36 files changed, 392 insertions, 248 deletions

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 70491d9035eb..0c94a1ac2946 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -166,7 +166,7 @@ config IP_PNP_DHCP
 
           If unsure, say Y. Note that if you want to use DHCP, a DHCP server
           must be operating on your network.  Read
-          <file:Documentation/filesystems/nfsroot.txt> for details.
+          <file:Documentation/filesystems/nfs/nfsroot.txt> for details.
 
 config IP_PNP_BOOTP
         bool "IP: BOOTP support"
@@ -181,7 +181,7 @@ config IP_PNP_BOOTP
           does BOOTP itself, providing all necessary information on the kernel
           command line, you can say N here. If unsure, say Y. Note that if you
           want to use BOOTP, a BOOTP server must be operating on your network.
-          Read <file:Documentation/filesystems/nfsroot.txt> for details.
+          Read <file:Documentation/filesystems/nfs/nfsroot.txt> for details.
 
 config IP_PNP_RARP
         bool "IP: RARP support"
@@ -194,7 +194,7 @@ config IP_PNP_RARP
           older protocol which is being obsoleted by BOOTP and DHCP), say Y
           here. Note that if you want to use RARP, a RARP server must be
           operating on your network. Read
-          <file:Documentation/filesystems/nfsroot.txt> for details.
+          <file:Documentation/filesystems/nfs/nfsroot.txt> for details.
 
 # not yet ready..
 #   bool '    IP: ARP support' CONFIG_IP_PNP_ARP
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index c95cd93acf29..1940b4df7699 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -70,6 +70,7 @@
  *                                      bonding can change the skb before
  *                                      sending (e.g. insert 8021q tag).
  *              Harald Welte    :       convert to make use of jenkins hash
+ *              Jesper D. Brouer:       Proxy ARP PVLAN RFC 3069 support.
  */
 
 #include <linux/module.h>
@@ -524,12 +525,15 @@ int arp_bind_neighbour(struct dst_entry *dst)
 /*
  * Check if we can use proxy ARP for this path
  */
-
-static inline int arp_fwd_proxy(struct in_device *in_dev, struct rtable *rt)
+static inline int arp_fwd_proxy(struct in_device *in_dev,
+                                struct net_device *dev, struct rtable *rt)
 {
         struct in_device *out_dev;
         int imi, omi = -1;
 
+        if (rt->u.dst.dev == dev)
+                return 0;
+
         if (!IN_DEV_PROXY_ARP(in_dev))
                 return 0;
 
@@ -548,6 +552,43 @@ static inline int arp_fwd_proxy(struct in_device *in_dev, struct rtable *rt)
 }
 
 /*
+ * Check for RFC3069 proxy arp private VLAN (allow to send back to same dev)
+ *
+ * RFC3069 supports proxy arp replies back to the same interface.  This
+ * is done to support (ethernet) switch features, like RFC 3069, where
+ * the individual ports are not allowed to communicate with each
+ * other, BUT they are allowed to talk to the upstream router.  As
+ * described in RFC 3069, it is possible to allow these hosts to
+ * communicate through the upstream router, by proxy_arp'ing.
+ *
+ * RFC 3069: "VLAN Aggregation for Efficient IP Address Allocation"
+ *
+ *  This technology is known by different names:
+ *    In RFC 3069 it is called VLAN Aggregation.
+ *    Cisco and Allied Telesyn call it Private VLAN.
+ *    Hewlett-Packard call it Source-Port filtering or port-isolation.
+ *    Ericsson call it MAC-Forced Forwarding (RFC Draft).
+ *
+ */
+static inline int arp_fwd_pvlan(struct in_device *in_dev,
+                                struct net_device *dev, struct rtable *rt,
+                                __be32 sip, __be32 tip)
+{
+        /* Private VLAN is only concerned about the same ethernet segment */
+        if (rt->u.dst.dev != dev)
+                return 0;
+
+        /* Don't reply on self probes (often done by windowz boxes)*/
+        if (sip == tip)
+                return 0;
+
+        if (IN_DEV_PROXY_ARP_PVLAN(in_dev))
+                return 1;
+        else
+                return 0;
+}
+
+/*
  *      Interface to link layer: send routine and receive handler.
  */
 
@@ -833,8 +874,11 @@ static int arp_process(struct sk_buff *skb)
                         }
                         goto out;
                 } else if (IN_DEV_FORWARD(in_dev)) {
-                            if (addr_type == RTN_UNICAST  && rt->u.dst.dev != dev &&
-                             (arp_fwd_proxy(in_dev, rt) || pneigh_lookup(&arp_tbl, net, &tip, dev, 0))) {
+                        if (addr_type == RTN_UNICAST  &&
+                            (arp_fwd_proxy(in_dev, dev, rt) ||
+                             arp_fwd_pvlan(in_dev, dev, rt, sip, tip) ||
+                             pneigh_lookup(&arp_tbl, net, &tip, dev, 0)))
+                        {
                                 n = neigh_event_ns(&arp_tbl, sha, &sip, dev);
                                 if (n)
                                         neigh_release(n);
@@ -863,7 +907,8 @@ static int arp_process(struct sk_buff *skb)
                    devices (strip is candidate)
                  */
                 if (n == NULL &&
-                    arp->ar_op == htons(ARPOP_REPLY) &&
+                    (arp->ar_op == htons(ARPOP_REPLY) ||
+                     (arp->ar_op == htons(ARPOP_REQUEST) && tip == sip)) &&
                     inet_addr_type(net, sip) == RTN_UNICAST)
                         n = __neigh_lookup(&arp_tbl, &sip, dev, 1);
         }
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 5cdbc102a418..cd71a3908391 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1397,6 +1397,7 @@ static struct devinet_sysctl_table {
                 DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
                                         "accept_source_route"),
                 DEVINET_SYSCTL_RW_ENTRY(ACCEPT_LOCAL, "accept_local"),
+                DEVINET_SYSCTL_RW_ENTRY(SRC_VMARK, "src_valid_mark"),
                 DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
                 DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
                 DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
@@ -1407,6 +1408,7 @@ static struct devinet_sysctl_table {
                 DEVINET_SYSCTL_RW_ENTRY(ARP_IGNORE, "arp_ignore"),
                 DEVINET_SYSCTL_RW_ENTRY(ARP_ACCEPT, "arp_accept"),
                 DEVINET_SYSCTL_RW_ENTRY(ARP_NOTIFY, "arp_notify"),
+                DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP_PVLAN, "proxy_arp_pvlan"),
 
                 DEVINET_SYSCTL_FLUSHING_ENTRY(NOXFRM, "disable_xfrm"),
                 DEVINET_SYSCTL_FLUSHING_ENTRY(NOPOLICY, "disable_policy"),
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 3323168ee52d..9b3e28ed5240 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -252,6 +252,8 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
                 no_addr = in_dev->ifa_list == NULL;
                 rpf = IN_DEV_RPFILTER(in_dev);
                 accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
+                if (mark && !IN_DEV_SRC_VMARK(in_dev))
+                        fl.mark = 0;
         }
         rcu_read_unlock();
 
@@ -881,7 +883,7 @@ static void nl_fib_input(struct sk_buff *skb)
         netlink_unicast(net->ipv4.fibnl, skb, pid, MSG_DONTWAIT);
 }
 
-static int nl_fib_lookup_init(struct net *net)
+static int __net_init nl_fib_lookup_init(struct net *net)
 {
         struct sock *sk;
         sk = netlink_kernel_create(net, NETLINK_FIB_LOOKUP, 0,
@@ -1002,7 +1004,7 @@ fail:
         return err;
 }
 
-static void __net_exit ip_fib_net_exit(struct net *net)
+static void ip_fib_net_exit(struct net *net)
 {
         unsigned int i;
 
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index ed19aa6919c2..1af0ea0fb6a2 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -62,8 +62,8 @@ static DEFINE_SPINLOCK(fib_multipath_lock);
 #define for_nexthops(fi) { int nhsel; const struct fib_nh * nh; \
 for (nhsel=0, nh = (fi)->fib_nh; nhsel < (fi)->fib_nhs; nh++, nhsel++)
 
-#define change_nexthops(fi) { int nhsel; struct fib_nh * nh; \
-for (nhsel=0, nh = (struct fib_nh *)((fi)->fib_nh); nhsel < (fi)->fib_nhs; nh++, nhsel++)
+#define change_nexthops(fi) { int nhsel; struct fib_nh *nexthop_nh; \
+for (nhsel=0, nexthop_nh = (struct fib_nh *)((fi)->fib_nh); nhsel < (fi)->fib_nhs; nexthop_nh++, nhsel++)
 
 #else /* CONFIG_IP_ROUTE_MULTIPATH */
 
@@ -72,7 +72,7 @@ for (nhsel=0, nh = (struct fib_nh *)((fi)->fib_nh); nhsel < (fi)->fib_nhs; nh++,
 #define for_nexthops(fi) { int nhsel = 0; const struct fib_nh * nh = (fi)->fib_nh; \
 for (nhsel=0; nhsel < 1; nhsel++)
 
-#define change_nexthops(fi) { int nhsel = 0; struct fib_nh * nh = (struct fib_nh *)((fi)->fib_nh); \
+#define change_nexthops(fi) { int nhsel = 0; struct fib_nh *nexthop_nh = (struct fib_nh *)((fi)->fib_nh); \
 for (nhsel=0; nhsel < 1; nhsel++)
 
 #endif /* CONFIG_IP_ROUTE_MULTIPATH */
@@ -145,9 +145,9 @@ void free_fib_info(struct fib_info *fi)
                 return;
         }
         change_nexthops(fi) {
-                if (nh->nh_dev)
-                        dev_put(nh->nh_dev);
-                nh->nh_dev = NULL;
+                if (nexthop_nh->nh_dev)
+                        dev_put(nexthop_nh->nh_dev);
+                nexthop_nh->nh_dev = NULL;
         } endfor_nexthops(fi);
         fib_info_cnt--;
         release_net(fi->fib_net);
@@ -162,9 +162,9 @@ void fib_release_info(struct fib_info *fi)
                 if (fi->fib_prefsrc)
                         hlist_del(&fi->fib_lhash);
                 change_nexthops(fi) {
-                        if (!nh->nh_dev)
+                        if (!nexthop_nh->nh_dev)
                                 continue;
-                        hlist_del(&nh->nh_hash);
+                        hlist_del(&nexthop_nh->nh_hash);
                 } endfor_nexthops(fi)
                 fi->fib_dead = 1;
                 fib_info_put(fi);
@@ -395,19 +395,20 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
                 if (!rtnh_ok(rtnh, remaining))
                         return -EINVAL;
 
