16 files changed, 76 insertions, 258 deletions

diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
index c54edd76de..35e5f59990 100644
--- a/net/ipv4/Makefile
+++ b/net/ipv4/Makefile
@@ -9,7 +9,7 @@ obj-y     := route.o inetpeer.o protocol.o \
              tcp.o tcp_input.o tcp_output.o tcp_timer.o tcp_ipv4.o \
              tcp_minisocks.o tcp_cong.o \
              datagram.o raw.o udp.o arp.o icmp.o devinet.o af_inet.o igmp.o \
-             sysctl_net_ipv4.o fib_frontend.o fib_semantics.o netfilter.o
+             sysctl_net_ipv4.o fib_frontend.o fib_semantics.o
 
 obj-$(CONFIG_IP_FIB_HASH) += fib_hash.o
 obj-$(CONFIG_IP_FIB_TRIE) += fib_trie.o
@@ -28,7 +28,7 @@ obj-$(CONFIG_IP_ROUTE_MULTIPATH_RR) += multipath_rr.o
 obj-$(CONFIG_IP_ROUTE_MULTIPATH_RANDOM) += multipath_random.o
 obj-$(CONFIG_IP_ROUTE_MULTIPATH_WRANDOM) += multipath_wrandom.o
 obj-$(CONFIG_IP_ROUTE_MULTIPATH_DRR) += multipath_drr.o
-obj-$(CONFIG_NETFILTER) += netfilter/
+obj-$(CONFIG_NETFILTER) += netfilter.o netfilter/
 obj-$(CONFIG_IP_VS) += ipvs/
 obj-$(CONFIG_INET_DIAG) += inet_diag.o 
 obj-$(CONFIG_IP_ROUTE_MULTIPATH_CACHED) += multipath.o
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 3321092b09..52a3d7c579 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -1,16 +1,8 @@
 /* IPv4 specific functions of netfilter core */
-
-#include <linux/config.h>
-#ifdef CONFIG_NETFILTER
-
 #include <linux/kernel.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
-
 #include <linux/ip.h>
-#include <linux/tcp.h>
-#include <linux/udp.h>
-#include <linux/icmp.h>
 #include <net/route.h>
 #include <net/xfrm.h>
 #include <net/ip.h>
@@ -146,5 +138,3 @@ static void fini(void)
 
 module_init(init);
 module_exit(fini);
-
-#endif /* CONFIG_NETFILTER */
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_generic.c b/net/ipv4/netfilter/ip_conntrack_proto_generic.c
index 88c3712bd2..f891308b5e 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_generic.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_generic.c
@@ -12,7 +12,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
 
-unsigned long ip_ct_generic_timeout = 600*HZ;
+unsigned int ip_ct_generic_timeout = 600*HZ;
 
 static int generic_pkt_to_tuple(const struct sk_buff *skb,
                                 unsigned int dataoff,
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
index 30fc21d616..f2a90e2743 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
@@ -22,7 +22,7 @@
 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
 
-unsigned long ip_ct_icmp_timeout = 30*HZ;
+unsigned int ip_ct_icmp_timeout = 30*HZ;
 
 #if 0
 #define DEBUGP printk
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
index 0b25050981..be602e8aea 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -58,15 +58,15 @@ static const char *sctp_conntrack_names[] = {
 #define HOURS * 60 MINS
 #define DAYS  * 24 HOURS
 
