22 files changed, 143 insertions, 127 deletions

diff --git a/include/net/arp.h b/include/net/arp.h
index 752eb47b2678..c236270ec95e 100644
--- a/include/net/arp.h
+++ b/include/net/arp.h
@@ -13,15 +13,17 @@ extern int	arp_find(unsigned char *haddr, struct sk_buff *skb);
 extern int      arp_ioctl(struct net *net, unsigned int cmd, void __user *arg);
 extern void     arp_send(int type, int ptype, __be32 dest_ip,
                          struct net_device *dev, __be32 src_ip,
-                         unsigned char *dest_hw, unsigned char *src_hw, unsigned char *th);
+                         const unsigned char *dest_hw,
+                         const unsigned char *src_hw, const unsigned char *th);
 extern int      arp_bind_neighbour(struct dst_entry *dst);
 extern int      arp_mc_map(__be32 addr, u8 *haddr, struct net_device *dev, int dir);
 extern void     arp_ifdown(struct net_device *dev);
 
 extern struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
                                   struct net_device *dev, __be32 src_ip,
-                                  unsigned char *dest_hw, unsigned char *src_hw,
-                                  unsigned char *target_hw);
+                                  const unsigned char *dest_hw,
+                                  const unsigned char *src_hw,
+                                  const unsigned char *target_hw);
 extern void arp_xmit(struct sk_buff *skb);
 
 extern struct neigh_ops arp_broken_ops;
diff --git a/include/net/esp.h b/include/net/esp.h
index c05f529bff28..d58451331dbd 100644
--- a/include/net/esp.h
+++ b/include/net/esp.h
@@ -1,58 +1,20 @@
 #ifndef _NET_ESP_H
 #define _NET_ESP_H
 
-#include <linux/crypto.h>
-#include <net/xfrm.h>
-#include <linux/scatterlist.h>
+#include <linux/skbuff.h>
 
-#define ESP_NUM_FAST_SG         4
+struct crypto_aead;
 
-struct esp_data
-{
-        struct scatterlist              sgbuf[ESP_NUM_FAST_SG];
-
-        /* Confidentiality */
-        struct {
-                int                     padlen;         /* 0..255 */
-                /* ivlen is offset from enc_data, where encrypted data start.
-                 * It is logically different of crypto_tfm_alg_ivsize(tfm).
-                 * We assume that it is either zero (no ivec), or
-                 * >= crypto_tfm_alg_ivsize(tfm). */
-                int                     ivlen;
-                int                     ivinitted;
-                u8                      *ivec;          /* ivec buffer */
-                struct crypto_blkcipher *tfm;           /* crypto handle */
-        } conf;
-
-        /* Integrity. It is active when icv_full_len != 0 */
-        struct {
-                u8                      *work_icv;
-                int                     icv_full_len;
-                int                     icv_trunc_len;
-                struct crypto_hash      *tfm;
-        } auth;
+struct esp_data {
+        /* 0..255 */
+        int padlen;
+
+        /* Confidentiality & Integrity */
+        struct crypto_aead *aead;
 };
 
 extern void *pskb_put(struct sk_buff *skb, struct sk_buff *tail, int len);
 
-static inline int esp_mac_digest(struct esp_data *esp, struct sk_buff *skb,
-                                 int offset, int len)
-{
-        struct hash_desc desc;
-        int err;
-
-        desc.tfm = esp->auth.tfm;
-        desc.flags = 0;
-
-        err = crypto_hash_init(&desc);
-        if (unlikely(err))
-                return err;
-        err = skb_icv_walk(skb, &desc, offset, len, crypto_hash_update);
-        if (unlikely(err))
-                return err;
-        return crypto_hash_final(&desc, esp->auth.work_icv);
-}
-
 struct ip_esp_hdr;
 
 static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h
index 668056b4bb0b..fdff630708ce 100644
--- a/include/net/inet6_hashtables.h
+++ b/include/net/inet6_hashtables.h
@@ -57,34 +57,37 @@ extern void __inet6_hash(struct inet_hashinfo *hashinfo, struct sock *sk);
  *
  * The sockhash lock must be held as a reader here.
  */
-extern struct sock *__inet6_lookup_established(struct inet_hashinfo *hashinfo,
+extern struct sock *__inet6_lookup_established(struct net *net,
+                                           struct inet_hashinfo *hashinfo,
                                            const struct in6_addr *saddr,
                                            const __be16 sport,
                                            const struct in6_addr *daddr,
                                            const u16 hnum,
                                            const int dif);
 
