aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6
diff options
context:
space:
mode:
Diffstat (limited to 'net/ipv6')
-rw-r--r--net/ipv6/Kconfig1
-rw-r--r--net/ipv6/ah6.c2
-rw-r--r--net/ipv6/esp6.c515
-rw-r--r--net/ipv6/inet6_hashtables.c135
-rw-r--r--net/ipv6/ip6_output.c6
-rw-r--r--net/ipv6/ipcomp6.c7
-rw-r--r--net/ipv6/mip6.c4
-rw-r--r--net/ipv6/netfilter/ip6_queue.c18
-rw-r--r--net/ipv6/netfilter/ip6_tables.c113
-rw-r--r--net/ipv6/netfilter/ip6table_filter.c33
-rw-r--r--net/ipv6/netfilter/ip6table_mangle.c33
-rw-r--r--net/ipv6/netfilter/ip6table_raw.c31
-rw-r--r--net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c7
-rw-r--r--net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c22
-rw-r--r--net/ipv6/netfilter/nf_conntrack_reasm.c16
-rw-r--r--net/ipv6/raw.c5
-rw-r--r--net/ipv6/route.c5
-rw-r--r--net/ipv6/tcp_ipv6.c19
-rw-r--r--net/ipv6/udp.c10
-rw-r--r--net/ipv6/xfrm6_policy.c1
-rw-r--r--net/ipv6/xfrm6_tunnel.c2
21 files changed, 565 insertions, 420 deletions
diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
index eb0b8085949b..3ffb0323668c 100644
--- a/net/ipv6/Kconfig
+++ b/net/ipv6/Kconfig
@@ -85,6 +85,7 @@ config INET6_ESP
85 depends on IPV6 85 depends on IPV6
86 select XFRM 86 select XFRM
87 select CRYPTO 87 select CRYPTO
88 select CRYPTO_AEAD
88 select CRYPTO_HMAC 89 select CRYPTO_HMAC
89 select CRYPTO_MD5 90 select CRYPTO_MD5
90 select CRYPTO_CBC 91 select CRYPTO_CBC
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index fb0d07a15e93..379c8e04c36c 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -515,7 +515,7 @@ static void ah6_destroy(struct xfrm_state *x)
515 kfree(ahp); 515 kfree(ahp);
516} 516}
517 517
518static struct xfrm_type ah6_type = 518static const struct xfrm_type ah6_type =
519{ 519{
520 .description = "AH6", 520 .description = "AH6",
521 .owner = THIS_MODULE, 521 .owner = THIS_MODULE,
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 5bd5292ad9fa..8e0f1428c716 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -24,33 +24,124 @@
24 * This file is derived from net/ipv4/esp.c 24 * This file is derived from net/ipv4/esp.c
25 */ 25 */
26 26
27#include <crypto/aead.h>
28#include <crypto/authenc.h>
27#include <linux/err.h> 29#include <linux/err.h>
28#include <linux/module.h> 30#include <linux/module.h>
29#include <net/ip.h> 31#include <net/ip.h>
30#include <net/xfrm.h> 32#include <net/xfrm.h>
31#include <net/esp.h> 33#include <net/esp.h>
32#include <linux/scatterlist.h> 34#include <linux/scatterlist.h>
33#include <linux/crypto.h>
34#include <linux/kernel.h> 35#include <linux/kernel.h>
35#include <linux/pfkeyv2.h> 36#include <linux/pfkeyv2.h>
36#include <linux/random.h> 37#include <linux/random.h>
38#include <linux/slab.h>
37#include <linux/spinlock.h> 39#include <linux/spinlock.h>
38#include <net/icmp.h> 40#include <net/icmp.h>
39#include <net/ipv6.h> 41#include <net/ipv6.h>
40#include <net/protocol.h> 42#include <net/protocol.h>
41#include <linux/icmpv6.h> 43#include <linux/icmpv6.h>
42 44
45struct esp_skb_cb {
46 struct xfrm_skb_cb xfrm;
47 void *tmp;
48};
49
50#define ESP_SKB_CB(__skb) ((struct esp_skb_cb *)&((__skb)->cb[0]))
51
52/*
53 * Allocate an AEAD request structure with extra space for SG and IV.
54 *
55 * For alignment considerations the IV is placed at the front, followed
56 * by the request and finally the SG list.
57 *
58 * TODO: Use spare space in skb for this where possible.
59 */
60static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags)
61{
62 unsigned int len;
63
64 len = crypto_aead_ivsize(aead);
65 if (len) {
66 len += crypto_aead_alignmask(aead) &
67 ~(crypto_tfm_ctx_alignment() - 1);
68 len = ALIGN(len, crypto_tfm_ctx_alignment());
69 }
70
71 len += sizeof(struct aead_givcrypt_request) + crypto_aead_reqsize(aead);
72 len = ALIGN(len, __alignof__(struct scatterlist));
73
74 len += sizeof(struct scatterlist) * nfrags;
75
76 return kmalloc(len, GFP_ATOMIC);
77}
78
79static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp)
80{
81 return crypto_aead_ivsize(aead) ?
82 PTR_ALIGN((u8 *)tmp, crypto_aead_alignmask(aead) + 1) : tmp;
83}
84
85static inline struct aead_givcrypt_request *esp_tmp_givreq(
86 struct crypto_aead *aead, u8 *iv)
87{
88 struct aead_givcrypt_request *req;
89
90 req = (void *)PTR_ALIGN(iv + crypto_aead_ivsize(aead),
91 crypto_tfm_ctx_alignment());
92 aead_givcrypt_set_tfm(req, aead);
93 return req;
94}
95
96static inline struct aead_request *esp_tmp_req(struct crypto_aead *aead, u8 *iv)
97{
98 struct aead_request *req;
99
100 req = (void *)PTR_ALIGN(iv + crypto_aead_ivsize(aead),
101 crypto_tfm_ctx_alignment());
102 aead_request_set_tfm(req, aead);
103 return req;
104}
105
106static inline struct scatterlist *esp_req_sg(struct crypto_aead *aead,
107 struct aead_request *req)
108{
109 return (void *)ALIGN((unsigned long)(req + 1) +
110 crypto_aead_reqsize(aead),
111 __alignof__(struct scatterlist));
112}
113
114static inline struct scatterlist *esp_givreq_sg(
115 struct crypto_aead *aead, struct aead_givcrypt_request *req)
116{
117 return (void *)ALIGN((unsigned long)(req + 1) +
118 crypto_aead_reqsize(aead),
119 __alignof__(struct scatterlist));
120}
121
122static void esp_output_done(struct crypto_async_request *base, int err)
123{
124 struct sk_buff *skb = base->data;
125
126 kfree(ESP_SKB_CB(skb)->tmp);
127 xfrm_output_resume(skb, err);
128}
129
43static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) 130static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
44{ 131{
45 int err; 132 int err;
46 struct ip_esp_hdr *esph; 133 struct ip_esp_hdr *esph;
47 struct crypto_blkcipher *tfm; 134 struct crypto_aead *aead;
48 struct blkcipher_desc desc; 135 struct aead_givcrypt_request *req;
136 struct scatterlist *sg;
137 struct scatterlist *asg;
49 struct sk_buff *trailer; 138 struct sk_buff *trailer;
139 void *tmp;
50 int blksize; 140 int blksize;
51 int clen; 141 int clen;
52 int alen; 142 int alen;
53 int nfrags; 143 int nfrags;
144 u8 *iv;
54 u8 *tail; 145 u8 *tail;
55 struct esp_data *esp = x->data; 146 struct esp_data *esp = x->data;
56 147
@@ -60,18 +151,26 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
60 /* Round to block size */ 151 /* Round to block size */
61 clen = skb->len; 152 clen = skb->len;
62 153
63 alen = esp->auth.icv_trunc_len; 154 aead = esp->aead;
64 tfm = esp->conf.tfm; 155 alen = crypto_aead_authsize(aead);
65 desc.tfm = tfm; 156
66 desc.flags = 0; 157 blksize = ALIGN(crypto_aead_blocksize(aead), 4);
67 blksize = ALIGN(crypto_blkcipher_blocksize(tfm), 4);
68 clen = ALIGN(clen + 2, blksize); 158 clen = ALIGN(clen + 2, blksize);
69 if (esp->conf.padlen) 159 if (esp->padlen)
70 clen = ALIGN(clen, esp->conf.padlen); 160 clen = ALIGN(clen, esp->padlen);
71 161
72 if ((nfrags = skb_cow_data(skb, clen-skb->len+alen, &trailer)) < 0) { 162 if ((err = skb_cow_data(skb, clen - skb->len + alen, &trailer)) < 0)
73 goto error; 163 goto error;
74 } 164 nfrags = err;
165
166 tmp = esp_alloc_tmp(aead, nfrags + 1);
167 if (!tmp)
168 goto error;
169
170 iv = esp_tmp_iv(aead, tmp);
171 req = esp_tmp_givreq(aead, iv);
172 asg = esp_givreq_sg(aead, req);
173 sg = asg + 1;
75 174
76 /* Fill padding... */ 175 /* Fill padding... */
77 tail = skb_tail_pointer(trailer); 176 tail = skb_tail_pointer(trailer);
@@ -81,86 +180,113 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
81 tail[i] = i + 1; 180 tail[i] = i + 1;
82 } while (0); 181 } while (0);
83 tail[clen-skb->len - 2] = (clen - skb->len) - 2; 182 tail[clen-skb->len - 2] = (clen - skb->len) - 2;
84 pskb_put(skb, trailer, clen - skb->len); 183 tail[clen - skb->len - 1] = *skb_mac_header(skb);
184 pskb_put(skb, trailer, clen - skb->len + alen);
85 185
86 skb_push(skb, -skb_network_offset(skb)); 186 skb_push(skb, -skb_network_offset(skb));
87 esph = ip_esp_hdr(skb); 187 esph = ip_esp_hdr(skb);
88 *(skb_tail_pointer(trailer) - 1) = *skb_mac_header(skb);
89 *skb_mac_header(skb) = IPPROTO_ESP; 188 *skb_mac_header(skb) = IPPROTO_ESP;
90 189
91 esph->spi = x->id.spi; 190 esph->spi = x->id.spi;
92 esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq); 191 esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq);
93 192
94 spin_lock_bh(&x->lock); 193 sg_init_table(sg, nfrags);
194 skb_to_sgvec(skb, sg,
195 esph->enc_data + crypto_aead_ivsize(aead) - skb->data,
196 clen + alen);
197 sg_init_one(asg, esph, sizeof(*esph));
95 198
96 if (esp->conf.ivlen) { 199 aead_givcrypt_set_callback(req, 0, esp_output_done, skb);
97 if (unlikely(!esp->conf.ivinitted)) { 200 aead_givcrypt_set_crypt(req, sg, sg, clen, iv);
98 get_random_bytes(esp->conf.ivec, esp->conf.ivlen); 201 aead_givcrypt_set_assoc(req, asg, sizeof(*esph));
99 esp->conf.ivinitted = 1; 202 aead_givcrypt_set_giv(req, esph->enc_data, XFRM_SKB_CB(skb)->seq);
100 }
101 crypto_blkcipher_set_iv(tfm, esp->conf.ivec, esp->conf.ivlen);
102 }
103 203
104 do { 204 ESP_SKB_CB(skb)->tmp = tmp;
105 struct scatterlist *sg = &esp->sgbuf[0]; 205 err = crypto_aead_givencrypt(req);
206 if (err == -EINPROGRESS)
207 goto error;
106 208
107 if (unlikely(nfrags > ESP_NUM_FAST_SG)) { 209 if (err == -EBUSY)
108 sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); 210 err = NET_XMIT_DROP;
109 if (!sg) 211
110 goto unlock; 212 kfree(tmp);
111 } 213
112 sg_init_table(sg, nfrags); 214error:
113 skb_to_sgvec(skb, sg, 215 return err;
114 esph->enc_data + 216}
115 esp->conf.ivlen - 217
116 skb->data, clen); 218static int esp_input_done2(struct sk_buff *skb, int err)
117 err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); 219{
118 if (unlikely(sg != &esp->sgbuf[0])) 220 struct xfrm_state *x = xfrm_input_state(skb);
119 kfree(sg); 221 struct esp_data *esp = x->data;
120 } while (0); 222 struct crypto_aead *aead = esp->aead;
223 int alen = crypto_aead_authsize(aead);
224 int hlen = sizeof(struct ip_esp_hdr) + crypto_aead_ivsize(aead);
225 int elen = skb->len - hlen;
226 int hdr_len = skb_network_header_len(skb);
