aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/linux/netfilter/nfnetlink.h12
-rw-r--r--include/linux/netfilter/nfnetlink_conntrack.h15
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack.h8
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_protocol.h3
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_tuple.h2
-rw-r--r--include/linux/netfilter_ipv4/ip_nat.h4
-rw-r--r--include/linux/netpoll.h2
-rw-r--r--include/net/inet_timewait_sock.h3
-rw-r--r--net/bridge/br_if.c2
-rw-r--r--net/dccp/ccid.h4
-rw-r--r--net/dccp/input.c6
-rw-r--r--net/ipv4/esp4.c17
-rw-r--r--net/ipv4/inet_timewait_sock.c1
-rw-r--r--net/ipv4/netfilter/Kconfig8
-rw-r--r--net/ipv4/netfilter/ip_conntrack_core.c13
-rw-r--r--net/ipv4/netfilter/ip_conntrack_netlink.c48
-rw-r--r--net/ipv4/netfilter/ip_conntrack_proto_icmp.c3
-rw-r--r--net/ipv4/netfilter/ip_conntrack_proto_tcp.c27
-rw-r--r--net/ipv4/tcp_output.c9
-rw-r--r--net/ipv6/esp6.c18
-rw-r--r--net/netfilter/nfnetlink.c4
21 files changed, 159 insertions, 50 deletions
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 1d5b10ae2399..f08e870100f4 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -41,11 +41,15 @@ enum nfnetlink_groups {
41struct nfattr 41struct nfattr
42{ 42{
43 u_int16_t nfa_len; 43 u_int16_t nfa_len;
44 u_int16_t nfa_type; 44 u_int16_t nfa_type; /* we use 15 bits for the type, and the highest
45 * bit to indicate whether the payload is nested */
45} __attribute__ ((packed)); 46} __attribute__ ((packed));
46 47
47/* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time 48/* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from
48 * to put this in a generic file */ 49 * rtnetlink.h, it's time to put this in a generic file */
50
51#define NFNL_NFA_NEST 0x8000
52#define NFA_TYPE(attr) ((attr)->nfa_type & 0x7fff)
49 53
50#define NFA_ALIGNTO 4 54#define NFA_ALIGNTO 4
51#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1)) 55#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
@@ -59,7 +63,7 @@ struct nfattr
59#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0)) 63#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
60#define NFA_NEST(skb, type) \ 64#define NFA_NEST(skb, type) \
61({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \ 65({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \
62 NFA_PUT(skb, type, 0, NULL); \ 66 NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \
63 __start; }) 67 __start; })
64#define NFA_NEST_END(skb, start) \ 68#define NFA_NEST_END(skb, start) \
65({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \ 69({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index 5c55751c78e4..116fcaced909 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -70,15 +70,24 @@ enum ctattr_l4proto {
70 70
71enum ctattr_protoinfo { 71enum ctattr_protoinfo {
72 CTA_PROTOINFO_UNSPEC, 72 CTA_PROTOINFO_UNSPEC,
73 CTA_PROTOINFO_TCP_STATE, 73 CTA_PROTOINFO_TCP,
74 __CTA_PROTOINFO_MAX 74 __CTA_PROTOINFO_MAX
75}; 75};
76#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1) 76#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
77 77
78enum ctattr_protoinfo_tcp {
79 CTA_PROTOINFO_TCP_UNSPEC,
80 CTA_PROTOINFO_TCP_STATE,
81 __CTA_PROTOINFO_TCP_MAX
82};
83#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1)
84
78enum ctattr_counters { 85enum ctattr_counters {
79 CTA_COUNTERS_UNSPEC, 86 CTA_COUNTERS_UNSPEC,
80 CTA_COUNTERS_PACKETS, 87 CTA_COUNTERS_PACKETS, /* old 64bit counters */
81 CTA_COUNTERS_BYTES, 88 CTA_COUNTERS_BYTES, /* old 64bit counters */
89 CTA_COUNTERS32_PACKETS,
90 CTA_COUNTERS32_BYTES,
82 __CTA_COUNTERS_MAX 91 __CTA_COUNTERS_MAX
83}; 92};
84#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1) 93#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index 4ced38736813..d078bb91d9e5 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -117,6 +117,10 @@ enum ip_conntrack_events