-static unsigned long ip_ct_sctp_timeout_closed            =  10 SECS;
-static unsigned long ip_ct_sctp_timeout_cookie_wait       =   3 SECS;
-static unsigned long ip_ct_sctp_timeout_cookie_echoed     =   3 SECS;
-static unsigned long ip_ct_sctp_timeout_established       =   5 DAYS;
-static unsigned long ip_ct_sctp_timeout_shutdown_sent     = 300 SECS / 1000;
-static unsigned long ip_ct_sctp_timeout_shutdown_recd     = 300 SECS / 1000;
-static unsigned long ip_ct_sctp_timeout_shutdown_ack_sent =   3 SECS;
-
-static const unsigned long * sctp_timeouts[]
+static unsigned int ip_ct_sctp_timeout_closed            =  10 SECS;
+static unsigned int ip_ct_sctp_timeout_cookie_wait       =   3 SECS;
+static unsigned int ip_ct_sctp_timeout_cookie_echoed     =   3 SECS;
+static unsigned int ip_ct_sctp_timeout_established       =   5 DAYS;
+static unsigned int ip_ct_sctp_timeout_shutdown_sent     = 300 SECS / 1000;
+static unsigned int ip_ct_sctp_timeout_shutdown_recd     = 300 SECS / 1000;
+static unsigned int ip_ct_sctp_timeout_shutdown_ack_sent =   3 SECS;
+
+static const unsigned int * sctp_timeouts[]
 = { NULL,                                  /* SCTP_CONNTRACK_NONE  */
     &ip_ct_sctp_timeout_closed,            /* SCTP_CONNTRACK_CLOSED */
     &ip_ct_sctp_timeout_cookie_wait,       /* SCTP_CONNTRACK_COOKIE_WAIT */
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index 77f304680d..ea2b39c180 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -85,21 +85,21 @@ static const char *tcp_conntrack_names[] = {
 #define HOURS * 60 MINS
 #define DAYS * 24 HOURS
 
-unsigned long ip_ct_tcp_timeout_syn_sent =      2 MINS;
-unsigned long ip_ct_tcp_timeout_syn_recv =     60 SECS;
-unsigned long ip_ct_tcp_timeout_established =   5 DAYS;
-unsigned long ip_ct_tcp_timeout_fin_wait =      2 MINS;
-unsigned long ip_ct_tcp_timeout_close_wait =   60 SECS;
-unsigned long ip_ct_tcp_timeout_last_ack =     30 SECS;
-unsigned long ip_ct_tcp_timeout_time_wait =     2 MINS;
-unsigned long ip_ct_tcp_timeout_close =        10 SECS;
+unsigned int ip_ct_tcp_timeout_syn_sent =      2 MINS;
+unsigned int ip_ct_tcp_timeout_syn_recv =     60 SECS;
+unsigned int ip_ct_tcp_timeout_established =   5 DAYS;
+unsigned int ip_ct_tcp_timeout_fin_wait =      2 MINS;
+unsigned int ip_ct_tcp_timeout_close_wait =   60 SECS;
+unsigned int ip_ct_tcp_timeout_last_ack =     30 SECS;
+unsigned int ip_ct_tcp_timeout_time_wait =     2 MINS;
+unsigned int ip_ct_tcp_timeout_close =        10 SECS;
 
 /* RFC1122 says the R2 limit should be at least 100 seconds.
    Linux uses 15 packets as limit, which corresponds 
    to ~13-30min depending on RTO. */
-unsigned long ip_ct_tcp_timeout_max_retrans =     5 MINS;
+unsigned int ip_ct_tcp_timeout_max_retrans =     5 MINS;
  
-static const unsigned long * tcp_timeouts[]
+static const unsigned int * tcp_timeouts[]
 = { NULL,                              /*      TCP_CONNTRACK_NONE */
     &ip_ct_tcp_timeout_syn_sent,       /*      TCP_CONNTRACK_SYN_SENT, */
     &ip_ct_tcp_timeout_syn_recv,       /*      TCP_CONNTRACK_SYN_RECV, */
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_udp.c b/net/ipv4/netfilter/ip_conntrack_proto_udp.c
index 46becbe4fe..004003fd61 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_udp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_udp.c
@@ -19,8 +19,8 @@
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
 
-unsigned long ip_ct_udp_timeout = 30*HZ;
-unsigned long ip_ct_udp_timeout_stream = 180*HZ;
+unsigned int ip_ct_udp_timeout = 30*HZ;
+unsigned int ip_ct_udp_timeout_stream = 180*HZ;
 
 static int udp_pkt_to_tuple(const struct sk_buff *skb,
                              unsigned int dataoff,
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 7ba97783e7..9dec1293f6 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -544,28 +544,28 @@ extern int ip_conntrack_max;
 extern unsigned int ip_conntrack_htable_size;
 
