false; 54 return -EINVAL;
57 if (par->match->revision == 1) { 55 if (conf->u.v1.flags &
58 if (conf->u.v1.flags & 56 ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT))
59 ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT)) 57 return -EINVAL;
60 return false; 58 if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
61 if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE) 59 flags |= TS_IGNORECASE;
62 flags |= TS_IGNORECASE;
63 }
64 ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen, 60 ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
65 GFP_KERNEL, flags); 61 GFP_KERNEL, flags);
66 if (IS_ERR(ts_conf)) 62 if (IS_ERR(ts_conf))
67 return false; 63 return PTR_ERR(ts_conf);
68 64
69 conf->config = ts_conf; 65 conf->config = ts_conf;
70 66 return 0;
71 return true;
72} 67}
73 68
74static void string_mt_destroy(const struct xt_mtdtor_param *par) 69static void string_mt_destroy(const struct xt_mtdtor_param *par)
@@ -76,38 +71,25 @@ static void string_mt_destroy(const struct xt_mtdtor_param *par)
76 textsearch_destroy(STRING_TEXT_PRIV(par->matchinfo)->config); 71 textsearch_destroy(STRING_TEXT_PRIV(par->matchinfo)->config);
77} 72}
78 73
79static struct xt_match xt_string_mt_reg[] __read_mostly = { 74static struct xt_match xt_string_mt_reg __read_mostly = {
80 { 75 .name = "string",
81 .name = "string", 76 .revision = 1,
82 .revision = 0, 77 .family = NFPROTO_UNSPEC,
83 .family = NFPROTO_UNSPEC, 78 .checkentry = string_mt_check,
84 .checkentry = string_mt_check, 79 .match = string_mt,
85 .match = string_mt, 80 .destroy = string_mt_destroy,
86 .destroy = string_mt_destroy, 81 .matchsize = sizeof(struct xt_string_info),
87 .matchsize = sizeof(struct xt_string_info), 82 .me = THIS_MODULE,
88 .me = THIS_MODULE
89 },
90 {
91 .name = "string",
92 .revision = 1,
93 .family = NFPROTO_UNSPEC,
94 .checkentry = string_mt_check,
95 .match = string_mt,
96 .destroy = string_mt_destroy,
97 .matchsize = sizeof(struct xt_string_info),
98 .me = THIS_MODULE
99 },
100}; 83};
101 84
102static int __init string_mt_init(void) 85static int __init string_mt_init(void)
103{ 86{
104 return xt_register_matches(xt_string_mt_reg, 87 return xt_register_match(&xt_string_mt_reg);
105 ARRAY_SIZE(xt_string_mt_reg));
106} 88}
107 89
108static void __exit string_mt_exit(void) 90static void __exit string_mt_exit(void)
109{ 91{
110 xt_unregister_matches(xt_string_mt_reg, ARRAY_SIZE(xt_string_mt_reg)); 92 xt_unregister_match(&xt_string_mt_reg);
111} 93}
112 94
113module_init(string_mt_init); 95module_init(string_mt_init);
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 1ebdc4934eed..efa2ede24ae6 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -1,3 +1,4 @@
1#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
1#include <linux/types.h> 2#include <linux/types.h>
2#include <linux/module.h> 3#include <linux/module.h>
3#include <net/ip.h> 4#include <net/ip.h>
@@ -19,13 +20,6 @@ MODULE_ALIAS("ipt_tcp");
19MODULE_ALIAS("ip6t_udp"); 20MODULE_ALIAS("ip6t_udp");
20MODULE_ALIAS("ip6t_tcp"); 21MODULE_ALIAS("ip6t_tcp");
21 22
22#ifdef DEBUG_IP_FIREWALL_USER
23#define duprintf(format, args...) printk(format , ## args)
24#else
25#define duprintf(format, args...)