117 /* NAT info */ 117 /* NAT info */
118 IPCT_NATINFO_BIT = 10, 118 IPCT_NATINFO_BIT = 10,
119 IPCT_NATINFO = (1 << IPCT_NATINFO_BIT), 119 IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
120
121 /* Counter highest bit has been set */
122 IPCT_COUNTER_FILLING_BIT = 11,
123 IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
120}; 124};
121 125
122enum ip_conntrack_expect_events { 126enum ip_conntrack_expect_events {
@@ -192,8 +196,8 @@ do { \
192 196
193struct ip_conntrack_counter 197struct ip_conntrack_counter
194{ 198{
195 u_int64_t packets; 199 u_int32_t packets;
196 u_int64_t bytes; 200 u_int32_t bytes;
197}; 201};
198 202
199struct ip_conntrack_helper; 203struct ip_conntrack_helper;
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
index b6b99be8632a..2c76b879e3dc 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
@@ -52,6 +52,9 @@ struct ip_conntrack_protocol
52 int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa, 52 int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa,
53 const struct ip_conntrack *ct); 53 const struct ip_conntrack *ct);
54 54
55 /* convert nfnetlink attributes to protoinfo */
56 int (*from_nfattr)(struct nfattr *tb[], struct ip_conntrack *ct);
57
55 int (*tuple_to_nfattr)(struct sk_buff *skb, 58 int (*tuple_to_nfattr)(struct sk_buff *skb,
56 const struct ip_conntrack_tuple *t); 59 const struct ip_conntrack_tuple *t);
57 int (*nfattr_to_tuple)(struct nfattr *tb[], 60 int (*nfattr_to_tuple)(struct nfattr *tb[],
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
index 20e43f018b7c..3232db11a4e5 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
@@ -1,6 +1,8 @@
1#ifndef _IP_CONNTRACK_TUPLE_H 1#ifndef _IP_CONNTRACK_TUPLE_H
2#define _IP_CONNTRACK_TUPLE_H 2#define _IP_CONNTRACK_TUPLE_H
3 3
4#include <linux/types.h>
5
4/* A `tuple' is a structure containing the information to uniquely 6/* A `tuple' is a structure containing the information to uniquely
5 identify a connection. ie. if two packets have the same tuple, they 7 identify a connection. ie. if two packets have the same tuple, they
6 are in the same connection; if not, they are not. 8 are in the same connection; if not, they are not.
diff --git a/include/linux/netfilter_ipv4/ip_nat.h b/include/linux/netfilter_ipv4/ip_nat.h
index e201ec6e9905..41a107de17cf 100644
--- a/include/linux/netfilter_ipv4/ip_nat.h
+++ b/include/linux/netfilter_ipv4/ip_nat.h
@@ -58,10 +58,6 @@ extern rwlock_t ip_nat_lock;
58struct ip_nat_info 58struct ip_nat_info
59{ 59{
60 struct list_head bysource; 60 struct list_head bysource;
61
62 /* Helper (NULL if none). */
63 struct ip_nat_helper *helper;
64
65 struct ip_nat_seq seq[IP_CT_DIR_MAX]; 61 struct ip_nat_seq seq[IP_CT_DIR_MAX];
66}; 62};
67 63
diff --git a/include/linux/netpoll.h b/include/linux/netpoll.h
index 5ade54a78dbb..ca5a8733000f 100644
--- a/include/linux/netpoll.h
+++ b/include/linux/netpoll.h
@@ -86,7 +86,7 @@ static inline void netpoll_poll_unlock(void *have)
86 86
87#else 87#else
88#define netpoll_rx(a) 0 88#define netpoll_rx(a) 0
89#define netpoll_poll_lock(a) 0 89#define netpoll_poll_lock(a) NULL
90#define netpoll_poll_unlock(a) 90#define netpoll_poll_unlock(a)
91#endif 91#endif
92 92
diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h
index 4ade56ef3a4d..28f7b2103505 100644
--- a/include/net/inet_timewait_sock.h
+++ b/include/net/inet_timewait_sock.h
@@ -19,6 +19,7 @@
19 19
20#include <linux/ip.h> 20#include <linux/ip.h>
21#include <linux/list.h> 21#include <linux/list.h>
22#include <linux/module.h>
22#include <linux/timer.h> 23#include <linux/timer.h>
23#include <linux/types.h> 24#include <linux/types.h>
24#include <linux/workqueue.h> 25#include <linux/workqueue.h>
@@ -193,11 +194,13 @@ static inline u32 inet_rcv_saddr(const struct sock *sk)
