Diffstat (limited to 'net')
-rw-r--r--net/bridge/br_netfilter.c32
-rw-r--r--net/bridge/br_stp.c2
-rw-r--r--net/bridge/br_stp_if.c3
-rw-r--r--net/bridge/netfilter/ebtables.c16
-rw-r--r--net/ipv4/inetpeer.c81
-rw-r--r--net/ipv4/route.c12
-rw-r--r--net/ipv4/tcp_input.c4
-rw-r--r--net/ipv6/addrconf.c4
-rw-r--r--net/netfilter/nf_conntrack_core.c8
-rw-r--r--net/netfilter/nf_conntrack_netlink.c3
-rw-r--r--net/openvswitch/actions.c44
-rw-r--r--net/openvswitch/datapath.c3
12 files changed, 164 insertions, 48 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 84122472656c..dec4f3817133 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -62,6 +62,15 @@ static int brnf_filter_pppoe_tagged __read_mostly = 0;
62#define brnf_filter_pppoe_tagged 0 62#define brnf_filter_pppoe_tagged 0
63#endif 63#endif
64 64
65#define IS_IP(skb) \
66 (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IP))
67
68#define IS_IPV6(skb) \
69 (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_IPV6))
70
71#define IS_ARP(skb) \
72 (!vlan_tx_tag_present(skb) && skb->protocol == htons(ETH_P_ARP))
73
65static inline __be16 vlan_proto(const struct sk_buff *skb) 74static inline __be16 vlan_proto(const struct sk_buff *skb)
66{ 75{
67 if (vlan_tx_tag_present(skb)) 76 if (vlan_tx_tag_present(skb))
@@ -639,8 +648,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
639 return NF_DROP; 648 return NF_DROP;
640 br = p->br; 649 br = p->br;
641 650
642 if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || 651 if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb)) {
643 IS_PPPOE_IPV6(skb)) {
644 if (!brnf_call_ip6tables && !br->nf_call_ip6tables) 652 if (!brnf_call_ip6tables && !br->nf_call_ip6tables)
645 return NF_ACCEPT; 653 return NF_ACCEPT;
646 654
@@ -651,8 +659,7 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
651 if (!brnf_call_iptables && !br->nf_call_iptables) 659 if (!brnf_call_iptables && !br->nf_call_iptables)
652 return NF_ACCEPT; 660 return NF_ACCEPT;
653 661
654 if (skb->protocol != htons(ETH_P_IP) && !IS_VLAN_IP(skb) && 662 if (!IS_IP(skb) && !IS_VLAN_IP(skb) && !IS_PPPOE_IP(skb))
655 !IS_PPPOE_IP(skb))
656 return NF_ACCEPT; 663 return NF_ACCEPT;
657 664
658 nf_bridge_pull_encap_header_rcsum(skb); 665 nf_bridge_pull_encap_header_rcsum(skb);
@@ -701,7 +708,7 @@ static int br_nf_forward_finish(struct sk_buff *skb)
701 struct nf_bridge_info *nf_bridge = skb->nf_bridge; 708 struct nf_bridge_info *nf_bridge = skb->nf_bridge;
702 struct net_device *in; 709 struct net_device *in;
703 710
704 if (skb->protocol != htons(ETH_P_ARP) && !IS_VLAN_ARP(skb)) { 711 if (!IS_ARP(skb) && !IS_VLAN_ARP(skb)) {
705 in = nf_bridge->physindev; 712 in = nf_bridge->physindev;
706 if (nf_bridge->mask & BRNF_PKT_TYPE) { 713 if (nf_bridge->mask & BRNF_PKT_TYPE) {
707 skb->pkt_type = PACKET_OTHERHOST; 714 skb->pkt_type = PACKET_OTHERHOST;
@@ -718,6 +725,7 @@ static int br_nf_forward_finish(struct sk_buff *skb)
718 return 0; 725 return 0;
719} 726}
720 727
728
721/* This is the 'purely bridged' case. For IP, we pass the packet to 729/* This is the 'purely bridged' case. For IP, we pass the packet to
722 * netfilter with indev and outdev set to the bridge device, 730 * netfilter with indev and outdev set to the bridge device,
723 * but we are still able to filter on the 'real' indev/outdev 731 * but we are still able to filter on the 'real' indev/outdev
@@ -744,11 +752,9 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
744 if (!parent) 752 if (!parent)
745 return NF_DROP; 753 return NF_DROP;
746 754
747 if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) || 755 if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
748 IS_PPPOE_IP(skb))
749 pf = PF_INET; 756 pf = PF_INET;
750 else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || 757 else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
751 IS_PPPOE_IPV6(skb))
752 pf = PF_INET6; 758 pf = PF_INET6;
753 else 759 else
754 return NF_ACCEPT; 760 return NF_ACCEPT;
@@ -795,7 +801,7 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
795 if (!brnf_call_arptables && !br->nf_call_arptables) 801 if (!brnf_call_arptables && !br->nf_call_arptables)
796 return NF_ACCEPT; 802 return NF_ACCEPT;
797 803
798 if (skb->protocol != htons(ETH_P_ARP)) { 804 if (!IS_ARP(skb)) {
799 if (!IS_VLAN_ARP(skb)) 805 if (!IS_VLAN_ARP(skb))
800 return NF_ACCEPT; 806 return NF_ACCEPT;
801 nf_bridge_pull_encap_header(skb); 807 nf_bridge_pull_encap_header(skb);
@@ -853,11 +859,9 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
853 if (!realoutdev) 859 if (!realoutdev)
854 return NF_DROP; 860 return NF_DROP;
855 861
856 if (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb) || 862 if (IS_IP(skb) || IS_VLAN_IP(skb) || IS_PPPOE_IP(skb))
857 IS_PPPOE_IP(skb))
858 pf = PF_INET; 863 pf = PF_INET;
859 else if (skb->protocol == htons(ETH_P_IPV6) || IS_VLAN_IPV6(skb) || 864 else if (IS_IPV6(skb) || IS_VLAN_IPV6(skb) || IS_PPPOE_IPV6(skb))
860 IS_PPPOE_IPV6(skb))
861 pf = PF_INET6; 865 pf = PF_INET6;
862 else 866 else
863 return NF_ACCEPT; 867 return NF_ACCEPT;
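Review bot: The new `IS_IP`, `IS_IPV6` and `IS_ARP` macros (new lines 65-72) have no comment saying why a frame with `vlan_tx_tag_present(skb)` set is excluded, yet that exclusion changes which frames reach the iptables, ip6tables and arptables paths in every caller touched below. A short comment above them would help, for example `/* Untagged frames only: a frame whose VLAN tag is carried in skb metadata must match IS_VLAN_*() instead */`. The IS_VLAN_* macros are defined outside this hunk; if they are where the VLAN filtering setting is applied, the comment should also say that tagged traffic is filtered only when that setting is on. Separately, the blank line added at new line 728 is an unrelated whitespace change and could be dropped.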
diff --git a/net/bridge/br_stp.c b/net/bridge/br_stp.c
index 6751ed4e0c07..8c836d96ba76 100644
--- a/net/bridge/br_stp.c
+++ b/net/bridge/br_stp.c
@@ -31,7 +31,7 @@ static const char *const br_port_state_names[] = {
31 31
32void br_log_state(const struct net_bridge_port *p) 32void br_log_state(const struct net_bridge_port *p)
33{ 33{
34 br_info(p->br, "port %u(%s) entering %s state\n", 34 br_info(p->br, "port %u(%s) entered %s state\n",
35 (unsigned) p->port_no, p->dev->name, 35 (unsigned) p->port_no, p->dev->name,
36 br_port_state_names[p->state]); 36 br_port_state_names[p->state]);
37} 37}
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 19308e305d85..f494496373d6 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -98,14 +98,13 @@ void br_stp_disable_port(struct net_bridge_port *p)
98 struct net_bridge *br = p->br; 98 struct net_bridge *br = p->br;
99 int wasroot; 99 int wasroot;
100 100
101 br_log_state(p);
102
103 wasroot = br_is_root_bridge(br); 101 wasroot = br_is_root_bridge(br);
104 br_become_designated_port(p); 102 br_become_designated_port(p);
105 p->state = BR_STATE_DISABLED; 103 p->state = BR_STATE_DISABLED;
106 p->topology_change_ack = 0; 104 p->topology_change_ack = 0;
107 p->config_pending = 0; 105 p->config_pending = 0;
108 106
107 br_log_state(p);
109 br_ifinfo_notify(RTM_NEWLINK, p); 108 br_ifinfo_notify(RTM_NEWLINK, p);
110 109
111 del_timer(&p->message_age_timer); 110 del_timer(&p->message_age_timer);
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 8aa4ad0e06af..5fe2ff3b01ef 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1335,7 +1335,12 @@ static inline int ebt_make_matchname(const struct ebt_entry_match *m,
1335 const char *base, char __user *ubase) 1335 const char *base, char __user *ubase)
1336{ 1336{
1337 char __user *hlp = ubase + ((char *)m - base); 1337 char __user *hlp = ubase + ((char *)m - base);
1338 if (copy_to_user(hlp, m->u.match->name, EBT_FUNCTION_MAXNAMELEN)) 1338 char name[EBT_FUNCTION_MAXNAMELEN] = {};
1339
1340 /* ebtables expects 32 bytes long names but xt_match names are 29 bytes
1341 long. Copy 29 bytes and fill remaining bytes with zeroes. */
1342 strncpy(name, m->u.match->name, sizeof(name));
1343 if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
1339 return -EFAULT; 1344 return -EFAULT;
1340 return 0; 1345 return 0;
1341} 1346}
@@ -1344,7 +1349,10 @@ static inline int ebt_make_watchername(const struct ebt_entry_watcher *w,
1344 const char *base, char __user *ubase) 1349 const char *base, char __user *ubase)
1345{ 1350{
1346 char __user *hlp = ubase + ((char *)w - base); 1351 char __user *hlp = ubase + ((char *)w - base);
1347 if (copy_to_user(hlp , w->u.watcher->name, EBT_FUNCTION_MAXNAMELEN)) 1352 char name[EBT_FUNCTION_MAXNAMELEN] = {};
1353
1354 strncpy(name, w->u.watcher->name, sizeof(name));
1355 if (copy_to_user(hlp , name, EBT_FUNCTION_MAXNAMELEN))
1348 return -EFAULT; 1356 return -EFAULT;
1349 return 0; 1357 return 0;
1350} 1358}
@@ -1355,6 +1363,7 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
1355 int ret; 1363 int ret;
1356 char __user *hlp; 1364 char __user *hlp;
1357 const struct ebt_entry_target *t; 1365 const struct ebt_entry_target *t;
1366 char name[EBT_FUNCTION_MAXNAMELEN] = {};
1358 1367
1359 if (e->bitmask == 0) 1368 if (e->bitmask == 0)
1360 return 0; 1369 return 0;
@@ -1368,7 +1377,8 @@ ebt_make_names(struct ebt_entry *e, const char *base, char __user *ubase)
1368 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase); 1377 ret = EBT_WATCHER_ITERATE(e, ebt_make_watchername, base, ubase);
1369 if (ret != 0) 1378 if (ret != 0)
1370 return ret; 1379 return ret;
1371 if (copy_to_user(hlp, t->u.target->name, EBT_FUNCTION_MAXNAMELEN)) 1380 strncpy(name, t->u.target->name, sizeof(name));
1381 if (copy_to_user(hlp, name, EBT_FUNCTION_MAXNAMELEN))
1372 return -EFAULT; 1382 return -EFAULT;
1373 return 0; 1383 return 0;
1374} 1384}
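Review bot: In `ebt_make_matchname`, `strncpy(name, m->u.match->name, sizeof(name))` bounds the copy by the destination size, while the comment directly above says the source name is 29 bytes long and that 29 bytes are copied. The read stays inside the source field only if that name is NUL-terminated within its own length; a name that fills the whole field would let `strncpy` read past it and hand adjacent kernel bytes to user space, which appears to be the exposure this change is meant to close. Bounding by the source makes code and comment agree, e.g. `strncpy(name, m->u.match->name, sizeof(m->u.match->name));`, assuming `name` is an array member there (its declaration is not in this diff). The same applies to the `strncpy` calls in `ebt_make_watchername` and `ebt_make_names`.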
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index bf4a9c4808e1..d4d61b694fab 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -17,6 +17,7 @@
17#include <linux/kernel.h> 17#include <linux/kernel.h>
18#include <linux/mm.h> 18#include <linux/mm.h>
19#include <linux/net.h> 19#include <linux/net.h>
20#include <linux/workqueue.h>
20#include <net/ip.h> 21#include <net/ip.h>
21#include <net/inetpeer.h> 22#include <net/inetpeer.h>
22#include <net/secure_seq.h> 23#include <net/secure_seq.h>
@@ -66,6 +67,11 @@
66 67
67static struct kmem_cache *peer_cachep __read_mostly; 68static struct kmem_cache *peer_cachep __read_mostly;
68 69
70static LIST_HEAD(gc_list);
71static const int gc_delay = 60 * HZ;
72static struct delayed_work gc_work;
73static DEFINE_SPINLOCK(gc_lock);
74
69#define node_height(x) x->avl_height 75#define node_height(x) x->avl_height
70 76
71#define peer_avl_empty ((struct inet_peer *)&peer_fake_node) 77#define peer_avl_empty ((struct inet_peer *)&peer_fake_node)
@@ -102,6 +108,50 @@ int inet_peer_threshold __read_mostly = 65536 + 128; /* start to throw entries m
102int inet_peer_minttl __read_mostly = 120 * HZ; /* TTL under high load: 120 sec */ 108int inet_peer_minttl __read_mostly = 120 * HZ; /* TTL under high load: 120 sec */
103int inet_peer_maxttl __read_mostly = 10 * 60 * HZ; /* usual time to live: 10 min */ 109int inet_peer_maxttl __read_mostly = 10 * 60 * HZ; /* usual time to live: 10 min */
104 110
111static void inetpeer_gc_worker(struct work_struct *work)
112{
113 struct inet_peer *p, *n;
114 LIST_HEAD(list);
115
116 spin_lock_bh(&gc_lock);
117 list_replace_init(&gc_list, &list);
118 spin_unlock_bh(&gc_lock);
119
120 if (list_empty(&list))
121 return;
122
123 list_for_each_entry_safe(p, n, &list, gc_list) {
124
125 if(need_resched())
126 cond_resched();
127
128 if (p->avl_left != peer_avl_empty) {
129 list_add_tail(&p->avl_left->gc_list, &list);
130 p->avl_left = peer_avl_empty;
131 }
132
133 if (p->avl_right != peer_avl_empty) {
134 list_add_tail(&p->avl_right->gc_list, &list);
135 p->avl_right = peer_avl_empty;
136 }
137
138 n = list_entry(p->gc_list.next, struct inet_peer, gc_list);
139
140 if (!atomic_read(&p->refcnt)) {
141 list_del(&p->gc_list);
142 kmem_cache_free(peer_cachep, p);
143 }
144 }
145
146 if (list_empty(&list))
147 return;
148
149 spin_lock_bh(&gc_lock);
150 list_splice(&list, &gc_list);
151 spin_unlock_bh(&gc_lock);
152
153 schedule_delayed_work(&gc_work, gc_delay);
154}
105 155
106/* Called from ip_output.c:ip_init */ 156/* Called from ip_output.c:ip_init */
107void __init inet_initpeers(void) 157void __init inet_initpeers(void)
@@ -126,6 +176,7 @@ void __init inet_initpeers(void)
126 0, SLAB_HWCACHE_ALIGN | SLAB_PANIC, 176 0, SLAB_HWCACHE_ALIGN | SLAB_PANIC,
127 NULL); 177 NULL);
128 178
179 INIT_DELAYED_WORK_DEFERRABLE(&gc_work, inetpeer_gc_worker);
129} 180}
130 181
131static int addr_compare(const struct inetpeer_addr *a, 182static int addr_compare(const struct inetpeer_addr *a,
@@ -447,9 +498,8 @@ relookup:
447 p->rate_last = 0; 498 p->rate_last = 0;
448 p->pmtu_expires = 0; 499 p->pmtu_expires = 0;
449 p->pmtu_orig = 0; 500 p->pmtu_orig = 0;
450 p->redirect_genid = 0;
451 memset(&p->redirect_learned, 0, sizeof(p->redirect_learned)); 501 memset(&p->redirect_learned, 0, sizeof(p->redirect_learned));
452 502 INIT_LIST_HEAD(&p->gc_list);
453 503
454 /* Link the node. */ 504 /* Link the node. */
455 link_to_pool(p, base); 505 link_to_pool(p, base);
@@ -509,3 +559,30 @@ bool inet_peer_xrlim_allow(struct inet_peer *peer, int timeout)
509 return rc; 559 return rc;
510} 560}
511EXPORT_SYMBOL(inet_peer_xrlim_allow); 561EXPORT_SYMBOL(inet_peer_xrlim_allow);
562
563void inetpeer_invalidate_tree(int family)
564{
565 struct inet_peer *old, *new, *prev;
566 struct inet_peer_base *base = family_to_base(family);
567
568 write_seqlock_bh(&base->lock);
569
570 old = base->root;
571 if (old == peer_avl_empty_rcu)
572 goto out;
573
574 new = peer_avl_empty_rcu;
575
576 prev = cmpxchg(&base->root, old, new);
577 if (prev == old) {
578 base->total = 0;
579 spin_lock(&gc_lock);
580 list_add_tail(&prev->gc_list, &gc_list);
581 spin_unlock(&gc_lock);
582 schedule_delayed_work(&gc_work, gc_delay);
583 }
584
585out:
586 write_sequnlock_bh(&base->lock);
587}
588EXPORT_SYMBOL(inetpeer_invalidate_tree);
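Review bot: `inetpeer_gc_worker` frees a node as soon as `atomic_read(&p->refcnt)` reads zero, and nothing in the hunk says what stops a concurrent lookup that still holds a pointer into the unlinked tree from touching that node. The 60 second `gc_delay` looks like the intended grace period, but `schedule_delayed_work()` does not re-arm work that is already pending, so a tree queued by a second `inetpeer_invalidate_tree()` call shortly before the timer fires is walked almost immediately after being unlinked. If lookups outside this diff traverse the tree without holding `base->lock`, the free should wait for an RCU grace period rather than rely on the delay; at minimum the worker needs a comment stating the lifetime rule, e.g. `/* nodes here are unreachable from base->root; refcnt == 0 means no user still holds the peer */`. Minor: `if(need_resched()) cond_resched();` can be just `cond_resched();`.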
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 0489cedc1671..815989b90dea 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -132,7 +132,6 @@ static int ip_rt_mtu_expires __read_mostly = 10 * 60 * HZ;
132static int ip_rt_min_pmtu __read_mostly = 512 + 20 + 20; 132static int ip_rt_min_pmtu __read_mostly = 512 + 20 + 20;
133static int ip_rt_min_advmss __read_mostly = 256; 133static int ip_rt_min_advmss __read_mostly = 256;
134static int rt_chain_length_max __read_mostly = 20; 134static int rt_chain_length_max __read_mostly = 20;
135static int redirect_genid;
136 135
137static struct delayed_work expires_work; 136static struct delayed_work expires_work;
138static unsigned long expires_ljiffies; 137static unsigned long expires_ljiffies;
@@ -937,7 +936,7 @@ static void rt_cache_invalidate(struct net *net)
937 936
938 get_random_bytes(&shuffle, sizeof(shuffle)); 937 get_random_bytes(&shuffle, sizeof(shuffle));
939 atomic_add(shuffle + 1U, &net->ipv4.rt_genid); 938 atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
940 redirect_genid++; 939 inetpeer_invalidate_tree(AF_INET);
941} 940}
942 941
943/* 942/*
@@ -1490,10 +1489,8 @@ void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw,
1490 1489
1491 peer = rt->peer; 1490 peer = rt->peer;
1492 if (peer) { 1491 if (peer) {
1493 if (peer->redirect_learned.a4 != new_gw || 1492 if (peer->redirect_learned.a4 != new_gw) {
1494 peer->redirect_genid != redirect_genid) {
1495 peer->redirect_learned.a4 = new_gw; 1493 peer->redirect_learned.a4 = new_gw;
1496 peer->redirect_genid = redirect_genid;
1497 atomic_inc(&__rt_peer_genid); 1494 atomic_inc(&__rt_peer_genid);
1498 } 1495 }
1499 check_peer_redir(&rt->dst, peer); 1496 check_peer_redir(&rt->dst, peer);
@@ -1798,8 +1795,6 @@ static void ipv4_validate_peer(struct rtable *rt)
1798 if (peer) { 1795 if (peer) {
1799 check_peer_pmtu(&rt->dst, peer); 1796 check_peer_pmtu(&rt->dst, peer);
1800 1797
1801 if (peer->redirect_genid != redirect_genid)
1802 peer->redirect_learned.a4 = 0;
1803 if (peer->redirect_learned.a4 && 1798 if (peer->redirect_learned.a4 &&
1804 peer->redirect_learned.a4 != rt->rt_gateway) 1799 peer->redirect_learned.a4 != rt->rt_gateway)
1805 check_peer_redir(&rt->dst, peer); 1800 check_peer_redir(&rt->dst, peer);
@@ -1963,8 +1958,7 @@ static void rt_init_metrics(struct rtable *rt, const struct flowi4 *fl4,
1963 dst_init_metrics(&rt->dst, peer->metrics, false); 1958 dst_init_metrics(&rt->dst, peer->metrics, false);
1964 1959
1965 check_peer_pmtu(&rt->dst, peer); 1960 check_peer_pmtu(&rt->dst, peer);
1966 if (peer->redirect_genid != redirect_genid) 1961
1967 peer->redirect_learned.a4 = 0;
1968 if (peer->redirect_learned.a4 && 1962 if (peer->redirect_learned.a4 &&
1969 peer->redirect_learned.a4 != rt->rt_gateway) { 1963 peer->redirect_learned.a4 != rt->rt_gateway) {
1970 rt->rt_gateway = peer->redirect_learned.a4; 1964 rt->rt_gateway = peer->redirect_learned.a4;
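Review bot: The new `inetpeer_invalidate_tree(AF_INET)` call in `rt_cache_invalidate` discards the whole IPv4 peer tree, not only learned redirects, and the call carries no comment saying so. Going by the fields initialised in the inetpeer.c hunk (`pmtu_expires`, `rate_last`), per-peer PMTU and rate-limit state is reset on every cache invalidation as well, so anything that can trigger an invalidation can also reset those; worth confirming that is intended. A one-line comment such as `/* also drops all cached IPv4 inetpeer state (redirects, PMTU, rate limits) */` would make the side effect visible. `rt_cache_invalidate` starts outside the hunk.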
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index d9b83d198c3d..b5e315f13641 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1585,6 +1585,10 @@ static struct sk_buff *tcp_shift_skb_data(struct sock *sk, struct sk_buff *skb,
1585 } 1585 }
1586 } 1586 }
1587 1587
1588 /* tcp_sacktag_one() won't SACK-tag ranges below snd_una */
1589 if (!after(TCP_SKB_CB(skb)->seq + len, tp->snd_una))
1590 goto fallback;
1591
1588 if (!skb_shift(prev, skb, len)) 1592 if (!skb_shift(prev, skb, len))
1589 goto fallback; 1593 goto fallback;
1590 if (!tcp_shifted_skb(sk, skb, state, pcount, len, mss, dup_sack)) 1594 if (!tcp_shifted_skb(sk, skb, state, pcount, len, mss, dup_sack))
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index c02280a4d126..6b8ebc5da0e1 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -434,6 +434,10 @@ static struct inet6_dev * ipv6_add_dev(struct net_device *dev)
434 /* Join all-node multicast group */ 434 /* Join all-node multicast group */
435 ipv6_dev_mc_inc(dev, &in6addr_linklocal_allnodes); 435 ipv6_dev_mc_inc(dev, &in6addr_linklocal_allnodes);
436 436
437 /* Join all-router multicast group if forwarding is set */
438 if (ndev->cnf.forwarding && dev && (dev->flags & IFF_MULTICAST))
439 ipv6_dev_mc_inc(dev, &in6addr_linklocal_allrouters);
440
437 return ndev; 441 return ndev;
438} 442}
439 443
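Review bot: The `dev &&` test in the added condition is redundant and misleading, because `dev` has already been passed to `ipv6_dev_mc_inc(dev, &in6addr_linklocal_allnodes)` two lines earlier; it reads as if `dev` could be NULL at this point. I would write `if (ndev->cnf.forwarding && (dev->flags & IFF_MULTICAST))`. The return value of the new `ipv6_dev_mc_inc()` call is ignored, as it is for the all-nodes join above; if the join can fail, a forwarding host would silently miss all-routers traffic, so a comment or a log line on failure would help. `ipv6_add_dev` starts outside the hunk.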
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 81e2aa4ca1fe..7b48035826ee 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -636,8 +636,12 @@ static noinline int early_drop(struct net *net, unsigned int hash)
636 636
637 if (del_timer(&ct->timeout)) { 637 if (del_timer(&ct->timeout)) {
638 death_by_timeout((unsigned long)ct); 638 death_by_timeout((unsigned long)ct);
639 dropped = 1; 639 /* Check if we indeed killed this entry. Reliable event
640 NF_CT_STAT_INC_ATOMIC(net, early_drop); 640 delivery may have inserted it into the dying list. */
641 if (test_bit(IPS_DYING_BIT, &ct->status)) {
642 dropped = 1;
643 NF_CT_STAT_INC_ATOMIC(net, early_drop);
644 }
641 } 645 }
642 nf_ct_put(ct); 646 nf_ct_put(ct);
643 return dropped; 647 return dropped;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c1ea64c6c70d..2124977ac31d 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1084,16 +1084,13 @@ ctnetlink_parse_nat_setup(struct nf_conn *ct,
1084 if (!parse_nat_setup) { 1084 if (!parse_nat_setup) {
1085#ifdef CONFIG_MODULES 1085#ifdef CONFIG_MODULES
1086 rcu_read_unlock(); 1086 rcu_read_unlock();
1087 spin_unlock_bh(&nf_conntrack_lock);
1088 nfnl_unlock(); 1087 nfnl_unlock();
1089 if (request_module("nf-nat-ipv4") < 0) { 1088 if (request_module("nf-nat-ipv4") < 0) {
1090 nfnl_lock(); 1089 nfnl_lock();
1091 spin_lock_bh(&nf_conntrack_lock);
1092 rcu_read_lock(); 1090 rcu_read_lock();
1093 return -EOPNOTSUPP; 1091 return -EOPNOTSUPP;
1094 } 1092 }
1095 nfnl_lock(); 1093 nfnl_lock();
1096 spin_lock_bh(&nf_conntrack_lock);
1097 rcu_read_lock(); 1094 rcu_read_lock();
1098 if (nfnetlink_parse_nat_setup_hook) 1095 if (nfnetlink_parse_nat_setup_hook)
1099 return -EAGAIN; 1096 return -EAGAIN;
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index 2725d1bdf291..48badffaafc1 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -1,5 +1,5 @@
1/* 1/*
2 * Copyright (c) 2007-2011 Nicira Networks. 2 * Copyright (c) 2007-2012 Nicira Networks.
3 * 3 *
4 * This program is free software; you can redistribute it and/or 4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of version 2 of the GNU General Public 5 * modify it under the terms of version 2 of the GNU General Public
@@ -145,9 +145,16 @@ static void set_ip_addr(struct sk_buff *skb, struct iphdr *nh,
145 inet_proto_csum_replace4(&tcp_hdr(skb)->check, skb, 145 inet_proto_csum_replace4(&tcp_hdr(skb)->check, skb,
146 *addr, new_addr, 1); 146 *addr, new_addr, 1);
147 } else if (nh->protocol == IPPROTO_UDP) { 147 } else if (nh->protocol == IPPROTO_UDP) {
148 if (likely(transport_len >= sizeof(struct udphdr))) 148 if (likely(transport_len >= sizeof(struct udphdr))) {
149 inet_proto_csum_replace4(&udp_hdr(skb)->check, skb, 149 struct udphdr *uh = udp_hdr(skb);
150 *addr, new_addr, 1); 150
151 if (uh->check || skb->ip_summed == CHECKSUM_PARTIAL) {
152 inet_proto_csum_replace4(&uh->check, skb,
153 *addr, new_addr, 1);
154 if (!uh->check)
155 uh->check = CSUM_MANGLED_0;
156 }
157 }
151 } 158 }
152 159
153 csum_replace4(&nh->check, *addr, new_addr); 160 csum_replace4(&nh->check, *addr, new_addr);
@@ -197,8 +204,22 @@ static void set_tp_port(struct sk_buff *skb, __be16 *port,
197 skb->rxhash = 0; 204 skb->rxhash = 0;
198} 205}
199 206
200static int set_udp_port(struct sk_buff *skb, 207static void set_udp_port(struct sk_buff *skb, __be16 *port, __be16 new_port)
201 const struct ovs_key_udp *udp_port_key) 208{
209 struct udphdr *uh = udp_hdr(skb);
210
211 if (uh->check && skb->ip_summed != CHECKSUM_PARTIAL) {
212 set_tp_port(skb, port, new_port, &uh->check);
213
214 if (!uh->check)
215 uh->check = CSUM_MANGLED_0;
216 } else {
217 *port = new_port;
218 skb->rxhash = 0;
219 }
220}
221
222static int set_udp(struct sk_buff *skb, const struct ovs_key_udp *udp_port_key)
202{ 223{
203 struct udphdr *uh; 224 struct udphdr *uh;
204 int err; 225 int err;
@@ -210,16 +231,15 @@ static int set_udp_port(struct sk_buff *skb,
210 231
211 uh = udp_hdr(skb); 232 uh = udp_hdr(skb);
212 if (udp_port_key->udp_src != uh->source) 233 if (udp_port_key->udp_src != uh->source)
213 set_tp_port(skb, &uh->source, udp_port_key->udp_src, &uh->check); 234 set_udp_port(skb, &uh->source, udp_port_key->udp_src);
214 235
215 if (udp_port_key->udp_dst != uh->dest) 236 if (udp_port_key->udp_dst != uh->dest)
216 set_tp_port(skb, &uh->dest, udp_port_key->udp_dst, &uh->check); 237 set_udp_port(skb, &uh->dest, udp_port_key->udp_dst);
217 238
218 return 0; 239 return 0;
219} 240}
220 241
221static int set_tcp_port(struct sk_buff *skb, 242static int set_tcp(struct sk_buff *skb, const struct ovs_key_tcp *tcp_port_key)
222 const struct ovs_key_tcp *tcp_port_key)
223{ 243{
224 struct tcphdr *th; 244 struct tcphdr *th;
225 int err; 245 int err;
@@ -328,11 +348,11 @@ static int execute_set_action(struct sk_buff *skb,
328 break; 348 break;
329 349
330 case OVS_KEY_ATTR_TCP: 350 case OVS_KEY_ATTR_TCP:
331 err = set_tcp_port(skb, nla_data(nested_attr)); 351 err = set_tcp(skb, nla_data(nested_attr));
332 break; 352 break;
333 353
334 case OVS_KEY_ATTR_UDP: 354 case OVS_KEY_ATTR_UDP:
335 err = set_udp_port(skb, nla_data(nested_attr)); 355 err = set_udp(skb, nla_data(nested_attr));
336 break; 356 break;
337 } 357 }
338 358
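Review bot: `set_udp_port` and the UDP branch of `set_ip_addr` use different conditions (`uh->check && skb->ip_summed != CHECKSUM_PARTIAL` versus `uh->check || skb->ip_summed == CHECKSUM_PARTIAL`) and neither has a comment explaining why. A reader has to know that a zero UDP checksum means none was sent, and that, presumably, under CHECKSUM_PARTIAL the field holds only the pseudo-header sum, which covers the addresses but not the ports. I would add above `set_udp_port` something like `/* Zero means no checksum was sent; under CHECKSUM_PARTIAL the field does not cover the ports yet, so just rewrite the port */`, with a matching line in `set_ip_addr`. Also, `set_udp_port` now names a helper with a different signature from the function it replaces, which can confuse later backports. `set_ip_addr` starts outside the hunk.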
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index ce64c18b8c79..2c030505b335 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1521,6 +1521,9 @@ static struct vport *lookup_vport(struct ovs_header *ovs_header,
1521 vport = ovs_vport_locate(nla_data(a[OVS_VPORT_ATTR_NAME])); 1521 vport = ovs_vport_locate(nla_data(a[OVS_VPORT_ATTR_NAME]));
1522 if (!vport) 1522 if (!vport)
1523 return ERR_PTR(-ENODEV); 1523 return ERR_PTR(-ENODEV);
1524 if (ovs_header->dp_ifindex &&
1525 ovs_header->dp_ifindex != get_dpifindex(vport->dp))
1526 return ERR_PTR(-ENODEV);
1524 return vport; 1527 return vport;
1525 } else if (a[OVS_VPORT_ATTR_PORT_NO]) { 1528 } else if (a[OVS_VPORT_ATTR_PORT_NO]) {
1526 u32 port_no = nla_get_u32(a[OVS_VPORT_ATTR_PORT_NO]); 1529 u32 port_no = nla_get_u32(a[OVS_VPORT_ATTR_PORT_NO]);
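Review bot: The added check treats `ovs_header->dp_ifindex == 0` as "any datapath" and skips the ownership test in that case, but nothing in the hunk documents that. This check is what stops a request addressed to one datapath from resolving, by name, a vport that belongs to another, so the wildcard deserves a comment, e.g. `/* dp_ifindex 0 matches any datapath; otherwise the named vport must belong to it */`. Returning `-ENODEV` for a mismatch, the same error as for an unknown name, looks deliberate, and the comment could confirm it. `lookup_vport` starts and ends outside the hunk.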