26#endif
27
28
29/* Returns 1 if the port is matched by the range, 0 otherwise */ 23/* Returns 1 if the port is matched by the range, 0 otherwise */
30static inline bool 24static inline bool
31port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert) 25port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert)
@@ -46,7 +40,7 @@ tcp_find_option(u_int8_t option,
46 u_int8_t _opt[60 - sizeof(struct tcphdr)]; 40 u_int8_t _opt[60 - sizeof(struct tcphdr)];
47 unsigned int i; 41 unsigned int i;
48 42
49 duprintf("tcp_match: finding option\n"); 43 pr_debug("finding option\n");
50 44
51 if (!optlen) 45 if (!optlen)
52 return invert; 46 return invert;
@@ -82,7 +76,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
82 flag overwrite to pass the direction checks. 76 flag overwrite to pass the direction checks.
83 */ 77 */
84 if (par->fragoff == 1) { 78 if (par->fragoff == 1) {
85 duprintf("Dropping evil TCP offset=1 frag.\n"); 79 pr_debug("Dropping evil TCP offset=1 frag.\n");
86 *par->hotdrop = true; 80 *par->hotdrop = true;
87 } 81 }
88 /* Must not be a fragment. */ 82 /* Must not be a fragment. */
@@ -95,7 +89,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
95 if (th == NULL) { 89 if (th == NULL) {
96 /* We've been asked to examine this packet, and we 90 /* We've been asked to examine this packet, and we
97 can't. Hence, no choice but to drop. */ 91 can't. Hence, no choice but to drop. */
98 duprintf("Dropping evil TCP offset=0 tinygram.\n"); 92 pr_debug("Dropping evil TCP offset=0 tinygram.\n");
99 *par->hotdrop = true; 93 *par->hotdrop = true;
100 return false; 94 return false;
101 } 95 }
@@ -126,12 +120,12 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
126 return true; 120 return true;
127} 121}
128 122
129static bool tcp_mt_check(const struct xt_mtchk_param *par) 123static int tcp_mt_check(const struct xt_mtchk_param *par)
130{ 124{
131 const struct xt_tcp *tcpinfo = par->matchinfo; 125 const struct xt_tcp *tcpinfo = par->matchinfo;
132 126
133 /* Must specify no unknown invflags */ 127 /* Must specify no unknown invflags */
134 return !(tcpinfo->invflags & ~XT_TCP_INV_MASK); 128 return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;
135} 129}
136 130
137static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par) 131static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
@@ -148,7 +142,7 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
148 if (uh == NULL) { 142 if (uh == NULL) {
149 /* We've been asked to examine this packet, and we 143 /* We've been asked to examine this packet, and we
150 can't. Hence, no choice but to drop. */ 144 can't. Hence, no choice but to drop. */
151 duprintf("Dropping evil UDP tinygram.\n"); 145 pr_debug("Dropping evil UDP tinygram.\n");
152 *par->hotdrop = true; 146 *par->hotdrop = true;
153 return false; 147 return false;
154 } 148 }
@@ -161,12 +155,12 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
161 !!(udpinfo->invflags & XT_UDP_INV_DSTPT)); 155 !!(udpinfo->invflags & XT_UDP_INV_DSTPT));
162} 156}
163 157
164static bool udp_mt_check(const struct xt_mtchk_param *par) 158static int udp_mt_check(const struct xt_mtchk_param *par)
165{ 159{
166 const struct xt_udp *udpinfo = par->matchinfo; 160 const struct xt_udp *udpinfo = par->matchinfo;
167 161
168 /* Must specify no unknown invflags */ 162 /* Must specify no unknown invflags */
169 return !(udpinfo->invflags & ~XT_UDP_INV_MASK); 163 return (udpinfo->invflags & ~XT_UDP_INV_MASK) ? -EINVAL : 0;
170} 164}
171 165
172static struct xt_match tcpudp_mt_reg[] __read_mostly = { 166static struct xt_match tcpudp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 93acaa59d108..d8556fdda440 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -1,7 +1,6 @@