227 int padlen;
228 u8 nexthdr[2];
229
230 kfree(ESP_SKB_CB(skb)->tmp);
121 231
122 if (unlikely(err)) 232 if (unlikely(err))
123 goto unlock; 233 goto out;
124 234
125 if (esp->conf.ivlen) { 235 if (skb_copy_bits(skb, skb->len - alen - 2, nexthdr, 2))
126 memcpy(esph->enc_data, esp->conf.ivec, esp->conf.ivlen); 236 BUG();
127 crypto_blkcipher_get_iv(tfm, esp->conf.ivec, esp->conf.ivlen);
128 }
129 237
130 if (esp->auth.icv_full_len) { 238 err = -EINVAL;
131 err = esp_mac_digest(esp, skb, (u8 *)esph - skb->data, 239 padlen = nexthdr[0];
132 sizeof(*esph) + esp->conf.ivlen + clen); 240 if (padlen + 2 + alen >= elen) {
133 memcpy(pskb_put(skb, trailer, alen), esp->auth.work_icv, alen); 241 LIMIT_NETDEBUG(KERN_WARNING "ipsec esp packet is garbage "
242 "padlen=%d, elen=%d\n", padlen + 2, elen - alen);
243 goto out;
134 } 244 }
135 245
136unlock: 246 /* ... check padding bits here. Silly. :-) */
137 spin_unlock_bh(&x->lock);
138 247
139error: 248 pskb_trim(skb, skb->len - alen - padlen - 2);
249 __skb_pull(skb, hlen);
250 skb_set_transport_header(skb, -hdr_len);
251
252 err = nexthdr[1];
253
254 /* RFC4303: Drop dummy packets without any error */
255 if (err == IPPROTO_NONE)
256 err = -EINVAL;
257
258out:
140 return err; 259 return err;
141} 260}
142 261
262static void esp_input_done(struct crypto_async_request *base, int err)
263{
264 struct sk_buff *skb = base->data;
265
266 xfrm_input_resume(skb, esp_input_done2(skb, err));
267}
268
143static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) 269static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
144{ 270{
145 struct ipv6hdr *iph;
146 struct ip_esp_hdr *esph; 271 struct ip_esp_hdr *esph;
147 struct esp_data *esp = x->data; 272 struct esp_data *esp = x->data;
148 struct crypto_blkcipher *tfm = esp->conf.tfm; 273 struct crypto_aead *aead = esp->aead;
149 struct blkcipher_desc desc = { .tfm = tfm }; 274 struct aead_request *req;
150 struct sk_buff *trailer; 275 struct sk_buff *trailer;
151 int blksize = ALIGN(crypto_blkcipher_blocksize(tfm), 4); 276 int elen = skb->len - sizeof(*esph) - crypto_aead_ivsize(aead);
152 int alen = esp->auth.icv_trunc_len;
153 int elen = skb->len - sizeof(*esph) - esp->conf.ivlen - alen;
154 int hdr_len = skb_network_header_len(skb);
155 int nfrags; 277 int nfrags;
156 int ret = 0; 278 int ret = 0;
279 void *tmp;
280 u8 *iv;
281 struct scatterlist *sg;
282 struct scatterlist *asg;
157 283
158 if (!pskb_may_pull(skb, sizeof(*esph))) { 284 if (!pskb_may_pull(skb, sizeof(*esph))) {
159 ret = -EINVAL; 285 ret = -EINVAL;
160 goto out; 286 goto out;
161 } 287 }
162 288
163 if (elen <= 0 || (elen & (blksize-1))) { 289 if (elen <= 0) {
164 ret = -EINVAL; 290 ret = -EINVAL;
165 goto out; 291 goto out;
166 } 292 }
@@ -170,86 +296,38 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
170 goto out; 296 goto out;
171 } 297 }
172 298
173 skb->ip_summed = CHECKSUM_NONE; 299 ret = -ENOMEM;
174 300 tmp = esp_alloc_tmp(aead, nfrags + 1);
175 spin_lock(&x->lock); 301 if (!tmp)
176 302 goto out;
177 /* If integrity check is required, do this. */
178 if (esp->auth.icv_full_len) {
179 u8 sum[alen];
180
181 ret = esp_mac_digest(esp, skb, 0, skb->len - alen);
182 if (ret)
183 goto unlock;
184 303
185 if (skb_copy_bits(skb, skb->len - alen, sum, alen)) 304 ESP_SKB_CB(skb)->tmp = tmp;
186 BUG(); 305 iv = esp_tmp_iv(aead, tmp);
306 req = esp_tmp_req(aead, iv);
307 asg = esp_req_sg(aead, req);
308 sg = asg + 1;
187 309
188 if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { 310 skb->ip_summed = CHECKSUM_NONE;
189 ret = -EBADMSG;
190 goto unlock;
191 }
192 }
193 311
194 esph = (struct ip_esp_hdr *)skb->data; 312 esph = (struct ip_esp_hdr *)skb->data;
195 iph = ipv6_hdr(skb);
196 313
197 /* Get ivec. This can be wrong, check against another impls. */ 314 /* Get ivec. This can be wrong, check against another impls. */
198 if (esp->conf.ivlen) 315 iv = esph->enc_data;
199 crypto_blkcipher_set_iv(tfm, esph->enc_data, esp->conf.ivlen);
200
201 {
202 struct scatterlist *sg = &esp->sgbuf[0];
203
204 if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
205 sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
206 if (!sg) {
207 ret = -ENOMEM;
208 goto unlock;
209 }
210 }
211 sg_init_table(sg, nfrags);
212 skb_to_sgvec(skb, sg,
213 sizeof(*esph) + esp->conf.ivlen,
214 elen);
215 ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen);
216 if (unlikely(sg != &esp->sgbuf[0]))
217 kfree(sg);
218 }
219 316
220unlock: 317 sg_init_table(sg, nfrags);
221 spin_unlock(&x->lock); 318 skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen);
319 sg_init_one(asg, esph, sizeof(*esph));
222 320
223 if (unlikely(ret)) 321 aead_request_set_callback(req, 0, esp_input_done, skb);
224 goto out; 322 aead_request_set_crypt(req, sg, sg, elen, iv);
225 323 aead_request_set_assoc(req, asg, sizeof(*esph));
226 {
227 u8 nexthdr[2];
228 u8 padlen;
229
230 if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2))
231 BUG();
232
233 padlen = nexthdr[0];
234 if (padlen+2 >= elen) {
235 LIMIT_NETDEBUG(KERN_WARNING "ipsec esp packet is garbage padlen=%d, elen=%d\n", padlen+2, elen);
236 ret = -EINVAL;
237 goto out;
238 }
239 /* ... check padding bits here. Silly. :-) */
240 324
241 /* RFC4303: Drop dummy packets without any error */ 325 ret = crypto_aead_decrypt(req);
242 if (nexthdr[1] == IPPROTO_NONE) { 326 if (ret == -EINPROGRESS)
243 ret = -EINVAL; 327 goto out;
244 goto out;
245 }
246 328
247 pskb_trim(skb, skb->len - alen - padlen - 2); 329 ret = esp_input_done2(skb, ret);
248 ret = nexthdr[1];
249 }
250 330
251 __skb_pull(skb, sizeof(*esph) + esp->conf.ivlen);
252 skb_set_transport_header(skb, -hdr_len);
253out: 331out:
254 return ret; 332 return ret;
255} 333}
@@ -257,11 +335,11 @@ out:
257static u32 esp6_get_mtu(struct xfrm_state *x, int mtu) 335static u32 esp6_get_mtu(struct xfrm_state *x, int mtu)
258{ 336{
259 struct esp_data *esp = x->data; 337 struct esp_data *esp = x->data;
260 u32 blksize = ALIGN(crypto_blkcipher_blocksize(esp->conf.tfm), 4); 338 u32 blksize = ALIGN(crypto_aead_blocksize(esp->aead), 4);
261 u32 align = max_t(u32, blksize, esp->conf.padlen); 339 u32 align = max_t(u32, blksize, esp->padlen);
262 u32 rem; 340 u32 rem;
263 341
264 mtu -= x->props.header_len + esp->auth.icv_trunc_len; 342 mtu -= x->props.header_len + crypto_aead_authsize(esp->aead);
265 rem = mtu & (align - 1); 343 rem = mtu & (align - 1);
266 mtu &= ~(align - 1); 344 mtu &= ~(align - 1);
267 345
@@ -300,81 +378,146 @@ static void esp6_destroy(struct xfrm_state *x)
300 if (!esp) 378 if (!esp)
301 return; 379 return;
302 380
303 crypto_free_blkcipher(esp->conf.tfm); 381 crypto_free_aead(esp->aead);
304 esp->conf.tfm = NULL;
305 kfree(esp->conf.ivec);
306 esp->conf.ivec = NULL;
307 crypto_free_hash(esp->auth.tfm);
308 esp->auth.tfm = NULL;
309 kfree(esp->auth.work_icv);
310 esp->auth.work_icv = NULL;
311 kfree(esp); 382 kfree(esp);
312} 383}
313 384
314static int esp6_init_state(struct xfrm_state *x) 385static int esp_init_aead(struct xfrm_state *x)
386{
387 struct esp_data *esp = x->data;
388 struct crypto_aead *aead;
389 int err;
390
391 aead = crypto_alloc_aead(x->aead->alg_name, 0, 0);
392 err = PTR_ERR(aead);
393 if (IS_ERR(aead))
394 goto error;
395
396 esp->aead = aead;
397
398 err = crypto_aead_setkey(aead, x->aead->alg_key,
399 (x->aead->alg_key_len + 7) / 8);
400 if (err)
401 goto error;
402
403 err = crypto_aead_setauthsize(aead, x->aead->alg_icv_len / 8);
404 if (err)
405 goto error;
406
407error:
408 return err;
409}
410
411static int esp_init_authenc(struct xfrm_state *x)
315{ 412{
316 struct esp_data *esp = NULL; 413 struct esp_data *esp = x->data;
317 struct crypto_blkcipher *tfm; 414 struct crypto_aead *aead;
415 struct crypto_authenc_key_param *param;
416 struct rtattr *rta;
417 char *key;
418 char *p;
419 char authenc_name[CRYPTO_MAX_ALG_NAME];
420 unsigned int keylen;
421 int err;
318 422
423 err = -EINVAL;
319 if (x->ealg == NULL) 424 if (x->ealg == NULL)
320 goto error; 425 goto error;
321 426
322 if (x->encap) 427 err = -ENAMETOOLONG;
428 if (snprintf(authenc_name, CRYPTO_MAX_ALG_NAME, "authenc(%s,%s)",
429 x->aalg ? x->aalg->alg_name : "digest_null",
430 x->ealg->alg_name) >= CRYPTO_MAX_ALG_NAME)
323 goto error; 431 goto error;
324 432
325 esp = kzalloc(sizeof(*esp), GFP_KERNEL); 433 aead = crypto_alloc_aead(authenc_name, 0, 0);
326 if (esp == NULL) 434 err = PTR_ERR(aead);
327 return -ENOMEM; 435 if (IS_ERR(aead))
436 goto error;
437
438 esp->aead = aead;
439
440 keylen = (x->aalg ? (x->aalg->alg_key_len + 7) / 8 : 0) +
441 (x->ealg->alg_key_len + 7) / 8 + RTA_SPACE(sizeof(*param));
442 err = -ENOMEM;
443 key = kmalloc(keylen, GFP_KERNEL);
444 if (!key)
445 goto error;
446
447 p = key;
448 rta = (void *)p;
449 rta->rta_type = CRYPTO_AUTHENC_KEYA_PARAM;
450 rta->rta_len = RTA_LENGTH(sizeof(*param));
451 param = RTA_DATA(rta);
452 p += RTA_SPACE(sizeof(*param));
328 453
329 if (x->aalg) { 454 if (x->aalg) {
330 struct xfrm_algo_desc *aalg_desc; 455 struct xfrm_algo_desc *aalg_desc;
331 struct crypto_hash *hash;
332
333 hash = crypto_alloc_hash(x->aalg->alg_name, 0,
334 CRYPTO_ALG_ASYNC);
335 if (IS_ERR(hash))
336 goto error;
337 456
338 esp->auth.tfm = hash; 457 memcpy(p, x->aalg->alg_key, (x->aalg->alg_key_len + 7) / 8);
339 if (crypto_hash_setkey(hash, x->aalg->alg_key, 458 p += (x->aalg->alg_key_len + 7) / 8;
340 (x->aalg->alg_key_len + 7) / 8))
341 goto error;
342 459
343 aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0); 460 aalg_desc = xfrm_aalg_get_byname(x->aalg->alg_name, 0);
344 BUG_ON(!aalg_desc); 461 BUG_ON(!aalg_desc);
345 462
463 err = -EINVAL;
346 if (aalg_desc->uinfo.auth.icv_fullbits/8 != 464 if (aalg_desc->uinfo.auth.icv_fullbits/8 !=
347 crypto_hash_digestsize(hash)) { 465 crypto_aead_authsize(aead)) {
348 NETDEBUG(KERN_INFO "ESP: %s digestsize %u != %hu\n", 466 NETDEBUG(KERN_INFO "ESP: %s digestsize %u != %hu\n",