-extern struct sock *inet6_lookup_listener(struct inet_hashinfo *hashinfo,
+extern struct sock *inet6_lookup_listener(struct net *net,
+                                          struct inet_hashinfo *hashinfo,
                                           const struct in6_addr *daddr,
                                           const unsigned short hnum,
                                           const int dif);
 
-static inline struct sock *__inet6_lookup(struct inet_hashinfo *hashinfo,
+static inline struct sock *__inet6_lookup(struct net *net,
+                                          struct inet_hashinfo *hashinfo,
                                           const struct in6_addr *saddr,
                                           const __be16 sport,
                                           const struct in6_addr *daddr,
                                           const u16 hnum,
                                           const int dif)
 {
-        struct sock *sk = __inet6_lookup_established(hashinfo, saddr, sport,
-                                                     daddr, hnum, dif);
+        struct sock *sk = __inet6_lookup_established(net, hashinfo, saddr,
+                                                sport, daddr, hnum, dif);
         if (sk)
                 return sk;
 
-        return inet6_lookup_listener(hashinfo, daddr, hnum, dif);
+        return inet6_lookup_listener(net, hashinfo, daddr, hnum, dif);
 }
 
-extern struct sock *inet6_lookup(struct inet_hashinfo *hashinfo,
+extern struct sock *inet6_lookup(struct net *net, struct inet_hashinfo *hashinfo,
                                  const struct in6_addr *saddr, const __be16 sport,
                                  const struct in6_addr *daddr, const __be16 dport,
                                  const int dif);
diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h
index 761bdc01425d..c23c4ed30724 100644
--- a/include/net/inet_hashtables.h
+++ b/include/net/inet_hashtables.h
@@ -74,6 +74,7 @@ struct inet_ehash_bucket {
  * ports are created in O(1) time?  I thought so. ;-)   -DaveM
  */
 struct inet_bind_bucket {
+        struct net              *ib_net;
         unsigned short          port;
         signed short            fastreuse;
         struct hlist_node       node;
@@ -194,6 +195,7 @@ static inline void inet_ehash_locks_free(struct inet_hashinfo *hashinfo)
 
 extern struct inet_bind_bucket *
                     inet_bind_bucket_create(struct kmem_cache *cachep,
+                                            struct net *net,
                                             struct inet_bind_hashbucket *head,
                                             const unsigned short snum);
 extern void inet_bind_bucket_destroy(struct kmem_cache *cachep,
@@ -300,15 +302,17 @@ out:
                 wake_up(&hashinfo->lhash_wait);
 }
 
-extern struct sock *__inet_lookup_listener(struct inet_hashinfo *hashinfo,
+extern struct sock *__inet_lookup_listener(struct net *net,
+                                           struct inet_hashinfo *hashinfo,
                                            const __be32 daddr,
                                            const unsigned short hnum,
                                            const int dif);
 
-static inline struct sock *inet_lookup_listener(struct inet_hashinfo *hashinfo,
-                                                __be32 daddr, __be16 dport, int dif)
+static inline struct sock *inet_lookup_listener(struct net *net,
+                struct inet_hashinfo *hashinfo,
+                __be32 daddr, __be16 dport, int dif)
 {
-        return __inet_lookup_listener(hashinfo, daddr, ntohs(dport), dif);
+        return __inet_lookup_listener(net, hashinfo, daddr, ntohs(dport), dif);
 }
 
