diff --git a/include/linux/netfilter_bridge/ebt_log.h b/include/linux/netfilter_bridge/ebt_log.h
index 358fbc84fb59c52b391aaa4b831a297f6a4db0d3..96e231ae75548a3188b77b5708567cb99c75e0e4 100644
--- a/include/linux/netfilter_bridge/ebt_log.h
+++ b/include/linux/netfilter_bridge/ebt_log.h
@@ -3,6 +3,7 @@
#define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip information */
#define EBT_LOG_ARP 0x02
+#define EBT_LOG_NFLOG 0x04
#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP)
#define EBT_LOG_PREFIX_SIZE 30
#define EBT_LOG_WATCHER "log"
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
index 22d16177319b9d46a335d11ede61f86c9fb28b8d..892f9a33fea88eff56fcb94ae9247705a3a44814 100644
--- a/include/linux/netfilter_ipv4/ipt_LOG.h
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h
@@ -6,7 +6,8 @@
#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
-#define IPT_LOG_MASK 0x0f
+#define IPT_LOG_NFLOG 0x10 /* Log using nf_log backend */
+#define IPT_LOG_MASK 0x1f
struct ipt_log_info {
unsigned char level;
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/linux/netfilter_ipv6/ip6t_LOG.h
index 9008ff5c40aec70e209f8f9efd036e34db1621ab..060c1a1c6c603ab19231b34d0e7325912d8f4b77 100644
--- a/include/linux/netfilter_ipv6/ip6t_LOG.h
+++ b/include/linux/netfilter_ipv6/ip6t_LOG.h
@@ -6,7 +6,8 @@
#define IP6T_LOG_TCPOPT 0x02 /* Log TCP options */
#define IP6T_LOG_IPOPT 0x04 /* Log IP options */
#define IP6T_LOG_UID 0x08 /* Log UID owning local socket */
-#define IP6T_LOG_MASK 0x0f
+#define IP6T_LOG_NFLOG 0x10 /* Log using nf_log backend */
+#define IP6T_LOG_MASK 0x1f
struct ip6t_log_info {
unsigned char level;
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 004e645f3e1829a81b39ed67918a243f66ef049e..8d362c49b8a9ecb9f00539a0ed1d292f0068bb3a 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -233,7 +233,6 @@ struct xfrm_type
int (*init_state)(struct xfrm_state *x);
void (*destructor)(struct xfrm_state *);
int (*input)(struct xfrm_state *, struct xfrm_decap_state *, struct sk_buff *skb);
- int (*post_input)(struct xfrm_state *, struct xfrm_decap_state *, struct sk_buff *skb);
int (*output)(struct xfrm_state *, struct sk_buff *pskb);
/* Estimate maximal size of result of transformation of a dgram */
u32 (*get_max_size)(struct xfrm_state *, int size);
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index 0128fbbe23281241d2929ab9ffd6eb74d71d67d9..288ff1d4ccc47fc453ba1cb6b605581da8722358 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -166,7 +166,12 @@ static void ebt_log(const struct sk_buff *skb, unsigned int hooknr,
li.u.log.level = info->loglevel;
li.u.log.logflags = info->bitmask;
- nf_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li, info->prefix);
+ if (info->bitmask & EBT_LOG_NFLOG)
+ nf_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li,
+ info->prefix);
+ else
+ ebt_log_packet(PF_BRIDGE, hooknr, skb, in, out, &li,
+ info->prefix);
}
static struct ebt_watcher log =
diff --git a/net/core/request_sock.c b/net/core/request_sock.c
index b8203de5ff073c4e3bda5166ef1542b793141a0c..98f0fc923f9195326ed9d0fe538e58fd7528d8d7 100644
--- a/net/core/request_sock.c
+++ b/net/core/request_sock.c
@@ -52,7 +52,6 @@ int reqsk_queue_alloc(struct request_sock_queue *queue,
get_random_bytes(&lopt->hash_rnd, sizeof(lopt->hash_rnd));
rwlock_init(&queue->syn_wait_lock);
queue->rskq_accept_head = queue->rskq_accept_head = NULL;
- queue->rskq_defer_accept = 0;
lopt->nr_table_entries = nr_table_entries;
write_lock_bh(&queue->syn_wait_lock);
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 73bfcae8af9c367b3d88ffdf9f8e14afa476e927..09590f3560866758e0db00ff43580ca7b9ab798d 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -12,13 +12,6 @@
#include <net/protocol.h>
#include <net/udp.h>
-/* decapsulation data for use when post-processing */
-struct esp_decap_data {
- xfrm_address_t saddr;
- __u16 sport;
- __u8 proto;
-};
-
static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
{
int err;
