aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Documentation/feature-removal-schedule.txt16
-rw-r--r--drivers/net/tg3.c116
-rw-r--r--include/linux/netfilter_bridge.h2
-rw-r--r--net/bridge/br_netfilter.c5
-rw-r--r--net/ipv4/ip_input.c2
-rw-r--r--net/ipv4/ipmr.c19
-rw-r--r--net/ipv4/netfilter/ip_conntrack_helper_h323.c2
-rw-r--r--net/ipv4/netfilter/ip_conntrack_standalone.c4
-rw-r--r--net/ipv4/netfilter/ip_nat_snmp_basic.c4
-rw-r--r--net/ipv4/raw.c1
-rw-r--r--net/ipv6/ip6_input.c2
-rw-r--r--net/ipv6/raw.c1
-rw-r--r--net/netfilter/Kconfig4
-rw-r--r--net/netfilter/nf_conntrack_standalone.c4
-rw-r--r--net/netfilter/nf_queue.c9
-rw-r--r--net/netfilter/xt_physdev.c15
-rw-r--r--net/netfilter/xt_pkttype.c12
17 files changed, 167 insertions, 51 deletions
diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index 9d3a0775a11d..87851efb0228 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -258,3 +258,19 @@ Why: These drivers never compiled since they were added to the kernel
258Who: Jean Delvare <khali@linux-fr.org> 258Who: Jean Delvare <khali@linux-fr.org>
259 259
260--------------------------- 260---------------------------
261
262What: Bridge netfilter deferred IPv4/IPv6 output hook calling
263When: January 2007
264Why: The deferred output hooks are a layering violation causing unusual
265 and broken behaviour on bridge devices. Examples of things they
266 break include QoS classifation using the MARK or CLASSIFY targets,
267 the IPsec policy match and connection tracking with VLANs on a
268 bridge. Their only use is to enable bridge output port filtering
269 within iptables with the physdev match, which can also be done by
270 combining iptables and ebtables using netfilter marks. Until it
271 will get removed the hook deferral is disabled by default and is
272 only enabled when needed.
273
274Who: Patrick McHardy <kaber@trash.net>
275
276---------------------------
diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c
index ce6f3be86da0..1b8138f641e3 100644
--- a/drivers/net/tg3.c
+++ b/drivers/net/tg3.c
@@ -68,8 +68,8 @@
68 68
69#define DRV_MODULE_NAME "tg3" 69#define DRV_MODULE_NAME "tg3"
70#define PFX DRV_MODULE_NAME ": " 70#define PFX DRV_MODULE_NAME ": "
71#define DRV_MODULE_VERSION "3.62" 71#define DRV_MODULE_VERSION "3.63"
72#define DRV_MODULE_RELDATE "June 30, 2006" 72#define DRV_MODULE_RELDATE "July 25, 2006"
73 73
74#define TG3_DEF_MAC_MODE 0 74#define TG3_DEF_MAC_MODE 0
75#define TG3_DEF_RX_MODE 0 75#define TG3_DEF_RX_MODE 0
@@ -3590,6 +3590,28 @@ static irqreturn_t tg3_test_isr(int irq, void *dev_id,
3590static int tg3_init_hw(struct tg3 *, int); 3590static int tg3_init_hw(struct tg3 *, int);
3591static int tg3_halt(struct tg3 *, int, int); 3591static int tg3_halt(struct tg3 *, int, int);
3592 3592
3593/* Restart hardware after configuration changes, self-test, etc.
3594 * Invoked with tp->lock held.