 /* Socket demux engine toys. */
@@ -342,26 +346,26 @@ typedef __u64 __bitwise __addrpair;
                                    (((__force __u64)(__be32)(__daddr)) << 32) | \
                                    ((__force __u64)(__be32)(__saddr)));
 #endif /* __BIG_ENDIAN */
-#define INET_MATCH(__sk, __hash, __cookie, __saddr, __daddr, __ports, __dif)\
-        (((__sk)->sk_hash == (__hash))                          &&      \
+#define INET_MATCH(__sk, __net, __hash, __cookie, __saddr, __daddr, __ports, __dif)\
+        (((__sk)->sk_hash == (__hash)) && ((__sk)->sk_net == (__net))   &&      \
          ((*((__addrpair *)&(inet_sk(__sk)->daddr))) == (__cookie))     &&      \
          ((*((__portpair *)&(inet_sk(__sk)->dport))) == (__ports))      &&      \
          (!((__sk)->sk_bound_dev_if) || ((__sk)->sk_bound_dev_if == (__dif))))
-#define INET_TW_MATCH(__sk, __hash, __cookie, __saddr, __daddr, __ports, __dif)\
-        (((__sk)->sk_hash == (__hash))                          &&      \
+#define INET_TW_MATCH(__sk, __net, __hash, __cookie, __saddr, __daddr, __ports, __dif)\
+        (((__sk)->sk_hash == (__hash)) && ((__sk)->sk_net == (__net))   &&      \
          ((*((__addrpair *)&(inet_twsk(__sk)->tw_daddr))) == (__cookie)) &&     \
          ((*((__portpair *)&(inet_twsk(__sk)->tw_dport))) == (__ports)) &&      \
          (!((__sk)->sk_bound_dev_if) || ((__sk)->sk_bound_dev_if == (__dif))))
 #else /* 32-bit arch */
 #define INET_ADDR_COOKIE(__name, __saddr, __daddr)
-#define INET_MATCH(__sk, __hash, __cookie, __saddr, __daddr, __ports, __dif)    \
-        (((__sk)->sk_hash == (__hash))                          &&      \
+#define INET_MATCH(__sk, __net, __hash, __cookie, __saddr, __daddr, __ports, __dif)     \
+        (((__sk)->sk_hash == (__hash)) && ((__sk)->sk_net == (__net))   &&      \
          (inet_sk(__sk)->daddr          == (__saddr))           &&      \
          (inet_sk(__sk)->rcv_saddr      == (__daddr))           &&      \
          ((*((__portpair *)&(inet_sk(__sk)->dport))) == (__ports))      &&      \
          (!((__sk)->sk_bound_dev_if) || ((__sk)->sk_bound_dev_if == (__dif))))
-#define INET_TW_MATCH(__sk, __hash,__cookie, __saddr, __daddr, __ports, __dif)  \
-        (((__sk)->sk_hash == (__hash))                          &&      \
+#define INET_TW_MATCH(__sk, __net, __hash,__cookie, __saddr, __daddr, __ports, __dif)   \
+        (((__sk)->sk_hash == (__hash)) && ((__sk)->sk_net == (__net))   &&      \
          (inet_twsk(__sk)->tw_daddr     == (__saddr))           &&      \
          (inet_twsk(__sk)->tw_rcv_saddr == (__daddr))           &&      \
          ((*((__portpair *)&(inet_twsk(__sk)->tw_dport))) == (__ports)) &&      \
@@ -374,32 +378,36 @@ typedef __u64 __bitwise __addrpair;
  *
  * Local BH must be disabled here.
  */
-extern struct sock * __inet_lookup_established(struct inet_hashinfo *hashinfo,
+extern struct sock * __inet_lookup_established(struct net *net,
+                struct inet_hashinfo *hashinfo,
                 const __be32 saddr, const __be16 sport,
                 const __be32 daddr, const u16 hnum, const int dif);
 
 static inline struct sock *
-        inet_lookup_established(struct inet_hashinfo *hashinfo,
+        inet_lookup_established(struct net *net, struct inet_hashinfo *hashinfo,
                                 const __be32 saddr, const __be16 sport,
                                 const __be32 daddr, const __be16 dport,
                                 const int dif)
 {
-        return __inet_lookup_established(hashinfo, saddr, sport, daddr,
+        return __inet_lookup_established(net, hashinfo, saddr, sport, daddr,
                                          ntohs(dport), dif);
 }
 
