diff options
-rw-r--r-- | include/linux/netfilter/nfnetlink.h | 12 | ||||
-rw-r--r-- | include/linux/netfilter/nfnetlink_conntrack.h | 15 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ip_conntrack.h | 8 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ip_conntrack_protocol.h | 3 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ip_conntrack_tuple.h | 2 | ||||
-rw-r--r-- | include/linux/netfilter_ipv4/ip_nat.h | 4 | ||||
-rw-r--r-- | include/linux/netpoll.h | 2 | ||||
-rw-r--r-- | include/net/inet_timewait_sock.h | 3 | ||||
-rw-r--r-- | net/bridge/br_if.c | 2 | ||||
-rw-r--r-- | net/dccp/ccid.h | 4 | ||||
-rw-r--r-- | net/dccp/input.c | 6 | ||||
-rw-r--r-- | net/ipv4/esp4.c | 17 | ||||
-rw-r--r-- | net/ipv4/inet_timewait_sock.c | 1 | ||||
-rw-r--r-- | net/ipv4/netfilter/Kconfig | 8 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_core.c | 13 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_netlink.c | 48 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_icmp.c | 3 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 27 | ||||
-rw-r--r-- | net/ipv4/tcp_output.c | 9 | ||||
-rw-r--r-- | net/ipv6/esp6.c | 18 | ||||
-rw-r--r-- | net/netfilter/nfnetlink.c | 4 |
21 files changed, 159 insertions, 50 deletions
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 1d5b10ae2399..f08e870100f4 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h | |||
@@ -41,11 +41,15 @@ enum nfnetlink_groups { | |||
41 | struct nfattr | 41 | struct nfattr |
42 | { | 42 | { |
43 | u_int16_t nfa_len; | 43 | u_int16_t nfa_len; |
44 | u_int16_t nfa_type; | 44 | u_int16_t nfa_type; /* we use 15 bits for the type, and the highest |
45 | * bit to indicate whether the payload is nested */ | ||
45 | } __attribute__ ((packed)); | 46 | } __attribute__ ((packed)); |
46 | 47 | ||
47 | /* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time | 48 | /* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from |
48 | * to put this in a generic file */ | 49 | * rtnetlink.h, it's time to put this in a generic file */ |
50 | |||
51 | #define NFNL_NFA_NEST 0x8000 | ||
52 | #define NFA_TYPE(attr) ((attr)->nfa_type & 0x7fff) | ||
49 | 53 | ||
50 | #define NFA_ALIGNTO 4 | 54 | #define NFA_ALIGNTO 4 |
51 | #define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1)) | 55 | #define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1)) |
@@ -59,7 +63,7 @@ struct nfattr | |||
59 | #define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0)) | 63 | #define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0)) |
60 | #define NFA_NEST(skb, type) \ | 64 | #define NFA_NEST(skb, type) \ |
61 | ({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \ | 65 | ({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \ |
62 | NFA_PUT(skb, type, 0, NULL); \ | 66 | NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \ |
63 | __start; }) | 67 | __start; }) |
64 | #define NFA_NEST_END(skb, start) \ | 68 | #define NFA_NEST_END(skb, start) \ |
65 | ({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \ | 69 | ({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \ |
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index 5c55751c78e4..116fcaced909 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h | |||
@@ -70,15 +70,24 @@ enum ctattr_l4proto { | |||
70 | 70 | ||
71 | enum ctattr_protoinfo { | 71 | enum ctattr_protoinfo { |
72 | CTA_PROTOINFO_UNSPEC, | 72 | CTA_PROTOINFO_UNSPEC, |
73 | CTA_PROTOINFO_TCP_STATE, | 73 | CTA_PROTOINFO_TCP, |
74 | __CTA_PROTOINFO_MAX | 74 | __CTA_PROTOINFO_MAX |
75 | }; | 75 | }; |
76 | #define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1) | 76 | #define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1) |
77 | 77 | ||
78 | enum ctattr_protoinfo_tcp { | ||
79 | CTA_PROTOINFO_TCP_UNSPEC, | ||
80 | CTA_PROTOINFO_TCP_STATE, | ||
81 | __CTA_PROTOINFO_TCP_MAX | ||
82 | }; | ||
83 | #define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1) | ||
84 | |||
78 | enum ctattr_counters { | 85 | enum ctattr_counters { |
79 | CTA_COUNTERS_UNSPEC, | 86 | CTA_COUNTERS_UNSPEC, |
80 | CTA_COUNTERS_PACKETS, | 87 | CTA_COUNTERS_PACKETS, /* old 64bit counters */ |
81 | CTA_COUNTERS_BYTES, | 88 | CTA_COUNTERS_BYTES, /* old 64bit counters */ |
89 | CTA_COUNTERS32_PACKETS, | ||
90 | CTA_COUNTERS32_BYTES, | ||
82 | __CTA_COUNTERS_MAX | 91 | __CTA_COUNTERS_MAX |
83 | }; | 92 | }; |