3595 */
3596static int tg3_restart_hw(struct tg3 *tp, int reset_phy)
3597{
3598 int err;
3599
3600 err = tg3_init_hw(tp, reset_phy);
3601 if (err) {
3602 printk(KERN_ERR PFX "%s: Failed to re-initialize device, "
3603 "aborting.\n", tp->dev->name);
3604 tg3_halt(tp, RESET_KIND_SHUTDOWN, 1);
3605 tg3_full_unlock(tp);
3606 del_timer_sync(&tp->timer);
3607 tp->irq_sync = 0;
3608 netif_poll_enable(tp->dev);
3609 dev_close(tp->dev);
3610 tg3_full_lock(tp, 0);
3611 }
3612 return err;
3613}
3614
3593#ifdef CONFIG_NET_POLL_CONTROLLER 3615#ifdef CONFIG_NET_POLL_CONTROLLER
3594static void tg3_poll_controller(struct net_device *dev) 3616static void tg3_poll_controller(struct net_device *dev)
3595{ 3617{
@@ -3630,13 +3652,15 @@ static void tg3_reset_task(void *_data)
3630 } 3652 }
3631 3653
3632 tg3_halt(tp, RESET_KIND_SHUTDOWN, 0); 3654 tg3_halt(tp, RESET_KIND_SHUTDOWN, 0);
3633 tg3_init_hw(tp, 1); 3655 if (tg3_init_hw(tp, 1))
3656 goto out;
3634 3657
3635 tg3_netif_start(tp); 3658 tg3_netif_start(tp);
3636 3659
3637 if (restart_timer) 3660 if (restart_timer)
3638 mod_timer(&tp->timer, jiffies + 1); 3661 mod_timer(&tp->timer, jiffies + 1);
3639 3662
3663out:
3640 tp->tg3_flags &= ~TG3_FLAG_IN_RESET_TASK; 3664 tp->tg3_flags &= ~TG3_FLAG_IN_RESET_TASK;
3641 3665
3642 tg3_full_unlock(tp); 3666 tg3_full_unlock(tp);
@@ -4124,6 +4148,7 @@ static inline void tg3_set_mtu(struct net_device *dev, struct tg3 *tp,
4124static int tg3_change_mtu(struct net_device *dev, int new_mtu) 4148static int tg3_change_mtu(struct net_device *dev, int new_mtu)
4125{ 4149{
4126 struct tg3 *tp = netdev_priv(dev); 4150 struct tg3 *tp = netdev_priv(dev);
4151 int err;
4127 4152
4128 if (new_mtu < TG3_MIN_MTU || new_mtu > TG3_MAX_MTU(tp)) 4153 if (new_mtu < TG3_MIN_MTU || new_mtu > TG3_MAX_MTU(tp))
4129 return -EINVAL; 4154 return -EINVAL;
@@ -4144,13 +4169,14 @@ static int tg3_change_mtu(struct net_device *dev, int new_mtu)
4144 4169
4145 tg3_set_mtu(dev, tp, new_mtu); 4170 tg3_set_mtu(dev, tp, new_mtu);
4146 4171
4147 tg3_init_hw(tp, 0); 4172 err = tg3_restart_hw(tp, 0);
4148 4173
4149 tg3_netif_start(tp); 4174 if (!err)
4175 tg3_netif_start(tp);
4150 4176
4151 tg3_full_unlock(tp); 4177 tg3_full_unlock(tp);
4152 4178
4153 return 0; 4179 return err;
4154} 4180}
4155 4181
4156/* Free up pending packets in all rx/tx rings. 4182/* Free up pending packets in all rx/tx rings.
@@ -4232,7 +4258,7 @@ static void tg3_free_rings(struct tg3 *tp)
4232 * end up in the driver. tp->{tx,}lock are held and thus 4258 * end up in the driver. tp->{tx,}lock are held and thus
4233 * we may not sleep. 4259 * we may not sleep.
