-rw-r--r--include/net/netfilter/nf_conntrack_extend.h4
-rw-r--r--net/bridge/netfilter/ebtables.c5
-rw-r--r--net/ipv4/netfilter/arp_tables.c6
-rw-r--r--net/ipv4/netfilter/ip_tables.c6
-rw-r--r--net/ipv6/netfilter/ip6_tables.c6
-rw-r--r--net/netfilter/nf_tables_api.c7
-rw-r--r--net/netfilter/xt_cgroup.c3
-rw-r--r--net/netfilter/xt_connlimit.c25
-rw-r--r--net/netfilter/xt_osf.c2
9 files changed, 40 insertions, 24 deletions
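--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -47,8 +47,8 @@ enum nf_ct_ext_id {
 /* Extensions: optional stuff which isn't permanently in struct. */
 struct nf_ct_ext {
 	struct rcu_head rcu;
-	u8 offset[NF_CT_EXT_NUM];
-	u8 len;
+	u16 offset[NF_CT_EXT_NUM];
+	u16 len;
 	char data[0];
 };
 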
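Review bot: The trailing `char data[0];` kept on line 52 is a GNU zero-length array; since the struct header is being reworked anyway, the C99 flexible array member `char data[];` states the same end-of-struct payload intent without relying on the extension and lets compiler and sanitizer bounds checks treat the array as unbounded rather than zero-sized. Widening `offset` and `len` to u16 also changes the header size and alignment of `struct nf_ct_ext`; any code that computes extension offsets or sizes from the old u8 widths is outside this hunk and should be checked against the new layout.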
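--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1044,10 +1044,9 @@ static int do_replace_finish(struct net *net, struct ebt_replace *repl,
 	if (repl->num_counters &&
 	   copy_to_user(repl->counters, counterstmp,
 	   repl->num_counters * sizeof(struct ebt_counter))) {
-		ret = -EFAULT;
+		/* Silent error, can't fail, new table is already in place */
+		net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
 	}
-	else
-		ret = 0;
 
 	/* decrease module count and free resources */
 	EBT_ENTRY_ITERATE(table->entries, table->entries_size,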
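--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1044,8 +1044,10 @@ static int __do_replace(struct net *net, const char *name,
 
 	xt_free_table_info(oldinfo);
 	if (copy_to_user(counters_ptr, counters,
-			 sizeof(struct xt_counters) * num_counters) != 0)
-		ret = -EFAULT;
+			 sizeof(struct xt_counters) * num_counters) != 0) {
+		/* Silent error, can't fail, new table is already in place */
+		net_warn_ratelimited("arptables: counters copy to user failed while replacing table\n");
+	}
 	vfree(counters);
 	xt_table_unlock(t);
 	return ret;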
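Review bot: The copy-failure branch added at lines 1047-1050 is repeated verbatim in ip_tables.c (line 1234) and ip6_tables.c (line 1244), differing only in the tool name in the warning; all three `__do_replace` functions already sit on top of x_tables, so a small shared helper taking the name string would keep the three in step the next time this contract changes. The comment should also spell out what the caller now observes, since the only remaining signal is the rate-limited log line: `/* Silent error, can't fail, new table is already in place; userspace gets 0 but its counters buffer is not reliably filled */`. `__do_replace` begins outside the hunk in each of the three files, so where `ret` is last assigned before this point is not visible here.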
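--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1231,8 +1231,10 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
 
 	xt_free_table_info(oldinfo);
 	if (copy_to_user(counters_ptr, counters,
-			 sizeof(struct xt_counters) * num_counters) != 0)
-		ret = -EFAULT;
+			 sizeof(struct xt_counters) * num_counters) != 0) {
+		/* Silent error, can't fail, new table is already in place */
+		net_warn_ratelimited("iptables: counters copy to user failed while replacing table\n");
+	}
 	vfree(counters);
 	xt_table_unlock(t);
 	return ret;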
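--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1241,8 +1241,10 @@ __do_replace(struct net *net, const char *name, unsigned int valid_hooks,
 
 	xt_free_table_info(oldinfo);
 	if (copy_to_user(counters_ptr, counters,
-			 sizeof(struct xt_counters) * num_counters) != 0)
-		ret = -EFAULT;
+			 sizeof(struct xt_counters) * num_counters) != 0) {
+		/* Silent error, can't fail, new table is already in place */
+		net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
+	}
 	vfree(counters);
 	xt_table_unlock(t);
 	return ret;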
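--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -152,8 +152,8 @@ nf_tables_chain_type_lookup(const struct nft_af_info *afi,
 #ifdef CONFIG_MODULES
 	if (autoload) {
 		nfnl_unlock(NFNL_SUBSYS_NFTABLES);
-		request_module("nft-chain-%u-%*.s", afi->family,
-			       nla_len(nla)-1, (const char *)nla_data(nla));
+		request_module("nft-chain-%u-%.*s", afi->family,
+			       nla_len(nla), (const char *)nla_data(nla));
 		nfnl_lock(NFNL_SUBSYS_NFTABLES);
 		type = __nf_tables_chain_type_lookup(afi->family, nla);
 		if (type != NULL)
@@ -1946,7 +1946,8 @@ static const struct nft_set_ops *nft_select_set_ops(const struct nlattr * const
 
 static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
 	[NFTA_SET_TABLE]		= { .type = NLA_STRING },
-	[NFTA_SET_NAME]			= { .type = NLA_STRING },
+	[NFTA_SET_NAME]			= { .type = NLA_STRING,
+					    .len = IFNAMSIZ - 1 },
 	[NFTA_SET_FLAGS]		= { .type = NLA_U32 },
 	[NFTA_SET_KEY_TYPE]		= { .type = NLA_U32 },
 	[NFTA_SET_KEY_LEN]		= { .type = NLA_U32 },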
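Review bot: The new `.len = IFNAMSIZ - 1` bound on `NFTA_SET_NAME` (lines 1949-1950) borrows a network-interface constant for a set-name limit, so the policy is only correct as long as the buffer the name is later copied into happens to be `IFNAMSIZ` bytes; that buffer is outside this hunk and should be checked. A dedicated constant such as `NFT_SET_MAXNAMELEN` (defined as `IFNAMSIZ` today) used both here and at the destination would document the intent and make the two sizes change together, which is the point of bounding a user-supplied string at the policy layer in the first place.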
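--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -54,7 +54,8 @@ static struct xt_match cgroup_mt_reg __read_mostly = {
 	.matchsize	= sizeof(struct xt_cgroup_info),
 	.me		= THIS_MODULE,
 	.hooks		= (1 << NF_INET_LOCAL_OUT) |
-			  (1 << NF_INET_POST_ROUTING),
+			  (1 << NF_INET_POST_ROUTING) |
+			  (1 << NF_INET_LOCAL_IN),
 };
 
 static int __init cgroup_mt_init(void)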
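Review bot: Adding `NF_INET_LOCAL_IN` to `.hooks` (line 58) exposes the match on the input path, where, as far as can be told from outside this hunk, the socket the match keys on is only attached to the skb when early demux has already run; packets without a demuxed socket will presumably fall through as non-matching rather than failing loudly. That caveat belongs next to the hook mask so rule authors do not write INPUT rules that are silently ineffective: `/* LOCAL_IN: only matches when early demux attached a socket */`, with the same wording in the userspace extension's help text. The match function itself is outside the hunk, so the exact behaviour for socket-less skbs should be confirmed there.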
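--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -32,8 +32,14 @@
 #include <net/netfilter/nf_conntrack_tuple.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 
-#define CONNLIMIT_SLOTS		32
-#define CONNLIMIT_LOCK_SLOTS	32
+#define CONNLIMIT_SLOTS		256U
+
+#ifdef CONFIG_LOCKDEP
+#define CONNLIMIT_LOCK_SLOTS	8U
+#else
+#define CONNLIMIT_LOCK_SLOTS	256U
+#endif
+
 #define CONNLIMIT_GC_MAX_NODES	8
 
 /* we will save the tuples of all connections we care about */
@@ -49,10 +55,11 @@ struct xt_connlimit_rb {
 	union nf_inet_addr addr; /* search key */
 };
 
+static spinlock_t xt_connlimit_locks[CONNLIMIT_LOCK_SLOTS] __cacheline_aligned_in_smp;
+
 struct xt_connlimit_data {
 	struct rb_root climit_root4[CONNLIMIT_SLOTS];
 	struct rb_root climit_root6[CONNLIMIT_SLOTS];
-	spinlock_t		locks[CONNLIMIT_LOCK_SLOTS];
 };
 
 static u_int32_t connlimit_rnd __read_mostly;
@@ -297,11 +304,11 @@ static int count_them(struct net *net,
 		root = &data->climit_root4[hash];
 	}
 
-	spin_lock_bh(&data->locks[hash % CONNLIMIT_LOCK_SLOTS]);
+	spin_lock_bh(&xt_connlimit_locks[hash % CONNLIMIT_LOCK_SLOTS]);
 
 	count = count_tree(net, root, tuple, addr, mask, family);
 
-	spin_unlock_bh(&data->locks[hash % CONNLIMIT_LOCK_SLOTS]);
+	spin_unlock_bh(&xt_connlimit_locks[hash % CONNLIMIT_LOCK_SLOTS]);
 
 	return count;
 }
@@ -377,9 +384,6 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
 		return -ENOMEM;
 	}
 
-	for (i = 0; i < ARRAY_SIZE(info->data->locks); ++i)
-		spin_lock_init(&info->data->locks[i]);
-
 	for (i = 0; i < ARRAY_SIZE(info->data->climit_root4); ++i)
 		info->data->climit_root4[i] = RB_ROOT;
 	for (i = 0; i < ARRAY_SIZE(info->data->climit_root6); ++i)
@@ -435,11 +439,14 @@ static struct xt_match connlimit_mt_reg __read_mostly = {
 
 static int __init connlimit_mt_init(void)
 {
-	int ret;
+	int ret, i;
 
 	BUILD_BUG_ON(CONNLIMIT_LOCK_SLOTS > CONNLIMIT_SLOTS);
 	BUILD_BUG_ON((CONNLIMIT_SLOTS % CONNLIMIT_LOCK_SLOTS) != 0);
 
+	for (i = 0; i < CONNLIMIT_LOCK_SLOTS; ++i)
+		spin_lock_init(&xt_connlimit_locks[i]);
+
 	connlimit_conn_cachep = kmem_cache_create("xt_connlimit_conn",
 					    sizeof(struct xt_connlimit_conn),
 					    0, 0, NULL);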
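Review bot: `int ret, i;` on line 442 pairs a signed loop index with `CONNLIMIT_LOCK_SLOTS`, which this commit turns into the unsigned literals `256U`/`8U`, so `i < CONNLIMIT_LOCK_SLOTS` on line 447 is a signed/unsigned comparison that `-Wsign-compare` reports; declaring `unsigned int i;` avoids it and matches the new constants. The `CONFIG_LOCKDEP` branch at lines 37-41 shrinks the lock array from 256 to 8 without saying why; a one-line comment naming the lockdep limitation being worked around would spare the next reader from re-deriving it. Moving the locks into the file-scope `xt_connlimit_locks` (line 58) also makes them shared by every connlimit rule in every network namespace, which is presumably acceptable because they are only held across a tree walk, but that sharing deserves a comment on the declaration so it is not mistaken for per-rule state.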
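--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -422,4 +422,6 @@ module_exit(xt_osf_fini);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Evgeniy Polyakov <zbr@ioremap.net>");
 MODULE_DESCRIPTION("Passive OS fingerprint matching.");
+MODULE_ALIAS("ipt_osf");
+MODULE_ALIAS("ip6t_osf");
 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF);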