-rw-r--r--net/netfilter/core.c6
-rw-r--r--net/netfilter/nf_conntrack_core.c18
-rw-r--r--net/netfilter/nf_conntrack_expect.c2
-rw-r--r--net/netfilter/nf_conntrack_ftp.c14
-rw-r--r--net/netfilter/nf_conntrack_h323_main.c20
-rw-r--r--net/netfilter/nf_conntrack_irc.c2
-rw-r--r--net/netfilter/nf_conntrack_l3proto_generic.c2
-rw-r--r--net/netfilter/nf_conntrack_netbios_ns.c2
-rw-r--r--net/netfilter/nf_conntrack_netlink.c106
-rw-r--r--net/netfilter/nf_conntrack_pptp.c2
-rw-r--r--net/netfilter/nf_conntrack_proto_sctp.c72
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c204
-rw-r--r--net/netfilter/nf_conntrack_sip.c6
-rw-r--r--net/netfilter/nf_conntrack_standalone.c2
-rw-r--r--net/netfilter/nf_conntrack_tftp.c2
-rw-r--r--net/netfilter/nf_internals.h2
-rw-r--r--net/netfilter/nf_log.c6
-rw-r--r--net/netfilter/nf_queue.c22
-rw-r--r--net/netfilter/nf_sockopt.c12
-rw-r--r--net/netfilter/nfnetlink.c10
-rw-r--r--net/netfilter/nfnetlink_log.c52
-rw-r--r--net/netfilter/nfnetlink_queue.c84
-rw-r--r--net/netfilter/x_tables.c12
-rw-r--r--net/netfilter/xt_CLASSIFY.c4
-rw-r--r--net/netfilter/xt_MARK.c4
-rw-r--r--net/netfilter/xt_NFQUEUE.c4
-rw-r--r--net/netfilter/xt_NOTRACK.c4
-rw-r--r--net/netfilter/xt_SECMARK.c2
-rw-r--r--net/netfilter/xt_conntrack.c32
-rw-r--r--net/netfilter/xt_dccp.c20
-rw-r--r--net/netfilter/xt_hashlimit.c8
-rw-r--r--net/netfilter/xt_helper.c18
-rw-r--r--net/netfilter/xt_length.c4
-rw-r--r--net/netfilter/xt_limit.c2
-rw-r--r--net/netfilter/xt_mark.c6
-rw-r--r--net/netfilter/xt_multiport.c2
-rw-r--r--net/netfilter/xt_physdev.c2
-rw-r--r--net/netfilter/xt_policy.c24
-rw-r--r--net/netfilter/xt_quota.c4
-rw-r--r--net/netfilter/xt_realm.c2
-rw-r--r--net/netfilter/xt_sctp.c30
-rw-r--r--net/netfilter/xt_string.c8
-rw-r--r--net/netfilter/xt_tcpmss.c4
43 files changed, 422 insertions, 422 deletions
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index f61e0c2eece9..c3ebdbd917e9 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -1,4 +1,4 @@
1/* netfilter.c: look after the filters for various protocols. 1/* netfilter.c: look after the filters for various protocols.
2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox. 2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
3 * 3 *
4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any 4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
@@ -141,14 +141,14 @@ unsigned int nf_iterate(struct list_head *head,
141 continue; 141 continue;
142 142
143 /* Optimization: we don't need to hold module 143 /* Optimization: we don't need to hold module
144 reference here, since function can't sleep. --RR */ 144 reference here, since function can't sleep. --RR */
145 verdict = elem->hook(hook, skb, indev, outdev, okfn); 145 verdict = elem->hook(hook, skb, indev, outdev, okfn);
146 if (verdict != NF_ACCEPT) { 146 if (verdict != NF_ACCEPT) {
147#ifdef CONFIG_NETFILTER_DEBUG 147#ifdef CONFIG_NETFILTER_DEBUG
148 if (unlikely((verdict & NF_VERDICT_MASK) 148 if (unlikely((verdict & NF_VERDICT_MASK)
149 > NF_MAX_VERDICT)) { 149 > NF_MAX_VERDICT)) {
150 NFDEBUG("Evil return from %p(%u).\n", 150 NFDEBUG("Evil return from %p(%u).\n",
151 elem->hook, hook); 151 elem->hook, hook);
152 continue; 152 continue;
153 } 153 }
154#endif 154#endif
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 0cc150560fb7..32891ebc9e68 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -424,7 +424,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_find_get);
424 424
425static void __nf_conntrack_hash_insert(struct nf_conn *ct, 425static void __nf_conntrack_hash_insert(struct nf_conn *ct,
426 unsigned int hash, 426 unsigned int hash,
427 unsigned int repl_hash) 427 unsigned int repl_hash)
428{ 428{
429 ct->id = ++nf_conntrack_next_id; 429 ct->id = ++nf_conntrack_next_id;
430 list_add(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list, 430 list_add(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list,
@@ -1066,7 +1066,7 @@ get_next_corpse(int (*iter)(struct nf_conn *i, void *data),
1066 if (iter(ct, data)) 1066 if (iter(ct, data))
1067 goto found; 1067 goto found;
1068 } 1068 }
1069 } 1069 }
1070 list_for_each_entry(h, &unconfirmed, list) { 1070 list_for_each_entry(h, &unconfirmed, list) {
1071 ct = nf_ct_tuplehash_to_ctrack(h); 1071 ct = nf_ct_tuplehash_to_ctrack(h);
1072 if (iter(ct, data)) 1072 if (iter(ct, data))
@@ -1107,7 +1107,7 @@ static void free_conntrack_hash(struct list_head *hash, int vmalloced, int size)
1107 if (vmalloced) 1107 if (vmalloced)
1108 vfree(hash); 1108 vfree(hash);
1109 else 1109 else
1110 free_pages((unsigned long)hash, 1110 free_pages((unsigned long)hash,
1111 get_order(sizeof(struct list_head) * size)); 1111 get_order(sizeof(struct list_head) * size));
1112} 1112}
1113 1113
@@ -1168,18 +1168,18 @@ static struct list_head *alloc_hashtable(int size, int *vmalloced)
1168 struct list_head *hash; 1168 struct list_head *hash;
1169 unsigned int i; 1169 unsigned int i;
1170 1170
1171 *vmalloced = 0; 1171 *vmalloced = 0;
1172 hash = (void*)__get_free_pages(GFP_KERNEL, 1172 hash = (void*)__get_free_pages(GFP_KERNEL,
1173 get_order(sizeof(struct list_head) 1173 get_order(sizeof(struct list_head)
1174 * size)); 1174 * size));
1175 if (!hash) { 1175 if (!hash) {
1176 *vmalloced = 1; 1176 *vmalloced = 1;
1177 printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n"); 1177 printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
1178 hash = vmalloc(sizeof(struct list_head) * size); 1178 hash = vmalloc(sizeof(struct list_head) * size);
1179 } 1179 }
1180 1180
1181 if (hash) 1181 if (hash)
1182 for (i = 0; i < size; i++) 1182 for (i = 0; i < size; i++)
1183 INIT_LIST_HEAD(&hash[i]); 1183 INIT_LIST_HEAD(&hash[i]);
1184 1184
1185 return hash; 1185 return hash;
@@ -1286,9 +1286,9 @@ int __init nf_conntrack_init(void)
1286 1286
1287 /* Don't NEED lock here, but good form anyway. */ 1287 /* Don't NEED lock here, but good form anyway. */
1288 write_lock_bh(&nf_conntrack_lock); 1288 write_lock_bh(&nf_conntrack_lock);
1289 for (i = 0; i < AF_MAX; i++) 1289 for (i = 0; i < AF_MAX; i++)
1290 nf_ct_l3protos[i] = &nf_conntrack_l3proto_generic; 1290 nf_ct_l3protos[i] = &nf_conntrack_l3proto_generic;
1291 write_unlock_bh(&nf_conntrack_lock); 1291 write_unlock_bh(&nf_conntrack_lock);
1292 1292
1293 /* For use by REJECT target */ 1293 /* For use by REJECT target */
1294 rcu_assign_pointer(ip_ct_attach, __nf_conntrack_attach); 1294 rcu_assign_pointer(ip_ct_attach, __nf_conntrack_attach);
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 5cdcd7f4e813..ce70a6fc6bda 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -130,7 +130,7 @@ void nf_ct_remove_expectations(struct nf_conn *ct)
130 if (i->master == ct && del_timer(&i->timeout)) { 130 if (i->master == ct && del_timer(&i->timeout)) {
131 nf_ct_unlink_expect(i); 131 nf_ct_unlink_expect(i);
132 nf_conntrack_expect_put(i); 132 nf_conntrack_expect_put(i);
133 } 133 }
134 } 134 }
135} 135}
136EXPORT_SYMBOL_GPL(nf_ct_remove_expectations); 136EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 92a947168761..3089dfc40c88 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -126,7 +126,7 @@ get_ipv6_addr(const char *src, size_t dlen, struct in6_addr *dst, u_int8_t term)
126} 126}
127 127
128static int try_number(const char *data, size_t dlen, u_int32_t array[], 128static int try_number(const char *data, size_t dlen, u_int32_t array[],
129 int array_size, char sep, char term) 129 int array_size, char sep, char term)
130{ 130{
131 u_int32_t i, len; 131 u_int32_t i, len;
132 132
@@ -413,8 +413,8 @@ static int help(struct sk_buff **pskb,
413 goto out_update_nl; 413 goto out_update_nl;
414 } 414 }
415 415
416 /* Initialize IP/IPv6 addr to expected address (it's not mentioned 416 /* Initialize IP/IPv6 addr to expected address (it's not mentioned
417 in EPSV responses) */ 417 in EPSV responses) */
418 cmd.l3num = ct->tuplehash[dir].tuple.src.l3num; 418 cmd.l3num = ct->tuplehash[dir].tuple.src.l3num;
419 memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, 419 memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all,
420 sizeof(cmd.u3.all)); 420 sizeof(cmd.u3.all));
@@ -466,11 +466,11 @@ static int help(struct sk_buff **pskb,
466 memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, 466 memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all,
467 sizeof(cmd.u3.all))) { 467 sizeof(cmd.u3.all))) {
468 /* Enrico Scholz's passive FTP to partially RNAT'd ftp 468 /* Enrico Scholz's passive FTP to partially RNAT'd ftp
469 server: it really wants us to connect to a 469 server: it really wants us to connect to a
470 different IP address. Simply don't record it for 470 different IP address. Simply don't record it for
471 NAT. */ 471 NAT. */
472 if (cmd.l3num == PF_INET) { 472 if (cmd.l3num == PF_INET) {
473 DEBUGP("conntrack_ftp: NOT RECORDING: " NIPQUAD_FMT " != " NIPQUAD_FMT "\n", 473 DEBUGP("conntrack_ftp: NOT RECORDING: " NIPQUAD_FMT " != " NIPQUAD_FMT "\n",
474 NIPQUAD(cmd.u3.ip), 474 NIPQUAD(cmd.u3.ip),
475 NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip)); 475 NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip));
476 } else { 476 } else {
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 6d8568959f82..b284db73ca7c 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -49,7 +49,7 @@ MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper");
49static int callforward_filter __read_mostly = 1; 49static int callforward_filter __read_mostly = 1;
50module_param(callforward_filter, bool, 0600); 50module_param(callforward_filter, bool, 0600);
51MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations " 51MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations "
52 "if both endpoints are on different sides " 52 "if both endpoints are on different sides "
53 "(determined by routing information)"); 53 "(determined by routing information)");
54 54
55/* Hooks for NAT */ 55/* Hooks for NAT */
@@ -300,7 +300,7 @@ static int expect_rtp_rtcp(struct sk_buff **pskb, struct nf_conn *ct,
300 IPPROTO_UDP, NULL, &rtcp_port); 300 IPPROTO_UDP, NULL, &rtcp_port);
301 301
302 if (memcmp(&ct->tuplehash[dir].tuple.src.u3, 302 if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
303 &ct->tuplehash[!dir].tuple.dst.u3, 303 &ct->tuplehash[!dir].tuple.dst.u3,
304 sizeof(ct->tuplehash[dir].tuple.src.u3)) && 304 sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
305 (nat_rtp_rtcp = rcu_dereference(nat_rtp_rtcp_hook)) && 305 (nat_rtp_rtcp = rcu_dereference(nat_rtp_rtcp_hook)) &&
306 ct->status & IPS_NAT_MASK) { 306 ct->status & IPS_NAT_MASK) {
@@ -743,7 +743,7 @@ static int callforward_do_filter(union nf_conntrack_address *src,
743 rt2 = (struct rt6_info *)ip6_route_output(NULL, &fl2); 743 rt2 = (struct rt6_info *)ip6_route_output(NULL, &fl2);
744 if (rt2) { 744 if (rt2) {
745 if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway, 745 if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway,
746 sizeof(rt1->rt6i_gateway)) && 746 sizeof(rt1->rt6i_gateway)) &&
747 rt1->u.dst.dev == rt2->u.dst.dev) 747 rt1->u.dst.dev == rt2->u.dst.dev)
748 ret = 1; 748 ret = 1;
749 dst_release(&rt2->u.dst); 749 dst_release(&rt2->u.dst);
@@ -780,7 +780,7 @@ static int expect_callforwarding(struct sk_buff **pskb,
780 * we don't need to track the second call */ 780 * we don't need to track the second call */
781 if (callforward_filter && 781 if (callforward_filter &&
782 callforward_do_filter(&addr, &ct->tuplehash[!dir].tuple.src.u3, 782 callforward_do_filter(&addr, &ct->tuplehash[!dir].tuple.src.u3,
783 ct->tuplehash[!dir].tuple.src.l3num)) { 783 ct->tuplehash[!dir].tuple.src.l3num)) {
784 DEBUGP("nf_ct_q931: Call Forwarding not tracked\n"); 784 DEBUGP("nf_ct_q931: Call Forwarding not tracked\n");
785 return 0; 785 return 0;
786 } 786 }
@@ -840,7 +840,7 @@ static int process_setup(struct sk_buff **pskb, struct nf_conn *ct,
840 if ((setup->options & eSetup_UUIE_destCallSignalAddress) && 840 if ((setup->options & eSetup_UUIE_destCallSignalAddress) &&
841 (set_h225_addr) && ct->status && IPS_NAT_MASK && 841 (set_h225_addr) && ct->status && IPS_NAT_MASK &&
842 get_h225_addr(ct, *data, &setup->destCallSignalAddress, 842 get_h225_addr(ct, *data, &setup->destCallSignalAddress,
843 &addr, &port) && 843 &addr, &port) &&
844 memcmp(&addr, &ct->tuplehash[!dir].tuple.src.u3, sizeof(addr))) { 844 memcmp(&addr, &ct->tuplehash[!dir].tuple.src.u3, sizeof(addr))) {
845 DEBUGP("nf_ct_q931: set destCallSignalAddress " 845 DEBUGP("nf_ct_q931: set destCallSignalAddress "
846 NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n", 846 NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n",
@@ -858,7 +858,7 @@ static int process_setup(struct sk_buff **pskb, struct nf_conn *ct,
858 if ((setup->options & eSetup_UUIE_sourceCallSignalAddress) && 858 if ((setup->options & eSetup_UUIE_sourceCallSignalAddress) &&
859 (set_h225_addr) && ct->status & IPS_NAT_MASK && 859 (set_h225_addr) && ct->status & IPS_NAT_MASK &&
860 get_h225_addr(ct, *data, &setup->sourceCallSignalAddress, 860 get_h225_addr(ct, *data, &setup->sourceCallSignalAddress,
861 &addr, &port) && 861 &addr, &port) &&
862 memcmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3, sizeof(addr))) { 862 memcmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3, sizeof(addr))) {
863 DEBUGP("nf_ct_q931: set sourceCallSignalAddress " 863 DEBUGP("nf_ct_q931: set sourceCallSignalAddress "
864 NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n", 864 NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n",
@@ -1282,7 +1282,7 @@ static int expect_q931(struct sk_buff **pskb, struct nf_conn *ct,
1282 for (i = 0; i < count; i++) { 1282 for (i = 0; i < count; i++) {
1283 if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) && 1283 if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) &&
1284 memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, 1284 memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3,
1285 sizeof(addr)) == 0 && port != 0) 1285 sizeof(addr)) == 0 && port != 0)
1286 break; 1286 break;
1287 } 1287 }
1288 1288
@@ -1294,7 +1294,7 @@ static int expect_q931(struct sk_buff **pskb, struct nf_conn *ct,
1294 return -1; 1294 return -1;
1295 nf_conntrack_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num, 1295 nf_conntrack_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
1296 gkrouted_only ? /* only accept calls from GK? */ 1296 gkrouted_only ? /* only accept calls from GK? */
1297 &ct->tuplehash[!dir].tuple.src.u3 : 1297 &ct->tuplehash[!dir].tuple.src.u3 :
1298 NULL, 1298 NULL,
1299 &ct->tuplehash[!dir].tuple.dst.u3, 1299 &ct->tuplehash[!dir].tuple.dst.u3,
1300 IPPROTO_TCP, NULL, &port); 1300 IPPROTO_TCP, NULL, &port);
@@ -1513,7 +1513,7 @@ static int process_arq(struct sk_buff **pskb, struct nf_conn *ct,
1513 set_h225_addr = rcu_dereference(set_h225_addr_hook); 1513 set_h225_addr = rcu_dereference(set_h225_addr_hook);
1514 if ((arq->options & eAdmissionRequest_destCallSignalAddress) && 1514 if ((arq->options & eAdmissionRequest_destCallSignalAddress) &&
1515 get_h225_addr(ct, *data, &arq->destCallSignalAddress, 1515 get_h225_addr(ct, *data, &arq->destCallSignalAddress,
1516 &addr, &port) && 1516 &addr, &port) &&
1517 !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) && 1517 !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
1518 port == info->sig_port[dir] && 1518 port == info->sig_port[dir] &&
1519 set_h225_addr && ct->status & IPS_NAT_MASK) { 1519 set_h225_addr && ct->status & IPS_NAT_MASK) {
@@ -1526,7 +1526,7 @@ static int process_arq(struct sk_buff **pskb, struct nf_conn *ct,
1526 1526
1527 if ((arq->options & eAdmissionRequest_srcCallSignalAddress) && 1527 if ((arq->options & eAdmissionRequest_srcCallSignalAddress) &&
1528 get_h225_addr(ct, *data, &arq->srcCallSignalAddress, 1528 get_h225_addr(ct, *data, &arq->srcCallSignalAddress,
1529 &addr, &port) && 1529 &addr, &port) &&
1530 !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) && 1530 !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
1531 set_h225_addr && ct->status & IPS_NAT_MASK) { 1531 set_h225_addr && ct->status & IPS_NAT_MASK) {
1532 /* Calling ARQ */ 1532 /* Calling ARQ */
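Review bot: Line 841 in the process_setup hunk tests `ct->status && IPS_NAT_MASK` with a logical AND, which (IPS_NAT_MASK being a non-zero mask constant) reduces to `ct->status != 0` and does not check whether any NAT bit is set; the parallel sourceCallSignalAddress check at line 859 and the ARQ checks at lines 1519 and 1531 all use the bitwise `ct->status & IPS_NAT_MASK`. This whitespace cleanup leaves the line unchanged, so the destCallSignalAddress rewrite guarded at lines 840-844 can presumably fire on connections that are not NATed at all. The one-line fix is `(set_h225_addr) && ct->status & IPS_NAT_MASK &&` on line 841, matching line 859. process_setup starts and ends outside the hunk.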
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index ed01db634399..43ccd0e2e8ae 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -57,7 +57,7 @@ static const char *dccprotos[] = {
57 57
58#if 0 58#if 0
59#define DEBUGP(format, args...) printk(KERN_DEBUG "%s:%s:" format, \ 59#define DEBUGP(format, args...) printk(KERN_DEBUG "%s:%s:" format, \
60 __FILE__, __FUNCTION__ , ## args) 60 __FILE__, __FUNCTION__ , ## args)
61#else 61#else
62#define DEBUGP(format, args...) 62#define DEBUGP(format, args...)
63#endif 63#endif
diff --git a/net/netfilter/nf_conntrack_l3proto_generic.c b/net/netfilter/nf_conntrack_l3proto_generic.c
index a3d31c3ac8e6..cbd96f3c1b89 100644
--- a/net/netfilter/nf_conntrack_l3proto_generic.c
+++ b/net/netfilter/nf_conntrack_l3proto_generic.c
@@ -77,7 +77,7 @@ generic_prepare(struct sk_buff **pskb, unsigned int hooknum,
77 77
78 78
79static u_int32_t generic_get_features(const struct nf_conntrack_tuple *tuple) 79static u_int32_t generic_get_features(const struct nf_conntrack_tuple *tuple)
80 80
81{ 81{
82 return NF_CT_F_BASIC; 82 return NF_CT_F_BASIC;
83} 83}
diff --git a/net/netfilter/nf_conntrack_netbios_ns.c b/net/netfilter/nf_conntrack_netbios_ns.c
index 2a48efdf0d67..bb26a658cc1c 100644
--- a/net/netfilter/nf_conntrack_netbios_ns.c
+++ b/net/netfilter/nf_conntrack_netbios_ns.c
@@ -43,7 +43,7 @@ module_param(timeout, uint, 0400);
43MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds"); 43MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
44 44
45static int help(struct sk_buff **pskb, unsigned int protoff, 45static int help(struct sk_buff **pskb, unsigned int protoff,
46 struct nf_conn *ct, enum ip_conntrack_info ctinfo) 46 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
47{ 47{
48 struct nf_conntrack_expect *exp; 48 struct nf_conntrack_expect *exp;
49 struct iphdr *iph = (*pskb)->nh.iph; 49 struct iphdr *iph = (*pskb)->nh.iph;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c64f029f7052..48f05314ebf7 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -6,10 +6,10 @@
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net> 6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net> 7 * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
8 * 8 *
9 * I've reworked this stuff to use attributes instead of conntrack 9 * I've reworked this stuff to use attributes instead of conntrack
10 * structures. 5.44 am. I need more tea. --pablo 05/07/11. 10 * structures. 5.44 am. I need more tea. --pablo 05/07/11.
11 * 11 *
12 * Initial connection tracking via netlink development funded and 12 * Initial connection tracking via netlink development funded and
13 * generally made possible by Network Robots, Inc. (www.networkrobots.com) 13 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
14 * 14 *
15 * Further development of this code funded by Astaro AG (http://www.astaro.com) 15 * Further development of this code funded by Astaro AG (http://www.astaro.com)
@@ -53,7 +53,7 @@ MODULE_LICENSE("GPL");
53static char __initdata version[] = "0.93"; 53static char __initdata version[] = "0.93";
54 54
55static inline int 55static inline int
56ctnetlink_dump_tuples_proto(struct sk_buff *skb, 56ctnetlink_dump_tuples_proto(struct sk_buff *skb,
57 const struct nf_conntrack_tuple *tuple, 57 const struct nf_conntrack_tuple *tuple,
58 struct nf_conntrack_l4proto *l4proto) 58 struct nf_conntrack_l4proto *l4proto)
59{ 59{
@@ -64,7 +64,7 @@ ctnetlink_dump_tuples_proto(struct sk_buff *skb,
64 64
65 if (likely(l4proto->tuple_to_nfattr)) 65 if (likely(l4proto->tuple_to_nfattr))
66 ret = l4proto->tuple_to_nfattr(skb, tuple); 66 ret = l4proto->tuple_to_nfattr(skb, tuple);
67 67
68 NFA_NEST_END(skb, nest_parms); 68 NFA_NEST_END(skb, nest_parms);
69 69
70 return ret; 70 return ret;
@@ -135,7 +135,7 @@ ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
135 timeout = 0; 135 timeout = 0;
136 else 136 else
137 timeout = htonl(timeout_l / HZ); 137 timeout = htonl(timeout_l / HZ);
138 138
139 NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout); 139 NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout);
140 return 0; 140 return 0;
141 141
@@ -154,7 +154,7 @@ ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct nf_conn *ct)
154 nf_ct_l4proto_put(l4proto); 154 nf_ct_l4proto_put(l4proto);
155 return 0; 155 return 0;
156 } 156 }
157 157
158 nest_proto = NFA_NEST(skb, CTA_PROTOINFO); 158 nest_proto = NFA_NEST(skb, CTA_PROTOINFO);
159 159
160 ret = l4proto->to_nfattr(skb, nest_proto, ct); 160 ret = l4proto->to_nfattr(skb, nest_proto, ct);
@@ -178,7 +178,7 @@ ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
178 178
179 if (!help || !help->helper) 179 if (!help || !help->helper)
180 return 0; 180 return 0;
181 181
182 nest_helper = NFA_NEST(skb, CTA_HELP); 182 nest_helper = NFA_NEST(skb, CTA_HELP);
183 NFA_PUT(skb, CTA_HELP_NAME, strlen(help->helper->name), help->helper->name); 183 NFA_PUT(skb, CTA_HELP_NAME, strlen(help->helper->name), help->helper->name);
184 184
@@ -250,7 +250,7 @@ static inline int
250ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct) 250ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
251{ 251{
252 __be32 use = htonl(atomic_read(&ct->ct_general.use)); 252 __be32 use = htonl(atomic_read(&ct->ct_general.use));
253 253
254 NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use); 254 NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use);
255 return 0; 255 return 0;
256 256
@@ -262,7 +262,7 @@ nfattr_failure:
262 262
263static int 263static int
264ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, 264ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
265 int event, int nowait, 265 int event, int nowait,
266 const struct nf_conn *ct) 266 const struct nf_conn *ct)
267{ 267{
268 struct nlmsghdr *nlh; 268 struct nlmsghdr *nlh;
@@ -277,7 +277,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
277 nfmsg = NLMSG_DATA(nlh); 277 nfmsg = NLMSG_DATA(nlh);
278 278
279 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0; 279 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
280 nfmsg->nfgen_family = 280 nfmsg->nfgen_family =
281 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num; 281 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
282 nfmsg->version = NFNETLINK_V0; 282 nfmsg->version = NFNETLINK_V0;
283 nfmsg->res_id = 0; 283 nfmsg->res_id = 0;
@@ -286,7 +286,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
286 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 286 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
287 goto nfattr_failure; 287 goto nfattr_failure;
288 NFA_NEST_END(skb, nest_parms); 288 NFA_NEST_END(skb, nest_parms);
289 289
290 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY); 290 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
291 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0) 291 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
292 goto nfattr_failure; 292 goto nfattr_failure;
@@ -314,7 +314,7 @@ nfattr_failure:
314 314
315#ifdef CONFIG_NF_CONNTRACK_EVENTS 315#ifdef CONFIG_NF_CONNTRACK_EVENTS
316static int ctnetlink_conntrack_event(struct notifier_block *this, 316static int ctnetlink_conntrack_event(struct notifier_block *this,
317 unsigned long events, void *ptr) 317 unsigned long events, void *ptr)
318{ 318{
319 struct nlmsghdr *nlh; 319 struct nlmsghdr *nlh;
320 struct nfgenmsg *nfmsg; 320 struct nfgenmsg *nfmsg;
@@ -364,7 +364,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
364 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 364 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
365 goto nfattr_failure; 365 goto nfattr_failure;
366 NFA_NEST_END(skb, nest_parms); 366 NFA_NEST_END(skb, nest_parms);
367 367
368 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY); 368 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
369 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0) 369 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
370 goto nfattr_failure; 370 goto nfattr_failure;
@@ -383,16 +383,16 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
383 383
384 if (events & IPCT_PROTOINFO 384 if (events & IPCT_PROTOINFO
385 && ctnetlink_dump_protoinfo(skb, ct) < 0) 385 && ctnetlink_dump_protoinfo(skb, ct) < 0)
386 goto nfattr_failure; 386 goto nfattr_failure;
387 387
388 if ((events & IPCT_HELPER || nfct_help(ct)) 388 if ((events & IPCT_HELPER || nfct_help(ct))
389 && ctnetlink_dump_helpinfo(skb, ct) < 0) 389 && ctnetlink_dump_helpinfo(skb, ct) < 0)
390 goto nfattr_failure; 390 goto nfattr_failure;
391 391
392#ifdef CONFIG_NF_CONNTRACK_MARK 392#ifdef CONFIG_NF_CONNTRACK_MARK
393 if ((events & IPCT_MARK || ct->mark) 393 if ((events & IPCT_MARK || ct->mark)
394 && ctnetlink_dump_mark(skb, ct) < 0) 394 && ctnetlink_dump_mark(skb, ct) < 0)
395 goto nfattr_failure; 395 goto nfattr_failure;
396#endif 396#endif
397 397
398 if (events & IPCT_COUNTER_FILLING && 398 if (events & IPCT_COUNTER_FILLING &&
@@ -450,7 +450,7 @@ restart:
450 cb->args[1] = 0; 450 cb->args[1] = 0;
451 } 451 }
452 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid, 452 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
453 cb->nlh->nlmsg_seq, 453 cb->nlh->nlmsg_seq,
454 IPCTNL_MSG_CT_NEW, 454 IPCTNL_MSG_CT_NEW,
455 1, ct) < 0) { 455 1, ct) < 0) {
456 nf_conntrack_get(&ct->ct_general); 456 nf_conntrack_get(&ct->ct_general);
@@ -500,7 +500,7 @@ static const size_t cta_min_proto[CTA_PROTO_MAX] = {
500}; 500};
501 501
502static inline int 502static inline int
503ctnetlink_parse_tuple_proto(struct nfattr *attr, 503ctnetlink_parse_tuple_proto(struct nfattr *attr,
504 struct nf_conntrack_tuple *tuple) 504 struct nf_conntrack_tuple *tuple)
505{ 505{
506 struct nfattr *tb[CTA_PROTO_MAX]; 506 struct nfattr *tb[CTA_PROTO_MAX];
@@ -522,7 +522,7 @@ ctnetlink_parse_tuple_proto(struct nfattr *attr,
522 ret = l4proto->nfattr_to_tuple(tb, tuple); 522 ret = l4proto->nfattr_to_tuple(tb, tuple);
523 523
524 nf_ct_l4proto_put(l4proto); 524 nf_ct_l4proto_put(l4proto);
525 525
526 return ret; 526 return ret;
527} 527}
528 528
@@ -609,7 +609,7 @@ nfnetlink_parse_nat(struct nfattr *nat,
609 int err; 609 int err;
610 610
611 memset(range, 0, sizeof(*range)); 611 memset(range, 0, sizeof(*range));
612 612
613 nfattr_parse_nested(tb, CTA_NAT_MAX, nat); 613 nfattr_parse_nested(tb, CTA_NAT_MAX, nat);
614 614
615 if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat)) 615 if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat))
@@ -661,7 +661,7 @@ static const size_t cta_min[CTA_MAX] = {
661}; 661};
662 662
663static int 663static int
664ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, 664ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
665 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) 665 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
666{ 666{
667 struct nf_conntrack_tuple_hash *h; 667 struct nf_conntrack_tuple_hash *h;
@@ -692,14 +692,14 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
692 return -ENOENT; 692 return -ENOENT;
693 693
694 ct = nf_ct_tuplehash_to_ctrack(h); 694 ct = nf_ct_tuplehash_to_ctrack(h);
695 695
696 if (cda[CTA_ID-1]) { 696 if (cda[CTA_ID-1]) {
697 u_int32_t id = ntohl(*(__be32 *)NFA_DATA(cda[CTA_ID-1])); 697 u_int32_t id = ntohl(*(__be32 *)NFA_DATA(cda[CTA_ID-1]));
698 if (ct->id != id) { 698 if (ct->id != id) {
699 nf_ct_put(ct); 699 nf_ct_put(ct);
700 return -ENOENT; 700 return -ENOENT;
701 } 701 }
702 } 702 }
703 if (del_timer(&ct->timeout)) 703 if (del_timer(&ct->timeout))
704 ct->timeout.function((unsigned long)ct); 704 ct->timeout.function((unsigned long)ct);
705 705
@@ -709,7 +709,7 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
709} 709}
710 710
711static int 711static int
712ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, 712ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
713 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) 713 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
714{ 714{
715 struct nf_conntrack_tuple_hash *h; 715 struct nf_conntrack_tuple_hash *h;
@@ -765,7 +765,7 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
765 return -ENOMEM; 765 return -ENOMEM;
766 } 766 }
767 767
768 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 768 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
769 IPCTNL_MSG_CT_NEW, 1, ct); 769 IPCTNL_MSG_CT_NEW, 1, ct);
770 nf_ct_put(ct); 770 nf_ct_put(ct);
771 if (err <= 0) 771 if (err <= 0)
@@ -793,12 +793,12 @@ ctnetlink_change_status(struct nf_conn *ct, struct nfattr *cda[])
793 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) 793 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
794 /* unchangeable */ 794 /* unchangeable */
795 return -EINVAL; 795 return -EINVAL;
796 796
797 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 797 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
798 /* SEEN_REPLY bit can only be set */ 798 /* SEEN_REPLY bit can only be set */
799 return -EINVAL; 799 return -EINVAL;
800 800
801 801
802 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 802 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
803 /* ASSURED bit can only be set */ 803 /* ASSURED bit can only be set */
804 return -EINVAL; 804 return -EINVAL;
@@ -877,7 +877,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[])
877 memset(&help->help, 0, sizeof(help->help)); 877 memset(&help->help, 0, sizeof(help->help));
878 } 878 }
879 } 879 }
880 880
881 help->helper = helper; 881 help->helper = helper;
882 882
883 return 0; 883 return 0;
@@ -887,7 +887,7 @@ static inline int
887ctnetlink_change_timeout(struct nf_conn *ct, struct nfattr *cda[]) 887ctnetlink_change_timeout(struct nf_conn *ct, struct nfattr *cda[])
888{ 888{
889 u_int32_t timeout = ntohl(*(__be32 *)NFA_DATA(cda[CTA_TIMEOUT-1])); 889 u_int32_t timeout = ntohl(*(__be32 *)NFA_DATA(cda[CTA_TIMEOUT-1]));
890 890
891 if (!del_timer(&ct->timeout)) 891 if (!del_timer(&ct->timeout))
892 return -ETIME; 892 return -ETIME;
893 893
@@ -955,7 +955,7 @@ ctnetlink_change_conntrack(struct nf_conn *ct, struct nfattr *cda[])
955} 955}
956 956
957static int 957static int
958ctnetlink_create_conntrack(struct nfattr *cda[], 958ctnetlink_create_conntrack(struct nfattr *cda[],
959 struct nf_conntrack_tuple *otuple, 959 struct nf_conntrack_tuple *otuple,
960 struct nf_conntrack_tuple *rtuple) 960 struct nf_conntrack_tuple *rtuple)
961{ 961{
@@ -965,7 +965,7 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
965 965
966 ct = nf_conntrack_alloc(otuple, rtuple); 966 ct = nf_conntrack_alloc(otuple, rtuple);
967 if (ct == NULL || IS_ERR(ct)) 967 if (ct == NULL || IS_ERR(ct))
968 return -ENOMEM; 968 return -ENOMEM;
969 969
970 if (!cda[CTA_TIMEOUT-1]) 970 if (!cda[CTA_TIMEOUT-1])
971 goto err; 971 goto err;
@@ -1003,13 +1003,13 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
1003 1003
1004 return 0; 1004 return 0;
1005 1005
1006err: 1006err:
1007 nf_conntrack_free(ct); 1007 nf_conntrack_free(ct);
1008 return err; 1008 return err;
1009} 1009}
1010 1010
1011static int 1011static int
1012ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, 1012ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1013 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) 1013 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1014{ 1014{
1015 struct nf_conntrack_tuple otuple, rtuple; 1015 struct nf_conntrack_tuple otuple, rtuple;
@@ -1065,9 +1065,9 @@ out_unlock:
1065 return err; 1065 return err;
1066} 1066}
1067 1067
1068/*********************************************************************** 1068/***********************************************************************
1069 * EXPECT 1069 * EXPECT
1070 ***********************************************************************/ 1070 ***********************************************************************/
1071 1071
1072static inline int 1072static inline int
1073ctnetlink_exp_dump_tuple(struct sk_buff *skb, 1073ctnetlink_exp_dump_tuple(struct sk_buff *skb,
@@ -1075,7 +1075,7 @@ ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1075 enum ctattr_expect type) 1075 enum ctattr_expect type)
1076{ 1076{
1077 struct nfattr *nest_parms = NFA_NEST(skb, type); 1077 struct nfattr *nest_parms = NFA_NEST(skb, type);
1078 1078
1079 if (ctnetlink_dump_tuples(skb, tuple) < 0) 1079 if (ctnetlink_dump_tuples(skb, tuple) < 0)
1080 goto nfattr_failure; 1080 goto nfattr_failure;
1081 1081
@@ -1085,7 +1085,7 @@ ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1085 1085
1086nfattr_failure: 1086nfattr_failure:
1087 return -1; 1087 return -1;
1088} 1088}
1089 1089
1090static inline int 1090static inline int
1091ctnetlink_exp_dump_mask(struct sk_buff *skb, 1091ctnetlink_exp_dump_mask(struct sk_buff *skb,
@@ -1120,7 +1120,7 @@ nfattr_failure:
1120 1120
1121static inline int 1121static inline int
1122ctnetlink_exp_dump_expect(struct sk_buff *skb, 1122ctnetlink_exp_dump_expect(struct sk_buff *skb,
1123 const struct nf_conntrack_expect *exp) 1123 const struct nf_conntrack_expect *exp)
1124{ 1124{
1125 struct nf_conn *master = exp->master; 1125 struct nf_conn *master = exp->master;
1126 __be32 timeout = htonl((exp->timeout.expires - jiffies) / HZ); 1126 __be32 timeout = htonl((exp->timeout.expires - jiffies) / HZ);
@@ -1134,20 +1134,20 @@ ctnetlink_exp_dump_expect(struct sk_buff *skb,
1134 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 1134 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
1135 CTA_EXPECT_MASTER) < 0) 1135 CTA_EXPECT_MASTER) < 0)
1136 goto nfattr_failure; 1136 goto nfattr_failure;
1137 1137
1138 NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout); 1138 NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout);
1139 NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id); 1139 NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id);
1140 1140
1141 return 0; 1141 return 0;
1142 1142
1143nfattr_failure: 1143nfattr_failure:
1144 return -1; 1144 return -1;
1145} 1145}
1146 1146
1147static int 1147static int
1148ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq, 1148ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
1149 int event, 1149 int event,
1150 int nowait, 1150 int nowait,
1151 const struct nf_conntrack_expect *exp) 1151 const struct nf_conntrack_expect *exp)
1152{ 1152{
1153 struct nlmsghdr *nlh; 1153 struct nlmsghdr *nlh;
@@ -1250,7 +1250,7 @@ ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1250 goto out; 1250 goto out;
1251 *id = exp->id; 1251 *id = exp->id;
1252 } 1252 }
1253out: 1253out:
1254 read_unlock_bh(&nf_conntrack_lock); 1254 read_unlock_bh(&nf_conntrack_lock);
1255 1255
1256 return skb->len; 1256 return skb->len;
@@ -1262,7 +1262,7 @@ static const size_t cta_min_exp[CTA_EXPECT_MAX] = {
1262}; 1262};
1263 1263
1264static int 1264static int
1265ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, 1265ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1266 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) 1266 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1267{ 1267{
1268 struct nf_conntrack_tuple tuple; 1268 struct nf_conntrack_tuple tuple;
@@ -1279,7 +1279,7 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1279 u32 rlen; 1279 u32 rlen;
1280 1280
1281 if ((*errp = netlink_dump_start(ctnl, skb, nlh, 1281 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
1282 ctnetlink_exp_dump_table, 1282 ctnetlink_exp_dump_table,
1283 ctnetlink_done)) != 0) 1283 ctnetlink_done)) != 0)
1284 return -EINVAL; 1284 return -EINVAL;
1285 rlen = NLMSG_ALIGN(nlh->nlmsg_len); 1285 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
@@ -1307,14 +1307,14 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1307 nf_conntrack_expect_put(exp); 1307 nf_conntrack_expect_put(exp);
1308 return -ENOENT; 1308 return -ENOENT;
1309 } 1309 }
1310 } 1310 }
1311 1311
1312 err = -ENOMEM; 1312 err = -ENOMEM;
1313 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 1313 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1314 if (!skb2) 1314 if (!skb2)
1315 goto out; 1315 goto out;
1316 1316
1317 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid, 1317 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
1318 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, 1318 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
1319 1, exp); 1319 1, exp);
1320 if (err <= 0) 1320 if (err <= 0)
@@ -1332,7 +1332,7 @@ out:
1332} 1332}
1333 1333
1334static int 1334static int
1335ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, 1335ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1336 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) 1336 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1337{ 1337{
1338 struct nf_conntrack_expect *exp, *tmp; 1338 struct nf_conntrack_expect *exp, *tmp;
@@ -1366,7 +1366,7 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1366 1366
1367 /* after list removal, usage count == 1 */ 1367 /* after list removal, usage count == 1 */
1368 nf_conntrack_unexpect_related(exp); 1368 nf_conntrack_unexpect_related(exp);
1369 /* have to put what we 'get' above. 1369 /* have to put what we 'get' above.
1370 * after this line usage count == 0 */ 1370 * after this line usage count == 0 */
1371 nf_conntrack_expect_put(exp); 1371 nf_conntrack_expect_put(exp);
1372 } else if (cda[CTA_EXPECT_HELP_NAME-1]) { 1372 } else if (cda[CTA_EXPECT_HELP_NAME-1]) {
@@ -1449,7 +1449,7 @@ ctnetlink_create_expect(struct nfattr *cda[], u_int8_t u3)
1449 err = -ENOMEM; 1449 err = -ENOMEM;
1450 goto out; 1450 goto out;
1451 } 1451 }
1452 1452
1453 exp->expectfn = NULL; 1453 exp->expectfn = NULL;
1454 exp->flags = 0; 1454 exp->flags = 0;
1455 exp->master = ct; 1455 exp->master = ct;
@@ -1460,7 +1460,7 @@ ctnetlink_create_expect(struct nfattr *cda[], u_int8_t u3)
1460 err = nf_conntrack_expect_related(exp); 1460 err = nf_conntrack_expect_related(exp);
1461 nf_conntrack_expect_put(exp); 1461 nf_conntrack_expect_put(exp);
1462 1462
1463out: 1463out:
1464 nf_ct_put(nf_ct_tuplehash_to_ctrack(h)); 1464 nf_ct_put(nf_ct_tuplehash_to_ctrack(h));
1465 return err; 1465 return err;
1466} 1466}
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index c59df3bc2bbd..115bcb5d5a7c 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -520,7 +520,7 @@ conntrack_pptp_help(struct sk_buff **pskb, unsigned int protoff,
520 tcph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_tcph), &_tcph); 520 tcph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_tcph), &_tcph);
521 BUG_ON(!tcph); 521 BUG_ON(!tcph);
522 nexthdr_off += tcph->doff * 4; 522 nexthdr_off += tcph->doff * 4;
523 datalen = tcplen - tcph->doff * 4; 523 datalen = tcplen - tcph->doff * 4;
524 524
525 pptph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_pptph), &_pptph); 525 pptph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_pptph), &_pptph);
526 if (!pptph) { 526 if (!pptph) {
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 76e263668222..0133afa2c7ef 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -1,9 +1,9 @@
1/* 1/*
2 * Connection tracking protocol helper module for SCTP. 2 * Connection tracking protocol helper module for SCTP.
3 * 3 *
4 * SCTP is defined in RFC 2960. References to various sections in this code 4 * SCTP is defined in RFC 2960. References to various sections in this code
5 * are to this RFC. 5 * are to this RFC.
6 * 6 *
7 * This program is free software; you can redistribute it and/or modify 7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as 8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation. 9 * published by the Free Software Foundation.
@@ -45,7 +45,7 @@
45static DEFINE_RWLOCK(sctp_lock); 45static DEFINE_RWLOCK(sctp_lock);
46 46
47/* FIXME: Examine ipfilter's timeouts and conntrack transitions more 47/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
48 closely. They're more complex. --RR 48 closely. They're more complex. --RR
49 49
50 And so for me for SCTP :D -Kiran */ 50 And so for me for SCTP :D -Kiran */
51 51
@@ -94,32 +94,32 @@ static unsigned int * sctp_timeouts[]
94#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT 94#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
95#define sIV SCTP_CONNTRACK_MAX 95#define sIV SCTP_CONNTRACK_MAX
96 96
97/* 97/*
98 These are the descriptions of the states: 98 These are the descriptions of the states:
99 99
100NOTE: These state names are tantalizingly similar to the states of an 100NOTE: These state names are tantalizingly similar to the states of an
101SCTP endpoint. But the interpretation of the states is a little different, 101SCTP endpoint. But the interpretation of the states is a little different,
102considering that these are the states of the connection and not of an end 102considering that these are the states of the connection and not of an end
103point. Please note the subtleties. -Kiran 103point. Please note the subtleties. -Kiran
104 104
105NONE - Nothing so far. 105NONE - Nothing so far.
106COOKIE WAIT - We have seen an INIT chunk in the original direction, or also 106COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
107 an INIT_ACK chunk in the reply direction. 107 an INIT_ACK chunk in the reply direction.
108COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. 108COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
109ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. 109ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
110SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. 110SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
111SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. 111SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
112SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite 112SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
113 to that of the SHUTDOWN chunk. 113 to that of the SHUTDOWN chunk.
114CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 114CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
115 the SHUTDOWN chunk. Connection is closed. 115 the SHUTDOWN chunk. Connection is closed.
116*/ 116*/
117 117
118/* TODO 118/* TODO
119 - I have assumed that the first INIT is in the original direction. 119 - I have assumed that the first INIT is in the original direction.
120 This messes things when an INIT comes in the reply direction in CLOSED 120 This messes things when an INIT comes in the reply direction in CLOSED
121 state. 121 state.
122 - Check the error type in the reply dir before transitioning from 122 - Check the error type in the reply dir before transitioning from
123cookie echoed to closed. 123cookie echoed to closed.
124 - Sec 5.2.4 of RFC 2960 124 - Sec 5.2.4 of RFC 2960
125 - Multi Homing support. 125 - Multi Homing support.
@@ -237,7 +237,7 @@ static int do_basic_checks(struct nf_conn *conntrack,
237 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 237 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
238 DEBUGP("Chunk Num: %d Type: %d\n", count, sch->type); 238 DEBUGP("Chunk Num: %d Type: %d\n", count, sch->type);
239 239
240 if (sch->type == SCTP_CID_INIT 240 if (sch->type == SCTP_CID_INIT
241 || sch->type == SCTP_CID_INIT_ACK 241 || sch->type == SCTP_CID_INIT_ACK
242 || sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 242 || sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
243 flag = 1; 243 flag = 1;
@@ -277,42 +277,42 @@ static int new_state(enum ip_conntrack_dir dir,
277 DEBUGP("Chunk type: %d\n", chunk_type); 277 DEBUGP("Chunk type: %d\n", chunk_type);
278 278
279 switch (chunk_type) { 279 switch (chunk_type) {
280 case SCTP_CID_INIT: 280 case SCTP_CID_INIT:
281 DEBUGP("SCTP_CID_INIT\n"); 281 DEBUGP("SCTP_CID_INIT\n");
282 i = 0; break; 282 i = 0; break;
283 case SCTP_CID_INIT_ACK: 283 case SCTP_CID_INIT_ACK:
284 DEBUGP("SCTP_CID_INIT_ACK\n"); 284 DEBUGP("SCTP_CID_INIT_ACK\n");
285 i = 1; break; 285 i = 1; break;
286 case SCTP_CID_ABORT: 286 case SCTP_CID_ABORT:
287 DEBUGP("SCTP_CID_ABORT\n"); 287 DEBUGP("SCTP_CID_ABORT\n");
288 i = 2; break; 288 i = 2; break;
289 case SCTP_CID_SHUTDOWN: 289 case SCTP_CID_SHUTDOWN:
290 DEBUGP("SCTP_CID_SHUTDOWN\n"); 290 DEBUGP("SCTP_CID_SHUTDOWN\n");
291 i = 3; break; 291 i = 3; break;
292 case SCTP_CID_SHUTDOWN_ACK: 292 case SCTP_CID_SHUTDOWN_ACK:
293 DEBUGP("SCTP_CID_SHUTDOWN_ACK\n"); 293 DEBUGP("SCTP_CID_SHUTDOWN_ACK\n");
294 i = 4; break; 294 i = 4; break;
295 case SCTP_CID_ERROR: 295 case SCTP_CID_ERROR:
296 DEBUGP("SCTP_CID_ERROR\n"); 296 DEBUGP("SCTP_CID_ERROR\n");
297 i = 5; break; 297 i = 5; break;
298 case SCTP_CID_COOKIE_ECHO: 298 case SCTP_CID_COOKIE_ECHO:
299 DEBUGP("SCTP_CID_COOKIE_ECHO\n"); 299 DEBUGP("SCTP_CID_COOKIE_ECHO\n");
300 i = 6; break; 300 i = 6; break;
301 case SCTP_CID_COOKIE_ACK: 301 case SCTP_CID_COOKIE_ACK:
302 DEBUGP("SCTP_CID_COOKIE_ACK\n"); 302 DEBUGP("SCTP_CID_COOKIE_ACK\n");
303 i = 7; break; 303 i = 7; break;
304 case SCTP_CID_SHUTDOWN_COMPLETE: 304 case SCTP_CID_SHUTDOWN_COMPLETE:
305 DEBUGP("SCTP_CID_SHUTDOWN_COMPLETE\n"); 305 DEBUGP("SCTP_CID_SHUTDOWN_COMPLETE\n");
306 i = 8; break; 306 i = 8; break;
307 default: 307 default:
308 /* Other chunks like DATA, SACK, HEARTBEAT and 308 /* Other chunks like DATA, SACK, HEARTBEAT and
309 its ACK do not cause a change in state */ 309 its ACK do not cause a change in state */
310 DEBUGP("Unknown chunk type, Will stay in %s\n", 310 DEBUGP("Unknown chunk type, Will stay in %s\n",
311 sctp_conntrack_names[cur_state]); 311 sctp_conntrack_names[cur_state]);
312 return cur_state; 312 return cur_state;
313 } 313 }
314 314
315 DEBUGP("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", 315 DEBUGP("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
316 dir, sctp_conntrack_names[cur_state], chunk_type, 316 dir, sctp_conntrack_names[cur_state], chunk_type,
317 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); 317 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
318 318
@@ -377,7 +377,7 @@ static int sctp_packet(struct nf_conn *conntrack,
377 /* Sec 8.5.1 (C) */ 377 /* Sec 8.5.1 (C) */
378 if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) 378 if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])
379 && !(sh->vtag == conntrack->proto.sctp.vtag 379 && !(sh->vtag == conntrack->proto.sctp.vtag
380 [1 - CTINFO2DIR(ctinfo)] 380 [1 - CTINFO2DIR(ctinfo)]
381 && (sch->flags & 1))) { 381 && (sch->flags & 1))) {
382 write_unlock_bh(&sctp_lock); 382 write_unlock_bh(&sctp_lock);
383 return -1; 383 return -1;
@@ -402,17 +402,17 @@ static int sctp_packet(struct nf_conn *conntrack,
402 } 402 }
403 403
404 /* If it is an INIT or an INIT ACK note down the vtag */ 404 /* If it is an INIT or an INIT ACK note down the vtag */
405 if (sch->type == SCTP_CID_INIT 405 if (sch->type == SCTP_CID_INIT
406 || sch->type == SCTP_CID_INIT_ACK) { 406 || sch->type == SCTP_CID_INIT_ACK) {
407 sctp_inithdr_t _inithdr, *ih; 407 sctp_inithdr_t _inithdr, *ih;
408 408
409 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), 409 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
410 sizeof(_inithdr), &_inithdr); 410 sizeof(_inithdr), &_inithdr);
411 if (ih == NULL) { 411 if (ih == NULL) {
412 write_unlock_bh(&sctp_lock); 412 write_unlock_bh(&sctp_lock);
413 return -1; 413 return -1;
414 } 414 }
415 DEBUGP("Setting vtag %x for dir %d\n", 415 DEBUGP("Setting vtag %x for dir %d\n",
416 ih->init_tag, !CTINFO2DIR(ctinfo)); 416 ih->init_tag, !CTINFO2DIR(ctinfo));
417 conntrack->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag; 417 conntrack->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag;
418 } 418 }
@@ -466,7 +466,7 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
466 newconntrack = SCTP_CONNTRACK_MAX; 466 newconntrack = SCTP_CONNTRACK_MAX;
467 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 467 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
468 /* Don't need lock here: this conntrack not in circulation yet */ 468 /* Don't need lock here: this conntrack not in circulation yet */
469 newconntrack = new_state(IP_CT_DIR_ORIGINAL, 469 newconntrack = new_state(IP_CT_DIR_ORIGINAL,
470 SCTP_CONNTRACK_NONE, sch->type); 470 SCTP_CONNTRACK_NONE, sch->type);
471 471
472 /* Invalid: delete conntrack */ 472 /* Invalid: delete conntrack */
@@ -481,14 +481,14 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
481 sctp_inithdr_t _inithdr, *ih; 481 sctp_inithdr_t _inithdr, *ih;
482 482
483 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), 483 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
484 sizeof(_inithdr), &_inithdr); 484 sizeof(_inithdr), &_inithdr);
485 if (ih == NULL) 485 if (ih == NULL)
486 return 0; 486 return 0;
487 487
488 DEBUGP("Setting vtag %x for new conn\n", 488 DEBUGP("Setting vtag %x for new conn\n",
489 ih->init_tag); 489 ih->init_tag);
490 490
491 conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = 491 conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] =
492 ih->init_tag; 492 ih->init_tag;
493 } else { 493 } else {
494 /* Sec 8.5.1 (A) */ 494 /* Sec 8.5.1 (A) */
@@ -498,7 +498,7 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
498 /* If it is a shutdown ack OOTB packet, we expect a return 498 /* If it is a shutdown ack OOTB packet, we expect a return
499 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ 499 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
500 else { 500 else {
501 DEBUGP("Setting vtag %x for new conn OOTB\n", 501 DEBUGP("Setting vtag %x for new conn OOTB\n",
502 sh->vtag); 502 sh->vtag);
503 conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; 503 conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
504 } 504 }
@@ -698,7 +698,7 @@ int __init nf_conntrack_proto_sctp_init(void)
698 cleanup_sctp4: 698 cleanup_sctp4:
699 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4); 699 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
700 out: 700 out:
701 DEBUGP("SCTP conntrack module loading %s\n", 701 DEBUGP("SCTP conntrack module loading %s\n",
702 ret ? "failed": "succeeded"); 702 ret ? "failed": "succeeded");
703 return ret; 703 return ret;
704} 704}
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 6fccdcf43e08..c2884f9db07b 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -55,8 +55,8 @@
55/* Protects conntrack->proto.tcp */ 55/* Protects conntrack->proto.tcp */
56static DEFINE_RWLOCK(tcp_lock); 56static DEFINE_RWLOCK(tcp_lock);
57 57
58/* "Be conservative in what you do, 58/* "Be conservative in what you do,
59 be liberal in what you accept from others." 59 be liberal in what you accept from others."
60 If it's non-zero, we mark only out of window RST segments as INVALID. */ 60 If it's non-zero, we mark only out of window RST segments as INVALID. */
61int nf_ct_tcp_be_liberal __read_mostly = 0; 61int nf_ct_tcp_be_liberal __read_mostly = 0;
62 62
@@ -64,8 +64,8 @@ int nf_ct_tcp_be_liberal __read_mostly = 0;
64 connections. */ 64 connections. */
65int nf_ct_tcp_loose __read_mostly = 1; 65int nf_ct_tcp_loose __read_mostly = 1;
66 66
67/* Max number of the retransmitted packets without receiving an (acceptable) 67/* Max number of the retransmitted packets without receiving an (acceptable)
68 ACK from the destination. If this number is reached, a shorter timer 68 ACK from the destination. If this number is reached, a shorter timer
69 will be started. */ 69 will be started. */
70int nf_ct_tcp_max_retrans __read_mostly = 3; 70int nf_ct_tcp_max_retrans __read_mostly = 3;
71 71
@@ -84,7 +84,7 @@ static const char *tcp_conntrack_names[] = {
84 "CLOSE", 84 "CLOSE",
85 "LISTEN" 85 "LISTEN"
86}; 86};
87 87
88#define SECS * HZ 88#define SECS * HZ
89#define MINS * 60 SECS 89#define MINS * 60 SECS
90#define HOURS * 60 MINS 90#define HOURS * 60 MINS
@@ -100,10 +100,10 @@ static unsigned int nf_ct_tcp_timeout_time_wait __read_mostly = 2 MINS;
100static unsigned int nf_ct_tcp_timeout_close __read_mostly = 10 SECS; 100static unsigned int nf_ct_tcp_timeout_close __read_mostly = 10 SECS;
101 101
102/* RFC1122 says the R2 limit should be at least 100 seconds. 102/* RFC1122 says the R2 limit should be at least 100 seconds.
103 Linux uses 15 packets as limit, which corresponds 103 Linux uses 15 packets as limit, which corresponds
104 to ~13-30min depending on RTO. */ 104 to ~13-30min depending on RTO. */
105static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS; 105static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS;
106 106
107static unsigned int * tcp_timeouts[] = { 107static unsigned int * tcp_timeouts[] = {
108 NULL, /* TCP_CONNTRACK_NONE */ 108 NULL, /* TCP_CONNTRACK_NONE */
109 &nf_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */ 109 &nf_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */
@@ -116,7 +116,7 @@ static unsigned int * tcp_timeouts[] = {
116 &nf_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */ 116 &nf_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */
117 NULL, /* TCP_CONNTRACK_LISTEN */ 117 NULL, /* TCP_CONNTRACK_LISTEN */
118 }; 118 };
119 119
120#define sNO TCP_CONNTRACK_NONE 120#define sNO TCP_CONNTRACK_NONE
121#define sSS TCP_CONNTRACK_SYN_SENT 121#define sSS TCP_CONNTRACK_SYN_SENT
122#define sSR TCP_CONNTRACK_SYN_RECV 122#define sSR TCP_CONNTRACK_SYN_RECV
@@ -139,13 +139,13 @@ enum tcp_bit_set {
139 TCP_RST_SET, 139 TCP_RST_SET,
140 TCP_NONE_SET, 140 TCP_NONE_SET,
141}; 141};
142 142
143/* 143/*
144 * The TCP state transition table needs a few words... 144 * The TCP state transition table needs a few words...
145 * 145 *
146 * We are the man in the middle. All the packets go through us 146 * We are the man in the middle. All the packets go through us
147 * but might get lost in transit to the destination. 147 * but might get lost in transit to the destination.
148 * It is assumed that the destinations can't receive segments 148 * It is assumed that the destinations can't receive segments
149 * we haven't seen. 149 * we haven't seen.
150 * 150 *
151 * The checked segment is in window, but our windows are *not* 151 * The checked segment is in window, but our windows are *not*
@@ -155,11 +155,11 @@ enum tcp_bit_set {
155 * The meaning of the states are: 155 * The meaning of the states are:
156 * 156 *
157 * NONE: initial state 157 * NONE: initial state
158 * SYN_SENT: SYN-only packet seen 158 * SYN_SENT: SYN-only packet seen
159 * SYN_RECV: SYN-ACK packet seen 159 * SYN_RECV: SYN-ACK packet seen
160 * ESTABLISHED: ACK packet seen 160 * ESTABLISHED: ACK packet seen
161 * FIN_WAIT: FIN packet seen 161 * FIN_WAIT: FIN packet seen
162 * CLOSE_WAIT: ACK seen (after FIN) 162 * CLOSE_WAIT: ACK seen (after FIN)
163 * LAST_ACK: FIN seen (after FIN) 163 * LAST_ACK: FIN seen (after FIN)
164 * TIME_WAIT: last ACK seen 164 * TIME_WAIT: last ACK seen
165 * CLOSE: closed connection 165 * CLOSE: closed connection
@@ -167,8 +167,8 @@ enum tcp_bit_set {
167 * LISTEN state is not used. 167 * LISTEN state is not used.
168 * 168 *
169 * Packets marked as IGNORED (sIG): 169 * Packets marked as IGNORED (sIG):
170 * if they may be either invalid or valid 170 * if they may be either invalid or valid
171 * and the receiver may send back a connection 171 * and the receiver may send back a connection
172 * closing RST or a SYN/ACK. 172 * closing RST or a SYN/ACK.
173 * 173 *
174 * Packets marked as INVALID (sIV): 174 * Packets marked as INVALID (sIV):
@@ -185,7 +185,7 @@ static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
185 * sSS -> sSS Retransmitted SYN 185 * sSS -> sSS Retransmitted SYN
186 * sSR -> sIG Late retransmitted SYN? 186 * sSR -> sIG Late retransmitted SYN?
187 * sES -> sIG Error: SYNs in window outside the SYN_SENT state 187 * sES -> sIG Error: SYNs in window outside the SYN_SENT state
188 * are errors. Receiver will reply with RST 188 * are errors. Receiver will reply with RST
189 * and close the connection. 189 * and close the connection.
190 * Or we are not in sync and hold a dead connection. 190 * Or we are not in sync and hold a dead connection.
191 * sFW -> sIG 191 * sFW -> sIG
@@ -198,10 +198,10 @@ static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
198/*synack*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }, 198/*synack*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV },
199/* 199/*
200 * A SYN/ACK from the client is always invalid: 200 * A SYN/ACK from the client is always invalid:
201 * - either it tries to set up a simultaneous open, which is 201 * - either it tries to set up a simultaneous open, which is
202 * not supported; 202 * not supported;
203 * - or the firewall has just been inserted between the two hosts 203 * - or the firewall has just been inserted between the two hosts
204 * during the session set-up. The SYN will be retransmitted 204 * during the session set-up. The SYN will be retransmitted
205 * by the true client (or it'll time out). 205 * by the true client (or it'll time out).
206 */ 206 */
207/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */ 207/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
@@ -213,7 +213,7 @@ static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
213 * sSR -> sFW Close started. 213 * sSR -> sFW Close started.
214 * sES -> sFW 214 * sES -> sFW
215 * sFW -> sLA FIN seen in both directions, waiting for 215 * sFW -> sLA FIN seen in both directions, waiting for
216 * the last ACK. 216 * the last ACK.
217 * Migth be a retransmitted FIN as well... 217 * Migth be a retransmitted FIN as well...
218 * sCW -> sLA 218 * sCW -> sLA
219 * sLA -> sLA Retransmitted FIN. Remain in the same state. 219 * sLA -> sLA Retransmitted FIN. Remain in the same state.
@@ -291,7 +291,7 @@ static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
291/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */ 291/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
292/*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV }, 292/*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV },
293/*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV } 293/*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
294 } 294 }
295}; 295};
296 296
297static int tcp_pkt_to_tuple(const struct sk_buff *skb, 297static int tcp_pkt_to_tuple(const struct sk_buff *skb,
@@ -352,21 +352,21 @@ static unsigned int get_conntrack_index(const struct tcphdr *tcph)
352 352
353/* TCP connection tracking based on 'Real Stateful TCP Packet Filtering 353/* TCP connection tracking based on 'Real Stateful TCP Packet Filtering
354 in IP Filter' by Guido van Rooij. 354 in IP Filter' by Guido van Rooij.
355 355
356 http://www.nluug.nl/events/sane2000/papers.html 356 http://www.nluug.nl/events/sane2000/papers.html
357 http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz 357 http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz
358 358
359 The boundaries and the conditions are changed according to RFC793: 359 The boundaries and the conditions are changed according to RFC793:
360 the packet must intersect the window (i.e. segments may be 360 the packet must intersect the window (i.e. segments may be
361 after the right or before the left edge) and thus receivers may ACK 361 after the right or before the left edge) and thus receivers may ACK
362 segments after the right edge of the window. 362 segments after the right edge of the window.
363 363
364 td_maxend = max(sack + max(win,1)) seen in reply packets 364 td_maxend = max(sack + max(win,1)) seen in reply packets
365 td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets 365 td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets
366 td_maxwin += seq + len - sender.td_maxend 366 td_maxwin += seq + len - sender.td_maxend
367 if seq + len > sender.td_maxend 367 if seq + len > sender.td_maxend
368 td_end = max(seq + len) seen in sent packets 368 td_end = max(seq + len) seen in sent packets
369 369
370 I. Upper bound for valid data: seq <= sender.td_maxend 370 I. Upper bound for valid data: seq <= sender.td_maxend
371 II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin 371 II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin
372 III. Upper bound for valid ack: sack <= receiver.td_end 372 III. Upper bound for valid ack: sack <= receiver.td_end
@@ -374,8 +374,8 @@ static unsigned int get_conntrack_index(const struct tcphdr *tcph)
374 374
375 where sack is the highest right edge of sack block found in the packet. 375 where sack is the highest right edge of sack block found in the packet.
376 376
377 The upper bound limit for a valid ack is not ignored - 377 The upper bound limit for a valid ack is not ignored -
378 we doesn't have to deal with fragments. 378 we doesn't have to deal with fragments.
379*/ 379*/
380 380
381static inline __u32 segment_seq_plus_len(__u32 seq, 381static inline __u32 segment_seq_plus_len(__u32 seq,
@@ -388,19 +388,19 @@ static inline __u32 segment_seq_plus_len(__u32 seq,
388 return (seq + len - dataoff - tcph->doff*4 388 return (seq + len - dataoff - tcph->doff*4
389 + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0)); 389 + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0));
390} 390}
391 391
392/* Fixme: what about big packets? */ 392/* Fixme: what about big packets? */
393#define MAXACKWINCONST 66000 393#define MAXACKWINCONST 66000
394#define MAXACKWINDOW(sender) \ 394#define MAXACKWINDOW(sender) \
395 ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \ 395 ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \
396 : MAXACKWINCONST) 396 : MAXACKWINCONST)
397 397
398/* 398/*
399 * Simplified tcp_parse_options routine from tcp_input.c 399 * Simplified tcp_parse_options routine from tcp_input.c
400 */ 400 */
401static void tcp_options(const struct sk_buff *skb, 401static void tcp_options(const struct sk_buff *skb,
402 unsigned int dataoff, 402 unsigned int dataoff,
403 struct tcphdr *tcph, 403 struct tcphdr *tcph,
404 struct ip_ct_tcp_state *state) 404 struct ip_ct_tcp_state *state)
405{ 405{
406 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; 406 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
@@ -414,7 +414,7 @@ static void tcp_options(const struct sk_buff *skb,
414 length, buff); 414 length, buff);
415 BUG_ON(ptr == NULL); 415 BUG_ON(ptr == NULL);
416 416
417 state->td_scale = 417 state->td_scale =
418 state->flags = 0; 418 state->flags = 0;
419 419
420 while (length > 0) { 420 while (length > 0) {
@@ -434,7 +434,7 @@ static void tcp_options(const struct sk_buff *skb,
434 if (opsize > length) 434 if (opsize > length)
435 break; /* don't parse partial options */ 435 break; /* don't parse partial options */
436 436
437 if (opcode == TCPOPT_SACK_PERM 437 if (opcode == TCPOPT_SACK_PERM
438 && opsize == TCPOLEN_SACK_PERM) 438 && opsize == TCPOLEN_SACK_PERM)
439 state->flags |= IP_CT_TCP_FLAG_SACK_PERM; 439 state->flags |= IP_CT_TCP_FLAG_SACK_PERM;
440 else if (opcode == TCPOPT_WINDOW 440 else if (opcode == TCPOPT_WINDOW
@@ -457,7 +457,7 @@ static void tcp_options(const struct sk_buff *skb,
457static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, 457static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
458 struct tcphdr *tcph, __u32 *sack) 458 struct tcphdr *tcph, __u32 *sack)
459{ 459{
460 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; 460 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
461 unsigned char *ptr; 461 unsigned char *ptr;
462 int length = (tcph->doff*4) - sizeof(struct tcphdr); 462 int length = (tcph->doff*4) - sizeof(struct tcphdr);
463 __u32 tmp; 463 __u32 tmp;
@@ -472,10 +472,10 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
472 /* Fast path for timestamp-only option */ 472 /* Fast path for timestamp-only option */
473 if (length == TCPOLEN_TSTAMP_ALIGNED*4 473 if (length == TCPOLEN_TSTAMP_ALIGNED*4
474 && *(__be32 *)ptr == 474 && *(__be32 *)ptr ==
475 __constant_htonl((TCPOPT_NOP << 24) 475 __constant_htonl((TCPOPT_NOP << 24)
476 | (TCPOPT_NOP << 16) 476 | (TCPOPT_NOP << 16)
477 | (TCPOPT_TIMESTAMP << 8) 477 | (TCPOPT_TIMESTAMP << 8)
478 | TCPOLEN_TIMESTAMP)) 478 | TCPOLEN_TIMESTAMP))
479 return; 479 return;
480 480
481 while (length > 0) { 481 while (length > 0) {
@@ -495,15 +495,15 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
495 if (opsize > length) 495 if (opsize > length)
496 break; /* don't parse partial options */ 496 break; /* don't parse partial options */
497 497
498 if (opcode == TCPOPT_SACK 498 if (opcode == TCPOPT_SACK
499 && opsize >= (TCPOLEN_SACK_BASE 499 && opsize >= (TCPOLEN_SACK_BASE
500 + TCPOLEN_SACK_PERBLOCK) 500 + TCPOLEN_SACK_PERBLOCK)
501 && !((opsize - TCPOLEN_SACK_BASE) 501 && !((opsize - TCPOLEN_SACK_BASE)
502 % TCPOLEN_SACK_PERBLOCK)) { 502 % TCPOLEN_SACK_PERBLOCK)) {
503 for (i = 0; 503 for (i = 0;
504 i < (opsize - TCPOLEN_SACK_BASE); 504 i < (opsize - TCPOLEN_SACK_BASE);
505 i += TCPOLEN_SACK_PERBLOCK) { 505 i += TCPOLEN_SACK_PERBLOCK) {
506 tmp = ntohl(*((__be32 *)(ptr+i)+1)); 506 tmp = ntohl(*((__be32 *)(ptr+i)+1));
507 507
508 if (after(tmp, *sack)) 508 if (after(tmp, *sack))
509 *sack = tmp; 509 *sack = tmp;
@@ -516,12 +516,12 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
516 } 516 }
517} 517}
518 518
519static int tcp_in_window(struct ip_ct_tcp *state, 519static int tcp_in_window(struct ip_ct_tcp *state,
520 enum ip_conntrack_dir dir, 520 enum ip_conntrack_dir dir,
521 unsigned int index, 521 unsigned int index,
522 const struct sk_buff *skb, 522 const struct sk_buff *skb,
523 unsigned int dataoff, 523 unsigned int dataoff,
524 struct tcphdr *tcph, 524 struct tcphdr *tcph,
525 int pf) 525 int pf)
526{ 526{
527 struct ip_ct_tcp_state *sender = &state->seen[dir]; 527 struct ip_ct_tcp_state *sender = &state->seen[dir];
@@ -543,14 +543,14 @@ static int tcp_in_window(struct ip_ct_tcp *state,
543 DEBUGP("tcp_in_window: START\n"); 543 DEBUGP("tcp_in_window: START\n");
544 DEBUGP("tcp_in_window: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu " 544 DEBUGP("tcp_in_window: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu "
545 "seq=%u ack=%u sack=%u win=%u end=%u\n", 545 "seq=%u ack=%u sack=%u win=%u end=%u\n",
546 NIPQUAD(iph->saddr), ntohs(tcph->source), 546 NIPQUAD(iph->saddr), ntohs(tcph->source),
547 NIPQUAD(iph->daddr), ntohs(tcph->dest), 547 NIPQUAD(iph->daddr), ntohs(tcph->dest),
548 seq, ack, sack, win, end); 548 seq, ack, sack, win, end);
549 DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " 549 DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
550 "receiver end=%u maxend=%u maxwin=%u scale=%i\n", 550 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
551 sender->td_end, sender->td_maxend, sender->td_maxwin, 551 sender->td_end, sender->td_maxend, sender->td_maxwin,
552 sender->td_scale, 552 sender->td_scale,
553 receiver->td_end, receiver->td_maxend, receiver->td_maxwin, 553 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
554 receiver->td_scale); 554 receiver->td_scale);
555 555
556 if (sender->td_end == 0) { 556 if (sender->td_end == 0) {
@@ -561,26 +561,26 @@ static int tcp_in_window(struct ip_ct_tcp *state,
561 /* 561 /*
562 * Outgoing SYN-ACK in reply to a SYN. 562 * Outgoing SYN-ACK in reply to a SYN.
563 */ 563 */
564 sender->td_end = 564 sender->td_end =
565 sender->td_maxend = end; 565 sender->td_maxend = end;
566 sender->td_maxwin = (win == 0 ? 1 : win); 566 sender->td_maxwin = (win == 0 ? 1 : win);
567 567
568 tcp_options(skb, dataoff, tcph, sender); 568 tcp_options(skb, dataoff, tcph, sender);
569 /* 569 /*
570 * RFC 1323: 570 * RFC 1323:
571 * Both sides must send the Window Scale option 571 * Both sides must send the Window Scale option
572 * to enable window scaling in either direction. 572 * to enable window scaling in either direction.
573 */ 573 */
574 if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE 574 if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE
575 && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE)) 575 && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE))
576 sender->td_scale = 576 sender->td_scale =
577 receiver->td_scale = 0; 577 receiver->td_scale = 0;
578 } else { 578 } else {
579 /* 579 /*
580 * We are in the middle of a connection, 580 * We are in the middle of a connection,
581 * its history is lost for us. 581 * its history is lost for us.
582 * Let's try to use the data from the packet. 582 * Let's try to use the data from the packet.
583 */ 583 */
584 sender->td_end = end; 584 sender->td_end = end;
585 sender->td_maxwin = (win == 0 ? 1 : win); 585 sender->td_maxwin = (win == 0 ? 1 : win);
586 sender->td_maxend = end + sender->td_maxwin; 586 sender->td_maxend = end + sender->td_maxwin;
@@ -592,7 +592,7 @@ static int tcp_in_window(struct ip_ct_tcp *state,
592 && after(end, sender->td_end)) { 592 && after(end, sender->td_end)) {
593 /* 593 /*
594 * RFC 793: "if a TCP is reinitialized ... then it need 594 * RFC 793: "if a TCP is reinitialized ... then it need
595 * not wait at all; it must only be sure to use sequence 595 * not wait at all; it must only be sure to use sequence
596 * numbers larger than those recently used." 596 * numbers larger than those recently used."
597 */ 597 */
598 sender->td_end = 598 sender->td_end =
@@ -607,8 +607,8 @@ static int tcp_in_window(struct ip_ct_tcp *state,
607 * If there is no ACK, just pretend it was set and OK. 607 * If there is no ACK, just pretend it was set and OK.
608 */ 608 */
609 ack = sack = receiver->td_end; 609 ack = sack = receiver->td_end;
610 } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) == 610 } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) ==
611 (TCP_FLAG_ACK|TCP_FLAG_RST)) 611 (TCP_FLAG_ACK|TCP_FLAG_RST))
612 && (ack == 0)) { 612 && (ack == 0)) {
613 /* 613 /*
614 * Broken TCP stacks, that set ACK in RST packets as well 614 * Broken TCP stacks, that set ACK in RST packets as well
@@ -637,21 +637,21 @@ static int tcp_in_window(struct ip_ct_tcp *state,
637 DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " 637 DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
638 "receiver end=%u maxend=%u maxwin=%u scale=%i\n", 638 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
639 sender->td_end, sender->td_maxend, sender->td_maxwin, 639 sender->td_end, sender->td_maxend, sender->td_maxwin,
640 sender->td_scale, 640 sender->td_scale,
641 receiver->td_end, receiver->td_maxend, receiver->td_maxwin, 641 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
642 receiver->td_scale); 642 receiver->td_scale);
643 643
644 DEBUGP("tcp_in_window: I=%i II=%i III=%i IV=%i\n", 644 DEBUGP("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
645 before(seq, sender->td_maxend + 1), 645 before(seq, sender->td_maxend + 1),
646 after(end, sender->td_end - receiver->td_maxwin - 1), 646 after(end, sender->td_end - receiver->td_maxwin - 1),
647 before(sack, receiver->td_end + 1), 647 before(sack, receiver->td_end + 1),
648 after(ack, receiver->td_end - MAXACKWINDOW(sender))); 648 after(ack, receiver->td_end - MAXACKWINDOW(sender)));
649 649
650 if (before(seq, sender->td_maxend + 1) && 650 if (before(seq, sender->td_maxend + 1) &&
651 after(end, sender->td_end - receiver->td_maxwin - 1) && 651 after(end, sender->td_end - receiver->td_maxwin - 1) &&
652 before(sack, receiver->td_end + 1) && 652 before(sack, receiver->td_end + 1) &&
653 after(ack, receiver->td_end - MAXACKWINDOW(sender))) { 653 after(ack, receiver->td_end - MAXACKWINDOW(sender))) {
654 /* 654 /*
655 * Take into account window scaling (RFC 1323). 655 * Take into account window scaling (RFC 1323).
656 */ 656 */
657 if (!tcph->syn) 657 if (!tcph->syn)
@@ -676,7 +676,7 @@ static int tcp_in_window(struct ip_ct_tcp *state,
676 receiver->td_maxend++; 676 receiver->td_maxend++;
677 } 677 }
678 678
679 /* 679 /*
680 * Check retransmissions. 680 * Check retransmissions.
681 */ 681 */
682 if (index == TCP_ACK_SET) { 682 if (index == TCP_ACK_SET) {
@@ -712,11 +712,11 @@ static int tcp_in_window(struct ip_ct_tcp *state,
712 : "ACK is over the upper bound (ACKed data not seen yet)" 712 : "ACK is over the upper bound (ACKed data not seen yet)"
713 : "SEQ is under the lower bound (already ACKed data retransmitted)" 713 : "SEQ is under the lower bound (already ACKed data retransmitted)"
714 : "SEQ is over the upper bound (over the window of the receiver)"); 714 : "SEQ is over the upper bound (over the window of the receiver)");
715 } 715 }
716 716
717 DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u " 717 DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u "
718 "receiver end=%u maxend=%u maxwin=%u\n", 718 "receiver end=%u maxend=%u maxwin=%u\n",
719 res, sender->td_end, sender->td_maxend, sender->td_maxwin, 719 res, sender->td_end, sender->td_maxend, sender->td_maxwin,
720 receiver->td_end, receiver->td_maxend, receiver->td_maxwin); 720 receiver->td_end, receiver->td_maxend, receiver->td_maxwin);
721 721
722 return res; 722 return res;
@@ -727,7 +727,7 @@ static int tcp_in_window(struct ip_ct_tcp *state,
727/* Caller must linearize skb at tcp header. */ 727/* Caller must linearize skb at tcp header. */
728void nf_conntrack_tcp_update(struct sk_buff *skb, 728void nf_conntrack_tcp_update(struct sk_buff *skb,
729 unsigned int dataoff, 729 unsigned int dataoff,
730 struct nf_conn *conntrack, 730 struct nf_conn *conntrack,
731 int dir) 731 int dir)
732{ 732{
733 struct tcphdr *tcph = (void *)skb->data + dataoff; 733 struct tcphdr *tcph = (void *)skb->data + dataoff;
@@ -750,7 +750,7 @@ void nf_conntrack_tcp_update(struct sk_buff *skb,
750 DEBUGP("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i " 750 DEBUGP("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i "
751 "receiver end=%u maxend=%u maxwin=%u scale=%i\n", 751 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
752 sender->td_end, sender->td_maxend, sender->td_maxwin, 752 sender->td_end, sender->td_maxend, sender->td_maxwin,
753 sender->td_scale, 753 sender->td_scale,
754 receiver->td_end, receiver->td_maxend, receiver->td_maxwin, 754 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
755 receiver->td_scale); 755 receiver->td_scale);
756} 756}
@@ -804,8 +804,8 @@ static int tcp_error(struct sk_buff *skb,
804 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 804 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
805 "nf_ct_tcp: short packet "); 805 "nf_ct_tcp: short packet ");
806 return -NF_ACCEPT; 806 return -NF_ACCEPT;
807 } 807 }
808 808
809 /* Not whole TCP header or malformed packet */ 809 /* Not whole TCP header or malformed packet */
810 if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) { 810 if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
811 if (LOG_INVALID(IPPROTO_TCP)) 811 if (LOG_INVALID(IPPROTO_TCP))
@@ -813,7 +813,7 @@ static int tcp_error(struct sk_buff *skb,
813 "nf_ct_tcp: truncated/malformed packet "); 813 "nf_ct_tcp: truncated/malformed packet ");
814 return -NF_ACCEPT; 814 return -NF_ACCEPT;
815 } 815 }
816 816
817 /* Checksum invalid? Ignore. 817 /* Checksum invalid? Ignore.
818 * We skip checking packets on the outgoing path 818 * We skip checking packets on the outgoing path
819 * because the checksum is assumed to be correct. 819 * because the checksum is assumed to be correct.
@@ -870,28 +870,28 @@ static int tcp_packet(struct nf_conn *conntrack,
870 * 870 *
871 * a) SYN in ORIGINAL 871 * a) SYN in ORIGINAL
872 * b) SYN/ACK in REPLY 872 * b) SYN/ACK in REPLY
873 * c) ACK in reply direction after initial SYN in original. 873 * c) ACK in reply direction after initial SYN in original.
874 */ 874 */
875 if (index == TCP_SYNACK_SET 875 if (index == TCP_SYNACK_SET
876 && conntrack->proto.tcp.last_index == TCP_SYN_SET 876 && conntrack->proto.tcp.last_index == TCP_SYN_SET
877 && conntrack->proto.tcp.last_dir != dir 877 && conntrack->proto.tcp.last_dir != dir
878 && ntohl(th->ack_seq) == 878 && ntohl(th->ack_seq) ==
879 conntrack->proto.tcp.last_end) { 879 conntrack->proto.tcp.last_end) {
880 /* This SYN/ACK acknowledges a SYN that we earlier 880 /* This SYN/ACK acknowledges a SYN that we earlier
881 * ignored as invalid. This means that the client and 881 * ignored as invalid. This means that the client and
882 * the server are both in sync, while the firewall is 882 * the server are both in sync, while the firewall is
883 * not. We kill this session and block the SYN/ACK so 883 * not. We kill this session and block the SYN/ACK so
884 * that the client cannot but retransmit its SYN and 884 * that the client cannot but retransmit its SYN and
885 * thus initiate a clean new session. 885 * thus initiate a clean new session.
886 */ 886 */
887 write_unlock_bh(&tcp_lock); 887 write_unlock_bh(&tcp_lock);
888 if (LOG_INVALID(IPPROTO_TCP)) 888 if (LOG_INVALID(IPPROTO_TCP))
889 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 889 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
890 "nf_ct_tcp: killing out of sync session "); 890 "nf_ct_tcp: killing out of sync session ");
891 if (del_timer(&conntrack->timeout)) 891 if (del_timer(&conntrack->timeout))
892 conntrack->timeout.function((unsigned long) 892 conntrack->timeout.function((unsigned long)
893 conntrack); 893 conntrack);
894 return -NF_DROP; 894 return -NF_DROP;
895 } 895 }
896 conntrack->proto.tcp.last_index = index; 896 conntrack->proto.tcp.last_index = index;
897 conntrack->proto.tcp.last_dir = dir; 897 conntrack->proto.tcp.last_dir = dir;
@@ -921,13 +921,13 @@ static int tcp_packet(struct nf_conn *conntrack,
921 IP_CT_TCP_FLAG_CLOSE_INIT) 921 IP_CT_TCP_FLAG_CLOSE_INIT)
922 || after(ntohl(th->seq), 922 || after(ntohl(th->seq),
923 conntrack->proto.tcp.seen[dir].td_end)) { 923 conntrack->proto.tcp.seen[dir].td_end)) {
924 /* Attempt to reopen a closed connection. 924 /* Attempt to reopen a closed connection.
925 * Delete this connection and look up again. */ 925 * Delete this connection and look up again. */
926 write_unlock_bh(&tcp_lock); 926 write_unlock_bh(&tcp_lock);
927 if (del_timer(&conntrack->timeout)) 927 if (del_timer(&conntrack->timeout))
928 conntrack->timeout.function((unsigned long) 928 conntrack->timeout.function((unsigned long)
929 conntrack); 929 conntrack);
930 return -NF_REPEAT; 930 return -NF_REPEAT;
931 } else { 931 } else {
932 write_unlock_bh(&tcp_lock); 932 write_unlock_bh(&tcp_lock);
933 if (LOG_INVALID(IPPROTO_TCP)) 933 if (LOG_INVALID(IPPROTO_TCP))
@@ -938,9 +938,9 @@ static int tcp_packet(struct nf_conn *conntrack,
938 case TCP_CONNTRACK_CLOSE: 938 case TCP_CONNTRACK_CLOSE:
939 if (index == TCP_RST_SET 939 if (index == TCP_RST_SET
940 && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) 940 && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
941 && conntrack->proto.tcp.last_index == TCP_SYN_SET) 941 && conntrack->proto.tcp.last_index == TCP_SYN_SET)
942 || (!test_bit(IPS_ASSURED_BIT, &conntrack->status) 942 || (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
943 && conntrack->proto.tcp.last_index == TCP_ACK_SET)) 943 && conntrack->proto.tcp.last_index == TCP_ACK_SET))
944 && ntohl(th->ack_seq) == conntrack->proto.tcp.last_end) { 944 && ntohl(th->ack_seq) == conntrack->proto.tcp.last_end) {
945 /* RST sent to invalid SYN or ACK we had let through 945 /* RST sent to invalid SYN or ACK we had let through
946 * at a) and c) above: 946 * at a) and c) above:
@@ -1005,8 +1005,8 @@ static int tcp_packet(struct nf_conn *conntrack,
1005 && (old_state == TCP_CONNTRACK_SYN_RECV 1005 && (old_state == TCP_CONNTRACK_SYN_RECV
1006 || old_state == TCP_CONNTRACK_ESTABLISHED) 1006 || old_state == TCP_CONNTRACK_ESTABLISHED)
1007 && new_state == TCP_CONNTRACK_ESTABLISHED) { 1007 && new_state == TCP_CONNTRACK_ESTABLISHED) {
1008 /* Set ASSURED if we see see valid ack in ESTABLISHED 1008 /* Set ASSURED if we see see valid ack in ESTABLISHED
1009 after SYN_RECV or a valid answer for a picked up 1009 after SYN_RECV or a valid answer for a picked up
1010 connection. */ 1010 connection. */
1011 set_bit(IPS_ASSURED_BIT, &conntrack->status); 1011 set_bit(IPS_ASSURED_BIT, &conntrack->status);
1012 nf_conntrack_event_cache(IPCT_STATUS, skb); 1012 nf_conntrack_event_cache(IPCT_STATUS, skb);
@@ -1015,7 +1015,7 @@ static int tcp_packet(struct nf_conn *conntrack,
1015 1015
1016 return NF_ACCEPT; 1016 return NF_ACCEPT;
1017} 1017}
1018 1018
1019/* Called when a new connection for this protocol found. */ 1019/* Called when a new connection for this protocol found. */
1020static int tcp_new(struct nf_conn *conntrack, 1020static int tcp_new(struct nf_conn *conntrack,
1021 const struct sk_buff *skb, 1021 const struct sk_buff *skb,
@@ -1071,7 +1071,7 @@ static int tcp_new(struct nf_conn *conntrack,
1071 if (conntrack->proto.tcp.seen[0].td_maxwin == 0) 1071 if (conntrack->proto.tcp.seen[0].td_maxwin == 0)
1072 conntrack->proto.tcp.seen[0].td_maxwin = 1; 1072 conntrack->proto.tcp.seen[0].td_maxwin = 1;
1073 conntrack->proto.tcp.seen[0].td_maxend = 1073 conntrack->proto.tcp.seen[0].td_maxend =
1074 conntrack->proto.tcp.seen[0].td_end + 1074 conntrack->proto.tcp.seen[0].td_end +
1075 conntrack->proto.tcp.seen[0].td_maxwin; 1075 conntrack->proto.tcp.seen[0].td_maxwin;
1076 conntrack->proto.tcp.seen[0].td_scale = 0; 1076 conntrack->proto.tcp.seen[0].td_scale = 0;
1077 1077
@@ -1081,20 +1081,20 @@ static int tcp_new(struct nf_conn *conntrack,
1081 conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | 1081 conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM |
1082 IP_CT_TCP_FLAG_BE_LIBERAL; 1082 IP_CT_TCP_FLAG_BE_LIBERAL;
1083 } 1083 }
1084 1084
1085 conntrack->proto.tcp.seen[1].td_end = 0; 1085 conntrack->proto.tcp.seen[1].td_end = 0;
1086 conntrack->proto.tcp.seen[1].td_maxend = 0; 1086 conntrack->proto.tcp.seen[1].td_maxend = 0;
1087 conntrack->proto.tcp.seen[1].td_maxwin = 1; 1087 conntrack->proto.tcp.seen[1].td_maxwin = 1;
1088 conntrack->proto.tcp.seen[1].td_scale = 0; 1088 conntrack->proto.tcp.seen[1].td_scale = 0;
1089 1089
1090 /* tcp_packet will set them */ 1090 /* tcp_packet will set them */
1091 conntrack->proto.tcp.state = TCP_CONNTRACK_NONE; 1091 conntrack->proto.tcp.state = TCP_CONNTRACK_NONE;
1092 conntrack->proto.tcp.last_index = TCP_NONE_SET; 1092 conntrack->proto.tcp.last_index = TCP_NONE_SET;
1093 1093
1094 DEBUGP("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i " 1094 DEBUGP("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
1095 "receiver end=%u maxend=%u maxwin=%u scale=%i\n", 1095 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
1096 sender->td_end, sender->td_maxend, sender->td_maxwin, 1096 sender->td_end, sender->td_maxend, sender->td_maxwin,
1097 sender->td_scale, 1097 sender->td_scale,
1098 receiver->td_end, receiver->td_maxend, receiver->td_maxwin, 1098 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
1099 receiver->td_scale); 1099 receiver->td_scale);
1100 return 1; 1100 return 1;
@@ -1110,7 +1110,7 @@ static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa,
1110 const struct nf_conn *ct) 1110 const struct nf_conn *ct)
1111{ 1111{
1112 struct nfattr *nest_parms; 1112 struct nfattr *nest_parms;
1113 1113
1114 read_lock_bh(&tcp_lock); 1114 read_lock_bh(&tcp_lock);
1115 nest_parms = NFA_NEST(skb, CTA_PROTOINFO_TCP); 1115 nest_parms = NFA_NEST(skb, CTA_PROTOINFO_TCP);
1116 NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t), 1116 NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t),
@@ -1140,7 +1140,7 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct nf_conn *ct)
1140 if (!attr) 1140 if (!attr)
1141 return 0; 1141 return 0;
1142 1142
1143 nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr); 1143 nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr);
1144 1144
1145 if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp)) 1145 if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp))
1146 return -EINVAL; 1146 return -EINVAL;
@@ -1149,7 +1149,7 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct nf_conn *ct)
1149 return -EINVAL; 1149 return -EINVAL;
1150 1150
1151 write_lock_bh(&tcp_lock); 1151 write_lock_bh(&tcp_lock);
1152 ct->proto.tcp.state = 1152 ct->proto.tcp.state =
1153 *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); 1153 *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]);
1154 write_unlock_bh(&tcp_lock); 1154 write_unlock_bh(&tcp_lock);
1155 1155
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 9dec11534678..7aaa8c91b293 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -341,7 +341,7 @@ int ct_sip_get_info(struct nf_conn *ct,
341 continue; 341 continue;
342 } 342 }
343 aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen, 343 aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
344 ct_sip_lnlen(dptr, limit), 344 ct_sip_lnlen(dptr, limit),
345 hnfo->case_sensitive); 345 hnfo->case_sensitive);
346 if (!aux) { 346 if (!aux) {
347 DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str, 347 DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str,
@@ -451,12 +451,12 @@ static int sip_help(struct sk_buff **pskb,
451 451
452 /* We'll drop only if there are parse problems. */ 452 /* We'll drop only if there are parse problems. */
453 if (!parse_addr(ct, dptr + matchoff, NULL, &addr, 453 if (!parse_addr(ct, dptr + matchoff, NULL, &addr,
454 dptr + datalen)) { 454 dptr + datalen)) {
455 ret = NF_DROP; 455 ret = NF_DROP;
456 goto out; 456 goto out;
457 } 457 }
458 if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen, 458 if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen,
459 POS_MEDIA) > 0) { 459 POS_MEDIA) > 0) {
460 460
461 port = simple_strtoul(dptr + matchoff, NULL, 10); 461 port = simple_strtoul(dptr + matchoff, NULL, 10);
462 if (port < 1024) { 462 if (port < 1024) {
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 04ac12431db7..a0bba481d70d 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -472,7 +472,7 @@ static int __init nf_conntrack_standalone_init(void)
472static void __exit nf_conntrack_standalone_fini(void) 472static void __exit nf_conntrack_standalone_fini(void)
473{ 473{
474#ifdef CONFIG_SYSCTL 474#ifdef CONFIG_SYSCTL
475 unregister_sysctl_table(nf_ct_sysctl_header); 475 unregister_sysctl_table(nf_ct_sysctl_header);
476#endif 476#endif
477#ifdef CONFIG_PROC_FS 477#ifdef CONFIG_PROC_FS
478 remove_proc_entry("nf_conntrack", proc_net_stat); 478 remove_proc_entry("nf_conntrack", proc_net_stat);
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index f5bffe24b0a5..37c4542e3112 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -31,7 +31,7 @@ MODULE_PARM_DESC(ports, "Port numbers of TFTP servers");
31 31
32#if 0 32#if 0
33#define DEBUGP(format, args...) printk("%s:%s:" format, \ 33#define DEBUGP(format, args...) printk("%s:%s:" format, \
34 __FILE__, __FUNCTION__ , ## args) 34 __FILE__, __FUNCTION__ , ## args)
35#else 35#else
36#define DEBUGP(format, args...) 36#define DEBUGP(format, args...)
37#endif 37#endif
diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
index a981971ce1d5..0df7fff196a7 100644
--- a/net/netfilter/nf_internals.h
+++ b/net/netfilter/nf_internals.h
@@ -24,7 +24,7 @@ extern unsigned int nf_iterate(struct list_head *head,
24 24
25/* nf_queue.c */ 25/* nf_queue.c */
26extern int nf_queue(struct sk_buff *skb, 26extern int nf_queue(struct sk_buff *skb,
27 struct list_head *elem, 27 struct list_head *elem,
28 int pf, unsigned int hook, 28 int pf, unsigned int hook,
29 struct net_device *indev, 29 struct net_device *indev,
30 struct net_device *outdev, 30 struct net_device *outdev,
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index c48aab50341d..91b220cf5a1f 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -41,7 +41,7 @@ int nf_log_register(int pf, struct nf_logger *logger)
41 41
42 mutex_unlock(&nf_log_mutex); 42 mutex_unlock(&nf_log_mutex);
43 return ret; 43 return ret;
44} 44}
45EXPORT_SYMBOL(nf_log_register); 45EXPORT_SYMBOL(nf_log_register);
46 46
47void nf_log_unregister_pf(int pf) 47void nf_log_unregister_pf(int pf)
@@ -83,7 +83,7 @@ void nf_log_packet(int pf,
83 va_list args; 83 va_list args;
84 char prefix[NF_LOG_PREFIXLEN]; 84 char prefix[NF_LOG_PREFIXLEN];
85 struct nf_logger *logger; 85 struct nf_logger *logger;
86 86
87 rcu_read_lock(); 87 rcu_read_lock();
88 logger = rcu_dereference(nf_loggers[pf]); 88 logger = rcu_dereference(nf_loggers[pf]);
89 if (logger) { 89 if (logger) {
@@ -136,7 +136,7 @@ static int seq_show(struct seq_file *s, void *v)
136 136
137 if (!logger) 137 if (!logger)
138 return seq_printf(s, "%2lld NONE\n", *pos); 138 return seq_printf(s, "%2lld NONE\n", *pos);
139 139
140 return seq_printf(s, "%2lld %s\n", *pos, logger->name); 140 return seq_printf(s, "%2lld %s\n", *pos, logger->name);
141} 141}
142 142
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index e136fea1db22..b1f2ace96f6d 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -10,7 +10,7 @@
10 10
11#include "nf_internals.h" 11#include "nf_internals.h"
12 12
13/* 13/*
14 * A queue handler may be registered for each protocol. Each is protected by 14 * A queue handler may be registered for each protocol. Each is protected by
15 * long term mutex. The handler must provide an an outfn() to accept packets 15 * long term mutex. The handler must provide an an outfn() to accept packets
16 * for queueing and must reinject all packets it receives, no matter what. 16 * for queueing and must reinject all packets it receives, no matter what.
@@ -22,7 +22,7 @@ static DEFINE_RWLOCK(queue_handler_lock);
22/* return EBUSY when somebody else is registered, return EEXIST if the 22/* return EBUSY when somebody else is registered, return EEXIST if the
23 * same handler is registered, return 0 in case of success. */ 23 * same handler is registered, return 0 in case of success. */
24int nf_register_queue_handler(int pf, struct nf_queue_handler *qh) 24int nf_register_queue_handler(int pf, struct nf_queue_handler *qh)
25{ 25{
26 int ret; 26 int ret;
27 27
28 if (pf >= NPROTO) 28 if (pf >= NPROTO)
@@ -52,7 +52,7 @@ int nf_unregister_queue_handler(int pf)
52 write_lock_bh(&queue_handler_lock); 52 write_lock_bh(&queue_handler_lock);
53 queue_handler[pf] = NULL; 53 queue_handler[pf] = NULL;
54 write_unlock_bh(&queue_handler_lock); 54 write_unlock_bh(&queue_handler_lock);
55 55
56 return 0; 56 return 0;
57} 57}
58EXPORT_SYMBOL(nf_unregister_queue_handler); 58EXPORT_SYMBOL(nf_unregister_queue_handler);
@@ -70,8 +70,8 @@ void nf_unregister_queue_handlers(struct nf_queue_handler *qh)
70} 70}
71EXPORT_SYMBOL_GPL(nf_unregister_queue_handlers); 71EXPORT_SYMBOL_GPL(nf_unregister_queue_handlers);
72 72
73/* 73/*
74 * Any packet that leaves via this function must come back 74 * Any packet that leaves via this function must come back
75 * through nf_reinject(). 75 * through nf_reinject().
76 */ 76 */
77static int __nf_queue(struct sk_buff *skb, 77static int __nf_queue(struct sk_buff *skb,
@@ -115,7 +115,7 @@ static int __nf_queue(struct sk_buff *skb,
115 return 1; 115 return 1;
116 } 116 }
117 117
118 *info = (struct nf_info) { 118 *info = (struct nf_info) {
119 (struct nf_hook_ops *)elem, pf, hook, indev, outdev, okfn }; 119 (struct nf_hook_ops *)elem, pf, hook, indev, outdev, okfn };
120 120
121 /* If it's going away, ignore hook. */ 121 /* If it's going away, ignore hook. */
@@ -226,10 +226,10 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
226 module_put(info->elem->owner); 226 module_put(info->elem->owner);
227 227
228 list_for_each_rcu(i, &nf_hooks[info->pf][info->hook]) { 228 list_for_each_rcu(i, &nf_hooks[info->pf][info->hook]) {
229 if (i == elem) 229 if (i == elem)
230 break; 230 break;
231 } 231 }
232 232
233 if (i == &nf_hooks[info->pf][info->hook]) { 233 if (i == &nf_hooks[info->pf][info->hook]) {
234 /* The module which sent it to userspace is gone. */ 234 /* The module which sent it to userspace is gone. */
235 NFDEBUG("%s: module disappeared, dropping packet.\n", 235 NFDEBUG("%s: module disappeared, dropping packet.\n",
@@ -252,7 +252,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
252 if (verdict == NF_ACCEPT) { 252 if (verdict == NF_ACCEPT) {
253 next_hook: 253 next_hook:
254 verdict = nf_iterate(&nf_hooks[info->pf][info->hook], 254 verdict = nf_iterate(&nf_hooks[info->pf][info->hook],
255 &skb, info->hook, 255 &skb, info->hook,
256 info->indev, info->outdev, &elem, 256 info->indev, info->outdev, &elem,
257 info->okfn, INT_MIN); 257 info->okfn, INT_MIN);
258 } 258 }
diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index c2e44e90e437..8b8ece750313 100644
--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
@@ -32,13 +32,13 @@ int nf_register_sockopt(struct nf_sockopt_ops *reg)
32 list_for_each(i, &nf_sockopts) { 32 list_for_each(i, &nf_sockopts) {
33 struct nf_sockopt_ops *ops = (struct nf_sockopt_ops *)i; 33 struct nf_sockopt_ops *ops = (struct nf_sockopt_ops *)i;
34 if (ops->pf == reg->pf 34 if (ops->pf == reg->pf
35 && (overlap(ops->set_optmin, ops->set_optmax, 35 && (overlap(ops->set_optmin, ops->set_optmax,
36 reg->set_optmin, reg->set_optmax) 36 reg->set_optmin, reg->set_optmax)
37 || overlap(ops->get_optmin, ops->get_optmax, 37 || overlap(ops->get_optmin, ops->get_optmax,
38 reg->get_optmin, reg->get_optmax))) { 38 reg->get_optmin, reg->get_optmax))) {
39 NFDEBUG("nf_sock overlap: %u-%u/%u-%u v %u-%u/%u-%u\n", 39 NFDEBUG("nf_sock overlap: %u-%u/%u-%u v %u-%u/%u-%u\n",
40 ops->set_optmin, ops->set_optmax, 40 ops->set_optmin, ops->set_optmax,
41 ops->get_optmin, ops->get_optmax, 41 ops->get_optmin, ops->get_optmax,
42 reg->set_optmin, reg->set_optmax, 42 reg->set_optmin, reg->set_optmax,
43 reg->get_optmin, reg->get_optmax); 43 reg->get_optmin, reg->get_optmax);
44 ret = -EBUSY; 44 ret = -EBUSY;
@@ -73,7 +73,7 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg)
73EXPORT_SYMBOL(nf_unregister_sockopt); 73EXPORT_SYMBOL(nf_unregister_sockopt);
74 74
75/* Call get/setsockopt() */ 75/* Call get/setsockopt() */
76static int nf_sockopt(struct sock *sk, int pf, int val, 76static int nf_sockopt(struct sock *sk, int pf, int val,
77 char __user *opt, int *len, int get) 77 char __user *opt, int *len, int get)
78{ 78{
79 struct list_head *i; 79 struct list_head *i;
@@ -107,7 +107,7 @@ static int nf_sockopt(struct sock *sk, int pf, int val,
107 } 107 }
108 mutex_unlock(&nf_sockopt_mutex); 108 mutex_unlock(&nf_sockopt_mutex);
109 return -ENOPROTOOPT; 109 return -ENOPROTOOPT;
110 110
111 out: 111 out:
112 mutex_lock(&nf_sockopt_mutex); 112 mutex_lock(&nf_sockopt_mutex);
113 ops->use--; 113 ops->use--;
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 52fdfa2686c9..f42bb1366007 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -105,7 +105,7 @@ static inline struct nfnl_callback *
105nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss) 105nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss)
106{ 106{
107 u_int8_t cb_id = NFNL_MSG_TYPE(type); 107 u_int8_t cb_id = NFNL_MSG_TYPE(type);
108 108
109 if (cb_id >= ss->cb_count) { 109 if (cb_id >= ss->cb_count) {
110 DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count); 110 DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count);
111 return NULL; 111 return NULL;
@@ -187,7 +187,7 @@ nfnetlink_check_attributes(struct nfnetlink_subsystem *subsys,
187 /* implicit: if nlmsg_len == min_len, we return 0, and an empty 187 /* implicit: if nlmsg_len == min_len, we return 0, and an empty
188 * (zeroed) cda[] array. The message is valid, but empty. */ 188 * (zeroed) cda[] array. The message is valid, but empty. */
189 189
190 return 0; 190 return 0;
191} 191}
192 192
193int nfnetlink_has_listeners(unsigned int group) 193int nfnetlink_has_listeners(unsigned int group)
@@ -268,12 +268,12 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb,
268 } 268 }
269 269
270 { 270 {
271 u_int16_t attr_count = 271 u_int16_t attr_count =
272 ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count; 272 ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count;
273 struct nfattr *cda[attr_count]; 273 struct nfattr *cda[attr_count];
274 274
275 memset(cda, 0, sizeof(struct nfattr *) * attr_count); 275 memset(cda, 0, sizeof(struct nfattr *) * attr_count);
276 276
277 err = nfnetlink_check_attributes(ss, nlh, cda); 277 err = nfnetlink_check_attributes(ss, nlh, cda);
278 if (err < 0) 278 if (err < 0)
279 goto err_inval; 279 goto err_inval;
@@ -357,7 +357,7 @@ static int __init nfnetlink_init(void)
357 printk("Netfilter messages via NETLINK v%s.\n", nfversion); 357 printk("Netfilter messages via NETLINK v%s.\n", nfversion);
358 358
359 nfnl = netlink_kernel_create(NETLINK_NETFILTER, NFNLGRP_MAX, 359 nfnl = netlink_kernel_create(NETLINK_NETFILTER, NFNLGRP_MAX,
360 nfnetlink_rcv, THIS_MODULE); 360 nfnetlink_rcv, THIS_MODULE);
361 if (!nfnl) { 361 if (!nfnl) {
362 printk(KERN_ERR "cannot initialize nfnetlink!\n"); 362 printk(KERN_ERR "cannot initialize nfnetlink!\n");
363 return -1; 363 return -1;
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index edbb8ff635cc..b8eab0dbc3dd 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -75,7 +75,7 @@ struct nfulnl_instance {
75 u_int32_t seq; /* instance-local sequential counter */ 75 u_int32_t seq; /* instance-local sequential counter */
76 u_int16_t group_num; /* number of this queue */ 76 u_int16_t group_num; /* number of this queue */
77 u_int16_t flags; 77 u_int16_t flags;
78 u_int8_t copy_mode; 78 u_int8_t copy_mode;
79}; 79};
80 80
81static DEFINE_RWLOCK(instances_lock); 81static DEFINE_RWLOCK(instances_lock);
@@ -146,7 +146,7 @@ instance_create(u_int16_t group_num, int pid)
146 UDEBUG("entering (group_num=%u, pid=%d)\n", group_num, 146 UDEBUG("entering (group_num=%u, pid=%d)\n", group_num,
147 pid); 147 pid);
148 148
149 write_lock_bh(&instances_lock); 149 write_lock_bh(&instances_lock);
150 if (__instance_lookup(group_num)) { 150 if (__instance_lookup(group_num)) {
151 inst = NULL; 151 inst = NULL;
152 UDEBUG("aborting, instance already exists\n"); 152 UDEBUG("aborting, instance already exists\n");
@@ -179,10 +179,10 @@ instance_create(u_int16_t group_num, int pid)
179 if (!try_module_get(THIS_MODULE)) 179 if (!try_module_get(THIS_MODULE))
180 goto out_free; 180 goto out_free;
181 181
182 hlist_add_head(&inst->hlist, 182 hlist_add_head(&inst->hlist,
183 &instance_table[instance_hashfn(group_num)]); 183 &instance_table[instance_hashfn(group_num)]);
184 184
185 UDEBUG("newly added node: %p, next=%p\n", &inst->hlist, 185 UDEBUG("newly added node: %p, next=%p\n", &inst->hlist,
186 inst->hlist.next); 186 inst->hlist.next);
187 187
188 write_unlock_bh(&instances_lock); 188 write_unlock_bh(&instances_lock);
@@ -251,14 +251,14 @@ nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode,
251 int status = 0; 251 int status = 0;
252 252
253 spin_lock_bh(&inst->lock); 253 spin_lock_bh(&inst->lock);
254 254
255 switch (mode) { 255 switch (mode) {
256 case NFULNL_COPY_NONE: 256 case NFULNL_COPY_NONE:
257 case NFULNL_COPY_META: 257 case NFULNL_COPY_META:
258 inst->copy_mode = mode; 258 inst->copy_mode = mode;
259 inst->copy_range = 0; 259 inst->copy_range = 0;
260 break; 260 break;
261 261
262 case NFULNL_COPY_PACKET: 262 case NFULNL_COPY_PACKET:
263 inst->copy_mode = mode; 263 inst->copy_mode = mode;
264 /* we're using struct nfattr which has 16bit nfa_len */ 264 /* we're using struct nfattr which has 16bit nfa_len */
@@ -267,7 +267,7 @@ nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode,
267 else 267 else
268 inst->copy_range = range; 268 inst->copy_range = range;
269 break; 269 break;
270 270
271 default: 271 default:
272 status = -EINVAL; 272 status = -EINVAL;
273 break; 273 break;
@@ -327,7 +327,7 @@ nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
327 return 0; 327 return 0;
328} 328}
329 329
330static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size, 330static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size,
331 unsigned int pkt_size) 331 unsigned int pkt_size)
332{ 332{
333 struct sk_buff *skb; 333 struct sk_buff *skb;
@@ -387,7 +387,7 @@ __nfulnl_send(struct nfulnl_instance *inst)
387 387
388static void nfulnl_timer(unsigned long data) 388static void nfulnl_timer(unsigned long data)
389{ 389{
390 struct nfulnl_instance *inst = (struct nfulnl_instance *)data; 390 struct nfulnl_instance *inst = (struct nfulnl_instance *)data;
391 391
392 UDEBUG("timer function called, flushing buffer\n"); 392 UDEBUG("timer function called, flushing buffer\n");
393 393
@@ -399,9 +399,9 @@ static void nfulnl_timer(unsigned long data)
399 399
400/* This is an inline function, we don't really care about a long 400/* This is an inline function, we don't really care about a long
401 * list of arguments */ 401 * list of arguments */
402static inline int 402static inline int
403__build_packet_message(struct nfulnl_instance *inst, 403__build_packet_message(struct nfulnl_instance *inst,
404 const struct sk_buff *skb, 404 const struct sk_buff *skb,
405 unsigned int data_len, 405 unsigned int data_len,
406 unsigned int pf, 406 unsigned int pf,
407 unsigned int hooknum, 407 unsigned int hooknum,
@@ -417,9 +417,9 @@ __build_packet_message(struct nfulnl_instance *inst,
417 __be32 tmp_uint; 417 __be32 tmp_uint;
418 418
419 UDEBUG("entered\n"); 419 UDEBUG("entered\n");
420 420
421 old_tail = inst->skb->tail; 421 old_tail = inst->skb->tail;
422 nlh = NLMSG_PUT(inst->skb, 0, 0, 422 nlh = NLMSG_PUT(inst->skb, 0, 0,
423 NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET, 423 NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
424 sizeof(struct nfgenmsg)); 424 sizeof(struct nfgenmsg));
425 nfmsg = NLMSG_DATA(nlh); 425 nfmsg = NLMSG_DATA(nlh);
@@ -457,7 +457,7 @@ __build_packet_message(struct nfulnl_instance *inst,
457 NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV, 457 NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV,
458 sizeof(tmp_uint), &tmp_uint); 458 sizeof(tmp_uint), &tmp_uint);
459 if (skb->nf_bridge && skb->nf_bridge->physindev) { 459 if (skb->nf_bridge && skb->nf_bridge->physindev) {
460 tmp_uint = 460 tmp_uint =
461 htonl(skb->nf_bridge->physindev->ifindex); 461 htonl(skb->nf_bridge->physindev->ifindex);
462 NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV, 462 NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV,
463 sizeof(tmp_uint), &tmp_uint); 463 sizeof(tmp_uint), &tmp_uint);
@@ -488,7 +488,7 @@ __build_packet_message(struct nfulnl_instance *inst,
488 NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV, 488 NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
489 sizeof(tmp_uint), &tmp_uint); 489 sizeof(tmp_uint), &tmp_uint);
490 if (skb->nf_bridge) { 490 if (skb->nf_bridge) {
491 tmp_uint = 491 tmp_uint =
492 htonl(skb->nf_bridge->physoutdev->ifindex); 492 htonl(skb->nf_bridge->physoutdev->ifindex);
493 NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV, 493 NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
494 sizeof(tmp_uint), &tmp_uint); 494 sizeof(tmp_uint), &tmp_uint);
@@ -558,7 +558,7 @@ __build_packet_message(struct nfulnl_instance *inst,
558 if (skb_copy_bits(skb, 0, NFA_DATA(nfa), data_len)) 558 if (skb_copy_bits(skb, 0, NFA_DATA(nfa), data_len))
559 BUG(); 559 BUG();
560 } 560 }
561 561
562 nlh->nlmsg_len = inst->skb->tail - old_tail; 562 nlh->nlmsg_len = inst->skb->tail - old_tail;
563 return 0; 563 return 0;
564 564
@@ -599,7 +599,7 @@ nfulnl_log_packet(unsigned int pf,
599 unsigned int nlbufsiz; 599 unsigned int nlbufsiz;
600 unsigned int plen; 600 unsigned int plen;
601 601
602 if (li_user && li_user->type == NF_LOG_TYPE_ULOG) 602 if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
603 li = li_user; 603 li = li_user;
604 else 604 else
605 li = &default_loginfo; 605 li = &default_loginfo;
@@ -648,24 +648,24 @@ nfulnl_log_packet(unsigned int pf,
648 /* per-rule qthreshold overrides per-instance */ 648 /* per-rule qthreshold overrides per-instance */
649 if (qthreshold > li->u.ulog.qthreshold) 649 if (qthreshold > li->u.ulog.qthreshold)
650 qthreshold = li->u.ulog.qthreshold; 650 qthreshold = li->u.ulog.qthreshold;
651 651
652 switch (inst->copy_mode) { 652 switch (inst->copy_mode) {
653 case NFULNL_COPY_META: 653 case NFULNL_COPY_META:
654 case NFULNL_COPY_NONE: 654 case NFULNL_COPY_NONE:
655 data_len = 0; 655 data_len = 0;
656 break; 656 break;
657 657
658 case NFULNL_COPY_PACKET: 658 case NFULNL_COPY_PACKET:
659 if (inst->copy_range == 0 659 if (inst->copy_range == 0
660 || inst->copy_range > skb->len) 660 || inst->copy_range > skb->len)
661 data_len = skb->len; 661 data_len = skb->len;
662 else 662 else
663 data_len = inst->copy_range; 663 data_len = inst->copy_range;
664 664
665 size += NFA_SPACE(data_len); 665 size += NFA_SPACE(data_len);
666 UDEBUG("copy_packet, therefore size now %u\n", size); 666 UDEBUG("copy_packet, therefore size now %u\n", size);
667 break; 667 break;
668 668
669 default: 669 default:
670 spin_unlock_bh(&inst->lock); 670 spin_unlock_bh(&inst->lock);
671 instance_put(inst); 671 instance_put(inst);
@@ -991,9 +991,9 @@ static int seq_show(struct seq_file *s, void *v)
991{ 991{
992 const struct nfulnl_instance *inst = v; 992 const struct nfulnl_instance *inst = v;
993 993
994 return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n", 994 return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n",
995 inst->group_num, 995 inst->group_num,
996 inst->peer_pid, inst->qlen, 996 inst->peer_pid, inst->qlen,
997 inst->copy_mode, inst->copy_range, 997 inst->copy_mode, inst->copy_range,
998 inst->flushtimeout, atomic_read(&inst->use)); 998 inst->flushtimeout, atomic_read(&inst->use));
999} 999}
@@ -1041,10 +1041,10 @@ static int __init nfnetlink_log_init(void)
1041#ifdef CONFIG_PROC_FS 1041#ifdef CONFIG_PROC_FS
1042 struct proc_dir_entry *proc_nful; 1042 struct proc_dir_entry *proc_nful;
1043#endif 1043#endif
1044 1044
1045 for (i = 0; i < INSTANCE_BUCKETS; i++) 1045 for (i = 0; i < INSTANCE_BUCKETS; i++)
1046 INIT_HLIST_HEAD(&instance_table[i]); 1046 INIT_HLIST_HEAD(&instance_table[i]);
1047 1047
1048 /* it's not really all that important to have a random value, so 1048 /* it's not really all that important to have a random value, so
1049 * we can do this from the init function, even if there hasn't 1049 * we can do this from the init function, even if there hasn't
1050 * been that much entropy yet */ 1050 * been that much entropy yet */
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 99e516eca41a..d9ce4a71d0f3 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -129,7 +129,7 @@ instance_create(u_int16_t queue_num, int pid)
129 129
130 QDEBUG("entering for queue_num=%u, pid=%d\n", queue_num, pid); 130 QDEBUG("entering for queue_num=%u, pid=%d\n", queue_num, pid);
131 131
132 write_lock_bh(&instances_lock); 132 write_lock_bh(&instances_lock);
133 if (__instance_lookup(queue_num)) { 133 if (__instance_lookup(queue_num)) {
134 inst = NULL; 134 inst = NULL;
135 QDEBUG("aborting, instance already exists\n"); 135 QDEBUG("aborting, instance already exists\n");
@@ -154,7 +154,7 @@ instance_create(u_int16_t queue_num, int pid)
154 if (!try_module_get(THIS_MODULE)) 154 if (!try_module_get(THIS_MODULE))
155 goto out_free; 155 goto out_free;
156 156
157 hlist_add_head(&inst->hlist, 157 hlist_add_head(&inst->hlist,
158 &instance_table[instance_hashfn(queue_num)]); 158 &instance_table[instance_hashfn(queue_num)]);
159 159
160 write_unlock_bh(&instances_lock); 160 write_unlock_bh(&instances_lock);
@@ -239,14 +239,14 @@ __enqueue_entry(struct nfqnl_instance *queue,
239 * entry if cmpfn is NULL. 239 * entry if cmpfn is NULL.
240 */ 240 */
241static inline struct nfqnl_queue_entry * 241static inline struct nfqnl_queue_entry *
242__find_entry(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, 242__find_entry(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn,
243 unsigned long data) 243 unsigned long data)
244{ 244{
245 struct list_head *p; 245 struct list_head *p;
246 246
247 list_for_each_prev(p, &queue->queue_list) { 247 list_for_each_prev(p, &queue->queue_list) {
248 struct nfqnl_queue_entry *entry = (struct nfqnl_queue_entry *)p; 248 struct nfqnl_queue_entry *entry = (struct nfqnl_queue_entry *)p;
249 249
250 if (!cmpfn || cmpfn(entry, data)) 250 if (!cmpfn || cmpfn(entry, data))
251 return entry; 251 return entry;
252 } 252 }
@@ -279,7 +279,7 @@ static inline void
279__nfqnl_flush(struct nfqnl_instance *queue, int verdict) 279__nfqnl_flush(struct nfqnl_instance *queue, int verdict)
280{ 280{
281 struct nfqnl_queue_entry *entry; 281 struct nfqnl_queue_entry *entry;
282 282
283 while ((entry = __find_dequeue_entry(queue, NULL, 0))) 283 while ((entry = __find_dequeue_entry(queue, NULL, 0)))
284 issue_verdict(entry, verdict); 284 issue_verdict(entry, verdict);
285} 285}
@@ -289,14 +289,14 @@ __nfqnl_set_mode(struct nfqnl_instance *queue,
289 unsigned char mode, unsigned int range) 289 unsigned char mode, unsigned int range)
290{ 290{
291 int status = 0; 291 int status = 0;
292 292
293 switch (mode) { 293 switch (mode) {
294 case NFQNL_COPY_NONE: 294 case NFQNL_COPY_NONE:
295 case NFQNL_COPY_META: 295 case NFQNL_COPY_META:
296 queue->copy_mode = mode; 296 queue->copy_mode = mode;
297 queue->copy_range = 0; 297 queue->copy_range = 0;
298 break; 298 break;
299 299
300 case NFQNL_COPY_PACKET: 300 case NFQNL_COPY_PACKET:
301 queue->copy_mode = mode; 301 queue->copy_mode = mode;
302 /* we're using struct nfattr which has 16bit nfa_len */ 302 /* we're using struct nfattr which has 16bit nfa_len */
@@ -305,7 +305,7 @@ __nfqnl_set_mode(struct nfqnl_instance *queue,
305 else 305 else
306 queue->copy_range = range; 306 queue->copy_range = range;
307 break; 307 break;
308 308
309 default: 309 default:
310 status = -EINVAL; 310 status = -EINVAL;
311 311
@@ -318,7 +318,7 @@ find_dequeue_entry(struct nfqnl_instance *queue,
318 nfqnl_cmpfn cmpfn, unsigned long data) 318 nfqnl_cmpfn cmpfn, unsigned long data)
319{ 319{
320 struct nfqnl_queue_entry *entry; 320 struct nfqnl_queue_entry *entry;
321 321
322 spin_lock_bh(&queue->lock); 322 spin_lock_bh(&queue->lock);
323 entry = __find_dequeue_entry(queue, cmpfn, data); 323 entry = __find_dequeue_entry(queue, cmpfn, data);
324 spin_unlock_bh(&queue->lock); 324 spin_unlock_bh(&queue->lock);
@@ -369,13 +369,13 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
369 outdev = entinf->outdev; 369 outdev = entinf->outdev;
370 370
371 spin_lock_bh(&queue->lock); 371 spin_lock_bh(&queue->lock);
372 372
373 switch (queue->copy_mode) { 373 switch (queue->copy_mode) {
374 case NFQNL_COPY_META: 374 case NFQNL_COPY_META:
375 case NFQNL_COPY_NONE: 375 case NFQNL_COPY_NONE:
376 data_len = 0; 376 data_len = 0;
377 break; 377 break;
378 378
379 case NFQNL_COPY_PACKET: 379 case NFQNL_COPY_PACKET:
380 if ((entskb->ip_summed == CHECKSUM_PARTIAL || 380 if ((entskb->ip_summed == CHECKSUM_PARTIAL ||
381 entskb->ip_summed == CHECKSUM_COMPLETE) && 381 entskb->ip_summed == CHECKSUM_COMPLETE) &&
@@ -383,15 +383,15 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
383 spin_unlock_bh(&queue->lock); 383 spin_unlock_bh(&queue->lock);
384 return NULL; 384 return NULL;
385 } 385 }
386 if (queue->copy_range == 0 386 if (queue->copy_range == 0
387 || queue->copy_range > entskb->len) 387 || queue->copy_range > entskb->len)
388 data_len = entskb->len; 388 data_len = entskb->len;
389 else 389 else
390 data_len = queue->copy_range; 390 data_len = queue->copy_range;
391 391
392 size += NFA_SPACE(data_len); 392 size += NFA_SPACE(data_len);
393 break; 393 break;
394 394
395 default: 395 default:
396 *errp = -EINVAL; 396 *errp = -EINVAL;
397 spin_unlock_bh(&queue->lock); 397 spin_unlock_bh(&queue->lock);
@@ -403,9 +403,9 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
403 skb = alloc_skb(size, GFP_ATOMIC); 403 skb = alloc_skb(size, GFP_ATOMIC);
404 if (!skb) 404 if (!skb)
405 goto nlmsg_failure; 405 goto nlmsg_failure;
406 406
407 old_tail= skb->tail; 407 old_tail= skb->tail;
408 nlh = NLMSG_PUT(skb, 0, 0, 408 nlh = NLMSG_PUT(skb, 0, 0,
409 NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET, 409 NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET,
410 sizeof(struct nfgenmsg)); 410 sizeof(struct nfgenmsg));
411 nfmsg = NLMSG_DATA(nlh); 411 nfmsg = NLMSG_DATA(nlh);
@@ -427,9 +427,9 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
427#else 427#else
428 if (entinf->pf == PF_BRIDGE) { 428 if (entinf->pf == PF_BRIDGE) {
429 /* Case 1: indev is physical input device, we need to 429 /* Case 1: indev is physical input device, we need to
430 * look for bridge group (when called from 430 * look for bridge group (when called from
431 * netfilter_bridge) */ 431 * netfilter_bridge) */
432 NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint), 432 NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint),
433 &tmp_uint); 433 &tmp_uint);
434 /* this is the bridge group "brX" */ 434 /* this is the bridge group "brX" */
435 tmp_uint = htonl(indev->br_port->br->dev->ifindex); 435 tmp_uint = htonl(indev->br_port->br->dev->ifindex);
@@ -457,7 +457,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
457#else 457#else
458 if (entinf->pf == PF_BRIDGE) { 458 if (entinf->pf == PF_BRIDGE) {
459 /* Case 1: outdev is physical output device, we need to 459 /* Case 1: outdev is physical output device, we need to
460 * look for bridge group (when called from 460 * look for bridge group (when called from
461 * netfilter_bridge) */ 461 * netfilter_bridge) */
462 NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint), 462 NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint),
463 &tmp_uint); 463 &tmp_uint);
@@ -490,7 +490,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
490 struct nfqnl_msg_packet_hw phw; 490 struct nfqnl_msg_packet_hw phw;
491 491
492 int len = entskb->dev->hard_header_parse(entskb, 492 int len = entskb->dev->hard_header_parse(entskb,
493 phw.hw_addr); 493 phw.hw_addr);
494 phw.hw_addrlen = htons(len); 494 phw.hw_addrlen = htons(len);
495 NFA_PUT(skb, NFQA_HWADDR, sizeof(phw), &phw); 495 NFA_PUT(skb, NFQA_HWADDR, sizeof(phw), &phw);
496 } 496 }
@@ -520,7 +520,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
520 if (skb_copy_bits(entskb, 0, NFA_DATA(nfa), data_len)) 520 if (skb_copy_bits(entskb, 0, NFA_DATA(nfa), data_len))
521 BUG(); 521 BUG();
522 } 522 }
523 523
524 nlh->nlmsg_len = skb->tail - old_tail; 524 nlh->nlmsg_len = skb->tail - old_tail;
525 return skb; 525 return skb;
526 526
@@ -535,7 +535,7 @@ nfattr_failure:
535} 535}
536 536
537static int 537static int
538nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info, 538nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
539 unsigned int queuenum, void *data) 539 unsigned int queuenum, void *data)
540{ 540{
541 int status = -EINVAL; 541 int status = -EINVAL;
@@ -560,7 +560,7 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
560 entry = kmalloc(sizeof(*entry), GFP_ATOMIC); 560 entry = kmalloc(sizeof(*entry), GFP_ATOMIC);
561 if (entry == NULL) { 561 if (entry == NULL) {
562 if (net_ratelimit()) 562 if (net_ratelimit())
563 printk(KERN_ERR 563 printk(KERN_ERR
564 "nf_queue: OOM in nfqnl_enqueue_packet()\n"); 564 "nf_queue: OOM in nfqnl_enqueue_packet()\n");
565 status = -ENOMEM; 565 status = -ENOMEM;
566 goto err_out_put; 566 goto err_out_put;
@@ -573,18 +573,18 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
573 nskb = nfqnl_build_packet_message(queue, entry, &status); 573 nskb = nfqnl_build_packet_message(queue, entry, &status);
574 if (nskb == NULL) 574 if (nskb == NULL)
575 goto err_out_free; 575 goto err_out_free;
576 576
577 spin_lock_bh(&queue->lock); 577 spin_lock_bh(&queue->lock);
578 578
579 if (!queue->peer_pid) 579 if (!queue->peer_pid)
580 goto err_out_free_nskb; 580 goto err_out_free_nskb;
581 581
582 if (queue->queue_total >= queue->queue_maxlen) { 582 if (queue->queue_total >= queue->queue_maxlen) {
583 queue->queue_dropped++; 583 queue->queue_dropped++;
584 status = -ENOSPC; 584 status = -ENOSPC;
585 if (net_ratelimit()) 585 if (net_ratelimit())
586 printk(KERN_WARNING "nf_queue: full at %d entries, " 586 printk(KERN_WARNING "nf_queue: full at %d entries, "
587 "dropping packets(s). Dropped: %d\n", 587 "dropping packets(s). Dropped: %d\n",
588 queue->queue_total, queue->queue_dropped); 588 queue->queue_total, queue->queue_dropped);
589 goto err_out_free_nskb; 589 goto err_out_free_nskb;
590 } 590 }
@@ -592,7 +592,7 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
592 /* nfnetlink_unicast will either free the nskb or add it to a socket */ 592 /* nfnetlink_unicast will either free the nskb or add it to a socket */
593 status = nfnetlink_unicast(nskb, queue->peer_pid, MSG_DONTWAIT); 593 status = nfnetlink_unicast(nskb, queue->peer_pid, MSG_DONTWAIT);
594 if (status < 0) { 594 if (status < 0) {
595 queue->queue_user_dropped++; 595 queue->queue_user_dropped++;
596 goto err_out_unlock; 596 goto err_out_unlock;
597 } 597 }
598 598
@@ -603,8 +603,8 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
603 return status; 603 return status;
604 604
605err_out_free_nskb: 605err_out_free_nskb:
606 kfree_skb(nskb); 606 kfree_skb(nskb);
607 607
608err_out_unlock: 608err_out_unlock:
609 spin_unlock_bh(&queue->lock); 609 spin_unlock_bh(&queue->lock);
610 610
@@ -629,11 +629,11 @@ nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e)
629 return -EINVAL; 629 return -EINVAL;
630 if (diff > skb_tailroom(e->skb)) { 630 if (diff > skb_tailroom(e->skb)) {
631 struct sk_buff *newskb; 631 struct sk_buff *newskb;
632 632
633 newskb = skb_copy_expand(e->skb, 633 newskb = skb_copy_expand(e->skb,
634 skb_headroom(e->skb), 634 skb_headroom(e->skb),
635 diff, 635 diff,
636 GFP_ATOMIC); 636 GFP_ATOMIC);
637 if (newskb == NULL) { 637 if (newskb == NULL) {
638 printk(KERN_WARNING "nf_queue: OOM " 638 printk(KERN_WARNING "nf_queue: OOM "
639 "in mangle, dropping packet\n"); 639 "in mangle, dropping packet\n");
@@ -676,7 +676,7 @@ static int
676dev_cmp(struct nfqnl_queue_entry *entry, unsigned long ifindex) 676dev_cmp(struct nfqnl_queue_entry *entry, unsigned long ifindex)
677{ 677{
678 struct nf_info *entinf = entry->info; 678 struct nf_info *entinf = entry->info;
679 679
680 if (entinf->indev) 680 if (entinf->indev)
681 if (entinf->indev->ifindex == ifindex) 681 if (entinf->indev->ifindex == ifindex)
682 return 1; 682 return 1;
@@ -702,7 +702,7 @@ static void
702nfqnl_dev_drop(int ifindex) 702nfqnl_dev_drop(int ifindex)
703{ 703{
704 int i; 704 int i;
705 705
706 QDEBUG("entering for ifindex %u\n", ifindex); 706 QDEBUG("entering for ifindex %u\n", ifindex);
707 707
708 /* this only looks like we have to hold the readlock for a way too long 708 /* this only looks like we have to hold the readlock for a way too long
@@ -717,7 +717,7 @@ nfqnl_dev_drop(int ifindex)
717 717
718 hlist_for_each_entry(inst, tmp, head, hlist) { 718 hlist_for_each_entry(inst, tmp, head, hlist) {
719 struct nfqnl_queue_entry *entry; 719 struct nfqnl_queue_entry *entry;
720 while ((entry = find_dequeue_entry(inst, dev_cmp, 720 while ((entry = find_dequeue_entry(inst, dev_cmp,
721 ifindex)) != NULL) 721 ifindex)) != NULL)
722 issue_verdict(entry, NF_DROP); 722 issue_verdict(entry, NF_DROP);
723 } 723 }
@@ -835,8 +835,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
835 835
836 if (nfqa[NFQA_MARK-1]) 836 if (nfqa[NFQA_MARK-1])
837 entry->skb->mark = ntohl(*(__be32 *) 837 entry->skb->mark = ntohl(*(__be32 *)
838 NFA_DATA(nfqa[NFQA_MARK-1])); 838 NFA_DATA(nfqa[NFQA_MARK-1]));
839 839
840 issue_verdict(entry, verdict); 840 issue_verdict(entry, verdict);
841 instance_put(queue); 841 instance_put(queue);
842 return 0; 842 return 0;
@@ -1093,7 +1093,7 @@ static int __init nfnetlink_queue_init(void)
1093#ifdef CONFIG_PROC_FS 1093#ifdef CONFIG_PROC_FS
1094 struct proc_dir_entry *proc_nfqueue; 1094 struct proc_dir_entry *proc_nfqueue;
1095#endif 1095#endif
1096 1096
1097 for (i = 0; i < INSTANCE_BUCKETS; i++) 1097 for (i = 0; i < INSTANCE_BUCKETS; i++)
1098 INIT_HLIST_HEAD(&instance_table[i]); 1098 INIT_HLIST_HEAD(&instance_table[i]);
1099 1099
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 134cc88f8c83..ec607a421a5a 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -305,7 +305,7 @@ int xt_find_revision(int af, const char *name, u8 revision, int target,
305EXPORT_SYMBOL_GPL(xt_find_revision); 305EXPORT_SYMBOL_GPL(xt_find_revision);
306 306
307int xt_check_match(const struct xt_match *match, unsigned short family, 307int xt_check_match(const struct xt_match *match, unsigned short family,
308 unsigned int size, const char *table, unsigned int hook_mask, 308 unsigned int size, const char *table, unsigned int hook_mask,
309 unsigned short proto, int inv_proto) 309 unsigned short proto, int inv_proto)
310{ 310{
311 if (XT_ALIGN(match->matchsize) != size) { 311 if (XT_ALIGN(match->matchsize) != size) {
@@ -377,7 +377,7 @@ int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
377 377
378 if (copy_to_user(cm, m, sizeof(*cm)) || 378 if (copy_to_user(cm, m, sizeof(*cm)) ||
379 put_user(msize, &cm->u.user.match_size)) 379 put_user(msize, &cm->u.user.match_size))
380 return -EFAULT; 380 return -EFAULT;
381 381
382 if (match->compat_to_user) { 382 if (match->compat_to_user) {
383 if (match->compat_to_user((void __user *)cm->data, m->data)) 383 if (match->compat_to_user((void __user *)cm->data, m->data))
@@ -432,7 +432,7 @@ int xt_compat_target_offset(struct xt_target *target)
432EXPORT_SYMBOL_GPL(xt_compat_target_offset); 432EXPORT_SYMBOL_GPL(xt_compat_target_offset);
433 433
434void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, 434void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
435 int *size) 435 int *size)
436{ 436{
437 struct xt_target *target = t->u.kernel.target; 437 struct xt_target *target = t->u.kernel.target;
438 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; 438 struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
@@ -467,7 +467,7 @@ int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
467 467
468 if (copy_to_user(ct, t, sizeof(*ct)) || 468 if (copy_to_user(ct, t, sizeof(*ct)) ||
469 put_user(tsize, &ct->u.user.target_size)) 469 put_user(tsize, &ct->u.user.target_size))
470 return -EFAULT; 470 return -EFAULT;
471 471
472 if (target->compat_to_user) { 472 if (target->compat_to_user) {
473 if (target->compat_to_user((void __user *)ct->data, t->data)) 473 if (target->compat_to_user((void __user *)ct->data, t->data))
@@ -710,7 +710,7 @@ static void *xt_tgt_seq_start(struct seq_file *seq, loff_t *pos)
710 710
711 if (mutex_lock_interruptible(&xt[af].mutex) != 0) 711 if (mutex_lock_interruptible(&xt[af].mutex) != 0)
712 return NULL; 712 return NULL;
713 713
714 return xt_get_idx(list, seq, *pos); 714 return xt_get_idx(list, seq, *pos);
715} 715}
716 716
@@ -723,7 +723,7 @@ static void *xt_tgt_seq_next(struct seq_file *seq, void *v, loff_t *pos)
723 723
724 if (af >= NPROTO) 724 if (af >= NPROTO)
725 return NULL; 725 return NULL;
726 726
727 list = type2list(af, type); 727 list = type2list(af, type);
728 if (!list) 728 if (!list)
729 return NULL; 729 return NULL;
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 4007bbefc8ab..30884833e665 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -48,7 +48,7 @@ static struct xt_target xt_classify_target[] = {
48 .table = "mangle", 48 .table = "mangle",
49 .hooks = (1 << NF_IP_LOCAL_OUT) | 49 .hooks = (1 << NF_IP_LOCAL_OUT) |
50 (1 << NF_IP_FORWARD) | 50 (1 << NF_IP_FORWARD) |
51 (1 << NF_IP_POST_ROUTING), 51 (1 << NF_IP_POST_ROUTING),
52 .me = THIS_MODULE, 52 .me = THIS_MODULE,
53 }, 53 },
54 { 54 {
@@ -59,7 +59,7 @@ static struct xt_target xt_classify_target[] = {
59 .table = "mangle", 59 .table = "mangle",
60 .hooks = (1 << NF_IP6_LOCAL_OUT) | 60 .hooks = (1 << NF_IP6_LOCAL_OUT) |
61 (1 << NF_IP6_FORWARD) | 61 (1 << NF_IP6_FORWARD) |
62 (1 << NF_IP6_POST_ROUTING), 62 (1 << NF_IP6_POST_ROUTING),
63 .me = THIS_MODULE, 63 .me = THIS_MODULE,
64 }, 64 },
65}; 65};
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index cfc45af357d5..43817808d865 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -50,11 +50,11 @@ target_v1(struct sk_buff **pskb,
50 case XT_MARK_SET: 50 case XT_MARK_SET:
51 mark = markinfo->mark; 51 mark = markinfo->mark;
52 break; 52 break;
53 53
54 case XT_MARK_AND: 54 case XT_MARK_AND:
55 mark = (*pskb)->mark & markinfo->mark; 55 mark = (*pskb)->mark & markinfo->mark;
56 break; 56 break;
57 57
58 case XT_MARK_OR: 58 case XT_MARK_OR:
59 mark = (*pskb)->mark | markinfo->mark; 59 mark = (*pskb)->mark | markinfo->mark;
60 break; 60 break;
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 39e117502bd7..201155b316e0 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -3,9 +3,9 @@
3 * (C) 2005 by Harald Welte <laforge@netfilter.org> 3 * (C) 2005 by Harald Welte <laforge@netfilter.org>
4 * 4 *
5 * This program is free software; you can redistribute it and/or modify 5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as 6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation. 7 * published by the Free Software Foundation.
8 * 8 *
9 */ 9 */
10 10
11#include <linux/module.h> 11#include <linux/module.h>
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index 6d00dcaed238..b874a2008b2b 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -22,8 +22,8 @@ target(struct sk_buff **pskb,
22 if ((*pskb)->nfct != NULL) 22 if ((*pskb)->nfct != NULL)
23 return XT_CONTINUE; 23 return XT_CONTINUE;
24 24
25 /* Attach fake conntrack entry. 25 /* Attach fake conntrack entry.
26 If there is a real ct entry correspondig to this packet, 26 If there is a real ct entry correspondig to this packet,
27 it'll hang aroun till timing out. We don't deal with it 27 it'll hang aroun till timing out. We don't deal with it
28 for performance reasons. JK */ 28 for performance reasons. JK */
29 nf_ct_untrack(*pskb); 29 nf_ct_untrack(*pskb);
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index f1131c3a9db5..705f0e830a79 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -55,7 +55,7 @@ static int checkentry_selinux(struct xt_secmark_target_info *info)
55{ 55{
56 int err; 56 int err;
57 struct xt_secmark_target_selinux_info *sel = &info->u.sel; 57 struct xt_secmark_target_selinux_info *sel = &info->u.sel;
58 58
59 sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0'; 59 sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
60 60
61 err = selinux_string_to_sid(sel->selctx, &sel->selsid); 61 err = selinux_string_to_sid(sel->selctx, &sel->selsid);
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 3dc2357b8de8..2885c378288e 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -51,10 +51,10 @@ match(const struct sk_buff *skb,
51 if (ct == &ip_conntrack_untracked) 51 if (ct == &ip_conntrack_untracked)
52 statebit = XT_CONNTRACK_STATE_UNTRACKED; 52 statebit = XT_CONNTRACK_STATE_UNTRACKED;
53 else if (ct) 53 else if (ct)
54 statebit = XT_CONNTRACK_STATE_BIT(ctinfo); 54 statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
55 else 55 else
56 statebit = XT_CONNTRACK_STATE_INVALID; 56 statebit = XT_CONNTRACK_STATE_INVALID;
57 57
58 if (sinfo->flags & XT_CONNTRACK_STATE) { 58 if (sinfo->flags & XT_CONNTRACK_STATE) {
59 if (ct) { 59 if (ct) {
60 if (test_bit(IPS_SRC_NAT_BIT, &ct->status)) 60 if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
@@ -77,7 +77,7 @@ match(const struct sk_buff *skb,
77 FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != 77 FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum !=
78 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, 78 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
79 XT_CONNTRACK_PROTO)) 79 XT_CONNTRACK_PROTO))
80 return 0; 80 return 0;
81 81
82 if (sinfo->flags & XT_CONNTRACK_ORIGSRC && 82 if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
83 FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip & 83 FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip &
@@ -147,10 +147,10 @@ match(const struct sk_buff *skb,
147 if (ct == &nf_conntrack_untracked) 147 if (ct == &nf_conntrack_untracked)
148 statebit = XT_CONNTRACK_STATE_UNTRACKED; 148 statebit = XT_CONNTRACK_STATE_UNTRACKED;
149 else if (ct) 149 else if (ct)
150 statebit = XT_CONNTRACK_STATE_BIT(ctinfo); 150 statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
151 else 151 else
152 statebit = XT_CONNTRACK_STATE_INVALID; 152 statebit = XT_CONNTRACK_STATE_INVALID;
153 153
154 if (sinfo->flags & XT_CONNTRACK_STATE) { 154 if (sinfo->flags & XT_CONNTRACK_STATE) {
155 if (ct) { 155 if (ct) {
156 if (test_bit(IPS_SRC_NAT_BIT, &ct->status)) 156 if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
@@ -171,41 +171,41 @@ match(const struct sk_buff *skb,
171 171
172 if (sinfo->flags & XT_CONNTRACK_PROTO && 172 if (sinfo->flags & XT_CONNTRACK_PROTO &&
173 FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != 173 FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum !=
174 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, 174 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
175 XT_CONNTRACK_PROTO)) 175 XT_CONNTRACK_PROTO))
176 return 0; 176 return 0;
177 177
178 if (sinfo->flags & XT_CONNTRACK_ORIGSRC && 178 if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
179 FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip & 179 FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip &
180 sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) != 180 sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
181 sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, 181 sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
182 XT_CONNTRACK_ORIGSRC)) 182 XT_CONNTRACK_ORIGSRC))
183 return 0; 183 return 0;
184 184
185 if (sinfo->flags & XT_CONNTRACK_ORIGDST && 185 if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
186 FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip & 186 FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip &
187 sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) != 187 sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
188 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, 188 sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
189 XT_CONNTRACK_ORIGDST)) 189 XT_CONNTRACK_ORIGDST))
190 return 0; 190 return 0;
191 191
192 if (sinfo->flags & XT_CONNTRACK_REPLSRC && 192 if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
193 FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip & 193 FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip &
194 sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) != 194 sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
195 sinfo->tuple[IP_CT_DIR_REPLY].src.ip, 195 sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
196 XT_CONNTRACK_REPLSRC)) 196 XT_CONNTRACK_REPLSRC))
197 return 0; 197 return 0;
198 198
199 if (sinfo->flags & XT_CONNTRACK_REPLDST && 199 if (sinfo->flags & XT_CONNTRACK_REPLDST &&
200 FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip & 200 FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip &
201 sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) != 201 sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
202 sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, 202 sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
203 XT_CONNTRACK_REPLDST)) 203 XT_CONNTRACK_REPLDST))
204 return 0; 204 return 0;
205 205
206 if (sinfo->flags & XT_CONNTRACK_STATUS && 206 if (sinfo->flags & XT_CONNTRACK_STATUS &&
207 FWINV((ct->status & sinfo->statusmask) == 0, 207 FWINV((ct->status & sinfo->statusmask) == 0,
208 XT_CONNTRACK_STATUS)) 208 XT_CONNTRACK_STATUS))
209 return 0; 209 return 0;
210 210
211 if(sinfo->flags & XT_CONNTRACK_EXPIRES) { 211 if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 3e6cf430e518..2c9c0dee8aaf 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("Match for DCCP protocol packets");
26MODULE_ALIAS("ipt_dccp"); 26MODULE_ALIAS("ipt_dccp");
27 27
28#define DCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \ 28#define DCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
29 || (!!((invflag) & (option)) ^ (cond))) 29 || (!!((invflag) & (option)) ^ (cond)))
30 30
31static unsigned char *dccp_optbuf; 31static unsigned char *dccp_optbuf;
32static DEFINE_SPINLOCK(dccp_buflock); 32static DEFINE_SPINLOCK(dccp_buflock);
@@ -67,9 +67,9 @@ dccp_find_option(u_int8_t option,
67 return 1; 67 return 1;
68 } 68 }
69 69
70 if (op[i] < 2) 70 if (op[i] < 2)
71 i++; 71 i++;
72 else 72 else
73 i += op[i+1]?:1; 73 i += op[i+1]?:1;
74 } 74 }
75 75
@@ -106,18 +106,18 @@ match(const struct sk_buff *skb,
106 106
107 if (offset) 107 if (offset)
108 return 0; 108 return 0;
109 109
110 dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh); 110 dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh);
111 if (dh == NULL) { 111 if (dh == NULL) {
112 *hotdrop = 1; 112 *hotdrop = 1;
113 return 0; 113 return 0;
114 } 114 }
115 115
116 return DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0]) 116 return DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0])
117 && (ntohs(dh->dccph_sport) <= info->spts[1])), 117 && (ntohs(dh->dccph_sport) <= info->spts[1])),
118 XT_DCCP_SRC_PORTS, info->flags, info->invflags) 118 XT_DCCP_SRC_PORTS, info->flags, info->invflags)
119 && DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0]) 119 && DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0])
120 && (ntohs(dh->dccph_dport) <= info->dpts[1])), 120 && (ntohs(dh->dccph_dport) <= info->dpts[1])),
121 XT_DCCP_DEST_PORTS, info->flags, info->invflags) 121 XT_DCCP_DEST_PORTS, info->flags, info->invflags)
122 && DCCHECK(match_types(dh, info->typemask), 122 && DCCHECK(match_types(dh, info->typemask),
123 XT_DCCP_TYPE, info->flags, info->invflags) 123 XT_DCCP_TYPE, info->flags, info->invflags)
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 269a1e793478..9f37d593ca38 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -208,7 +208,7 @@ static int htable_create(struct xt_hashlimit_info *minfo, int family)
208 spin_lock_init(&hinfo->lock); 208 spin_lock_init(&hinfo->lock);
209 hinfo->pde = create_proc_entry(minfo->name, 0, 209 hinfo->pde = create_proc_entry(minfo->name, 0,
210 family == AF_INET ? hashlimit_procdir4 : 210 family == AF_INET ? hashlimit_procdir4 :
211 hashlimit_procdir6); 211 hashlimit_procdir6);
212 if (!hinfo->pde) { 212 if (!hinfo->pde) {
213 vfree(hinfo); 213 vfree(hinfo);
214 return -1; 214 return -1;
@@ -240,7 +240,7 @@ static int select_gc(struct xt_hashlimit_htable *ht, struct dsthash_ent *he)
240} 240}
241 241
242static void htable_selective_cleanup(struct xt_hashlimit_htable *ht, 242static void htable_selective_cleanup(struct xt_hashlimit_htable *ht,
243 int (*select)(struct xt_hashlimit_htable *ht, 243 int (*select)(struct xt_hashlimit_htable *ht,
244 struct dsthash_ent *he)) 244 struct dsthash_ent *he))
245{ 245{
246 unsigned int i; 246 unsigned int i;
@@ -279,7 +279,7 @@ static void htable_destroy(struct xt_hashlimit_htable *hinfo)
279 /* remove proc entry */ 279 /* remove proc entry */
280 remove_proc_entry(hinfo->pde->name, 280 remove_proc_entry(hinfo->pde->name,
281 hinfo->family == AF_INET ? hashlimit_procdir4 : 281 hinfo->family == AF_INET ? hashlimit_procdir4 :
282 hashlimit_procdir6); 282 hashlimit_procdir6);
283 htable_selective_cleanup(hinfo, select_all); 283 htable_selective_cleanup(hinfo, select_all);
284 vfree(hinfo); 284 vfree(hinfo);
285} 285}
@@ -483,7 +483,7 @@ hashlimit_match(const struct sk_buff *skb,
483 return 1; 483 return 1;
484 } 484 }
485 485
486 spin_unlock_bh(&hinfo->lock); 486 spin_unlock_bh(&hinfo->lock);
487 487
488 /* default case: we're overlimit, thus don't match */ 488 /* default case: we're overlimit, thus don't match */
489 return 0; 489 return 0;
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 04bc32ba7195..407d1d5da8a1 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -53,7 +53,7 @@ match(const struct sk_buff *skb,
53 struct ip_conntrack *ct; 53 struct ip_conntrack *ct;
54 enum ip_conntrack_info ctinfo; 54 enum ip_conntrack_info ctinfo;
55 int ret = info->invert; 55 int ret = info->invert;
56 56
57 ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo); 57 ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
58 if (!ct) { 58 if (!ct) {
59 DEBUGP("xt_helper: Eek! invalid conntrack?\n"); 59 DEBUGP("xt_helper: Eek! invalid conntrack?\n");
@@ -67,19 +67,19 @@ match(const struct sk_buff *skb,
67 67
68 read_lock_bh(&ip_conntrack_lock); 68 read_lock_bh(&ip_conntrack_lock);
69 if (!ct->master->helper) { 69 if (!ct->master->helper) {
70 DEBUGP("xt_helper: master ct %p has no helper\n", 70 DEBUGP("xt_helper: master ct %p has no helper\n",
71 exp->expectant); 71 exp->expectant);
72 goto out_unlock; 72 goto out_unlock;
73 } 73 }
74 74
75 DEBUGP("master's name = %s , info->name = %s\n", 75 DEBUGP("master's name = %s , info->name = %s\n",
76 ct->master->helper->name, info->name); 76 ct->master->helper->name, info->name);
77 77
78 if (info->name[0] == '\0') 78 if (info->name[0] == '\0')
79 ret ^= 1; 79 ret ^= 1;
80 else 80 else
81 ret ^= !strncmp(ct->master->helper->name, info->name, 81 ret ^= !strncmp(ct->master->helper->name, info->name,
82 strlen(ct->master->helper->name)); 82 strlen(ct->master->helper->name));
83out_unlock: 83out_unlock:
84 read_unlock_bh(&ip_conntrack_lock); 84 read_unlock_bh(&ip_conntrack_lock);
85 return ret; 85 return ret;
@@ -102,7 +102,7 @@ match(const struct sk_buff *skb,
102 struct nf_conn_help *master_help; 102 struct nf_conn_help *master_help;
103 enum ip_conntrack_info ctinfo; 103 enum ip_conntrack_info ctinfo;
104 int ret = info->invert; 104 int ret = info->invert;
105 105
106 ct = nf_ct_get((struct sk_buff *)skb, &ctinfo); 106 ct = nf_ct_get((struct sk_buff *)skb, &ctinfo);
107 if (!ct) { 107 if (!ct) {
108 DEBUGP("xt_helper: Eek! invalid conntrack?\n"); 108 DEBUGP("xt_helper: Eek! invalid conntrack?\n");
@@ -117,19 +117,19 @@ match(const struct sk_buff *skb,
117 read_lock_bh(&nf_conntrack_lock); 117 read_lock_bh(&nf_conntrack_lock);
118 master_help = nfct_help(ct->master); 118 master_help = nfct_help(ct->master);
119 if (!master_help || !master_help->helper) { 119 if (!master_help || !master_help->helper) {
120 DEBUGP("xt_helper: master ct %p has no helper\n", 120 DEBUGP("xt_helper: master ct %p has no helper\n",
121 exp->expectant); 121 exp->expectant);
122 goto out_unlock; 122 goto out_unlock;
123 } 123 }
124 124
125 DEBUGP("master's name = %s , info->name = %s\n", 125 DEBUGP("master's name = %s , info->name = %s\n",
126 ct->master->helper->name, info->name); 126 ct->master->helper->name, info->name);
127 127
128 if (info->name[0] == '\0') 128 if (info->name[0] == '\0')
129 ret ^= 1; 129 ret ^= 1;
130 else 130 else
131 ret ^= !strncmp(master_help->helper->name, info->name, 131 ret ^= !strncmp(master_help->helper->name, info->name,
132 strlen(master_help->helper->name)); 132 strlen(master_help->helper->name));
133out_unlock: 133out_unlock:
134 read_unlock_bh(&nf_conntrack_lock); 134 read_unlock_bh(&nf_conntrack_lock);
135 return ret; 135 return ret;
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 67fd30d9f303..32fb998d9bac 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -32,7 +32,7 @@ match(const struct sk_buff *skb,
32{ 32{
33 const struct xt_length_info *info = matchinfo; 33 const struct xt_length_info *info = matchinfo;
34 u_int16_t pktlen = ntohs(skb->nh.iph->tot_len); 34 u_int16_t pktlen = ntohs(skb->nh.iph->tot_len);
35 35
36 return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; 36 return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
37} 37}
38 38
@@ -48,7 +48,7 @@ match6(const struct sk_buff *skb,
48{ 48{
49 const struct xt_length_info *info = matchinfo; 49 const struct xt_length_info *info = matchinfo;
50 u_int16_t pktlen = ntohs(skb->nh.ipv6h->payload_len) + sizeof(struct ipv6hdr); 50 u_int16_t pktlen = ntohs(skb->nh.ipv6h->payload_len) + sizeof(struct ipv6hdr);
51 51
52 return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; 52 return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
53} 53}
54 54
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index fda7b7dec27d..6fd8347c0058 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -89,7 +89,7 @@ ipt_limit_match(const struct sk_buff *skb,
89 return 1; 89 return 1;
90 } 90 }
91 91
92 spin_unlock_bh(&limit_lock); 92 spin_unlock_bh(&limit_lock);
93 return 0; 93 return 0;
94} 94}
95 95
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index dfa1ee6914c0..39911dddb011 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -36,10 +36,10 @@ match(const struct sk_buff *skb,
36 36
37static int 37static int
38checkentry(const char *tablename, 38checkentry(const char *tablename,
39 const void *entry, 39 const void *entry,
40 const struct xt_match *match, 40 const struct xt_match *match,
41 void *matchinfo, 41 void *matchinfo,
42 unsigned int hook_mask) 42 unsigned int hook_mask)
43{ 43{
44 const struct xt_mark_info *minfo = matchinfo; 44 const struct xt_mark_info *minfo = matchinfo;
45 45
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 1602086c7fd6..4dce2a81702a 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -91,7 +91,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
91 } 91 }
92 } 92 }
93 93
94 return minfo->invert; 94 return minfo->invert;
95} 95}
96 96
97static int 97static int
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index b9b3ffc5451d..35a0fe200c39 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -117,7 +117,7 @@ checkentry(const char *tablename,
117 (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) || 117 (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
118 info->invert & XT_PHYSDEV_OP_BRIDGED) && 118 info->invert & XT_PHYSDEV_OP_BRIDGED) &&
119 hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) | 119 hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
120 (1 << NF_IP_POST_ROUTING))) { 120 (1 << NF_IP_POST_ROUTING))) {
121 printk(KERN_WARNING "physdev match: using --physdev-out in the " 121 printk(KERN_WARNING "physdev match: using --physdev-out in the "
122 "OUTPUT, FORWARD and POSTROUTING chains for non-bridged " 122 "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
123 "traffic is not supported anymore.\n"); 123 "traffic is not supported anymore.\n");
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 46bde2b1e1e0..15b45a95ec13 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -109,13 +109,13 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
109} 109}
110 110
111static int match(const struct sk_buff *skb, 111static int match(const struct sk_buff *skb,
112 const struct net_device *in, 112 const struct net_device *in,
113 const struct net_device *out, 113 const struct net_device *out,
114 const struct xt_match *match, 114 const struct xt_match *match,
115 const void *matchinfo, 115 const void *matchinfo,
116 int offset, 116 int offset,
117 unsigned int protoff, 117 unsigned int protoff,
118 int *hotdrop) 118 int *hotdrop)
119{ 119{
120 const struct xt_policy_info *info = matchinfo; 120 const struct xt_policy_info *info = matchinfo;
121 int ret; 121 int ret;
@@ -134,27 +134,27 @@ static int match(const struct sk_buff *skb,
134} 134}
135 135
136static int checkentry(const char *tablename, const void *ip_void, 136static int checkentry(const char *tablename, const void *ip_void,
137 const struct xt_match *match, 137 const struct xt_match *match,
138 void *matchinfo, unsigned int hook_mask) 138 void *matchinfo, unsigned int hook_mask)
139{ 139{
140 struct xt_policy_info *info = matchinfo; 140 struct xt_policy_info *info = matchinfo;
141 141
142 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) { 142 if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
143 printk(KERN_ERR "xt_policy: neither incoming nor " 143 printk(KERN_ERR "xt_policy: neither incoming nor "
144 "outgoing policy selected\n"); 144 "outgoing policy selected\n");
145 return 0; 145 return 0;
146 } 146 }
147 /* hook values are equal for IPv4 and IPv6 */ 147 /* hook values are equal for IPv4 and IPv6 */
148 if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN) 148 if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN)
149 && info->flags & XT_POLICY_MATCH_OUT) { 149 && info->flags & XT_POLICY_MATCH_OUT) {
150 printk(KERN_ERR "xt_policy: output policy not valid in " 150 printk(KERN_ERR "xt_policy: output policy not valid in "
151 "PRE_ROUTING and INPUT\n"); 151 "PRE_ROUTING and INPUT\n");
152 return 0; 152 return 0;
153 } 153 }
154 if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT) 154 if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT)
155 && info->flags & XT_POLICY_MATCH_IN) { 155 && info->flags & XT_POLICY_MATCH_IN) {
156 printk(KERN_ERR "xt_policy: input policy not valid in " 156 printk(KERN_ERR "xt_policy: input policy not valid in "
157 "POST_ROUTING and OUTPUT\n"); 157 "POST_ROUTING and OUTPUT\n");
158 return 0; 158 return 0;
159 } 159 }
160 if (info->len > XT_POLICY_MAX_ELEM) { 160 if (info->len > XT_POLICY_MAX_ELEM) {
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index b75fa2c70e66..bfdde06ca0b7 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -30,8 +30,8 @@ match(const struct sk_buff *skb,
30 q->quota -= skb->len; 30 q->quota -= skb->len;
31 ret ^= 1; 31 ret ^= 1;
32 } else { 32 } else {
33 /* we do not allow even small packets from now on */ 33 /* we do not allow even small packets from now on */
34 q->quota = 0; 34 q->quota = 0;
35 } 35 }
36 spin_unlock_bh(&quota_lock); 36 spin_unlock_bh(&quota_lock);
37 37
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index a80b7d132b65..97ffc2fbc19d 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -35,7 +35,7 @@ match(const struct sk_buff *skb,
35{ 35{
36 const struct xt_realm_info *info = matchinfo; 36 const struct xt_realm_info *info = matchinfo;
37 struct dst_entry *dst = skb->dst; 37 struct dst_entry *dst = skb->dst;
38 38
39 return (info->id == (dst->tclassid & info->mask)) ^ info->invert; 39 return (info->id == (dst->tclassid & info->mask)) ^ info->invert;
40} 40}
41 41
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 71bf036f833c..f86d8d769d47 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -66,9 +66,9 @@ match_packet(const struct sk_buff *skb,
66 duprintf("Dropping invalid SCTP packet.\n"); 66 duprintf("Dropping invalid SCTP packet.\n");
67 *hotdrop = 1; 67 *hotdrop = 1;
68 return 0; 68 return 0;
69 } 69 }
70 70
71 duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n", 71 duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n",
72 ++i, offset, sch->type, htons(sch->length), sch->flags); 72 ++i, offset, sch->type, htons(sch->length), sch->flags);
73 73
74 offset += (ntohs(sch->length) + 3) & ~3; 74 offset += (ntohs(sch->length) + 3) & ~3;
@@ -78,21 +78,21 @@ match_packet(const struct sk_buff *skb,
78 if (SCTP_CHUNKMAP_IS_SET(chunkmap, sch->type)) { 78 if (SCTP_CHUNKMAP_IS_SET(chunkmap, sch->type)) {
79 switch (chunk_match_type) { 79 switch (chunk_match_type) {
80 case SCTP_CHUNK_MATCH_ANY: 80 case SCTP_CHUNK_MATCH_ANY:
81 if (match_flags(flag_info, flag_count, 81 if (match_flags(flag_info, flag_count,
82 sch->type, sch->flags)) { 82 sch->type, sch->flags)) {
83 return 1; 83 return 1;
84 } 84 }
85 break; 85 break;
86 86
87 case SCTP_CHUNK_MATCH_ALL: 87 case SCTP_CHUNK_MATCH_ALL:
88 if (match_flags(flag_info, flag_count, 88 if (match_flags(flag_info, flag_count,
89 sch->type, sch->flags)) { 89 sch->type, sch->flags)) {
90 SCTP_CHUNKMAP_CLEAR(chunkmapcopy, sch->type); 90 SCTP_CHUNKMAP_CLEAR(chunkmapcopy, sch->type);
91 } 91 }
92 break; 92 break;
93 93
94 case SCTP_CHUNK_MATCH_ONLY: 94 case SCTP_CHUNK_MATCH_ONLY:
95 if (!match_flags(flag_info, flag_count, 95 if (!match_flags(flag_info, flag_count,
96 sch->type, sch->flags)) { 96 sch->type, sch->flags)) {
97 return 0; 97 return 0;
98 } 98 }
@@ -136,24 +136,24 @@ match(const struct sk_buff *skb,
136 duprintf("Dropping non-first fragment.. FIXME\n"); 136 duprintf("Dropping non-first fragment.. FIXME\n");
137 return 0; 137 return 0;
138 } 138 }
139 139
140 sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh); 140 sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh);
141 if (sh == NULL) { 141 if (sh == NULL) {
142 duprintf("Dropping evil TCP offset=0 tinygram.\n"); 142 duprintf("Dropping evil TCP offset=0 tinygram.\n");
143 *hotdrop = 1; 143 *hotdrop = 1;
144 return 0; 144 return 0;
145 } 145 }
146 duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); 146 duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
147 147
148 return SCCHECK(((ntohs(sh->source) >= info->spts[0]) 148 return SCCHECK(((ntohs(sh->source) >= info->spts[0])
149 && (ntohs(sh->source) <= info->spts[1])), 149 && (ntohs(sh->source) <= info->spts[1])),
150 XT_SCTP_SRC_PORTS, info->flags, info->invflags) 150 XT_SCTP_SRC_PORTS, info->flags, info->invflags)
151 && SCCHECK(((ntohs(sh->dest) >= info->dpts[0]) 151 && SCCHECK(((ntohs(sh->dest) >= info->dpts[0])
152 && (ntohs(sh->dest) <= info->dpts[1])), 152 && (ntohs(sh->dest) <= info->dpts[1])),
153 XT_SCTP_DEST_PORTS, info->flags, info->invflags) 153 XT_SCTP_DEST_PORTS, info->flags, info->invflags)
154 && SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t), 154 && SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t),
155 info->chunkmap, info->chunk_match_type, 155 info->chunkmap, info->chunk_match_type,
156 info->flag_info, info->flag_count, 156 info->flag_info, info->flag_count,
157 hotdrop), 157 hotdrop),
158 XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); 158 XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
159} 159}
@@ -170,9 +170,9 @@ checkentry(const char *tablename,
170 return !(info->flags & ~XT_SCTP_VALID_FLAGS) 170 return !(info->flags & ~XT_SCTP_VALID_FLAGS)
171 && !(info->invflags & ~XT_SCTP_VALID_FLAGS) 171 && !(info->invflags & ~XT_SCTP_VALID_FLAGS)
172 && !(info->invflags & ~info->flags) 172 && !(info->invflags & ~info->flags)
173 && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) || 173 && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
174 (info->chunk_match_type & 174 (info->chunk_match_type &
175 (SCTP_CHUNK_MATCH_ALL 175 (SCTP_CHUNK_MATCH_ALL
176 | SCTP_CHUNK_MATCH_ANY 176 | SCTP_CHUNK_MATCH_ANY
177 | SCTP_CHUNK_MATCH_ONLY))); 177 | SCTP_CHUNK_MATCH_ONLY)));
178} 178}
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 4453252400aa..999a005dbd0c 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -1,5 +1,5 @@
1/* String matching match for iptables 1/* String matching match for iptables
2 * 2 *
3 * (C) 2005 Pablo Neira Ayuso <pablo@eurodev.net> 3 * (C) 2005 Pablo Neira Ayuso <pablo@eurodev.net>
4 * 4 *
5 * This program is free software; you can redistribute it and/or modify 5 * This program is free software; you can redistribute it and/or modify
@@ -35,8 +35,8 @@ static int match(const struct sk_buff *skb,
35 35
36 memset(&state, 0, sizeof(struct ts_state)); 36 memset(&state, 0, sizeof(struct ts_state));
37 37
38 return (skb_find_text((struct sk_buff *)skb, conf->from_offset, 38 return (skb_find_text((struct sk_buff *)skb, conf->from_offset,
39 conf->to_offset, conf->config, &state) 39 conf->to_offset, conf->config, &state)
40 != UINT_MAX) ^ conf->invert; 40 != UINT_MAX) ^ conf->invert;
41} 41}
42 42
@@ -55,7 +55,7 @@ static int checkentry(const char *tablename,
55 if (conf->from_offset > conf->to_offset) 55 if (conf->from_offset > conf->to_offset)
56 return 0; 56 return 0;
57 if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0') 57 if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
58 return 0; 58 return 0;
59 if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE) 59 if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
60 return 0; 60 return 0;
61 ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen, 61 ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index a3682fe2f192..80571d0749f7 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -64,9 +64,9 @@ match(const struct sk_buff *skb,
64 u_int16_t mssval; 64 u_int16_t mssval;
65 65
66 mssval = (op[i+2] << 8) | op[i+3]; 66 mssval = (op[i+2] << 8) | op[i+3];
67 67
68 return (mssval >= info->mss_min && 68 return (mssval >= info->mss_min &&
69 mssval <= info->mss_max) ^ info->invert; 69 mssval <= info->mss_max) ^ info->invert;
70 } 70 }
71 if (op[i] < 2) 71 if (op[i] < 2)
72 i++; 72 i++;