-                nh->nh_flags = (cfg->fc_flags & ~0xFF) | rtnh->rtnh_flags;
-                nh->nh_oif = rtnh->rtnh_ifindex;
-                nh->nh_weight = rtnh->rtnh_hops + 1;
+                nexthop_nh->nh_flags =
+                        (cfg->fc_flags & ~0xFF) | rtnh->rtnh_flags;
+                nexthop_nh->nh_oif = rtnh->rtnh_ifindex;
+                nexthop_nh->nh_weight = rtnh->rtnh_hops + 1;
 
                 attrlen = rtnh_attrlen(rtnh);
                 if (attrlen > 0) {
                         struct nlattr *nla, *attrs = rtnh_attrs(rtnh);
 
                         nla = nla_find(attrs, attrlen, RTA_GATEWAY);
-                        nh->nh_gw = nla ? nla_get_be32(nla) : 0;
+                        nexthop_nh->nh_gw = nla ? nla_get_be32(nla) : 0;
 #ifdef CONFIG_NET_CLS_ROUTE
                         nla = nla_find(attrs, attrlen, RTA_FLOW);
-                        nh->nh_tclassid = nla ? nla_get_u32(nla) : 0;
+                        nexthop_nh->nh_tclassid = nla ? nla_get_u32(nla) : 0;
 #endif
                 }
 
@@ -527,10 +528,6 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_info *fi,
         if (nh->nh_gw) {
                 struct fib_result res;
 
-#ifdef CONFIG_IP_ROUTE_PERVASIVE
-                if (nh->nh_flags&RTNH_F_PERVASIVE)
-                        return 0;
-#endif
                 if (nh->nh_flags&RTNH_F_ONLINK) {
                         struct net_device *dev;
 
@@ -738,7 +735,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
 
         fi->fib_nhs = nhs;
         change_nexthops(fi) {
-                nh->nh_parent = fi;
+                nexthop_nh->nh_parent = fi;
         } endfor_nexthops(fi)
 
         if (cfg->fc_mx) {
@@ -808,7 +805,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
                         goto failure;
         } else {
                 change_nexthops(fi) {
-                        if ((err = fib_check_nh(cfg, fi, nh)) != 0)
+                        if ((err = fib_check_nh(cfg, fi, nexthop_nh)) != 0)
                                 goto failure;
                 } endfor_nexthops(fi)
         }
@@ -843,11 +840,11 @@ link_it:
                 struct hlist_head *head;
                 unsigned int hash;
 
-                if (!nh->nh_dev)
+                if (!nexthop_nh->nh_dev)
                         continue;
-                hash = fib_devindex_hashfn(nh->nh_dev->ifindex);
+                hash = fib_devindex_hashfn(nexthop_nh->nh_dev->ifindex);
                 head = &fib_info_devhash[hash];
-                hlist_add_head(&nh->nh_hash, head);
+                hlist_add_head(&nexthop_nh->nh_hash, head);
         } endfor_nexthops(fi)
         spin_unlock_bh(&fib_info_lock);
         return fi;
@@ -1080,21 +1077,21 @@ int fib_sync_down_dev(struct net_device *dev, int force)
                 prev_fi = fi;
                 dead = 0;
                 change_nexthops(fi) {
-                        if (nh->nh_flags&RTNH_F_DEAD)
+                        if (nexthop_nh->nh_flags&RTNH_F_DEAD)
                                 dead++;
-                        else if (nh->nh_dev == dev &&
-                                        nh->nh_scope != scope) {
-                                nh->nh_flags |= RTNH_F_DEAD;
+                        else if (nexthop_nh->nh_dev == dev &&
+                                 nexthop_nh->nh_scope != scope) {
+                                nexthop_nh->nh_flags |= RTNH_F_DEAD;
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
                                 spin_lock_bh(&fib_multipath_lock);
-                                fi->fib_power -= nh->nh_power;
-                                nh->nh_power = 0;
+                                fi->fib_power -= nexthop_nh->nh_power;
+                                nexthop_nh->nh_power = 0;
                                 spin_unlock_bh(&fib_multipath_lock);
 #endif
                                 dead++;
                         }
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
-                        if (force > 1 && nh->nh_dev == dev) {
+                        if (force > 1 && nexthop_nh->nh_dev == dev) {
                                 dead = fi->fib_nhs;
                                 break;
                         }
@@ -1144,18 +1141,20 @@ int fib_sync_up(struct net_device *dev)
                 prev_fi = fi;
                 alive = 0;
                 change_nexthops(fi) {
-                        if (!(nh->nh_flags&RTNH_F_DEAD)) {
+                        if (!(nexthop_nh->nh_flags&RTNH_F_DEAD)) {
                                 alive++;
                                 continue;
                         }
-                        if (nh->nh_dev == NULL || !(nh->nh_dev->flags&IFF_UP))
+                        if (nexthop_nh->nh_dev == NULL ||
+                            !(nexthop_nh->nh_dev->flags&IFF_UP))
                                 continue;
-                        if (nh->nh_dev != dev || !__in_dev_get_rtnl(dev))
+                        if (nexthop_nh->nh_dev != dev ||
+                            !__in_dev_get_rtnl(dev))
                                 continue;
                         alive++;
                         spin_lock_bh(&fib_multipath_lock);
-                        nh->nh_power = 0;
-                        nh->nh_flags &= ~RTNH_F_DEAD;
+                        nexthop_nh->nh_power = 0;
+                        nexthop_nh->nh_flags &= ~RTNH_F_DEAD;
                         spin_unlock_bh(&fib_multipath_lock);
                 } endfor_nexthops(fi)
 
@@ -1182,9 +1181,9 @@ void fib_select_multipath(const struct flowi *flp, struct fib_result *res)
         if (fi->fib_power <= 0) {
                 int power = 0;
                 change_nexthops(fi) {
-                        if (!(nh->nh_flags&RTNH_F_DEAD)) {
-                                power += nh->nh_weight;
-                                nh->nh_power = nh->nh_weight;
+                        if (!(nexthop_nh->nh_flags&RTNH_F_DEAD)) {
+                                power += nexthop_nh->nh_weight;
+                                nexthop_nh->nh_power = nexthop_nh->nh_weight;
                         }
                 } endfor_nexthops(fi);
                 fi->fib_power = power;
@@ -1204,9 +1203,10 @@ void fib_select_multipath(const struct flowi *flp, struct fib_result *res)
         w = jiffies % fi->fib_power;
 
         change_nexthops(fi) {
-                if (!(nh->nh_flags&RTNH_F_DEAD) && nh->nh_power) {
-                        if ((w -= nh->nh_power) <= 0) {
-                                nh->nh_power--;
+                if (!(nexthop_nh->nh_flags&RTNH_F_DEAD) &&
+                    nexthop_nh->nh_power) {
+                        if ((w -= nexthop_nh->nh_power) <= 0) {
+                                nexthop_nh->nh_power--;
                                 fi->fib_power--;
                                 res->nh_sel = nhsel;
                                 spin_unlock_bh(&fib_multipath_lock);
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index fe11f60ce41b..4b4c2bcd15db 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -114,7 +114,7 @@ struct icmp_bxm {
 /* An array of errno for error messages from dest unreach. */
 /* RFC 1122: 3.2.2.1 States that NET_UNREACH, HOST_UNREACH and SR_FAILED MUST be considered 'transient errs'. */
 
-struct icmp_err icmp_err_convert[] = {
+const struct icmp_err icmp_err_convert[] = {
         {
                 .errno = ENETUNREACH,   /* ICMP_NET_UNREACH */
                 .fatal = 0,
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 76c08402c933..d28363998743 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -1799,7 +1799,7 @@ int ip_mc_join_group(struct sock *sk , struct ip_mreqn *imr)
         iml->next = inet->mc_list;
         iml->sflist = NULL;
         iml->sfmode = MCAST_EXCLUDE;
-        inet->mc_list = iml;
+        rcu_assign_pointer(inet->mc_list, iml);
         ip_mc_inc_group(in_dev, addr);
         err = 0;
 done:
@@ -1807,24 +1807,46 @@ done:
         return err;
 }
 
+static void ip_sf_socklist_reclaim(struct rcu_head *rp)
+{
+        struct ip_sf_socklist *psf;
+
+        psf = container_of(rp, struct ip_sf_socklist, rcu);
+        /* sk_omem_alloc should have been decreased by the caller*/
+        kfree(psf);
+}
+
 static int ip_mc_leave_src(struct sock *sk, struct ip_mc_socklist *iml,
                            struct in_device *in_dev)
 {
+        struct ip_sf_socklist *psf = iml->sflist;
         int err;
 
-        if (iml->sflist == NULL) {
+        if (psf == NULL) {
                 /* any-source empty exclude case */
                 return ip_mc_del_src(in_dev, &iml->multi.imr_multiaddr.s_addr,
                         iml->sfmode, 0, NULL, 0);
         }
         err = ip_mc_del_src(in_dev, &iml->multi.imr_multiaddr.s_addr,
-                        iml->sfmode, iml->sflist->sl_count,
-                        iml->sflist->sl_addr, 0);
-        sock_kfree_s(sk, iml->sflist, IP_SFLSIZE(iml->sflist->sl_max));
-        iml->sflist = NULL;
+                        iml->sfmode, psf->sl_count, psf->sl_addr, 0);
+        rcu_assign_pointer(iml->sflist, NULL);
+        /* decrease mem now to avoid the memleak warning */
+        atomic_sub(IP_SFLSIZE(psf->sl_max), &sk->sk_omem_alloc);
+        call_rcu(&psf->rcu, ip_sf_socklist_reclaim);
         return err;
 }
 
