---

yaml
---
r: 236634
b: refs/heads/master
c: f1e231a
h: refs/heads/master
v: v3

[refs]

@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 94b27cc36123069966616670c3653cd6873babe9
+refs/heads/master: f1e231a356f90a67f8547c2881a62c92084683c6

trunk/include/linux/netfilter.h

@@ -24,30 +24,23 @@
 #define NF_MAX_VERDICT NF_STOP
 
 /* we overload the higher bits for encoding auxiliary data such as the queue
- * number or errno values. Not nice, but better than additional function
- * arguments. */
-#define NF_VERDICT_MASK 0x000000ff
-
-/* extra verdict flags have mask 0x0000ff00 */
-#define NF_VERDICT_FLAG_QUEUE_BYPASS	0x00008000
+ * number. Not nice, but better than additional function arguments. */
+#define NF_VERDICT_MASK 0x0000ffff
+#define NF_VERDICT_BITS 16
 
-/* queue number (NF_QUEUE) or errno (NF_DROP) */
 #define NF_VERDICT_QMASK 0xffff0000
 #define NF_VERDICT_QBITS 16
 
-#define NF_QUEUE_NR(x) ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE)
+#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_BITS) & NF_VERDICT_QMASK) | NF_QUEUE)
 
-#define NF_DROP_ERR(x) (((-x) << 16) | NF_DROP)
+#define NF_DROP_ERR(x) (((-x) << NF_VERDICT_BITS) | NF_DROP)
 
 /* only for userspace compatibility */
 #ifndef __KERNEL__
 /* Generic cache responses from hook functions.
    <= 0x2000 is used for protocol-flags. */
 #define NFC_UNKNOWN 0x4000
 #define NFC_ALTERED 0x8000
-
-/* NF_VERDICT_BITS should be 8 now, but userspace might break if this changes */
-#define NF_VERDICT_BITS 16
 #endif
 
 enum nf_inet_hooks {
@@ -79,10 +72,6 @@ union nf_inet_addr {
 
 #ifdef __KERNEL__
 #ifdef CONFIG_NETFILTER
-static inline int NF_DROP_GETERR(int verdict)
-{
-	return -(verdict >> NF_VERDICT_QBITS);
-}
 
 static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
 				   const union nf_inet_addr *a2)

trunk/include/linux/netfilter/xt_NFQUEUE.h

@@ -20,10 +20,4 @@ struct xt_NFQ_info_v1 {
 	__u16 queues_total;
 };
 
-struct xt_NFQ_info_v2 {
-	__u16 queuenum;
-	__u16 queues_total;
-	__u16 bypass;
-};
-
 #endif /* _XT_NFQ_TARGET_H */

trunk/include/net/netfilter/nf_nat_core.h

@@ -21,9 +21,9 @@ static inline int nf_nat_initialized(struct nf_conn *ct,
 				     enum nf_nat_manip_type manip)
 {
 	if (manip == IP_NAT_MANIP_SRC)
-		return ct->status & IPS_SRC_NAT_DONE;
+		return ct->status & IPS_SRC_NAT_DONE_BIT;
 	else
-		return ct->status & IPS_DST_NAT_DONE;
+		return ct->status & IPS_DST_NAT_DONE_BIT;
 }
 
 struct nlattr;

trunk/net/ipv4/netfilter/nf_nat_core.c

@@ -323,9 +323,9 @@ nf_nat_setup_info(struct nf_conn *ct,
 
 	/* It's done. */
 	if (maniptype == IP_NAT_MANIP_DST)
-		ct->status |= IPS_DST_NAT_DONE;
+		ct->status |= IPS_DST_NAT_DONE_BIT;
 	else
-		ct->status |= IPS_SRC_NAT_DONE;
+		ct->status |= IPS_SRC_NAT_DONE_BIT;
 
 	return NF_ACCEPT;
 }

trunk/net/netfilter/Kconfig

@@ -487,7 +487,6 @@ config NETFILTER_XT_TARGET_NFLOG
 config NETFILTER_XT_TARGET_NFQUEUE
 	tristate '"NFQUEUE" target Support'
 	depends on NETFILTER_ADVANCED
-	select NETFILTER_NETLINK_QUEUE
 	help
 	  This target replaced the old obsolete QUEUE target.
 

trunk/net/netfilter/core.c

@@ -175,21 +175,13 @@ int nf_hook_slow(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
 		ret = 1;
 	} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
 		kfree_skb(skb);
-		ret = NF_DROP_GETERR(verdict);
+		ret = -(verdict >> NF_VERDICT_BITS);
 		if (ret == 0)
 			ret = -EPERM;
 	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
-		ret = nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
-			       verdict >> NF_VERDICT_QBITS);
-		if (ret < 0) {
-			if (ret == -ECANCELED)
-				goto next_hook;
-			if (ret == -ESRCH &&
-			   (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
-				goto next_hook;
-			kfree_skb(skb);
-		}
-		ret = 0;
+		if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
+			      verdict >> NF_VERDICT_BITS))
+			goto next_hook;
 	}
 	rcu_read_unlock();
 	return ret;

trunk/net/netfilter/nf_conntrack_core.c

@@ -486,7 +486,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 	ct->timeout.expires += jiffies;
 	add_timer(&ct->timeout);
 	atomic_inc(&ct->ct_general.use);
-	ct->status |= IPS_CONFIRMED;
+	set_bit(IPS_CONFIRMED_BIT, &ct->status);
 
