14 files changed, 62 insertions, 22 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index cbc8a389a0a8..05b3de888243 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -61,6 +61,9 @@ static int brnf_filter_vlan_tagged = 1;
 #define brnf_filter_vlan_tagged 1
 #endif
+int brnf_deferred_hooks;
+EXPORT_SYMBOL_GPL(brnf_deferred_hooks);
 static __be16 inline vlan_proto(const struct sk_buff *skb)
 {
        return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
@@ -890,6 +893,8 @@ static unsigned int ip_sabotage_out(unsigned int hook, struct sk_buff **pskb,
                                return NF_ACCEPT;
                        else if (ip->version == 6 && !brnf_call_ip6tables)
                                return NF_ACCEPT;
+                        else if (!brnf_deferred_hooks)
+                                return NF_ACCEPT;
 #endif
                        if (hook == NF_IP_POST_ROUTING)
                                return NF_ACCEPT;
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 184c78ca79e6..212734ca238f 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -429,7 +429,7 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
        }
        /* Remove any debris in the socket control block */
-        memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
+        memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
        return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
                       ip_rcv_finish);
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 9ccacf57f08b..85893eef6b16 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1578,6 +1578,7 @@ int ipmr_get_route(struct sk_buff *skb, struct rtmsg *rtm, int nowait)
        cache = ipmr_cache_find(rt->rt_src, rt->rt_dst);
        if (cache==NULL) {
+                struct sk_buff *skb2;
                struct net_device *dev;
                int vif;
@@ -1591,12 +1592,18 @@ int ipmr_get_route(struct sk_buff *skb, struct rtmsg *rtm, int nowait)
                        read_unlock(&mrt_lock);
                        return -ENODEV;
                }
-                skb->nh.raw = skb_push(skb, sizeof(struct iphdr));
+                skb2 = skb_clone(skb, GFP_ATOMIC);
-                skb->nh.iph->ihl = sizeof(struct iphdr)>>2;
+                if (!skb2) {
-                skb->nh.iph->saddr = rt->rt_src;
+                        read_unlock(&mrt_lock);
-                skb->nh.iph->daddr = rt->rt_dst;
+                        return -ENOMEM;
-                skb->nh.iph->version = 0;
+                }
-                err = ipmr_cache_unresolved(vif, skb);
+                skb2->nh.raw = skb_push(skb2, sizeof(struct iphdr));
+                skb2->nh.iph->ihl = sizeof(struct iphdr)>>2;
+                skb2->nh.iph->saddr = rt->rt_src;
+                skb2->nh.iph->daddr = rt->rt_dst;
+                skb2->nh.iph->version = 0;
+                err = ipmr_cache_unresolved(vif, skb2);
                read_unlock(&mrt_lock);
                return err;
        }
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
index af35235672d5..9a39e2969712 100644
--- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c
+++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -1200,7 +1200,7 @@ static struct ip_conntrack_expect *find_expect(struct ip_conntrack *ct,
        tuple.dst.protonum = IPPROTO_TCP;
        exp = __ip_conntrack_expect_find(&tuple);
-        if (exp->master == ct)
+        if (exp && exp->master == ct)
                return exp;
        return NULL;
 }
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 7bd3c22003a2..7a9fa04a467a 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -534,6 +534,8 @@ static struct nf_hook_ops ip_conntrack_ops[] = {
 /* Sysctl support */
+int ip_conntrack_checksum = 1;
 #ifdef CONFIG_SYSCTL
 /* From ip_conntrack_core.c */
@@ -568,8 +570,6 @@ extern unsigned int ip_ct_generic_timeout;
 static int log_invalid_proto_min = 0;
 static int log_invalid_proto_max = 255;
-int ip_conntrack_checksum = 1;
 static struct ctl_table_header *ip_ct_sysctl_header;
 static ctl_table ip_ct_sysctl_table[] = {
diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c
index 0b1b416759cc..18b7fbdccb61 100644
--- a/net/ipv4/netfilter/ip_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -1255,9 +1255,9 @@ static int help(struct sk_buff **pskb,
        struct udphdr *udph = (struct udphdr *)((u_int32_t *)iph + iph->ihl);
        /* SNMP replies and originating SNMP traps get mangled */
-        if (udph->source == ntohs(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
+        if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
                return NF_ACCEPT;
-        if (udph->dest == ntohs(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
+        if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
                return NF_ACCEPT;
        /* No NAT? */
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index bd221ec3f81e..62b2762a2420 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -609,6 +609,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        if (sin) {
                sin->sin_family = AF_INET;
                sin->sin_addr.s_addr = skb->nh.iph->saddr;
+                sin->sin_port = 0;
                memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
        }
        if (inet->cmsg_flags)
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index df8f051c0fce..25c2a9e03895 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -71,6 +71,8 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
                goto out;
        }
+        memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
        /*
         * Store incoming device index. When the packet will
         * be queued, we cannot refer to skb->dev anymore.
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index fa1ce0ae123e..d57e61ce4a7d 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -411,6 +411,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk,
        /* Copy the address. */
        if (sin6) {
                sin6->sin6_family = AF_INET6;
+                sin6->sin6_port = 0;
                ipv6_addr_copy(&sin6->sin6_addr, &skb->nh.ipv6h->saddr);
                sin6->sin6_flowinfo = 0;
                sin6->sin6_scope_id = 0;
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 42a178aa30f9..a9894ddfd72a 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -386,8 +386,8 @@ config NETFILTER_XT_MATCH_REALM
          <file:Documentation/modules.txt>.  If unsure, say `N'.
 config NETFILTER_XT_MATCH_SCTP
-        tristate  '"sctp" protocol match support'
+        tristate  '"sctp" protocol match support (EXPERIMENTAL)'
-        depends on NETFILTER_XTABLES
+        depends on NETFILTER_XTABLES && EXPERIMENTAL
        help
          With this option enabled, you will be able to use the 
          `sctp' match in order to match on SCTP source/destination ports
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 5fcab2ef231f..4ef836699962 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -428,6 +428,8 @@ static struct file_operations ct_cpu_seq_fops = {
 /* Sysctl support */
+int nf_conntrack_checksum = 1;
 #ifdef CONFIG_SYSCTL
 /* From nf_conntrack_core.c */
@@ -459,8 +461,6 @@ extern unsigned int nf_ct_generic_timeout;
 static int log_invalid_proto_min = 0;
 static int log_invalid_proto_max = 255;
-int nf_conntrack_checksum = 1;
 static struct ctl_table_header *nf_ct_sysctl_header;
 static ctl_table nf_ct_sysctl_table[] = {
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index bb6fcee452ca..662a869593bf 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -219,21 +219,20 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
        switch (verdict & NF_VERDICT_MASK) {
        case NF_ACCEPT:
+        case NF_STOP:
                info->okfn(skb);
+        case NF_STOLEN:
                break;
        case NF_QUEUE:
                if (!nf_queue(&skb, elem, info->pf, info->hook, 
                              info->indev, info->outdev, info->okfn,
                              verdict >> NF_VERDICT_BITS))
                        goto next_hook;
                break;
+        default:
+                kfree_skb(skb);
        }
        rcu_read_unlock();
-        if (verdict == NF_DROP)
-                kfree_skb(skb);
        kfree(info);
        return;
 }
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 5fe4c9df17f5..a9f4f6f3c628 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -113,6 +113,21 @@ checkentry(const char *tablename,
        if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
            info->bitmask & ~XT_PHYSDEV_OP_MASK)
                return 0;
+        if (brnf_deferred_hooks == 0 &&
+            info->bitmask & XT_PHYSDEV_OP_OUT &&
+            (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
+             info->invert & XT_PHYSDEV_OP_BRIDGED) &&
+            hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
+                         (1 << NF_IP_POST_ROUTING))) {
+                printk(KERN_WARNING "physdev match: using --physdev-out in the "
+                       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
+                       "traffic is deprecated and breaks other things, it will "
+                       "be removed in January 2007. See Documentation/"
+                       "feature-removal-schedule.txt for details. This doesn't "
+                       "affect you in case you're using it for purely bridged "
+                       "traffic.\n");
+                brnf_deferred_hooks = 1;
+        }
        return 1;
 }
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 3ac703b5cb8f..d2f5320a80bf 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -9,6 +9,8 @@
 #include <linux/skbuff.h>
 #include <linux/if_ether.h>
 #include <linux/if_packet.h>
+#include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/netfilter/xt_pkttype.h>
 #include <linux/netfilter/x_tables.h>
@@ -28,9 +30,17 @@ static int match(const struct sk_buff *skb,
      unsigned int protoff,
      int *hotdrop)
 {
+        u_int8_t type;
        const struct xt_pkttype_info *info = matchinfo;
-        return (skb->pkt_type == info->pkttype) ^ info->invert;
+        if (skb->pkt_type == PACKET_LOOPBACK)
+                type = (MULTICAST(skb->nh.iph->daddr)
+                        ? PACKET_MULTICAST
+                        : PACKET_BROADCAST);
+        else
+                type = skb->pkt_type;
+        return (type == info->pkttype) ^ info->invert;
 }
 static struct xt_match pkttype_match = {