84 | #define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1) | 93 | #define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1) |
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h index 4ced38736813..d078bb91d9e5 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack.h +++ b/include/linux/netfilter_ipv4/ip_conntrack.h | |||
@@ -117,6 +117,10 @@ enum ip_conntrack_events | |||
117 | /* NAT info */ | 117 | /* NAT info */ |
118 | IPCT_NATINFO_BIT = 10, | 118 | IPCT_NATINFO_BIT = 10, |
119 | IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), | 119 | IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), |
120 | |||
121 | /* Counter highest bit has been set */ | ||
122 | IPCT_COUNTER_FILLING_BIT = 11, | ||
123 | IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT), | ||
120 | }; | 124 | }; |
121 | 125 | ||
122 | enum ip_conntrack_expect_events { | 126 | enum ip_conntrack_expect_events { |
@@ -192,8 +196,8 @@ do { \ | |||
192 | 196 | ||
193 | struct ip_conntrack_counter | 197 | struct ip_conntrack_counter |
194 | { | 198 | { |
195 | u_int64_t packets; | 199 | u_int32_t packets; |
196 | u_int64_t bytes; | 200 | u_int32_t bytes; |
197 | }; | 201 | }; |
198 | 202 | ||
199 | struct ip_conntrack_helper; | 203 | struct ip_conntrack_helper; |
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h index b6b99be8632a..2c76b879e3dc 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h +++ b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h | |||
@@ -52,6 +52,9 @@ struct ip_conntrack_protocol | |||
52 | int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa, | 52 | int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa, |
53 | const struct ip_conntrack *ct); | 53 | const struct ip_conntrack *ct); |
54 | 54 | ||
55 | /* convert nfnetlink attributes to protoinfo */ | ||
56 | int (*from_nfattr)(struct nfattr *tb[], struct ip_conntrack *ct); | ||
57 | |||
55 | int (*tuple_to_nfattr)(struct sk_buff *skb, | 58 | int (*tuple_to_nfattr)(struct sk_buff *skb, |
56 | const struct ip_conntrack_tuple *t); | 59 | const struct ip_conntrack_tuple *t); |
57 | int (*nfattr_to_tuple)(struct nfattr *tb[], | 60 | int (*nfattr_to_tuple)(struct nfattr *tb[], |
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h index 20e43f018b7c..3232db11a4e5 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h +++ b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h | |||
@@ -1,6 +1,8 @@ | |||
1 | #ifndef _IP_CONNTRACK_TUPLE_H | 1 | #ifndef _IP_CONNTRACK_TUPLE_H |
2 | #define _IP_CONNTRACK_TUPLE_H | 2 | #define _IP_CONNTRACK_TUPLE_H |
3 | 3 | ||
4 | #include <linux/types.h> | ||
5 | |||
4 | /* A `tuple' is a structure containing the information to uniquely | 6 | /* A `tuple' is a structure containing the information to uniquely |
5 | identify a connection. ie. if two packets have the same tuple, they | 7 | identify a connection. ie. if two packets have the same tuple, they |
6 | are in the same connection; if not, they are not. | 8 | are in the same connection; if not, they are not. |
diff --git a/include/linux/netfilter_ipv4/ip_nat.h b/include/linux/netfilter_ipv4/ip_nat.h index e201ec6e9905..41a107de17cf 100644 --- a/include/linux/netfilter_ipv4/ip_nat.h +++ b/include/linux/netfilter_ipv4/ip_nat.h | |||
@@ -58,10 +58,6 @@ extern rwlock_t ip_nat_lock; | |||
58 | struct ip_nat_info | 58 | struct ip_nat_info |
59 | { | 59 | { |
60 | struct list_head bysource; | 60 | struct list_head bysource; |
61 | |||
62 | /* Helper (NULL if none). */ | ||
63 | struct ip_nat_helper *helper; | ||
64 | |||
65 | struct ip_nat_seq seq[IP_CT_DIR_MAX]; | 61 | struct ip_nat_seq seq[IP_CT_DIR_MAX]; |
66 | }; | 62 | }; |
67 | 63 | ||
diff --git a/include/linux/netpoll.h b/include/linux/netpoll.h index 5ade54a78dbb..ca5a8733000f 100644 --- a/include/linux/netpoll.h +++ b/include/linux/netpoll.h | |||
@@ -86,7 +86,7 @@ static inline void netpoll_poll_unlock(void *have) | |||
86 | 86 | ||
87 | #else | 87 | #else |
88 | #define netpoll_rx(a) 0 | 88 | #define netpoll_rx(a) 0 |
89 | #define netpoll_poll_lock(a) 0 | 89 | #define netpoll_poll_lock(a) NULL |
90 | #define netpoll_poll_unlock(a) | 90 | #define netpoll_poll_unlock(a) |
91 | #endif | 91 | #endif |
92 | 92 | ||
diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h index 4ade56ef3a4d..28f7b2103505 100644 --- a/include/net/inet_timewait_sock.h +++ b/include/net/inet_timewait_sock.h | |||