 	/* Since the lookup is lockless, hash insertion must be done after
 	 * starting the timer and setting the CONFIRMED bit. The RCU barriers

trunk/net/netfilter/nf_queue.c

@@ -125,7 +125,7 @@ static int __nf_queue(struct sk_buff *skb,
 		      int (*okfn)(struct sk_buff *),
 		      unsigned int queuenum)
 {
-	int status = -ENOENT;
+	int status;
 	struct nf_queue_entry *entry = NULL;
 #ifdef CONFIG_BRIDGE_NETFILTER
 	struct net_device *physindev;
@@ -138,20 +138,16 @@ static int __nf_queue(struct sk_buff *skb,
 	rcu_read_lock();
 
 	qh = rcu_dereference(queue_handler[pf]);
-	if (!qh) {
-		status = -ESRCH;
+	if (!qh)
 		goto err_unlock;
-	}
 
 	afinfo = nf_get_afinfo(pf);
 	if (!afinfo)
 		goto err_unlock;
 
 	entry = kmalloc(sizeof(*entry) + afinfo->route_key_size, GFP_ATOMIC);
-	if (!entry) {
-		status = -ENOMEM;
+	if (!entry)
 		goto err_unlock;
-	}
 
 	*entry = (struct nf_queue_entry) {
 		.skb	= skb,
@@ -165,9 +161,11 @@ static int __nf_queue(struct sk_buff *skb,
 
 	/* If it's going away, ignore hook. */
 	if (!try_module_get(entry->elem->owner)) {
-		status = -ECANCELED;
-		goto err_unlock;
+		rcu_read_unlock();
+		kfree(entry);
+		return 0;
 	}
+
 	/* Bump dev refs so they don't vanish while packet is out */
 	if (indev)
 		dev_hold(indev);
@@ -194,13 +192,14 @@ static int __nf_queue(struct sk_buff *skb,
 		goto err;
 	}
 
-	return 0;
+	return 1;
 
 err_unlock:
 	rcu_read_unlock();
 err:
+	kfree_skb(skb);
 	kfree(entry);
-	return status;
+	return 1;
 }
 
 int nf_queue(struct sk_buff *skb,
@@ -212,8 +211,6 @@ int nf_queue(struct sk_buff *skb,
 	     unsigned int queuenum)
 {
 	struct sk_buff *segs;
-	int err;
-	unsigned int queued;
 
 	if (!skb_is_gso(skb))
 		return __nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
@@ -229,43 +226,27 @@ int nf_queue(struct sk_buff *skb,
 	}
 
 	segs = skb_gso_segment(skb, 0);
-	/* Does not use PTR_ERR to limit the number of error codes that can be
-	 * returned by nf_queue.  For instance, callers rely on -ECANCELED to mean
-	 * 'ignore this hook'.
-	 */
+	kfree_skb(skb);
 	if (IS_ERR(segs))
-		return -EINVAL;
+		return 1;
 
-	queued = 0;
-	err = 0;
 	do {
 		struct sk_buff *nskb = segs->next;
 
 		segs->next = NULL;
-		if (err == 0)
-			err = __nf_queue(segs, elem, pf, hook, indev,
-					   outdev, okfn, queuenum);
-		if (err == 0)
-			queued++;
-		else
+		if (!__nf_queue(segs, elem, pf, hook, indev, outdev, okfn,
+				queuenum))
 			kfree_skb(segs);
 		segs = nskb;
 	} while (segs);
-
-	/* also free orig skb if only some segments were queued */
-	if (unlikely(err && queued))
-		err = 0;
-	if (err == 0)
-		kfree_skb(skb);
-	return err;
+	return 1;
 }
 
 void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 {
 	struct sk_buff *skb = entry->skb;
 	struct list_head *elem = &entry->elem->list;
 	const struct nf_afinfo *afinfo;
-	int err;
 
 	rcu_read_lock();
 
@@ -299,17 +280,10 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
 		local_bh_enable();
 		break;
 	case NF_QUEUE:
-		err = __nf_queue(skb, elem, entry->pf, entry->hook,
-				 entry->indev, entry->outdev, entry->okfn,
-				 verdict >> NF_VERDICT_QBITS);
-		if (err < 0) {
-			if (err == -ECANCELED)
-				goto next_hook;
-			if (err == -ESRCH &&
-			   (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
-				goto next_hook;
-			kfree_skb(skb);
-		}
+		if (!__nf_queue(skb, elem, entry->pf, entry->hook,
+				entry->indev, entry->outdev, entry->okfn,
+				verdict >> NF_VERDICT_BITS))
+			goto next_hook;
 		break;
 	case NF_STOLEN:
 	default:

trunk/net/netfilter/nfnetlink_queue.c

@@ -387,31 +387,25 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
 {
 	struct sk_buff *nskb;
 	struct nfqnl_instance *queue;
-	int err = -ENOBUFS;
+	int err;
 