-static inline struct sock *__inet_lookup(struct inet_hashinfo *hashinfo,
+static inline struct sock *__inet_lookup(struct net *net,
+                                         struct inet_hashinfo *hashinfo,
                                          const __be32 saddr, const __be16 sport,
                                          const __be32 daddr, const __be16 dport,
                                          const int dif)
 {
         u16 hnum = ntohs(dport);
-        struct sock *sk = __inet_lookup_established(hashinfo, saddr, sport, daddr,
-                                                    hnum, dif);
-        return sk ? : __inet_lookup_listener(hashinfo, daddr, hnum, dif);
+        struct sock *sk = __inet_lookup_established(net, hashinfo,
+                                saddr, sport, daddr, hnum, dif);
+
+        return sk ? : __inet_lookup_listener(net, hashinfo, daddr, hnum, dif);
 }
 
-static inline struct sock *inet_lookup(struct inet_hashinfo *hashinfo,
+static inline struct sock *inet_lookup(struct net *net,
+                                       struct inet_hashinfo *hashinfo,
                                        const __be32 saddr, const __be16 sport,
                                        const __be32 daddr, const __be16 dport,
                                        const int dif)
@@ -407,12 +415,17 @@ static inline struct sock *inet_lookup(struct inet_hashinfo *hashinfo,
         struct sock *sk;
 
         local_bh_disable();
-        sk = __inet_lookup(hashinfo, saddr, sport, daddr, dport, dif);
+        sk = __inet_lookup(net, hashinfo, saddr, sport, daddr, dport, dif);
         local_bh_enable();
 
         return sk;
 }
 
+extern int __inet_hash_connect(struct inet_timewait_death_row *death_row,
+                struct sock *sk,
+                int (*check_established)(struct inet_timewait_death_row *,
+                        struct sock *, __u16, struct inet_timewait_sock **),
+                void (*hash)(struct inet_hashinfo *, struct sock *));
 extern int inet_hash_connect(struct inet_timewait_death_row *death_row,
                              struct sock *sk);
 #endif /* _INET_HASHTABLES_H */
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index 9daa60b544ba..90d1175f63de 100644
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -69,6 +69,7 @@ struct fib_nh {
 struct fib_info {
         struct hlist_node       fib_hash;
         struct hlist_node       fib_lhash;
+        struct net              *fib_net;
         int                     fib_treeref;
         atomic_t                fib_clntref;
         int                     fib_dead;
@@ -218,7 +219,8 @@ extern void fib_select_default(struct net *net, const struct flowi *flp,
 
 /* Exported by fib_semantics.c */
 extern int ip_fib_check_default(__be32 gw, struct net_device *dev);
-extern int fib_sync_down(__be32 local, struct net_device *dev, int force);
+extern int fib_sync_down_dev(struct net_device *dev, int force);
+extern int fib_sync_down_addr(struct net *net, __be32 local);
 extern int fib_sync_up(struct net_device *dev);
 extern __be32  __fib_res_prefsrc(struct fib_result *res);
 extern void fib_select_multipath(const struct flowi *flp, struct fib_result *res);
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index b8c1d60ba9e4..28738b7d53eb 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -12,6 +12,7 @@
 #include <net/netns/packet.h>
 #include <net/netns/ipv4.h>
 #include <net/netns/ipv6.h>
+#include <net/netns/x_tables.h>
 
 struct proc_dir_entry;
 struct net_device;
@@ -56,6 +57,9 @@ struct net {
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
         struct netns_ipv6       ipv6;
 #endif
+#ifdef CONFIG_NETFILTER
+        struct netns_xt         xt;
+#endif
 };
 
 #ifdef CONFIG_NET
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 857d89951790..90b3e7f5df5f 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -129,6 +129,8 @@ struct nf_conn
 
         /* Extensions */
         struct nf_ct_ext *ext;
+
+        struct rcu_head rcu;
 };
 
 static inline struct nf_conn *
@@ -143,7 +145,7 @@ nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
 
 /* Alter reply tuple (maybe alter helper). */
 extern void
-nf_conntrack_alter_reply(struct nf_conn *conntrack,
+nf_conntrack_alter_reply(struct nf_conn *ct,
                          const struct nf_conntrack_tuple *newreply);
 