@@ -19,6 +19,7 @@ | |||
19 | 19 | ||
20 | #include <linux/ip.h> | 20 | #include <linux/ip.h> |
21 | #include <linux/list.h> | 21 | #include <linux/list.h> |
22 | #include <linux/module.h> | ||
22 | #include <linux/timer.h> | 23 | #include <linux/timer.h> |
23 | #include <linux/types.h> | 24 | #include <linux/types.h> |
24 | #include <linux/workqueue.h> | 25 | #include <linux/workqueue.h> |
@@ -193,11 +194,13 @@ static inline u32 inet_rcv_saddr(const struct sock *sk) | |||
193 | static inline void inet_twsk_put(struct inet_timewait_sock *tw) | 194 | static inline void inet_twsk_put(struct inet_timewait_sock *tw) |
194 | { | 195 | { |
195 | if (atomic_dec_and_test(&tw->tw_refcnt)) { | 196 | if (atomic_dec_and_test(&tw->tw_refcnt)) { |
197 | struct module *owner = tw->tw_prot->owner; | ||
196 | #ifdef SOCK_REFCNT_DEBUG | 198 | #ifdef SOCK_REFCNT_DEBUG |
197 | printk(KERN_DEBUG "%s timewait_sock %p released\n", | 199 | printk(KERN_DEBUG "%s timewait_sock %p released\n", |
198 | tw->tw_prot->name, tw); | 200 | tw->tw_prot->name, tw); |
199 | #endif | 201 | #endif |
200 | kmem_cache_free(tw->tw_prot->twsk_slab, tw); | 202 | kmem_cache_free(tw->tw_prot->twsk_slab, tw); |
203 | module_put(owner); | ||
201 | } | 204 | } |
202 | } | 205 | } |
203 | 206 | ||
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c index 91bb895375f4..defcf6a8607c 100644 --- a/net/bridge/br_if.c +++ b/net/bridge/br_if.c | |||
@@ -79,7 +79,6 @@ static void destroy_nbp(struct net_bridge_port *p) | |||
79 | { | 79 | { |
80 | struct net_device *dev = p->dev; | 80 | struct net_device *dev = p->dev; |
81 | 81 | ||
82 | dev->br_port = NULL; | ||
83 | p->br = NULL; | 82 | p->br = NULL; |
84 | p->dev = NULL; | 83 | p->dev = NULL; |
85 | dev_put(dev); | 84 | dev_put(dev); |
@@ -100,6 +99,7 @@ static void del_nbp(struct net_bridge_port *p) | |||
100 | struct net_bridge *br = p->br; | 99 | struct net_bridge *br = p->br; |
101 | struct net_device *dev = p->dev; | 100 | struct net_device *dev = p->dev; |
102 | 101 | ||
102 | dev->br_port = NULL; | ||
103 | dev_set_promiscuity(dev, -1); | 103 | dev_set_promiscuity(dev, -1); |
104 | 104 | ||
105 | spin_lock_bh(&br->lock); | 105 | spin_lock_bh(&br->lock); |
diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h index 21e55142dcd3..c37eeeaf5c6e 100644 --- a/net/dccp/ccid.h +++ b/net/dccp/ccid.h | |||
@@ -110,14 +110,14 @@ static inline int ccid_hc_tx_init(struct ccid *ccid, struct sock *sk) | |||
110 | 110 | ||
111 | static inline void ccid_hc_rx_exit(struct ccid *ccid, struct sock *sk) | 111 | static inline void ccid_hc_rx_exit(struct ccid *ccid, struct sock *sk) |
112 | { | 112 | { |
113 | if (ccid->ccid_hc_rx_exit != NULL && | 113 | if (ccid != NULL && ccid->ccid_hc_rx_exit != NULL && |
114 | dccp_sk(sk)->dccps_hc_rx_ccid_private != NULL) | 114 | dccp_sk(sk)->dccps_hc_rx_ccid_private != NULL) |
115 | ccid->ccid_hc_rx_exit(sk); | 115 | ccid->ccid_hc_rx_exit(sk); |
116 | } | 116 | } |
117 | 117 | ||
118 | static inline void ccid_hc_tx_exit(struct ccid *ccid, struct sock *sk) | 118 | static inline void ccid_hc_tx_exit(struct ccid *ccid, struct sock *sk) |
119 | { | 119 | { |
120 | if (ccid->ccid_hc_tx_exit != NULL && | 120 | if (ccid != NULL && ccid->ccid_hc_tx_exit != NULL && |
121 | dccp_sk(sk)->dccps_hc_tx_ccid_private != NULL) | 121 | dccp_sk(sk)->dccps_hc_tx_ccid_private != NULL) |
122 | ccid->ccid_hc_tx_exit(sk); | 122 | ccid->ccid_hc_tx_exit(sk); |
123 | } | 123 | } |
diff --git a/net/dccp/input.c b/net/dccp/input.c index 1b6b2cb12376..3454d5941900 100644 --- a/net/dccp/input.c +++ b/net/dccp/input.c | |||
@@ -375,6 +375,9 @@ static int dccp_rcv_respond_partopen_state_process(struct sock *sk, | |||
375 | case DCCP_PKT_RESET: | 375 | case DCCP_PKT_RESET: |
376 | inet_csk_clear_xmit_timer(sk, ICSK_TIME_DACK); | 376 | inet_csk_clear_xmit_timer(sk, ICSK_TIME_DACK); |
377 | break; | 377 | break; |
378 | case DCCP_PKT_DATA: | ||
379 | if (sk->sk_state == DCCP_RESPOND) | ||
380 | break; | ||
378 | case DCCP_PKT_DATAACK: | 381 | case DCCP_PKT_DATAACK: |
379 | case DCCP_PKT_ACK: | 382 | case DCCP_PKT_ACK: |
380 | /* | 383 | /* |
@@ -393,7 +396,8 @@ static int dccp_rcv_respond_partopen_state_process(struct sock *sk, | |||
393 | dccp_sk(sk)->dccps_osr = DCCP_SKB_CB(skb)->dccpd_seq; | 396 | dccp_sk(sk)->dccps_osr = DCCP_SKB_CB(skb)->dccpd_seq; |