193static inline void inet_twsk_put(struct inet_timewait_sock *tw) 194static inline void inet_twsk_put(struct inet_timewait_sock *tw)
194{ 195{
195 if (atomic_dec_and_test(&tw->tw_refcnt)) { 196 if (atomic_dec_and_test(&tw->tw_refcnt)) {
197 struct module *owner = tw->tw_prot->owner;
196#ifdef SOCK_REFCNT_DEBUG 198#ifdef SOCK_REFCNT_DEBUG
197 printk(KERN_DEBUG "%s timewait_sock %p released\n", 199 printk(KERN_DEBUG "%s timewait_sock %p released\n",
198 tw->tw_prot->name, tw); 200 tw->tw_prot->name, tw);
199#endif 201#endif
200 kmem_cache_free(tw->tw_prot->twsk_slab, tw); 202 kmem_cache_free(tw->tw_prot->twsk_slab, tw);
203 module_put(owner);
201 } 204 }
202} 205}
203 206
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 91bb895375f4..defcf6a8607c 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -79,7 +79,6 @@ static void destroy_nbp(struct net_bridge_port *p)
79{ 79{
80 struct net_device *dev = p->dev; 80 struct net_device *dev = p->dev;
81 81
82 dev->br_port = NULL;
83 p->br = NULL; 82 p->br = NULL;
84 p->dev = NULL; 83 p->dev = NULL;
85 dev_put(dev); 84 dev_put(dev);
@@ -100,6 +99,7 @@ static void del_nbp(struct net_bridge_port *p)
100 struct net_bridge *br = p->br; 99 struct net_bridge *br = p->br;
101 struct net_device *dev = p->dev; 100 struct net_device *dev = p->dev;
102 101
102 dev->br_port = NULL;
103 dev_set_promiscuity(dev, -1); 103 dev_set_promiscuity(dev, -1);
104 104
105 spin_lock_bh(&br->lock); 105 spin_lock_bh(&br->lock);
diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
index 21e55142dcd3..c37eeeaf5c6e 100644
--- a/net/dccp/ccid.h
+++ b/net/dccp/ccid.h
@@ -110,14 +110,14 @@ static inline int ccid_hc_tx_init(struct ccid *ccid, struct sock *sk)
110 110
111static inline void ccid_hc_rx_exit(struct ccid *ccid, struct sock *sk) 111static inline void ccid_hc_rx_exit(struct ccid *ccid, struct sock *sk)
112{ 112{
113 if (ccid->ccid_hc_rx_exit != NULL && 113 if (ccid != NULL && ccid->ccid_hc_rx_exit != NULL &&
114 dccp_sk(sk)->dccps_hc_rx_ccid_private != NULL) 114 dccp_sk(sk)->dccps_hc_rx_ccid_private != NULL)
115 ccid->ccid_hc_rx_exit(sk); 115 ccid->ccid_hc_rx_exit(sk);
116} 116}
117 117
118static inline void ccid_hc_tx_exit(struct ccid *ccid, struct sock *sk) 118static inline void ccid_hc_tx_exit(struct ccid *ccid, struct sock *sk)
119{ 119{
120 if (ccid->ccid_hc_tx_exit != NULL && 120 if (ccid != NULL && ccid->ccid_hc_tx_exit != NULL &&
121 dccp_sk(sk)->dccps_hc_tx_ccid_private != NULL) 121 dccp_sk(sk)->dccps_hc_tx_ccid_private != NULL)
122 ccid->ccid_hc_tx_exit(sk); 122 ccid->ccid_hc_tx_exit(sk);
123} 123}
diff --git a/net/dccp/input.c b/net/dccp/input.c
index 1b6b2cb12376..3454d5941900 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -375,6 +375,9 @@ static int dccp_rcv_respond_partopen_state_process(struct sock *sk,
375 case DCCP_PKT_RESET: 375 case DCCP_PKT_RESET:
376 inet_csk_clear_xmit_timer(sk, ICSK_TIME_DACK); 376 inet_csk_clear_xmit_timer(sk, ICSK_TIME_DACK);
377 break; 377 break;
378 case DCCP_PKT_DATA:
379 if (sk->sk_state == DCCP_RESPOND)
380 break;
378 case DCCP_PKT_DATAACK: 381 case DCCP_PKT_DATAACK:
379 case DCCP_PKT_ACK: 382 case DCCP_PKT_ACK:
380 /* 383 /*
@@ -393,7 +396,8 @@ static int dccp_rcv_respond_partopen_state_process(struct sock *sk,
393 dccp_sk(sk)->dccps_osr = DCCP_SKB_CB(skb)->dccpd_seq; 396 dccp_sk(sk)->dccps_osr = DCCP_SKB_CB(skb)->dccpd_seq;
394 dccp_set_state(sk, DCCP_OPEN); 397 dccp_set_state(sk, DCCP_OPEN);
395 398
396 if (dh->dccph_type == DCCP_PKT_DATAACK) { 399 if (dh->dccph_type == DCCP_PKT_DATAACK ||
400 dh->dccph_type == DCCP_PKT_DATA) {
397 dccp_rcv_established(sk, skb, dh, len); 401 dccp_rcv_established(sk, skb, dh, len);
398 queued = 1; /* packet was queued 402 queued = 1; /* packet was queued
399 (by dccp_rcv_established) */ 403 (by dccp_rcv_established) */
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 1b5a09d1b90b..1b18ce66e7b7 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -5,6 +5,7 @@