 /* From ip_conntrack_proto_tcp.c */
-extern unsigned long ip_ct_tcp_timeout_syn_sent;
-extern unsigned long ip_ct_tcp_timeout_syn_recv;
-extern unsigned long ip_ct_tcp_timeout_established;
-extern unsigned long ip_ct_tcp_timeout_fin_wait;
-extern unsigned long ip_ct_tcp_timeout_close_wait;
-extern unsigned long ip_ct_tcp_timeout_last_ack;
-extern unsigned long ip_ct_tcp_timeout_time_wait;
-extern unsigned long ip_ct_tcp_timeout_close;
-extern unsigned long ip_ct_tcp_timeout_max_retrans;
+extern unsigned int ip_ct_tcp_timeout_syn_sent;
+extern unsigned int ip_ct_tcp_timeout_syn_recv;
+extern unsigned int ip_ct_tcp_timeout_established;
+extern unsigned int ip_ct_tcp_timeout_fin_wait;
+extern unsigned int ip_ct_tcp_timeout_close_wait;
+extern unsigned int ip_ct_tcp_timeout_last_ack;
+extern unsigned int ip_ct_tcp_timeout_time_wait;
+extern unsigned int ip_ct_tcp_timeout_close;
+extern unsigned int ip_ct_tcp_timeout_max_retrans;
 extern int ip_ct_tcp_loose;
 extern int ip_ct_tcp_be_liberal;
 extern int ip_ct_tcp_max_retrans;
 
 /* From ip_conntrack_proto_udp.c */
-extern unsigned long ip_ct_udp_timeout;
-extern unsigned long ip_ct_udp_timeout_stream;
+extern unsigned int ip_ct_udp_timeout;
+extern unsigned int ip_ct_udp_timeout_stream;
 
 /* From ip_conntrack_proto_icmp.c */
-extern unsigned long ip_ct_icmp_timeout;
+extern unsigned int ip_ct_icmp_timeout;
 
 /* From ip_conntrack_proto_icmp.c */
-extern unsigned long ip_ct_generic_timeout;
+extern unsigned int ip_ct_generic_timeout;
 
 /* Log invalid packets of a given protocol */
 static int log_invalid_proto_min = 0;
diff --git a/net/ipv4/netfilter/ip_nat_helper_pptp.c b/net/ipv4/netfilter/ip_nat_helper_pptp.c
index e546203f56..ac00489578 100644
--- a/net/ipv4/netfilter/ip_nat_helper_pptp.c
+++ b/net/ipv4/netfilter/ip_nat_helper_pptp.c
@@ -148,14 +148,14 @@ pptp_outbound_pkt(struct sk_buff **pskb,
 {
         struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info;
         struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
-
-        u_int16_t msg, *cid = NULL, new_callid;
+        u_int16_t msg, new_callid;
+        unsigned int cid_off;
 
         new_callid = htons(ct_pptp_info->pns_call_id);
         
         switch (msg = ntohs(ctlh->messageType)) {
                 case PPTP_OUT_CALL_REQUEST:
-                        cid = &pptpReq->ocreq.callID;
+                        cid_off = offsetof(union pptp_ctrl_union, ocreq.callID);
                         /* FIXME: ideally we would want to reserve a call ID
                          * here.  current netfilter NAT core is not able to do
                          * this :( For now we use TCP source port. This breaks
@@ -172,10 +172,10 @@ pptp_outbound_pkt(struct sk_buff **pskb,
                         ct_pptp_info->pns_call_id = ntohs(new_callid);
                         break;
                 case PPTP_IN_CALL_REPLY:
-                        cid = &pptpReq->icreq.callID;
+                        cid_off = offsetof(union pptp_ctrl_union, icreq.callID);
                         break;
                 case PPTP_CALL_CLEAR_REQUEST:
-                        cid = &pptpReq->clrreq.callID;
+                        cid_off = offsetof(union pptp_ctrl_union, clrreq.callID);
                         break;
                 default:
                         DEBUGP("unknown outbound packet 0x%04x:%s\n", msg,
@@ -197,18 +197,15 @@ pptp_outbound_pkt(struct sk_buff **pskb,
 