394 | dccp_set_state(sk, DCCP_OPEN); | 397 | dccp_set_state(sk, DCCP_OPEN); |
395 | 398 | ||
396 | if (dh->dccph_type == DCCP_PKT_DATAACK) { | 399 | if (dh->dccph_type == DCCP_PKT_DATAACK || |
400 | dh->dccph_type == DCCP_PKT_DATA) { | ||
397 | dccp_rcv_established(sk, skb, dh, len); | 401 | dccp_rcv_established(sk, skb, dh, len); |
398 | queued = 1; /* packet was queued | 402 | queued = 1; /* packet was queued |
399 | (by dccp_rcv_established) */ | 403 | (by dccp_rcv_established) */ |
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 1b5a09d1b90b..1b18ce66e7b7 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c | |||
@@ -5,6 +5,7 @@ | |||
5 | #include <net/esp.h> | 5 | #include <net/esp.h> |
6 | #include <asm/scatterlist.h> | 6 | #include <asm/scatterlist.h> |
7 | #include <linux/crypto.h> | 7 | #include <linux/crypto.h> |
8 | #include <linux/kernel.h> | ||
8 | #include <linux/pfkeyv2.h> | 9 | #include <linux/pfkeyv2.h> |
9 | #include <linux/random.h> | 10 | #include <linux/random.h> |
10 | #include <net/icmp.h> | 11 | #include <net/icmp.h> |
@@ -42,10 +43,10 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) | |||
42 | esp = x->data; | 43 | esp = x->data; |
43 | alen = esp->auth.icv_trunc_len; | 44 | alen = esp->auth.icv_trunc_len; |
44 | tfm = esp->conf.tfm; | 45 | tfm = esp->conf.tfm; |
45 | blksize = (crypto_tfm_alg_blocksize(tfm) + 3) & ~3; | 46 | blksize = ALIGN(crypto_tfm_alg_blocksize(tfm), 4); |
46 | clen = (clen + 2 + blksize-1)&~(blksize-1); | 47 | clen = ALIGN(clen + 2, blksize); |
47 | if (esp->conf.padlen) | 48 | if (esp->conf.padlen) |
48 | clen = (clen + esp->conf.padlen-1)&~(esp->conf.padlen-1); | 49 | clen = ALIGN(clen, esp->conf.padlen); |
49 | 50 | ||
50 | if ((nfrags = skb_cow_data(skb, clen-skb->len+alen, &trailer)) < 0) | 51 | if ((nfrags = skb_cow_data(skb, clen-skb->len+alen, &trailer)) < 0) |
51 | goto error; | 52 | goto error; |
@@ -143,7 +144,7 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc | |||
143 | struct ip_esp_hdr *esph; | 144 | struct ip_esp_hdr *esph; |
144 | struct esp_data *esp = x->data; | 145 | struct esp_data *esp = x->data; |
145 | struct sk_buff *trailer; | 146 | struct sk_buff *trailer; |
146 | int blksize = crypto_tfm_alg_blocksize(esp->conf.tfm); | 147 | int blksize = ALIGN(crypto_tfm_alg_blocksize(esp->conf.tfm), 4); |
147 | int alen = esp->auth.icv_trunc_len; | 148 | int alen = esp->auth.icv_trunc_len; |
148 | int elen = skb->len - sizeof(struct ip_esp_hdr) - esp->conf.ivlen - alen; | 149 | int elen = skb->len - sizeof(struct ip_esp_hdr) - esp->conf.ivlen - alen; |
149 | int nfrags; | 150 | int nfrags; |
@@ -304,16 +305,16 @@ static int esp_post_input(struct xfrm_state *x, struct xfrm_decap_state *decap, | |||
304 | static u32 esp4_get_max_size(struct xfrm_state *x, int mtu) | 305 | static u32 esp4_get_max_size(struct xfrm_state *x, int mtu) |
305 | { | 306 | { |
306 | struct esp_data *esp = x->data; | 307 | struct esp_data *esp = x->data; |
307 | u32 blksize = crypto_tfm_alg_blocksize(esp->conf.tfm); | 308 | u32 blksize = ALIGN(crypto_tfm_alg_blocksize(esp->conf.tfm), 4); |
308 | 309 | ||
309 | if (x->props.mode) { | 310 | if (x->props.mode) { |
310 | mtu = (mtu + 2 + blksize-1)&~(blksize-1); | 311 | mtu = ALIGN(mtu + 2, blksize); |
311 | } else { | 312 | } else { |
312 | /* The worst case. */ | 313 | /* The worst case. */ |
313 | mtu += 2 + blksize; | 314 | mtu = ALIGN(mtu + 2, 4) + blksize - 4; |
314 | } | 315 | } |
315 | if (esp->conf.padlen) | 316 | if (esp->conf.padlen) |
316 | mtu = (mtu + esp->conf.padlen-1)&~(esp->conf.padlen-1); | 317 | mtu = ALIGN(mtu, esp->conf.padlen); |
317 | 318 | ||
318 | return mtu + x->props.header_len + esp->auth.icv_trunc_len; | 319 | return mtu + x->props.header_len + esp->auth.icv_trunc_len; |
319 | } | 320 | } |
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c index f9076ef3a1a8..a010e9a68811 100644 --- a/net/ipv4/inet_timewait_sock.c +++ b/net/ipv4/inet_timewait_sock.c | |||
@@ -111,6 +111,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, const int stat | |||
111 | tw->tw_prot = sk->sk_prot_creator; | 111 | tw->tw_prot = sk->sk_prot_creator; |
112 | atomic_set(&tw->tw_refcnt, 1); | 112 | atomic_set(&tw->tw_refcnt, 1); |
113 | inet_twsk_dead_node_init(tw); | 113 | inet_twsk_dead_node_init(tw); |
114 | __module_get(tw->tw_prot->owner); | ||
114 | } | 115 | } |