+
+static void ip_mc_socklist_reclaim(struct rcu_head *rp)
+{
+        struct ip_mc_socklist *iml;
+
+        iml = container_of(rp, struct ip_mc_socklist, rcu);
+        /* sk_omem_alloc should have been decreased by the caller*/
+        kfree(iml);
+}
+
+
 /*
  *      Ask a socket to leave a group.
  */
@@ -1854,12 +1876,14 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
 
                 (void) ip_mc_leave_src(sk, iml, in_dev);
 
-                *imlp = iml->next;
+                rcu_assign_pointer(*imlp, iml->next);
 
                 if (in_dev)
                         ip_mc_dec_group(in_dev, group);
                 rtnl_unlock();
-                sock_kfree_s(sk, iml, sizeof(*iml));
+                /* decrease mem now to avoid the memleak warning */
+                atomic_sub(sizeof(*iml), &sk->sk_omem_alloc);
+                call_rcu(&iml->rcu, ip_mc_socklist_reclaim);
                 return 0;
         }
         if (!in_dev)
@@ -1974,9 +1998,12 @@ int ip_mc_source(int add, int omode, struct sock *sk, struct
                 if (psl) {
                         for (i=0; i<psl->sl_count; i++)
                                 newpsl->sl_addr[i] = psl->sl_addr[i];
-                        sock_kfree_s(sk, psl, IP_SFLSIZE(psl->sl_max));
+                        /* decrease mem now to avoid the memleak warning */
+                        atomic_sub(IP_SFLSIZE(psl->sl_max), &sk->sk_omem_alloc);
+                        call_rcu(&psl->rcu, ip_sf_socklist_reclaim);
                 }
-                pmc->sflist = psl = newpsl;
+                rcu_assign_pointer(pmc->sflist, newpsl);
+                psl = newpsl;
         }
         rv = 1; /* > 0 for insert logic below if sl_count is 0 */
         for (i=0; i<psl->sl_count; i++) {
@@ -2072,11 +2099,13 @@ int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf, int ifindex)
         if (psl) {
                 (void) ip_mc_del_src(in_dev, &msf->imsf_multiaddr, pmc->sfmode,
                         psl->sl_count, psl->sl_addr, 0);
-                sock_kfree_s(sk, psl, IP_SFLSIZE(psl->sl_max));
+                /* decrease mem now to avoid the memleak warning */
+                atomic_sub(IP_SFLSIZE(psl->sl_max), &sk->sk_omem_alloc);
+                call_rcu(&psl->rcu, ip_sf_socklist_reclaim);
         } else
                 (void) ip_mc_del_src(in_dev, &msf->imsf_multiaddr, pmc->sfmode,
                         0, NULL, 0);
-        pmc->sflist = newpsl;
+        rcu_assign_pointer(pmc->sflist, newpsl);
         pmc->sfmode = msf->imsf_fmode;
         err = 0;
 done:
@@ -2209,30 +2238,40 @@ int ip_mc_sf_allow(struct sock *sk, __be32 loc_addr, __be32 rmt_addr, int dif)
         struct ip_mc_socklist *pmc;
         struct ip_sf_socklist *psl;
         int i;
+        int ret;
 
+        ret = 1;
         if (!ipv4_is_multicast(loc_addr))
-                return 1;
+                goto out;
 
-        for (pmc=inet->mc_list; pmc; pmc=pmc->next) {
+        rcu_read_lock();
+        for (pmc=rcu_dereference(inet->mc_list); pmc; pmc=rcu_dereference(pmc->next)) {
                 if (pmc->multi.imr_multiaddr.s_addr == loc_addr &&
                     pmc->multi.imr_ifindex == dif)
                         break;
         }
+        ret = inet->mc_all;
         if (!pmc)
-                return inet->mc_all;
+                goto unlock;
         psl = pmc->sflist;
+        ret = (pmc->sfmode == MCAST_EXCLUDE);
         if (!psl)
-                return pmc->sfmode == MCAST_EXCLUDE;
+                goto unlock;
 
         for (i=0; i<psl->sl_count; i++) {
                 if (psl->sl_addr[i] == rmt_addr)
                         break;
         }
+        ret = 0;
         if (pmc->sfmode == MCAST_INCLUDE && i >= psl->sl_count)
-                return 0;
+                goto unlock;
         if (pmc->sfmode == MCAST_EXCLUDE && i < psl->sl_count)
-                return 0;
-        return 1;
+                goto unlock;
+        ret = 1;
+unlock:
+        rcu_read_unlock();
+out:
+        return ret;
 }
 
 /*
@@ -2251,7 +2290,7 @@ void ip_mc_drop_socket(struct sock *sk)
         rtnl_lock();
         while ((iml = inet->mc_list) != NULL) {
                 struct in_device *in_dev;
-                inet->mc_list = iml->next;
+                rcu_assign_pointer(inet->mc_list, iml->next);
 
                 in_dev = inetdev_by_index(net, iml->multi.imr_ifindex);
                 (void) ip_mc_leave_src(sk, iml, in_dev);
@@ -2259,7 +2298,9 @@ void ip_mc_drop_socket(struct sock *sk)
                         ip_mc_dec_group(in_dev, iml->multi.imr_multiaddr.s_addr);
                         in_dev_put(in_dev);
                 }
-                sock_kfree_s(sk, iml, sizeof(*iml));
+                /* decrease mem now to avoid the memleak warning */
+                atomic_sub(sizeof(*iml), &sk->sk_omem_alloc);
+                call_rcu(&iml->rcu, ip_mc_socklist_reclaim);
         }
         rtnl_unlock();
 }
@@ -2603,7 +2644,7 @@ static const struct file_operations igmp_mcf_seq_fops = {
         .release        =       seq_release_net,
 };
 
-static int igmp_net_init(struct net *net)
+static int __net_init igmp_net_init(struct net *net)
 {
         struct proc_dir_entry *pde;
 
@@ -2621,7 +2662,7 @@ out_igmp:
         return -ENOMEM;
 }
 
-static void igmp_net_exit(struct net *net)
+static void __net_exit igmp_net_exit(struct net *net)
 {
         proc_net_remove(net, "mcfilter");
         proc_net_remove(net, "igmp");
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index ee16475f8fc3..8da6429269dd 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -529,6 +529,8 @@ void inet_csk_reqsk_queue_prune(struct sock *parent,
                                 syn_ack_recalc(req, thresh, max_retries,
                                                queue->rskq_defer_accept,
                                                &expire, &resend);
+                                if (req->rsk_ops->syn_ack_timeout)
+                                        req->rsk_ops->syn_ack_timeout(parent, req);
                                 if (!expire &&
                                     (!resend ||
                                      !req->rsk_ops->rtx_syn_ack(parent, req, NULL) ||
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index bdb78dd180ce..1aaa8110d84b 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -368,7 +368,7 @@ static int inet_diag_bc_run(const void *bc, int len,
                         yes = entry->sport >= op[1].no;
                         break;
                 case INET_DIAG_BC_S_LE:
-                        yes = entry->dport <= op[1].no;
+                        yes = entry->sport <= op[1].no;
                         break;
                 case INET_DIAG_BC_D_GE:
                         yes = entry->dport >= op[1].no;
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 86964b353c31..b59430bc041c 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -32,6 +32,8 @@
 #include <linux/netdevice.h>
 #include <linux/jhash.h>
 #include <linux/random.h>
+#include <net/route.h>
+#include <net/dst.h>
 #include <net/sock.h>
 #include <net/ip.h>
 #include <net/icmp.h>
@@ -205,11 +207,34 @@ static void ip_expire(unsigned long arg)
         if ((qp->q.last_in & INET_FRAG_FIRST_IN) && qp->q.fragments != NULL) {
                 struct sk_buff *head = qp->q.fragments;
 
-                /* Send an ICMP "Fragment Reassembly Timeout" message. */
                 rcu_read_lock();
                 head->dev = dev_get_by_index_rcu(net, qp->iif);
-                if (head->dev)
-                        icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
+                if (!head->dev)
+                        goto out_rcu_unlock;
+
+                /*
+                 * Only search router table for the head fragment,
+                 * when defraging timeout at PRE_ROUTING HOOK.
+                 */
+                if (qp->user == IP_DEFRAG_CONNTRACK_IN && !skb_dst(head)) {
+                        const struct iphdr *iph = ip_hdr(head);
+                        int err = ip_route_input(head, iph->daddr, iph->saddr,
+                                                 iph->tos, head->dev);
+                        if (unlikely(err))
+                                goto out_rcu_unlock;
+
+                        /*
+                         * Only an end host needs to send an ICMP
+                         * "Fragment Reassembly Timeout" message, per RFC792.
+                         */
+                        if (skb_rtable(head)->rt_type != RTN_LOCAL)
+                                goto out_rcu_unlock;
+
+                }
+
+                /* Send an ICMP "Fragment Reassembly Timeout" message. */
+                icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
+out_rcu_unlock:
                 rcu_read_unlock();
         }
 out:
@@ -646,7 +671,7 @@ static struct ctl_table ip4_frags_ctl_table[] = {
         { }
 };
 
-static int ip4_frags_ns_ctl_register(struct net *net)
+static int __net_init ip4_frags_ns_ctl_register(struct net *net)
 {
         struct ctl_table *table;
         struct ctl_table_header *hdr;
@@ -676,7 +701,7 @@ err_alloc:
         return -ENOMEM;
 }
 
-static void ip4_frags_ns_ctl_unregister(struct net *net)
+static void __net_exit ip4_frags_ns_ctl_unregister(struct net *net)
 {
         struct ctl_table *table;
 
@@ -704,7 +729,7 @@ static inline void ip4_frags_ctl_register(void)
 }
 #endif
 
-static int ipv4_frags_init_net(struct net *net)
+static int __net_init ipv4_frags_init_net(struct net *net)
 {
         /*
          * Fragment cache limits. We will commit 256K at one time. Should we
@@ -726,7 +751,7 @@ static int ipv4_frags_init_net(struct net *net)
         return ip4_frags_ns_ctl_register(net);
 }
 