@@ -150,6 +143,10 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc
int elen = skb->len - sizeof(struct ip_esp_hdr) - esp->conf.ivlen - alen;
int nfrags;
int encap_len = 0;
+ u8 nexthdr[2];
+ struct scatterlist *sg;
+ u8 workbuf[60];
+ int padlen;
if (!pskb_may_pull(skb, sizeof(struct ip_esp_hdr)))
goto out;
@@ -185,122 +182,82 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc
if (esp->conf.ivlen)
crypto_cipher_set_iv(esp->conf.tfm, esph->enc_data, crypto_tfm_alg_ivsize(esp->conf.tfm));
- {
- u8 nexthdr[2];
- struct scatterlist *sg = &esp->sgbuf[0];
- u8 workbuf[60];
- int padlen;
-
- if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
- sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
- if (!sg)
- goto out;
- }
- skb_to_sgvec(skb, sg, sizeof(struct ip_esp_hdr) + esp->conf.ivlen, elen);
- crypto_cipher_decrypt(esp->conf.tfm, sg, sg, elen);
- if (unlikely(sg != &esp->sgbuf[0]))
- kfree(sg);
-
- if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2))
- BUG();
+ sg = &esp->sgbuf[0];
- padlen = nexthdr[0];
- if (padlen+2 >= elen)
+ if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
+ sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
+ if (!sg)
goto out;
-
- /* ... check padding bits here. Silly. :-) */
-
- if (x->encap && decap && decap->decap_type) {
- struct esp_decap_data *encap_data;
- struct udphdr *uh = (struct udphdr *) (iph+1);
-
- encap_data = (struct esp_decap_data *) (decap->decap_data);
- encap_data->proto = 0;
-
- switch (decap->decap_type) {
- case UDP_ENCAP_ESPINUDP:
- case UDP_ENCAP_ESPINUDP_NON_IKE:
- encap_data->proto = AF_INET;
- encap_data->saddr.a4 = iph->saddr;
- encap_data->sport = uh->source;
- encap_len = (void*)esph - (void*)uh;
- break;
-
- default:
- goto out;
- }
- }
-
- iph->protocol = nexthdr[1];
- pskb_trim(skb, skb->len - alen - padlen - 2);
- memcpy(workbuf, skb->nh.raw, iph->ihl*4);
- skb->h.raw = skb_pull(skb, sizeof(struct ip_esp_hdr) + esp->conf.ivlen);
- skb->nh.raw += encap_len + sizeof(struct ip_esp_hdr) + esp->conf.ivlen;
- memcpy(skb->nh.raw, workbuf, iph->ihl*4);
- skb->nh.iph->tot_len = htons(skb->len);
}
+ skb_to_sgvec(skb, sg, sizeof(struct ip_esp_hdr) + esp->conf.ivlen, elen);
+ crypto_cipher_decrypt(esp->conf.tfm, sg, sg, elen);
+ if (unlikely(sg != &esp->sgbuf[0]))
+ kfree(sg);
- return 0;
+ if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2))
+ BUG();
-out:
- return -EINVAL;
-}
+ padlen = nexthdr[0];
+ if (padlen+2 >= elen)
+ goto out;
-static int esp_post_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struct sk_buff *skb)
-{
-
- if (x->encap) {
- struct xfrm_encap_tmpl *encap;
- struct esp_decap_data *decap_data;
+ /* ... check padding bits here. Silly. :-) */
- encap = x->encap;
- decap_data = (struct esp_decap_data *)(decap->decap_data);
+ if (x->encap) {
+ struct xfrm_encap_tmpl *encap = x->encap;
+ struct udphdr *uh;
- /* first, make sure that the decap type == the encap type */
if (encap->encap_type != decap->decap_type)
- return -EINVAL;
+ goto out;
- switch (encap->encap_type) {
- default:
- case UDP_ENCAP_ESPINUDP:
- case UDP_ENCAP_ESPINUDP_NON_IKE:
- /*
- * 1) if the NAT-T peer's IP or port changed then
- * advertize the change to the keying daemon.
- * This is an inbound SA, so just compare
- * SRC ports.
- */
- if (decap_data->proto == AF_INET &&
- (decap_data->saddr.a4 != x->props.saddr.a4 ||
- decap_data->sport != encap->encap_sport)) {
- xfrm_address_t ipaddr;
-
- ipaddr.a4 = decap_data->saddr.a4;
- km_new_mapping(x, &ipaddr, decap_data->sport);
-
- /* XXX: perhaps add an extra
- * policy check here, to see
- * if we should allow or
- * reject a packet from a
- * different source
- * address/port.
- */
- }
-
- /*
- * 2) ignore UDP/TCP checksums in case
- * of NAT-T in Transport Mode, or
- * perform other post-processing fixes
- * as per * draft-ietf-ipsec-udp-encaps-06,
- * section 3.1.2
+ uh = (struct udphdr *)(iph + 1);
+ encap_len = (void*)esph - (void*)uh;
+
+ /*
+ * 1) if the NAT-T peer's IP or port changed then
+ * advertize the change to the keying daemon.