5#include <net/esp.h> 5#include <net/esp.h>
6#include <asm/scatterlist.h> 6#include <asm/scatterlist.h>
7#include <linux/crypto.h> 7#include <linux/crypto.h>
8#include <linux/kernel.h>
8#include <linux/pfkeyv2.h> 9#include <linux/pfkeyv2.h>
9#include <linux/random.h> 10#include <linux/random.h>
10#include <net/icmp.h> 11#include <net/icmp.h>
@@ -42,10 +43,10 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
42 esp = x->data; 43 esp = x->data;
43 alen = esp->auth.icv_trunc_len; 44 alen = esp->auth.icv_trunc_len;
44 tfm = esp->conf.tfm; 45 tfm = esp->conf.tfm;
45 blksize = (crypto_tfm_alg_blocksize(tfm) + 3) & ~3; 46 blksize = ALIGN(crypto_tfm_alg_blocksize(tfm), 4);
46 clen = (clen + 2 + blksize-1)&~(blksize-1); 47 clen = ALIGN(clen + 2, blksize);
47 if (esp->conf.padlen) 48 if (esp->conf.padlen)
48 clen = (clen + esp->conf.padlen-1)&~(esp->conf.padlen-1); 49 clen = ALIGN(clen, esp->conf.padlen);
49 50
50 if ((nfrags = skb_cow_data(skb, clen-skb->len+alen, &trailer)) < 0) 51 if ((nfrags = skb_cow_data(skb, clen-skb->len+alen, &trailer)) < 0)
51 goto error; 52 goto error;
@@ -143,7 +144,7 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc
143 struct ip_esp_hdr *esph; 144 struct ip_esp_hdr *esph;
144 struct esp_data *esp = x->data; 145 struct esp_data *esp = x->data;
145 struct sk_buff *trailer; 146 struct sk_buff *trailer;
146 int blksize = crypto_tfm_alg_blocksize(esp->conf.tfm); 147 int blksize = ALIGN(crypto_tfm_alg_blocksize(esp->conf.tfm), 4);
147 int alen = esp->auth.icv_trunc_len; 148 int alen = esp->auth.icv_trunc_len;
148 int elen = skb->len - sizeof(struct ip_esp_hdr) - esp->conf.ivlen - alen; 149 int elen = skb->len - sizeof(struct ip_esp_hdr) - esp->conf.ivlen - alen;
149 int nfrags; 150 int nfrags;
@@ -304,16 +305,16 @@ static int esp_post_input(struct xfrm_state *x, struct xfrm_decap_state *decap,
304static u32 esp4_get_max_size(struct xfrm_state *x, int mtu) 305static u32 esp4_get_max_size(struct xfrm_state *x, int mtu)
305{ 306{
306 struct esp_data *esp = x->data; 307 struct esp_data *esp = x->data;
307 u32 blksize = crypto_tfm_alg_blocksize(esp->conf.tfm); 308 u32 blksize = ALIGN(crypto_tfm_alg_blocksize(esp->conf.tfm), 4);
308 309
309 if (x->props.mode) { 310 if (x->props.mode) {
310 mtu = (mtu + 2 + blksize-1)&~(blksize-1); 311 mtu = ALIGN(mtu + 2, blksize);
311 } else { 312 } else {
312 /* The worst case. */ 313 /* The worst case. */
313 mtu += 2 + blksize; 314 mtu = ALIGN(mtu + 2, 4) + blksize - 4;
314 } 315 }
315 if (esp->conf.padlen) 316 if (esp->conf.padlen)
316 mtu = (mtu + esp->conf.padlen-1)&~(esp->conf.padlen-1); 317 mtu = ALIGN(mtu, esp->conf.padlen);
317 318
318 return mtu + x->props.header_len + esp->auth.icv_trunc_len; 319 return mtu + x->props.header_len + esp->auth.icv_trunc_len;
319} 320}
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index f9076ef3a1a8..a010e9a68811 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -111,6 +111,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, const int stat
111 tw->tw_prot = sk->sk_prot_creator; 111 tw->tw_prot = sk->sk_prot_creator;
112 atomic_set(&tw->tw_refcnt, 1); 112 atomic_set(&tw->tw_refcnt, 1);
113 inet_twsk_dead_node_init(tw); 113 inet_twsk_dead_node_init(tw);
114 __module_get(tw->tw_prot->owner);
114 } 115 }
115 116
116 return tw; 117 return tw;
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index a7659728e7a0..7d917e4ce1d9 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -139,6 +139,7 @@ config IP_NF_AMANDA
139 139
140config IP_NF_PPTP 140config IP_NF_PPTP
141 tristate 'PPTP protocol support' 141 tristate 'PPTP protocol support'
142 depends on IP_NF_CONNTRACK
142 help 143 help
143 This module adds support for PPTP (Point to Point Tunnelling 144 This module adds support for PPTP (Point to Point Tunnelling