349 x->aalg->alg_name, 467 x->aalg->alg_name,
350 crypto_hash_digestsize(hash), 468 crypto_aead_authsize(aead),
351 aalg_desc->uinfo.auth.icv_fullbits/8); 469 aalg_desc->uinfo.auth.icv_fullbits/8);
352 goto error; 470 goto free_key;
353 } 471 }
354 472
355 esp->auth.icv_full_len = aalg_desc->uinfo.auth.icv_fullbits/8; 473 err = crypto_aead_setauthsize(
356 esp->auth.icv_trunc_len = aalg_desc->uinfo.auth.icv_truncbits/8; 474 aead, aalg_desc->uinfo.auth.icv_truncbits / 8);
357 475 if (err)
358 esp->auth.work_icv = kmalloc(esp->auth.icv_full_len, GFP_KERNEL); 476 goto free_key;
359 if (!esp->auth.work_icv)
360 goto error;
361 }
362 tfm = crypto_alloc_blkcipher(x->ealg->alg_name, 0, CRYPTO_ALG_ASYNC);
363 if (IS_ERR(tfm))
364 goto error;
365 esp->conf.tfm = tfm;
366 esp->conf.ivlen = crypto_blkcipher_ivsize(tfm);
367 esp->conf.padlen = 0;
368 if (esp->conf.ivlen) {
369 esp->conf.ivec = kmalloc(esp->conf.ivlen, GFP_KERNEL);
370 if (unlikely(esp->conf.ivec == NULL))
371 goto error;
372 esp->conf.ivinitted = 0;
373 } 477 }
374 if (crypto_blkcipher_setkey(tfm, x->ealg->alg_key, 478
375 (x->ealg->alg_key_len + 7) / 8)) 479 param->enckeylen = cpu_to_be32((x->ealg->alg_key_len + 7) / 8);
480 memcpy(p, x->ealg->alg_key, (x->ealg->alg_key_len + 7) / 8);
481
482 err = crypto_aead_setkey(aead, key, keylen);
483
484free_key:
485 kfree(key);
486
487error:
488 return err;
489}
490
491static int esp6_init_state(struct xfrm_state *x)
492{
493 struct esp_data *esp;
494 struct crypto_aead *aead;
495 u32 align;
496 int err;
497
498 if (x->encap)
499 return -EINVAL;
500
501 esp = kzalloc(sizeof(*esp), GFP_KERNEL);
502 if (esp == NULL)
503 return -ENOMEM;
504
505 x->data = esp;
506
507 if (x->aead)
508 err = esp_init_aead(x);
509 else
510 err = esp_init_authenc(x);
511
512 if (err)
376 goto error; 513 goto error;
377 x->props.header_len = sizeof(struct ip_esp_hdr) + esp->conf.ivlen; 514
515 aead = esp->aead;
516
517 esp->padlen = 0;
518
519 x->props.header_len = sizeof(struct ip_esp_hdr) +
520 crypto_aead_ivsize(aead);
378 switch (x->props.mode) { 521 switch (x->props.mode) {
379 case XFRM_MODE_BEET: 522 case XFRM_MODE_BEET:
380 case XFRM_MODE_TRANSPORT: 523 case XFRM_MODE_TRANSPORT:
@@ -385,17 +528,17 @@ static int esp6_init_state(struct xfrm_state *x)
385 default: 528 default:
386 goto error; 529 goto error;
387 } 530 }
388 x->data = esp; 531
389 return 0; 532 align = ALIGN(crypto_aead_blocksize(aead), 4);
533 if (esp->padlen)
534 align = max_t(u32, align, esp->padlen);
535 x->props.trailer_len = align + 1 + crypto_aead_authsize(esp->aead);
390 536
391error: 537error:
392 x->data = esp; 538 return err;
393 esp6_destroy(x);
394 x->data = NULL;
395 return -EINVAL;
396} 539}
397 540
398static struct xfrm_type esp6_type = 541static const struct xfrm_type esp6_type =
399{ 542{
400 .description = "ESP6", 543 .description = "ESP6",
401 .owner = THIS_MODULE, 544 .owner = THIS_MODULE,
diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
index a66a7d8e2811..d325a9958909 100644
--- a/net/ipv6/inet6_hashtables.c
+++ b/net/ipv6/inet6_hashtables.c
@@ -54,7 +54,8 @@ EXPORT_SYMBOL(__inet6_hash);
54 * 54 *
55 * The sockhash lock must be held as a reader here. 55 * The sockhash lock must be held as a reader here.
56 */ 56 */
57struct sock *__inet6_lookup_established(struct inet_hashinfo *hashinfo, 57struct sock *__inet6_lookup_established(struct net *net,
58 struct inet_hashinfo *hashinfo,
58 const struct in6_addr *saddr, 59 const struct in6_addr *saddr,
59 const __be16 sport, 60 const __be16 sport,
60 const struct in6_addr *daddr, 61 const struct in6_addr *daddr,
@@ -75,22 +76,13 @@ struct sock *__inet6_lookup_established(struct inet_hashinfo *hashinfo,
75 read_lock(lock); 76 read_lock(lock);
76 sk_for_each(sk, node, &head->chain) { 77 sk_for_each(sk, node, &head->chain) {
77 /* For IPV6 do the cheaper port and family tests first. */ 78 /* For IPV6 do the cheaper port and family tests first. */
78 if (INET6_MATCH(sk, hash, saddr, daddr, ports, dif)) 79 if (INET6_MATCH(sk, net, hash, saddr, daddr, ports, dif))
79 goto hit; /* You sunk my battleship! */ 80 goto hit; /* You sunk my battleship! */
80 } 81 }
81 /* Must check for a TIME_WAIT'er before going to listener hash. */ 82 /* Must check for a TIME_WAIT'er before going to listener hash. */
82 sk_for_each(sk, node, &head->twchain) { 83 sk_for_each(sk, node, &head->twchain) {
83 const struct inet_timewait_sock *tw = inet_twsk(sk); 84 if (INET6_TW_MATCH(sk, net, hash, saddr, daddr, ports, dif))
84 85 goto hit;
85 if(*((__portpair *)&(tw->tw_dport)) == ports &&
86 sk->sk_family == PF_INET6) {
87 const struct inet6_timewait_sock *tw6 = inet6_twsk(sk);
88
89 if (ipv6_addr_equal(&tw6->tw_v6_daddr, saddr) &&
90 ipv6_addr_equal(&tw6->tw_v6_rcv_saddr, daddr) &&
91 (!sk->sk_bound_dev_if || sk->sk_bound_dev_if == dif))
92 goto hit;
93 }
94 } 86 }
95 read_unlock(lock); 87 read_unlock(lock);
96 return NULL; 88 return NULL;
@@ -102,9 +94,9 @@ hit:
102} 94}
103EXPORT_SYMBOL(__inet6_lookup_established); 95EXPORT_SYMBOL(__inet6_lookup_established);
104 96
105struct sock *inet6_lookup_listener(struct inet_hashinfo *hashinfo, 97struct sock *inet6_lookup_listener(struct net *net,
106 const struct in6_addr *daddr, 98 struct inet_hashinfo *hashinfo, const struct in6_addr *daddr,
107 const unsigned short hnum, const int dif) 99 const unsigned short hnum, const int dif)
108{ 100{
109 struct sock *sk; 101 struct sock *sk;
110 const struct hlist_node *node; 102 const struct hlist_node *node;
@@ -113,7 +105,8 @@ struct sock *inet6_lookup_listener(struct inet_hashinfo *hashinfo,
113 105
114 read_lock(&hashinfo->lhash_lock); 106 read_lock(&hashinfo->lhash_lock);
115 sk_for_each(sk, node, &hashinfo->listening_hash[inet_lhashfn(hnum)]) { 107 sk_for_each(sk, node, &hashinfo->listening_hash[inet_lhashfn(hnum)]) {
116 if (inet_sk(sk)->num == hnum && sk->sk_family == PF_INET6) { 108 if (sk->sk_net == net && inet_sk(sk)->num == hnum &&
109 sk->sk_family == PF_INET6) {
117 const struct ipv6_pinfo *np = inet6_sk(sk); 110 const struct ipv6_pinfo *np = inet6_sk(sk);
118 111
119 score = 1; 112 score = 1;
@@ -145,7 +138,7 @@ struct sock *inet6_lookup_listener(struct inet_hashinfo *hashinfo,
145 138
146EXPORT_SYMBOL_GPL(inet6_lookup_listener); 139EXPORT_SYMBOL_GPL(inet6_lookup_listener);
147 140
148struct sock *inet6_lookup(struct inet_hashinfo *hashinfo, 141struct sock *inet6_lookup(struct net *net, struct inet_hashinfo *hashinfo,
149 const struct in6_addr *saddr, const __be16 sport, 142 const struct in6_addr *saddr, const __be16 sport,
150 const struct in6_addr *daddr, const __be16 dport, 143 const struct in6_addr *daddr, const __be16 dport,
151 const int dif) 144 const int dif)
@@ -153,7 +146,7 @@ struct sock *inet6_lookup(struct inet_hashinfo *hashinfo,
153 struct sock *sk; 146 struct sock *sk;
154 147
155 local_bh_disable(); 148 local_bh_disable();
156 sk = __inet6_lookup(hashinfo, saddr, sport, daddr, ntohs(dport), dif); 149 sk = __inet6_lookup(net, hashinfo, saddr, sport, daddr, ntohs(dport), dif);
157 local_bh_enable(); 150 local_bh_enable();
158 151
159 return sk; 152 return sk;
@@ -179,21 +172,16 @@ static int __inet6_check_established(struct inet_timewait_death_row *death_row,
179 struct sock *sk2; 172 struct sock *sk2;
180 const struct hlist_node *node; 173 const struct hlist_node *node;
181 struct inet_timewait_sock *tw; 174 struct inet_timewait_sock *tw;
175 struct net *net = sk->sk_net;
182 176
183 prefetch(head->chain.first); 177 prefetch(head->chain.first);
184 write_lock(lock); 178 write_lock(lock);
185 179
186 /* Check TIME-WAIT sockets first. */ 180 /* Check TIME-WAIT sockets first. */
187 sk_for_each(sk2, node, &head->twchain) { 181 sk_for_each(sk2, node, &head->twchain) {
188 const struct inet6_timewait_sock *tw6 = inet6_twsk(sk2);
189
190 tw = inet_twsk(sk2); 182 tw = inet_twsk(sk2);
191 183
192 if(*((__portpair *)&(tw->tw_dport)) == ports && 184 if (INET6_TW_MATCH(sk2, net, hash, saddr, daddr, ports, dif)) {
193 sk2->sk_family == PF_INET6 &&
194 ipv6_addr_equal(&tw6->tw_v6_daddr, saddr) &&
195 ipv6_addr_equal(&tw6->tw_v6_rcv_saddr, daddr) &&
196 (!sk2->sk_bound_dev_if || sk2->sk_bound_dev_if == dif)) {
197 if (twsk_unique(sk, sk2, twp)) 185 if (twsk_unique(sk, sk2, twp))
198 goto unique; 186 goto unique;
199 else 187 else
@@ -204,7 +192,7 @@ static int __inet6_check_established(struct inet_timewait_death_row *death_row,
204 192
205 /* And established part... */ 193 /* And established part... */
206 sk_for_each(sk2, node, &head->chain) { 194 sk_for_each(sk2, node, &head->chain) {
207 if (INET6_MATCH(sk2, hash, saddr, daddr, ports, dif)) 195 if (INET6_MATCH(sk2, net, hash, saddr, daddr, ports, dif))
208 goto not_unique; 196 goto not_unique;
209 } 197 }
210 198
@@ -248,97 +236,8 @@ static inline u32 inet6_sk_port_offset(const struct sock *sk)
248int inet6_hash_connect(struct inet_timewait_death_row *death_row, 236int inet6_hash_connect(struct inet_timewait_death_row *death_row,
249 struct sock *sk) 237 struct sock *sk)
250{ 238{
251 struct inet_hashinfo *hinfo = death_row->hashinfo; 239 return __inet_hash_connect(death_row, sk,
252 const unsigned short snum = inet_sk(sk)->num; 240 __inet6_check_established, __inet6_hash);
253 struct inet_bind_hashbucket *head;
254 struct inet_bind_bucket *tb;
255 int ret;
256
257 if (snum == 0) {
258 int i, port, low, high, remaining;
259 static u32 hint;
260 const u32 offset = hint + inet6_sk_port_offset(sk);
261 struct hlist_node *node;
262 struct inet_timewait_sock *tw = NULL;
263
264 inet_get_local_port_range(&low, &high);
265 remaining = (high - low) + 1;
266
267 local_bh_disable();
268 for (i = 1; i <= remaining; i++) {
269 port = low + (i + offset) % remaining;
270 head = &hinfo->bhash[inet_bhashfn(port, hinfo->bhash_size)];
271 spin_lock(&head->lock);
272
273 /* Does not bother with rcv_saddr checks,
274 * because the established check is already
275 * unique enough.