-static void ipv4_frags_exit_net(struct net *net)
+static void __net_exit ipv4_frags_exit_net(struct net *net)
 {
         ip4_frags_ns_ctl_unregister(net);
         inet_frags_exit_net(&net->ipv4.frags, &ip4_frags);
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index f36ce156cac6..7631b20490f5 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -1307,7 +1307,7 @@ static void ipgre_destroy_tunnels(struct ipgre_net *ign, struct list_head *head)
         }
 }
 
-static int ipgre_init_net(struct net *net)
+static int __net_init ipgre_init_net(struct net *net)
 {
         struct ipgre_net *ign = net_generic(net, ipgre_net_id);
         int err;
@@ -1334,7 +1334,7 @@ err_alloc_dev:
         return err;
 }
 
-static void ipgre_exit_net(struct net *net)
+static void __net_exit ipgre_exit_net(struct net *net)
 {
         struct ipgre_net *ign;
         LIST_HEAD(list);
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index e34013a78ef4..3451799e3dbf 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -254,7 +254,7 @@ int ip_mc_output(struct sk_buff *skb)
          */
 
         if (rt->rt_flags&RTCF_MULTICAST) {
-                if ((!sk || inet_sk(sk)->mc_loop)
+                if (sk_mc_loop(sk)
 #ifdef CONFIG_IP_MROUTE
                 /* Small optimization: do not loopback not local frames,
                    which returned after forwarding; they will be  dropped
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index cafad9baff03..644dc43a55de 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -451,7 +451,8 @@ static int do_ip_setsockopt(struct sock *sk, int level,
                              (1<<IP_TTL) | (1<<IP_HDRINCL) |
                              (1<<IP_MTU_DISCOVER) | (1<<IP_RECVERR) |
                              (1<<IP_ROUTER_ALERT) | (1<<IP_FREEBIND) |
-                             (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT))) ||
+                             (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT) |
+                             (1<<IP_MINTTL))) ||
             optname == IP_MULTICAST_TTL ||
             optname == IP_MULTICAST_ALL ||
             optname == IP_MULTICAST_LOOP ||
@@ -936,6 +937,14 @@ mc_msf_out:
                 inet->transparent = !!val;
                 break;
 
+        case IP_MINTTL:
+                if (optlen < 1)
+                        goto e_inval;
+                if (val < 0 || val > 255)
+                        goto e_inval;
+                inet->min_ttl = val;
+                break;
+
         default:
                 err = -ENOPROTOOPT;
                 break;
@@ -1198,6 +1207,9 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
         case IP_TRANSPARENT:
                 val = inet->transparent;
                 break;
+        case IP_MINTTL:
+                val = inet->min_ttl;
+                break;
         default:
                 release_sock(sk);
                 return -ENOPROTOOPT;
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index 38fbf04150ae..b55a0c3df82f 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -25,6 +25,7 @@
 
 static void ipcomp4_err(struct sk_buff *skb, u32 info)
 {
+        struct net *net = dev_net(skb->dev);
         __be32 spi;
         struct iphdr *iph = (struct iphdr *)skb->data;
         struct ip_comp_hdr *ipch = (struct ip_comp_hdr *)(skb->data+(iph->ihl<<2));
@@ -35,7 +36,7 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
                 return;
 
         spi = htonl(ntohs(ipch->cpi));
-        x = xfrm_state_lookup(&init_net, (xfrm_address_t *)&iph->daddr,
+        x = xfrm_state_lookup(net, (xfrm_address_t *)&iph->daddr,
                               spi, IPPROTO_COMP, AF_INET);
         if (!x)
                 return;
@@ -47,9 +48,10 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
 /* We always hold one tunnel user reference to indicate a tunnel */
 static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x)
 {
+        struct net *net = xs_net(x);
         struct xfrm_state *t;
 
-        t = xfrm_state_alloc(&init_net);
+        t = xfrm_state_alloc(net);
         if (t == NULL)
                 goto out;
 
@@ -82,10 +84,11 @@ error:
  */
 static int ipcomp_tunnel_attach(struct xfrm_state *x)
 {
+        struct net *net = xs_net(x);
         int err = 0;
         struct xfrm_state *t;
 
-        t = xfrm_state_lookup(&init_net, (xfrm_address_t *)&x->id.daddr.a4,
+        t = xfrm_state_lookup(net, (xfrm_address_t *)&x->id.daddr.a4,
                               x->props.saddr.a4, IPPROTO_IPIP, AF_INET);
         if (!t) {
                 t = ipcomp_tunnel_create(x);
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index 4e08b7f2331c..10a6a604bf32 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -1446,7 +1446,7 @@ late_initcall(ip_auto_config);
 
 /*
  *  Decode any IP configuration options in the "ip=" or "nfsaddrs=" kernel
- *  command line parameter.  See Documentation/filesystems/nfsroot.txt.
+ *  command line parameter.  See Documentation/filesystems/nfs/nfsroot.txt.
  */
 static int __init ic_proto_name(char *name)
 {
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index eda04fed3379..95db732e542b 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -130,7 +130,6 @@ struct ipip_net {
         struct net_device *fb_tunnel_dev;
 };
 
-static void ipip_fb_tunnel_init(struct net_device *dev);
 static void ipip_tunnel_init(struct net_device *dev);
 static void ipip_tunnel_setup(struct net_device *dev);
 
@@ -730,7 +729,7 @@ static void ipip_tunnel_init(struct net_device *dev)
         ipip_tunnel_bind_dev(dev);
 }
 
-static void ipip_fb_tunnel_init(struct net_device *dev)
+static void __net_init ipip_fb_tunnel_init(struct net_device *dev)
 {
         struct ip_tunnel *tunnel = netdev_priv(dev);
         struct iphdr *iph = &tunnel->parms.iph;
@@ -773,7 +772,7 @@ static void ipip_destroy_tunnels(struct ipip_net *ipn, struct list_head *head)
         }
 }
 
-static int ipip_init_net(struct net *net)
+static int __net_init ipip_init_net(struct net *net)
 {
         struct ipip_net *ipn = net_generic(net, ipip_net_id);
         int err;
@@ -806,7 +805,7 @@ err_alloc_dev:
         return err;
 }
 
-static void ipip_exit_net(struct net *net)
+static void __net_exit ipip_exit_net(struct net *net)
 {
         struct ipip_net *ipn = net_generic(net, ipip_net_id);
         LIST_HEAD(list);
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 06632762ba5f..90203e1b9187 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -925,10 +925,10 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
         if (t && !IS_ERR(t)) {
                 struct arpt_getinfo info;
                 const struct xt_table_info *private = t->private;
-
 #ifdef CONFIG_COMPAT
+                struct xt_table_info tmp;
+
                 if (compat) {
-                        struct xt_table_info tmp;
                         ret = compat_table_info(private, &tmp);
                         xt_compat_flush_offsets(NFPROTO_ARP);
                         private = &tmp;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 572330a552ef..3ce53cf13d5a 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1132,10 +1132,10 @@ static int get_info(struct net *net, void __user *user, int *len, int compat)
         if (t && !IS_ERR(t)) {
                 struct ipt_getinfo info;
                 const struct xt_table_info *private = t->private;
-
 #ifdef CONFIG_COMPAT
+                struct xt_table_info tmp;
+
                 if (compat) {
-                        struct xt_table_info tmp;
                         ret = compat_table_info(private, &tmp);
                         xt_compat_flush_offsets(AF_INET);
                         private = &tmp;
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 549e206cdd42..ea5cea2415c1 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -50,7 +50,7 @@ set_ect_tcp(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
         struct tcphdr _tcph, *tcph;
         __be16 oldval;
 
-        /* Not enought header? */
+        /* Not enough header? */
         tcph = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_tcph), &_tcph);
         if (!tcph)
                 return false;
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index d171b123a656..d1ea38a7c490 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -210,7 +210,7 @@ static ctl_table ip_ct_sysctl_table[] = {
         },
         {
                 .procname       = "ip_conntrack_buckets",
-                .data           = &nf_conntrack_htable_size,
+                .data           = &init_net.ct.htable_size,
                 .maxlen         = sizeof(unsigned int),
                 .mode           = 0444,
                 .proc_handler   = proc_dointvec,
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 8668a3defda6..2fb7b76da94f 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -32,7 +32,7 @@ static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
         struct hlist_nulls_node *n;
 
         for (st->bucket = 0;
-             st->bucket < nf_conntrack_htable_size;
+             st->bucket < net->ct.htable_size;
              st->bucket++) {
                 n = rcu_dereference(net->ct.hash[st->bucket].first);
                 if (!is_a_nulls(n))
@@ -50,7 +50,7 @@ static struct hlist_nulls_node *ct_get_next(struct seq_file *seq,
         head = rcu_dereference(head->next);
         while (is_a_nulls(head)) {
                 if (likely(get_nulls_value(head) == st->bucket)) {
-                        if (++st->bucket >= nf_conntrack_htable_size)
+                        if (++st->bucket >= net->ct.htable_size)
                                 return NULL;
                 }
                 head = rcu_dereference(net->ct.hash[st->bucket].first);
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index fa2d6b6fc3e5..331ead3ebd1b 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -14,6 +14,7 @@
 #include <net/route.h>
 #include <net/ip.h>
 
+#include <linux/netfilter_bridge.h>
 #include <linux/netfilter_ipv4.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
@@ -34,6 +35,20 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
         return err;
 }
 