4234 */ 4260 */
4235static void tg3_init_rings(struct tg3 *tp) 4261static int tg3_init_rings(struct tg3 *tp)
4236{ 4262{
4237 u32 i; 4263 u32 i;
4238 4264
@@ -4281,18 +4307,38 @@ static void tg3_init_rings(struct tg3 *tp)
4281 4307
4282 /* Now allocate fresh SKBs for each rx ring. */ 4308 /* Now allocate fresh SKBs for each rx ring. */
4283 for (i = 0; i < tp->rx_pending; i++) { 4309 for (i = 0; i < tp->rx_pending; i++) {
4284 if (tg3_alloc_rx_skb(tp, RXD_OPAQUE_RING_STD, 4310 if (tg3_alloc_rx_skb(tp, RXD_OPAQUE_RING_STD, -1, i) < 0) {
4285 -1, i) < 0) 4311 printk(KERN_WARNING PFX
4312 "%s: Using a smaller RX standard ring, "
4313 "only %d out of %d buffers were allocated "
4314 "successfully.\n",
4315 tp->dev->name, i, tp->rx_pending);
4316 if (i == 0)
4317 return -ENOMEM;
4318 tp->rx_pending = i;
4286 break; 4319 break;
4320 }
4287 } 4321 }
4288 4322
4289 if (tp->tg3_flags & TG3_FLAG_JUMBO_RING_ENABLE) { 4323 if (tp->tg3_flags & TG3_FLAG_JUMBO_RING_ENABLE) {
4290 for (i = 0; i < tp->rx_jumbo_pending; i++) { 4324 for (i = 0; i < tp->rx_jumbo_pending; i++) {
4291 if (tg3_alloc_rx_skb(tp, RXD_OPAQUE_RING_JUMBO, 4325 if (tg3_alloc_rx_skb(tp, RXD_OPAQUE_RING_JUMBO,
4292 -1, i) < 0) 4326 -1, i) < 0) {
4327 printk(KERN_WARNING PFX
4328 "%s: Using a smaller RX jumbo ring, "
4329 "only %d out of %d buffers were "
4330 "allocated successfully.\n",
4331 tp->dev->name, i, tp->rx_jumbo_pending);
4332 if (i == 0) {
4333 tg3_free_rings(tp);
4334 return -ENOMEM;
4335 }
4336 tp->rx_jumbo_pending = i;
4293 break; 4337 break;
4338 }
4294 } 4339 }
4295 } 4340 }
4341 return 0;
4296} 4342}
4297 4343
4298/* 4344/*
@@ -5815,6 +5861,7 @@ static int tg3_set_mac_addr(struct net_device *dev, void *p)
5815{ 5861{
5816 struct tg3 *tp = netdev_priv(dev); 5862 struct tg3 *tp = netdev_priv(dev);
5817 struct sockaddr *addr = p; 5863 struct sockaddr *addr = p;
5864 int err = 0;
5818 5865
5819 if (!is_valid_ether_addr(addr->sa_data)) 5866 if (!is_valid_ether_addr(addr->sa_data))
5820 return -EINVAL; 5867 return -EINVAL;
@@ -5832,9 +5879,9 @@ static int tg3_set_mac_addr(struct net_device *dev, void *p)
5832 tg3_full_lock(tp, 1); 5879 tg3_full_lock(tp, 1);
5833 5880
5834 tg3_halt(tp, RESET_KIND_SHUTDOWN, 1); 5881 tg3_halt(tp, RESET_KIND_SHUTDOWN, 1);
5835 tg3_init_hw(tp, 0); 5882 err = tg3_restart_hw(tp, 0);
5836 5883 if (!err)
5837 tg3_netif_start(tp); 5884 tg3_netif_start(tp);
5838 tg3_full_unlock(tp); 5885 tg3_full_unlock(tp);
5839 } else { 5886 } else {
5840 spin_lock_bh(&tp->lock); 5887 spin_lock_bh(&tp->lock);
@@ -5842,7 +5889,7 @@ static int tg3_set_mac_addr(struct net_device *dev, void *p)
5842 spin_unlock_bh(&tp->lock); 5889 spin_unlock_bh(&tp->lock);
5843 } 5890 }
5844 5891
5845 return 0; 5892 return err;
5846} 5893}
5847 5894
5848/* tp->lock is held. */ 5895/* tp->lock is held. */
@@ -5942,7 +5989,9 @@ static int tg3_reset_hw(struct tg3 *tp, int reset_phy)
5942 * can only do this after the hardware has been 5989 * can only do this after the hardware has been
5943 * successfully reset. 5990 * successfully reset.
5944 */ 5991 */
5945 tg3_init_rings(tp); 5992 err = tg3_init_rings(tp);
5993 if (err)
5994 return err;
5946 5995
5947 /* This value is determined during the probe time DMA 5996 /* This value is determined during the probe time DMA
5948 * engine test, tg3_test_dma. 5997 * engine test, tg3_test_dma.