276 */
277 inet_bind_bucket_for_each(tb, node, &head->chain) {
278 if (tb->port == port) {
279 BUG_TRAP(!hlist_empty(&tb->owners));
280 if (tb->fastreuse >= 0)
281 goto next_port;
282 if (!__inet6_check_established(death_row,
283 sk, port,
284 &tw))
285 goto ok;
286 goto next_port;
287 }
288 }
289
290 tb = inet_bind_bucket_create(hinfo->bind_bucket_cachep,
291 head, port);
292 if (!tb) {
293 spin_unlock(&head->lock);
294 break;
295 }
296 tb->fastreuse = -1;
297 goto ok;
298
299 next_port:
300 spin_unlock(&head->lock);
301 }
302 local_bh_enable();
303
304 return -EADDRNOTAVAIL;
305
306ok:
307 hint += i;
308
309 /* Head lock still held and bh's disabled */
310 inet_bind_hash(sk, tb, port);
311 if (sk_unhashed(sk)) {
312 inet_sk(sk)->sport = htons(port);
313 __inet6_hash(hinfo, sk);
314 }
315 spin_unlock(&head->lock);
316
317 if (tw) {
318 inet_twsk_deschedule(tw, death_row);
319 inet_twsk_put(tw);
320 }
321
322 ret = 0;
323 goto out;
324 }
325
326 head = &hinfo->bhash[inet_bhashfn(snum, hinfo->bhash_size)];
327 tb = inet_csk(sk)->icsk_bind_hash;
328 spin_lock_bh(&head->lock);
329
330 if (sk_head(&tb->owners) == sk && sk->sk_bind_node.next == NULL) {
331 __inet6_hash(hinfo, sk);
332 spin_unlock_bh(&head->lock);
333 return 0;
334 } else {
335 spin_unlock(&head->lock);
336 /* No definite answer... Walk to established hash table */
337 ret = __inet6_check_established(death_row, sk, snum, NULL);
338out:
339 local_bh_enable();
340 return ret;
341 }
342} 241}
343 242
344EXPORT_SYMBOL_GPL(inet6_hash_connect); 243EXPORT_SYMBOL_GPL(inet6_hash_connect);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 15c4f6cee3e6..9ac6ca2521c3 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -257,6 +257,7 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
257 ipv6_addr_copy(&hdr->daddr, first_hop); 257 ipv6_addr_copy(&hdr->daddr, first_hop);
258 258
259 skb->priority = sk->sk_priority; 259 skb->priority = sk->sk_priority;
260 skb->mark = sk->sk_mark;
260 261
261 mtu = dst_mtu(dst); 262 mtu = dst_mtu(dst);
262 if ((skb->len <= mtu) || ipfragok || skb_is_gso(skb)) { 263 if ((skb->len <= mtu) || ipfragok || skb_is_gso(skb)) {
@@ -636,6 +637,7 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
636 637
637 if (skb_shinfo(skb)->frag_list) { 638 if (skb_shinfo(skb)->frag_list) {
638 int first_len = skb_pagelen(skb); 639 int first_len = skb_pagelen(skb);
640 int truesizes = 0;
639 641
640 if (first_len - hlen > mtu || 642 if (first_len - hlen > mtu ||
641 ((first_len - hlen) & 7) || 643 ((first_len - hlen) & 7) ||
@@ -658,7 +660,7 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
658 sock_hold(skb->sk); 660 sock_hold(skb->sk);
659 frag->sk = skb->sk; 661 frag->sk = skb->sk;
660 frag->destructor = sock_wfree; 662 frag->destructor = sock_wfree;
661 skb->truesize -= frag->truesize; 663 truesizes += frag->truesize;
662 } 664 }
663 } 665 }
664 666
@@ -689,6 +691,7 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
689 691
690 first_len = skb_pagelen(skb); 692 first_len = skb_pagelen(skb);
691 skb->data_len = first_len - skb_headlen(skb); 693 skb->data_len = first_len - skb_headlen(skb);
694 skb->truesize -= truesizes;
692 skb->len = first_len; 695 skb->len = first_len;
693 ipv6_hdr(skb)->payload_len = htons(first_len - 696 ipv6_hdr(skb)->payload_len = htons(first_len -
694 sizeof(struct ipv6hdr)); 697 sizeof(struct ipv6hdr));
@@ -1437,6 +1440,7 @@ int ip6_push_pending_frames(struct sock *sk)
1437 ipv6_addr_copy(&hdr->daddr, final_dst); 1440 ipv6_addr_copy(&hdr->daddr, final_dst);
1438 1441
1439 skb->priority = sk->sk_priority; 1442 skb->priority = sk->sk_priority;
1443 skb->mark = sk->sk_mark;
1440 1444
1441 skb->dst = dst_clone(&rt->u.dst); 1445 skb->dst = dst_clone(&rt->u.dst);
1442 IP6_INC_STATS(rt->rt6i_idev, IPSTATS_MIB_OUTREQUESTS); 1446 IP6_INC_STATS(rt->rt6i_idev, IPSTATS_MIB_OUTREQUESTS);
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index b276d04d6db5..b90039593a7f 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -64,6 +64,7 @@ static LIST_HEAD(ipcomp6_tfms_list);
64 64
65static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb) 65static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
66{ 66{
67 int nexthdr;
67 int err = -ENOMEM; 68 int err = -ENOMEM;
68 struct ip_comp_hdr *ipch; 69 struct ip_comp_hdr *ipch;
69 int plen, dlen; 70 int plen, dlen;
@@ -79,6 +80,8 @@ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
79 80
80 /* Remove ipcomp header and decompress original payload */ 81 /* Remove ipcomp header and decompress original payload */
81 ipch = (void *)skb->data; 82 ipch = (void *)skb->data;
83 nexthdr = ipch->nexthdr;
84
82 skb->transport_header = skb->network_header + sizeof(*ipch); 85 skb->transport_header = skb->network_header + sizeof(*ipch);
83 __skb_pull(skb, sizeof(*ipch)); 86 __skb_pull(skb, sizeof(*ipch));
84 87
@@ -108,7 +111,7 @@ static int ipcomp6_input(struct xfrm_state *x, struct sk_buff *skb)
108 skb->truesize += dlen - plen; 111 skb->truesize += dlen - plen;
109 __skb_put(skb, dlen - plen); 112 __skb_put(skb, dlen - plen);
110 skb_copy_to_linear_data(skb, scratch, dlen); 113 skb_copy_to_linear_data(skb, scratch, dlen);
111 err = ipch->nexthdr; 114 err = nexthdr;
112 115
113out_put_cpu: 116out_put_cpu:
114 put_cpu(); 117 put_cpu();
@@ -450,7 +453,7 @@ error:
450 goto out; 453 goto out;
451} 454}
452 455
453static struct xfrm_type ipcomp6_type = 456static const struct xfrm_type ipcomp6_type =
454{ 457{
455 .description = "IPCOMP6", 458 .description = "IPCOMP6",
456 .owner = THIS_MODULE, 459 .owner = THIS_MODULE,
diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
index 49d396620eac..cd8a5bda13cd 100644
--- a/net/ipv6/mip6.c
+++ b/net/ipv6/mip6.c
@@ -330,7 +330,7 @@ static void mip6_destopt_destroy(struct xfrm_state *x)
330{ 330{
331} 331}
332 332
333static struct xfrm_type mip6_destopt_type = 333static const struct xfrm_type mip6_destopt_type =
334{ 334{
335 .description = "MIP6DESTOPT", 335 .description = "MIP6DESTOPT",
336 .owner = THIS_MODULE, 336 .owner = THIS_MODULE,
@@ -462,7 +462,7 @@ static void mip6_rthdr_destroy(struct xfrm_state *x)
462{ 462{
463} 463}
464 464
465static struct xfrm_type mip6_rthdr_type = 465static const struct xfrm_type mip6_rthdr_type =
466{ 466{
467 .description = "MIP6RT", 467 .description = "MIP6RT",
468 .owner = THIS_MODULE, 468 .owner = THIS_MODULE,
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 56b4ea6d29ed..e869916b05f1 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -515,6 +515,7 @@ static struct notifier_block ipq_nl_notifier = {
515 .notifier_call = ipq_rcv_nl_event, 515 .notifier_call = ipq_rcv_nl_event,
516}; 516};
517 517
518#ifdef CONFIG_SYSCTL
518static struct ctl_table_header *ipq_sysctl_header; 519static struct ctl_table_header *ipq_sysctl_header;
519 520
520static ctl_table ipq_table[] = { 521static ctl_table ipq_table[] = {
@@ -528,7 +529,9 @@ static ctl_table ipq_table[] = {
528 }, 529 },
529 { .ctl_name = 0 } 530 { .ctl_name = 0 }
530}; 531};
532#endif
531 533
534#ifdef CONFIG_PROC_FS
532static int ip6_queue_show(struct seq_file *m, void *v) 535static int ip6_queue_show(struct seq_file *m, void *v)
533{ 536{
534 read_lock_bh(&queue_lock); 537 read_lock_bh(&queue_lock);
@@ -565,6 +568,7 @@ static const struct file_operations ip6_queue_proc_fops = {
565 .release = single_release, 568 .release = single_release,
566 .owner = THIS_MODULE, 569 .owner = THIS_MODULE,
567}; 570};
571#endif
568 572
569static const struct nf_queue_handler nfqh = { 573static const struct nf_queue_handler nfqh = {
570 .name = "ip6_queue", 574 .name = "ip6_queue",
@@ -574,7 +578,7 @@ static const struct nf_queue_handler nfqh = {
574static int __init ip6_queue_init(void) 578static int __init ip6_queue_init(void)
575{ 579{
576 int status = -ENOMEM; 580 int status = -ENOMEM;
577 struct proc_dir_entry *proc; 581 struct proc_dir_entry *proc __maybe_unused;
578 582
579 netlink_register_notifier(&ipq_nl_notifier); 583 netlink_register_notifier(&ipq_nl_notifier);
580 ipqnl = netlink_kernel_create(&init_net, NETLINK_IP6_FW, 0, 584 ipqnl = netlink_kernel_create(&init_net, NETLINK_IP6_FW, 0,
@@ -584,6 +588,7 @@ static int __init ip6_queue_init(void)
584 goto cleanup_netlink_notifier; 588 goto cleanup_netlink_notifier;
585 } 589 }
586 590
591#ifdef CONFIG_PROC_FS
587 proc = create_proc_entry(IPQ_PROC_FS_NAME, 0, init_net.proc_net); 592 proc = create_proc_entry(IPQ_PROC_FS_NAME, 0, init_net.proc_net);
588 if (proc) { 593 if (proc) {
589 proc->owner = THIS_MODULE; 594 proc->owner = THIS_MODULE;
@@ -592,10 +597,11 @@ static int __init ip6_queue_init(void)
592 printk(KERN_ERR "ip6_queue: failed to create proc entry\n"); 597 printk(KERN_ERR "ip6_queue: failed to create proc entry\n");
593 goto cleanup_ipqnl; 598 goto cleanup_ipqnl;
594 } 599 }
595 600#endif
596 register_netdevice_notifier(&ipq_dev_notifier); 601 register_netdevice_notifier(&ipq_dev_notifier);
602#ifdef CONFIG_SYSCTL
597 ipq_sysctl_header = register_sysctl_paths(net_ipv6_ctl_path, ipq_table); 603 ipq_sysctl_header = register_sysctl_paths(net_ipv6_ctl_path, ipq_table);
598 604#endif
599 status = nf_register_queue_handler(PF_INET6, &nfqh); 605 status = nf_register_queue_handler(PF_INET6, &nfqh);
600 if (status < 0) { 606 if (status < 0) {
601 printk(KERN_ERR "ip6_queue: failed to register queue handler\n"); 607 printk(KERN_ERR "ip6_queue: failed to register queue handler\n");
@@ -604,11 +610,13 @@ static int __init ip6_queue_init(void)
604 return status; 610 return status;
605 611
606cleanup_sysctl: 612cleanup_sysctl:
613#ifdef CONFIG_SYSCTL
607 unregister_sysctl_table(ipq_sysctl_header); 614 unregister_sysctl_table(ipq_sysctl_header);
615#endif
608 unregister_netdevice_notifier(&ipq_dev_notifier); 616 unregister_netdevice_notifier(&ipq_dev_notifier);
609 proc_net_remove(&init_net, IPQ_PROC_FS_NAME); 617 proc_net_remove(&init_net, IPQ_PROC_FS_NAME);
610 618
611cleanup_ipqnl: 619cleanup_ipqnl: __maybe_unused
612 netlink_kernel_release(ipqnl); 620 netlink_kernel_release(ipqnl);
613 mutex_lock(&ipqnl_mutex); 621 mutex_lock(&ipqnl_mutex);
614 mutex_unlock(&ipqnl_mutex); 622 mutex_unlock(&ipqnl_mutex);
@@ -624,7 +632,9 @@ static void __exit ip6_queue_fini(void)
624 synchronize_net(); 632 synchronize_net();
625 ipq_flush(NULL, 0); 633 ipq_flush(NULL, 0);