+static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
+                                              struct sk_buff *skb)
+{
+#ifdef CONFIG_BRIDGE_NETFILTER
+        if (skb->nf_bridge &&
+            skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
+                return IP_DEFRAG_CONNTRACK_BRIDGE_IN;
+#endif
+        if (hooknum == NF_INET_PRE_ROUTING)
+                return IP_DEFRAG_CONNTRACK_IN;
+        else
+                return IP_DEFRAG_CONNTRACK_OUT;
+}
+
 static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
                                           struct sk_buff *skb,
                                           const struct net_device *in,
@@ -50,10 +65,8 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
 #endif
         /* Gather fragments. */
         if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
-                if (nf_ct_ipv4_gather_frags(skb,
-                                            hooknum == NF_INET_PRE_ROUTING ?
-                                            IP_DEFRAG_CONNTRACK_IN :
-                                            IP_DEFRAG_CONNTRACK_OUT))
+                enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);
+                if (nf_ct_ipv4_gather_frags(skb, user))
                         return NF_STOLEN;
         }
         return NF_ACCEPT;
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index fe1a64479dd0..26066a2327ad 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -35,9 +35,6 @@ static DEFINE_SPINLOCK(nf_nat_lock);
 
 static struct nf_conntrack_l3proto *l3proto __read_mostly;
 
-/* Calculated at init based on memory size */
-static unsigned int nf_nat_htable_size __read_mostly;
-
 #define MAX_IP_NAT_PROTO 256
 static const struct nf_nat_protocol *nf_nat_protos[MAX_IP_NAT_PROTO]
                                                 __read_mostly;
@@ -72,7 +69,7 @@ EXPORT_SYMBOL_GPL(nf_nat_proto_put);
 
 /* We keep an extra hash for each conntrack, for fast searching. */
 static inline unsigned int
-hash_by_src(const struct nf_conntrack_tuple *tuple)
+hash_by_src(const struct net *net, const struct nf_conntrack_tuple *tuple)
 {
         unsigned int hash;
 
@@ -80,7 +77,7 @@ hash_by_src(const struct nf_conntrack_tuple *tuple)
         hash = jhash_3words((__force u32)tuple->src.u3.ip,
                             (__force u32)tuple->src.u.all,
                             tuple->dst.protonum, 0);
-        return ((u64)hash * nf_nat_htable_size) >> 32;
+        return ((u64)hash * net->ipv4.nat_htable_size) >> 32;
 }
 
 /* Is this tuple already taken? (not by us) */
@@ -147,7 +144,7 @@ find_appropriate_src(struct net *net,
                      struct nf_conntrack_tuple *result,
                      const struct nf_nat_range *range)
 {
-        unsigned int h = hash_by_src(tuple);
+        unsigned int h = hash_by_src(net, tuple);
         const struct nf_conn_nat *nat;
         const struct nf_conn *ct;
         const struct hlist_node *n;
@@ -330,7 +327,7 @@ nf_nat_setup_info(struct nf_conn *ct,
         if (have_to_hash) {
                 unsigned int srchash;
 
-                srchash = hash_by_src(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
+                srchash = hash_by_src(net, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
                 spin_lock_bh(&nf_nat_lock);
                 /* nf_conntrack_alter_reply might re-allocate exntension aera */
                 nat = nfct_nat(ct);
@@ -679,8 +676,10 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct,
 
 static int __net_init nf_nat_net_init(struct net *net)
 {
-        net->ipv4.nat_bysource = nf_ct_alloc_hashtable(&nf_nat_htable_size,
-                                                      &net->ipv4.nat_vmalloced, 0);
+        /* Leave them the same for the moment. */
+        net->ipv4.nat_htable_size = net->ct.htable_size;
+        net->ipv4.nat_bysource = nf_ct_alloc_hashtable(&net->ipv4.nat_htable_size,
+                                                       &net->ipv4.nat_vmalloced, 0);
         if (!net->ipv4.nat_bysource)
                 return -ENOMEM;
         return 0;
@@ -703,7 +702,7 @@ static void __net_exit nf_nat_net_exit(struct net *net)
         nf_ct_iterate_cleanup(net, &clean_nat, NULL);
         synchronize_rcu();
         nf_ct_free_hashtable(net->ipv4.nat_bysource, net->ipv4.nat_vmalloced,
-                             nf_nat_htable_size);
+                             net->ipv4.nat_htable_size);
 }
 
 static struct pernet_operations nf_nat_net_ops = {
@@ -724,9 +723,6 @@ static int __init nf_nat_init(void)
                 return ret;
         }
 
-        /* Leave them the same for the moment. */
-        nf_nat_htable_size = nf_conntrack_htable_size;
-
         ret = register_pernet_subsys(&nf_nat_net_ops);
         if (ret < 0)
                 goto cleanup_extend;
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index f25542c48b7d..1b09a6dde7c0 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -127,8 +127,8 @@ static const struct snmp_mib snmp4_ipextstats_list[] = {
         SNMP_MIB_SENTINEL
 };
 
-static struct {
-        char *name;
+static const struct {
+        const char *name;
         int index;
 } icmpmibmap[] = {
         { "DestUnreachs", ICMP_DEST_UNREACH },
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index e446496f564f..b16dfadbe6d6 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -586,7 +586,9 @@ static void __net_exit ip_rt_do_proc_exit(struct net *net)
 {
         remove_proc_entry("rt_cache", net->proc_net_stat);
         remove_proc_entry("rt_cache", net->proc_net);
+#ifdef CONFIG_NET_CLS_ROUTE
         remove_proc_entry("rt_acct", net->proc_net);
+#endif
 }
 
 static struct pernet_operations ip_rt_proc_ops __net_initdata =  {
@@ -1988,8 +1990,13 @@ static int __mkroute_input(struct sk_buff *skb,
         if (skb->protocol != htons(ETH_P_IP)) {
                 /* Not IP (i.e. ARP). Do not create route, if it is
                  * invalid for proxy arp. DNAT routes are always valid.
+                 *
+                 * Proxy arp feature have been extended to allow, ARP
+                 * replies back to the same interface, to support
+                 * Private VLAN switch technologies. See arp.c.
                  */
-                if (out_dev == in_dev) {
+                if (out_dev == in_dev &&
+                    IN_DEV_PROXY_ARP_PVLAN(in_dev) == 0) {
                         err = -EINVAL;
                         goto cleanup;
                 }
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 26399ad2a289..5c24db4a3c91 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -277,6 +277,13 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
 
         NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESRECV);
 
+        /* check for timestamp cookie support */
+        memset(&tcp_opt, 0, sizeof(tcp_opt));
+        tcp_parse_options(skb, &tcp_opt, &hash_location, 0);
+
+        if (tcp_opt.saw_tstamp)
+                cookie_check_timestamp(&tcp_opt);
+
         ret = NULL;
         req = inet_reqsk_alloc(&tcp_request_sock_ops); /* for safety */
         if (!req)
@@ -292,6 +299,12 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
         ireq->loc_addr          = ip_hdr(skb)->daddr;
         ireq->rmt_addr          = ip_hdr(skb)->saddr;
         ireq->ecn_ok            = 0;
+        ireq->snd_wscale        = tcp_opt.snd_wscale;
+        ireq->rcv_wscale        = tcp_opt.rcv_wscale;
+        ireq->sack_ok           = tcp_opt.sack_ok;
+        ireq->wscale_ok         = tcp_opt.wscale_ok;
+        ireq->tstamp_ok         = tcp_opt.saw_tstamp;
+        req->ts_recent          = tcp_opt.saw_tstamp ? tcp_opt.rcv_tsval : 0;
 
         /* We throwed the options of the initial SYN away, so we hope
          * the ACK carries the same options again (see RFC1122 4.2.3.8)
@@ -340,26 +353,13 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
                 }
         }
 
-        /* check for timestamp cookie support */
-        memset(&tcp_opt, 0, sizeof(tcp_opt));
-        tcp_parse_options(skb, &tcp_opt, &hash_location, 0, &rt->u.dst);
-
-        if (tcp_opt.saw_tstamp)
-                cookie_check_timestamp(&tcp_opt);
-
-        ireq->snd_wscale        = tcp_opt.snd_wscale;
-        ireq->rcv_wscale        = tcp_opt.rcv_wscale;
-        ireq->sack_ok           = tcp_opt.sack_ok;
-        ireq->wscale_ok         = tcp_opt.wscale_ok;
-        ireq->tstamp_ok         = tcp_opt.saw_tstamp;
-        req->ts_recent          = tcp_opt.saw_tstamp ? tcp_opt.rcv_tsval : 0;
-
         /* Try to redo what tcp_v4_send_synack did. */
         req->window_clamp = tp->window_clamp ? :dst_metric(&rt->u.dst, RTAX_WINDOW);
 
         tcp_select_initial_window(tcp_full_space(sk), req->mss,
                                   &req->rcv_wnd, &req->window_clamp,
-                                  ireq->wscale_ok, &rcv_wscale);
+                                  ireq->wscale_ok, &rcv_wscale,
+                                  dst_metric(&rt->u.dst, RTAX_INITRWND));
 
         ireq->rcv_wscale  = rcv_wscale;
 
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b0a26bb25e2e..d5d69ea8f249 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -536,8 +536,7 @@ static inline void skb_entail(struct sock *sk, struct sk_buff *skb)
                 tp->nonagle &= ~TCP_NAGLE_PUSH;
 }
 
-static inline void tcp_mark_urg(struct tcp_sock *tp, int flags,
-                                struct sk_buff *skb)
+static inline void tcp_mark_urg(struct tcp_sock *tp, int flags)
 {
         if (flags & MSG_OOB)
                 tp->snd_up = tp->write_seq;
@@ -546,13 +545,13 @@ static inline void tcp_mark_urg(struct tcp_sock *tp, int flags,
 static inline void tcp_push(struct sock *sk, int flags, int mss_now,
                             int nonagle)
 {
-        struct tcp_sock *tp = tcp_sk(sk);
-
         if (tcp_send_head(sk)) {
-                struct sk_buff *skb = tcp_write_queue_tail(sk);
+                struct tcp_sock *tp = tcp_sk(sk);
+
                 if (!(flags & MSG_MORE) || forced_push(tp))
-                        tcp_mark_push(tp, skb);
-                tcp_mark_urg(tp, flags, skb);
+                        tcp_mark_push(tp, tcp_write_queue_tail(sk));
+
+                tcp_mark_urg(tp, flags);
                 __tcp_push_pending_frames(sk, mss_now,
                                           (flags & MSG_MORE) ? TCP_NAGLE_CORK : nonagle);
         }
@@ -877,12 +876,12 @@ ssize_t tcp_sendpage(struct socket *sock, struct page *page, int offset,
 #define TCP_PAGE(sk)    (sk->sk_sndmsg_page)
 #define TCP_OFF(sk)     (sk->sk_sndmsg_off)
 
