10 files changed, 61 insertions, 59 deletions
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 3ebbbe7b6d05..5e1e6f2d98c2 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2725,7 +2725,7 @@ static inline void nf_reset(struct sk_buff *skb)
 static inline void nf_reset_trace(struct sk_buff *skb)
 {
-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
        skb->nf_trace = 0;
 #endif
 }
@@ -2742,6 +2742,9 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src)
        dst->nf_bridge  = src->nf_bridge;
        nf_bridge_get(src->nf_bridge);
 #endif
+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
+        dst->nf_trace = src->nf_trace;
+#endif
 }
 static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 5976ef0846bd..5d6236d9fdce 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -707,9 +707,6 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
        new->mark               = old->mark;
        new->skb_iif            = old->skb_iif;
        __nf_copy(new, old);
-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
-        new->nf_trace           = old->nf_trace;
-#endif
 #ifdef CONFIG_NET_SCHED
        new->tc_index           = old->tc_index;
 #ifdef CONFIG_NET_CLS_ACT
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 8971780aec7c..73c6b63bba74 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -422,9 +422,6 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
        to->tc_index = from->tc_index;
 #endif
        nf_copy(to, from);
-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
-        to->nf_trace = from->nf_trace;
-#endif
 #if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE)
        to->ipvs_property = from->ipvs_property;
 #endif
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index d551e31b416e..7c676671329d 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -1198,8 +1198,8 @@ static int snmp_translate(struct nf_conn *ct,
                map.to = NOCT1(&ct->tuplehash[!dir].tuple.dst.u3.ip);
        } else {
                /* DNAT replies */
-                map.from = NOCT1(&ct->tuplehash[dir].tuple.src.u3.ip);
+                map.from = NOCT1(&ct->tuplehash[!dir].tuple.src.u3.ip);
-                map.to = NOCT1(&ct->tuplehash[!dir].tuple.dst.u3.ip);
+                map.to = NOCT1(&ct->tuplehash[dir].tuple.dst.u3.ip);
        }
        if (map.from == map.to)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 070a2fae2375..16f91a2e7888 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -530,9 +530,6 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
        to->tc_index = from->tc_index;
 #endif
        nf_copy(to, from);
-#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
-        to->nf_trace = from->nf_trace;
-#endif
        skb_copy_secmark(to, from);
 }
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index bb322d0beb48..b9f0e0374322 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1310,27 +1310,22 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
 }
 static int
-ctnetlink_change_nat(struct nf_conn *ct, const struct nlattr * const cda[])
+ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
 {
 #ifdef CONFIG_NF_NAT_NEEDED
        int ret;
-        if (cda[CTA_NAT_DST]) {
+        ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
-                ret = ctnetlink_parse_nat_setup(ct,
+                                        cda[CTA_NAT_DST]);
-                                                NF_NAT_MANIP_DST,
+        if (ret < 0)
-                                                cda[CTA_NAT_DST]);
+                return ret;
-                if (ret < 0)
-                        return ret;
+        ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
-        }
+                                        cda[CTA_NAT_SRC]);
-        if (cda[CTA_NAT_SRC]) {
+        return ret;
-                ret = ctnetlink_parse_nat_setup(ct,
-                                                NF_NAT_MANIP_SRC,
-                                                cda[CTA_NAT_SRC]);
-                if (ret < 0)
-                        return ret;
-        }
-        return 0;
 #else
+        if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
+                return 0;
        return -EOPNOTSUPP;
 #endif
 }
@@ -1659,11 +1654,9 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
                        goto err2;
        }
-        if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
+        err = ctnetlink_setup_nat(ct, cda);
-                err = ctnetlink_change_nat(ct, cda);
+        if (err < 0)
-                if (err < 0)
+                goto err2;
-                        goto err2;
-        }
        nf_ct_acct_ext_add(ct, GFP_ATOMIC);
        nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index d3f5cd6dd962..52ca952b802c 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -432,15 +432,15 @@ nf_nat_setup_info(struct nf_conn *ct,
 }
 EXPORT_SYMBOL(nf_nat_setup_info);
-unsigned int
+static unsigned int
-nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
+__nf_nat_alloc_null_binding(struct nf_conn *ct, enum nf_nat_manip_type manip)
 {
        /* Force range to this IP; let proto decide mapping for
         * per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED).