144 Protocol, RFC2637) connection tracking and NAT. 145 Protocol, RFC2637) connection tracking and NAT.
@@ -498,9 +499,14 @@ config IP_NF_TARGET_LOG
498 To compile it as a module, choose M here. If unsure, say N. 499 To compile it as a module, choose M here. If unsure, say N.
499 500
500config IP_NF_TARGET_ULOG 501config IP_NF_TARGET_ULOG
501 tristate "ULOG target support" 502 tristate "ULOG target support (OBSOLETE)"
502 depends on IP_NF_IPTABLES 503 depends on IP_NF_IPTABLES
503 ---help--- 504 ---help---
505
506 This option enables the old IPv4-only "ipt_ULOG" implementation
507 which has been obsoleted by the new "nfnetlink_log" code (see
508 CONFIG_NETFILTER_NETLINK_LOG).
509
504 This option adds a `ULOG' target, which allows you to create rules in 510 This option adds a `ULOG' target, which allows you to create rules in
505 any iptables table. The packet is passed to a userspace logging 511 any iptables table. The packet is passed to a userspace logging
506 daemon using netlink multicast sockets; unlike the LOG target 512 daemon using netlink multicast sockets; unlike the LOG target
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index ea65dd3e517a..07a80b56e8dc 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1119,7 +1119,7 @@ void __ip_ct_refresh_acct(struct ip_conntrack *ct,
1119 unsigned long extra_jiffies, 1119 unsigned long extra_jiffies,
1120 int do_acct) 1120 int do_acct)
1121{ 1121{
1122 int do_event = 0; 1122 int event = 0;
1123 1123
1124 IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct); 1124 IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct);
1125 IP_NF_ASSERT(skb); 1125 IP_NF_ASSERT(skb);
@@ -1129,13 +1129,13 @@ void __ip_ct_refresh_acct(struct ip_conntrack *ct,
1129 /* If not in hash table, timer will not be active yet */ 1129 /* If not in hash table, timer will not be active yet */
1130 if (!is_confirmed(ct)) { 1130 if (!is_confirmed(ct)) {
1131 ct->timeout.expires = extra_jiffies; 1131 ct->timeout.expires = extra_jiffies;
1132 do_event = 1; 1132 event = IPCT_REFRESH;
1133 } else { 1133 } else {
1134 /* Need del_timer for race avoidance (may already be dying). */ 1134 /* Need del_timer for race avoidance (may already be dying). */
1135 if (del_timer(&ct->timeout)) { 1135 if (del_timer(&ct->timeout)) {
1136 ct->timeout.expires = jiffies + extra_jiffies; 1136 ct->timeout.expires = jiffies + extra_jiffies;
1137 add_timer(&ct->timeout); 1137 add_timer(&ct->timeout);
1138 do_event = 1; 1138 event = IPCT_REFRESH;
1139 } 1139 }
1140 } 1140 }
1141 1141
@@ -1144,14 +1144,17 @@ void __ip_ct_refresh_acct(struct ip_conntrack *ct,
1144 ct->counters[CTINFO2DIR(ctinfo)].packets++; 1144 ct->counters[CTINFO2DIR(ctinfo)].packets++;
1145 ct->counters[CTINFO2DIR(ctinfo)].bytes += 1145 ct->counters[CTINFO2DIR(ctinfo)].bytes +=
1146 ntohs(skb->nh.iph->tot_len); 1146 ntohs(skb->nh.iph->tot_len);
1147 if ((ct->counters[CTINFO2DIR(ctinfo)].packets & 0x80000000)
1148 || (ct->counters[CTINFO2DIR(ctinfo)].bytes & 0x80000000))
1149 event |= IPCT_COUNTER_FILLING;
1147 } 1150 }
1148#endif 1151#endif
1149 1152
1150 write_unlock_bh(&ip_conntrack_lock); 1153 write_unlock_bh(&ip_conntrack_lock);
1151 1154
1152 /* must be unlocked when calling event cache */ 1155 /* must be unlocked when calling event cache */
1153 if (do_event) 1156 if (event)
1154 ip_conntrack_event_cache(IPCT_REFRESH, skb); 1157 ip_conntrack_event_cache(event, skb);
1155} 1158}
1156 1159
1157#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ 1160#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
index b08a432efcf8..166e6069f121 100644
--- a/net/ipv4/netfilter/ip_conntrack_netlink.c
