5 files changed, 54 insertions, 62 deletions

diff --git a/include/linux/dccp.h b/include/linux/dccp.h
index 2d7671c92c0b..d6f4ec467a4b 100644
--- a/include/linux/dccp.h
+++ b/include/linux/dccp.h
@@ -169,6 +169,12 @@ enum {
         DCCPO_MAX_CCID_SPECIFIC = 255,
 };
 
+/* DCCP CCIDS */
+enum {
+        DCCPC_CCID2 = 2,
+        DCCPC_CCID3 = 3,
+};
+
 /* DCCP features */
 enum {
         DCCPF_RESERVED = 0,
@@ -320,7 +326,7 @@ static inline unsigned int dccp_hdr_len(const struct sk_buff *skb)
 /* initial values for each feature */
 #define DCCPF_INITIAL_SEQUENCE_WINDOW           100
 #define DCCPF_INITIAL_ACK_RATIO                 2
-#define DCCPF_INITIAL_CCID                      2
+#define DCCPF_INITIAL_CCID                      DCCPC_CCID2
 #define DCCPF_INITIAL_SEND_ACK_VECTOR           1
 /* FIXME: for now we're default to 1 but it should really be 0 */
 #define DCCPF_INITIAL_SEND_NDP_COUNT            1
@@ -404,6 +410,7 @@ struct dccp_service_list {
 };
 
 #define DCCP_SERVICE_INVALID_VALUE htonl((__u32)-1)
+#define DCCP_SERVICE_CODE_IS_ABSENT              0
 
 static inline int dccp_list_has_service(const struct dccp_service_list *sl,
                                         const __be32 service)
@@ -484,11 +491,6 @@ static inline struct dccp_minisock *dccp_msk(const struct sock *sk)
         return (struct dccp_minisock *)&dccp_sk(sk)->dccps_minisock;
 }
 
-static inline int dccp_service_not_initialized(const struct sock *sk)
-{
-        return dccp_sk(sk)->dccps_service == DCCP_SERVICE_INVALID_VALUE;
-}
-
 static inline const char *dccp_role(const struct sock *sk)
 {
         switch (dccp_sk(sk)->dccps_role) {
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 9a285cecf249..312bd2ffee33 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -10,6 +10,8 @@ header-y += xt_connmark.h
 header-y += xt_CONNMARK.h
 header-y += xt_conntrack.h
 header-y += xt_dccp.h
+header-y += xt_dscp.h
+header-y += xt_DSCP.h
 header-y += xt_esp.h
 header-y += xt_helper.h
 header-y += xt_length.h
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
index 59406e0dc5b2..2d72496c2029 100644
--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -130,8 +130,9 @@ extern int cipso_v4_rbm_strictvalid;
 int cipso_v4_doi_add(struct cipso_v4_doi *doi_def);
 int cipso_v4_doi_remove(u32 doi, void (*callback) (struct rcu_head * head));
 struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
-struct sk_buff *cipso_v4_doi_dump_all(size_t headroom);
-struct sk_buff *cipso_v4_doi_dump(u32 doi, size_t headroom);
+int cipso_v4_doi_walk(u32 *skip_cnt,
+                     int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
+                     void *cb_arg);
 int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def, const char *domain);
 int cipso_v4_doi_domhsh_remove(struct cipso_v4_doi *doi_def,
                                const char *domain);
@@ -152,14 +153,11 @@ static inline struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
         return NULL;
 }
 
-static inline struct sk_buff *cipso_v4_doi_dump_all(size_t headroom)
+static inline int cipso_v4_doi_walk(u32 *skip_cnt,
+                     int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
+                     void *cb_arg)
 {
-        return NULL;
-}
-
-static inline struct sk_buff *cipso_v4_doi_dump(u32 doi, size_t headroom)
-{
-        return NULL;
+        return 0;
 }
 
 static inline int cipso_v4_doi_domhsh_add(struct cipso_v4_doi *doi_def,
@@ -205,6 +203,7 @@ void cipso_v4_error(struct sk_buff *skb, int error, u32 gateway);
 int cipso_v4_socket_setattr(const struct socket *sock,
                             const struct cipso_v4_doi *doi_def,
                             const struct netlbl_lsm_secattr *secattr);
+int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr);
 int cipso_v4_socket_getattr(const struct socket *sock,
                             struct netlbl_lsm_secattr *secattr);
 int cipso_v4_skbuff_getattr(const struct sk_buff *skb,
@@ -225,6 +224,12 @@ static inline int cipso_v4_socket_setattr(const struct socket *sock,
         return -ENOSYS;
 }
 