         * Use reply in case it's already been mangled (eg local packet).
         */
        union nf_inet_addr ip =
-                (HOOK2MANIP(hooknum) == NF_NAT_MANIP_SRC ?
+                (manip == NF_NAT_MANIP_SRC ?
                ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3 :
                ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3);
        struct nf_nat_range range = {
@@ -448,7 +448,13 @@ nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
                .min_addr       = ip,
                .max_addr       = ip,
        };
-        return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));
+        return nf_nat_setup_info(ct, &range, manip);
+}
+unsigned int
+nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
+{
+        return __nf_nat_alloc_null_binding(ct, HOOK2MANIP(hooknum));
 }
 EXPORT_SYMBOL_GPL(nf_nat_alloc_null_binding);
@@ -702,9 +708,9 @@ static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
 static int
 nfnetlink_parse_nat(const struct nlattr *nat,
-                    const struct nf_conn *ct, struct nf_nat_range *range)
+                    const struct nf_conn *ct, struct nf_nat_range *range,
+                    const struct nf_nat_l3proto *l3proto)
 {
-        const struct nf_nat_l3proto *l3proto;
        struct nlattr *tb[CTA_NAT_MAX+1];
        int err;
@@ -714,38 +720,46 @@ nfnetlink_parse_nat(const struct nlattr *nat,
        if (err < 0)
                return err;
-        rcu_read_lock();
-        l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
-        if (l3proto == NULL) {
-                err = -EAGAIN;
-                goto out;
-        }
        err = l3proto->nlattr_to_range(tb, range);
        if (err < 0)
-                goto out;
+                return err;
        if (!tb[CTA_NAT_PROTO])
-                goto out;
+                return 0;
-        err = nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
+        return nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
-out:
-        rcu_read_unlock();
-        return err;
 }
+/* This function is called under rcu_read_lock() */
 static int
 nfnetlink_parse_nat_setup(struct nf_conn *ct,
                          enum nf_nat_manip_type manip,
                          const struct nlattr *attr)
 {
        struct nf_nat_range range;
+        const struct nf_nat_l3proto *l3proto;
        int err;
-        err = nfnetlink_parse_nat(attr, ct, &range);
+        /* Should not happen, restricted to creating new conntracks
+         * via ctnetlink.
+         */
+        if (WARN_ON_ONCE(nf_nat_initialized(ct, manip)))
+                return -EEXIST;
+        /* Make sure that L3 NAT is there by when we call nf_nat_setup_info to
+         * attach the null binding, otherwise this may oops.
+         */
+        l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
+        if (l3proto == NULL)
+                return -EAGAIN;
+        /* No NAT information has been passed, allocate the null-binding */
+        if (attr == NULL)
+                return __nf_nat_alloc_null_binding(ct, manip);
+        err = nfnetlink_parse_nat(attr, ct, &range, l3proto);
        if (err < 0)
                return err;
-        if (nf_nat_initialized(ct, manip))
-                return -EEXIST;
        return nf_nat_setup_info(ct, &range, manip);
 }
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index e8254ad2e5a9..425cf39af890 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -116,7 +116,7 @@ static void nft_meta_get_eval(const struct nft_expr *expr,
                                 skb->sk->sk_socket->file->f_cred->fsgid);
                read_unlock_bh(&skb->sk->sk_callback_lock);
                break;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        case NFT_META_RTCLASSID: {
                const struct dst_entry *dst = skb_dst(skb);
@@ -199,7 +199,7 @@ static int nft_meta_init_validate_get(uint32_t key)
        case NFT_META_OIFTYPE:
        case NFT_META_SKUID:
        case NFT_META_SKGID:
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        case NFT_META_RTCLASSID:
 #endif
 #ifdef CONFIG_NETWORK_SECMARK
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index a2aeb318678f..85daa84bfdfe 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -135,7 +135,8 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
        if (len == 0 || len > FIELD_SIZEOF(struct nft_data, data))
                return ERR_PTR(-EINVAL);
-        if (len <= 4 && IS_ALIGNED(offset, len) && base != NFT_PAYLOAD_LL_HEADER)
+        if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
+            base != NFT_PAYLOAD_LL_HEADER)
                return &nft_payload_fast_ops;
        else
                return &nft_payload_ops;
diff --git a/net/netfilter/nft_reject_inet.c b/net/netfilter/nft_reject_inet.c
index 8a310f239c93..b718a52a4654 100644
--- a/net/netfilter/nft_reject_inet.c
+++ b/net/netfilter/nft_reject_inet.c
@@ -21,9 +21,9 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
 {
        switch (pkt->ops->pf) {
        case NFPROTO_IPV4:
-                nft_reject_ipv4_eval(expr, data, pkt);
+                return nft_reject_ipv4_eval(expr, data, pkt);
        case NFPROTO_IPV6:
-                nft_reject_ipv6_eval(expr, data, pkt);
+                return nft_reject_ipv6_eval(expr, data, pkt);
        }
 }

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 3ebbbe7b6d05..5e1e6f2d98c2 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h
@@ -2725,7 +2725,7 @@ static inline void nf_reset(struct sk_buff *skb)
2725		2725
2726	static inline void nf_reset_trace(struct sk_buff *skb)	2726	static inline void nf_reset_trace(struct sk_buff *skb)
2727	{	2727	{
2728	#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)	2728	#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) \|\| defined(CONFIG_NF_TABLES)
2729	skb->nf_trace = 0;	2729	skb->nf_trace = 0;
2730	#endif	2730	#endif
2731	}	2731	}
@@ -2742,6 +2742,9 @@ static inline void __nf_copy(struct sk_buff dst, const struct sk_buff src)
2742	dst->nf_bridge = src->nf_bridge;	2742	dst->nf_bridge = src->nf_bridge;
2743	nf_bridge_get(src->nf_bridge);	2743	nf_bridge_get(src->nf_bridge);
2744	#endif	2744	#endif
		2745	#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) \|\| defined(CONFIG_NF_TABLES)
		2746	dst->nf_trace = src->nf_trace;
		2747	#endif
2745	}	2748	}
2746		2749
2747	static inline void nf_copy(struct sk_buff dst, const struct sk_buff src)	2750	static inline void nf_copy(struct sk_buff dst, const struct sk_buff src)


diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 5976ef0846bd..5d6236d9fdce 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c
@@ -707,9 +707,6 @@ static void __copy_skb_header(struct sk_buff new, const struct sk_buff old)
707	new->mark = old->mark;	707	new->mark = old->mark;
708	new->skb_iif = old->skb_iif;	708	new->skb_iif = old->skb_iif;
709	__nf_copy(new, old);	709	__nf_copy(new, old);
710	#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
711	new->nf_trace = old->nf_trace;
712	#endif
713	#ifdef CONFIG_NET_SCHED	710	#ifdef CONFIG_NET_SCHED
714	new->tc_index = old->tc_index;	711	new->tc_index = old->tc_index;
715	#ifdef CONFIG_NET_CLS_ACT	712	#ifdef CONFIG_NET_CLS_ACT


diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 8971780aec7c..73c6b63bba74 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c
@@ -422,9 +422,6 @@ static void ip_copy_metadata(struct sk_buff to, struct sk_buff from)
422	to->tc_index = from->tc_index;	422	to->tc_index = from->tc_index;
423	#endif	423	#endif
424	nf_copy(to, from);	424	nf_copy(to, from);
425	#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
426	to->nf_trace = from->nf_trace;
427	#endif
428	#if defined(CONFIG_IP_VS) \|\| defined(CONFIG_IP_VS_MODULE)	425	#if defined(CONFIG_IP_VS) \|\| defined(CONFIG_IP_VS_MODULE)
429	to->ipvs_property = from->ipvs_property;	426	to->ipvs_property = from->ipvs_property;
430	#endif	427	#endif


diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c index d551e31b416e..7c676671329d 100644 --- a/net/ipv4/netfilter/nf_nat_snmp_basic.c +++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -1198,8 +1198,8 @@ static int snmp_translate(struct nf_conn *ct,
1198	map.to = NOCT1(&ct->tuplehash[!dir].tuple.dst.u3.ip);	1198	map.to = NOCT1(&ct->tuplehash[!dir].tuple.dst.u3.ip);
1199	} else {	1199	} else {
1200	/* DNAT replies */	1200	/* DNAT replies */
1201	map.from = NOCT1(&ct->tuplehash[dir].tuple.src.u3.ip);	1201	map.from = NOCT1(&ct->tuplehash[!dir].tuple.src.u3.ip);
1202	map.to = NOCT1(&ct->tuplehash[!dir].tuple.dst.u3.ip);	1202	map.to = NOCT1(&ct->tuplehash[dir].tuple.dst.u3.ip);
1203	}	1203	}
1204		1204
1205	if (map.from == map.to)	1205	if (map.from == map.to)


diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 070a2fae2375..16f91a2e7888 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c
@@ -530,9 +530,6 @@ static void ip6_copy_metadata(struct sk_buff to, struct sk_buff from)
530	to->tc_index = from->tc_index;	530	to->tc_index = from->tc_index;
531	#endif	531	#endif
532	nf_copy(to, from);	532	nf_copy(to, from);
533	#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
534	to->nf_trace = from->nf_trace;
535	#endif
536	skb_copy_secmark(to, from);	533	skb_copy_secmark(to, from);
537	}	534	}
538		535


diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index bb322d0beb48..b9f0e0374322 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1310,27 +1310,22 @@ ctnetlink_change_status(struct nf_conn ct, const struct nlattr const cda[])
1310	}	1310	}
1311		1311
1312	static int	1312	static int
1313	ctnetlink_change_nat(struct nf_conn ct, const struct nlattr const cda[])	1313	ctnetlink_setup_nat(struct nf_conn ct, const struct nlattr const cda[])
1314	{	1314	{
1315	#ifdef CONFIG_NF_NAT_NEEDED	1315	#ifdef CONFIG_NF_NAT_NEEDED
1316	int ret;	1316	int ret;
1317		1317
1318	if (cda[CTA_NAT_DST]) {	1318	ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1319	ret = ctnetlink_parse_nat_setup(ct,	1319	cda[CTA_NAT_DST]);
1320	NF_NAT_MANIP_DST,	1320	if (ret < 0)
1321	cda[CTA_NAT_DST]);	1321	return ret;
1322	if (ret < 0)	1322
1323	return ret;	1323	ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1324	}	1324	cda[CTA_NAT_SRC]);
1325	if (cda[CTA_NAT_SRC]) {	1325	return ret;
1326	ret = ctnetlink_parse_nat_setup(ct,
1327	NF_NAT_MANIP_SRC,
1328	cda[CTA_NAT_SRC]);
1329	if (ret < 0)
1330	return ret;
1331	}
1332	return 0;
1333	#else	1326	#else
		1327	if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
		1328	return 0;
1334	return -EOPNOTSUPP;	1329	return -EOPNOTSUPP;
1335	#endif	1330	#endif
1336	}	1331	}
@@ -1659,11 +1654,9 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
1659	goto err2;	1654	goto err2;
1660	}	1655	}
1661		1656
1662	if (cda[CTA_NAT_SRC] \|\| cda[CTA_NAT_DST]) {	1657	err = ctnetlink_setup_nat(ct, cda);
1663	err = ctnetlink_change_nat(ct, cda);	1658	if (err < 0)
1664	if (err < 0)	1659	goto err2;
1665	goto err2;
1666	}
1667		1660
1668	nf_ct_acct_ext_add(ct, GFP_ATOMIC);	1661	nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1669	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);	1662	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);


diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c index d3f5cd6dd962..52ca952b802c 100644 --- a/net/netfilter/nf_nat_core.c +++ b/net/netfilter/nf_nat_core.c
@@ -432,15 +432,15 @@ nf_nat_setup_info(struct nf_conn *ct,
432	}	432	}
433	EXPORT_SYMBOL(nf_nat_setup_info);	433	EXPORT_SYMBOL(nf_nat_setup_info);
434		434
435	unsigned int	435	static unsigned int
436	nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)	436	__nf_nat_alloc_null_binding(struct nf_conn *ct, enum nf_nat_manip_type manip)
437	{	437	{
438	/* Force range to this IP; let proto decide mapping for	438	/* Force range to this IP; let proto decide mapping for
439	* per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED).	439	* per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED).