 /* Is this tuple taken? (ignoring any belonging to the given
@@ -171,13 +173,12 @@ static inline void nf_ct_put(struct nf_conn *ct)
 extern int nf_ct_l3proto_try_module_get(unsigned short l3proto);
 extern void nf_ct_l3proto_module_put(unsigned short l3proto);
 
-extern struct hlist_head *nf_ct_alloc_hashtable(int *sizep, int *vmalloced);
+extern struct hlist_head *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced);
 extern void nf_ct_free_hashtable(struct hlist_head *hash, int vmalloced,
-                                 int size);
+                                 unsigned int size);
 
 extern struct nf_conntrack_tuple_hash *
-__nf_conntrack_find(const struct nf_conntrack_tuple *tuple,
-                    const struct nf_conn *ignored_conntrack);
+__nf_conntrack_find(const struct nf_conntrack_tuple *tuple);
 
 extern void nf_conntrack_hash_insert(struct nf_conn *ct);
 
@@ -215,9 +216,9 @@ static inline void nf_ct_refresh(struct nf_conn *ct,
 
 /* These are for NAT.  Icky. */
 /* Update TCP window tracking data when NAT mangles the packet */
-extern void nf_conntrack_tcp_update(struct sk_buff *skb,
+extern void nf_conntrack_tcp_update(const struct sk_buff *skb,
                                     unsigned int dataoff,
-                                    struct nf_conn *conntrack,
+                                    struct nf_conn *ct,
                                     int dir);
 
 /* Fake conntrack entry for untracked connections */
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 7ad0828f05cf..9ee26469c759 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -68,11 +68,11 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
 
 int
 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
-            struct nf_conntrack_l3proto *l3proto,
-            struct nf_conntrack_l4proto *proto);
+            const struct nf_conntrack_l3proto *l3proto,
+            const struct nf_conntrack_l4proto *proto);
 
 extern struct hlist_head *nf_conntrack_hash;
-extern rwlock_t nf_conntrack_lock ;
+extern spinlock_t nf_conntrack_lock ;
 extern struct hlist_head unconfirmed;
 
 #endif /* _NF_CONNTRACK_CORE_H */
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 6c3fd254c28e..cb608a1b44e5 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -49,6 +49,8 @@ struct nf_conntrack_expect
         /* Direction relative to the master connection. */
         enum ip_conntrack_dir dir;
 #endif
+
+        struct rcu_head rcu;
 };
 
 #define NF_CT_EXPECT_PERMANENT 0x1
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index 2f3af00643cf..4ca125e9b3ce 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -43,12 +43,8 @@ extern struct nf_conntrack_helper *
 __nf_ct_helper_find(const struct nf_conntrack_tuple *tuple);
 
 extern struct nf_conntrack_helper *
-nf_ct_helper_find_get( const struct nf_conntrack_tuple *tuple);
-
-extern struct nf_conntrack_helper *
 __nf_conntrack_helper_find_byname(const char *name);
 
-extern void nf_ct_helper_put(struct nf_conntrack_helper *helper);
 extern int nf_conntrack_helper_register(struct nf_conntrack_helper *);
 extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *);
 
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index d5526bcce147..b886e3ae6cad 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -43,7 +43,7 @@ struct nf_conntrack_l3proto
                            const struct nf_conntrack_tuple *);
 
         /* Returns verdict for packet, or -1 for invalid. */
-        int (*packet)(struct nf_conn *conntrack,
+        int (*packet)(struct nf_conn *ct,
                       const struct sk_buff *skb,
                       enum ip_conntrack_info ctinfo);
 
@@ -51,7 +51,7 @@ struct nf_conntrack_l3proto
          * Called when a new connection for this protocol found;
          * returns TRUE if it's OK.  If so, packet() called next.
          */
-        int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb);
+        int (*new)(struct nf_conn *ct, const struct sk_buff *skb);
 
         /*
          * Called before tracking. 
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index fb50c217ba0a..efc16eccddb1 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -23,9 +23,6 @@ struct nf_conntrack_l4proto
         /* L4 Protocol number. */
         u_int8_t l4proto;
 
