4 files changed, 51 insertions, 13 deletions

diff --git a/include/linux/security.h b/include/linux/security.h
index 0f6afc657f77..eee7478cda70 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -989,17 +989,29 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      tells the LSM to decrement the number of secmark labeling rules loaded
  * @req_classify_flow:
  *      Sets the flow's sid to the openreq sid.
+ * @tun_dev_alloc_security:
+ *      This hook allows a module to allocate a security structure for a TUN
+ *      device.
+ *      @security pointer to a security structure pointer.
+ *      Returns a zero on success, negative values on failure.
+ * @tun_dev_free_security:
+ *      This hook allows a module to free the security structure for a TUN
+ *      device.
+ *      @security pointer to the TUN device's security structure
  * @tun_dev_create:
  *      Check permissions prior to creating a new TUN device.
- * @tun_dev_post_create:
- *      This hook allows a module to update or allocate a per-socket security
- *      structure.
- *      @sk contains the newly created sock structure.
+ * @tun_dev_attach_queue:
+ *      Check permissions prior to attaching to a TUN device queue.
+ *      @security pointer to the TUN device's security structure.
  * @tun_dev_attach:
- *      Check permissions prior to attaching to a persistent TUN device.  This
- *      hook can also be used by the module to update any security state
+ *      This hook can be used by the module to update any security state
  *      associated with the TUN device's sock structure.
  *      @sk contains the existing sock structure.
+ *      @security pointer to the TUN device's security structure.
+ * @tun_dev_open:
+ *      This hook can be used by the module to update any security state
+ *      associated with the TUN device's security structure.
+ *      @security pointer to the TUN devices's security structure.
  *
  * Security hooks for XFRM operations.
  *
@@ -1620,9 +1632,12 @@ struct security_operations {
         void (*secmark_refcount_inc) (void);
         void (*secmark_refcount_dec) (void);
         void (*req_classify_flow) (const struct request_sock *req, struct flowi *fl);
-        int (*tun_dev_create)(void);
-        void (*tun_dev_post_create)(struct sock *sk);
-        int (*tun_dev_attach)(struct sock *sk);
+        int (*tun_dev_alloc_security) (void **security);
+        void (*tun_dev_free_security) (void *security);
+        int (*tun_dev_create) (void);
+        int (*tun_dev_attach_queue) (void *security);
+        int (*tun_dev_attach) (struct sock *sk, void *security);
+        int (*tun_dev_open) (void *security);
 #endif  /* CONFIG_SECURITY_NETWORK */
 
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2566,9 +2581,12 @@ void security_inet_conn_established(struct sock *sk,
 int security_secmark_relabel_packet(u32 secid);
 void security_secmark_refcount_inc(void);
 void security_secmark_refcount_dec(void);
+int security_tun_dev_alloc_security(void **security);
+void security_tun_dev_free_security(void *security);
 int security_tun_dev_create(void);
-void security_tun_dev_post_create(struct sock *sk);
-int security_tun_dev_attach(struct sock *sk);
+int security_tun_dev_attach_queue(void *security);
+int security_tun_dev_attach(struct sock *sk, void *security);
+int security_tun_dev_open(void *security);
 
 #else   /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct sock *sock,
@@ -2733,16 +2751,31 @@ static inline void security_secmark_refcount_dec(void)
 {
 }
 
+static inline int security_tun_dev_alloc_security(void **security)
+{
+        return 0;
+}
+
+static inline void security_tun_dev_free_security(void *security)
+{
+}
+
 static inline int security_tun_dev_create(void)
 {
         return 0;
 }
 
-static inline void security_tun_dev_post_create(struct sock *sk)
+static inline int security_tun_dev_attach_queue(void *security)
+{
+        return 0;
+}
+
+static inline int security_tun_dev_attach(struct sock *sk, void *security)
 {
+        return 0;
 }
 
-static inline int security_tun_dev_attach(struct sock *sk)
+static inline int security_tun_dev_open(void *security)
 {
         return 0;
 }
diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h
index bd45eb7bedc8..5de7a220e986 100644
--- a/include/linux/usb/usbnet.h
+++ b/include/linux/usb/usbnet.h
@@ -100,6 +100,7 @@ struct driver_info {
 #define FLAG_LINK_INTR  0x0800          /* updates link (carrier) status */
 
 #define FLAG_POINTTOPOINT 0x1000        /* possibly use "usb%d" names */
+#define FLAG_NOARP      0x2000          /* device can't do ARP */
 
 /*
  * Indicates to usbnet, that USB driver accumulates multiple IP packets.
diff --git a/include/net/ip.h b/include/net/ip.h
index 0707fb9551aa..a68f838a132c 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -143,6 +143,8 @@ static inline struct sk_buff *ip_finish_skb(struct sock *sk, struct flowi4 *fl4)
 extern int              ip4_datagram_connect(struct sock *sk, 
                                              struct sockaddr *uaddr, int addr_len);
 
+extern void ip4_datagram_release_cb(struct sock *sk);
+
 struct ip_reply_arg {
         struct kvec iov[1];   
         int         flags;
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index d8f5b9f52169..e98aeb3da033 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -31,6 +31,8 @@ extern void nf_conntrack_cleanup(struct net *net);
 extern int nf_conntrack_proto_init(struct net *net);
 extern void nf_conntrack_proto_fini(struct net *net);
 
+extern void nf_conntrack_cleanup_end(void);
+
 extern bool
 nf_ct_get_tuple(const struct sk_buff *skb,
                 unsigned int nhoff,