         /* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass
          * down to here */
-
-        IP_NF_ASSERT(cid);
-
         DEBUGP("altering call id from 0x%04x to 0x%04x\n",
-                ntohs(*cid), ntohs(new_callid));
+                ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_callid));
 
         /* mangle packet */
         if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
-                (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
-                                        sizeof(new_callid), 
-                                        (char *)&new_callid,
-                                        sizeof(new_callid)) == 0)
+                                     cid_off + sizeof(struct pptp_pkt_hdr) +
+                                     sizeof(struct PptpControlHeader),
+                                     sizeof(new_callid), (char *)&new_callid,
+                                     sizeof(new_callid)) == 0)
                 return NF_DROP;
 
         return NF_ACCEPT;
@@ -299,31 +296,30 @@ pptp_inbound_pkt(struct sk_buff **pskb,
                  union pptp_ctrl_union *pptpReq)
 {
         struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
-        u_int16_t msg, new_cid = 0, new_pcid, *pcid = NULL, *cid = NULL;
-
-        int ret = NF_ACCEPT, rv;
+        u_int16_t msg, new_cid = 0, new_pcid;
+        unsigned int pcid_off, cid_off = 0;
 
         new_pcid = htons(nat_pptp_info->pns_call_id);
 
         switch (msg = ntohs(ctlh->messageType)) {
         case PPTP_OUT_CALL_REPLY:
-                pcid = &pptpReq->ocack.peersCallID;     
-                cid = &pptpReq->ocack.callID;
+                pcid_off = offsetof(union pptp_ctrl_union, ocack.peersCallID);
+                cid_off = offsetof(union pptp_ctrl_union, ocack.callID);
                 break;
         case PPTP_IN_CALL_CONNECT:
-                pcid = &pptpReq->iccon.peersCallID;
+                pcid_off = offsetof(union pptp_ctrl_union, iccon.peersCallID);
                 break;
         case PPTP_IN_CALL_REQUEST:
                 /* only need to nat in case PAC is behind NAT box */
-                break;
+                return NF_ACCEPT;
         case PPTP_WAN_ERROR_NOTIFY:
-                pcid = &pptpReq->wanerr.peersCallID;
+                pcid_off = offsetof(union pptp_ctrl_union, wanerr.peersCallID);
                 break;
         case PPTP_CALL_DISCONNECT_NOTIFY:
-                pcid = &pptpReq->disc.callID;
+                pcid_off = offsetof(union pptp_ctrl_union, disc.callID);
                 break;
         case PPTP_SET_LINK_INFO:
-                pcid = &pptpReq->setlink.peersCallID;
+                pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
                 break;
 
         default:
@@ -345,35 +341,26 @@ pptp_inbound_pkt(struct sk_buff **pskb,
          * WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */
 
         /* mangle packet */
-        IP_NF_ASSERT(pcid);
         DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
-                ntohs(*pcid), ntohs(new_pcid));
-        
-        rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, 
-                                      (void *)pcid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
-                                      sizeof(new_pcid), (char *)&new_pcid, 
-                                      sizeof(new_pcid));
-        if (rv != NF_ACCEPT) 
-                return rv;
+                ntohs(*(u_int16_t *)pptpReq + pcid_off), ntohs(new_pcid));
+
+        if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+                                     pcid_off + sizeof(struct pptp_pkt_hdr) +
+                                     sizeof(struct PptpControlHeader),
+                                     sizeof(new_pcid), (char *)&new_pcid,
+                                     sizeof(new_pcid)) == 0)
+                return NF_DROP;
 
