14 files changed, 99 insertions, 50 deletions

diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index e0cc9a7db2b5..7bdf6ffe2b49 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -250,6 +250,7 @@ struct inet6_skb_parm {
 
 #define IP6SKB_XFRM_TRANSFORMED 1
 #define IP6SKB_FORWARDED        2
+#define IP6SKB_REROUTED         4
 };
 
 #define IP6CB(skb)      ((struct inet6_skb_parm*)((skb)->cb))
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 9365227dbaf6..a38d6bd6fde6 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -4,6 +4,8 @@
 /*
  * 'kernel.h' contains some often-used function prototypes etc
  */
+#define __ALIGN_KERNEL(x, a)            __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
+#define __ALIGN_KERNEL_MASK(x, mask)    (((x) + (mask)) & ~(mask))
 
 #ifdef __KERNEL__
 
@@ -37,8 +39,8 @@ extern const char linux_proc_banner[];
 
 #define STACK_MAGIC     0xdeadbeef
 
-#define ALIGN(x,a)              __ALIGN_MASK(x,(typeof(x))(a)-1)
-#define __ALIGN_MASK(x,mask)    (((x)+(mask))&~(mask))
+#define ALIGN(x, a)             __ALIGN_KERNEL((x), (a))
+#define __ALIGN_MASK(x, mask)   __ALIGN_KERNEL_MASK((x), (mask))
 #define PTR_ALIGN(p, a)         ((typeof(p))ALIGN((unsigned long)(p), (a)))
 #define IS_ALIGNED(x, a)                (((x) & ((typeof(x))(a) - 1)) == 0)
 
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index a5a63e41b8af..48767cd16453 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -16,6 +16,7 @@ header-y += xt_RATEEST.h
 header-y += xt_SECMARK.h
 header-y += xt_TCPMSS.h
 header-y += xt_TCPOPTSTRIP.h
+header-y += xt_TEE.h
 header-y += xt_TPROXY.h
 header-y += xt_comment.h
 header-y += xt_connbytes.h
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
index 8e145f0d61cb..2ea22b018a87 100644
--- a/include/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -1,8 +1,7 @@
 #ifndef _NF_CONNTRACK_TUPLE_COMMON_H
 #define _NF_CONNTRACK_TUPLE_COMMON_H
 
-enum ip_conntrack_dir
-{
+enum ip_conntrack_dir {
         IP_CT_DIR_ORIGINAL,
         IP_CT_DIR_REPLY,
         IP_CT_DIR_MAX
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 84c7c928e9eb..50c867256ca3 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -1,6 +1,6 @@
 #ifndef _X_TABLES_H
 #define _X_TABLES_H
-
+#include <linux/kernel.h>
 #include <linux/types.h>
 
 #define XT_FUNCTION_MAXNAMELEN 30
@@ -93,7 +93,7 @@ struct _xt_align {
         __u64 u64;
 };
 
-#define XT_ALIGN(s) ALIGN((s), __alignof__(struct _xt_align))
+#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
 
 /* Standard return verdict, or do jump. */
 #define XT_STANDARD_TARGET ""
@@ -197,6 +197,7 @@ struct xt_counters_info {
  * @family:     Actual NFPROTO_* through which the function is invoked
  *              (helpful when match->family == NFPROTO_UNSPEC)
  * @hotdrop:    drop packet if we had inspection problems
+ * Network namespace obtainable using dev_net(in/out)
  */
 struct xt_match_param {
         const struct net_device *in, *out;
@@ -213,12 +214,14 @@ struct xt_match_param {
  * struct xt_mtchk_param - parameters for match extensions'
  * checkentry functions
  *
+ * @net:        network namespace through which the check was invoked
  * @table:      table the rule is tried to be inserted into
  * @entryinfo:  the family-specific rule data
- *              (struct ipt_ip, ip6t_ip, ebt_entry)
+ *              (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
  * @match:      struct xt_match through which this function was invoked
  * @matchinfo:  per-match data
  * @hook_mask:  via which hooks the new rule is reachable
+ * Other fields as above.
  */
 struct xt_mtchk_param {
         struct net *net;
@@ -230,7 +233,10 @@ struct xt_mtchk_param {
         u_int8_t family;
 };
 
-/* Match destructor parameters */
+/**
+ * struct xt_mdtor_param - match destructor parameters
+ * Fields as above.
+ */
 struct xt_mtdtor_param {
         struct net *net;
         const struct xt_match *match;
@@ -297,7 +303,7 @@ struct xt_match {
                       const struct xt_match_param *);
 
         /* Called when user tries to insert an entry of this type. */
-        bool (*checkentry)(const struct xt_mtchk_param *);
+        int (*checkentry)(const struct xt_mtchk_param *);
 