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index cbc8a389a0a8..05b3de888243 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c
@@ -61,6 +61,9 @@ static int brnf_filter_vlan_tagged = 1;
61	#define brnf_filter_vlan_tagged 1	61	#define brnf_filter_vlan_tagged 1
62	#endif	62	#endif
63		63
		64	int brnf_deferred_hooks;
		65	EXPORT_SYMBOL_GPL(brnf_deferred_hooks);
		66
64	static __be16 inline vlan_proto(const struct sk_buff *skb)	67	static __be16 inline vlan_proto(const struct sk_buff *skb)
65	{	68	{
66	return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;	69	return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
@@ -890,6 +893,8 @@ static unsigned int ip_sabotage_out(unsigned int hook, struct sk_buff **pskb,
890	return NF_ACCEPT;	893	return NF_ACCEPT;
891	else if (ip->version == 6 && !brnf_call_ip6tables)	894	else if (ip->version == 6 && !brnf_call_ip6tables)
892	return NF_ACCEPT;	895	return NF_ACCEPT;
		896	else if (!brnf_deferred_hooks)
		897	return NF_ACCEPT;
893	#endif	898	#endif
894	if (hook == NF_IP_POST_ROUTING)	899	if (hook == NF_IP_POST_ROUTING)
895	return NF_ACCEPT;	900	return NF_ACCEPT;


diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index 184c78ca79e6..212734ca238f 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c
@@ -429,7 +429,7 @@ int ip_rcv(struct sk_buff skb, struct net_device dev, struct packet_type *pt,
429	}	429	}
430		430
431	/* Remove any debris in the socket control block */	431	/* Remove any debris in the socket control block */
432	memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));	432	memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
433		433
434	return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,	434	return NF_HOOK(PF_INET, NF_IP_PRE_ROUTING, skb, dev, NULL,
435	ip_rcv_finish);	435	ip_rcv_finish);


diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index 9ccacf57f08b..85893eef6b16 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c
@@ -1578,6 +1578,7 @@ int ipmr_get_route(struct sk_buff skb, struct rtmsg rtm, int nowait)
1578	cache = ipmr_cache_find(rt->rt_src, rt->rt_dst);	1578	cache = ipmr_cache_find(rt->rt_src, rt->rt_dst);
1579		1579
1580	if (cache==NULL) {	1580	if (cache==NULL) {
		1581	struct sk_buff *skb2;
1581	struct net_device *dev;	1582	struct net_device *dev;
1582	int vif;	1583	int vif;
1583		1584
@@ -1591,12 +1592,18 @@ int ipmr_get_route(struct sk_buff skb, struct rtmsg rtm, int nowait)
1591	read_unlock(&mrt_lock);	1592	read_unlock(&mrt_lock);
1592	return -ENODEV;	1593	return -ENODEV;
1593	}	1594	}
1594	skb->nh.raw = skb_push(skb, sizeof(struct iphdr));	1595	skb2 = skb_clone(skb, GFP_ATOMIC);
1595	skb->nh.iph->ihl = sizeof(struct iphdr)>>2;	1596	if (!skb2) {
1596	skb->nh.iph->saddr = rt->rt_src;	1597	read_unlock(&mrt_lock);
1597	skb->nh.iph->daddr = rt->rt_dst;	1598	return -ENOMEM;
1598	skb->nh.iph->version = 0;	1599	}
1599	err = ipmr_cache_unresolved(vif, skb);	1600
		1601	skb2->nh.raw = skb_push(skb2, sizeof(struct iphdr));
		1602	skb2->nh.iph->ihl = sizeof(struct iphdr)>>2;
		1603	skb2->nh.iph->saddr = rt->rt_src;
		1604	skb2->nh.iph->daddr = rt->rt_dst;
		1605	skb2->nh.iph->version = 0;
		1606	err = ipmr_cache_unresolved(vif, skb2);
1600	read_unlock(&mrt_lock);	1607	read_unlock(&mrt_lock);
1601	return err;	1608	return err;
1602	}	1609	}


diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c index af35235672d5..9a39e2969712 100644 --- a/net/ipv4/netfilter/ip_conntrack_helper_h323.c +++ b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
@@ -1200,7 +1200,7 @@ static struct ip_conntrack_expect find_expect(struct ip_conntrack ct,
1200	tuple.dst.protonum = IPPROTO_TCP;	1200	tuple.dst.protonum = IPPROTO_TCP;
1201		1201
1202	exp = __ip_conntrack_expect_find(&tuple);	1202	exp = __ip_conntrack_expect_find(&tuple);
1203	if (exp->master == ct)	1203	if (exp && exp->master == ct)
1204	return exp;	1204	return exp;
1205	return NULL;	1205	return NULL;
1206	}	1206	}


diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c index 7bd3c22003a2..7a9fa04a467a 100644 --- a/net/ipv4/netfilter/ip_conntrack_standalone.c +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -534,6 +534,8 @@ static struct nf_hook_ops ip_conntrack_ops[] = {
534		534
535	/* Sysctl support */	535	/* Sysctl support */
536		536
		537	int ip_conntrack_checksum = 1;
		538
537	#ifdef CONFIG_SYSCTL	539	#ifdef CONFIG_SYSCTL
538		540
539	/* From ip_conntrack_core.c */	541	/* From ip_conntrack_core.c */
@@ -568,8 +570,6 @@ extern unsigned int ip_ct_generic_timeout;
568	static int log_invalid_proto_min = 0;	570	static int log_invalid_proto_min = 0;
569	static int log_invalid_proto_max = 255;	571	static int log_invalid_proto_max = 255;
570		572
571	int ip_conntrack_checksum = 1;
572
573	static struct ctl_table_header *ip_ct_sysctl_header;	573	static struct ctl_table_header *ip_ct_sysctl_header;
574		574
575	static ctl_table ip_ct_sysctl_table[] = {	575	static ctl_table ip_ct_sysctl_table[] = {


diff --git a/net/ipv4/netfilter/ip_nat_snmp_basic.c b/net/ipv4/netfilter/ip_nat_snmp_basic.c index 0b1b416759cc..18b7fbdccb61 100644 --- a/net/ipv4/netfilter/ip_nat_snmp_basic.c +++ b/net/ipv4/netfilter/ip_nat_snmp_basic.c
@@ -1255,9 +1255,9 @@ static int help(struct sk_buff **pskb,
1255	struct udphdr udph = (struct udphdr )((u_int32_t *)iph + iph->ihl);	1255	struct udphdr udph = (struct udphdr )((u_int32_t *)iph + iph->ihl);
1256		1256
1257	/* SNMP replies and originating SNMP traps get mangled */	1257	/* SNMP replies and originating SNMP traps get mangled */
1258	if (udph->source == ntohs(SNMP_PORT) && dir != IP_CT_DIR_REPLY)	1258	if (udph->source == htons(SNMP_PORT) && dir != IP_CT_DIR_REPLY)
1259	return NF_ACCEPT;	1259	return NF_ACCEPT;
1260	if (udph->dest == ntohs(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)	1260	if (udph->dest == htons(SNMP_TRAP_PORT) && dir != IP_CT_DIR_ORIGINAL)
1261	return NF_ACCEPT;	1261	return NF_ACCEPT;
1262		1262
1263	/* No NAT? */	1263	/* No NAT? */


diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index bd221ec3f81e..62b2762a2420 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c
@@ -609,6 +609,7 @@ static int raw_recvmsg(struct kiocb iocb, struct sock sk, struct msghdr *msg,
609	if (sin) {	609	if (sin) {
610	sin->sin_family = AF_INET;	610	sin->sin_family = AF_INET;
611	sin->sin_addr.s_addr = skb->nh.iph->saddr;	611	sin->sin_addr.s_addr = skb->nh.iph->saddr;
		612	sin->sin_port = 0;
612	memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));	613	memset(&sin->sin_zero, 0, sizeof(sin->sin_zero));
613	}	614	}
614	if (inet->cmsg_flags)	615	if (inet->cmsg_flags)


diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c index df8f051c0fce..25c2a9e03895 100644 --- a/net/ipv6/ip6_input.c +++ b/net/ipv6/ip6_input.c
@@ -71,6 +71,8 @@ int ipv6_rcv(struct sk_buff skb, struct net_device dev, struct packet_type *pt
71	goto out;	71	goto out;
72	}	72	}
73		73
		74	memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
		75
74	/*	76	/*
75	* Store incoming device index. When the packet will	77	* Store incoming device index. When the packet will
76	* be queued, we cannot refer to skb->dev anymore.	78	* be queued, we cannot refer to skb->dev anymore.


diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index fa1ce0ae123e..d57e61ce4a7d 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c
@@ -411,6 +411,7 @@ static int rawv6_recvmsg(struct kiocb iocb, struct sock sk,
411	/* Copy the address. */	411	/* Copy the address. */
412	if (sin6) {	412	if (sin6) {
413	sin6->sin6_family = AF_INET6;	413	sin6->sin6_family = AF_INET6;
		414	sin6->sin6_port = 0;
414	ipv6_addr_copy(&sin6->sin6_addr, &skb->nh.ipv6h->saddr);	415	ipv6_addr_copy(&sin6->sin6_addr, &skb->nh.ipv6h->saddr);
415	sin6->sin6_flowinfo = 0;	416	sin6->sin6_flowinfo = 0;
416	sin6->sin6_scope_id = 0;	417	sin6->sin6_scope_id = 0;


diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 42a178aa30f9..a9894ddfd72a 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -386,8 +386,8 @@ config NETFILTER_XT_MATCH_REALM
386	<file:Documentation/modules.txt>. If unsure, say `N'.	386	<file:Documentation/modules.txt>. If unsure, say `N'.
387		387
388	config NETFILTER_XT_MATCH_SCTP	388	config NETFILTER_XT_MATCH_SCTP
389	tristate '"sctp" protocol match support'	389	tristate '"sctp" protocol match support (EXPERIMENTAL)'
390	depends on NETFILTER_XTABLES	390	depends on NETFILTER_XTABLES && EXPERIMENTAL
391	help	391	help
392	With this option enabled, you will be able to use the	392	With this option enabled, you will be able to use the
393	`sctp' match in order to match on SCTP source/destination ports	393	`sctp' match in order to match on SCTP source/destination ports


diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 5fcab2ef231f..4ef836699962 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c
@@ -428,6 +428,8 @@ static struct file_operations ct_cpu_seq_fops = {
428		428
429	/* Sysctl support */	429	/* Sysctl support */
430		430
		431	int nf_conntrack_checksum = 1;
		432
431	#ifdef CONFIG_SYSCTL	433	#ifdef CONFIG_SYSCTL
432		434
433	/* From nf_conntrack_core.c */	435	/* From nf_conntrack_core.c */
@@ -459,8 +461,6 @@ extern unsigned int nf_ct_generic_timeout;
459	static int log_invalid_proto_min = 0;	461	static int log_invalid_proto_min = 0;
460	static int log_invalid_proto_max = 255;	462	static int log_invalid_proto_max = 255;
461		463
462	int nf_conntrack_checksum = 1;
463
464	static struct ctl_table_header *nf_ct_sysctl_header;	464	static struct ctl_table_header *nf_ct_sysctl_header;
465		465
466	static ctl_table nf_ct_sysctl_table[] = {	466	static ctl_table nf_ct_sysctl_table[] = {


diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c index bb6fcee452ca..662a869593bf 100644 --- a/net/netfilter/nf_queue.c +++ b/net/netfilter/nf_queue.c
@@ -219,21 +219,20 @@ void nf_reinject(struct sk_buff skb, struct nf_info info,
219		219
220	switch (verdict & NF_VERDICT_MASK) {	220	switch (verdict & NF_VERDICT_MASK) {
221	case NF_ACCEPT:	221	case NF_ACCEPT:
		222	case NF_STOP:
222	info->okfn(skb);	223	info->okfn(skb);
		224	case NF_STOLEN:
223	break;	225	break;
224
225	case NF_QUEUE:	226	case NF_QUEUE:
226	if (!nf_queue(&skb, elem, info->pf, info->hook,	227	if (!nf_queue(&skb, elem, info->pf, info->hook,
227	info->indev, info->outdev, info->okfn,	228	info->indev, info->outdev, info->okfn,
228	verdict >> NF_VERDICT_BITS))	229	verdict >> NF_VERDICT_BITS))
229	goto next_hook;	230	goto next_hook;
230	break;	231	break;
		232	default:
		233	kfree_skb(skb);
231	}	234	}
232	rcu_read_unlock();	235	rcu_read_unlock();
233
234	if (verdict == NF_DROP)
235	kfree_skb(skb);
236
237	kfree(info);	236	kfree(info);
238	return;	237	return;
239	}	238	}


diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c index 5fe4c9df17f5..a9f4f6f3c628 100644 --- a/net/netfilter/xt_physdev.c +++ b/net/netfilter/xt_physdev.c
@@ -113,6 +113,21 @@ checkentry(const char *tablename,
113	if (!(info->bitmask & XT_PHYSDEV_OP_MASK) \|\|	113	if (!(info->bitmask & XT_PHYSDEV_OP_MASK) \|\|
114	info->bitmask & ~XT_PHYSDEV_OP_MASK)	114	info->bitmask & ~XT_PHYSDEV_OP_MASK)
115	return 0;	115	return 0;
		116	if (brnf_deferred_hooks == 0 &&
		117	info->bitmask & XT_PHYSDEV_OP_OUT &&
		118	(!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) \|\|
		119	info->invert & XT_PHYSDEV_OP_BRIDGED) &&
		120	hook_mask & ((1 << NF_IP_LOCAL_OUT) \| (1 << NF_IP_FORWARD) \|
		121	(1 << NF_IP_POST_ROUTING))) {
		122	printk(KERN_WARNING "physdev match: using --physdev-out in the "
		123	"OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
		124	"traffic is deprecated and breaks other things, it will "
		125	"be removed in January 2007. See Documentation/"
		126	"feature-removal-schedule.txt for details. This doesn't "
		127	"affect you in case you're using it for purely bridged "
		128	"traffic.\n");
		129	brnf_deferred_hooks = 1;
		130	}
116	return 1;	131	return 1;
117	}	132	}
118		133


diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c index 3ac703b5cb8f..d2f5320a80bf 100644 --- a/net/netfilter/xt_pkttype.c +++ b/net/netfilter/xt_pkttype.c
@@ -9,6 +9,8 @@
9	#include <linux/skbuff.h>	9	#include <linux/skbuff.h>
10	#include <linux/if_ether.h>	10	#include <linux/if_ether.h>
11	#include <linux/if_packet.h>	11	#include <linux/if_packet.h>
		12	#include <linux/in.h>
		13	#include <linux/ip.h>
12		14
13	#include <linux/netfilter/xt_pkttype.h>	15	#include <linux/netfilter/xt_pkttype.h>
14	#include <linux/netfilter/x_tables.h>	16	#include <linux/netfilter/x_tables.h>
@@ -28,9 +30,17 @@ static int match(const struct sk_buff *skb,
28	unsigned int protoff,	30	unsigned int protoff,
29	int *hotdrop)	31	int *hotdrop)
30	{	32	{
		33	u_int8_t type;
31	const struct xt_pkttype_info *info = matchinfo;	34	const struct xt_pkttype_info *info = matchinfo;
32		35
33	return (skb->pkt_type == info->pkttype) ^ info->invert;	36	if (skb->pkt_type == PACKET_LOOPBACK)
		37	type = (MULTICAST(skb->nh.iph->daddr)
		38	? PACKET_MULTICAST
		39	: PACKET_BROADCAST);
		40	else
		41	type = skb->pkt_type;
		42
		43	return (type == info->pkttype) ^ info->invert;
34	}	44	}
35		45
36	static struct xt_match pkttype_match = {	46	static struct xt_match pkttype_match = {