         if (new_cid) {
-                IP_NF_ASSERT(cid);
                 DEBUGP("altering call id from 0x%04x to 0x%04x\n",
-                        ntohs(*cid), ntohs(new_cid));
-                rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo, 
-                                              (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)), 
-                                              sizeof(new_cid),
-                                              (char *)&new_cid, 
-                                              sizeof(new_cid));
-                if (rv != NF_ACCEPT)
-                        return rv;
+                        ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_cid));
+                if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+                                             cid_off + sizeof(struct pptp_pkt_hdr) +
+                                             sizeof(struct PptpControlHeader),
+                                             sizeof(new_cid), (char *)&new_cid,
+                                             sizeof(new_cid)) == 0)
+                        return NF_DROP;
         }
-
-        /* check for earlier return value of 'switch' above */
-        if (ret != NF_ACCEPT)
-                return ret;
-
-        /* great, at least we don't need to resize packets */
         return NF_ACCEPT;
 }
 
diff --git a/net/ipv4/netfilter/ip_nat_proto_gre.c b/net/ipv4/netfilter/ip_nat_proto_gre.c
index f7cad7cf1a..6c4899d804 100644
--- a/net/ipv4/netfilter/ip_nat_proto_gre.c
+++ b/net/ipv4/netfilter/ip_nat_proto_gre.c
@@ -151,42 +151,6 @@ gre_manip_pkt(struct sk_buff **pskb,
         return 1;
 }
 
-/* print out a nat tuple */
-static unsigned int 
-gre_print(char *buffer, 
-          const struct ip_conntrack_tuple *match,
-          const struct ip_conntrack_tuple *mask)
-{
-        unsigned int len = 0;
-
-        if (mask->src.u.gre.key)
-                len += sprintf(buffer + len, "srckey=0x%x ", 
-                                ntohl(match->src.u.gre.key));
-
-        if (mask->dst.u.gre.key)
-                len += sprintf(buffer + len, "dstkey=0x%x ",
-                                ntohl(match->src.u.gre.key));
-
-        return len;
-}
-
-/* print a range of keys */
-static unsigned int 
-gre_print_range(char *buffer, const struct ip_nat_range *range)
-{
-        if (range->min.gre.key != 0 
-            || range->max.gre.key != 0xFFFF) {
-                if (range->min.gre.key == range->max.gre.key)
-                        return sprintf(buffer, "key 0x%x ",
-                                        ntohl(range->min.gre.key));
-                else
-                        return sprintf(buffer, "keys 0x%u-0x%u ",
-                                        ntohl(range->min.gre.key),
-                                        ntohl(range->max.gre.key));
-        } else
-                return 0;
-}
-
 /* nat helper struct */
 static struct ip_nat_protocol gre = { 
         .name           = "GRE", 
@@ -194,8 +158,6 @@ static struct ip_nat_protocol gre = {
         .manip_pkt      = gre_manip_pkt,
         .in_range       = gre_in_range,
         .unique_tuple   = gre_unique_tuple,
-        .print          = gre_print,
-        .print_range    = gre_print_range,
 #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
     defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
         .range_to_nfattr        = ip_nat_port_range_to_nfattr,
diff --git a/net/ipv4/netfilter/ip_nat_proto_icmp.c b/net/ipv4/netfilter/ip_nat_proto_icmp.c
index 9387190439..31a3f4ccb9 100644
--- a/net/ipv4/netfilter/ip_nat_proto_icmp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_icmp.c
@@ -74,38 +74,6 @@ icmp_manip_pkt(struct sk_buff **pskb,
         return 1;
 }
 
