15 files changed, 47 insertions, 29 deletions
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 14e6d32002c4..1afd18c855ec 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -76,6 +76,10 @@ enum ip_conntrack_status {
        /* Conntrack is a template */
        IPS_TEMPLATE_BIT = 11,
        IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
+        /* Conntrack is a fake untracked entry */
+        IPS_UNTRACKED_BIT = 12,
+        IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
 };
 /* Connection tracking event types */
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index bde095f7e845..3bc38c70bbbe 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -261,7 +261,13 @@ extern s16 (*nf_ct_nat_offset)(const struct nf_conn *ct,
                               u32 seq);
 /* Fake conntrack entry for untracked connections */
-extern struct nf_conn nf_conntrack_untracked;
+static inline struct nf_conn *nf_ct_untracked_get(void)
+{
+        extern struct nf_conn nf_conntrack_untracked;
+        return &nf_conntrack_untracked;
+}
+extern void nf_ct_untracked_status_or(unsigned long bits);
 /* Iterate over all conntracks: if iter returns true, it's deleted. */
 extern void
@@ -289,9 +295,9 @@ static inline int nf_ct_is_dying(struct nf_conn *ct)
        return test_bit(IPS_DYING_BIT, &ct->status);
 }
-static inline int nf_ct_is_untracked(const struct sk_buff *skb)
+static inline int nf_ct_is_untracked(const struct nf_conn *ct)
 {
-        return (skb->nfct == &nf_conntrack_untracked.ct_general);
+        return test_bit(IPS_UNTRACKED_BIT, &ct->status);
 }
 extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 3d7524fba194..aced085132e7 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -60,7 +60,7 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
        struct nf_conn *ct = (struct nf_conn *)skb->nfct;
        int ret = NF_ACCEPT;
-        if (ct && ct != &nf_conntrack_untracked) {
+        if (ct && !nf_ct_is_untracked(ct)) {
                if (!nf_ct_is_confirmed(ct))
                        ret = __nf_conntrack_confirm(skb);
                if (likely(ret == NF_ACCEPT))
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 4f8bddb760c9..c7719b283ada 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -742,7 +742,7 @@ static int __init nf_nat_init(void)
        spin_unlock_bh(&nf_nat_lock);
        /* Initialize fake conntrack so that NAT will skip it */
-        nf_conntrack_untracked.status |= IPS_NAT_DONE_MASK;
+        nf_ct_untracked_status_or(IPS_NAT_DONE_MASK);
        l3proto = nf_ct_l3proto_find_get((u_int16_t)AF_INET);
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index beb25819c9c9..6723c682250d 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -98,7 +98,7 @@ nf_nat_fn(unsigned int hooknum,
                return NF_ACCEPT;
        /* Don't try to NAT if this packet is not conntracked */
-        if (ct == &nf_conntrack_untracked)
+        if (nf_ct_is_untracked(ct))
                return NF_ACCEPT;
        nat = nfct_nat(ct);
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 9be81776415e..1df3c8b6bf47 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -208,7 +208,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
        type = icmp6h->icmp6_type - 130;
        if (type >= 0 && type < sizeof(noct_valid_new) &&
            noct_valid_new[type]) {
-                skb->nfct = &nf_conntrack_untracked.ct_general;
+                skb->nfct = &nf_ct_untracked_get()->ct_general;
                skb->nfctinfo = IP_CT_NEW;
                nf_conntrack_get(skb->nfct);
                return NF_ACCEPT;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index eeeb8bc73982..6c1da212380d 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -62,7 +62,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
 unsigned int nf_conntrack_max __read_mostly;
 EXPORT_SYMBOL_GPL(nf_conntrack_max);
-struct nf_conn nf_conntrack_untracked __read_mostly;
+struct nf_conn nf_conntrack_untracked;
 EXPORT_SYMBOL_GPL(nf_conntrack_untracked);
 static int nf_conntrack_hash_rnd_initted;
@@ -1321,6 +1321,12 @@ EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize);
 module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
                  &nf_conntrack_htable_size, 0600);
+void nf_ct_untracked_status_or(unsigned long bits)
+{
+        nf_conntrack_untracked.status |= bits;
+}
+EXPORT_SYMBOL_GPL(nf_ct_untracked_status_or);
 static int nf_conntrack_init_init_net(void)
 {
        int max_factor = 8;
@@ -1368,8 +1374,7 @@ static int nf_conntrack_init_init_net(void)
 #endif
        atomic_set(&nf_conntrack_untracked.ct_general.use, 1);
        /*  - and look it like as a confirmed connection */
-        set_bit(IPS_CONFIRMED_BIT, &nf_conntrack_untracked.status);
+        nf_ct_untracked_status_or(IPS_CONFIRMED | IPS_UNTRACKED);
        return 0;
 #ifdef CONFIG_NF_CONNTRACK_ZONES
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c42ff6aa441d..5bae1cd15eea 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -480,7 +480,7 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
        int err;
        /* ignore our fake conntrack entry */