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -177,11 +177,11 @@ ctnetlink_dump_counters(struct sk_buff *skb, const struct ip_conntrack *ct,
177 struct nfattr *nest_count = NFA_NEST(skb, type); 177 struct nfattr *nest_count = NFA_NEST(skb, type);
178 u_int64_t tmp; 178 u_int64_t tmp;
179 179
180 tmp = cpu_to_be64(ct->counters[dir].packets); 180 tmp = htonl(ct->counters[dir].packets);
181 NFA_PUT(skb, CTA_COUNTERS_PACKETS, sizeof(u_int64_t), &tmp); 181 NFA_PUT(skb, CTA_COUNTERS32_PACKETS, sizeof(u_int32_t), &tmp);
182 182
183 tmp = cpu_to_be64(ct->counters[dir].bytes); 183 tmp = htonl(ct->counters[dir].bytes);
184 NFA_PUT(skb, CTA_COUNTERS_BYTES, sizeof(u_int64_t), &tmp); 184 NFA_PUT(skb, CTA_COUNTERS32_BYTES, sizeof(u_int32_t), &tmp);
185 185
186 NFA_NEST_END(skb, nest_count); 186 NFA_NEST_END(skb, nest_count);
187 187
@@ -833,7 +833,8 @@ out:
833static inline int 833static inline int
834ctnetlink_change_status(struct ip_conntrack *ct, struct nfattr *cda[]) 834ctnetlink_change_status(struct ip_conntrack *ct, struct nfattr *cda[])
835{ 835{
836 unsigned long d, status = *(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1]); 836 unsigned long d;
837 unsigned status = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1]));
837 d = ct->status ^ status; 838 d = ct->status ^ status;
838 839
839 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) 840 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
@@ -948,6 +949,31 @@ ctnetlink_change_timeout(struct ip_conntrack *ct, struct nfattr *cda[])
948 return 0; 949 return 0;
949} 950}
950 951
952static inline int
953ctnetlink_change_protoinfo(struct ip_conntrack *ct, struct nfattr *cda[])
954{
955 struct nfattr *tb[CTA_PROTOINFO_MAX], *attr = cda[CTA_PROTOINFO-1];
956 struct ip_conntrack_protocol *proto;
957 u_int16_t npt = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
958 int err = 0;
959
960 if (nfattr_parse_nested(tb, CTA_PROTOINFO_MAX, attr) < 0)
961 goto nfattr_failure;
962
963 proto = ip_conntrack_proto_find_get(npt);
964 if (!proto)
965 return -EINVAL;
966
967 if (proto->from_nfattr)
968 err = proto->from_nfattr(tb, ct);
969 ip_conntrack_proto_put(proto);
970
971 return err;
972
973nfattr_failure:
974 return -ENOMEM;
975}
976
951static int 977static int
952ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[]) 978ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[])
953{ 979{
@@ -973,6 +999,12 @@ ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[])
973 return err; 999 return err;
974 } 1000 }
975 1001
1002 if (cda[CTA_PROTOINFO-1]) {
1003 err = ctnetlink_change_protoinfo(ct, cda);
1004 if (err < 0)
1005 return err;
1006 }
1007
976 DEBUGP("all done\n"); 1008 DEBUGP("all done\n");
977 return 0; 1009 return 0;
978} 1010}
@@ -1002,6 +1034,12 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
1002 if (err < 0) 1034 if (err < 0)
1003 goto err; 1035 goto err;
1004 1036
1037 if (cda[CTA_PROTOINFO-1]) {
1038 err = ctnetlink_change_protoinfo(ct, cda);
1039 if (err < 0)
1040 return err;
1041 }
1042
1005 ct->helper = ip_conntrack_helper_find_get(rtuple); 1043 ct->helper = ip_conntrack_helper_find_get(rtuple);
1006 1044
1007 add_timer(&ct->timeout); 1045 add_timer(&ct->timeout);
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
index 838d1d69b36e..98f0015dd255 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
@@ -296,8 +296,7 @@ static int icmp_nfattr_to_tuple(struct nfattr *tb[],
296 struct ip_conntrack_tuple *tuple) 296 struct ip_conntrack_tuple *tuple)
297{ 297{
298 if (!tb[CTA_PROTO_ICMP_TYPE-1] 298 if (!tb[CTA_PROTO_ICMP_TYPE-1]
299 || !tb[CTA_PROTO_ICMP_CODE-1] 299 || !tb[CTA_PROTO_ICMP_CODE-1])