626 634
635#ifdef CONFIG_SYSCTL
627 unregister_sysctl_table(ipq_sysctl_header); 636 unregister_sysctl_table(ipq_sysctl_header);
637#endif
628 unregister_netdevice_notifier(&ipq_dev_notifier); 638 unregister_netdevice_notifier(&ipq_dev_notifier);
629 proc_net_remove(&init_net, IPQ_PROC_FS_NAME); 639 proc_net_remove(&init_net, IPQ_PROC_FS_NAME);
630 640
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index dd7860fea61f..bf9bb6e55bb5 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -320,7 +320,7 @@ static void trace_packet(struct sk_buff *skb,
320 unsigned int hook, 320 unsigned int hook,
321 const struct net_device *in, 321 const struct net_device *in,
322 const struct net_device *out, 322 const struct net_device *out,
323 char *tablename, 323 const char *tablename,
324 struct xt_table_info *private, 324 struct xt_table_info *private,
325 struct ip6t_entry *e) 325 struct ip6t_entry *e)
326{ 326{
@@ -1118,7 +1118,7 @@ static int compat_table_info(const struct xt_table_info *info,
1118} 1118}
1119#endif 1119#endif
1120 1120
1121static int get_info(void __user *user, int *len, int compat) 1121static int get_info(struct net *net, void __user *user, int *len, int compat)
1122{ 1122{
1123 char name[IP6T_TABLE_MAXNAMELEN]; 1123 char name[IP6T_TABLE_MAXNAMELEN];
1124 struct xt_table *t; 1124 struct xt_table *t;
@@ -1138,7 +1138,7 @@ static int get_info(void __user *user, int *len, int compat)
1138 if (compat) 1138 if (compat)
1139 xt_compat_lock(AF_INET6); 1139 xt_compat_lock(AF_INET6);
1140#endif 1140#endif
1141 t = try_then_request_module(xt_find_table_lock(AF_INET6, name), 1141 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1142 "ip6table_%s", name); 1142 "ip6table_%s", name);
1143 if (t && !IS_ERR(t)) { 1143 if (t && !IS_ERR(t)) {
1144 struct ip6t_getinfo info; 1144 struct ip6t_getinfo info;
@@ -1178,7 +1178,7 @@ static int get_info(void __user *user, int *len, int compat)
1178} 1178}
1179 1179
1180static int 1180static int
1181get_entries(struct ip6t_get_entries __user *uptr, int *len) 1181get_entries(struct net *net, struct ip6t_get_entries __user *uptr, int *len)
1182{ 1182{
1183 int ret; 1183 int ret;
1184 struct ip6t_get_entries get; 1184 struct ip6t_get_entries get;
@@ -1196,7 +1196,7 @@ get_entries(struct ip6t_get_entries __user *uptr, int *len)
1196 return -EINVAL; 1196 return -EINVAL;
1197 } 1197 }
1198 1198
1199 t = xt_find_table_lock(AF_INET6, get.name); 1199 t = xt_find_table_lock(net, AF_INET6, get.name);
1200 if (t && !IS_ERR(t)) { 1200 if (t && !IS_ERR(t)) {
1201 struct xt_table_info *private = t->private; 1201 struct xt_table_info *private = t->private;
1202 duprintf("t->private->number = %u\n", private->number); 1202 duprintf("t->private->number = %u\n", private->number);
@@ -1217,7 +1217,7 @@ get_entries(struct ip6t_get_entries __user *uptr, int *len)
1217} 1217}
1218 1218
1219static int 1219static int
1220__do_replace(const char *name, unsigned int valid_hooks, 1220__do_replace(struct net *net, const char *name, unsigned int valid_hooks,
1221 struct xt_table_info *newinfo, unsigned int num_counters, 1221 struct xt_table_info *newinfo, unsigned int num_counters,
1222 void __user *counters_ptr) 1222 void __user *counters_ptr)
1223{ 1223{
@@ -1235,7 +1235,7 @@ __do_replace(const char *name, unsigned int valid_hooks,
1235 goto out; 1235 goto out;
1236 } 1236 }
1237 1237
1238 t = try_then_request_module(xt_find_table_lock(AF_INET6, name), 1238 t = try_then_request_module(xt_find_table_lock(net, AF_INET6, name),
1239 "ip6table_%s", name); 1239 "ip6table_%s", name);
1240 if (!t || IS_ERR(t)) { 1240 if (!t || IS_ERR(t)) {
1241 ret = t ? PTR_ERR(t) : -ENOENT; 1241 ret = t ? PTR_ERR(t) : -ENOENT;
@@ -1288,7 +1288,7 @@ __do_replace(const char *name, unsigned int valid_hooks,
1288} 1288}
1289 1289
1290static int 1290static int
1291do_replace(void __user *user, unsigned int len) 1291do_replace(struct net *net, void __user *user, unsigned int len)
1292{ 1292{
1293 int ret; 1293 int ret;
1294 struct ip6t_replace tmp; 1294 struct ip6t_replace tmp;
@@ -1322,7 +1322,7 @@ do_replace(void __user *user, unsigned int len)
1322 1322
1323 duprintf("ip_tables: Translated table\n"); 1323 duprintf("ip_tables: Translated table\n");
1324 1324
1325 ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo, 1325 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1326 tmp.num_counters, tmp.counters); 1326 tmp.num_counters, tmp.counters);
1327 if (ret) 1327 if (ret)
1328 goto free_newinfo_untrans; 1328 goto free_newinfo_untrans;
@@ -1358,7 +1358,8 @@ add_counter_to_entry(struct ip6t_entry *e,
1358} 1358}
1359 1359
1360static int 1360static int
1361do_add_counters(void __user *user, unsigned int len, int compat) 1361do_add_counters(struct net *net, void __user *user, unsigned int len,
1362 int compat)
1362{ 1363{
1363 unsigned int i; 1364 unsigned int i;
1364 struct xt_counters_info tmp; 1365 struct xt_counters_info tmp;
@@ -1410,7 +1411,7 @@ do_add_counters(void __user *user, unsigned int len, int compat)
1410 goto free; 1411 goto free;
1411 } 1412 }
1412 1413
1413 t = xt_find_table_lock(AF_INET6, name); 1414 t = xt_find_table_lock(net, AF_INET6, name);
1414 if (!t || IS_ERR(t)) { 1415 if (!t || IS_ERR(t)) {
1415 ret = t ? PTR_ERR(t) : -ENOENT; 1416 ret = t ? PTR_ERR(t) : -ENOENT;
1416 goto free; 1417 goto free;
@@ -1456,7 +1457,7 @@ struct compat_ip6t_replace {
1456 1457
1457static int 1458static int
1458compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr, 1459compat_copy_entry_to_user(struct ip6t_entry *e, void __user **dstptr,
1459 compat_uint_t *size, struct xt_counters *counters, 1460 unsigned int *size, struct xt_counters *counters,
1460 unsigned int *i) 1461 unsigned int *i)
1461{ 1462{
1462 struct ip6t_entry_target *t; 1463 struct ip6t_entry_target *t;
@@ -1503,7 +1504,7 @@ compat_find_calc_match(struct ip6t_entry_match *m,
1503 const char *name, 1504 const char *name,
1504 const struct ip6t_ip6 *ipv6, 1505 const struct ip6t_ip6 *ipv6,
1505 unsigned int hookmask, 1506 unsigned int hookmask,
1506 int *size, int *i) 1507 int *size, unsigned int *i)
1507{ 1508{
1508 struct xt_match *match; 1509 struct xt_match *match;
1509 1510
@@ -1561,7 +1562,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
1561 struct ip6t_entry_target *t; 1562 struct ip6t_entry_target *t;
1562 struct xt_target *target; 1563 struct xt_target *target;
1563 unsigned int entry_offset; 1564 unsigned int entry_offset;
1564 int ret, off, h, j; 1565 unsigned int j;
1566 int ret, off, h;
1565 1567
1566 duprintf("check_compat_entry_size_and_hooks %p\n", e); 1568 duprintf("check_compat_entry_size_and_hooks %p\n", e);
1567 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 1569 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0
@@ -1673,7 +1675,8 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
1673static int compat_check_entry(struct ip6t_entry *e, const char *name, 1675static int compat_check_entry(struct ip6t_entry *e, const char *name,
1674 unsigned int *i) 1676 unsigned int *i)
1675{ 1677{
1676 int j, ret; 1678 unsigned int j;
1679 int ret;
1677 1680
1678 j = 0; 1681 j = 0;
1679 ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6, 1682 ret = IP6T_MATCH_ITERATE(e, check_match, name, &e->ipv6,
@@ -1815,7 +1818,7 @@ out_unlock:
1815} 1818}
1816 1819
1817static int 1820static int
1818compat_do_replace(void __user *user, unsigned int len) 1821compat_do_replace(struct net *net, void __user *user, unsigned int len)
1819{ 1822{
1820 int ret; 1823 int ret;
1821 struct compat_ip6t_replace tmp; 1824 struct compat_ip6t_replace tmp;
@@ -1852,7 +1855,7 @@ compat_do_replace(void __user *user, unsigned int len)
1852 1855
1853 duprintf("compat_do_replace: Translated table\n"); 1856 duprintf("compat_do_replace: Translated table\n");
1854 1857
1855 ret = __do_replace(tmp.name, tmp.valid_hooks, newinfo, 1858 ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1856 tmp.num_counters, compat_ptr(tmp.counters)); 1859 tmp.num_counters, compat_ptr(tmp.counters));
1857 if (ret) 1860 if (ret)
1858 goto free_newinfo_untrans; 1861 goto free_newinfo_untrans;
@@ -1876,11 +1879,11 @@ compat_do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user,
1876 1879
1877 switch (cmd) { 1880 switch (cmd) {
1878 case IP6T_SO_SET_REPLACE: 1881 case IP6T_SO_SET_REPLACE:
1879 ret = compat_do_replace(user, len); 1882 ret = compat_do_replace(sk->sk_net, user, len);
1880 break; 1883 break;
1881 1884
1882 case IP6T_SO_SET_ADD_COUNTERS: 1885 case IP6T_SO_SET_ADD_COUNTERS:
1883 ret = do_add_counters(user, len, 1); 1886 ret = do_add_counters(sk->sk_net, user, len, 1);
1884 break; 1887 break;
1885 1888
1886 default: 1889 default:
@@ -1929,7 +1932,8 @@ compat_copy_entries_to_user(unsigned int total_size, struct xt_table *table,
1929} 1932}
1930 1933
1931static int 1934static int
1932compat_get_entries(struct compat_ip6t_get_entries __user *uptr, int *len) 1935compat_get_entries(struct net *net, struct compat_ip6t_get_entries __user *uptr,
1936 int *len)
1933{ 1937{
1934 int ret; 1938 int ret;
1935 struct compat_ip6t_get_entries get; 1939 struct compat_ip6t_get_entries get;
@@ -1950,7 +1954,7 @@ compat_get_entries(struct compat_ip6t_get_entries __user *uptr, int *len)
1950 } 1954 }
1951 1955
1952 xt_compat_lock(AF_INET6); 1956 xt_compat_lock(AF_INET6);
1953 t = xt_find_table_lock(AF_INET6, get.name); 1957 t = xt_find_table_lock(net, AF_INET6, get.name);
1954 if (t && !IS_ERR(t)) { 1958 if (t && !IS_ERR(t)) {
1955 struct xt_table_info *private = t->private; 1959 struct xt_table_info *private = t->private;
1956 struct xt_table_info info; 1960 struct xt_table_info info;
@@ -1986,10 +1990,10 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
1986 1990
1987 switch (cmd) { 1991 switch (cmd) {
1988 case IP6T_SO_GET_INFO: 1992 case IP6T_SO_GET_INFO:
1989 ret = get_info(user, len, 1); 1993 ret = get_info(sk->sk_net, user, len, 1);
1990 break; 1994 break;
1991 case IP6T_SO_GET_ENTRIES: 1995 case IP6T_SO_GET_ENTRIES:
1992 ret = compat_get_entries(user, len); 1996 ret = compat_get_entries(sk->sk_net, user, len);
1993 break; 1997 break;
1994 default: 1998 default:
1995 ret = do_ip6t_get_ctl(sk, cmd, user, len); 1999 ret = do_ip6t_get_ctl(sk, cmd, user, len);
@@ -2008,11 +2012,11 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