 	/* rcu_read_lock()ed by nf_hook_slow() */
 	queue = instance_lookup(queuenum);
-	if (!queue) {
-		err = -ESRCH;
+	if (!queue)
 		goto err_out;
-	}
 
-	if (queue->copy_mode == NFQNL_COPY_NONE) {
-		err = -EINVAL;
+	if (queue->copy_mode == NFQNL_COPY_NONE)
 		goto err_out;
-	}
 
 	nskb = nfqnl_build_packet_message(queue, entry);
-	if (nskb == NULL) {
-		err = -ENOMEM;
+	if (nskb == NULL)
 		goto err_out;
-	}
+
 	spin_lock_bh(&queue->lock);
 
-	if (!queue->peer_pid) {
-		err = -EINVAL;
+	if (!queue->peer_pid)
 		goto err_out_free_nskb;
-	}
+
 	if (queue->queue_total >= queue->queue_maxlen) {
 		queue->queue_dropped++;
 		if (net_ratelimit())
@@ -438,7 +432,7 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
 err_out_unlock:
 	spin_unlock_bh(&queue->lock);
 err_out:
-	return err;
+	return -1;
 }
 
 static int

trunk/net/netfilter/xt_IDLETIMER.c

@@ -313,3 +313,5 @@ MODULE_AUTHOR("Timo Teras <ext-timo.teras@nokia.com>");
 MODULE_AUTHOR("Luciano Coelho <luciano.coelho@nokia.com>");
 MODULE_DESCRIPTION("Xtables: idle time monitor");
 MODULE_LICENSE("GPL v2");
+MODULE_ALIAS("ipt_IDLETIMER");
+MODULE_ALIAS("ip6t_IDLETIMER");

trunk/net/netfilter/xt_LED.c

@@ -31,6 +31,8 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Adam Nielsen <a.nielsen@shikadi.net>");
 MODULE_DESCRIPTION("Xtables: trigger LED devices on packet match");
+MODULE_ALIAS("ipt_LED");
+MODULE_ALIAS("ip6t_LED");
 
 static LIST_HEAD(xt_led_triggers);
 static DEFINE_MUTEX(xt_led_mutex);

trunk/net/netfilter/xt_NFQUEUE.c

@@ -83,20 +83,9 @@ nfqueue_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
 	return NF_QUEUE_NR(queue);
 }
 
-static unsigned int
-nfqueue_tg_v2(struct sk_buff *skb, const struct xt_action_param *par)
-{
-	const struct xt_NFQ_info_v2 *info = par->targinfo;
-	unsigned int ret = nfqueue_tg_v1(skb, par);
-
-	if (info->bypass)
-		ret |= NF_VERDICT_FLAG_QUEUE_BYPASS;
-	return ret;
-}
-
-static int nfqueue_tg_check(const struct xt_tgchk_param *par)
+static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
 {
-	const struct xt_NFQ_info_v2 *info = par->targinfo;
+	const struct xt_NFQ_info_v1 *info = par->targinfo;
 	u32 maxid;
 
 	if (unlikely(!rnd_inited)) {
@@ -113,8 +102,6 @@ static int nfqueue_tg_check(const struct xt_tgchk_param *par)
 		       info->queues_total, maxid);
 		return -ERANGE;
 	}
-	if (par->target->revision == 2 && info->bypass > 1)
-		return -EINVAL;
 	return 0;
 }
 
@@ -130,20 +117,11 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = {
 		.name		= "NFQUEUE",
 		.revision	= 1,
 		.family		= NFPROTO_UNSPEC,
-		.checkentry	= nfqueue_tg_check,
+		.checkentry	= nfqueue_tg_v1_check,
 		.target		= nfqueue_tg_v1,
 		.targetsize	= sizeof(struct xt_NFQ_info_v1),
 		.me		= THIS_MODULE,
 	},
-	{
-		.name		= "NFQUEUE",
-		.revision	= 2,
-		.family		= NFPROTO_UNSPEC,
-		.checkentry	= nfqueue_tg_check,
-		.target		= nfqueue_tg_v2,
-		.targetsize	= sizeof(struct xt_NFQ_info_v2),
-		.me		= THIS_MODULE,
-	},
 };
 
 static int __init nfqueue_tg_init(void)

trunk/net/netfilter/xt_cpu.c

@@ -22,6 +22,8 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Eric Dumazet <eric.dumazet@gmail.com>");
 MODULE_DESCRIPTION("Xtables: CPU match");
+MODULE_ALIAS("ipt_cpu");
+MODULE_ALIAS("ip6t_cpu");
 
 static int cpu_mt_check(const struct xt_mtchk_param *par)
 {