440	* Use reply in case it's already been mangled (eg local packet).	440	* Use reply in case it's already been mangled (eg local packet).
441	*/	441	*/
442	union nf_inet_addr ip =	442	union nf_inet_addr ip =
443	(HOOK2MANIP(hooknum) == NF_NAT_MANIP_SRC ?	443	(manip == NF_NAT_MANIP_SRC ?
444	ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3 :	444	ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3 :
445	ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3);	445	ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3);
446	struct nf_nat_range range = {	446	struct nf_nat_range range = {
@@ -448,7 +448,13 @@ nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
448	.min_addr = ip,	448	.min_addr = ip,
449	.max_addr = ip,	449	.max_addr = ip,
450	};	450	};
451	return nf_nat_setup_info(ct, &range, HOOK2MANIP(hooknum));	451	return nf_nat_setup_info(ct, &range, manip);
		452	}
		453
		454	unsigned int
		455	nf_nat_alloc_null_binding(struct nf_conn *ct, unsigned int hooknum)
		456	{
		457	return __nf_nat_alloc_null_binding(ct, HOOK2MANIP(hooknum));
452	}	458	}
453	EXPORT_SYMBOL_GPL(nf_nat_alloc_null_binding);	459	EXPORT_SYMBOL_GPL(nf_nat_alloc_null_binding);
454		460
@@ -702,9 +708,9 @@ static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
702		708
703	static int	709	static int
704	nfnetlink_parse_nat(const struct nlattr *nat,	710	nfnetlink_parse_nat(const struct nlattr *nat,
705	const struct nf_conn ct, struct nf_nat_range range)	711	const struct nf_conn ct, struct nf_nat_range range,
		712	const struct nf_nat_l3proto *l3proto)
706	{	713	{
707	const struct nf_nat_l3proto *l3proto;
708	struct nlattr *tb[CTA_NAT_MAX+1];	714	struct nlattr *tb[CTA_NAT_MAX+1];
709	int err;	715	int err;
710		716
@@ -714,38 +720,46 @@ nfnetlink_parse_nat(const struct nlattr *nat,
714	if (err < 0)	720	if (err < 0)
715	return err;	721	return err;
716		722
717	rcu_read_lock();
718	l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
719	if (l3proto == NULL) {
720	err = -EAGAIN;
721	goto out;
722	}
723	err = l3proto->nlattr_to_range(tb, range);	723	err = l3proto->nlattr_to_range(tb, range);
724	if (err < 0)	724	if (err < 0)
725	goto out;	725	return err;
726		726
727	if (!tb[CTA_NAT_PROTO])	727	if (!tb[CTA_NAT_PROTO])
728	goto out;	728	return 0;
729		729
730	err = nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);	730	return nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range);
731	out:
732	rcu_read_unlock();
733	return err;
734	}	731	}
735		732
		733	/* This function is called under rcu_read_lock() */
736	static int	734	static int
737	nfnetlink_parse_nat_setup(struct nf_conn *ct,	735	nfnetlink_parse_nat_setup(struct nf_conn *ct,
738	enum nf_nat_manip_type manip,	736	enum nf_nat_manip_type manip,
739	const struct nlattr *attr)	737	const struct nlattr *attr)
740	{	738	{
741	struct nf_nat_range range;	739	struct nf_nat_range range;
		740	const struct nf_nat_l3proto *l3proto;
742	int err;	741	int err;
743		742
744	err = nfnetlink_parse_nat(attr, ct, &range);	743	/* Should not happen, restricted to creating new conntracks
		744	* via ctnetlink.
		745	*/
		746	if (WARN_ON_ONCE(nf_nat_initialized(ct, manip)))
		747	return -EEXIST;
		748
		749	/* Make sure that L3 NAT is there by when we call nf_nat_setup_info to
		750	* attach the null binding, otherwise this may oops.