115 | 116 | ||
116 | return tw; | 117 | return tw; |
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index a7659728e7a0..7d917e4ce1d9 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
@@ -139,6 +139,7 @@ config IP_NF_AMANDA | |||
139 | 139 | ||
140 | config IP_NF_PPTP | 140 | config IP_NF_PPTP |
141 | tristate 'PPTP protocol support' | 141 | tristate 'PPTP protocol support' |
142 | depends on IP_NF_CONNTRACK | ||
142 | help | 143 | help |
143 | This module adds support for PPTP (Point to Point Tunnelling | 144 | This module adds support for PPTP (Point to Point Tunnelling |
144 | Protocol, RFC2637) connection tracking and NAT. | 145 | Protocol, RFC2637) connection tracking and NAT. |
@@ -498,9 +499,14 @@ config IP_NF_TARGET_LOG | |||
498 | To compile it as a module, choose M here. If unsure, say N. | 499 | To compile it as a module, choose M here. If unsure, say N. |
499 | 500 | ||
500 | config IP_NF_TARGET_ULOG | 501 | config IP_NF_TARGET_ULOG |
501 | tristate "ULOG target support" | 502 | tristate "ULOG target support (OBSOLETE)" |
502 | depends on IP_NF_IPTABLES | 503 | depends on IP_NF_IPTABLES |
503 | ---help--- | 504 | ---help--- |
505 | |||
506 | This option enables the old IPv4-only "ipt_ULOG" implementation | ||
507 | which has been obsoleted by the new "nfnetlink_log" code (see | ||
508 | CONFIG_NETFILTER_NETLINK_LOG). | ||
509 | |||
504 | This option adds a `ULOG' target, which allows you to create rules in | 510 | This option adds a `ULOG' target, which allows you to create rules in |
505 | any iptables table. The packet is passed to a userspace logging | 511 | any iptables table. The packet is passed to a userspace logging |
506 | daemon using netlink multicast sockets; unlike the LOG target | 512 | daemon using netlink multicast sockets; unlike the LOG target |
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c index ea65dd3e517a..07a80b56e8dc 100644 --- a/net/ipv4/netfilter/ip_conntrack_core.c +++ b/net/ipv4/netfilter/ip_conntrack_core.c | |||
@@ -1119,7 +1119,7 @@ void __ip_ct_refresh_acct(struct ip_conntrack *ct, | |||
1119 | unsigned long extra_jiffies, | 1119 | unsigned long extra_jiffies, |
1120 | int do_acct) | 1120 | int do_acct) |
1121 | { | 1121 | { |
1122 | int do_event = 0; | 1122 | int event = 0; |
1123 | 1123 | ||
1124 | IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct); | 1124 | IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct); |
1125 | IP_NF_ASSERT(skb); | 1125 | IP_NF_ASSERT(skb); |
@@ -1129,13 +1129,13 @@ void __ip_ct_refresh_acct(struct ip_conntrack *ct, | |||
1129 | /* If not in hash table, timer will not be active yet */ | 1129 | /* If not in hash table, timer will not be active yet */ |
1130 | if (!is_confirmed(ct)) { | 1130 | if (!is_confirmed(ct)) { |
1131 | ct->timeout.expires = extra_jiffies; | 1131 | ct->timeout.expires = extra_jiffies; |
1132 | do_event = 1; | 1132 | event = IPCT_REFRESH; |
1133 | } else { | 1133 | } else { |
1134 | /* Need del_timer for race avoidance (may already be dying). */ | 1134 | /* Need del_timer for race avoidance (may already be dying). */ |
1135 | if (del_timer(&ct->timeout)) { | 1135 | if (del_timer(&ct->timeout)) { |
1136 | ct->timeout.expires = jiffies + extra_jiffies; | 1136 | ct->timeout.expires = jiffies + extra_jiffies; |
1137 | add_timer(&ct->timeout); | 1137 | add_timer(&ct->timeout); |
1138 | do_event = 1; | 1138 | event = IPCT_REFRESH; |
1139 | } | 1139 | } |
1140 | } | 1140 | } |
1141 | 1141 | ||
@@ -1144,14 +1144,17 @@ void __ip_ct_refresh_acct(struct ip_conntrack *ct, | |||
1144 | ct->counters[CTINFO2DIR(ctinfo)].packets++; | 1144 | ct->counters[CTINFO2DIR(ctinfo)].packets++; |
1145 | ct->counters[CTINFO2DIR(ctinfo)].bytes += | 1145 | ct->counters[CTINFO2DIR(ctinfo)].bytes += |
1146 | ntohs(skb->nh.iph->tot_len); | 1146 | ntohs(skb->nh.iph->tot_len); |
1147 | if ((ct->counters[CTINFO2DIR(ctinfo)].packets & 0x80000000) | ||
1148 | || (ct->counters[CTINFO2DIR(ctinfo)].bytes & 0x80000000)) | ||
1149 | event |= IPCT_COUNTER_FILLING; | ||
1147 | } | 1150 | } |
1148 | #endif | 1151 | #endif |
1149 | 1152 | ||
1150 | write_unlock_bh(&ip_conntrack_lock); | 1153 | write_unlock_bh(&ip_conntrack_lock); |
1151 | 1154 | ||
1152 | /* must be unlocked when calling event cache */ | 1155 | /* must be unlocked when calling event cache */ |
1153 | if (do_event) | 1156 | if (event) |