@@ -7956,7 +8005,7 @@ static void tg3_get_ringparam(struct net_device *dev, struct ethtool_ringparam *
7956static int tg3_set_ringparam(struct net_device *dev, struct ethtool_ringparam *ering) 8005static int tg3_set_ringparam(struct net_device *dev, struct ethtool_ringparam *ering)
7957{ 8006{
7958 struct tg3 *tp = netdev_priv(dev); 8007 struct tg3 *tp = netdev_priv(dev);
7959 int irq_sync = 0; 8008 int irq_sync = 0, err = 0;
7960 8009
7961 if ((ering->rx_pending > TG3_RX_RING_SIZE - 1) || 8010 if ((ering->rx_pending > TG3_RX_RING_SIZE - 1) ||
7962 (ering->rx_jumbo_pending > TG3_RX_JUMBO_RING_SIZE - 1) || 8011 (ering->rx_jumbo_pending > TG3_RX_JUMBO_RING_SIZE - 1) ||
@@ -7980,13 +8029,14 @@ static int tg3_set_ringparam(struct net_device *dev, struct ethtool_ringparam *e
7980 8029
7981 if (netif_running(dev)) { 8030 if (netif_running(dev)) {
7982 tg3_halt(tp, RESET_KIND_SHUTDOWN, 1); 8031 tg3_halt(tp, RESET_KIND_SHUTDOWN, 1);
7983 tg3_init_hw(tp, 1); 8032 err = tg3_restart_hw(tp, 1);
7984 tg3_netif_start(tp); 8033 if (!err)
8034 tg3_netif_start(tp);
7985 } 8035 }
7986 8036
7987 tg3_full_unlock(tp); 8037 tg3_full_unlock(tp);
7988 8038
7989 return 0; 8039 return err;
7990} 8040}
7991 8041
7992static void tg3_get_pauseparam(struct net_device *dev, struct ethtool_pauseparam *epause) 8042static void tg3_get_pauseparam(struct net_device *dev, struct ethtool_pauseparam *epause)
@@ -8001,7 +8051,7 @@ static void tg3_get_pauseparam(struct net_device *dev, struct ethtool_pauseparam
8001static int tg3_set_pauseparam(struct net_device *dev, struct ethtool_pauseparam *epause) 8051static int tg3_set_pauseparam(struct net_device *dev, struct ethtool_pauseparam *epause)
8002{ 8052{
8003 struct tg3 *tp = netdev_priv(dev); 8053 struct tg3 *tp = netdev_priv(dev);
8004 int irq_sync = 0; 8054 int irq_sync = 0, err = 0;
8005 8055
8006 if (netif_running(dev)) { 8056 if (netif_running(dev)) {
8007 tg3_netif_stop(tp); 8057 tg3_netif_stop(tp);
@@ -8025,13 +8075,14 @@ static int tg3_set_pauseparam(struct net_device *dev, struct ethtool_pauseparam
8025 8075
8026 if (netif_running(dev)) { 8076 if (netif_running(dev)) {
8027 tg3_halt(tp, RESET_KIND_SHUTDOWN, 1); 8077 tg3_halt(tp, RESET_KIND_SHUTDOWN, 1);
8028 tg3_init_hw(tp, 1); 8078 err = tg3_restart_hw(tp, 1);
8029 tg3_netif_start(tp); 8079 if (!err)
8080 tg3_netif_start(tp);
8030 } 8081 }
8031 8082
8032 tg3_full_unlock(tp); 8083 tg3_full_unlock(tp);
8033 8084
8034 return 0; 8085 return err;
8035} 8086}
8036 8087
8037static u32 tg3_get_rx_csum(struct net_device *dev) 8088static u32 tg3_get_rx_csum(struct net_device *dev)
@@ -8666,7 +8717,9 @@ static int tg3_test_loopback(struct tg3 *tp)
8666 if (!netif_running(tp->dev)) 8717 if (!netif_running(tp->dev))
8667 return TG3_LOOPBACK_FAILED; 8718 return TG3_LOOPBACK_FAILED;
8668 8719
8669 tg3_reset_hw(tp, 1); 8720 err = tg3_reset_hw(tp, 1);
8721 if (err)
8722 return TG3_LOOPBACK_FAILED;
8670 8723
8671 if (tg3_run_loopback(tp, TG3_MAC_LOOPBACK)) 8724 if (tg3_run_loopback(tp, TG3_MAC_LOOPBACK))
8672 err |= TG3_MAC_LOOPBACK_FAILED; 8725 err |= TG3_MAC_LOOPBACK_FAILED;
@@ -8740,8 +8793,8 @@ static void tg3_self_test(struct net_device *dev, struct ethtool_test *etest,
8740 tg3_halt(tp, RESET_KIND_SHUTDOWN, 1); 8793 tg3_halt(tp, RESET_KIND_SHUTDOWN, 1);
8741 if (netif_running(dev)) { 8794 if (netif_running(dev)) {