-        if (ct == &nf_conntrack_untracked)
+        if (nf_ct_is_untracked(ct))
                return 0;
        if (events & (1 << IPCT_DESTROY)) {
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 562bf3266e04..0cb6053f02fd 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -67,7 +67,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
                return -EINVAL;
        if (info->flags & XT_CT_NOTRACK) {
-                ct = &nf_conntrack_untracked;
+                ct = nf_ct_untracked_get();
                atomic_inc(&ct->ct_general.use);
                goto out;
        }
@@ -132,7 +132,7 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
        struct nf_conn *ct = info->ct;
        struct nf_conn_help *help;
-        if (ct != &nf_conntrack_untracked) {
+        if (!nf_ct_is_untracked(ct)) {
                help = nfct_help(ct);
                if (help)
                        module_put(help->helper->me);
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index 512b9123252f..9d782181b6c8 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -23,7 +23,7 @@ notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
           If there is a real ct entry correspondig to this packet,
           it'll hang aroun till timing out. We don't deal with it
           for performance reasons. JK */
-        skb->nfct = &nf_conntrack_untracked.ct_general;
+        skb->nfct = &nf_ct_untracked_get()->ct_general;
        skb->nfctinfo = IP_CT_NEW;
        nf_conntrack_get(skb->nfct);
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 859d9fd429c8..7a118267c4c4 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -104,7 +104,7 @@ tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 #ifdef WITH_CONNTRACK
        /* Avoid counting cloned packets towards the original connection. */
        nf_conntrack_put(skb->nfct);
-        skb->nfct     = &nf_conntrack_untracked.ct_general;
+        skb->nfct     = &nf_ct_untracked_get()->ct_general;
        skb->nfctinfo = IP_CT_NEW;
        nf_conntrack_get(skb->nfct);
 #endif
@@ -177,7 +177,7 @@ tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 #ifdef WITH_CONNTRACK
        nf_conntrack_put(skb->nfct);
-        skb->nfct     = &nf_conntrack_untracked.ct_general;
+        skb->nfct     = &nf_ct_untracked_get()->ct_general;
        skb->nfctinfo = IP_CT_NEW;
        nf_conntrack_get(skb->nfct);
 #endif
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 30b95a1c1c89..f4af1bfafb1c 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -120,7 +120,7 @@ xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par)
        if (ct == NULL)
                return false;
-        if (ct == &nf_conntrack_untracked)
+        if (nf_ct_is_untracked(ct))
                return false;
        if (ct->master)
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 39681f10291c..e536710ad916 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -123,11 +123,12 @@ conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
        ct = nf_ct_get(skb, &ctinfo);
-        if (ct == &nf_conntrack_untracked)
+        if (ct) {
-                statebit = XT_CONNTRACK_STATE_UNTRACKED;
+                if (nf_ct_is_untracked(ct))
-        else if (ct != NULL)
+                        statebit = XT_CONNTRACK_STATE_UNTRACKED;
-                statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
+                else
-        else
+                        statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
+        } else
                statebit = XT_CONNTRACK_STATE_INVALID;
        if (info->match_flags & XT_CONNTRACK_STATE) {
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 3d54c236a1ba..1ca89908cbad 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -127,7 +127,7 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
         * reply packet of an established SNAT-ted connection. */
        ct = nf_ct_get(skb, &ctinfo);
-        if (ct && (ct != &nf_conntrack_untracked) &&
+        if (ct && !nf_ct_is_untracked(ct) &&
            ((iph->protocol != IPPROTO_ICMP &&
              ctinfo == IP_CT_IS_REPLY + IP_CT_ESTABLISHED) ||
             (iph->protocol == IPPROTO_ICMP &&
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index e12e053d3782..a507922d80cd 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -26,14 +26,16 @@ state_mt(const struct sk_buff *skb, struct xt_action_param *par)
        const struct xt_state_info *sinfo = par->matchinfo;
        enum ip_conntrack_info ctinfo;
        unsigned int statebit;
+        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
-        if (nf_ct_is_untracked(skb))
+        if (!ct)
-                statebit = XT_STATE_UNTRACKED;
-        else if (!nf_ct_get(skb, &ctinfo))
                statebit = XT_STATE_INVALID;
-        else
+        else {
-                statebit = XT_STATE_BIT(ctinfo);
+                if (nf_ct_is_untracked(ct))
+                        statebit = XT_STATE_UNTRACKED;
+                else
+                        statebit = XT_STATE_BIT(ctinfo);
+        }
        return (sinfo->statemask & statebit);
 }