1154 | ip_conntrack_event_cache(IPCT_REFRESH, skb); | 1157 | ip_conntrack_event_cache(event, skb); |
1155 | } | 1158 | } |
1156 | 1159 | ||
1157 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | 1160 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ |
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c index b08a432efcf8..166e6069f121 100644 --- a/net/ipv4/netfilter/ip_conntrack_netlink.c +++ b/net/ipv4/netfilter/ip_conntrack_netlink.c | |||
@@ -177,11 +177,11 @@ ctnetlink_dump_counters(struct sk_buff *skb, const struct ip_conntrack *ct, | |||
177 | struct nfattr *nest_count = NFA_NEST(skb, type); | 177 | struct nfattr *nest_count = NFA_NEST(skb, type); |
178 | u_int64_t tmp; | 178 | u_int64_t tmp; |
179 | 179 | ||
180 | tmp = cpu_to_be64(ct->counters[dir].packets); | 180 | tmp = htonl(ct->counters[dir].packets); |
181 | NFA_PUT(skb, CTA_COUNTERS_PACKETS, sizeof(u_int64_t), &tmp); | 181 | NFA_PUT(skb, CTA_COUNTERS32_PACKETS, sizeof(u_int32_t), &tmp); |
182 | 182 | ||
183 | tmp = cpu_to_be64(ct->counters[dir].bytes); | 183 | tmp = htonl(ct->counters[dir].bytes); |
184 | NFA_PUT(skb, CTA_COUNTERS_BYTES, sizeof(u_int64_t), &tmp); | 184 | NFA_PUT(skb, CTA_COUNTERS32_BYTES, sizeof(u_int32_t), &tmp); |
185 | 185 | ||
186 | NFA_NEST_END(skb, nest_count); | 186 | NFA_NEST_END(skb, nest_count); |
187 | 187 | ||
@@ -833,7 +833,8 @@ out: | |||
833 | static inline int | 833 | static inline int |
834 | ctnetlink_change_status(struct ip_conntrack *ct, struct nfattr *cda[]) | 834 | ctnetlink_change_status(struct ip_conntrack *ct, struct nfattr *cda[]) |
835 | { | 835 | { |
836 | unsigned long d, status = *(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1]); | 836 | unsigned long d; |
837 | unsigned status = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1])); | ||
837 | d = ct->status ^ status; | 838 | d = ct->status ^ status; |
838 | 839 | ||
839 | if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) | 840 | if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) |
@@ -948,6 +949,31 @@ ctnetlink_change_timeout(struct ip_conntrack *ct, struct nfattr *cda[]) | |||
948 | return 0; | 949 | return 0; |
949 | } | 950 | } |
950 | 951 | ||
952 | static inline int | ||
953 | ctnetlink_change_protoinfo(struct ip_conntrack *ct, struct nfattr *cda[]) | ||
954 | { | ||
955 | struct nfattr *tb[CTA_PROTOINFO_MAX], *attr = cda[CTA_PROTOINFO-1]; | ||
956 | struct ip_conntrack_protocol *proto; | ||
957 | u_int16_t npt = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum; | ||
958 | int err = 0; | ||
959 | |||
960 | if (nfattr_parse_nested(tb, CTA_PROTOINFO_MAX, attr) < 0) | ||
961 | goto nfattr_failure; | ||
962 | |||
963 | proto = ip_conntrack_proto_find_get(npt); | ||
964 | if (!proto) | ||
965 | return -EINVAL; | ||
966 | |||
967 | if (proto->from_nfattr) | ||
968 | err = proto->from_nfattr(tb, ct); | ||
969 | ip_conntrack_proto_put(proto); | ||
970 | |||
971 | return err; | ||
972 | |||
973 | nfattr_failure: | ||
974 | return -ENOMEM; | ||
975 | } | ||
976 | |||
951 | static int | 977 | static int |
952 | ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[]) | 978 | ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[]) |
953 | { | 979 | { |
@@ -973,6 +999,12 @@ ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[]) | |||
973 | return err; | 999 | return err; |
974 | } | 1000 | } |
975 | 1001 | ||
1002 | if (cda[CTA_PROTOINFO-1]) { | ||
1003 | err = ctnetlink_change_protoinfo(ct, cda); | ||
1004 | if (err < 0) | ||
1005 | return err; | ||
1006 | } | ||
1007 | |||
976 | DEBUGP("all done\n"); | 1008 | DEBUGP("all done\n"); |
977 | return 0; | 1009 | return 0; |
978 | } | 1010 | } |
@@ -1002,6 +1034,12 @@ ctnetlink_create_conntrack(struct nfattr *cda[], | |||
1002 | if (err < 0) | 1034 | if (err < 0) |
1003 | goto err; | 1035 | goto err; |
1004 | 1036 | ||
1037 | if (cda[CTA_PROTOINFO-1]) { | ||
1038 | err = ctnetlink_change_protoinfo(ct, cda); | ||
1039 | if (err < 0) | ||
1040 | return err; | ||
1041 | } | ||
1042 | |||
1005 | ct->helper = ip_conntrack_helper_find_get(rtuple); | 1043 | ct->helper = ip_conntrack_helper_find_get(rtuple); |
1006 | 1044 | ||
1007 | add_timer(&ct->timeout); | 1045 | add_timer(&ct->timeout); |
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c index 838d1d69b36e..98f0015dd255 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c | |||