8742 tp->tg3_flags |= TG3_FLAG_INIT_COMPLETE; 8795 tp->tg3_flags |= TG3_FLAG_INIT_COMPLETE;
8743 tg3_init_hw(tp, 1); 8796 if (!tg3_restart_hw(tp, 1))
8744 tg3_netif_start(tp); 8797 tg3_netif_start(tp);
8745 } 8798 }
8746 8799
8747 tg3_full_unlock(tp); 8800 tg3_full_unlock(tp);
@@ -11699,7 +11752,8 @@ static int tg3_suspend(struct pci_dev *pdev, pm_message_t state)
11699 tg3_full_lock(tp, 0); 11752 tg3_full_lock(tp, 0);
11700 11753
11701 tp->tg3_flags |= TG3_FLAG_INIT_COMPLETE; 11754 tp->tg3_flags |= TG3_FLAG_INIT_COMPLETE;
11702 tg3_init_hw(tp, 1); 11755 if (tg3_restart_hw(tp, 1))
11756 goto out;
11703 11757
11704 tp->timer.expires = jiffies + tp->timer_offset; 11758 tp->timer.expires = jiffies + tp->timer_offset;
11705 add_timer(&tp->timer); 11759 add_timer(&tp->timer);
@@ -11707,6 +11761,7 @@ static int tg3_suspend(struct pci_dev *pdev, pm_message_t state)
11707 netif_device_attach(dev); 11761 netif_device_attach(dev);
11708 tg3_netif_start(tp); 11762 tg3_netif_start(tp);
11709 11763
11764out:
11710 tg3_full_unlock(tp); 11765 tg3_full_unlock(tp);
11711 } 11766 }
11712 11767
@@ -11733,16 +11788,19 @@ static int tg3_resume(struct pci_dev *pdev)
11733 tg3_full_lock(tp, 0); 11788 tg3_full_lock(tp, 0);
11734 11789
11735 tp->tg3_flags |= TG3_FLAG_INIT_COMPLETE; 11790 tp->tg3_flags |= TG3_FLAG_INIT_COMPLETE;
11736 tg3_init_hw(tp, 1); 11791 err = tg3_restart_hw(tp, 1);
11792 if (err)
11793 goto out;
11737 11794
11738 tp->timer.expires = jiffies + tp->timer_offset; 11795 tp->timer.expires = jiffies + tp->timer_offset;
11739 add_timer(&tp->timer); 11796 add_timer(&tp->timer);
11740 11797
11741 tg3_netif_start(tp); 11798 tg3_netif_start(tp);
11742 11799
11800out:
11743 tg3_full_unlock(tp); 11801 tg3_full_unlock(tp);
11744 11802
11745 return 0; 11803 return err;
11746} 11804}
11747 11805
11748static struct pci_driver tg3_driver = { 11806static struct pci_driver tg3_driver = {
diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
index 87764022cc67..31f02ba036ce 100644
--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
@@ -79,6 +79,8 @@ struct bridge_skb_cb {
79 __u32 ipv4; 79 __u32 ipv4;
80 } daddr; 80 } daddr;
81}; 81};
82
83extern int brnf_deferred_hooks;
82#endif /* CONFIG_BRIDGE_NETFILTER */ 84#endif /* CONFIG_BRIDGE_NETFILTER */
83 85
84#endif /* __KERNEL__ */ 86#endif /* __KERNEL__ */
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index cbc8a389a0a8..05b3de888243 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -61,6 +61,9 @@ static int brnf_filter_vlan_tagged = 1;
61#define brnf_filter_vlan_tagged 1 61#define brnf_filter_vlan_tagged 1
62#endif 62#endif
63 63
64int brnf_deferred_hooks;
65EXPORT_SYMBOL_GPL(brnf_deferred_hooks);
66
64static __be16 inline vlan_proto(const struct sk_buff *skb) 67static __be16 inline vlan_proto(const struct sk_buff *skb)
65{ 68{
66 return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto; 69 return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
@@ -890,6 +893,8 @@ static unsigned int ip_sabotage_out(unsigned int hook, struct sk_buff **pskb,
890 return NF_ACCEPT; 893 return NF_ACCEPT;
891 else if (ip->version == 6 && !brnf_call_ip6tables) 894 else if (ip->version == 6 && !brnf_call_ip6tables)
892 return NF_ACCEPT; 895 return NF_ACCEPT;
896 else if (!brnf_deferred_hooks)
897 return NF_ACCEPT;
893#endif 898#endif
