6 files changed, 33 insertions, 8 deletions
diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
index c8beafd401aa..5a355a46d1dc 100644
--- a/net/netfilter/ipvs/ip_vs_nfct.c
+++ b/net/netfilter/ipvs/ip_vs_nfct.c
@@ -63,6 +63,7 @@
 #include <net/ip_vs.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_expect.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_zones.h>
@@ -97,6 +98,11 @@ ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin)
        if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
                return;
+        /* Applications may adjust TCP seqs */
+        if (cp->app && nf_ct_protonum(ct) == IPPROTO_TCP &&
+            !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct))
+                return;
        /*
         * The connection is not yet in the hashtable, so we update it.
         * CIP->VIP will remain the same, so leave the tuple in
diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index 17c1bcb182c6..b2d38da67822 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -36,6 +36,11 @@ int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
        if (off == 0)
                return 0;
+        if (unlikely(!seqadj)) {
+                WARN(1, "Wrong seqadj usage, missing nfct_seqadj_ext_add()\n");
+                return 0;
+        }
        set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
        spin_lock_bh(&ct->lock);
diff --git a/net/netfilter/nf_conntrack_timestamp.c b/net/netfilter/nf_conntrack_timestamp.c
index 902fb0a6b38a..7a394df0deb7 100644
--- a/net/netfilter/nf_conntrack_timestamp.c
+++ b/net/netfilter/nf_conntrack_timestamp.c
@@ -97,7 +97,6 @@ int nf_conntrack_tstamp_pernet_init(struct net *net)
 void nf_conntrack_tstamp_pernet_fini(struct net *net)
 {
        nf_conntrack_tstamp_fini_sysctl(net);
-        nf_ct_extend_unregister(&tstamp_extend);
 }
 int nf_conntrack_tstamp_init(void)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f93b7d06f4be..71a9f49a768b 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -312,6 +312,9 @@ static int nf_tables_table_enable(struct nft_table *table)
        int err, i = 0;
        list_for_each_entry(chain, &table->chains, list) {
+                if (!(chain->flags & NFT_BASE_CHAIN))
+                        continue;
                err = nf_register_hook(&nft_base_chain(chain)->ops);
                if (err < 0)
                        goto err;
@@ -321,6 +324,9 @@ static int nf_tables_table_enable(struct nft_table *table)
        return 0;
 err:
        list_for_each_entry(chain, &table->chains, list) {
+                if (!(chain->flags & NFT_BASE_CHAIN))
+                        continue;
                if (i-- <= 0)
                        break;
@@ -333,8 +339,10 @@ static int nf_tables_table_disable(struct nft_table *table)
 {
        struct nft_chain *chain;
-        list_for_each_entry(chain, &table->chains, list)
+        list_for_each_entry(chain, &table->chains, list) {
-                nf_unregister_hook(&nft_base_chain(chain)->ops);
+                if (chain->flags & NFT_BASE_CHAIN)
+                        nf_unregister_hook(&nft_base_chain(chain)->ops);
+        }
        return 0;
 }
@@ -2098,17 +2106,21 @@ static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
                                   struct netlink_callback *cb)
 {
        const struct nft_set *set;
-        unsigned int idx = 0, s_idx = cb->args[0];
+        unsigned int idx, s_idx = cb->args[0];
        struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
        if (cb->args[1])
                return skb->len;
        list_for_each_entry(table, &ctx->afi->tables, list) {
-                if (cur_table && cur_table != table)
+                if (cur_table) {
-                        continue;
+                        if (cur_table != table)
+                                continue;
+                        cur_table = NULL;
+                }
                ctx->table = table;
+                idx = 0;
                list_for_each_entry(set, &ctx->table->sets, list) {
                        if (idx < s_idx)
                                goto cont;
@@ -2370,7 +2382,9 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
        enum nft_registers dreg;
        dreg = nft_type_to_reg(set->dtype);
-        return nft_validate_data_load(ctx, dreg, &elem->data, set->dtype);
+        return nft_validate_data_load(ctx, dreg, &elem->data,
+                                      set->dtype == NFT_DATA_VERDICT ?
+                                      NFT_DATA_VERDICT : NFT_DATA_VALUE);
 }
 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 3c4b69e5fe17..a155d19a225e 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -1053,6 +1053,7 @@ static void __net_exit nfnl_log_net_exit(struct net *net)
 #ifdef CONFIG_PROC_FS
        remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
 #endif
+        nf_log_unset(net, &nfulnl_logger);
 }
 static struct pernet_operations nfnl_log_net_ops = {
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 8e0bb75e7c51..55c939f5371f 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -31,7 +31,7 @@ static void nft_exthdr_eval(const struct nft_expr *expr,
 {
        struct nft_exthdr *priv = nft_expr_priv(expr);
        struct nft_data *dest = &data[priv->dreg];
-        unsigned int offset;
+        unsigned int offset = 0;
        int err;
        err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);