-static inline int select_size(struct sock *sk)
+static inline int select_size(struct sock *sk, int sg)
 {
         struct tcp_sock *tp = tcp_sk(sk);
         int tmp = tp->mss_cache;
 
-        if (sk->sk_route_caps & NETIF_F_SG) {
+        if (sg) {
                 if (sk_can_gso(sk))
                         tmp = 0;
                 else {
@@ -906,7 +905,7 @@ int tcp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
         struct sk_buff *skb;
         int iovlen, flags;
         int mss_now, size_goal;
-        int err, copied;
+        int sg, err, copied;
         long timeo;
 
         lock_sock(sk);
@@ -934,6 +933,8 @@ int tcp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
         if (sk->sk_err || (sk->sk_shutdown & SEND_SHUTDOWN))
                 goto out_err;
 
+        sg = sk->sk_route_caps & NETIF_F_SG;
+
         while (--iovlen >= 0) {
                 int seglen = iov->iov_len;
                 unsigned char __user *from = iov->iov_base;
@@ -959,8 +960,9 @@ new_segment:
                                 if (!sk_stream_memory_free(sk))
                                         goto wait_for_sndbuf;
 
-                                skb = sk_stream_alloc_skb(sk, select_size(sk),
-                                                sk->sk_allocation);
+                                skb = sk_stream_alloc_skb(sk,
+                                                          select_size(sk, sg),
+                                                          sk->sk_allocation);
                                 if (!skb)
                                         goto wait_for_memory;
 
@@ -997,9 +999,7 @@ new_segment:
                                         /* We can extend the last page
                                          * fragment. */
                                         merge = 1;
-                                } else if (i == MAX_SKB_FRAGS ||
-                                           (!i &&
-                                           !(sk->sk_route_caps & NETIF_F_SG))) {
+                                } else if (i == MAX_SKB_FRAGS || !sg) {
                                         /* Need to add new fragment and cannot
                                          * do this because interface is non-SG,
                                          * or because all the page slots are
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 12cab7d74dba..28e029632493 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3727,7 +3727,7 @@ old_ack:
  * the fast version below fails.
  */
 void tcp_parse_options(struct sk_buff *skb, struct tcp_options_received *opt_rx,
-                       u8 **hvpp, int estab,  struct dst_entry *dst)
+                       u8 **hvpp, int estab)
 {
         unsigned char *ptr;
         struct tcphdr *th = tcp_hdr(skb);
@@ -3766,8 +3766,7 @@ void tcp_parse_options(struct sk_buff *skb, struct tcp_options_received *opt_rx,
                                 break;
                         case TCPOPT_WINDOW:
                                 if (opsize == TCPOLEN_WINDOW && th->syn &&
-                                    !estab && sysctl_tcp_window_scaling &&
-                                    !dst_feature(dst, RTAX_FEATURE_NO_WSCALE)) {
+                                    !estab && sysctl_tcp_window_scaling) {
                                         __u8 snd_wscale = *(__u8 *)ptr;
                                         opt_rx->wscale_ok = 1;
                                         if (snd_wscale > 14) {
@@ -3783,8 +3782,7 @@ void tcp_parse_options(struct sk_buff *skb, struct tcp_options_received *opt_rx,
                         case TCPOPT_TIMESTAMP:
                                 if ((opsize == TCPOLEN_TIMESTAMP) &&
                                     ((estab && opt_rx->tstamp_ok) ||
-                                     (!estab && sysctl_tcp_timestamps &&
-                                      !dst_feature(dst, RTAX_FEATURE_NO_TSTAMP)))) {
+                                     (!estab && sysctl_tcp_timestamps))) {
                                         opt_rx->saw_tstamp = 1;
                                         opt_rx->rcv_tsval = get_unaligned_be32(ptr);
                                         opt_rx->rcv_tsecr = get_unaligned_be32(ptr + 4);
@@ -3792,8 +3790,7 @@ void tcp_parse_options(struct sk_buff *skb, struct tcp_options_received *opt_rx,
                                 break;
                         case TCPOPT_SACK_PERM:
                                 if (opsize == TCPOLEN_SACK_PERM && th->syn &&
-                                    !estab && sysctl_tcp_sack &&
-                                    !dst_feature(dst, RTAX_FEATURE_NO_SACK)) {
+                                    !estab && sysctl_tcp_sack) {
                                         opt_rx->sack_ok = 1;
                                         tcp_sack_reset(opt_rx);
                                 }
@@ -3878,7 +3875,7 @@ static int tcp_fast_parse_options(struct sk_buff *skb, struct tcphdr *th,
                 if (tcp_parse_aligned_timestamp(tp, th))
                         return 1;
         }
-        tcp_parse_options(skb, &tp->rx_opt, hvpp, 1, NULL);
+        tcp_parse_options(skb, &tp->rx_opt, hvpp, 1);
         return 1;
 }
 
@@ -4133,10 +4130,8 @@ static inline int tcp_sack_extend(struct tcp_sack_block *sp, u32 seq,
 static void tcp_dsack_set(struct sock *sk, u32 seq, u32 end_seq)
 {
         struct tcp_sock *tp = tcp_sk(sk);
-        struct dst_entry *dst = __sk_dst_get(sk);
 
-        if (tcp_is_sack(tp) && sysctl_tcp_dsack &&
-            !dst_feature(dst, RTAX_FEATURE_NO_DSACK)) {
+        if (tcp_is_sack(tp) && sysctl_tcp_dsack) {
                 int mib_idx;
 
                 if (before(seq, tp->rcv_nxt))
@@ -4165,15 +4160,13 @@ static void tcp_dsack_extend(struct sock *sk, u32 seq, u32 end_seq)
 static void tcp_send_dupack(struct sock *sk, struct sk_buff *skb)
 {
         struct tcp_sock *tp = tcp_sk(sk);
-        struct dst_entry *dst = __sk_dst_get(sk);
 
         if (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq &&
             before(TCP_SKB_CB(skb)->seq, tp->rcv_nxt)) {
                 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOST);
                 tcp_enter_quickack_mode(sk);
 
-                if (tcp_is_sack(tp) && sysctl_tcp_dsack &&
-                    !dst_feature(dst, RTAX_FEATURE_NO_DSACK)) {
+                if (tcp_is_sack(tp) && sysctl_tcp_dsack) {
                         u32 end_seq = TCP_SKB_CB(skb)->end_seq;
 
                         if (after(TCP_SKB_CB(skb)->end_seq, tp->rcv_nxt))
@@ -5428,11 +5421,10 @@ static int tcp_rcv_synsent_state_process(struct sock *sk, struct sk_buff *skb,
         u8 *hash_location;
         struct inet_connection_sock *icsk = inet_csk(sk);
         struct tcp_sock *tp = tcp_sk(sk);
-        struct dst_entry *dst = __sk_dst_get(sk);
         struct tcp_cookie_values *cvp = tp->cookie_values;
         int saved_clamp = tp->rx_opt.mss_clamp;
 
-        tcp_parse_options(skb, &tp->rx_opt, &hash_location, 0, dst);
+        tcp_parse_options(skb, &tp->rx_opt, &hash_location, 0);
 
         if (th->ack) {
                 /* rfc793:
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 15e96030ce47..c3588b4fd979 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -742,9 +742,9 @@ static void tcp_v4_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
  *      This still operates on a request_sock only, not on a big
  *      socket.
  */
-static int __tcp_v4_send_synack(struct sock *sk, struct dst_entry *dst,
-                                struct request_sock *req,
-                                struct request_values *rvp)
+static int tcp_v4_send_synack(struct sock *sk, struct dst_entry *dst,
+                              struct request_sock *req,
+                              struct request_values *rvp)
 {
         const struct inet_request_sock *ireq = inet_rsk(req);
         int err = -1;
@@ -775,10 +775,11 @@ static int __tcp_v4_send_synack(struct sock *sk, struct dst_entry *dst,
         return err;
 }
 
-static int tcp_v4_send_synack(struct sock *sk, struct request_sock *req,
+static int tcp_v4_rtx_synack(struct sock *sk, struct request_sock *req,
                               struct request_values *rvp)
 {
-        return __tcp_v4_send_synack(sk, NULL, req, rvp);
+        TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_RETRANSSEGS);
+        return tcp_v4_send_synack(sk, NULL, req, rvp);
 }
 
 /*
@@ -1192,10 +1193,11 @@ static int tcp_v4_inbound_md5_hash(struct sock *sk, struct sk_buff *skb)
 struct request_sock_ops tcp_request_sock_ops __read_mostly = {
         .family         =       PF_INET,
         .obj_size       =       sizeof(struct tcp_request_sock),
-        .rtx_syn_ack    =       tcp_v4_send_synack,
+        .rtx_syn_ack    =       tcp_v4_rtx_synack,
         .send_ack       =       tcp_v4_reqsk_send_ack,
         .destructor     =       tcp_v4_reqsk_destructor,
         .send_reset     =       tcp_v4_send_reset,
+        .syn_ack_timeout =      tcp_syn_ack_timeout,
 };
 
 #ifdef CONFIG_TCP_MD5SIG
@@ -1262,20 +1264,10 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
         tcp_rsk(req)->af_specific = &tcp_request_sock_ipv4_ops;
 #endif
 
-        ireq = inet_rsk(req);
-        ireq->loc_addr = daddr;
-        ireq->rmt_addr = saddr;
-        ireq->no_srccheck = inet_sk(sk)->transparent;
-        ireq->opt = tcp_v4_save_options(sk, skb);
-
-        dst = inet_csk_route_req(sk, req);
-        if(!dst)
-                goto drop_and_free;
-
         tcp_clear_options(&tmp_opt);
         tmp_opt.mss_clamp = TCP_MSS_DEFAULT;
         tmp_opt.user_mss  = tp->rx_opt.user_mss;
-        tcp_parse_options(skb, &tmp_opt, &hash_location, 0, dst);
+        tcp_parse_options(skb, &tmp_opt, &hash_location, 0);
 
         if (tmp_opt.cookie_plus > 0 &&
             tmp_opt.saw_tstamp &&
@@ -1319,8 +1311,14 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
         tmp_opt.tstamp_ok = tmp_opt.saw_tstamp;
         tcp_openreq_init(req, &tmp_opt, skb);
 