894 if (hook == NF_IP_POST_ROUTING) 899 if (hook == NF_IP_POST_ROUTING)
895 return NF_ACCEPT; 900 return NF_ACCEPT;
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 184c78ca79e6..212734ca238f 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -429,7 +429,7 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
429 } 429 }
430 430
431 /* Remove any debris in the socket control block */ 431 /* Remove any debris in the socket control block */
432 memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options)); 432 memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
433 433
434 return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL, 434 return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
435 ip_rcv_finish); 435 ip_rcv_finish);
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 9ccacf57f08b..85893eef6b16 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1578,6 +1578,7 @@ int ipmr_get_route(struct sk_buff *skb, struct rtmsg *rtm, int nowait)
1578 cache = ipmr_cache_find(rt->rt_src, rt->rt_dst); 1578 cache = ipmr_cache_find(rt->rt_src, rt->rt_dst);
1579 1579
1580 if (cache==NULL) { 1580 if (cache==NULL) {
1581 struct sk_buff *skb2;
1581 struct net_device *dev; 1582 struct net_device *dev;
1582 int vif; 1583 int vif;
1583 1584
@@ -1591,12 +1592,18 @@ int ipmr_get_route(struct sk_buff *skb, struct rtmsg *rtm, int nowait)
1591 read_unlock(&mrt_lock); 1592 read_unlock(&mrt_lock);
1592 return -ENODEV; 1593 return -ENODEV;
1593 } 1594 }
1594 skb->nh.raw = skb_push(skb, sizeof(struct iphdr)); 1595 skb2 = skb_clone(skb, GFP_ATOMIC);
1595 skb->nh.iph->ihl = sizeof(struct iphdr)>>2; 1596 if (!skb2) {
1596 skb->nh.iph->saddr = rt->rt_src; 1597 read_unlock(&mrt_lock);
1597 skb->nh.iph->daddr = rt->rt_dst; 1598 return -ENOMEM;
1598 skb->nh.iph->version = 0; 1599 }
1599 err = ipmr_cache_unresolved(vif, skb); 1600
1601 skb2->nh.raw = skb_push(skb2, sizeof(struct iphdr));
1602 skb2->nh.iph->ihl = sizeof(struct iphdr)>>2;
1603 skb2->nh.iph->saddr = rt->rt_src;
1604 skb2->nh.iph->daddr = rt->rt_dst;
1605 skb2->nh.iph->version = 0;
1606 err = ipmr_cache_unresolved(vif, skb2);
1600 read_unlock(&mrt_lock); 1607 read_unlock(&mrt_lock);
1601 return err; 1608 return err;
1602 } 1609 }
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
index af35235672d5..9a39e2969712 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -1200,7 +1200,7 @@ static struct ip_conntrack_expect *find_expect(struct ip_conntrack *ct,
1200 tuple.dst.protonum = IPPROTO_TCP; 1200 tuple.dst.protonum = IPPROTO_TCP;
1201 1201
1202 exp = __ip_conntrack_expect_find(&tuple); 1202 exp = __ip_conntrack_expect_find(&tuple);
1203 if (exp->master == ct) 1203 if (exp && exp->master == ct)
1204 return exp; 1204 return exp;
1205 return NULL; 1205 return NULL;
1206} 1206}
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 7bd3c22003a2..7a9fa04a467a 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -534,6 +534,8 @@ static struct nf_hook_ops ip_conntrack_ops[] = {
534 534
535/* Sysctl support */ 535/* Sysctl support */
536 536
537int ip_conntrack_checksum = 1;
538
537#ifdef CONFIG_SYSCTL 539#ifdef CONFIG_SYSCTL
538 540
539/* From ip_conntrack_core.c */ 541/* From ip_conntrack_core.c */
@@ -568,8 +570,6 @@ extern unsigned int ip_ct_generic_timeout;
568static int log_invalid_proto_min = 0; 570static int log_invalid_proto_min = 0;