+ * This is an inbound SA, so just compare
+ * SRC ports.
+ */
+ if (iph->saddr != x->props.saddr.a4 ||
+ uh->source != encap->encap_sport) {
+ xfrm_address_t ipaddr;
+
+ ipaddr.a4 = iph->saddr;
+ km_new_mapping(x, &ipaddr, uh->source);
+
+ /* XXX: perhaps add an extra
+ * policy check here, to see
+ * if we should allow or
+ * reject a packet from a
+ * different source
+ * address/port.
*/
- if (!x->props.mode)
- skb->ip_summed = CHECKSUM_UNNECESSARY;
-
- break;
}
+
+ /*
+ * 2) ignore UDP/TCP checksums in case
+ * of NAT-T in Transport Mode, or
+ * perform other post-processing fixes
+ * as per draft-ietf-ipsec-udp-encaps-06,
+ * section 3.1.2
+ */
+ if (!x->props.mode)
+ skb->ip_summed = CHECKSUM_UNNECESSARY;
}
+
+ iph->protocol = nexthdr[1];
+ pskb_trim(skb, skb->len - alen - padlen - 2);
+ memcpy(workbuf, skb->nh.raw, iph->ihl*4);
+ skb->h.raw = skb_pull(skb, sizeof(struct ip_esp_hdr) + esp->conf.ivlen);
+ skb->nh.raw += encap_len + sizeof(struct ip_esp_hdr) + esp->conf.ivlen;
+ memcpy(skb->nh.raw, workbuf, iph->ihl*4);
+ skb->nh.iph->tot_len = htons(skb->len);
+
return 0;
+
+out:
+ return -EINVAL;
}
static u32 esp4_get_max_size(struct xfrm_state *x, int mtu)
@@ -458,7 +415,6 @@ static struct xfrm_type esp_type =
.destructor = esp_destroy,
.get_max_size = esp4_get_max_size,
.input = esp_input,
- .post_input = esp_post_input,
.output = esp_output
};
@@ -470,15 +426,6 @@ static struct net_protocol esp4_protocol = {
static int __init esp4_init(void)
{
- struct xfrm_decap_state decap;
-
- if (sizeof(struct esp_decap_data) >
- sizeof(decap.decap_data)) {
- extern void decap_data_too_small(void);
-
- decap_data_too_small();
- }
-
if (xfrm_register_type(&esp_type, AF_INET) < 0) {
printk(KERN_INFO "ip esp init: can't add xfrm type\n");
return -EAGAIN;
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 6606ddb66a29e6ea0044c24ce596bb9767aae424..cc27545ff97f67b3d60dbea1b3f32bce4f8d3001 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -425,7 +425,12 @@ ipt_log_target(struct sk_buff **pskb,
li.u.log.level = loginfo->level;
li.u.log.logflags = loginfo->logflags;
- nf_log_packet(PF_INET, hooknum, *pskb, in, out, &li, loginfo->prefix);
+ if (loginfo->logflags & IPT_LOG_NFLOG)
+ nf_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
+ loginfo->prefix);
+ else
+ ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
+ loginfo->prefix);
return IPT_CONTINUE;
}
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 77c725832decdbfc28b1108f9912cae8b09965dd..6b930efa9fb9965bc78bcb64009ffb81a51e8b0d 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -436,7 +436,12 @@ ip6t_log_target(struct sk_buff **pskb,
li.u.log.level = loginfo->level;
li.u.log.logflags = loginfo->logflags;
- nf_log_packet(PF_INET6, hooknum, *pskb, in, out, &li, loginfo->prefix);
+ if (loginfo->logflags & IP6T_LOG_NFLOG)
+ nf_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
+ loginfo->prefix);
+ else
+ ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
+ loginfo->prefix);
return IP6T_CONTINUE;
}
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index d3a4f30a7f2247f0bac16cdc9466c31b12409e39..d9f0d7ef103b61f8209eaa9fd9aaa29306438309 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -6,6 +6,7 @@
#include <linux/skbuff.h>
#include <linux/netfilter.h>
#include <linux/seq_file.h>
+#include <linux/rcupdate.h>
#include <net/protocol.h>
#include "nf_internals.h"
@@ -16,7 +17,7 @@
* for queueing and must reinject all packets it receives, no matter what.