+static inline int cipso_v4_sock_getattr(struct sock *sk,
+                                        struct netlbl_lsm_secattr *secattr)
+{
+        return -ENOSYS;
+}
+
 static inline int cipso_v4_socket_getattr(const struct socket *sock,
                                           struct netlbl_lsm_secattr *secattr)
 {
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index dd5780b36919..6692430063fd 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -57,9 +57,8 @@
  * The payload is dependent on the subsystem specified in the
  * 'nlmsghdr->nlmsg_type' and should be defined below, supporting functions
  * should be defined in the corresponding net/netlabel/netlabel_<subsys>.h|c
- * file.  All of the fields in the NetLabel payload are NETLINK attributes, the
- * length of each field is the length of the NETLINK attribute payload, see
- * include/net/netlink.h for more information on NETLINK attributes.
+ * file.  All of the fields in the NetLabel payload are NETLINK attributes, see
+ * the include/net/netlink.h file for more information on NETLINK attributes.
  *
  */
 
@@ -82,50 +81,6 @@
 #define NETLBL_NLTYPE_UNLABELED         5
 #define NETLBL_NLTYPE_UNLABELED_NAME    "NLBL_UNLBL"
 
-/* NetLabel return codes */
-#define NETLBL_E_OK                     0
-
-/*
- * Helper functions
- */
-
-#define NETLBL_LEN_U8                   nla_total_size(sizeof(u8))
-#define NETLBL_LEN_U16                  nla_total_size(sizeof(u16))
-#define NETLBL_LEN_U32                  nla_total_size(sizeof(u32))
-
-/**
- * netlbl_netlink_alloc_skb - Allocate a NETLINK message buffer
- * @head: the amount of headroom in bytes
- * @body: the desired size (minus headroom) in bytes
- * @gfp_flags: the alloc flags to pass to alloc_skb()
- *
- * Description:
- * Allocate a NETLINK message buffer based on the sizes given in @head and
- * @body.  If @head is greater than zero skb_reserve() is called to reserve
- * @head bytes at the start of the buffer.  Returns a valid sk_buff pointer on
- * success, NULL on failure.
- *
- */
-static inline struct sk_buff *netlbl_netlink_alloc_skb(size_t head,
-                                                       size_t body,
-                                                       gfp_t gfp_flags)
-{
-        struct sk_buff *skb;
-
-        skb = alloc_skb(NLMSG_ALIGN(head + body), gfp_flags);
-        if (skb == NULL)
-                return NULL;
-        if (head > 0) {
-                skb_reserve(skb, head);
-                if (skb_tailroom(skb) < body) {
-                        kfree_skb(skb);
-                        return NULL;
-                }
-        }
-
-        return skb;
-}
-
 /*
  * NetLabel - Kernel API for accessing the network packet label mappings.
  *
@@ -238,6 +193,8 @@ static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr,
 #ifdef CONFIG_NETLABEL
 int netlbl_socket_setattr(const struct socket *sock,
                           const struct netlbl_lsm_secattr *secattr);
+int netlbl_sock_getattr(struct sock *sk,
+                        struct netlbl_lsm_secattr *secattr);
 int netlbl_socket_getattr(const struct socket *sock,
                           struct netlbl_lsm_secattr *secattr);
 int netlbl_skbuff_getattr(const struct sk_buff *skb,
@@ -250,6 +207,12 @@ static inline int netlbl_socket_setattr(const struct socket *sock,
         return -ENOSYS;
 }
 
+static inline int netlbl_sock_getattr(struct sock *sk,
+                                      struct netlbl_lsm_secattr *secattr)
+{
+        return -ENOSYS;
+}
+
 static inline int netlbl_socket_getattr(const struct socket *sock,
                                         struct netlbl_lsm_secattr *secattr)
 {
diff --git a/include/net/netlink.h b/include/net/netlink.h
index 11dc2e7f679a..4ab68a7a636a 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -146,11 +146,13 @@
  *   nla_ok(nla, remaining)             does nla fit into remaining bytes?
  *   nla_next(nla, remaining)           get next netlink attribute
  *   nla_validate()                     validate a stream of attributes
+ *   nla_validate_nested()              validate a stream of nested attributes
  *   nla_find()                         find attribute in stream of attributes
  *   nla_find_nested()                  find attribute in nested attributes
  *   nla_parse()                        parse and validate stream of attrs
  *   nla_parse_nested()                 parse nested attribuets
  *   nla_for_each_attr()                loop over all attributes
+ *   nla_for_each_nested()              loop over the nested attributes
  *=========================================================================
  */
 
@@ -950,6 +952,24 @@ static inline int nla_nest_cancel(struct sk_buff *skb, struct nlattr *start)
 }
 
 /**
+ * nla_validate_nested - Validate a stream of nested attributes
+ * @start: container attribute
+ * @maxtype: maximum attribute type to be expected
+ * @policy: validation policy
+ *
+ * Validates all attributes in the nested attribute stream against the
+ * specified policy. Attributes with a type exceeding maxtype will be
+ * ignored. See documenation of struct nla_policy for more details.
+ *
+ * Returns 0 on success or a negative error code.
+ */
+static inline int nla_validate_nested(struct nlattr *start, int maxtype,
+                                      struct nla_policy *policy)
+{
+        return nla_validate(nla_data(start), nla_len(start), maxtype, policy);
+}
+
+/**
  * nla_for_each_attr - iterate over a stream of attributes
  * @pos: loop counter, set to current attribute
  * @head: head of attribute stream