300 || !tb[CTA_PROTO_ICMP_ID-1])
301 return -1; 300 return -1;
302 301
303 tuple->dst.u.icmp.type = 302 tuple->dst.u.icmp.type =
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index 121760d6cc50..d6701cafbcc2 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -341,17 +341,43 @@ static int tcp_print_conntrack(struct seq_file *s,
341static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa, 341static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa,
342 const struct ip_conntrack *ct) 342 const struct ip_conntrack *ct)
343{ 343{
344 struct nfattr *nest_parms = NFA_NEST(skb, CTA_PROTOINFO_TCP);
345
344 read_lock_bh(&tcp_lock); 346 read_lock_bh(&tcp_lock);
345 NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t), 347 NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t),
346 &ct->proto.tcp.state); 348 &ct->proto.tcp.state);
347 read_unlock_bh(&tcp_lock); 349 read_unlock_bh(&tcp_lock);
348 350
351 NFA_NEST_END(skb, nest_parms);
352
349 return 0; 353 return 0;
350 354
351nfattr_failure: 355nfattr_failure:
352 read_unlock_bh(&tcp_lock); 356 read_unlock_bh(&tcp_lock);
353 return -1; 357 return -1;
354} 358}
359
360static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
361{
362 struct nfattr *attr = cda[CTA_PROTOINFO_TCP-1];
363 struct nfattr *tb[CTA_PROTOINFO_TCP_MAX];
364
365 if (nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr) < 0)
366 goto nfattr_failure;
367
368 if (!tb[CTA_PROTOINFO_TCP_STATE-1])
369 return -EINVAL;
370
371 write_lock_bh(&tcp_lock);
372 ct->proto.tcp.state =
373 *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]);
374 write_unlock_bh(&tcp_lock);
375
376 return 0;
377
378nfattr_failure:
379 return -1;
380}
355#endif 381#endif
356 382
357static unsigned int get_conntrack_index(const struct tcphdr *tcph) 383static unsigned int get_conntrack_index(const struct tcphdr *tcph)
@@ -1123,6 +1149,7 @@ struct ip_conntrack_protocol ip_conntrack_protocol_tcp =
1123#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ 1149#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
1124 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) 1150 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
1125 .to_nfattr = tcp_to_nfattr, 1151 .to_nfattr = tcp_to_nfattr,
1152 .from_nfattr = nfattr_to_tcp,
1126 .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr, 1153 .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr,
1127 .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple, 1154 .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple,
1128#endif 1155#endif
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 8225e4257258..f37a50e55b68 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -435,7 +435,14 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, unsigned int mss
435 int nsize, old_factor; 435 int nsize, old_factor;
436 u16 flags; 436 u16 flags;
437 437
438 BUG_ON(len >= skb->len); 438 if (unlikely(len >= skb->len)) {
439 printk(KERN_DEBUG "TCP: seg_size=%u, mss=%u, seq=%u, "
440 "end_seq=%u, skb->len=%u.\n", len, mss_now,
441 TCP_SKB_CB(skb)->seq, TCP_SKB_CB(skb)->end_seq,
442 skb->len);
443 WARN_ON(1);
444 return 0;
445 }
439 446
440 nsize = skb_headlen(skb) - len; 447 nsize = skb_headlen(skb) - len;
441 if (nsize < 0) 448 if (nsize < 0)
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 9b27460f0cc7..40d9a1935ab5 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -31,6 +31,7 @@
31#include <net/esp.h> 31#include <net/esp.h>
32#include <asm/scatterlist.h> 32#include <asm/scatterlist.h>
33#include <linux/crypto.h> 33#include <linux/crypto.h>
34#include <linux/kernel.h>
34#include <linux/pfkeyv2.h> 35#include <linux/pfkeyv2.h>