-static unsigned int
-icmp_print(char *buffer,
-           const struct ip_conntrack_tuple *match,
-           const struct ip_conntrack_tuple *mask)
-{
-        unsigned int len = 0;
-
-        if (mask->src.u.icmp.id)
-                len += sprintf(buffer + len, "id=%u ",
-                               ntohs(match->src.u.icmp.id));
-
-        if (mask->dst.u.icmp.type)
-                len += sprintf(buffer + len, "type=%u ",
-                               ntohs(match->dst.u.icmp.type));
-
-        if (mask->dst.u.icmp.code)
-                len += sprintf(buffer + len, "code=%u ",
-                               ntohs(match->dst.u.icmp.code));
-
-        return len;
-}
-
-static unsigned int
-icmp_print_range(char *buffer, const struct ip_nat_range *range)
-{
-        if (range->min.icmp.id != 0 || range->max.icmp.id != 0xFFFF)
-                return sprintf(buffer, "id %u-%u ",
-                               ntohs(range->min.icmp.id),
-                               ntohs(range->max.icmp.id));
-        else return 0;
-}
-
 struct ip_nat_protocol ip_nat_protocol_icmp = {
         .name                   = "ICMP",
         .protonum               = IPPROTO_ICMP,
@@ -113,8 +81,6 @@ struct ip_nat_protocol ip_nat_protocol_icmp = {
         .manip_pkt              = icmp_manip_pkt,
         .in_range               = icmp_in_range,
         .unique_tuple           = icmp_unique_tuple,
-        .print                  = icmp_print,
-        .print_range            = icmp_print_range,
 #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
     defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
         .range_to_nfattr        = ip_nat_port_range_to_nfattr,
diff --git a/net/ipv4/netfilter/ip_nat_proto_tcp.c b/net/ipv4/netfilter/ip_nat_proto_tcp.c
index 1d381bf685..a3d14079eb 100644
--- a/net/ipv4/netfilter/ip_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_tcp.c
@@ -136,40 +136,6 @@ tcp_manip_pkt(struct sk_buff **pskb,
         return 1;
 }
 
-static unsigned int
-tcp_print(char *buffer,
-          const struct ip_conntrack_tuple *match,
-          const struct ip_conntrack_tuple *mask)
-{
-        unsigned int len = 0;
-
-        if (mask->src.u.tcp.port)
-                len += sprintf(buffer + len, "srcpt=%u ",
-                               ntohs(match->src.u.tcp.port));
-
-
-        if (mask->dst.u.tcp.port)
-                len += sprintf(buffer + len, "dstpt=%u ",
-                               ntohs(match->dst.u.tcp.port));
-
-        return len;
-}
-
-static unsigned int
-tcp_print_range(char *buffer, const struct ip_nat_range *range)
-{
-        if (range->min.tcp.port != 0 || range->max.tcp.port != 0xFFFF) {
-                if (range->min.tcp.port == range->max.tcp.port)
-                        return sprintf(buffer, "port %u ",
-                                       ntohs(range->min.tcp.port));
-                else
-                        return sprintf(buffer, "ports %u-%u ",
-                                       ntohs(range->min.tcp.port),
-                                       ntohs(range->max.tcp.port));
-        }
-        else return 0;
-}
-
 struct ip_nat_protocol ip_nat_protocol_tcp = {
         .name                   = "TCP",
         .protonum               = IPPROTO_TCP,
@@ -177,8 +143,6 @@ struct ip_nat_protocol ip_nat_protocol_tcp = {
         .manip_pkt              = tcp_manip_pkt,
         .in_range               = tcp_in_range,
         .unique_tuple           = tcp_unique_tuple,
-        .print                  = tcp_print,
-        .print_range            = tcp_print_range,
 #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
     defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
         .range_to_nfattr        = ip_nat_port_range_to_nfattr,
diff --git a/net/ipv4/netfilter/ip_nat_proto_udp.c b/net/ipv4/netfilter/ip_nat_proto_udp.c
index c4906e1aa2..ec6053fdc8 100644
--- a/net/ipv4/netfilter/ip_nat_proto_udp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_udp.c
@@ -122,40 +122,6 @@ udp_manip_pkt(struct sk_buff **pskb,
         return 1;
 }
 