+        ireq = inet_rsk(req);
+        ireq->loc_addr = daddr;
+        ireq->rmt_addr = saddr;
+        ireq->no_srccheck = inet_sk(sk)->transparent;
+        ireq->opt = tcp_v4_save_options(sk, skb);
+
         if (security_inet_conn_request(sk, skb, req))
-                goto drop_and_release;
+                goto drop_and_free;
 
         if (!want_cookie)
                 TCP_ECN_create_request(req, tcp_hdr(skb));
@@ -1345,6 +1343,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
                  */
                 if (tmp_opt.saw_tstamp &&
                     tcp_death_row.sysctl_tw_recycle &&
+                    (dst = inet_csk_route_req(sk, req)) != NULL &&
                     (peer = rt_get_peer((struct rtable *)dst)) != NULL &&
                     peer->v4daddr == saddr) {
                         if ((u32)get_seconds() - peer->tcp_ts_stamp < TCP_PAWS_MSL &&
@@ -1376,8 +1375,8 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
         }
         tcp_rsk(req)->snt_isn = isn;
 
-        if (__tcp_v4_send_synack(sk, dst, req,
-                                 (struct request_values *)&tmp_ext) ||
+        if (tcp_v4_send_synack(sk, dst, req,
+                               (struct request_values *)&tmp_ext) ||
             want_cookie)
                 goto drop_and_free;
 
@@ -1652,6 +1651,9 @@ int tcp_v4_rcv(struct sk_buff *skb)
         if (!sk)
                 goto no_tcp_socket;
 
+        if (iph->ttl < inet_sk(sk)->min_ttl)
+                goto discard_and_relse;
+
 process:
         if (sk->sk_state == TCP_TIME_WAIT)
                 goto do_time_wait;
@@ -2428,12 +2430,12 @@ static struct tcp_seq_afinfo tcp4_seq_afinfo = {
         },
 };
 
-static int tcp4_proc_init_net(struct net *net)
+static int __net_init tcp4_proc_init_net(struct net *net)
 {
         return tcp_proc_register(net, &tcp4_seq_afinfo);
 }
 
-static void tcp4_proc_exit_net(struct net *net)
+static void __net_exit tcp4_proc_exit_net(struct net *net)
 {
         tcp_proc_unregister(net, &tcp4_seq_afinfo);
 }
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 87accec8d097..f206ee5dda80 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -95,9 +95,9 @@ tcp_timewait_state_process(struct inet_timewait_sock *tw, struct sk_buff *skb,
         struct tcp_timewait_sock *tcptw = tcp_twsk((struct sock *)tw);
         int paws_reject = 0;
 
+        tmp_opt.saw_tstamp = 0;
         if (th->doff > (sizeof(*th) >> 2) && tcptw->tw_ts_recent_stamp) {
-                tmp_opt.tstamp_ok = 1;
-                tcp_parse_options(skb, &tmp_opt, &hash_location, 1, NULL);
+                tcp_parse_options(skb, &tmp_opt, &hash_location, 0);
 
                 if (tmp_opt.saw_tstamp) {
                         tmp_opt.ts_recent       = tcptw->tw_ts_recent;
@@ -526,9 +526,9 @@ struct sock *tcp_check_req(struct sock *sk, struct sk_buff *skb,
         __be32 flg = tcp_flag_word(th) & (TCP_FLAG_RST|TCP_FLAG_SYN|TCP_FLAG_ACK);
         int paws_reject = 0;
 
-        if ((th->doff > (sizeof(*th) >> 2)) && (req->ts_recent)) {
-                tmp_opt.tstamp_ok = 1;
-                tcp_parse_options(skb, &tmp_opt, &hash_location, 1, NULL);
+        tmp_opt.saw_tstamp = 0;
+        if (th->doff > (sizeof(struct tcphdr)>>2)) {
+                tcp_parse_options(skb, &tmp_opt, &hash_location, 0);
 
                 if (tmp_opt.saw_tstamp) {
                         tmp_opt.ts_recent = req->ts_recent;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 93316a96d820..4a1605d3f909 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -183,7 +183,8 @@ static inline void tcp_event_ack_sent(struct sock *sk, unsigned int pkts)
  */
 void tcp_select_initial_window(int __space, __u32 mss,
                                __u32 *rcv_wnd, __u32 *window_clamp,
-                               int wscale_ok, __u8 *rcv_wscale)
+                               int wscale_ok, __u8 *rcv_wscale,
+                               __u32 init_rcv_wnd)
 {
         unsigned int space = (__space < 0 ? 0 : __space);
 
@@ -232,7 +233,13 @@ void tcp_select_initial_window(int __space, __u32 mss,
                         init_cwnd = 2;
                 else if (mss > 1460)
                         init_cwnd = 3;
-                if (*rcv_wnd > init_cwnd * mss)
+                /* when initializing use the value from init_rcv_wnd
+                 * rather than the default from above
+                 */
+                if (init_rcv_wnd &&
+                    (*rcv_wnd > init_rcv_wnd * mss))
+                        *rcv_wnd = init_rcv_wnd * mss;
+                else if (*rcv_wnd > init_cwnd * mss)
                         *rcv_wnd = init_cwnd * mss;
         }
 
@@ -553,7 +560,6 @@ static unsigned tcp_syn_options(struct sock *sk, struct sk_buff *skb,
                                 struct tcp_md5sig_key **md5) {
         struct tcp_sock *tp = tcp_sk(sk);
         struct tcp_cookie_values *cvp = tp->cookie_values;
-        struct dst_entry *dst = __sk_dst_get(sk);
         unsigned remaining = MAX_TCP_OPTION_SPACE;
         u8 cookie_size = (!tp->rx_opt.cookie_out_never && cvp != NULL) ?
                          tcp_cookie_size_check(cvp->cookie_desired) :
@@ -581,22 +587,18 @@ static unsigned tcp_syn_options(struct sock *sk, struct sk_buff *skb,
         opts->mss = tcp_advertise_mss(sk);
         remaining -= TCPOLEN_MSS_ALIGNED;
 
-        if (likely(sysctl_tcp_timestamps &&
-                   !dst_feature(dst, RTAX_FEATURE_NO_TSTAMP) &&
-                   *md5 == NULL)) {
+        if (likely(sysctl_tcp_timestamps && *md5 == NULL)) {
                 opts->options |= OPTION_TS;
                 opts->tsval = TCP_SKB_CB(skb)->when;
                 opts->tsecr = tp->rx_opt.ts_recent;
                 remaining -= TCPOLEN_TSTAMP_ALIGNED;
         }
-        if (likely(sysctl_tcp_window_scaling &&
-                   !dst_feature(dst, RTAX_FEATURE_NO_WSCALE))) {
+        if (likely(sysctl_tcp_window_scaling)) {
                 opts->ws = tp->rx_opt.rcv_wscale;
                 opts->options |= OPTION_WSCALE;
                 remaining -= TCPOLEN_WSCALE_ALIGNED;
         }
-        if (likely(sysctl_tcp_sack &&
-                   !dst_feature(dst, RTAX_FEATURE_NO_SACK))) {
+        if (likely(sysctl_tcp_sack)) {
                 opts->options |= OPTION_SACK_ADVERTISE;
                 if (unlikely(!(OPTION_TS & opts->options)))
                         remaining -= TCPOLEN_SACKPERM_ALIGNED;
@@ -1799,11 +1801,6 @@ static int tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
 void __tcp_push_pending_frames(struct sock *sk, unsigned int cur_mss,
                                int nonagle)
 {
-        struct sk_buff *skb = tcp_send_head(sk);
-
-        if (!skb)
-                return;
-
         /* If we are closed, the bytes will have to remain here.
          * In time closedown will finish, we empty the write queue and
          * all will be happy.
@@ -2427,7 +2424,8 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
                         &req->rcv_wnd,
                         &req->window_clamp,
                         ireq->wscale_ok,
-                        &rcv_wscale);
+                        &rcv_wscale,
+                        dst_metric(dst, RTAX_INITRWND));
                 ireq->rcv_wscale = rcv_wscale;
         }
 
@@ -2527,9 +2525,7 @@ static void tcp_connect_init(struct sock *sk)
          * See tcp_input.c:tcp_rcv_state_process case TCP_SYN_SENT.
          */
         tp->tcp_header_len = sizeof(struct tcphdr) +
-                (sysctl_tcp_timestamps &&
-                (!dst_feature(dst, RTAX_FEATURE_NO_TSTAMP) ?
-                  TCPOLEN_TSTAMP_ALIGNED : 0));
+                (sysctl_tcp_timestamps ? TCPOLEN_TSTAMP_ALIGNED : 0);
 
 #ifdef CONFIG_TCP_MD5SIG
         if (tp->af_specific->md5_lookup(sk, sk) != NULL)
@@ -2555,9 +2551,9 @@ static void tcp_connect_init(struct sock *sk)
                                   tp->advmss - (tp->rx_opt.ts_recent_stamp ? tp->tcp_header_len - sizeof(struct tcphdr) : 0),
                                   &tp->rcv_wnd,
                                   &tp->window_clamp,
-                                  (sysctl_tcp_window_scaling &&
-                                   !dst_feature(dst, RTAX_FEATURE_NO_WSCALE)),
-                                  &rcv_wscale);
+                                  sysctl_tcp_window_scaling,
+                                  &rcv_wscale,
+                                  dst_metric(dst, RTAX_INITRWND));
 
         tp->rx_opt.rcv_wscale = rcv_wscale;
         tp->rcv_ssthresh = tp->rcv_wnd;
diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
index bb110c5ce1d2..9bc805df95d2 100644
--- a/net/ipv4/tcp_probe.c
+++ b/net/ipv4/tcp_probe.c
@@ -39,9 +39,9 @@ static int port __read_mostly = 0;
 MODULE_PARM_DESC(port, "Port to match (0=all)");
 module_param(port, int, 0);
 