		751	*/
		752	l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct));
		753	if (l3proto == NULL)
		754	return -EAGAIN;
		755
		756	/* No NAT information has been passed, allocate the null-binding */
		757	if (attr == NULL)
		758	return __nf_nat_alloc_null_binding(ct, manip);
		759
		760	err = nfnetlink_parse_nat(attr, ct, &range, l3proto);
745	if (err < 0)	761	if (err < 0)
746	return err;	762	return err;
747	if (nf_nat_initialized(ct, manip))
748	return -EEXIST;
749		763
750	return nf_nat_setup_info(ct, &range, manip);	764	return nf_nat_setup_info(ct, &range, manip);
751	}	765	}


diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index e8254ad2e5a9..425cf39af890 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c
@@ -116,7 +116,7 @@ static void nft_meta_get_eval(const struct nft_expr *expr,
116	skb->sk->sk_socket->file->f_cred->fsgid);	116	skb->sk->sk_socket->file->f_cred->fsgid);
117	read_unlock_bh(&skb->sk->sk_callback_lock);	117	read_unlock_bh(&skb->sk->sk_callback_lock);
118	break;	118	break;
119	#ifdef CONFIG_NET_CLS_ROUTE	119	#ifdef CONFIG_IP_ROUTE_CLASSID
120	case NFT_META_RTCLASSID: {	120	case NFT_META_RTCLASSID: {
121	const struct dst_entry *dst = skb_dst(skb);	121	const struct dst_entry *dst = skb_dst(skb);
122		122
@@ -199,7 +199,7 @@ static int nft_meta_init_validate_get(uint32_t key)
199	case NFT_META_OIFTYPE:	199	case NFT_META_OIFTYPE:
200	case NFT_META_SKUID:	200	case NFT_META_SKUID:
201	case NFT_META_SKGID:	201	case NFT_META_SKGID:
202	#ifdef CONFIG_NET_CLS_ROUTE	202	#ifdef CONFIG_IP_ROUTE_CLASSID
203	case NFT_META_RTCLASSID:	203	case NFT_META_RTCLASSID:
204	#endif	204	#endif
205	#ifdef CONFIG_NETWORK_SECMARK	205	#ifdef CONFIG_NETWORK_SECMARK


diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c index a2aeb318678f..85daa84bfdfe 100644 --- a/net/netfilter/nft_payload.c +++ b/net/netfilter/nft_payload.c
@@ -135,7 +135,8 @@ nft_payload_select_ops(const struct nft_ctx *ctx,
135	if (len == 0 \|\| len > FIELD_SIZEOF(struct nft_data, data))	135	if (len == 0 \|\| len > FIELD_SIZEOF(struct nft_data, data))
136	return ERR_PTR(-EINVAL);	136	return ERR_PTR(-EINVAL);
137		137
138	if (len <= 4 && IS_ALIGNED(offset, len) && base != NFT_PAYLOAD_LL_HEADER)	138	if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
		139	base != NFT_PAYLOAD_LL_HEADER)
139	return &nft_payload_fast_ops;	140	return &nft_payload_fast_ops;
140	else	141	else
141	return &nft_payload_ops;	142	return &nft_payload_ops;


diff --git a/net/netfilter/nft_reject_inet.c b/net/netfilter/nft_reject_inet.c index 8a310f239c93..b718a52a4654 100644 --- a/net/netfilter/nft_reject_inet.c +++ b/net/netfilter/nft_reject_inet.c
@@ -21,9 +21,9 @@ static void nft_reject_inet_eval(const struct nft_expr *expr,
21	{	21	{
22	switch (pkt->ops->pf) {	22	switch (pkt->ops->pf) {
23	case NFPROTO_IPV4:	23	case NFPROTO_IPV4:
24	nft_reject_ipv4_eval(expr, data, pkt);	24	return nft_reject_ipv4_eval(expr, data, pkt);
25	case NFPROTO_IPV6:	25	case NFPROTO_IPV6:
26	nft_reject_ipv6_eval(expr, data, pkt);	26	return nft_reject_ipv6_eval(expr, data, pkt);
27	}	27	}
28	}	28	}
29		29