-        /* Protocol name */
-        const char *name;
-
         /* Try to fill in the third arg: dataoff is offset past network protocol
            hdr.  Return true if possible. */
         int (*pkt_to_tuple)(const struct sk_buff *skb,
@@ -38,15 +35,8 @@ struct nf_conntrack_l4proto
         int (*invert_tuple)(struct nf_conntrack_tuple *inverse,
                             const struct nf_conntrack_tuple *orig);
 
-        /* Print out the per-protocol part of the tuple. Return like seq_* */
-        int (*print_tuple)(struct seq_file *s,
-                           const struct nf_conntrack_tuple *);
-
-        /* Print out the private part of the conntrack. */
-        int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
-
         /* Returns verdict for packet, or -1 for invalid. */
-        int (*packet)(struct nf_conn *conntrack,
+        int (*packet)(struct nf_conn *ct,
                       const struct sk_buff *skb,
                       unsigned int dataoff,
                       enum ip_conntrack_info ctinfo,
@@ -55,16 +45,23 @@ struct nf_conntrack_l4proto
 
         /* Called when a new connection for this protocol found;
          * returns TRUE if it's OK.  If so, packet() called next. */
-        int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb,
+        int (*new)(struct nf_conn *ct, const struct sk_buff *skb,
                    unsigned int dataoff);
 
         /* Called when a conntrack entry is destroyed */
-        void (*destroy)(struct nf_conn *conntrack);
+        void (*destroy)(struct nf_conn *ct);
 
         int (*error)(struct sk_buff *skb, unsigned int dataoff,
                      enum ip_conntrack_info *ctinfo,
                      int pf, unsigned int hooknum);
 
+        /* Print out the per-protocol part of the tuple. Return like seq_* */
+        int (*print_tuple)(struct seq_file *s,
+                           const struct nf_conntrack_tuple *);
+
+        /* Print out the private part of the conntrack. */
+        int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
+
         /* convert protoinfo to nfnetink attributes */
         int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla,
                          const struct nf_conn *ct);
@@ -87,6 +84,8 @@ struct nf_conntrack_l4proto
         struct ctl_table        *ctl_compat_table;
 #endif
 #endif
+        /* Protocol name */
+        const char *name;
 
         /* Module (if any) which this is connected to. */
         struct module *me;
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index 45cb17cdcfd0..e69ab2e87597 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -132,34 +132,33 @@ struct nf_conntrack_tuple_hash
 
 #endif /* __KERNEL__ */
 
-static inline int nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
-                                        const struct nf_conntrack_tuple *t2)
+static inline int __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
+                                          const struct nf_conntrack_tuple *t2)
 { 
         return (t1->src.u3.all[0] == t2->src.u3.all[0] &&
                 t1->src.u3.all[1] == t2->src.u3.all[1] &&
                 t1->src.u3.all[2] == t2->src.u3.all[2] &&
                 t1->src.u3.all[3] == t2->src.u3.all[3] &&
                 t1->src.u.all == t2->src.u.all &&
-                t1->src.l3num == t2->src.l3num &&
-                t1->dst.protonum == t2->dst.protonum);
+                t1->src.l3num == t2->src.l3num);
 }
 
-static inline int nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
-                                        const struct nf_conntrack_tuple *t2)
+static inline int __nf_ct_tuple_dst_equal(const struct nf_conntrack_tuple *t1,
+                                          const struct nf_conntrack_tuple *t2)
 {
         return (t1->dst.u3.all[0] == t2->dst.u3.all[0] &&
                 t1->dst.u3.all[1] == t2->dst.u3.all[1] &&
                 t1->dst.u3.all[2] == t2->dst.u3.all[2] &&
                 t1->dst.u3.all[3] == t2->dst.u3.all[3] &&
                 t1->dst.u.all == t2->dst.u.all &&
-                t1->src.l3num == t2->src.l3num &&
                 t1->dst.protonum == t2->dst.protonum);
 }
 
 static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
                                     const struct nf_conntrack_tuple *t2)
 {
-        return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);
+        return __nf_ct_tuple_src_equal(t1, t2) &&
+               __nf_ct_tuple_dst_equal(t1, t2);
 }
 
 static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
@@ -199,7 +198,7 @@ static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
                                        const struct nf_conntrack_tuple_mask *mask)
 {
         return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
-               nf_ct_tuple_dst_equal(t, tuple);
+               __nf_ct_tuple_dst_equal(t, tuple);
 }
 