2008 2012
2009 switch (cmd) { 2013 switch (cmd) {
2010 case IP6T_SO_SET_REPLACE: 2014 case IP6T_SO_SET_REPLACE:
2011 ret = do_replace(user, len); 2015 ret = do_replace(sk->sk_net, user, len);
2012 break; 2016 break;
2013 2017
2014 case IP6T_SO_SET_ADD_COUNTERS: 2018 case IP6T_SO_SET_ADD_COUNTERS:
2015 ret = do_add_counters(user, len, 0); 2019 ret = do_add_counters(sk->sk_net, user, len, 0);
2016 break; 2020 break;
2017 2021
2018 default: 2022 default:
@@ -2033,11 +2037,11 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2033 2037
2034 switch (cmd) { 2038 switch (cmd) {
2035 case IP6T_SO_GET_INFO: 2039 case IP6T_SO_GET_INFO:
2036 ret = get_info(user, len, 0); 2040 ret = get_info(sk->sk_net, user, len, 0);
2037 break; 2041 break;
2038 2042
2039 case IP6T_SO_GET_ENTRIES: 2043 case IP6T_SO_GET_ENTRIES:
2040 ret = get_entries(user, len); 2044 ret = get_entries(sk->sk_net, user, len);
2041 break; 2045 break;
2042 2046
2043 case IP6T_SO_GET_REVISION_MATCH: 2047 case IP6T_SO_GET_REVISION_MATCH:
@@ -2074,17 +2078,21 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
2074 return ret; 2078 return ret;
2075} 2079}
2076 2080
2077int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl) 2081struct xt_table *ip6t_register_table(struct net *net, struct xt_table *table,
2082 const struct ip6t_replace *repl)
2078{ 2083{
2079 int ret; 2084 int ret;
2080 struct xt_table_info *newinfo; 2085 struct xt_table_info *newinfo;
2081 struct xt_table_info bootstrap 2086 struct xt_table_info bootstrap
2082 = { 0, 0, 0, { 0 }, { 0 }, { } }; 2087 = { 0, 0, 0, { 0 }, { 0 }, { } };
2083 void *loc_cpu_entry; 2088 void *loc_cpu_entry;
2089 struct xt_table *new_table;
2084 2090
2085 newinfo = xt_alloc_table_info(repl->size); 2091 newinfo = xt_alloc_table_info(repl->size);
2086 if (!newinfo) 2092 if (!newinfo) {
2087 return -ENOMEM; 2093 ret = -ENOMEM;
2094 goto out;
2095 }
2088 2096
2089 /* choose the copy on our node/cpu, but dont care about preemption */ 2097 /* choose the copy on our node/cpu, but dont care about preemption */
2090 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()]; 2098 loc_cpu_entry = newinfo->entries[raw_smp_processor_id()];
@@ -2095,30 +2103,35 @@ int ip6t_register_table(struct xt_table *table, const struct ip6t_replace *repl)
2095 repl->num_entries, 2103 repl->num_entries,
2096 repl->hook_entry, 2104 repl->hook_entry,
2097 repl->underflow); 2105 repl->underflow);
2098 if (ret != 0) { 2106 if (ret != 0)
2099 xt_free_table_info(newinfo); 2107 goto out_free;
2100 return ret;
2101 }
2102 2108
2103 ret = xt_register_table(table, &bootstrap, newinfo); 2109 new_table = xt_register_table(net, table, &bootstrap, newinfo);
2104 if (ret != 0) { 2110 if (IS_ERR(new_table)) {
2105 xt_free_table_info(newinfo); 2111 ret = PTR_ERR(new_table);
2106 return ret; 2112 goto out_free;
2107 } 2113 }
2114 return new_table;
2108 2115
2109 return 0; 2116out_free:
2117 xt_free_table_info(newinfo);
2118out:
2119 return ERR_PTR(ret);
2110} 2120}
2111 2121
2112void ip6t_unregister_table(struct xt_table *table) 2122void ip6t_unregister_table(struct xt_table *table)
2113{ 2123{
2114 struct xt_table_info *private; 2124 struct xt_table_info *private;
2115 void *loc_cpu_entry; 2125 void *loc_cpu_entry;
2126 struct module *table_owner = table->me;
2116 2127
2117 private = xt_unregister_table(table); 2128 private = xt_unregister_table(table);
2118 2129
2119 /* Decrease module usage counts and free resources */ 2130 /* Decrease module usage counts and free resources */
2120 loc_cpu_entry = private->entries[raw_smp_processor_id()]; 2131 loc_cpu_entry = private->entries[raw_smp_processor_id()];
2121 IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL); 2132 IP6T_ENTRY_ITERATE(loc_cpu_entry, private->size, cleanup_entry, NULL);
2133 if (private->number > private->initial_entries)
2134 module_put(table_owner);
2122 xt_free_table_info(private); 2135 xt_free_table_info(private);
2123} 2136}
2124 2137
@@ -2225,11 +2238,26 @@ static struct xt_match icmp6_matchstruct __read_mostly = {
2225 .family = AF_INET6, 2238 .family = AF_INET6,
2226}; 2239};
2227 2240
2241static int __net_init ip6_tables_net_init(struct net *net)
2242{
2243 return xt_proto_init(net, AF_INET6);
2244}
2245
2246static void __net_exit ip6_tables_net_exit(struct net *net)
2247{
2248 xt_proto_fini(net, AF_INET6);
2249}
2250
2251static struct pernet_operations ip6_tables_net_ops = {
2252 .init = ip6_tables_net_init,
2253 .exit = ip6_tables_net_exit,
2254};
2255
2228static int __init ip6_tables_init(void) 2256static int __init ip6_tables_init(void)
2229{ 2257{
2230 int ret; 2258 int ret;
2231 2259
2232 ret = xt_proto_init(AF_INET6); 2260 ret = register_pernet_subsys(&ip6_tables_net_ops);
2233 if (ret < 0) 2261 if (ret < 0)
2234 goto err1; 2262 goto err1;
2235 2263
@@ -2259,7 +2287,7 @@ err4:
2259err3: 2287err3:
2260 xt_unregister_target(&ip6t_standard_target); 2288 xt_unregister_target(&ip6t_standard_target);
2261err2: 2289err2:
2262 xt_proto_fini(AF_INET6); 2290 unregister_pernet_subsys(&ip6_tables_net_ops);
2263err1: 2291err1:
2264 return ret; 2292 return ret;
2265} 2293}
@@ -2271,7 +2299,8 @@ static void __exit ip6_tables_fini(void)
2271 xt_unregister_match(&icmp6_matchstruct); 2299 xt_unregister_match(&icmp6_matchstruct);
2272 xt_unregister_target(&ip6t_error_target); 2300 xt_unregister_target(&ip6t_error_target);
2273 xt_unregister_target(&ip6t_standard_target); 2301 xt_unregister_target(&ip6t_standard_target);
2274 xt_proto_fini(AF_INET6); 2302
2303 unregister_pernet_subsys(&ip6_tables_net_ops);
2275} 2304}
2276 2305
2277/* 2306/*
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index 87d38d08aad0..2d9cd095a72c 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -26,7 +26,7 @@ static struct
26 struct ip6t_replace repl; 26 struct ip6t_replace repl;
27 struct ip6t_standard entries[3]; 27 struct ip6t_standard entries[3];
28 struct ip6t_error term; 28 struct ip6t_error term;
29} initial_table __initdata = { 29} initial_table __net_initdata = {
30 .repl = { 30 .repl = {
31 .name = "filter", 31 .name = "filter",
32 .valid_hooks = FILTER_VALID_HOOKS, 32 .valid_hooks = FILTER_VALID_HOOKS,
@@ -67,7 +67,7 @@ ip6t_hook(unsigned int hook,
67 const struct net_device *out, 67 const struct net_device *out,
68 int (*okfn)(struct sk_buff *)) 68 int (*okfn)(struct sk_buff *))
69{ 69{
70 return ip6t_do_table(skb, hook, in, out, &packet_filter); 70 return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_filter);
71} 71}
72 72
73static unsigned int 73static unsigned int
@@ -87,7 +87,7 @@ ip6t_local_out_hook(unsigned int hook,
87 } 87 }
88#endif 88#endif
89 89
90 return ip6t_do_table(skb, hook, in, out, &packet_filter); 90 return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_filter);
91} 91}
92 92
93static struct nf_hook_ops ip6t_ops[] __read_mostly = { 93static struct nf_hook_ops ip6t_ops[] __read_mostly = {
@@ -118,6 +118,26 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
118static int forward = NF_ACCEPT; 118static int forward = NF_ACCEPT;
119module_param(forward, bool, 0000); 119module_param(forward, bool, 0000);
120 120
121static int __net_init ip6table_filter_net_init(struct net *net)
122{
123 /* Register table */
124 net->ipv6.ip6table_filter =
125 ip6t_register_table(net, &packet_filter, &initial_table.repl);
126 if (IS_ERR(net->ipv6.ip6table_filter))
127 return PTR_ERR(net->ipv6.ip6table_filter);
128 return 0;
129}
130
131static void __net_exit ip6table_filter_net_exit(struct net *net)
132{
133 ip6t_unregister_table(net->ipv6.ip6table_filter);
134}
135
136static struct pernet_operations ip6table_filter_net_ops = {
137 .init = ip6table_filter_net_init,
138 .exit = ip6table_filter_net_exit,
139};
140
121static int __init ip6table_filter_init(void) 141static int __init ip6table_filter_init(void)
122{ 142{
123 int ret; 143 int ret;
@@ -130,8 +150,7 @@ static int __init ip6table_filter_init(void)
130 /* Entry 1 is the FORWARD hook */ 150 /* Entry 1 is the FORWARD hook */
131 initial_table.entries[1].target.verdict = -forward - 1; 151 initial_table.entries[1].target.verdict = -forward - 1;
132 152
133 /* Register table */ 153 ret = register_pernet_subsys(&ip6table_filter_net_ops);
134 ret = ip6t_register_table(&packet_filter, &initial_table.repl);
135 if (ret < 0) 154 if (ret < 0)
136 return ret; 155 return ret;
137 156
@@ -143,14 +162,14 @@ static int __init ip6table_filter_init(void)
143 return ret; 162 return ret;
144 163
145 cleanup_table: 164 cleanup_table:
146 ip6t_unregister_table(&packet_filter); 165 unregister_pernet_subsys(&ip6table_filter_net_ops);
147 return ret; 166 return ret;
148} 167}
149 168
150static void __exit ip6table_filter_fini(void) 169static void __exit ip6table_filter_fini(void)
151{ 170{
152 nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); 171 nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
153 ip6t_unregister_table(&packet_filter); 172 unregister_pernet_subsys(&ip6table_filter_net_ops);
154} 173}
155 174
156module_init(ip6table_filter_init); 175module_init(ip6table_filter_init);
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index d6082600bc5d..035343a90ffe 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -26,7 +26,7 @@ static struct
26 struct ip6t_replace repl; 26 struct ip6t_replace repl;
27 struct ip6t_standard entries[5]; 27 struct ip6t_standard entries[5];
28 struct ip6t_error term; 28 struct ip6t_error term;
29} initial_table __initdata = { 29} initial_table __net_initdata = {
30 .repl = { 30 .repl = {
31 .name = "mangle", 31 .name = "mangle",
32 .valid_hooks = MANGLE_VALID_HOOKS, 32 .valid_hooks = MANGLE_VALID_HOOKS,
@@ -73,7 +73,7 @@ ip6t_route_hook(unsigned int hook,
73 const struct net_device *out, 73 const struct net_device *out,
74 int (*okfn)(struct sk_buff *)) 74 int (*okfn)(struct sk_buff *))
75{ 75{
76 return ip6t_do_table(skb, hook, in, out, &packet_mangler); 76 return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_mangle);
77} 77}
78 78
79static unsigned int 79static unsigned int
@@ -108,7 +108,7 @@ ip6t_local_hook(unsigned int hook,
108 /* flowlabel and prio (includes version, which shouldn't change either */ 108 /* flowlabel and prio (includes version, which shouldn't change either */