@@ -296,8 +296,7 @@ static int icmp_nfattr_to_tuple(struct nfattr *tb[], | |||
296 | struct ip_conntrack_tuple *tuple) | 296 | struct ip_conntrack_tuple *tuple) |
297 | { | 297 | { |
298 | if (!tb[CTA_PROTO_ICMP_TYPE-1] | 298 | if (!tb[CTA_PROTO_ICMP_TYPE-1] |
299 | || !tb[CTA_PROTO_ICMP_CODE-1] | 299 | || !tb[CTA_PROTO_ICMP_CODE-1]) |
300 | || !tb[CTA_PROTO_ICMP_ID-1]) | ||
301 | return -1; | 300 | return -1; |
302 | 301 | ||
303 | tuple->dst.u.icmp.type = | 302 | tuple->dst.u.icmp.type = |
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c index 121760d6cc50..d6701cafbcc2 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c | |||
@@ -341,17 +341,43 @@ static int tcp_print_conntrack(struct seq_file *s, | |||
341 | static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa, | 341 | static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa, |
342 | const struct ip_conntrack *ct) | 342 | const struct ip_conntrack *ct) |
343 | { | 343 | { |
344 | struct nfattr *nest_parms = NFA_NEST(skb, CTA_PROTOINFO_TCP); | ||
345 | |||
344 | read_lock_bh(&tcp_lock); | 346 | read_lock_bh(&tcp_lock); |
345 | NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t), | 347 | NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t), |
346 | &ct->proto.tcp.state); | 348 | &ct->proto.tcp.state); |
347 | read_unlock_bh(&tcp_lock); | 349 | read_unlock_bh(&tcp_lock); |
348 | 350 | ||
351 | NFA_NEST_END(skb, nest_parms); | ||
352 | |||
349 | return 0; | 353 | return 0; |
350 | 354 | ||
351 | nfattr_failure: | 355 | nfattr_failure: |
352 | read_unlock_bh(&tcp_lock); | 356 | read_unlock_bh(&tcp_lock); |
353 | return -1; | 357 | return -1; |
354 | } | 358 | } |
359 | |||
360 | static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct) | ||
361 | { | ||
362 | struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1]; | ||
363 | struct nfattr *tb[CTA_PROTOINFO_TCP_MAX]; | ||
364 | |||
365 | if (nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr) < 0) | ||
366 | goto nfattr_failure; | ||
367 | |||
368 | if (!tb[CTA_PROTOINFO_TCP_STATE-1]) | ||
369 | return -EINVAL; | ||
370 | |||
371 | write_lock_bh(&tcp_lock); | ||
372 | ct->proto.tcp.state = | ||
373 | *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); | ||
374 | write_unlock_bh(&tcp_lock); | ||
375 | |||
376 | return 0; | ||
377 | |||
378 | nfattr_failure: | ||
379 | return -1; | ||
380 | } | ||
355 | #endif | 381 | #endif |
356 | 382 | ||
357 | static unsigned int get_conntrack_index(const struct tcphdr *tcph) | 383 | static unsigned int get_conntrack_index(const struct tcphdr *tcph) |
@@ -1123,6 +1149,7 @@ struct ip_conntrack_protocol ip_conntrack_protocol_tcp = | |||
1123 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | 1149 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ |
1124 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | 1150 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) |
1125 | .to_nfattr = tcp_to_nfattr, | 1151 | .to_nfattr = tcp_to_nfattr, |
1152 | .from_nfattr = nfattr_to_tcp, | ||
1126 | .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr, | 1153 | .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr, |
1127 | .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple, | 1154 | .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple, |
1128 | #endif | 1155 | #endif |
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 8225e4257258..f37a50e55b68 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c | |||
@@ -435,7 +435,14 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss | |||
435 | int nsize, old_factor; | 435 | int nsize, old_factor; |
436 | u16 flags; | 436 | u16 flags; |
437 | 437 | ||
438 | BUG_ON(len >= skb->len); | 438 | if (unlikely(len >= skb->len)) { |
439 | printk(KERN_DEBUG "TCP: seg_size=%u, mss=%u, seq=%u, " | ||
440 | "end_seq=%u, skb->len=%u.\n", len, mss_now, | ||
441 | TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq, | ||
442 | skb->len); | ||
443 | WARN_ON(1); | ||
444 | return 0; | ||
445 | } | ||
439 | 446 | ||
440 | nsize = skb_headlen(skb) - len; | 447 | nsize = skb_headlen(skb) - len; |
441 | if (nsize < 0) | 448 | if (nsize < 0) |
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 9b27460f0cc7..40d9a1935ab5 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c | |||
@@ -31,6 +31,7 @@ | |||
31 | #include <net/esp.h> | 31 | #include <net/esp.h> |