 #endif /* _NF_CONNTRACK_TUPLE_H */
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 037e82403f91..8c6b5ae45534 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -54,6 +54,6 @@ void nf_log_packet(int pf,
                    const struct net_device *in,
                    const struct net_device *out,
                    const struct nf_loginfo *li,
-                   const char *fmt, ...);
+                   const char *fmt, ...) __attribute__ ((format(printf,7,8)));
 
 #endif /* _NF_LOG_H */
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index 15a0b052df22..a9b4f6086294 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -27,5 +27,11 @@ struct netns_ipv4 {
         struct sock             *fibnl;
 
         struct netns_frags      frags;
+#ifdef CONFIG_NETFILTER
+        struct xt_table         *iptable_filter;
+        struct xt_table         *iptable_mangle;
+        struct xt_table         *iptable_raw;
+        struct xt_table         *arptable_filter;
+#endif
 };
 #endif
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index 187c4248df22..1dd7de4e4195 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -31,5 +31,10 @@ struct netns_ipv6 {
         struct ipv6_devconf     *devconf_all;
         struct ipv6_devconf     *devconf_dflt;
         struct netns_frags      frags;
+#ifdef CONFIG_NETFILTER
+        struct xt_table         *ip6table_filter;
+        struct xt_table         *ip6table_mangle;
+        struct xt_table         *ip6table_raw;
+#endif
 };
 #endif
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
new file mode 100644
index 000000000000..0cb63ed2c1fc
--- /dev/null
+++ b/include/net/netns/x_tables.h
@@ -0,0 +1,10 @@
+#ifndef __NETNS_X_TABLES_H
+#define __NETNS_X_TABLES_H
+
+#include <linux/list.h>
+#include <linux/net.h>
+
+struct netns_xt {
+        struct list_head tables[NPROTO];
+};
+#endif
diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h
index 8716eb757d51..d349c66ef828 100644
--- a/include/net/pkt_cls.h
+++ b/include/net/pkt_cls.h
@@ -131,14 +131,14 @@ tcf_exts_exec(struct sk_buff *skb, struct tcf_exts *exts,
 
 extern int tcf_exts_validate(struct tcf_proto *tp, struct nlattr **tb,
                              struct nlattr *rate_tlv, struct tcf_exts *exts,
-                             struct tcf_ext_map *map);
+                             const struct tcf_ext_map *map);
 extern void tcf_exts_destroy(struct tcf_proto *tp, struct tcf_exts *exts);
 extern void tcf_exts_change(struct tcf_proto *tp, struct tcf_exts *dst,
                              struct tcf_exts *src);
 extern int tcf_exts_dump(struct sk_buff *skb, struct tcf_exts *exts,
-                         struct tcf_ext_map *map);
+                         const struct tcf_ext_map *map);
 extern int tcf_exts_dump_stats(struct sk_buff *skb, struct tcf_exts *exts,
-                               struct tcf_ext_map *map);
+                               const struct tcf_ext_map *map);
 
 /**
  * struct tcf_pkt_info - packet information
diff --git a/include/net/raw.h b/include/net/raw.h
index cca81d8b2d8b..1828f81fe374 100644
--- a/include/net/raw.h
+++ b/include/net/raw.h
@@ -41,7 +41,6 @@ extern void raw_proc_exit(void);
 struct raw_iter_state {
         struct seq_net_private p;
         int bucket;
-        unsigned short family;
         struct raw_hashinfo *h;
 };
 
@@ -49,8 +48,8 @@ struct raw_iter_state {
 void *raw_seq_start(struct seq_file *seq, loff_t *pos);
 void *raw_seq_next(struct seq_file *seq, void *v, loff_t *pos);
 void raw_seq_stop(struct seq_file *seq, void *v);
-int raw_seq_open(struct inode *ino, struct file *file, struct raw_hashinfo *h,
-                unsigned short family);
+int raw_seq_open(struct inode *ino, struct file *file,
+                 struct raw_hashinfo *h, const struct seq_operations *ops);
 