1/* 1/*
2 * xt_time 2 * xt_time
3 * Copyright © CC Computer Consultants GmbH, 2007 3 * Copyright © CC Computer Consultants GmbH, 2007
4 * Contact: <jengelh@computergmbh.de>
5 * 4 *
6 * based on ipt_time by Fabrice MARIE <fabrice@netfilter.org> 5 * based on ipt_time by Fabrice MARIE <fabrice@netfilter.org>
7 * This is a module which is used for time matching 6 * This is a module which is used for time matching
@@ -218,18 +217,18 @@ time_mt(const struct sk_buff *skb, const struct xt_match_param *par)
218 return true; 217 return true;
219} 218}
220 219
221static bool time_mt_check(const struct xt_mtchk_param *par) 220static int time_mt_check(const struct xt_mtchk_param *par)
222{ 221{
223 const struct xt_time_info *info = par->matchinfo; 222 const struct xt_time_info *info = par->matchinfo;
224 223
225 if (info->daytime_start > XT_TIME_MAX_DAYTIME || 224 if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
226 info->daytime_stop > XT_TIME_MAX_DAYTIME) { 225 info->daytime_stop > XT_TIME_MAX_DAYTIME) {
227 printk(KERN_WARNING "xt_time: invalid argument - start or " 226 pr_info("invalid argument - start or "
228 "stop time greater than 23:59:59\n"); 227 "stop time greater than 23:59:59\n");
229 return false; 228 return -EDOM;
230 } 229 }
231 230
232 return true; 231 return 0;
233} 232}
234 233
235static struct xt_match xt_time_mt_reg __read_mostly = { 234static struct xt_match xt_time_mt_reg __read_mostly = {
@@ -264,7 +263,7 @@ static void __exit time_mt_exit(void)
264 263
265module_init(time_mt_init); 264module_init(time_mt_init);
266module_exit(time_mt_exit); 265module_exit(time_mt_exit);
267MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>"); 266MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
268MODULE_DESCRIPTION("Xtables: time-based matching"); 267MODULE_DESCRIPTION("Xtables: time-based matching");
269MODULE_LICENSE("GPL"); 268MODULE_LICENSE("GPL");
270MODULE_ALIAS("ipt_time"); 269MODULE_ALIAS("ipt_time");
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index 24a527624500..d7c05f03a7e7 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -3,7 +3,6 @@
3 * 3 *
4 * Original author: Don Cohen <don@isis.cs3-inc.com> 4 * Original author: Don Cohen <don@isis.cs3-inc.com>
5 * (C) CC Computer Consultants GmbH, 2007 5 * (C) CC Computer Consultants GmbH, 2007
6 * Contact: <jengelh@computergmbh.de>
7 */ 6 */
8 7
9#include <linux/module.h> 8#include <linux/module.h>
@@ -117,7 +116,7 @@ static void __exit u32_mt_exit(void)
117 116
118module_init(u32_mt_init); 117module_init(u32_mt_init);
119module_exit(u32_mt_exit); 118module_exit(u32_mt_exit);
120MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>"); 119MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
121MODULE_DESCRIPTION("Xtables: arbitrary byte matching"); 120MODULE_DESCRIPTION("Xtables: arbitrary byte matching");
122MODULE_LICENSE("GPL"); 121MODULE_LICENSE("GPL");
123MODULE_ALIAS("ipt_u32"); 122MODULE_ALIAS("ipt_u32");
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index da27a170b6b7..03f80a0fa167 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -47,8 +47,8 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int
47 47
48 target = xt_request_find_target(AF_INET, t->u.user.name, 48 target = xt_request_find_target(AF_INET, t->u.user.name,
49 t->u.user.revision); 49 t->u.user.revision);
50 if (!target) 50 if (IS_ERR(target))
51 return -ENOENT; 51 return PTR_ERR(target);
52 52
53 t->u.kernel.target = target; 53 t->u.kernel.target = target;
54 par.table = table; 54 par.table = table;
generated by cgit v1.2.2 (git 2.25.0) at 2025-11-01 17:25:45 -0400