32 | #include <asm/scatterlist.h> | 32 | #include <asm/scatterlist.h> |
33 | #include <linux/crypto.h> | 33 | #include <linux/crypto.h> |
34 | #include <linux/kernel.h> | ||
34 | #include <linux/pfkeyv2.h> | 35 | #include <linux/pfkeyv2.h> |
35 | #include <linux/random.h> | 36 | #include <linux/random.h> |
36 | #include <net/icmp.h> | 37 | #include <net/icmp.h> |
@@ -66,10 +67,10 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) | |||
66 | 67 | ||
67 | alen = esp->auth.icv_trunc_len; | 68 | alen = esp->auth.icv_trunc_len; |
68 | tfm = esp->conf.tfm; | 69 | tfm = esp->conf.tfm; |
69 | blksize = (crypto_tfm_alg_blocksize(tfm) + 3) & ~3; | 70 | blksize = ALIGN(crypto_tfm_alg_blocksize(tfm), 4); |
70 | clen = (clen + 2 + blksize-1)&~(blksize-1); | 71 | clen = ALIGN(clen + 2, blksize); |
71 | if (esp->conf.padlen) | 72 | if (esp->conf.padlen) |
72 | clen = (clen + esp->conf.padlen-1)&~(esp->conf.padlen-1); | 73 | clen = ALIGN(clen, esp->conf.padlen); |
73 | 74 | ||
74 | if ((nfrags = skb_cow_data(skb, clen-skb->len+alen, &trailer)) < 0) { | 75 | if ((nfrags = skb_cow_data(skb, clen-skb->len+alen, &trailer)) < 0) { |
75 | goto error; | 76 | goto error; |
@@ -133,7 +134,7 @@ static int esp6_input(struct xfrm_state *x, struct xfrm_decap_state *decap, stru | |||
133 | struct ipv6_esp_hdr *esph; | 134 | struct ipv6_esp_hdr *esph; |
134 | struct esp_data *esp = x->data; | 135 | struct esp_data *esp = x->data; |
135 | struct sk_buff *trailer; | 136 | struct sk_buff *trailer; |
136 | int blksize = crypto_tfm_alg_blocksize(esp->conf.tfm); | 137 | int blksize = ALIGN(crypto_tfm_alg_blocksize(esp->conf.tfm), 4); |
137 | int alen = esp->auth.icv_trunc_len; | 138 | int alen = esp->auth.icv_trunc_len; |
138 | int elen = skb->len - sizeof(struct ipv6_esp_hdr) - esp->conf.ivlen - alen; | 139 | int elen = skb->len - sizeof(struct ipv6_esp_hdr) - esp->conf.ivlen - alen; |
139 | 140 | ||
@@ -235,16 +236,17 @@ out_nofree: | |||
235 | static u32 esp6_get_max_size(struct xfrm_state *x, int mtu) | 236 | static u32 esp6_get_max_size(struct xfrm_state *x, int mtu) |
236 | { | 237 | { |
237 | struct esp_data *esp = x->data; | 238 | struct esp_data *esp = x->data; |
238 | u32 blksize = crypto_tfm_alg_blocksize(esp->conf.tfm); | 239 | u32 blksize = ALIGN(crypto_tfm_alg_blocksize(esp->conf.tfm), 4); |
239 | 240 | ||
240 | if (x->props.mode) { | 241 | if (x->props.mode) { |
241 | mtu = (mtu + 2 + blksize-1)&~(blksize-1); | 242 | mtu = ALIGN(mtu + 2, blksize); |
242 | } else { | 243 | } else { |
243 | /* The worst case. */ | 244 | /* The worst case. */ |
244 | mtu += 2 + blksize; | 245 | u32 padsize = ((blksize - 1) & 7) + 1; |
246 | mtu = ALIGN(mtu + 2, padsize) + blksize - padsize; | ||
245 | } | 247 | } |
246 | if (esp->conf.padlen) | 248 | if (esp->conf.padlen) |
247 | mtu = (mtu + esp->conf.padlen-1)&~(esp->conf.padlen-1); | 249 | mtu = ALIGN(mtu, esp->conf.padlen); |
248 | 250 | ||
249 | return mtu + x->props.header_len + esp->auth.icv_full_len; | 251 | return mtu + x->props.header_len + esp->auth.icv_full_len; |
250 | } | 252 | } |
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 1caaca06f698..4bc27a6334c1 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c | |||
@@ -133,7 +133,7 @@ int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len) | |||
133 | memset(tb, 0, sizeof(struct nfattr *) * maxattr); | 133 | memset(tb, 0, sizeof(struct nfattr *) * maxattr); |
134 | 134 | ||
135 | while (NFA_OK(nfa, len)) { | 135 | while (NFA_OK(nfa, len)) { |
136 | unsigned flavor = nfa->nfa_type; | 136 | unsigned flavor = NFA_TYPE(nfa); |
137 | if (flavor && flavor <= maxattr) | 137 | if (flavor && flavor <= maxattr) |
138 | tb[flavor-1] = nfa; | 138 | tb[flavor-1] = nfa; |
139 | nfa = NFA_NEXT(nfa, len); | 139 | nfa = NFA_NEXT(nfa, len); |
@@ -177,7 +177,7 @@ nfnetlink_check_attributes(struct nfnetlink_subsystem *subsys, | |||
177 | int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); | 177 | int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); |
178 | 178 | ||
179 | while (NFA_OK(attr, attrlen)) { | 179 | while (NFA_OK(attr, attrlen)) { |
180 | unsigned flavor = attr->nfa_type; | 180 | unsigned flavor = NFA_TYPE(attr); |
181 | if (flavor) { | 181 | if (flavor) { |
182 | if (flavor > attr_count) | 182 | if (flavor > attr_count) |
183 | return -EINVAL; | 183 | return -EINVAL; |