*/
static struct nf_queue_handler *queue_handler[NPROTO];
-static struct nf_queue_rerouter *queue_rerouter;
+static struct nf_queue_rerouter *queue_rerouter[NPROTO];
static DEFINE_RWLOCK(queue_handler_lock);
@@ -64,7 +65,7 @@ int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer)
return -EINVAL;
write_lock_bh(&queue_handler_lock);
- memcpy(&queue_rerouter[pf], rer, sizeof(queue_rerouter[pf]));
+ rcu_assign_pointer(queue_rerouter[pf], rer);
write_unlock_bh(&queue_handler_lock);
return 0;
@@ -77,8 +78,9 @@ int nf_unregister_queue_rerouter(int pf)
return -EINVAL;
write_lock_bh(&queue_handler_lock);
- memset(&queue_rerouter[pf], 0, sizeof(queue_rerouter[pf]));
+ rcu_assign_pointer(queue_rerouter[pf], NULL);
write_unlock_bh(&queue_handler_lock);
+ synchronize_rcu();
return 0;
}
EXPORT_SYMBOL_GPL(nf_unregister_queue_rerouter);
@@ -114,16 +116,17 @@ int nf_queue(struct sk_buff **skb,
struct net_device *physindev = NULL;
struct net_device *physoutdev = NULL;
#endif
+ struct nf_queue_rerouter *rerouter;
/* QUEUE == DROP if noone is waiting, to be safe. */
read_lock(&queue_handler_lock);
- if (!queue_handler[pf] || !queue_handler[pf]->outfn) {
+ if (!queue_handler[pf]) {
read_unlock(&queue_handler_lock);
kfree_skb(*skb);
return 1;
}
- info = kmalloc(sizeof(*info)+queue_rerouter[pf].rer_size, GFP_ATOMIC);
+ info = kmalloc(sizeof(*info)+queue_rerouter[pf]->rer_size, GFP_ATOMIC);
if (!info) {
if (net_ratelimit())
printk(KERN_ERR "OOM queueing packet %p\n",
@@ -155,15 +158,13 @@ int nf_queue(struct sk_buff **skb,
if (physoutdev) dev_hold(physoutdev);
}
#endif
- if (queue_rerouter[pf].save)
- queue_rerouter[pf].save(*skb, info);
+ rerouter = rcu_dereference(queue_rerouter[pf]);
+ if (rerouter)
+ rerouter->save(*skb, info);
status = queue_handler[pf]->outfn(*skb, info, queuenum,
queue_handler[pf]->data);
- if (status >= 0 && queue_rerouter[pf].reroute)
- status = queue_rerouter[pf].reroute(skb, info);
-
read_unlock(&queue_handler_lock);
if (status < 0) {
@@ -189,6 +190,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
{
struct list_head *elem = &info->elem->list;
struct list_head *i;
+ struct nf_queue_rerouter *rerouter;
rcu_read_lock();
@@ -212,7 +214,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
break;
}
- if (elem == &nf_hooks[info->pf][info->hook]) {
+ if (i == &nf_hooks[info->pf][info->hook]) {
/* The module which sent it to userspace is gone. */
NFDEBUG("%s: module disappeared, dropping packet.\n",
__FUNCTION__);
@@ -225,6 +227,12 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
verdict = NF_ACCEPT;
}
+ if (verdict == NF_ACCEPT) {
+ rerouter = rcu_dereference(queue_rerouter[info->pf]);
+ if (rerouter && rerouter->reroute(&skb, info) < 0)
+ verdict = NF_DROP;
+ }
+
if (verdict == NF_ACCEPT) {
next_hook:
verdict = nf_iterate(&nf_hooks[info->pf][info->hook],
@@ -322,22 +330,12 @@ int __init netfilter_queue_init(void)
{
#ifdef CONFIG_PROC_FS
struct proc_dir_entry *pde;
-#endif
- queue_rerouter = kmalloc(NPROTO * sizeof(struct nf_queue_rerouter),
- GFP_KERNEL);
- if (!queue_rerouter)
- return -ENOMEM;
-#ifdef CONFIG_PROC_FS
pde = create_proc_entry("nf_queue", S_IRUGO, proc_net_netfilter);
- if (!pde) {
- kfree(queue_rerouter);
+ if (!pde)
return -1;
- }
pde->proc_fops = &nfqueue_file_ops;
#endif
- memset(queue_rerouter, 0, NPROTO * sizeof(struct nf_queue_rerouter));
-
return 0;
}
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 8206025d8e46297c786e58fc19fd1725c0bd5ff5..ae62054a9fc4c22bb41678f2c8fd64ce87e7d427 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -996,13 +996,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
struct sec_decap_state *xvec = &(skb->sp->x[i]);
if (!xfrm_selector_match(&xvec->xvec->sel, &fl, family))
return 0;
-
- /* If there is a post_input processor, try running it */
- if (xvec->xvec->type->post_input &&
- (xvec->xvec->type->post_input)(xvec->xvec,
- &(xvec->decap),
- skb) != 0)
- return 0;
}
}