         /* Called when entry of this type deleted. */
         void (*destroy)(const struct xt_mtdtor_param *);
@@ -309,9 +315,6 @@ struct xt_match {
         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
         struct module *me;
 
-        /* Free to use by each match */
-        unsigned long data;
-
         const char *table;
         unsigned int matchsize;
 #ifdef CONFIG_COMPAT
@@ -328,6 +331,7 @@ struct xt_target {
         struct list_head list;
 
         const char name[XT_FUNCTION_MAXNAMELEN-1];
+        u_int8_t revision;
 
         /* Returns verdict. Argument order changed since 2.6.9, as this
            must now handle non-linear skbs, using skb_copy_bits and
@@ -338,8 +342,8 @@ struct xt_target {
         /* Called when user tries to insert an entry of this type:
            hook_mask is a bitmask of hooks from which it can be
            called. */
-        /* Should return true or false. */
-        bool (*checkentry)(const struct xt_tgchk_param *);
+        /* Should return true or false, or an error code (-Exxxx). */
+        int (*checkentry)(const struct xt_tgchk_param *);
 
         /* Called when entry of this type deleted. */
         void (*destroy)(const struct xt_tgdtor_param *);
@@ -360,7 +364,6 @@ struct xt_target {
         unsigned short proto;
 
         unsigned short family;
-        u_int8_t revision;
 };
 
 /* Furniture shopping... */
@@ -398,6 +401,13 @@ struct xt_table_info {
         unsigned int hook_entry[NF_INET_NUMHOOKS];
         unsigned int underflow[NF_INET_NUMHOOKS];
 
+        /*
+         * Number of user chains. Since tables cannot have loops, at most
+         * @stacksize jumps (number of user chains) can possibly be made.
+         */
+        unsigned int stacksize;
+        unsigned int *stackptr;
+        void ***jumpstack;
         /* ipt_entry tables: one per CPU */
         /* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
         void *entries[1];
@@ -433,6 +443,8 @@ extern struct xt_table_info *xt_replace_table(struct xt_table *table,
 
 extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
 extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
+extern struct xt_match *xt_request_find_match(u8 af, const char *name,
+                                              u8 revision);
 extern struct xt_target *xt_request_find_target(u8 af, const char *name,
                                                 u8 revision);
 extern int xt_find_revision(u8 af, const char *name, u8 revision,
@@ -598,7 +610,7 @@ struct _compat_xt_align {
         compat_u64 u64;
 };
 
-#define COMPAT_XT_ALIGN(s) ALIGN((s), __alignof__(struct _compat_xt_align))
+#define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
 
 extern void xt_compat_lock(u_int8_t af);
 extern void xt_compat_unlock(u_int8_t af);
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h
index 0a8545866752..2f2e48ec8023 100644
--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -1,26 +1,6 @@
 #ifndef _XT_CONNMARK_H_target
 #define _XT_CONNMARK_H_target
 
-#include <linux/types.h>
-
-/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- */
-
-enum {
-        XT_CONNMARK_SET = 0,
-        XT_CONNMARK_SAVE,
-        XT_CONNMARK_RESTORE
-};
-
-struct xt_connmark_tginfo1 {
-        __u32 ctmark, ctmask, nfmask;
-        __u8 mode;
-};
+#include <linux/netfilter/xt_connmark.h>
 
 #endif /*_XT_CONNMARK_H_target*/
diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
index bc9561bdef79..41c456deba22 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/linux/netfilter/xt_MARK.h
@@ -1,10 +1,6 @@
 #ifndef _XT_MARK_H_target
 #define _XT_MARK_H_target
 
-#include <linux/types.h>
-
-struct xt_mark_tginfo2 {
-        __u32 mark, mask;
-};
+#include <linux/netfilter/xt_mark.h>
 
 #endif /*_XT_MARK_H_target */
diff --git a/include/linux/netfilter/xt_TEE.h b/include/linux/netfilter/xt_TEE.h
new file mode 100644
index 000000000000..5c21d5c829af
--- /dev/null
+++ b/include/linux/netfilter/xt_TEE.h
@@ -0,0 +1,12 @@
+#ifndef _XT_TEE_TARGET_H
+#define _XT_TEE_TARGET_H
+
+struct xt_tee_tginfo {
+        union nf_inet_addr gw;
+        char oif[16];
+
+        /* used internally by the kernel */
+        struct xt_tee_priv *priv __attribute__((aligned(8)));
+};
+
+#endif /* _XT_TEE_TARGET_H */
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
index 619e47cde01a..efc17a8305fb 100644
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/linux/netfilter/xt_connmark.h
@@ -12,6 +12,17 @@
  * (at your option) any later version.
  */
 