569static int log_invalid_proto_max = 255; 571static int log_invalid_proto_max = 255;
570 572
571int ip_conntrack_checksum = 1;
572
573static struct ctl_table_header *ip_ct_sysctl_header; 573static struct ctl_table_header *ip_ct_sysctl_header;
574 574
575static ctl_table ip_ct_sysctl_table[] = { 575static ctl_table ip_ct_sysctl_table[] = {
diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c
index 0b1b416759cc..18b7fbdccb61 100644
--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -1255,9 +1255,9 @@ static int help(struct sk_buff **pskb,
1255 struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl); 1255 struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl);
1256 1256
1257 /* SNMP replies and originating SNMP traps get mangled */ 1257 /* SNMP replies and originating SNMP traps get mangled */
1258 if (udph->source == ntohs(SNMP_PORT) && dir != IP_CT_DIR_REPLY) 1258 if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
1259 return NF_ACCEPT; 1259 return NF_ACCEPT;
1260 if (udph->dest == ntohs(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL) 1260 if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
1261 return NF_ACCEPT; 1261 return NF_ACCEPT;
1262 1262
1263 /* No NAT? */ 1263 /* No NAT? */
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index bd221ec3f81e..62b2762a2420 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -609,6 +609,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
609 if (sin) { 609 if (sin) {
610 sin->sin_family = AF_INET; 610 sin->sin_family = AF_INET;
611 sin->sin_addr.s_addr = skb->nh.iph->saddr; 611 sin->sin_addr.s_addr = skb->nh.iph->saddr;
612 sin->sin_port = 0;
612 memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); 613 memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
613 } 614 }
614 if (inet->cmsg_flags) 615 if (inet->cmsg_flags)
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index df8f051c0fce..25c2a9e03895 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -71,6 +71,8 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
71 goto out; 71 goto out;
72 } 72 }
73 73
74 memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
75
74 /* 76 /*
75 * Store incoming device index. When the packet will 77 * Store incoming device index. When the packet will
76 * be queued, we cannot refer to skb->dev anymore. 78 * be queued, we cannot refer to skb->dev anymore.
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index fa1ce0ae123e..d57e61ce4a7d 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -411,6 +411,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
411 /* Copy the address. */ 411 /* Copy the address. */
412 if (sin6) { 412 if (sin6) {
413 sin6->sin6_family = AF_INET6; 413 sin6->sin6_family = AF_INET6;
414 sin6->sin6_port = 0;
414 ipv6_addr_copy(&sin6->sin6_addr, &skb->nh.ipv6h->saddr); 415 ipv6_addr_copy(&sin6->sin6_addr, &skb->nh.ipv6h->saddr);
415 sin6->sin6_flowinfo = 0; 416 sin6->sin6_flowinfo = 0;
416 sin6->sin6_scope_id = 0; 417 sin6->sin6_scope_id = 0;
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 42a178aa30f9..a9894ddfd72a 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -386,8 +386,8 @@ config NETFILTER_XT_MATCH_REALM
386 <file:Documentation/modules.txt>. If unsure, say `N'. 386 <file:Documentation/modules.txt>. If unsure, say `N'.