 #endif
 
diff --git a/include/net/route.h b/include/net/route.h
index 4eabf008413b..eadad5901429 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -27,6 +27,7 @@
 #include <net/dst.h>
 #include <net/inetpeer.h>
 #include <net/flow.h>
+#include <net/sock.h>
 #include <linux/in_route.h>
 #include <linux/rtnetlink.h>
 #include <linux/route.h>
@@ -61,6 +62,7 @@ struct rtable
 
         struct in_device        *idev;
         
+        int                     rt_genid;
         unsigned                rt_flags;
         __u16                   rt_type;
 
@@ -149,6 +151,7 @@ static inline int ip_route_connect(struct rtable **rp, __be32 dst,
                                    int flags)
 {
         struct flowi fl = { .oif = oif,
+                            .mark = sk->sk_mark,
                             .nl_u = { .ip4_u = { .daddr = dst,
                                                  .saddr = src,
                                                  .tos   = tos } },
diff --git a/include/net/sock.h b/include/net/sock.h
index 902324488d0f..e3fb4c047f4c 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -262,6 +262,8 @@ struct sock {
         __u32                   sk_sndmsg_off;
         int                     sk_write_pending;
         void                    *sk_security;
+        __u32                   sk_mark;
+        /* XXX 4 bytes hole on 64 bit */
         void                    (*sk_state_change)(struct sock *sk);
         void                    (*sk_data_ready)(struct sock *sk, int bytes);
         void                    (*sk_write_space)(struct sock *sk);
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 5ebb9ba479b1..ac72116636ca 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -159,6 +159,7 @@ struct xfrm_state
         struct xfrm_algo        *aalg;
         struct xfrm_algo        *ealg;
         struct xfrm_algo        *calg;
+        struct xfrm_algo_aead   *aead;
 
         /* Data for encapsulator */
         struct xfrm_encap_tmpl  *encap;
@@ -201,7 +202,7 @@ struct xfrm_state
 
         /* Reference to data common to all the instances of this
          * transformer. */
-        struct xfrm_type        *type;
+        const struct xfrm_type  *type;
         struct xfrm_mode        *inner_mode;
         struct xfrm_mode        *outer_mode;
 
@@ -278,7 +279,7 @@ struct xfrm_state_afinfo {
         unsigned int            proto;
         unsigned int            eth_proto;
         struct module           *owner;
-        struct xfrm_type        *type_map[IPPROTO_MAX];
+        const struct xfrm_type  *type_map[IPPROTO_MAX];
         struct xfrm_mode        *mode_map[XFRM_MODE_MAX];
         int                     (*init_flags)(struct xfrm_state *x);
         void                    (*init_tempsel)(struct xfrm_state *x, struct flowi *fl,
@@ -321,8 +322,8 @@ struct xfrm_type
         u32                     (*get_mtu)(struct xfrm_state *, int size);
 };
 
-extern int xfrm_register_type(struct xfrm_type *type, unsigned short family);
-extern int xfrm_unregister_type(struct xfrm_type *type, unsigned short family);
+extern int xfrm_register_type(const struct xfrm_type *type, unsigned short family);
+extern int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family);
 
 struct xfrm_mode {
         /*
@@ -1108,6 +1109,10 @@ static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
 /*
  * xfrm algorithm information
  */
+struct xfrm_algo_aead_info {
+        u16 icv_truncbits;
+};
+
 struct xfrm_algo_auth_info {
         u16 icv_truncbits;
         u16 icv_fullbits;
@@ -1127,6 +1132,7 @@ struct xfrm_algo_desc {
         char *compat;
         u8 available:1;
         union {
+                struct xfrm_algo_aead_info aead;
                 struct xfrm_algo_auth_info auth;
                 struct xfrm_algo_encr_info encr;
                 struct xfrm_algo_comp_info comp;
@@ -1343,6 +1349,8 @@ extern struct xfrm_algo_desc *xfrm_calg_get_byid(int alg_id);
 extern struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe);
 extern struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe);
 extern struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe);
+extern struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len,
+                                                   int probe);
 
 struct hash_desc;
 struct scatterlist;