109 flowlabel = *((u_int32_t *)ipv6_hdr(skb)); 109 flowlabel = *((u_int32_t *)ipv6_hdr(skb));
110 110
111 ret = ip6t_do_table(skb, hook, in, out, &packet_mangler); 111 ret = ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_mangle);
112 112
113 if (ret != NF_DROP && ret != NF_STOLEN 113 if (ret != NF_DROP && ret != NF_STOLEN
114 && (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) 114 && (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
@@ -158,12 +158,31 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
158 }, 158 },
159}; 159};
160 160
161static int __net_init ip6table_mangle_net_init(struct net *net)
162{
163 /* Register table */
164 net->ipv6.ip6table_mangle =
165 ip6t_register_table(net, &packet_mangler, &initial_table.repl);
166 if (IS_ERR(net->ipv6.ip6table_mangle))
167 return PTR_ERR(net->ipv6.ip6table_mangle);
168 return 0;
169}
170
171static void __net_exit ip6table_mangle_net_exit(struct net *net)
172{
173 ip6t_unregister_table(net->ipv6.ip6table_mangle);
174}
175
176static struct pernet_operations ip6table_mangle_net_ops = {
177 .init = ip6table_mangle_net_init,
178 .exit = ip6table_mangle_net_exit,
179};
180
161static int __init ip6table_mangle_init(void) 181static int __init ip6table_mangle_init(void)
162{ 182{
163 int ret; 183 int ret;
164 184
165 /* Register table */ 185 ret = register_pernet_subsys(&ip6table_mangle_net_ops);
166 ret = ip6t_register_table(&packet_mangler, &initial_table.repl);
167 if (ret < 0) 186 if (ret < 0)
168 return ret; 187 return ret;
169 188
@@ -175,14 +194,14 @@ static int __init ip6table_mangle_init(void)
175 return ret; 194 return ret;
176 195
177 cleanup_table: 196 cleanup_table:
178 ip6t_unregister_table(&packet_mangler); 197 unregister_pernet_subsys(&ip6table_mangle_net_ops);
179 return ret; 198 return ret;
180} 199}
181 200
182static void __exit ip6table_mangle_fini(void) 201static void __exit ip6table_mangle_fini(void)
183{ 202{
184 nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); 203 nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
185 ip6t_unregister_table(&packet_mangler); 204 unregister_pernet_subsys(&ip6table_mangle_net_ops);
186} 205}
187 206
188module_init(ip6table_mangle_init); 207module_init(ip6table_mangle_init);
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index eccbaaa104af..5cd84203abfe 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -13,7 +13,7 @@ static struct
13 struct ip6t_replace repl; 13 struct ip6t_replace repl;
14 struct ip6t_standard entries[2]; 14 struct ip6t_standard entries[2];
15 struct ip6t_error term; 15 struct ip6t_error term;
16} initial_table __initdata = { 16} initial_table __net_initdata = {
17 .repl = { 17 .repl = {
18 .name = "raw", 18 .name = "raw",
19 .valid_hooks = RAW_VALID_HOOKS, 19 .valid_hooks = RAW_VALID_HOOKS,
@@ -51,7 +51,7 @@ ip6t_hook(unsigned int hook,
51 const struct net_device *out, 51 const struct net_device *out,
52 int (*okfn)(struct sk_buff *)) 52 int (*okfn)(struct sk_buff *))
53{ 53{
54 return ip6t_do_table(skb, hook, in, out, &packet_raw); 54 return ip6t_do_table(skb, hook, in, out, init_net.ipv6.ip6table_raw);
55} 55}
56 56
57static struct nf_hook_ops ip6t_ops[] __read_mostly = { 57static struct nf_hook_ops ip6t_ops[] __read_mostly = {
@@ -71,12 +71,31 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
71 }, 71 },
72}; 72};
73 73
74static int __net_init ip6table_raw_net_init(struct net *net)
75{
76 /* Register table */
77 net->ipv6.ip6table_raw =
78 ip6t_register_table(net, &packet_raw, &initial_table.repl);
79 if (IS_ERR(net->ipv6.ip6table_raw))
80 return PTR_ERR(net->ipv6.ip6table_raw);
81 return 0;
82}
83
84static void __net_exit ip6table_raw_net_exit(struct net *net)
85{
86 ip6t_unregister_table(net->ipv6.ip6table_raw);
87}
88
89static struct pernet_operations ip6table_raw_net_ops = {
90 .init = ip6table_raw_net_init,
91 .exit = ip6table_raw_net_exit,
92};
93
74static int __init ip6table_raw_init(void) 94static int __init ip6table_raw_init(void)
75{ 95{
76 int ret; 96 int ret;
77 97
78 /* Register table */ 98 ret = register_pernet_subsys(&ip6table_raw_net_ops);
79 ret = ip6t_register_table(&packet_raw, &initial_table.repl);
80 if (ret < 0) 99 if (ret < 0)
81 return ret; 100 return ret;
82 101
@@ -88,14 +107,14 @@ static int __init ip6table_raw_init(void)
88 return ret; 107 return ret;
89 108
90 cleanup_table: 109 cleanup_table:
91 ip6t_unregister_table(&packet_raw); 110 unregister_pernet_subsys(&ip6table_raw_net_ops);
92 return ret; 111 return ret;
93} 112}
94 113
95static void __exit ip6table_raw_fini(void) 114static void __exit ip6table_raw_fini(void)
96{ 115{
97 nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops)); 116 nf_unregister_hooks(ip6t_ops, ARRAY_SIZE(ip6t_ops));
98 ip6t_unregister_table(&packet_raw); 117 unregister_pernet_subsys(&ip6table_raw_net_ops);
99} 118}
100 119
101module_init(ip6table_raw_init); 120module_init(ip6table_raw_init);
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 2d7b0246475d..3717bdf34f6e 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -30,7 +30,8 @@
30static int ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff, 30static int ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
31 struct nf_conntrack_tuple *tuple) 31 struct nf_conntrack_tuple *tuple)
32{ 32{
33 u_int32_t _addrs[8], *ap; 33 const u_int32_t *ap;
34 u_int32_t _addrs[8];
34 35
35 ap = skb_header_pointer(skb, nhoff + offsetof(struct ipv6hdr, saddr), 36 ap = skb_header_pointer(skb, nhoff + offsetof(struct ipv6hdr, saddr),
36 sizeof(_addrs), _addrs); 37 sizeof(_addrs), _addrs);
@@ -146,8 +147,8 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
146 int (*okfn)(struct sk_buff *)) 147 int (*okfn)(struct sk_buff *))
147{ 148{
148 struct nf_conn *ct; 149 struct nf_conn *ct;
149 struct nf_conn_help *help; 150 const struct nf_conn_help *help;
150 struct nf_conntrack_helper *helper; 151 const struct nf_conntrack_helper *helper;
151 enum ip_conntrack_info ctinfo; 152 enum ip_conntrack_info ctinfo;
152 unsigned int ret, protoff; 153 unsigned int ret, protoff;
153 unsigned int extoff = (u8 *)(ipv6_hdr(skb) + 1) - skb->data; 154 unsigned int extoff = (u8 *)(ipv6_hdr(skb) + 1) - skb->data;
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index da924c6b5f06..0897d0f4c4a2 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -32,7 +32,8 @@ static int icmpv6_pkt_to_tuple(const struct sk_buff *skb,
32 unsigned int dataoff, 32 unsigned int dataoff,
33 struct nf_conntrack_tuple *tuple) 33 struct nf_conntrack_tuple *tuple)
34{ 34{
35 struct icmp6hdr _hdr, *hp; 35 const struct icmp6hdr *hp;
36 struct icmp6hdr _hdr;
36 37
37 hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 38 hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
38 if (hp == NULL) 39 if (hp == NULL)
@@ -45,7 +46,7 @@ static int icmpv6_pkt_to_tuple(const struct sk_buff *skb,
45} 46}
46 47
47/* Add 1; spaces filled with 0. */ 48/* Add 1; spaces filled with 0. */
48static u_int8_t invmap[] = { 49static const u_int8_t invmap[] = {
49 [ICMPV6_ECHO_REQUEST - 128] = ICMPV6_ECHO_REPLY + 1, 50 [ICMPV6_ECHO_REQUEST - 128] = ICMPV6_ECHO_REPLY + 1,
50 [ICMPV6_ECHO_REPLY - 128] = ICMPV6_ECHO_REQUEST + 1, 51 [ICMPV6_ECHO_REPLY - 128] = ICMPV6_ECHO_REQUEST + 1,
51 [ICMPV6_NI_QUERY - 128] = ICMPV6_NI_QUERY + 1, 52 [ICMPV6_NI_QUERY - 128] = ICMPV6_NI_QUERY + 1,
@@ -101,24 +102,24 @@ static int icmpv6_packet(struct nf_conn *ct,
101} 102}
102 103
103/* Called when a new connection for this protocol found. */ 104/* Called when a new connection for this protocol found. */
104static int icmpv6_new(struct nf_conn *conntrack, 105static int icmpv6_new(struct nf_conn *ct,
105 const struct sk_buff *skb, 106 const struct sk_buff *skb,
106 unsigned int dataoff) 107 unsigned int dataoff)
107{ 108{
108 static u_int8_t valid_new[] = { 109 static const u_int8_t valid_new[] = {
109 [ICMPV6_ECHO_REQUEST - 128] = 1, 110 [ICMPV6_ECHO_REQUEST - 128] = 1,
110 [ICMPV6_NI_QUERY - 128] = 1 111 [ICMPV6_NI_QUERY - 128] = 1
111 }; 112 };
112 int type = conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128; 113 int type = ct->tuplehash[0].tuple.dst.u.icmp.type - 128;
113 114
114 if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) { 115 if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) {
115 /* Can't create a new ICMPv6 `conn' with this. */ 116 /* Can't create a new ICMPv6 `conn' with this. */
116 pr_debug("icmpv6: can't create new conn with type %u\n", 117 pr_debug("icmpv6: can't create new conn with type %u\n",
117 type + 128); 118 type + 128);
118 NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple); 119 NF_CT_DUMP_TUPLE(&ct->tuplehash[0].tuple);
119 return 0; 120 return 0;
120 } 121 }
121 atomic_set(&conntrack->proto.icmp.count, 0); 122 atomic_set(&ct->proto.icmp.count, 0);
122 return 1; 123 return 1;
123} 124}
124 125
@@ -129,8 +130,8 @@ icmpv6_error_message(struct sk_buff *skb,
129 unsigned int hooknum) 130 unsigned int hooknum)
130{ 131{
131 struct nf_conntrack_tuple intuple, origtuple; 132 struct nf_conntrack_tuple intuple, origtuple;
132 struct nf_conntrack_tuple_hash *h; 133 const struct nf_conntrack_tuple_hash *h;
133 struct nf_conntrack_l4proto *inproto; 134 const struct nf_conntrack_l4proto *inproto;
134 135
135 NF_CT_ASSERT(skb->nfct == NULL); 136 NF_CT_ASSERT(skb->nfct == NULL);
136 137
@@ -176,7 +177,8 @@ static int
176icmpv6_error(struct sk_buff *skb, unsigned int dataoff, 177icmpv6_error(struct sk_buff *skb, unsigned int dataoff,
177 enum ip_conntrack_info *ctinfo, int pf, unsigned int hooknum) 178 enum ip_conntrack_info *ctinfo, int pf, unsigned int hooknum)
178{ 179{
179 struct icmp6hdr _ih, *icmp6h; 180 const struct icmp6hdr *icmp6h;
181 struct icmp6hdr _ih;
180 182
181 icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih); 183 icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
182 if (icmp6h == NULL) { 184 if (icmp6h == NULL) {
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 022da6ce4c0f..2a0d698b24d5 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -39,6 +39,7 @@
39#include <net/rawv6.h> 39#include <net/rawv6.h>
40#include <net/ndisc.h> 40#include <net/ndisc.h>
41#include <net/addrconf.h> 41#include <net/addrconf.h>
42#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
42#include <linux/sysctl.h> 43#include <linux/sysctl.h>