387 387
388config NETFILTER_XT_MATCH_SCTP 388config NETFILTER_XT_MATCH_SCTP
389 tristate '"sctp" protocol match support' 389 tristate '"sctp" protocol match support (EXPERIMENTAL)'
390 depends on NETFILTER_XTABLES 390 depends on NETFILTER_XTABLES && EXPERIMENTAL
391 help 391 help
392 With this option enabled, you will be able to use the 392 With this option enabled, you will be able to use the
393 `sctp' match in order to match on SCTP source/destination ports 393 `sctp' match in order to match on SCTP source/destination ports
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 5fcab2ef231f..4ef836699962 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -428,6 +428,8 @@ static struct file_operations ct_cpu_seq_fops = {
428 428
429/* Sysctl support */ 429/* Sysctl support */
430 430
431int nf_conntrack_checksum = 1;
432
431#ifdef CONFIG_SYSCTL 433#ifdef CONFIG_SYSCTL
432 434
433/* From nf_conntrack_core.c */ 435/* From nf_conntrack_core.c */
@@ -459,8 +461,6 @@ extern unsigned int nf_ct_generic_timeout;
459static int log_invalid_proto_min = 0; 461static int log_invalid_proto_min = 0;
460static int log_invalid_proto_max = 255; 462static int log_invalid_proto_max = 255;
461 463
462int nf_conntrack_checksum = 1;
463
464static struct ctl_table_header *nf_ct_sysctl_header; 464static struct ctl_table_header *nf_ct_sysctl_header;
465 465
466static ctl_table nf_ct_sysctl_table[] = { 466static ctl_table nf_ct_sysctl_table[] = {
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index bb6fcee452ca..662a869593bf 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -219,21 +219,20 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
219 219
220 switch (verdict & NF_VERDICT_MASK) { 220 switch (verdict & NF_VERDICT_MASK) {
221 case NF_ACCEPT: 221 case NF_ACCEPT:
222 case NF_STOP:
222 info->okfn(skb); 223 info->okfn(skb);
224 case NF_STOLEN:
223 break; 225 break;
224
225 case NF_QUEUE: 226 case NF_QUEUE:
226 if (!nf_queue(&skb, elem, info->pf, info->hook, 227 if (!nf_queue(&skb, elem, info->pf, info->hook,
227 info->indev, info->outdev, info->okfn, 228 info->indev, info->outdev, info->okfn,
228 verdict >> NF_VERDICT_BITS)) 229 verdict >> NF_VERDICT_BITS))
229 goto next_hook; 230 goto next_hook;
230 break; 231 break;
232 default:
233 kfree_skb(skb);
231 } 234 }
232 rcu_read_unlock(); 235 rcu_read_unlock();
233
234 if (verdict == NF_DROP)
235 kfree_skb(skb);
236
237 kfree(info); 236 kfree(info);
238 return; 237 return;
239} 238}
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 5fe4c9df17f5..a9f4f6f3c628 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -113,6 +113,21 @@ checkentry(const char *tablename,
113 if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || 113 if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
114 info->bitmask & ~XT_PHYSDEV_OP_MASK) 114 info->bitmask & ~XT_PHYSDEV_OP_MASK)
115 return 0; 115 return 0;
116 if (brnf_deferred_hooks == 0 &&
117 info->bitmask & XT_PHYSDEV_OP_OUT &&
118 (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
119 info->invert & XT_PHYSDEV_OP_BRIDGED) &&
120 hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
121 (1 << NF_IP_POST_ROUTING))) {
122 printk(KERN_WARNING "physdev match: using --physdev-out in the "
123 "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
124 "traffic is deprecated and breaks other things, it will "
125 "be removed in January 2007. See Documentation/"
126 "feature-removal-schedule.txt for details. This doesn't "
127 "affect you in case you're using it for purely bridged "
128 "traffic.\n");
129 brnf_deferred_hooks = 1;
130 }
116 return 1; 131 return 1;
117} 132}
118 133
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 3ac703b5cb8f..d2f5320a80bf 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -9,6 +9,8 @@
9#include <linux/skbuff.h> 9#include <linux/skbuff.h>
10#include <linux/if_ether.h> 10#include <linux/if_ether.h>
11#include <linux/if_packet.h> 11#include <linux/if_packet.h>
12#include <linux/in.h>
13#include <linux/ip.h>
12 14
13#include <linux/netfilter/xt_pkttype.h> 15#include <linux/netfilter/xt_pkttype.h>
14#include <linux/netfilter/x_tables.h> 16#include <linux/netfilter/x_tables.h>
@@ -28,9 +30,17 @@ static int match(const struct sk_buff *skb,
28 unsigned int protoff, 30 unsigned int protoff,
29 int *hotdrop) 31 int *hotdrop)
30{ 32{
33 u_int8_t type;
31 const struct xt_pkttype_info *info = matchinfo; 34 const struct xt_pkttype_info *info = matchinfo;
32 35
33 return (skb->pkt_type == info->pkttype) ^ info->invert; 36 if (skb->pkt_type == PACKET_LOOPBACK)
37 type = (MULTICAST(skb->nh.iph->daddr)
38 ? PACKET_MULTICAST
39 : PACKET_BROADCAST);
40 else
41 type = skb->pkt_type;
42
43 return (type == info->pkttype) ^ info->invert;
34} 44}
35 45
36static struct xt_match pkttype_match = { 46static struct xt_match pkttype_match = {