-static int bufsize __read_mostly = 4096;
+static unsigned int bufsize __read_mostly = 4096;
 MODULE_PARM_DESC(bufsize, "Log buffer size in packets (4096)");
-module_param(bufsize, int, 0);
+module_param(bufsize, uint, 0);
 
 static int full __read_mostly;
 MODULE_PARM_DESC(full, "Full log (1=every ack packet received,  0=only cwnd changes)");
@@ -75,12 +75,12 @@ static struct {
 
 static inline int tcp_probe_used(void)
 {
-        return (tcp_probe.head - tcp_probe.tail) % bufsize;
+        return (tcp_probe.head - tcp_probe.tail) & (bufsize - 1);
 }
 
 static inline int tcp_probe_avail(void)
 {
-        return bufsize - tcp_probe_used();
+        return bufsize - tcp_probe_used() - 1;
 }
 
 /*
@@ -116,7 +116,7 @@ static int jtcp_rcv_established(struct sock *sk, struct sk_buff *skb,
                         p->ssthresh = tcp_current_ssthresh(sk);
                         p->srtt = tp->srtt >> 3;
 
-                        tcp_probe.head = (tcp_probe.head + 1) % bufsize;
+                        tcp_probe.head = (tcp_probe.head + 1) & (bufsize - 1);
                 }
                 tcp_probe.lastcwnd = tp->snd_cwnd;
                 spin_unlock(&tcp_probe.lock);
@@ -149,7 +149,7 @@ static int tcpprobe_open(struct inode * inode, struct file * file)
 static int tcpprobe_sprint(char *tbuf, int n)
 {
         const struct tcp_log *p
-                = tcp_probe.log + tcp_probe.tail % bufsize;
+                = tcp_probe.log + tcp_probe.tail;
         struct timespec tv
                 = ktime_to_timespec(ktime_sub(p->tstamp, tcp_probe.start));
 
@@ -192,7 +192,7 @@ static ssize_t tcpprobe_read(struct file *file, char __user *buf,
                 width = tcpprobe_sprint(tbuf, sizeof(tbuf));
 
                 if (cnt + width < len)
-                        tcp_probe.tail = (tcp_probe.tail + 1) % bufsize;
+                        tcp_probe.tail = (tcp_probe.tail + 1) & (bufsize - 1);
 
                 spin_unlock_bh(&tcp_probe.lock);
 
@@ -222,9 +222,10 @@ static __init int tcpprobe_init(void)
         init_waitqueue_head(&tcp_probe.wait);
         spin_lock_init(&tcp_probe.lock);
 
-        if (bufsize < 0)
+        if (bufsize == 0)
                 return -EINVAL;
 
+        bufsize = roundup_pow_of_two(bufsize);
         tcp_probe.log = kcalloc(bufsize, sizeof(struct tcp_log), GFP_KERNEL);
         if (!tcp_probe.log)
                 goto err0;
@@ -236,7 +237,7 @@ static __init int tcpprobe_init(void)
         if (ret)
                 goto err1;
 
-        pr_info("TCP probe registered (port=%d)\n", port);
+        pr_info("TCP probe registered (port=%d) bufsize=%u\n", port, bufsize);
         return 0;
  err1:
         proc_net_remove(&init_net, procname);
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 8816a20c2597..de7d1bf9114f 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -474,6 +474,12 @@ static void tcp_synack_timer(struct sock *sk)
                                    TCP_TIMEOUT_INIT, TCP_RTO_MAX);
 }
 
+void tcp_syn_ack_timeout(struct sock *sk, struct request_sock *req)
+{
+        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPTIMEOUTS);
+}
+EXPORT_SYMBOL(tcp_syn_ack_timeout);
+
 void tcp_set_keepalive(struct sock *sk, int val)
 {
         if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 1f9534846ca9..608a5446d05b 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -216,9 +216,8 @@ int udp_lib_get_port(struct sock *sk, unsigned short snum,
                  * force rand to be an odd multiple of UDP_HTABLE_SIZE
                  */
                 rand = (rand | 1) * (udptable->mask + 1);
-                for (last = first + udptable->mask + 1;
-                     first != last;
-                     first++) {
+                last = first + udptable->mask + 1;
+                do {
                         hslot = udp_hashslot(udptable, net, first);
                         bitmap_zero(bitmap, PORTS_PER_CHAIN);
                         spin_lock_bh(&hslot->lock);
@@ -238,7 +237,7 @@ int udp_lib_get_port(struct sock *sk, unsigned short snum,
                                 snum += rand;
                         } while (snum != first);
                         spin_unlock_bh(&hslot->lock);
-                }
+                } while (++first != last);
                 goto fail;
         } else {
                 hslot = udp_hashslot(udptable, net, snum);
@@ -1118,7 +1117,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
         struct inet_sock *inet = inet_sk(sk);
         struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
         struct sk_buff *skb;
-        unsigned int ulen, copied;
+        unsigned int ulen;
         int peeked;
         int err;
         int is_udplite = IS_UDPLITE(sk);
@@ -1139,10 +1138,9 @@ try_again:
                 goto out;
 
         ulen = skb->len - sizeof(struct udphdr);
-        copied = len;
-        if (copied > ulen)
-                copied = ulen;
-        else if (copied < ulen)
+        if (len > ulen)
+                len = ulen;
+        else if (len < ulen)
                 msg->msg_flags |= MSG_TRUNC;
 
         /*
@@ -1151,14 +1149,14 @@ try_again:
          * coverage checksum (UDP-Lite), do it before the copy.
          */
 
-        if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) {
+        if (len < ulen || UDP_SKB_CB(skb)->partial_cov) {
                 if (udp_lib_checksum_complete(skb))
                         goto csum_copy_err;
         }
 
         if (skb_csum_unnecessary(skb))
                 err = skb_copy_datagram_iovec(skb, sizeof(struct udphdr),
-                                              msg->msg_iov, copied);
+                                              msg->msg_iov, len);
         else {
                 err = skb_copy_and_csum_datagram_iovec(skb,
                                                        sizeof(struct udphdr),
@@ -1187,7 +1185,7 @@ try_again:
         if (inet->cmsg_flags)
                 ip_cmsg_recv(msg, skb);
 
-        err = copied;
+        err = len;
         if (flags & MSG_TRUNC)
                 err = ulen;
 
@@ -2028,12 +2026,12 @@ static struct udp_seq_afinfo udp4_seq_afinfo = {
         },
 };
 
-static int udp4_proc_init_net(struct net *net)
+static int __net_init udp4_proc_init_net(struct net *net)
 {
         return udp_proc_register(net, &udp4_seq_afinfo);
 }
 
-static void udp4_proc_exit_net(struct net *net)
+static void __net_exit udp4_proc_exit_net(struct net *net)
 {
         udp_proc_unregister(net, &udp4_seq_afinfo);
 }
diff --git a/net/ipv4/udplite.c b/net/ipv4/udplite.c
index 66f79513f4a5..6610bf76369f 100644
--- a/net/ipv4/udplite.c
+++ b/net/ipv4/udplite.c
@@ -81,12 +81,12 @@ static struct udp_seq_afinfo udplite4_seq_afinfo = {
         },
 };
 
-static int udplite4_proc_init_net(struct net *net)
+static int __net_init udplite4_proc_init_net(struct net *net)
 {
         return udp_proc_register(net, &udplite4_seq_afinfo);
 }
 
-static void udplite4_proc_exit_net(struct net *net)
+static void __net_exit udplite4_proc_exit_net(struct net *net)
 {
         udp_proc_unregister(net, &udplite4_seq_afinfo);
 }
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 8c08a28d8f83..67107d63c1cd 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -15,7 +15,6 @@
 #include <net/xfrm.h>
 #include <net/ip.h>
 
-static struct dst_ops xfrm4_dst_ops;
 static struct xfrm_policy_afinfo xfrm4_policy_afinfo;
 
 static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos,
@@ -190,8 +189,10 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 
 static inline int xfrm4_garbage_collect(struct dst_ops *ops)
 {
-        xfrm4_policy_afinfo.garbage_collect(&init_net);
-        return (atomic_read(&xfrm4_dst_ops.entries) > xfrm4_dst_ops.gc_thresh*2);
+        struct net *net = container_of(ops, struct net, xfrm.xfrm4_dst_ops);
+
+        xfrm4_policy_afinfo.garbage_collect(net);
+        return (atomic_read(&ops->entries) > ops->gc_thresh * 2);
 }
 
 static void xfrm4_update_pmtu(struct dst_entry *dst, u32 mtu)
@@ -268,7 +269,7 @@ static struct xfrm_policy_afinfo xfrm4_policy_afinfo = {
 static struct ctl_table xfrm4_policy_table[] = {
         {
                 .procname       = "xfrm4_gc_thresh",
-                .data           = &xfrm4_dst_ops.gc_thresh,
+                .data           = &init_net.xfrm.xfrm4_dst_ops.gc_thresh,
                 .maxlen         = sizeof(int),
                 .mode           = 0644,
                 .proc_handler   = proc_dointvec,
@@ -295,8 +296,6 @@ static void __exit xfrm4_policy_fini(void)
 
 void __init xfrm4_init(int rt_max_size)
 {
-        xfrm4_state_init();
-        xfrm4_policy_init();
         /*
          * Select a default value for the gc_thresh based on the main route
          * table hash size.  It seems to me the worst case scenario is when
@@ -308,6 +307,9 @@ void __init xfrm4_init(int rt_max_size)
          * and start cleaning when were 1/2 full
          */
         xfrm4_dst_ops.gc_thresh = rt_max_size/2;
+
+        xfrm4_state_init();
+        xfrm4_policy_init();
 #ifdef CONFIG_SYSCTL
         sysctl_hdr = register_net_sysctl_table(&init_net, net_ipv4_ctl_path,
                                                 xfrm4_policy_table);