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h index 14e6d32002c4..1afd18c855ec 100644 --- a/include/linux/netfilter/nf_conntrack_common.h +++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -76,6 +76,10 @@ enum ip_conntrack_status {
76	/* Conntrack is a template */	76	/* Conntrack is a template */
77	IPS_TEMPLATE_BIT = 11,	77	IPS_TEMPLATE_BIT = 11,
78	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),	78	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
		79
		80	/* Conntrack is a fake untracked entry */
		81	IPS_UNTRACKED_BIT = 12,
		82	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
79	};	83	};
80		84
81	/* Connection tracking event types */	85	/* Connection tracking event types */


diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index bde095f7e845..3bc38c70bbbe 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h
@@ -261,7 +261,13 @@ extern s16 (nf_ct_nat_offset)(const struct nf_conn ct,
261	u32 seq);	261	u32 seq);
262		262
263	/* Fake conntrack entry for untracked connections */	263	/* Fake conntrack entry for untracked connections */
264	extern struct nf_conn nf_conntrack_untracked;	264	static inline struct nf_conn *nf_ct_untracked_get(void)
		265	{
		266	extern struct nf_conn nf_conntrack_untracked;
		267
		268	return &nf_conntrack_untracked;
		269	}
		270	extern void nf_ct_untracked_status_or(unsigned long bits);
265		271
266	/* Iterate over all conntracks: if iter returns true, it's deleted. */	272	/* Iterate over all conntracks: if iter returns true, it's deleted. */
267	extern void	273	extern void
@@ -289,9 +295,9 @@ static inline int nf_ct_is_dying(struct nf_conn *ct)
289	return test_bit(IPS_DYING_BIT, &ct->status);	295	return test_bit(IPS_DYING_BIT, &ct->status);
290	}	296	}
291		297
292	static inline int nf_ct_is_untracked(const struct sk_buff *skb)	298	static inline int nf_ct_is_untracked(const struct nf_conn *ct)
293	{	299	{
294	return (skb->nfct == &nf_conntrack_untracked.ct_general);	300	return test_bit(IPS_UNTRACKED_BIT, &ct->status);
295	}	301	}
296		302
297	extern int nf_conntrack_set_hashsize(const char val, struct kernel_param kp);	303	extern int nf_conntrack_set_hashsize(const char val, struct kernel_param kp);


diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h index 3d7524fba194..aced085132e7 100644 --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h
@@ -60,7 +60,7 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
60	struct nf_conn ct = (struct nf_conn )skb->nfct;	60	struct nf_conn ct = (struct nf_conn )skb->nfct;
61	int ret = NF_ACCEPT;	61	int ret = NF_ACCEPT;
62		62
63	if (ct && ct != &nf_conntrack_untracked) {	63	if (ct && !nf_ct_is_untracked(ct)) {
64	if (!nf_ct_is_confirmed(ct))	64	if (!nf_ct_is_confirmed(ct))
65	ret = __nf_conntrack_confirm(skb);	65	ret = __nf_conntrack_confirm(skb);
66	if (likely(ret == NF_ACCEPT))	66	if (likely(ret == NF_ACCEPT))


diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c index 4f8bddb760c9..c7719b283ada 100644 --- a/net/ipv4/netfilter/nf_nat_core.c +++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -742,7 +742,7 @@ static int __init nf_nat_init(void)
742	spin_unlock_bh(&nf_nat_lock);	742	spin_unlock_bh(&nf_nat_lock);
743		743
744	/* Initialize fake conntrack so that NAT will skip it */	744	/* Initialize fake conntrack so that NAT will skip it */
745	nf_conntrack_untracked.status \|= IPS_NAT_DONE_MASK;	745	nf_ct_untracked_status_or(IPS_NAT_DONE_MASK);
746		746
747	l3proto = nf_ct_l3proto_find_get((u_int16_t)AF_INET);	747	l3proto = nf_ct_l3proto_find_get((u_int16_t)AF_INET);
748		748


diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c index beb25819c9c9..6723c682250d 100644 --- a/net/ipv4/netfilter/nf_nat_standalone.c +++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -98,7 +98,7 @@ nf_nat_fn(unsigned int hooknum,
98	return NF_ACCEPT;	98	return NF_ACCEPT;
99		99
100	/* Don't try to NAT if this packet is not conntracked */	100	/* Don't try to NAT if this packet is not conntracked */
101	if (ct == &nf_conntrack_untracked)	101	if (nf_ct_is_untracked(ct))
102	return NF_ACCEPT;	102	return NF_ACCEPT;
103		103
104	nat = nfct_nat(ct);	104	nat = nfct_nat(ct);


diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index 9be81776415e..1df3c8b6bf47 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -208,7 +208,7 @@ icmpv6_error(struct net net, struct nf_conn tmpl,
208	type = icmp6h->icmp6_type - 130;	208	type = icmp6h->icmp6_type - 130;
209	if (type >= 0 && type < sizeof(noct_valid_new) &&	209	if (type >= 0 && type < sizeof(noct_valid_new) &&
210	noct_valid_new[type]) {	210	noct_valid_new[type]) {
211	skb->nfct = &nf_conntrack_untracked.ct_general;	211	skb->nfct = &nf_ct_untracked_get()->ct_general;
212	skb->nfctinfo = IP_CT_NEW;	212	skb->nfctinfo = IP_CT_NEW;
213	nf_conntrack_get(skb->nfct);	213	nf_conntrack_get(skb->nfct);
214	return NF_ACCEPT;	214	return NF_ACCEPT;


diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index eeeb8bc73982..6c1da212380d 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c
@@ -62,7 +62,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
62	unsigned int nf_conntrack_max __read_mostly;	62	unsigned int nf_conntrack_max __read_mostly;
63	EXPORT_SYMBOL_GPL(nf_conntrack_max);	63	EXPORT_SYMBOL_GPL(nf_conntrack_max);
64		64
65	struct nf_conn nf_conntrack_untracked __read_mostly;	65	struct nf_conn nf_conntrack_untracked;
66	EXPORT_SYMBOL_GPL(nf_conntrack_untracked);	66	EXPORT_SYMBOL_GPL(nf_conntrack_untracked);
67		67
68	static int nf_conntrack_hash_rnd_initted;	68	static int nf_conntrack_hash_rnd_initted;
@@ -1321,6 +1321,12 @@ EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize);
1321	module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,	1321	module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
1322	&nf_conntrack_htable_size, 0600);	1322	&nf_conntrack_htable_size, 0600);
1323		1323
		1324	void nf_ct_untracked_status_or(unsigned long bits)
		1325	{
		1326	nf_conntrack_untracked.status \|= bits;
		1327	}
		1328	EXPORT_SYMBOL_GPL(nf_ct_untracked_status_or);
		1329
1324	static int nf_conntrack_init_init_net(void)	1330	static int nf_conntrack_init_init_net(void)
1325	{	1331	{
1326	int max_factor = 8;	1332	int max_factor = 8;
@@ -1368,8 +1374,7 @@ static int nf_conntrack_init_init_net(void)
1368	#endif	1374	#endif
1369	atomic_set(&nf_conntrack_untracked.ct_general.use, 1);	1375	atomic_set(&nf_conntrack_untracked.ct_general.use, 1);
1370	/* - and look it like as a confirmed connection */	1376	/* - and look it like as a confirmed connection */
1371	set_bit(IPS_CONFIRMED_BIT, &nf_conntrack_untracked.status);	1377	nf_ct_untracked_status_or(IPS_CONFIRMED \| IPS_UNTRACKED);
1372
1373	return 0;	1378	return 0;
1374		1379
1375	#ifdef CONFIG_NF_CONNTRACK_ZONES	1380	#ifdef CONFIG_NF_CONNTRACK_ZONES


diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index c42ff6aa441d..5bae1cd15eea 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c
@@ -480,7 +480,7 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
480	int err;	480	int err;
481		481
482	/* ignore our fake conntrack entry */	482	/* ignore our fake conntrack entry */
483	if (ct == &nf_conntrack_untracked)	483	if (nf_ct_is_untracked(ct))
484	return 0;	484	return 0;
485		485
486	if (events & (1 << IPCT_DESTROY)) {	486	if (events & (1 << IPCT_DESTROY)) {


diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c index 562bf3266e04..0cb6053f02fd 100644 --- a/net/netfilter/xt_CT.c +++ b/net/netfilter/xt_CT.c
@@ -67,7 +67,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
67	return -EINVAL;	67	return -EINVAL;
68		68
69	if (info->flags & XT_CT_NOTRACK) {	69	if (info->flags & XT_CT_NOTRACK) {
70	ct = &nf_conntrack_untracked;	70	ct = nf_ct_untracked_get();
71	atomic_inc(&ct->ct_general.use);	71	atomic_inc(&ct->ct_general.use);
72	goto out;	72	goto out;
73	}	73	}
@@ -132,7 +132,7 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
132	struct nf_conn *ct = info->ct;	132	struct nf_conn *ct = info->ct;
133	struct nf_conn_help *help;	133	struct nf_conn_help *help;
134		134
135	if (ct != &nf_conntrack_untracked) {	135	if (!nf_ct_is_untracked(ct)) {
136	help = nfct_help(ct);	136	help = nfct_help(ct);
137	if (help)	137	if (help)
138	module_put(help->helper->me);	138	module_put(help->helper->me);


diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c index 512b9123252f..9d782181b6c8 100644 --- a/net/netfilter/xt_NOTRACK.c +++ b/net/netfilter/xt_NOTRACK.c
@@ -23,7 +23,7 @@ notrack_tg(struct sk_buff skb, const struct xt_action_param par)
23	If there is a real ct entry correspondig to this packet,	23	If there is a real ct entry correspondig to this packet,
24	it'll hang aroun till timing out. We don't deal with it	24	it'll hang aroun till timing out. We don't deal with it
25	for performance reasons. JK */	25	for performance reasons. JK */
26	skb->nfct = &nf_conntrack_untracked.ct_general;	26	skb->nfct = &nf_ct_untracked_get()->ct_general;
27	skb->nfctinfo = IP_CT_NEW;	27	skb->nfctinfo = IP_CT_NEW;
28	nf_conntrack_get(skb->nfct);	28	nf_conntrack_get(skb->nfct);
29		29


diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c index 859d9fd429c8..7a118267c4c4 100644 --- a/net/netfilter/xt_TEE.c +++ b/net/netfilter/xt_TEE.c
@@ -104,7 +104,7 @@ tee_tg4(struct sk_buff skb, const struct xt_action_param par)
104	#ifdef WITH_CONNTRACK	104	#ifdef WITH_CONNTRACK
105	/* Avoid counting cloned packets towards the original connection. */	105	/* Avoid counting cloned packets towards the original connection. */
106	nf_conntrack_put(skb->nfct);	106	nf_conntrack_put(skb->nfct);
107	skb->nfct = &nf_conntrack_untracked.ct_general;	107	skb->nfct = &nf_ct_untracked_get()->ct_general;
108	skb->nfctinfo = IP_CT_NEW;	108	skb->nfctinfo = IP_CT_NEW;
109	nf_conntrack_get(skb->nfct);	109	nf_conntrack_get(skb->nfct);
110	#endif	110	#endif
@@ -177,7 +177,7 @@ tee_tg6(struct sk_buff skb, const struct xt_action_param par)
177		177
178	#ifdef WITH_CONNTRACK	178	#ifdef WITH_CONNTRACK
179	nf_conntrack_put(skb->nfct);	179	nf_conntrack_put(skb->nfct);
180	skb->nfct = &nf_conntrack_untracked.ct_general;	180	skb->nfct = &nf_ct_untracked_get()->ct_general;
181	skb->nfctinfo = IP_CT_NEW;	181	skb->nfctinfo = IP_CT_NEW;
182	nf_conntrack_get(skb->nfct);	182	nf_conntrack_get(skb->nfct);
183	#endif	183	#endif


diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c index 30b95a1c1c89..f4af1bfafb1c 100644 --- a/net/netfilter/xt_cluster.c +++ b/net/netfilter/xt_cluster.c
@@ -120,7 +120,7 @@ xt_cluster_mt(const struct sk_buff skb, struct xt_action_param par)
120	if (ct == NULL)	120	if (ct == NULL)
121	return false;	121	return false;
122		122
123	if (ct == &nf_conntrack_untracked)	123	if (nf_ct_is_untracked(ct))
124	return false;	124	return false;
125		125
126	if (ct->master)	126	if (ct->master)


diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c index 39681f10291c..e536710ad916 100644 --- a/net/netfilter/xt_conntrack.c +++ b/net/netfilter/xt_conntrack.c
@@ -123,11 +123,12 @@ conntrack_mt(const struct sk_buff skb, struct xt_action_param par,
123		123
124	ct = nf_ct_get(skb, &ctinfo);	124	ct = nf_ct_get(skb, &ctinfo);
125		125
126	if (ct == &nf_conntrack_untracked)	126	if (ct) {
127	statebit = XT_CONNTRACK_STATE_UNTRACKED;	127	if (nf_ct_is_untracked(ct))
128	else if (ct != NULL)	128	statebit = XT_CONNTRACK_STATE_UNTRACKED;
129	statebit = XT_CONNTRACK_STATE_BIT(ctinfo);	129	else
130	else	130	statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
		131	} else
131	statebit = XT_CONNTRACK_STATE_INVALID;	132	statebit = XT_CONNTRACK_STATE_INVALID;
132		133
133	if (info->match_flags & XT_CONNTRACK_STATE) {	134	if (info->match_flags & XT_CONNTRACK_STATE) {


diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c index 3d54c236a1ba..1ca89908cbad 100644 --- a/net/netfilter/xt_socket.c +++ b/net/netfilter/xt_socket.c
@@ -127,7 +127,7 @@ socket_match(const struct sk_buff skb, struct xt_action_param par,
127	* reply packet of an established SNAT-ted connection. */	127	* reply packet of an established SNAT-ted connection. */
128		128
129	ct = nf_ct_get(skb, &ctinfo);	129	ct = nf_ct_get(skb, &ctinfo);
130	if (ct && (ct != &nf_conntrack_untracked) &&	130	if (ct && !nf_ct_is_untracked(ct) &&
131	((iph->protocol != IPPROTO_ICMP &&	131	((iph->protocol != IPPROTO_ICMP &&
132	ctinfo == IP_CT_IS_REPLY + IP_CT_ESTABLISHED) \|\|	132	ctinfo == IP_CT_IS_REPLY + IP_CT_ESTABLISHED) \|\|
133	(iph->protocol == IPPROTO_ICMP &&	133	(iph->protocol == IPPROTO_ICMP &&


diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c index e12e053d3782..a507922d80cd 100644 --- a/net/netfilter/xt_state.c +++ b/net/netfilter/xt_state.c
@@ -26,14 +26,16 @@ state_mt(const struct sk_buff skb, struct xt_action_param par)
26	const struct xt_state_info *sinfo = par->matchinfo;	26	const struct xt_state_info *sinfo = par->matchinfo;
27	enum ip_conntrack_info ctinfo;	27	enum ip_conntrack_info ctinfo;
28	unsigned int statebit;	28	unsigned int statebit;
		29	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
29		30
30	if (nf_ct_is_untracked(skb))	31	if (!ct)
31	statebit = XT_STATE_UNTRACKED;
32	else if (!nf_ct_get(skb, &ctinfo))
33	statebit = XT_STATE_INVALID;	32	statebit = XT_STATE_INVALID;
34	else	33	else {
35	statebit = XT_STATE_BIT(ctinfo);	34	if (nf_ct_is_untracked(ct))
36		35	statebit = XT_STATE_UNTRACKED;
		36	else
		37	statebit = XT_STATE_BIT(ctinfo);
		38	}
37	return (sinfo->statemask & statebit);	39	return (sinfo->statemask & statebit);
38	}	40	}
39		41