+enum {
+        XT_CONNMARK_SET = 0,
+        XT_CONNMARK_SAVE,
+        XT_CONNMARK_RESTORE
+};
+
+struct xt_connmark_tginfo1 {
+        __u32 ctmark, ctmask, nfmask;
+        __u8 mode;
+};
+
 struct xt_connmark_mtinfo1 {
         __u32 mark, mask;
         __u8 invert;
diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h
index 6607c8f38ea5..ecadc40d5cde 100644
--- a/include/linux/netfilter/xt_mark.h
+++ b/include/linux/netfilter/xt_mark.h
@@ -3,6 +3,10 @@
 
 #include <linux/types.h>
 
+struct xt_mark_tginfo2 {
+        __u32 mark, mask;
+};
+
 struct xt_mark_mtinfo1 {
         __u32 mark, mask;
         __u8 invert;
diff --git a/include/linux/netfilter/xt_recent.h b/include/linux/netfilter/xt_recent.h
index d2c276609925..83318e01425e 100644
--- a/include/linux/netfilter/xt_recent.h
+++ b/include/linux/netfilter/xt_recent.h
@@ -9,6 +9,7 @@ enum {
         XT_RECENT_UPDATE   = 1 << 2,
         XT_RECENT_REMOVE   = 1 << 3,
         XT_RECENT_TTL      = 1 << 4,
+        XT_RECENT_REAP     = 1 << 5,
 
         XT_RECENT_SOURCE   = 0,
         XT_RECENT_DEST     = 1,
@@ -16,6 +17,12 @@ enum {
         XT_RECENT_NAME_LEN = 200,
 };
 
+/* Only allowed with --rcheck and --update */
+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
+
+#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+                               XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+
 struct xt_recent_mtinfo {
         __u32 seconds;
         __u32 hit_count;
diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
index f8105e54716a..ea0e44b90432 100644
--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
@@ -41,10 +41,10 @@ enum nf_br_hook_priorities {
 
 #define BRNF_PKT_TYPE                   0x01
 #define BRNF_BRIDGED_DNAT               0x02
-#define BRNF_DONT_TAKE_PARENT           0x04
-#define BRNF_BRIDGED                    0x08
-#define BRNF_NF_BRIDGE_PREROUTING       0x10
-
+#define BRNF_BRIDGED                    0x04
+#define BRNF_NF_BRIDGE_PREROUTING       0x08
+#define BRNF_8021Q                      0x10
+#define BRNF_PPPoE                      0x20
 
 /* Only used in br_forward.c */
 extern int nf_bridge_copy_header(struct sk_buff *skb);
@@ -68,6 +68,20 @@ static inline unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
         }
 }
 
+extern int br_handle_frame_finish(struct sk_buff *skb);
+/* Only used in br_device.c */
+static inline int br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
+{
+        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
+
+        skb_pull(skb, ETH_HLEN);
+        nf_bridge->mask ^= BRNF_BRIDGED_DNAT;
+        skb_copy_to_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN),
+                                       skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);
+        skb->dev = nf_bridge->physindev;
+        return br_handle_frame_finish(skb);
+}
+
 /* This is called by the IP fragmenting code and it ensures there is
  * enough room for the encapsulating header (if there is one). */
 static inline unsigned int nf_bridge_pad(const struct sk_buff *skb)
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index e5ba03d783c6..18442ff19c07 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -316,10 +316,6 @@ extern int ip6t_ext_hdr(u8 nexthdr);
 extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
                          int target, unsigned short *fragoff);
 
-extern int ip6_masked_addrcmp(const struct in6_addr *addr1,
-                              const struct in6_addr *mask,
-                              const struct in6_addr *addr2);
-
 #define IP6T_ALIGN(s) XT_ALIGN(s)
 
 #ifdef CONFIG_COMPAT
diff --git a/include/net/neighbour.h b/include/net/neighbour.h
index da1d58be31b7..eb21340a573b 100644
--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -299,6 +299,20 @@ static inline int neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)
         return 0;
 }
 
+#ifdef CONFIG_BRIDGE_NETFILTER
+static inline int neigh_hh_bridge(struct hh_cache *hh, struct sk_buff *skb)
+{
+        unsigned seq, hh_alen;
+
+        do {
+                seq = read_seqbegin(&hh->hh_lock);
+                hh_alen = HH_DATA_ALIGN(ETH_HLEN);
+                memcpy(skb->data - hh_alen, hh->hh_data, ETH_ALEN + hh_alen - ETH_HLEN);
+        } while (read_seqretry(&hh->hh_lock, seq));
+        return 0;
+}
+#endif
+
 static inline int neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb)
 {
         unsigned seq;