35#include <linux/random.h> 36#include <linux/random.h>
36#include <net/icmp.h> 37#include <net/icmp.h>
@@ -66,10 +67,10 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
66 67
67 alen = esp->auth.icv_trunc_len; 68 alen = esp->auth.icv_trunc_len;
68 tfm = esp->conf.tfm; 69 tfm = esp->conf.tfm;
69 blksize = (crypto_tfm_alg_blocksize(tfm) + 3) & ~3; 70 blksize = ALIGN(crypto_tfm_alg_blocksize(tfm), 4);
70 clen = (clen + 2 + blksize-1)&~(blksize-1); 71 clen = ALIGN(clen + 2, blksize);
71 if (esp->conf.padlen) 72 if (esp->conf.padlen)
72 clen = (clen + esp->conf.padlen-1)&~(esp->conf.padlen-1); 73 clen = ALIGN(clen, esp->conf.padlen);
73 74
74 if ((nfrags = skb_cow_data(skb, clen-skb->len+alen, &trailer)) < 0) { 75 if ((nfrags = skb_cow_data(skb, clen-skb->len+alen, &trailer)) < 0) {
75 goto error; 76 goto error;
@@ -133,7 +134,7 @@ static int esp6_input(struct xfrm_state *x, struct xfrm_decap_state *decap, stru
133 struct ipv6_esp_hdr *esph; 134 struct ipv6_esp_hdr *esph;
134 struct esp_data *esp = x->data; 135 struct esp_data *esp = x->data;
135 struct sk_buff *trailer; 136 struct sk_buff *trailer;
136 int blksize = crypto_tfm_alg_blocksize(esp->conf.tfm); 137 int blksize = ALIGN(crypto_tfm_alg_blocksize(esp->conf.tfm), 4);
137 int alen = esp->auth.icv_trunc_len; 138 int alen = esp->auth.icv_trunc_len;
138 int elen = skb->len - sizeof(struct ipv6_esp_hdr) - esp->conf.ivlen - alen; 139 int elen = skb->len - sizeof(struct ipv6_esp_hdr) - esp->conf.ivlen - alen;
139 140
@@ -235,16 +236,17 @@ out_nofree:
235static u32 esp6_get_max_size(struct xfrm_state *x, int mtu) 236static u32 esp6_get_max_size(struct xfrm_state *x, int mtu)
236{ 237{
237 struct esp_data *esp = x->data; 238 struct esp_data *esp = x->data;
238 u32 blksize = crypto_tfm_alg_blocksize(esp->conf.tfm); 239 u32 blksize = ALIGN(crypto_tfm_alg_blocksize(esp->conf.tfm), 4);
239 240
240 if (x->props.mode) { 241 if (x->props.mode) {
241 mtu = (mtu + 2 + blksize-1)&~(blksize-1); 242 mtu = ALIGN(mtu + 2, blksize);
242 } else { 243 } else {
243 /* The worst case. */ 244 /* The worst case. */
244 mtu += 2 + blksize; 245 u32 padsize = ((blksize - 1) & 7) + 1;
246 mtu = ALIGN(mtu + 2, padsize) + blksize - padsize;
245 } 247 }
246 if (esp->conf.padlen) 248 if (esp->conf.padlen)
247 mtu = (mtu + esp->conf.padlen-1)&~(esp->conf.padlen-1); 249 mtu = ALIGN(mtu, esp->conf.padlen);
248 250
249 return mtu + x->props.header_len + esp->auth.icv_full_len; 251 return mtu + x->props.header_len + esp->auth.icv_full_len;
250} 252}
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 1caaca06f698..4bc27a6334c1 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -133,7 +133,7 @@ int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len)
133 memset(tb, 0, sizeof(struct nfattr *) * maxattr); 133 memset(tb, 0, sizeof(struct nfattr *) * maxattr);
134 134
135 while (NFA_OK(nfa, len)) { 135 while (NFA_OK(nfa, len)) {
136 unsigned flavor = nfa->nfa_type; 136 unsigned flavor = NFA_TYPE(nfa);
137 if (flavor && flavor <= maxattr) 137 if (flavor && flavor <= maxattr)
138 tb[flavor-1] = nfa; 138 tb[flavor-1] = nfa;
139 nfa = NFA_NEXT(nfa, len); 139 nfa = NFA_NEXT(nfa, len);
@@ -177,7 +177,7 @@ nfnetlink_check_attributes(struct nfnetlink_subsystem *subsys,
177 int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); 177 int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len);
178 178
179 while (NFA_OK(attr, attrlen)) { 179 while (NFA_OK(attr, attrlen)) {
180 unsigned flavor = attr->nfa_type; 180 unsigned flavor = NFA_TYPE(attr);
181 if (flavor) { 181 if (flavor) {
182 if (flavor > attr_count) 182 if (flavor > attr_count)
183 return -EINVAL; 183 return -EINVAL;