-static unsigned int
-udp_print(char *buffer,
-          const struct ip_conntrack_tuple *match,
-          const struct ip_conntrack_tuple *mask)
-{
-        unsigned int len = 0;
-
-        if (mask->src.u.udp.port)
-                len += sprintf(buffer + len, "srcpt=%u ",
-                               ntohs(match->src.u.udp.port));
-
-
-        if (mask->dst.u.udp.port)
-                len += sprintf(buffer + len, "dstpt=%u ",
-                               ntohs(match->dst.u.udp.port));
-
-        return len;
-}
-
-static unsigned int
-udp_print_range(char *buffer, const struct ip_nat_range *range)
-{
-        if (range->min.udp.port != 0 || range->max.udp.port != 0xFFFF) {
-                if (range->min.udp.port == range->max.udp.port)
-                        return sprintf(buffer, "port %u ",
-                                       ntohs(range->min.udp.port));
-                else
-                        return sprintf(buffer, "ports %u-%u ",
-                                       ntohs(range->min.udp.port),
-                                       ntohs(range->max.udp.port));
-        }
-        else return 0;
-}
-
 struct ip_nat_protocol ip_nat_protocol_udp = {
         .name                   = "UDP",
         .protonum               = IPPROTO_UDP,
@@ -163,8 +129,6 @@ struct ip_nat_protocol ip_nat_protocol_udp = {
         .manip_pkt              = udp_manip_pkt,
         .in_range               = udp_in_range,
         .unique_tuple           = udp_unique_tuple,
-        .print                  = udp_print,
-        .print_range            = udp_print_range,
 #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
     defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
         .range_to_nfattr        = ip_nat_port_range_to_nfattr,
diff --git a/net/ipv4/netfilter/ip_nat_proto_unknown.c b/net/ipv4/netfilter/ip_nat_proto_unknown.c
index f0099a646a..3bf0495172 100644
--- a/net/ipv4/netfilter/ip_nat_proto_unknown.c
+++ b/net/ipv4/netfilter/ip_nat_proto_unknown.c
@@ -46,26 +46,10 @@ unknown_manip_pkt(struct sk_buff **pskb,
         return 1;
 }
 
-static unsigned int
-unknown_print(char *buffer,
-              const struct ip_conntrack_tuple *match,
-              const struct ip_conntrack_tuple *mask)
-{
-        return 0;
-}
-
-static unsigned int
-unknown_print_range(char *buffer, const struct ip_nat_range *range)
-{
-        return 0;
-}
-
 struct ip_nat_protocol ip_nat_unknown_protocol = {
         .name                   = "unknown",
         /* .me isn't set: getting a ref to this cannot fail. */
         .manip_pkt              = unknown_manip_pkt,
         .in_range               = unknown_in_range,
         .unique_tuple           = unknown_unique_tuple,
-        .print                  = unknown_print,
-        .print_range            = unknown_print_range
 };
diff --git a/net/ipv4/netfilter/ipt_mac.c b/net/ipv4/netfilter/ipt_mac.c
index 11a459e33f..1b9bb4559f 100644
--- a/net/ipv4/netfilter/ipt_mac.c
+++ b/net/ipv4/netfilter/ipt_mac.c
@@ -11,6 +11,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/if_ether.h>
+#include <linux/etherdevice.h>
 
 #include <linux/netfilter_ipv4/ipt_mac.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
@@ -33,8 +34,8 @@ match(const struct sk_buff *skb,
     return (skb->mac.raw >= skb->head
             && (skb->mac.raw + ETH_HLEN) <= skb->data
             /* If so, compare... */
-            && ((memcmp(eth_hdr(skb)->h_source, info->srcaddr, ETH_ALEN)
-                == 0) ^ info->invert));
+            && ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr))
+                ^ info->invert));
 }
 
 static int
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 9bdbb77939..0c56c52a38 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -277,7 +277,7 @@ static struct nf_hook_ops ipv4_conntrack_local_in_ops = {
 
 #ifdef CONFIG_SYSCTL
 /* From nf_conntrack_proto_icmp.c */
-extern unsigned long nf_ct_icmp_timeout;
+extern unsigned int nf_ct_icmp_timeout;
 static struct ctl_table_header *nf_ct_ipv4_sysctl_header;
 
 static ctl_table nf_ct_sysctl_table[] = {