43#include <linux/netfilter.h> 44#include <linux/netfilter.h>
44#include <linux/netfilter_ipv6.h> 45#include <linux/netfilter_ipv6.h>
@@ -680,21 +681,6 @@ void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
680 nf_conntrack_put_reasm(skb); 681 nf_conntrack_put_reasm(skb);
681} 682}
682 683
683int nf_ct_frag6_kfree_frags(struct sk_buff *skb)
684{
685 struct sk_buff *s, *s2;
686
687 for (s = NFCT_FRAG6_CB(skb)->orig; s; s = s2) {
688
689 s2 = s->next;
690 kfree_skb(s);
691 }
692
693 kfree_skb(skb);
694
695 return 0;
696}
697
698int nf_ct_frag6_init(void) 684int nf_ct_frag6_init(void)
699{ 685{
700 nf_frags.hashfn = nf_hashfn; 686 nf_frags.hashfn = nf_hashfn;
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 4d880551fe6a..8897ccf8086a 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -641,6 +641,7 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
641 skb_reserve(skb, hh_len); 641 skb_reserve(skb, hh_len);
642 642
643 skb->priority = sk->sk_priority; 643 skb->priority = sk->sk_priority;
644 skb->mark = sk->sk_mark;
644 skb->dst = dst_clone(&rt->u.dst); 645 skb->dst = dst_clone(&rt->u.dst);
645 646
646 skb_put(skb, length); 647 skb_put(skb, length);
@@ -767,6 +768,8 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
767 */ 768 */
768 memset(&fl, 0, sizeof(fl)); 769 memset(&fl, 0, sizeof(fl));
769 770
771 fl.mark = sk->sk_mark;
772
770 if (sin6) { 773 if (sin6) {
771 if (addr_len < SIN6_LEN_RFC2133) 774 if (addr_len < SIN6_LEN_RFC2133)
772 return -EINVAL; 775 return -EINVAL;
@@ -1259,7 +1262,7 @@ static const struct seq_operations raw6_seq_ops = {
1259 1262
1260static int raw6_seq_open(struct inode *inode, struct file *file) 1263static int raw6_seq_open(struct inode *inode, struct file *file)
1261{ 1264{
1262 return raw_seq_open(inode, file, &raw_v6_hashinfo, PF_INET6); 1265 return raw_seq_open(inode, file, &raw_v6_hashinfo, &raw6_seq_ops);
1263} 1266}
1264 1267
1265static const struct file_operations raw6_seq_fops = { 1268static const struct file_operations raw6_seq_fops = {
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 4004c5f0b8d7..513f72e3db0d 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -107,6 +107,7 @@ static struct dst_ops ip6_dst_ops = {
107 .update_pmtu = ip6_rt_update_pmtu, 107 .update_pmtu = ip6_rt_update_pmtu,
108 .local_out = ip6_local_out, 108 .local_out = ip6_local_out,
109 .entry_size = sizeof(struct rt6_info), 109 .entry_size = sizeof(struct rt6_info),
110 .entries = ATOMIC_INIT(0),
110}; 111};
111 112
112static void ip6_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu) 113static void ip6_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
@@ -120,6 +121,7 @@ static struct dst_ops ip6_dst_blackhole_ops = {
120 .check = ip6_dst_check, 121 .check = ip6_dst_check,
121 .update_pmtu = ip6_rt_blackhole_update_pmtu, 122 .update_pmtu = ip6_rt_blackhole_update_pmtu,
122 .entry_size = sizeof(struct rt6_info), 123 .entry_size = sizeof(struct rt6_info),
124 .entries = ATOMIC_INIT(0),
123}; 125};
124 126
125struct rt6_info ip6_null_entry = { 127struct rt6_info ip6_null_entry = {
@@ -1907,7 +1909,7 @@ static int rt6_mtu_change_route(struct rt6_info *rt, void *p_arg)
1907 */ 1909 */
1908 if (rt->rt6i_dev == arg->dev && 1910 if (rt->rt6i_dev == arg->dev &&
1909 !dst_metric_locked(&rt->u.dst, RTAX_MTU) && 1911 !dst_metric_locked(&rt->u.dst, RTAX_MTU) &&
1910 (dst_mtu(&rt->u.dst) > arg->mtu || 1912 (dst_mtu(&rt->u.dst) >= arg->mtu ||
1911 (dst_mtu(&rt->u.dst) < arg->mtu && 1913 (dst_mtu(&rt->u.dst) < arg->mtu &&
1912 dst_mtu(&rt->u.dst) == idev->cnf.mtu6))) { 1914 dst_mtu(&rt->u.dst) == idev->cnf.mtu6))) {
1913 rt->u.dst.metrics[RTAX_MTU-1] = arg->mtu; 1915 rt->u.dst.metrics[RTAX_MTU-1] = arg->mtu;
@@ -1960,6 +1962,7 @@ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
1960 1962
1961 cfg->fc_nlinfo.pid = NETLINK_CB(skb).pid; 1963 cfg->fc_nlinfo.pid = NETLINK_CB(skb).pid;
1962 cfg->fc_nlinfo.nlh = nlh; 1964 cfg->fc_nlinfo.nlh = nlh;
1965 cfg->fc_nlinfo.nl_net = skb->sk->sk_net;
1963 1966
1964 if (tb[RTA_GATEWAY]) { 1967 if (tb[RTA_GATEWAY]) {
1965 nla_memcpy(&cfg->fc_gateway, tb[RTA_GATEWAY], 16); 1968 nla_memcpy(&cfg->fc_gateway, tb[RTA_GATEWAY], 16);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 00c08399837d..59d0029e93a7 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -330,8 +330,8 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
330 struct tcp_sock *tp; 330 struct tcp_sock *tp;
331 __u32 seq; 331 __u32 seq;
332 332
333 sk = inet6_lookup(&tcp_hashinfo, &hdr->daddr, th->dest, &hdr->saddr, 333 sk = inet6_lookup(skb->dev->nd_net, &tcp_hashinfo, &hdr->daddr,
334 th->source, skb->dev->ifindex); 334 th->dest, &hdr->saddr, th->source, skb->dev->ifindex);
335 335
336 if (sk == NULL) { 336 if (sk == NULL) {
337 ICMP6_INC_STATS_BH(__in6_dev_get(skb->dev), ICMP6_MIB_INERRORS); 337 ICMP6_INC_STATS_BH(__in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
@@ -1208,9 +1208,9 @@ static struct sock *tcp_v6_hnd_req(struct sock *sk,struct sk_buff *skb)
1208 if (req) 1208 if (req)
1209 return tcp_check_req(sk, skb, req, prev); 1209 return tcp_check_req(sk, skb, req, prev);
1210 1210
1211 nsk = __inet6_lookup_established(&tcp_hashinfo, &ipv6_hdr(skb)->saddr, 1211 nsk = __inet6_lookup_established(sk->sk_net, &tcp_hashinfo,
1212 th->source, &ipv6_hdr(skb)->daddr, 1212 &ipv6_hdr(skb)->saddr, th->source,
1213 ntohs(th->dest), inet6_iif(skb)); 1213 &ipv6_hdr(skb)->daddr, ntohs(th->dest), inet6_iif(skb));
1214 1214
1215 if (nsk) { 1215 if (nsk) {
1216 if (nsk->sk_state != TCP_TIME_WAIT) { 1216 if (nsk->sk_state != TCP_TIME_WAIT) {
@@ -1710,9 +1710,10 @@ static int tcp_v6_rcv(struct sk_buff *skb)
1710 TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb)); 1710 TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb));
1711 TCP_SKB_CB(skb)->sacked = 0; 1711 TCP_SKB_CB(skb)->sacked = 0;
1712 1712
1713 sk = __inet6_lookup(&tcp_hashinfo, &ipv6_hdr(skb)->saddr, th->source, 1713 sk = __inet6_lookup(skb->dev->nd_net, &tcp_hashinfo,
1714 &ipv6_hdr(skb)->daddr, ntohs(th->dest), 1714 &ipv6_hdr(skb)->saddr, th->source,
1715 inet6_iif(skb)); 1715 &ipv6_hdr(skb)->daddr, ntohs(th->dest),
1716 inet6_iif(skb));
1716 1717
1717 if (!sk) 1718 if (!sk)
1718 goto no_tcp_socket; 1719 goto no_tcp_socket;
@@ -1792,7 +1793,7 @@ do_time_wait:
1792 { 1793 {
1793 struct sock *sk2; 1794 struct sock *sk2;
1794 1795
1795 sk2 = inet6_lookup_listener(&tcp_hashinfo, 1796 sk2 = inet6_lookup_listener(skb->dev->nd_net, &tcp_hashinfo,
1796 &ipv6_hdr(skb)->daddr, 1797 &ipv6_hdr(skb)->daddr,
1797 ntohs(th->dest), inet6_iif(skb)); 1798 ntohs(th->dest), inet6_iif(skb));
1798 if (sk2 != NULL) { 1799 if (sk2 != NULL) {
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index bd4b9df8f614..53739de829db 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -56,7 +56,8 @@ static inline int udp_v6_get_port(struct sock *sk, unsigned short snum)
56 return udp_get_port(sk, snum, ipv6_rcv_saddr_equal); 56 return udp_get_port(sk, snum, ipv6_rcv_saddr_equal);
57} 57}
58 58
59static struct sock *__udp6_lib_lookup(struct in6_addr *saddr, __be16 sport, 59static struct sock *__udp6_lib_lookup(struct net *net,
60 struct in6_addr *saddr, __be16 sport,
60 struct in6_addr *daddr, __be16 dport, 61 struct in6_addr *daddr, __be16 dport,
61 int dif, struct hlist_head udptable[]) 62 int dif, struct hlist_head udptable[])
62{ 63{
@@ -69,7 +70,8 @@ static struct sock *__udp6_lib_lookup(struct in6_addr *saddr, __be16 sport,
69 sk_for_each(sk, node, &udptable[hnum & (UDP_HTABLE_SIZE - 1)]) { 70 sk_for_each(sk, node, &udptable[hnum & (UDP_HTABLE_SIZE - 1)]) {
70 struct inet_sock *inet = inet_sk(sk); 71 struct inet_sock *inet = inet_sk(sk);
71 72
72 if (sk->sk_hash == hnum && sk->sk_family == PF_INET6) { 73 if (sk->sk_net == net && sk->sk_hash == hnum &&
74 sk->sk_family == PF_INET6) {
73 struct ipv6_pinfo *np = inet6_sk(sk); 75 struct ipv6_pinfo *np = inet6_sk(sk);
74 int score = 0; 76 int score = 0;
75 if (inet->dport) { 77 if (inet->dport) {
@@ -233,7 +235,7 @@ void __udp6_lib_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
233 struct sock *sk; 235 struct sock *sk;
234 int err; 236 int err;
235 237
236 sk = __udp6_lib_lookup(daddr, uh->dest, 238 sk = __udp6_lib_lookup(skb->dev->nd_net, daddr, uh->dest,
237 saddr, uh->source, inet6_iif(skb), udptable); 239 saddr, uh->source, inet6_iif(skb), udptable);
238 if (sk == NULL) 240 if (sk == NULL)
239 return; 241 return;
@@ -478,7 +480,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct hlist_head udptable[],
478 * check socket cache ... must talk to Alan about his plans 480 * check socket cache ... must talk to Alan about his plans
479 * for sock caches... i'll skip this for now. 481 * for sock caches... i'll skip this for now.
480 */ 482 */
481 sk = __udp6_lib_lookup(saddr, uh->source, 483 sk = __udp6_lib_lookup(skb->dev->nd_net, saddr, uh->source,
482 daddr, uh->dest, inet6_iif(skb), udptable); 484 daddr, uh->dest, inet6_iif(skb), udptable);
483 485
484 if (sk == NULL) { 486 if (sk == NULL) {
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index c25a6b527fc4..7d20199ee1f3 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -272,6 +272,7 @@ static struct dst_ops xfrm6_dst_ops = {
272 .local_out = __ip6_local_out, 272 .local_out = __ip6_local_out,
273 .gc_thresh = 1024, 273 .gc_thresh = 1024,
274 .entry_size = sizeof(struct xfrm_dst), 274 .entry_size = sizeof(struct xfrm_dst),
275 .entries = ATOMIC_INIT(0),
275}; 276};
276 277
277static struct xfrm_policy_afinfo xfrm6_policy_afinfo = { 278static struct xfrm_policy_afinfo xfrm6_policy_afinfo = {
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index fae90ff31087..639fe8a6ff1e 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -319,7 +319,7 @@ static void xfrm6_tunnel_destroy(struct xfrm_state *x)
319 xfrm6_tunnel_free_spi((xfrm_address_t *)&x->props.saddr); 319 xfrm6_tunnel_free_spi((xfrm_address_t *)&x->props.saddr);
320} 320}
321 321
322static struct xfrm_type xfrm6_tunnel_type = { 322static const struct xfrm_type xfrm6_tunnel_type = {
323 .description = "IP6IP6", 323 .description = "IP6IP6",
324 .owner = THIS_MODULE, 324 .owner = THIS_MODULE,
325 .proto = IPPROTO_IPV6, 325 .proto = IPPROTO_IPV6,
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-06 07:09:02 -0500