From bef537544cb72a92a08a78dee1f75dfe1e7401dc Mon Sep 17 00:00:00 2001 
From: Jacob Keller Date: Thu, 8 Nov 2012 07:07:08 +0000 Subject: [PATCH] --- yaml --- r: 351638 b: refs/heads/master c: dfcc4615f09c33454bc553567f7c7506cae60cb9 h: refs/heads/master v: v3 --- [refs] | 2 +- .../networking/nf_conntrack-sysctl.txt | 176 ---------------- trunk/arch/mips/include/uapi/asm/socket.h | 1 + .../net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 38 ++-- .../net/ethernet/qlogic/qlcnic/qlcnic.h | 20 +- .../net/ethernet/qlogic/qlcnic/qlcnic_ctx.c | 31 --- .../net/ethernet/qlogic/qlcnic/qlcnic_hw.c | 68 ++----- .../net/ethernet/qlogic/qlcnic/qlcnic_io.c | 24 +-- .../net/ethernet/qlogic/qlcnic/qlcnic_main.c | 136 ++----------- .../linux/netfilter/nf_conntrack_sip.h | 3 - .../include/net/netfilter/nf_conntrack_acct.h | 6 +- .../include/net/netfilter/nf_conntrack_core.h | 15 +- .../net/netfilter/nf_conntrack_ecache.h | 19 +- .../net/netfilter/nf_conntrack_expect.h | 7 +- .../net/netfilter/nf_conntrack_extend.h | 4 - .../net/netfilter/nf_conntrack_helper.h | 7 +- .../net/netfilter/nf_conntrack_l3proto.h | 11 +- .../net/netfilter/nf_conntrack_l4proto.h | 10 +- .../net/netfilter/nf_conntrack_labels.h | 58 ------ .../net/netfilter/nf_conntrack_timeout.h | 8 +- .../net/netfilter/nf_conntrack_timestamp.h | 21 +- trunk/include/net/netns/conntrack.h | 4 - trunk/include/uapi/linux/netfilter/Kbuild | 2 - .../linux/netfilter/nf_conntrack_common.h | 1 - .../linux/netfilter/nfnetlink_conntrack.h | 2 - trunk/include/uapi/linux/netfilter/xt_bpf.h | 17 -- .../uapi/linux/netfilter/xt_connlabel.h | 12 -- trunk/net/ipv4/inet_connection_sock.c | 11 +- .../netfilter/nf_conntrack_l3proto_ipv4.c | 82 +++----- .../netfilter/nf_conntrack_l3proto_ipv6.c | 86 +++----- trunk/net/netfilter/Kconfig | 27 --- trunk/net/netfilter/Makefile | 3 - trunk/net/netfilter/nf_conntrack_acct.c | 36 ++-- trunk/net/netfilter/nf_conntrack_core.c | 191 ++++++++---------- trunk/net/netfilter/nf_conntrack_ecache.c | 37 ++-- trunk/net/netfilter/nf_conntrack_expect.c | 53 ++--- 
trunk/net/netfilter/nf_conntrack_helper.c | 53 ++--- trunk/net/netfilter/nf_conntrack_labels.c | 112 ---------- trunk/net/netfilter/nf_conntrack_netlink.c | 88 -------- trunk/net/netfilter/nf_conntrack_proto.c | 92 +++++---- trunk/net/netfilter/nf_conntrack_proto_dccp.c | 43 ++-- trunk/net/netfilter/nf_conntrack_proto_gre.c | 23 +-- trunk/net/netfilter/nf_conntrack_proto_sctp.c | 43 ++-- .../netfilter/nf_conntrack_proto_udplite.c | 40 +--- trunk/net/netfilter/nf_conntrack_sip.c | 17 -- trunk/net/netfilter/nf_conntrack_snmp.c | 1 - trunk/net/netfilter/nf_conntrack_standalone.c | 63 ++---- trunk/net/netfilter/nf_conntrack_timeout.c | 23 ++- trunk/net/netfilter/nf_conntrack_timestamp.c | 39 ++-- trunk/net/netfilter/nf_nat_sip.c | 27 +-- trunk/net/netfilter/xt_bpf.c | 73 ------- trunk/net/netfilter/xt_connlabel.c | 99 --------- 52 files changed, 500 insertions(+), 1565 deletions(-) delete mode 100644 trunk/Documentation/networking/nf_conntrack-sysctl.txt delete mode 100644 trunk/include/net/netfilter/nf_conntrack_labels.h delete mode 100644 trunk/include/uapi/linux/netfilter/xt_bpf.h delete mode 100644 trunk/include/uapi/linux/netfilter/xt_connlabel.h delete mode 100644 trunk/net/netfilter/nf_conntrack_labels.c delete mode 100644 trunk/net/netfilter/xt_bpf.c delete mode 100644 trunk/net/netfilter/xt_connlabel.c diff --git a/[refs] b/[refs] index afabd554ff58..5a95313fd1c0 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: 9c5e0c0bbc5f683ada546af3c39a5a90b156a6f0 +refs/heads/master: dfcc4615f09c33454bc553567f7c7506cae60cb9 diff --git a/trunk/Documentation/networking/nf_conntrack-sysctl.txt b/trunk/Documentation/networking/nf_conntrack-sysctl.txt deleted file mode 100644 index 70da5086153d..000000000000 --- a/trunk/Documentation/networking/nf_conntrack-sysctl.txt +++ /dev/null 
@@ -1,176 +0,0 @@ -/proc/sys/net/netfilter/nf_conntrack_* Variables: - -nf_conntrack_acct - BOOLEAN - 0 - disabled (default) - not 0 - enabled - - Enable connection tracking flow accounting. 64-bit byte and packet - counters per flow are added. - -nf_conntrack_buckets - INTEGER (read-only) - Size of hash table. If not specified as parameter during module - loading, the default size is calculated by dividing total memory - by 16384 to determine the number of buckets but the hash table will - never have fewer than 32 or more than 16384 buckets. - -nf_conntrack_checksum - BOOLEAN - 0 - disabled - not 0 - enabled (default) - - Verify checksum of incoming packets. Packets with bad checksums are - in INVALID state. If this is enabled, such packets will not be - considered for connection tracking. - -nf_conntrack_count - INTEGER (read-only) - Number of currently allocated flow entries. - -nf_conntrack_events - BOOLEAN - 0 - disabled - not 0 - enabled (default) - - If this option is enabled, the connection tracking code will - provide userspace with connection tracking events via ctnetlink. - -nf_conntrack_events_retry_timeout - INTEGER (seconds) - default 15 - - This option is only relevant when "reliable connection tracking - events" are used. Normally, ctnetlink is "lossy", that is, - events are normally dropped when userspace listeners can't keep up. - - Userspace can request "reliable event mode". When this mode is - active, the conntrack will only be destroyed after the event was - delivered. If event delivery fails, the kernel periodically - re-tries to send the event to userspace. - - This is the maximum interval the kernel should use when re-trying - to deliver the destroy event. - - A higher number means there will be fewer delivery retries and it - will take longer for a backlog to be processed. - -nf_conntrack_expect_max - INTEGER - Maximum size of expectation table. Default value is - nf_conntrack_buckets / 256. Minimum is 1. 
- -nf_conntrack_frag6_high_thresh - INTEGER - default 262144 - - Maximum memory used to reassemble IPv6 fragments. When - nf_conntrack_frag6_high_thresh bytes of memory is allocated for this - purpose, the fragment handler will toss packets until - nf_conntrack_frag6_low_thresh is reached. - -nf_conntrack_frag6_low_thresh - INTEGER - default 196608 - - See nf_conntrack_frag6_low_thresh - -nf_conntrack_frag6_timeout - INTEGER (seconds) - default 60 - - Time to keep an IPv6 fragment in memory. - -nf_conntrack_generic_timeout - INTEGER (seconds) - default 600 - - Default for generic timeout. This refers to layer 4 unknown/unsupported - protocols. - -nf_conntrack_helper - BOOLEAN - 0 - disabled - not 0 - enabled (default) - - Enable automatic conntrack helper assignment. - -nf_conntrack_icmp_timeout - INTEGER (seconds) - default 30 - - Default for ICMP timeout. - -nf_conntrack_icmpv6_timeout - INTEGER (seconds) - default 30 - - Default for ICMP6 timeout. - -nf_conntrack_log_invalid - INTEGER - 0 - disable (default) - 1 - log ICMP packets - 6 - log TCP packets - 17 - log UDP packets - 33 - log DCCP packets - 41 - log ICMPv6 packets - 136 - log UDPLITE packets - 255 - log packets of any protocol - - Log invalid packets of a type specified by value. - -nf_conntrack_max - INTEGER - Size of connection tracking table. Default value is - nf_conntrack_buckets value * 4. - -nf_conntrack_tcp_be_liberal - BOOLEAN - 0 - disabled (default) - not 0 - enabled - - Be conservative in what you do, be liberal in what you accept from others. - If it's non-zero, we mark only out of window RST segments as INVALID. - -nf_conntrack_tcp_loose - BOOLEAN - 0 - disabled - not 0 - enabled (default) - - If it is set to zero, we disable picking up already established - connections. - -nf_conntrack_tcp_max_retrans - INTEGER - default 3 - - Maximum number of packets that can be retransmitted without - received an (acceptable) ACK from the destination. 
If this number - is reached, a shorter timer will be started. - -nf_conntrack_tcp_timeout_close - INTEGER (seconds) - default 10 - -nf_conntrack_tcp_timeout_close_wait - INTEGER (seconds) - default 60 - -nf_conntrack_tcp_timeout_established - INTEGER (seconds) - default 432000 (5 days) - -nf_conntrack_tcp_timeout_fin_wait - INTEGER (seconds) - default 120 - -nf_conntrack_tcp_timeout_last_ack - INTEGER (seconds) - default 30 - -nf_conntrack_tcp_timeout_max_retrans - INTEGER (seconds) - default 300 - -nf_conntrack_tcp_timeout_syn_recv - INTEGER (seconds) - default 60 - -nf_conntrack_tcp_timeout_syn_sent - INTEGER (seconds) - default 120 - -nf_conntrack_tcp_timeout_time_wait - INTEGER (seconds) - default 120 - -nf_conntrack_tcp_timeout_unacknowledged - INTEGER (seconds) - default 300 - -nf_conntrack_timestamp - BOOLEAN - 0 - disabled (default) - not 0 - enabled - - Enable connection tracking flow timestamping. - -nf_conntrack_udp_timeout - INTEGER (seconds) - default 30 - -nf_conntrack_udp_timeout_stream2 - INTEGER (seconds) - default 180 - - This extended timeout will be used in case there is an UDP stream - detected. diff --git a/trunk/arch/mips/include/uapi/asm/socket.h b/trunk/arch/mips/include/uapi/asm/socket.h index 3e68bfbda6bc..7e2723637b35 100644 --- a/trunk/arch/mips/include/uapi/asm/socket.h +++ b/trunk/arch/mips/include/uapi/asm/socket.h @@ -29,6 +29,7 @@ socket to transmit pending data. */ #define SO_OOBINLINE 0x0100 /* Receive out-of-band data in-band. */ #define SO_REUSEPORT 0x0200 /* Allow local address and port reuse. */ +#endif #define SO_TYPE 0x1008 /* Compatible name for SO_STYLE. */ #define SO_STYLE SO_TYPE /* Synonym */ diff --git a/trunk/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/trunk/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c index 326858424345..21bc72e99c2e 100644 --- a/trunk/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +++ b/trunk/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c 
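Review bot: The `#endif` added after the `SO_REUSEPORT` define in arch/mips/include/uapi/asm/socket.h has no opening `#if` or `#ifdef` in this hunk's context. Unless a conditional opens above line 29 of the file, the directive is unbalanced and this uapi header will not preprocess, which breaks every MIPS build that includes it. If a conditional does open above the hunk, the directive should name it, for example `#endif /* <condition> */`, so the reader can see what now guards `SO_REUSEPORT`.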
@@ -1837,19 +1837,11 @@ static void ixgbe_diag_test(struct net_device *netdev, struct ethtool_test *eth_test, u64 *data) { struct ixgbe_adapter *adapter = netdev_priv(netdev); + struct ixgbe_hw *hw = &adapter->hw; bool if_running = netif_running(netdev); set_bit(__IXGBE_TESTING, &adapter->state); if (eth_test->flags == ETH_TEST_FL_OFFLINE) { - /* Offline tests */ - - e_info(hw, "offline testing starting\n"); - - /* Link test performed before hardware reset so autoneg doesn't - * interfere with test result */ - if (ixgbe_link_test(adapter, &data[4])) - eth_test->flags |= ETH_TEST_FL_FAILED; - if (adapter->flags & IXGBE_FLAG_SRIOV_ENABLED) { int i; for (i = 0; i < adapter->num_vfs; i++) { @@ -1870,12 +1862,24 @@ static void ixgbe_diag_test(struct net_device *netdev, } } + /* Offline tests */ + e_info(hw, "offline testing starting\n"); + if (if_running) /* indicate we're in test mode */ dev_close(netdev); - else - ixgbe_reset(adapter); + /* bringing adapter down disables SFP+ optics */ + if (hw->mac.ops.enable_tx_laser) + hw->mac.ops.enable_tx_laser(hw); + + /* Link test performed before hardware reset so autoneg doesn't + * interfere with test result + */ + if (ixgbe_link_test(adapter, &data[4])) + eth_test->flags |= ETH_TEST_FL_FAILED; + + ixgbe_reset(adapter); e_info(hw, "register testing starting\n"); if (ixgbe_reg_test(adapter, &data[0])) eth_test->flags |= ETH_TEST_FL_FAILED; 
@@ -1908,16 +1912,22 @@ static void ixgbe_diag_test(struct net_device *netdev, skip_loopback: ixgbe_reset(adapter); + /* clear testing bit and return adapter to previous state */ clear_bit(__IXGBE_TESTING, &adapter->state); if (if_running) dev_open(netdev); } else { e_info(hw, "online testing starting\n"); + + /* if adapter is down, SFP+ optics will be disabled */ + if (!if_running && hw->mac.ops.enable_tx_laser) + hw->mac.ops.enable_tx_laser(hw); + /* Online tests */ if (ixgbe_link_test(adapter, &data[4])) eth_test->flags |= ETH_TEST_FL_FAILED; - /* Online tests aren't run; pass by default */ + /* Offline tests aren't run; pass by default */ data[0] = 0; data[1] = 0; data[2] = 0; @@ -1925,6 +1935,10 @@ static void ixgbe_diag_test(struct net_device *netdev, clear_bit(__IXGBE_TESTING, &adapter->state); } + + /* if adapter was down, ensure SFP+ optics are disabled again */ + if (!if_running && hw->mac.ops.disable_tx_laser) + hw->mac.ops.disable_tx_laser(hw); skip_ol_tests: msleep_interruptible(4 * 1000); } diff --git a/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h b/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h index f71aef58f84d..893cbe8dd8e2 100644 --- a/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h +++ b/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic.h @@ -37,9 +37,9 @@ #include "qlcnic_83xx_hw.h" #define _QLCNIC_LINUX_MAJOR 5 -#define _QLCNIC_LINUX_MINOR 1 -#define _QLCNIC_LINUX_SUBVERSION 32 -#define QLCNIC_LINUX_VERSIONID "5.1.32" +#define _QLCNIC_LINUX_MINOR 0 +#define _QLCNIC_LINUX_SUBVERSION 31 +#define QLCNIC_LINUX_VERSIONID "5.1.31" #define QLCNIC_DRV_IDC_VER 0x01 #define QLCNIC_DRIVER_VERSION ((_QLCNIC_LINUX_MAJOR << 16) |\ (_QLCNIC_LINUX_MINOR << 8) | (_QLCNIC_LINUX_SUBVERSION)) @@ -436,7 +436,6 @@ struct qlcnic_hardware_context { u16 act_pci_func; u32 capabilities; - u32 capabilities2; u32 temp; u32 int_vec_bit; u32 fw_hal_version; 
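Review bot: The version macros in the `@@ -37,9 +37,9 @@` hunk of qlcnic.h no longer agree with each other. `_QLCNIC_LINUX_MINOR` is 0 and `_QLCNIC_LINUX_SUBVERSION` is 31, so `QLCNIC_DRIVER_VERSION` encodes 5.0.31, while `QLCNIC_LINUX_VERSIONID` is the string "5.1.31". Whichever value is intended, the numeric and string forms should match, e.g. `#define _QLCNIC_LINUX_MINOR 1`. Otherwise anything that reads the numeric value sees a different release than the string reports, which makes it harder to match a host against a driver advisory.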
@@ -746,11 +745,6 @@ struct qlcnic_mac_list_s { uint8_t mac_addr[ETH_ALEN+2]; }; -/* MAC Learn */ -#define NO_MAC_LEARN 0 -#define DRV_MAC_LEARN 1 -#define FDB_MAC_LEARN 2 - #define QLCNIC_HOST_REQUEST 0x13 #define QLCNIC_REQUEST 0x14 @@ -804,8 +798,6 @@ struct qlcnic_mac_list_s { #define QLCNIC_FW_CAPABILITY_MORE_CAPS BIT_31 #define QLCNIC_FW_CAPABILITY_2_LRO_MAX_TCP_SEG BIT_2 -#define QLCNIC_FW_CAP2_HW_LRO_IPV6 BIT_3 -#define QLCNIC_FW_CAPABILITY_2_OCBB BIT_5 /* module types */ #define LINKEVENT_MODULE_NOT_PRESENT 1 @@ -986,8 +978,7 @@ struct qlcnic_adapter { u8 mac_addr[ETH_ALEN]; u64 dev_rst_time; - bool drv_mac_learn; - bool fdb_mac_learn; + u8 mac_learn; unsigned long vlans[BITS_TO_LONGS(VLAN_N_VID)]; u8 flash_mfg_id; struct qlcnic_npar_info *npars; @@ -1427,12 +1418,9 @@ void qlcnic_post_rx_buffers(struct qlcnic_adapter *adapter, struct qlcnic_host_rds_ring *rds_ring, u8 ring_id); int qlcnic_process_rcv_ring(struct qlcnic_host_sds_ring *sds_ring, int max); void qlcnic_set_multi(struct net_device *netdev); -int qlcnic_nic_add_mac(struct qlcnic_adapter *, const u8 *); -int qlcnic_nic_del_mac(struct qlcnic_adapter *, const u8 *); void qlcnic_free_mac_list(struct qlcnic_adapter *adapter); int qlcnic_fw_cmd_set_mtu(struct qlcnic_adapter *adapter, int mtu); -int qlcnic_fw_cmd_set_drv_version(struct qlcnic_adapter *); int qlcnic_change_mtu(struct net_device *netdev, int new_mtu); netdev_features_t qlcnic_fix_features(struct net_device *netdev, netdev_features_t features); diff --git a/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c b/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c index 7372964d3a76..ee68fe35a27e 100644 --- a/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c +++ b/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_ctx.c 
@@ -160,37 +160,6 @@ int qlcnic_82xx_issue_cmd(struct qlcnic_adapter *adapter, return cmd->rsp.arg[0]; } -int qlcnic_fw_cmd_set_drv_version(struct qlcnic_adapter *adapter) -{ - struct qlcnic_cmd_args cmd; - u32 arg1, arg2, arg3; - char drv_string[12]; - int err = 0; - - memset(drv_string, 0, sizeof(drv_string)); - snprintf(drv_string, sizeof(drv_string), "%d"".""%d"".""%d", - _QLCNIC_LINUX_MAJOR, _QLCNIC_LINUX_MINOR, - _QLCNIC_LINUX_SUBVERSION); - - qlcnic_alloc_mbx_args(&cmd, adapter, QLCNIC_CMD_SET_DRV_VER); - memcpy(&arg1, drv_string, sizeof(u32)); - memcpy(&arg2, drv_string + 4, sizeof(u32)); - memcpy(&arg3, drv_string + 8, sizeof(u32)); - - cmd.req.arg[1] = arg1; - cmd.req.arg[2] = arg2; - cmd.req.arg[3] = arg3; - - err = qlcnic_issue_cmd(adapter, &cmd); - if (err) { - dev_info(&adapter->pdev->dev, - "Failed to set driver version in firmware\n"); - return -EIO; - } - - return 0; -} - int qlcnic_fw_cmd_set_mtu(struct qlcnic_adapter *adapter, int mtu) { diff --git a/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c b/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c index 6c6ecfc152b8..6f5b5eb2c44a 100644 --- a/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c +++ b/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c 
@@ -446,29 +446,7 @@ int qlcnic_82xx_sre_macaddr_change(struct qlcnic_adapter *adapter, u8 *addr, return qlcnic_send_cmd_descs(adapter, (struct cmd_desc_type0 *)&req, 1); } -int qlcnic_nic_del_mac(struct qlcnic_adapter *adapter, const u8 *addr) -{ - struct list_head *head; - struct qlcnic_mac_list_s *cur; - int err = -EINVAL; - - /* Delete MAC from the existing list */ - list_for_each(head, &adapter->mac_list) { - cur = list_entry(head, struct qlcnic_mac_list_s, list); - if (memcmp(addr, cur->mac_addr, ETH_ALEN) == 0) { - err = qlcnic_sre_macaddr_change(adapter, cur->mac_addr, - 0, QLCNIC_MAC_DEL); - if (err) - return err; - list_del(&cur->list); - kfree(cur); - return err; - } - } - return err; -} - -int qlcnic_nic_add_mac(struct qlcnic_adapter *adapter, const u8 *addr) +static int qlcnic_nic_add_mac(struct qlcnic_adapter *adapter, const u8 *addr) { struct list_head *head; struct qlcnic_mac_list_s *cur; @@ -532,11 +510,11 @@ void qlcnic_set_multi(struct net_device *netdev) } send_fw_cmd: - if (mode == VPORT_MISS_MODE_ACCEPT_ALL && !adapter->fdb_mac_learn) { + if (mode == VPORT_MISS_MODE_ACCEPT_ALL) { qlcnic_alloc_lb_filters_mem(adapter); - adapter->drv_mac_learn = true; + adapter->mac_learn = 1; } else { - adapter->drv_mac_learn = false; + adapter->mac_learn = 0; } qlcnic_nic_set_promisc(adapter, mode); @@ -709,11 +687,6 @@ void qlcnic_82xx_config_intr_coalesce(struct qlcnic_adapter *adapter) "Could not send interrupt coalescing parameters\n"); } -#define QLCNIC_ENABLE_IPV4_LRO 1 -#define QLCNIC_ENABLE_IPV6_LRO 2 -#define QLCNIC_NO_DEST_IPV4_CHECK (1 << 8) -#define QLCNIC_NO_DEST_IPV6_CHECK (2 << 8) - int qlcnic_82xx_config_hw_lro(struct qlcnic_adapter *adapter, int enable) { struct qlcnic_nic_req req; 
@@ -730,15 +703,7 @@ int qlcnic_82xx_config_hw_lro(struct qlcnic_adapter *adapter, int enable) word = QLCNIC_H2C_OPCODE_CONFIG_HW_LRO | ((u64)adapter->portnum << 16); req.req_hdr = cpu_to_le64(word); - word = 0; - if (enable) { - word = QLCNIC_ENABLE_IPV4_LRO | QLCNIC_NO_DEST_IPV4_CHECK; - if (adapter->ahw->capabilities2 & QLCNIC_FW_CAP2_HW_LRO_IPV6) - word |= QLCNIC_ENABLE_IPV6_LRO | - QLCNIC_NO_DEST_IPV6_CHECK; - } - - req.words[0] = cpu_to_le64(word); + req.words[0] = cpu_to_le64(enable); rv = qlcnic_send_cmd_descs(adapter, (struct cmd_desc_type0 *)&req, 1); if (rv != 0) @@ -778,10 +743,7 @@ int qlcnic_config_bridged_mode(struct qlcnic_adapter *adapter, u32 enable) } -#define QLCNIC_RSS_HASHTYPE_IP_TCP 0x3 -#define QLCNIC_ENABLE_TYPE_C_RSS BIT_10 -#define QLCNIC_RSS_FEATURE_FLAG (1ULL << 63) -#define QLCNIC_RSS_IND_TABLE_MASK 0x7ULL +#define RSS_HASHTYPE_IP_TCP 0x3 int qlcnic_82xx_config_rss(struct qlcnic_adapter *adapter, int enable) { @@ -808,19 +770,13 @@ int qlcnic_82xx_config_rss(struct qlcnic_adapter *adapter, int enable) * 7-6: hash_type_ipv6 * 8: enable * 9: use indirection table - * 10: type-c rss - * 11: udp rss - * 47-12: reserved - * 62-48: indirection table mask - * 63: feature flag + * 47-10: reserved + * 63-48: indirection table mask */ - word = ((u64)(QLCNIC_RSS_HASHTYPE_IP_TCP & 0x3) << 4) | - ((u64)(QLCNIC_RSS_HASHTYPE_IP_TCP & 0x3) << 6) | + word = ((u64)(RSS_HASHTYPE_IP_TCP & 0x3) << 4) | + ((u64)(RSS_HASHTYPE_IP_TCP & 0x3) << 6) | ((u64)(enable & 0x1) << 8) | - ((u64)QLCNIC_RSS_IND_TABLE_MASK << 48) | - (u64)QLCNIC_ENABLE_TYPE_C_RSS | - (u64)QLCNIC_RSS_FEATURE_FLAG; - + ((0x7ULL) << 48); req.words[0] = cpu_to_le64(word); for (i = 0; i < 5; i++) req.words[i+1] = cpu_to_le64(key[i]); 
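Review bot: `req.words[0] = cpu_to_le64(enable);` in qlcnic_82xx_config_hw_lro puts the caller's `int` straight into the firmware request word. Any value other than 0 or 1, and through sign extension any negative value, sets bits beyond the enable bit; the removed code shows that at least bit 8 had its own meaning in this word. Unless callers deliberately pass a flag word, clamp at the point of use with `req.words[0] = cpu_to_le64(enable ? 1 : 0);`. The function starts and ends outside this hunk.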
@@ -1402,7 +1358,7 @@ int qlcnic_82xx_config_led(struct qlcnic_adapter *adapter, u32 state, u32 rate) word = QLCNIC_H2C_OPCODE_CONFIG_LED | ((u64)adapter->portnum << 16); req.req_hdr = cpu_to_le64(word); - req.words[0] = cpu_to_le64(((u64)rate << 32) | adapter->portnum); + req.words[0] = cpu_to_le64((u64)rate << 32); req.words[1] = cpu_to_le64(state); rv = qlcnic_send_cmd_descs(adapter, (struct cmd_desc_type0 *)&req, 1); diff --git a/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c b/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c index fdf34836ef41..383ecd20d9b5 100644 --- a/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c +++ b/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_io.c @@ -521,7 +521,7 @@ netdev_tx_t qlcnic_xmit_frame(struct sk_buff *skb, struct net_device *netdev) if (unlikely(qlcnic_tx_pkt(adapter, first_desc, skb))) goto unwind_buff; - if (adapter->drv_mac_learn) + if (adapter->mac_learn) qlcnic_send_filter(adapter, first_desc, skb); adapter->stats.txbytes += skb->len; @@ -973,7 +973,6 @@ qlcnic_process_lro(struct qlcnic_adapter *adapter, struct sk_buff *skb; struct qlcnic_host_rds_ring *rds_ring; struct iphdr *iph; - struct ipv6hdr *ipv6h; struct tcphdr *th; bool push, timestamp; int index, l2_hdr_offset, l4_hdr_offset; 
@@ -1017,21 +1016,12 @@ qlcnic_process_lro(struct qlcnic_adapter *adapter, } skb->protocol = eth_type_trans(skb, netdev); - - if (htons(skb->protocol) == ETH_P_IPV6) { - ipv6h = (struct ipv6hdr *)skb->data; - th = (struct tcphdr *)(skb->data + sizeof(struct ipv6hdr)); - length = (th->doff << 2) + lro_length; - ipv6h->payload_len = htons(length); - } else { - iph = (struct iphdr *)skb->data; - th = (struct tcphdr *)(skb->data + (iph->ihl << 2)); - length = (iph->ihl << 2) + (th->doff << 2) + lro_length; - iph->tot_len = htons(length); - iph->check = 0; - iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl); - } - + iph = (struct iphdr *)skb->data; + th = (struct tcphdr *)(skb->data + (iph->ihl << 2)); + length = (iph->ihl << 2) + (th->doff << 2) + lro_length; + iph->tot_len = htons(length); + iph->check = 0; + iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl); th->psh = push; th->seq = htonl(seq_number); length = skb->len; diff --git a/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c index e6b363a7664f..fb7ac8ecd45a 100644 --- a/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c +++ b/trunk/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c @@ -32,8 +32,7 @@ static const char qlcnic_driver_string[] = "QLogic 1/10 GbE " static int qlcnic_mac_learn; module_param(qlcnic_mac_learn, int, 0444); -MODULE_PARM_DESC(qlcnic_mac_learn, - "Mac Filter (0=learning is disabled, 1=Driver learning is enabled, 2=FDB learning is enabled)"); +MODULE_PARM_DESC(qlcnic_mac_learn, "Mac Filter (0=disabled, 1=enabled)"); int qlcnic_use_msi = 1; MODULE_PARM_DESC(use_msi, "MSI interrupt (0=disabled, 1=enabled"); 
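Review bot: qlcnic_process_lro (`@@ -1017,21 +1016,12 @@`) now casts `skb->data` to `struct iphdr` for every aggregated frame without checking `skb->protocol` or that the IP and TCP headers fit in the received length. It then writes `iph->tot_len`, `iph->check`, `th->psh` and `th->seq` at offsets derived from the packet's own `iph->ihl`. If the adapter ever completes an LRO descriptor for a non-IPv4 frame, or for one with a bogus `ihl`, those writes land on unrelated bytes. A guard before the cast, such as testing `skb->protocol == htons(ETH_P_IP)` and `pskb_may_pull(skb, sizeof(struct iphdr))` and dropping the frame otherwise, would bound this. The function body starts and ends outside the hunk, so the right drop path needs to be confirmed there.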
@@ -247,77 +246,6 @@ static int qlcnic_set_mac(struct net_device *netdev, void *p) return 0; } -static int qlcnic_fdb_del(struct ndmsg *ndm, struct net_device *netdev, - const unsigned char *addr) -{ - struct qlcnic_adapter *adapter = netdev_priv(netdev); - int err = -EOPNOTSUPP; - - if (!adapter->fdb_mac_learn) { - pr_info("%s: Driver mac learn is enabled, FDB operation not allowed\n", - __func__); - return err; - } - - if (adapter->flags & QLCNIC_ESWITCH_ENABLED) { - if (is_unicast_ether_addr(addr)) - err = qlcnic_nic_del_mac(adapter, addr); - else if (is_multicast_ether_addr(addr)) - err = dev_mc_del(netdev, addr); - else - err = -EINVAL; - } - return err; -} - -static int qlcnic_fdb_add(struct ndmsg *ndm, struct nlattr *tb[], - struct net_device *netdev, - const unsigned char *addr, u16 flags) -{ - struct qlcnic_adapter *adapter = netdev_priv(netdev); - int err = 0; - - if (!adapter->fdb_mac_learn) { - pr_info("%s: Driver mac learn is enabled, FDB operation not allowed\n", - __func__); - return -EOPNOTSUPP; - } - - if (!(adapter->flags & QLCNIC_ESWITCH_ENABLED)) { - pr_info("%s: FDB e-switch is not enabled\n", __func__); - return -EOPNOTSUPP; - } - - if (ether_addr_equal(addr, adapter->mac_addr)) - return err; - - if (is_unicast_ether_addr(addr)) - err = qlcnic_nic_add_mac(adapter, addr); - else if (is_multicast_ether_addr(addr)) - err = dev_mc_add_excl(netdev, addr); - else - err = -EINVAL; - - return err; -} - -static int qlcnic_fdb_dump(struct sk_buff *skb, struct netlink_callback *ncb, - struct net_device *netdev, int idx) -{ - struct qlcnic_adapter *adapter = netdev_priv(netdev); - - if (!adapter->fdb_mac_learn) { - pr_info("%s: Driver mac learn is enabled, FDB operation not allowed\n", - __func__); - return -EOPNOTSUPP; - } - - if (adapter->flags & QLCNIC_ESWITCH_ENABLED) - idx = ndo_dflt_fdb_dump(skb, ncb, netdev, idx); - - return idx; -} - static void qlcnic_82xx_cancel_idc_work(struct qlcnic_adapter *adapter) { while 
(test_and_set_bit(__QLCNIC_RESETTING, &adapter->state)) @@ -340,9 +268,6 @@ static const struct net_device_ops qlcnic_netdev_ops = { .ndo_tx_timeout = qlcnic_tx_timeout, .ndo_vlan_rx_add_vid = qlcnic_vlan_rx_add, .ndo_vlan_rx_kill_vid = qlcnic_vlan_rx_del, - .ndo_fdb_add = qlcnic_fdb_add, - .ndo_fdb_del = qlcnic_fdb_del, - .ndo_fdb_dump = qlcnic_fdb_dump, #ifdef CONFIG_NET_POLL_CONTROLLER .ndo_poll_controller = qlcnic_poll_controller, #endif @@ -470,9 +395,8 @@ int qlcnic_enable_msix(struct qlcnic_adapter *adapter, u32 num_msix) return err; } -static int qlcnic_enable_msi_legacy(struct qlcnic_adapter *adapter) +static void qlcnic_enable_msi_legacy(struct qlcnic_adapter *adapter) { - int err = 0; u32 offset, mask_reg; const struct qlcnic_legacy_intr_set *legacy_intrp; struct qlcnic_hardware_context *ahw = adapter->ahw; @@ -485,10 +409,8 @@ static int qlcnic_enable_msi_legacy(struct qlcnic_adapter *adapter) offset); dev_info(&pdev->dev, "using msi interrupts\n"); adapter->msix_entries[0].vector = pdev->irq; - return err; + return; } - if (qlcnic_use_msi || qlcnic_use_msi_x) - return -EOPNOTSUPP; legacy_intrp = &legacy_intr[adapter->ahw->pci_func]; adapter->ahw->int_vec_bit = legacy_intrp->int_vec_bit; @@ -500,12 +422,11 @@ static int qlcnic_enable_msi_legacy(struct qlcnic_adapter *adapter) adapter->crb_int_state_reg = qlcnic_get_ioaddr(ahw, ISR_INT_STATE_REG); dev_info(&pdev->dev, "using legacy interrupts\n"); adapter->msix_entries[0].vector = pdev->irq; - return err; } int qlcnic_82xx_setup_intr(struct qlcnic_adapter *adapter, u8 num_intr) { - int num_msix, err = 0; + int num_msix, err; if (!num_intr) num_intr = QLCNIC_DEF_NUM_STS_DESC_RINGS; @@ -520,11 +441,8 @@ int qlcnic_82xx_setup_intr(struct qlcnic_adapter *adapter, u8 num_intr) if (err == -ENOMEM || !err) return err; - err = qlcnic_enable_msi_legacy(adapter); - if (!err) - return err; - - return -EIO; + qlcnic_enable_msi_legacy(adapter); + return 0; } void qlcnic_teardown_intr(struct qlcnic_adapter *adapter) 
@@ -863,12 +781,6 @@ qlcnic_initialize_nic(struct qlcnic_adapter *adapter) adapter->ahw->max_tx_ques = nic_info.max_tx_ques; adapter->ahw->max_rx_ques = nic_info.max_rx_ques; adapter->ahw->capabilities = nic_info.capabilities; - - if (adapter->ahw->capabilities & QLCNIC_FW_CAPABILITY_MORE_CAPS) { - u32 temp; - temp = QLCRD32(adapter, CRB_FW_CAPABILITIES_2); - adapter->ahw->capabilities2 = temp; - } adapter->ahw->max_mac_filters = nic_info.max_mac_filters; adapter->ahw->max_mtu = nic_info.max_mtu; @@ -1812,7 +1724,6 @@ qlcnic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) struct qlcnic_adapter *adapter = NULL; struct qlcnic_hardware_context *ahw; int err, pci_using_dac = -1; - u32 capab2; char board_name[QLCNIC_MAX_BOARD_NAME_LEN]; err = pci_enable_device(pdev); @@ -1877,10 +1788,7 @@ qlcnic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) adapter->dev_rst_time = jiffies; adapter->ahw->revision_id = pdev->revision; - if (qlcnic_mac_learn == FDB_MAC_LEARN) - adapter->fdb_mac_learn = true; - else if (qlcnic_mac_learn == DRV_MAC_LEARN) - adapter->drv_mac_learn = true; + adapter->mac_learn = qlcnic_mac_learn; adapter->max_drv_tx_rings = 1; rwlock_init(&adapter->ahw->crb_lock); @@ -1928,10 +1836,8 @@ qlcnic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) board_name, adapter->ahw->revision_id); } err = qlcnic_setup_intr(adapter, 0); - if (err) { - dev_err(&pdev->dev, "Failed to setup interrupt\n"); + if (err) goto err_out_disable_msi; - } if (qlcnic_83xx_check(adapter)) { err = qlcnic_83xx_setup_mbx_intr(adapter); 
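Review bot: `adapter->mac_learn = qlcnic_mac_learn;` in qlcnic_probe (`@@ -1877,10 +1788,7 @@`) stores an unvalidated `int` module parameter in the `u8 mac_learn` field declared in qlcnic.h. A value such as 256 silently truncates to 0, and any other non-zero value, including negatives, enables learning, although the parameter description documents only 0 and 1. Normalising at the assignment, `adapter->mac_learn = !!qlcnic_mac_learn;`, keeps the field to the documented values. qlcnic_probe starts and ends outside this hunk.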
@@ -1943,14 +1849,6 @@ qlcnic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) if (err) goto err_out_disable_mbx_intr; - if (qlcnic_82xx_check(adapter)) { - if (ahw->capabilities & QLCNIC_FW_CAPABILITY_MORE_CAPS) { - capab2 = QLCRD32(adapter, CRB_FW_CAPABILITIES_2); - if (capab2 & QLCNIC_FW_CAPABILITY_2_OCBB) - qlcnic_fw_cmd_set_drv_version(adapter); - } - } - pci_set_drvdata(pdev, adapter); if (qlcnic_82xx_check(adapter)) @@ -1971,7 +1869,7 @@ qlcnic_probe(struct pci_dev *pdev, const struct pci_device_id *ent) if (qlcnic_get_act_pci_func(adapter)) goto err_out_disable_mbx_intr; - if (adapter->drv_mac_learn) + if (adapter->mac_learn) qlcnic_alloc_lb_filters_mem(adapter); qlcnic_add_sysfs(adapter); @@ -2220,7 +2118,7 @@ void qlcnic_alloc_lb_filters_mem(struct qlcnic_adapter *adapter) } head = kcalloc(adapter->fhash.fbucket_size, - sizeof(struct hlist_head), GFP_ATOMIC); + sizeof(struct hlist_head), GFP_KERNEL); if (!head) return; @@ -3063,12 +2961,6 @@ static int qlcnic_attach_func(struct pci_dev *pdev) adapter->msix_entries = NULL; err = qlcnic_setup_intr(adapter, 0); - if (err) { - kfree(adapter->msix_entries); - netdev_err(netdev, "failed to setup interrupt\n"); - return err; - } - if (qlcnic_83xx_check(adapter)) { err = qlcnic_83xx_setup_mbx_intr(adapter); if (err) { @@ -3224,11 +3116,9 @@ int qlcnic_set_max_rss(struct qlcnic_adapter *adapter, u8 data, size_t len) qlcnic_detach(adapter); qlcnic_teardown_intr(adapter); err = qlcnic_setup_intr(adapter, data); - if (err) { - kfree(adapter->msix_entries); - netdev_err(netdev, "failed to setup interrupt\n"); - return err; - } + if (err) + dev_err(&adapter->pdev->dev, + "failed setting max_rss; rss disabled\n"); if (qlcnic_83xx_check(adapter)) { err = qlcnic_83xx_setup_mbx_intr(adapter); diff --git a/trunk/include/linux/netfilter/nf_conntrack_sip.h b/trunk/include/linux/netfilter/nf_conntrack_sip.h index ba7f571a2b1c..387bdd02945d 100644 --- a/trunk/include/linux/netfilter/nf_conntrack_sip.h 
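Review bot: The `GFP_KERNEL` allocation in qlcnic_alloc_lb_filters_mem (`@@ -2220,7 +2118,7 @@`) can sleep, but this commit also calls the function from the `send_fw_cmd:` path of qlcnic_set_multi in qlcnic_hw.c. If qlcnic_set_multi is the driver's rx-mode callback, the network core calls it with the address-list spinlock held, where a sleeping allocation is not allowed. Keeping the previous flag, `sizeof(struct hlist_head), GFP_ATOMIC);`, is safe for both the probe-time and the rx-mode callers. The function body extends beyond this hunk.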
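Review bot: In qlcnic_attach_func (`@@ -3063,12 +2961,6 @@`) the result of `qlcnic_setup_intr(adapter, 0)` is assigned to `err` and never tested. qlcnic_82xx_setup_intr in this same commit can still return `-ENOMEM` from the MSI-X attempt, so the function may continue with `adapter->msix_entries` still NULL from the line just above. qlcnic_set_max_rss (`@@ -3224,11 +3116,9 @@`) has the same problem: it logs the failure and carries on into the mailbox-interrupt setup. An early exit, `if (err) return err;`, in both places would keep a failed interrupt setup from reaching the later code. Both functions extend beyond their hunks.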
+++ b/trunk/include/linux/netfilter/nf_conntrack_sip.h @@ -4,15 +4,12 @@ #include -#include - #define SIP_PORT 5060 #define SIP_TIMEOUT 3600 struct nf_ct_sip_master { unsigned int register_cseq; unsigned int invite_cseq; - __be16 forced_dport; }; enum sip_expectation_classes { diff --git a/trunk/include/net/netfilter/nf_conntrack_acct.h b/trunk/include/net/netfilter/nf_conntrack_acct.h index 2bdb7a15fe06..463ae8e16696 100644 --- a/trunk/include/net/netfilter/nf_conntrack_acct.h +++ b/trunk/include/net/netfilter/nf_conntrack_acct.h @@ -57,9 +57,7 @@ static inline void nf_ct_set_acct(struct net *net, bool enable) net->ct.sysctl_acct = enable; } -extern int nf_conntrack_acct_pernet_init(struct net *net); -extern void nf_conntrack_acct_pernet_fini(struct net *net); +extern int nf_conntrack_acct_init(struct net *net); +extern void nf_conntrack_acct_fini(struct net *net); -extern int nf_conntrack_acct_init(void); -extern void nf_conntrack_acct_fini(void); #endif /* _NF_CONNTRACK_ACCT_H */ diff --git a/trunk/include/net/netfilter/nf_conntrack_core.h b/trunk/include/net/netfilter/nf_conntrack_core.h index 930275fa2ea6..e98aeb3da033 100644 --- a/trunk/include/net/netfilter/nf_conntrack_core.h +++ b/trunk/include/net/netfilter/nf_conntrack_core.h 
@@ -25,19 +25,12 @@ extern unsigned int nf_conntrack_in(struct net *net, unsigned int hooknum, struct sk_buff *skb); -extern int nf_conntrack_init_net(struct net *net); -extern void nf_conntrack_cleanup_net(struct net *net); +extern int nf_conntrack_init(struct net *net); +extern void nf_conntrack_cleanup(struct net *net); -extern int nf_conntrack_proto_pernet_init(struct net *net); -extern void nf_conntrack_proto_pernet_fini(struct net *net); +extern int nf_conntrack_proto_init(struct net *net); +extern void nf_conntrack_proto_fini(struct net *net); -extern int nf_conntrack_proto_init(void); -extern void nf_conntrack_proto_fini(void); - -extern int nf_conntrack_init_start(void); -extern void nf_conntrack_cleanup_start(void); - -extern void nf_conntrack_init_end(void); extern void nf_conntrack_cleanup_end(void); extern bool diff --git a/trunk/include/net/netfilter/nf_conntrack_ecache.h b/trunk/include/net/netfilter/nf_conntrack_ecache.h index 092dc651689f..5654d292efd4 100644 --- a/trunk/include/net/netfilter/nf_conntrack_ecache.h +++ b/trunk/include/net/netfilter/nf_conntrack_ecache.h @@ -207,11 +207,9 @@ nf_ct_expect_event(enum ip_conntrack_expect_events event, nf_ct_expect_event_report(event, exp, 0, 0); } -extern int nf_conntrack_ecache_pernet_init(struct net *net); -extern void nf_conntrack_ecache_pernet_fini(struct net *net); +extern int nf_conntrack_ecache_init(struct net *net); +extern void nf_conntrack_ecache_fini(struct net *net); -extern int nf_conntrack_ecache_init(void); -extern void nf_conntrack_ecache_fini(void); #else /* CONFIG_NF_CONNTRACK_EVENTS */ static inline void nf_conntrack_event_cache(enum ip_conntrack_events event, 
@@ -234,21 +232,12 @@ static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events e, u32 portid, int report) {} -static inline int nf_conntrack_ecache_pernet_init(struct net *net) +static inline int nf_conntrack_ecache_init(struct net *net) { return 0; } -static inline void nf_conntrack_ecache_pernet_fini(struct net *net) -{ -} - -static inline int nf_conntrack_ecache_init(void) -{ - return 0; -} - -static inline void nf_conntrack_ecache_fini(void) +static inline void nf_conntrack_ecache_fini(struct net *net) { } #endif /* CONFIG_NF_CONNTRACK_EVENTS */ diff --git a/trunk/include/net/netfilter/nf_conntrack_expect.h b/trunk/include/net/netfilter/nf_conntrack_expect.h index cbbae7621e22..cc13f377a705 100644 --- a/trunk/include/net/netfilter/nf_conntrack_expect.h +++ b/trunk/include/net/netfilter/nf_conntrack_expect.h @@ -69,11 +69,8 @@ struct nf_conntrack_expect_policy { #define NF_CT_EXPECT_CLASS_DEFAULT 0 -int nf_conntrack_expect_pernet_init(struct net *net); -void nf_conntrack_expect_pernet_fini(struct net *net); - -int nf_conntrack_expect_init(void); -void nf_conntrack_expect_fini(void); +int nf_conntrack_expect_init(struct net *net); +void nf_conntrack_expect_fini(struct net *net); struct nf_conntrack_expect * __nf_ct_expect_find(struct net *net, u16 zone, diff --git a/trunk/include/net/netfilter/nf_conntrack_extend.h b/trunk/include/net/netfilter/nf_conntrack_extend.h index 977bc8a46444..8b4d1fc29096 100644 --- a/trunk/include/net/netfilter/nf_conntrack_extend.h +++ b/trunk/include/net/netfilter/nf_conntrack_extend.h @@ -22,9 +22,6 @@ enum nf_ct_ext_id { #endif #ifdef CONFIG_NF_CONNTRACK_TIMEOUT NF_CT_EXT_TIMEOUT, -#endif -#ifdef CONFIG_NF_CONNTRACK_LABELS - NF_CT_EXT_LABELS, #endif NF_CT_EXT_NUM, }; 
@@ -36,7 +33,6 @@ enum nf_ct_ext_id { #define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone #define NF_CT_EXT_TSTAMP_TYPE struct nf_conn_tstamp #define NF_CT_EXT_TIMEOUT_TYPE struct nf_conn_timeout -#define NF_CT_EXT_LABELS_TYPE struct nf_conn_labels /* Extensions: optional stuff which isn't permanently in struct. */ struct nf_ct_ext { diff --git a/trunk/include/net/netfilter/nf_conntrack_helper.h b/trunk/include/net/netfilter/nf_conntrack_helper.h index ce27edf57570..9aad956d1008 100644 --- a/trunk/include/net/netfilter/nf_conntrack_helper.h +++ b/trunk/include/net/netfilter/nf_conntrack_helper.h @@ -82,11 +82,8 @@ static inline void *nfct_help_data(const struct nf_conn *ct) return (void *)help->data; } -extern int nf_conntrack_helper_pernet_init(struct net *net); -extern void nf_conntrack_helper_pernet_fini(struct net *net); - -extern int nf_conntrack_helper_init(void); -extern void nf_conntrack_helper_fini(void); +extern int nf_conntrack_helper_init(struct net *net); +extern void nf_conntrack_helper_fini(struct net *net); extern int nf_conntrack_broadcast_help(struct sk_buff *skb, unsigned int protoff, diff --git a/trunk/include/net/netfilter/nf_conntrack_l3proto.h b/trunk/include/net/netfilter/nf_conntrack_l3proto.h index 3bb89eac3fa1..6f7c13f4ac03 100644 --- a/trunk/include/net/netfilter/nf_conntrack_l3proto.h +++ b/trunk/include/net/netfilter/nf_conntrack_l3proto.h 
@@ -76,16 +76,11 @@ struct nf_conntrack_l3proto { extern struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[AF_MAX]; -/* Protocol pernet registration. */ -extern int nf_ct_l3proto_pernet_register(struct net *net, +/* Protocol registration. */ +extern int nf_conntrack_l3proto_register(struct net *net, struct nf_conntrack_l3proto *proto); -extern void nf_ct_l3proto_pernet_unregister(struct net *net, +extern void nf_conntrack_l3proto_unregister(struct net *net, struct nf_conntrack_l3proto *proto); - -/* Protocol global registration. */ -extern int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto); -extern void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto); - extern struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto); extern void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p); diff --git a/trunk/include/net/netfilter/nf_conntrack_l4proto.h b/trunk/include/net/netfilter/nf_conntrack_l4proto.h index 914d8d900798..c3be4aef6bf7 100644 --- a/trunk/include/net/netfilter/nf_conntrack_l4proto.h +++ b/trunk/include/net/netfilter/nf_conntrack_l4proto.h 
@@ -121,16 +121,12 @@ extern struct nf_conntrack_l4proto * nf_ct_l4proto_find_get(u_int16_t l3proto, u_int8_t l4proto); extern void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p); -/* Protocol pernet registration. */ -extern int nf_ct_l4proto_pernet_register(struct net *net, +/* Protocol registration. */ +extern int nf_conntrack_l4proto_register(struct net *net, struct nf_conntrack_l4proto *proto); -extern void nf_ct_l4proto_pernet_unregister(struct net *net, +extern void nf_conntrack_l4proto_unregister(struct net *net, struct nf_conntrack_l4proto *proto); -/* Protocol global registration. */ -extern int nf_ct_l4proto_register(struct nf_conntrack_l4proto *proto); -extern void nf_ct_l4proto_unregister(struct nf_conntrack_l4proto *proto); - static inline void nf_ct_kfree_compat_sysctl_table(struct nf_proto_net *pn) { #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) diff --git a/trunk/include/net/netfilter/nf_conntrack_labels.h b/trunk/include/net/netfilter/nf_conntrack_labels.h deleted file mode 100644 index c985695283b3..000000000000 --- a/trunk/include/net/netfilter/nf_conntrack_labels.h +++ /dev/null 
@@ -1,58 +0,0 @@ -#include -#include -#include -#include -#include -#include - -#include - -struct nf_conn_labels { - u8 words; - unsigned long bits[]; -}; - -static inline struct nf_conn_labels *nf_ct_labels_find(const struct nf_conn *ct) -{ -#ifdef CONFIG_NF_CONNTRACK_LABELS - return nf_ct_ext_find(ct, NF_CT_EXT_LABELS); -#else - return NULL; -#endif -} - -static inline struct nf_conn_labels *nf_ct_labels_ext_add(struct nf_conn *ct) -{ -#ifdef CONFIG_NF_CONNTRACK_LABELS - struct nf_conn_labels *cl_ext; - struct net *net = nf_ct_net(ct); - u8 words; - - words = ACCESS_ONCE(net->ct.label_words); - if (words == 0 || WARN_ON_ONCE(words > 8)) - return NULL; - - cl_ext = nf_ct_ext_add_length(ct, NF_CT_EXT_LABELS, - words * sizeof(long), GFP_ATOMIC); - if (cl_ext != NULL) - cl_ext->words = words; - - return cl_ext; -#else - return NULL; -#endif -} - -bool nf_connlabel_match(const struct nf_conn *ct, u16 bit); -int nf_connlabel_set(struct nf_conn *ct, u16 bit); - -int nf_connlabels_replace(struct nf_conn *ct, - const u32 *data, const u32 *mask, unsigned int words); - -#ifdef CONFIG_NF_CONNTRACK_LABELS -int nf_conntrack_labels_init(void); -void nf_conntrack_labels_fini(void); -#else -static inline int nf_conntrack_labels_init(void) { return 0; } -static inline void nf_conntrack_labels_fini(void) {} -#endif diff --git a/trunk/include/net/netfilter/nf_conntrack_timeout.h b/trunk/include/net/netfilter/nf_conntrack_timeout.h index d23aceb16d94..e41e472d08f2 100644 --- a/trunk/include/net/netfilter/nf_conntrack_timeout.h +++ b/trunk/include/net/netfilter/nf_conntrack_timeout.h 
@@ -76,15 +76,15 @@ nf_ct_timeout_lookup(struct net *net, struct nf_conn *ct, } #ifdef CONFIG_NF_CONNTRACK_TIMEOUT -extern int nf_conntrack_timeout_init(void); -extern void nf_conntrack_timeout_fini(void); +extern int nf_conntrack_timeout_init(struct net *net); +extern void nf_conntrack_timeout_fini(struct net *net); #else -static inline int nf_conntrack_timeout_init(void) +static inline int nf_conntrack_timeout_init(struct net *net) { return 0; } -static inline void nf_conntrack_timeout_fini(void) +static inline void nf_conntrack_timeout_fini(struct net *net) { return; } diff --git a/trunk/include/net/netfilter/nf_conntrack_timestamp.h b/trunk/include/net/netfilter/nf_conntrack_timestamp.h index b00461413efd..fc9c82b1f06b 100644 --- a/trunk/include/net/netfilter/nf_conntrack_timestamp.h +++ b/trunk/include/net/netfilter/nf_conntrack_timestamp.h @@ -48,28 +48,15 @@ static inline void nf_ct_set_tstamp(struct net *net, bool enable) } #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP -extern int nf_conntrack_tstamp_pernet_init(struct net *net); -extern void nf_conntrack_tstamp_pernet_fini(struct net *net); - -extern int nf_conntrack_tstamp_init(void); -extern void nf_conntrack_tstamp_fini(void); +extern int nf_conntrack_tstamp_init(struct net *net); +extern void nf_conntrack_tstamp_fini(struct net *net); #else -static inline int nf_conntrack_tstamp_pernet_init(struct net *net) -{ - return 0; -} - -static inline void nf_conntrack_tstamp_pernet_fini(struct net *net) -{ - return; -} - -static inline int nf_conntrack_tstamp_init(void) +static inline int nf_conntrack_tstamp_init(struct net *net) { return 0; } -static inline void nf_conntrack_tstamp_fini(void) +static inline void nf_conntrack_tstamp_fini(struct net *net) { return; } diff --git a/trunk/include/net/netns/conntrack.h b/trunk/include/net/netns/conntrack.h index c9c0c538b68b..923cb20051ed 100644 --- a/trunk/include/net/netns/conntrack.h +++ b/trunk/include/net/netns/conntrack.h 
@@ -84,10 +84,6 @@ struct netns_ct { int sysctl_auto_assign_helper; bool auto_assign_helper_warned; struct nf_ip_net nf_ct_proto; -#if defined(CONFIG_NF_CONNTRACK_LABELS) - unsigned int labels_used; - u8 label_words; -#endif #ifdef CONFIG_NF_NAT_NEEDED struct hlist_head *nat_bysource; unsigned int nat_htable_size; diff --git a/trunk/include/uapi/linux/netfilter/Kbuild b/trunk/include/uapi/linux/netfilter/Kbuild index 41115776d76f..08f555fef13f 100644 --- a/trunk/include/uapi/linux/netfilter/Kbuild +++ b/trunk/include/uapi/linux/netfilter/Kbuild @@ -35,11 +35,9 @@ header-y += xt_TCPOPTSTRIP.h header-y += xt_TEE.h header-y += xt_TPROXY.h header-y += xt_addrtype.h -header-y += xt_bpf.h header-y += xt_cluster.h header-y += xt_comment.h header-y += xt_connbytes.h -header-y += xt_connlabel.h header-y += xt_connlimit.h header-y += xt_connmark.h header-y += xt_conntrack.h diff --git a/trunk/include/uapi/linux/netfilter/nf_conntrack_common.h b/trunk/include/uapi/linux/netfilter/nf_conntrack_common.h index d69483fb3825..1644cdd8be91 100644 --- a/trunk/include/uapi/linux/netfilter/nf_conntrack_common.h +++ b/trunk/include/uapi/linux/netfilter/nf_conntrack_common.h @@ -101,7 +101,6 @@ enum ip_conntrack_events { IPCT_MARK, /* new mark has been set */ IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ IPCT_SECMARK, /* new security mark has been set */ - IPCT_LABEL, /* new connlabel has been set */ }; enum ip_conntrack_expect_events { diff --git a/trunk/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/trunk/include/uapi/linux/netfilter/nfnetlink_conntrack.h index 08fabc6c93f3..86e930cf3dfb 100644 --- a/trunk/include/uapi/linux/netfilter/nfnetlink_conntrack.h +++ b/trunk/include/uapi/linux/netfilter/nfnetlink_conntrack.h @@ -49,8 +49,6 @@ enum ctattr_type { CTA_SECCTX, CTA_TIMESTAMP, CTA_MARK_MASK, - CTA_LABELS, - CTA_LABELS_MASK, __CTA_MAX }; #define CTA_MAX (__CTA_MAX - 1) 
diff --git a/trunk/include/uapi/linux/netfilter/xt_bpf.h b/trunk/include/uapi/linux/netfilter/xt_bpf.h deleted file mode 100644 index 5dda450eb55b..000000000000 --- a/trunk/include/uapi/linux/netfilter/xt_bpf.h +++ /dev/null @@ -1,17 +0,0 @@ -#ifndef _XT_BPF_H -#define _XT_BPF_H - -#include -#include - -#define XT_BPF_MAX_NUM_INSTR 64 - -struct xt_bpf_info { - __u16 bpf_program_num_elem; - struct sock_filter bpf_program[XT_BPF_MAX_NUM_INSTR]; - - /* only used in the kernel */ - struct sk_filter *filter __attribute__((aligned(8))); -}; - -#endif /*_XT_BPF_H */ diff --git a/trunk/include/uapi/linux/netfilter/xt_connlabel.h b/trunk/include/uapi/linux/netfilter/xt_connlabel.h deleted file mode 100644 index c4bc9ee9b330..000000000000 --- a/trunk/include/uapi/linux/netfilter/xt_connlabel.h +++ /dev/null @@ -1,12 +0,0 @@ -#include - -#define XT_CONNLABEL_MAXBIT 127 -enum xt_connlabel_mtopts { - XT_CONNLABEL_OP_INVERT = 1 << 0, - XT_CONNLABEL_OP_SET = 1 << 1, -}; - -struct xt_connlabel_mtinfo { - __u16 bit; - __u16 options; -}; diff --git a/trunk/net/ipv4/inet_connection_sock.c b/trunk/net/ipv4/inet_connection_sock.c index 11cb4979a465..8bb623d357ad 100644 --- a/trunk/net/ipv4/inet_connection_sock.c +++ b/trunk/net/ipv4/inet_connection_sock.c @@ -204,8 +204,7 @@ int inet_csk_get_port(struct sock *sk, unsigned short snum) ret = 1; if (inet_csk(sk)->icsk_af_ops->bind_conflict(sk, tb, true)) { if (((sk->sk_reuse && sk->sk_state != TCP_LISTEN) || - (tb->fastreuseport > 0 && - sk->sk_reuseport && uid_eq(tb->fastuid, uid))) && + (sk->sk_reuseport && uid_eq(tb->fastuid, uid))) && smallest_size != -1 && --attempts >= 0) { spin_unlock(&head->lock); goto again; 
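Review bot: The retry condition in inet_csk_get_port() now reads `(sk->sk_reuseport && uid_eq(tb->fastuid, uid))` with no test of `tb->fastreuseport`, so the decision rests on the stored uid alone. The next hunk resets `tb->fastuid` to 0 when fast reuseport is cleared, and 0 is also the root uid, so a root-owned SO_REUSEPORT socket would appear to match a bucket whose fast-reuseport state is off. Keeping the guard, `(tb->fastreuseport > 0 && sk->sk_reuseport && uid_eq(tb->fastuid, uid))`, makes the uid comparison count only while the bucket has a recorded owner. The function starts and ends outside the hunk, so the effect on the port search is inferred from these lines only.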
@@ -228,15 +227,19 @@ int inet_csk_get_port(struct sock *sk, unsigned short snum) if (sk->sk_reuseport) { tb->fastreuseport = 1; tb->fastuid = uid; - } else + } else { tb->fastreuseport = 0; + tb->fastuid = 0; + } } else { if (tb->fastreuse && (!sk->sk_reuse || sk->sk_state == TCP_LISTEN)) tb->fastreuse = 0; if (tb->fastreuseport && - (!sk->sk_reuseport || !uid_eq(tb->fastuid, uid))) + (!sk->sk_reuseport || !uid_eq(tb->fastuid, uid))) { tb->fastreuseport = 0; + tb->fastuid = 0; + } } success: if (!inet_csk(sk)->icsk_bind_hash) diff --git a/trunk/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/trunk/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c index 48990ada0e1e..fcdd0c2406e6 100644 --- a/trunk/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c +++ b/trunk/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 
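Review bot: Both added `tb->fastuid = 0;` lines assign a bare integer to a field that the surrounding code compares with uid_eq(), which suggests it is a kuid_t. If so, the assignment does not build where kuid_t is a struct, and in any case 0 is a valid uid (root) rather than a "no owner" marker. Since `tb->fastreuseport = 0` already records that the bucket has no fast-reuseport owner, the two resets can be dropped, provided every reader of fastuid checks fastreuseport first. The declaration of fastuid is not in the hunk, so its type is inferred.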
@@ -420,43 +420,54 @@ static int ipv4_net_init(struct net *net) { int ret = 0; - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_tcp4); + ret = nf_conntrack_l4proto_register(net, + &nf_conntrack_l4proto_tcp4); if (ret < 0) { - pr_err("nf_conntrack_tcp4: pernet registration failed\n"); + pr_err("nf_conntrack_l4proto_tcp4 :protocol register failed\n"); goto out_tcp; } - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_udp4); + ret = nf_conntrack_l4proto_register(net, + &nf_conntrack_l4proto_udp4); if (ret < 0) { - pr_err("nf_conntrack_udp4: pernet registration failed\n"); + pr_err("nf_conntrack_l4proto_udp4 :protocol register failed\n"); goto out_udp; } - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_icmp); + ret = nf_conntrack_l4proto_register(net, + &nf_conntrack_l4proto_icmp); if (ret < 0) { - pr_err("nf_conntrack_icmp4: pernet registration failed\n"); + pr_err("nf_conntrack_l4proto_icmp4 :protocol register failed\n"); goto out_icmp; } - ret = nf_ct_l3proto_pernet_register(net, &nf_conntrack_l3proto_ipv4); + ret = nf_conntrack_l3proto_register(net, + &nf_conntrack_l3proto_ipv4); if (ret < 0) { - pr_err("nf_conntrack_ipv4: pernet registration failed\n"); + pr_err("nf_conntrack_l3proto_ipv4 :protocol register failed\n"); goto out_ipv4; } return 0; out_ipv4: - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_icmp); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_icmp); out_icmp: - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_udp4); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_udp4); out_udp: - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_tcp4); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_tcp4); out_tcp: return ret; } static void ipv4_net_exit(struct net *net) { - nf_ct_l3proto_pernet_unregister(net, &nf_conntrack_l3proto_ipv4); - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_icmp); - nf_ct_l4proto_pernet_unregister(net, 
&nf_conntrack_l4proto_udp4); - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_tcp4); + nf_conntrack_l3proto_unregister(net, + &nf_conntrack_l3proto_ipv4); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_icmp); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_udp4); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_tcp4); } static struct pernet_operations ipv4_net_ops = { @@ -489,49 +500,16 @@ static int __init nf_conntrack_l3proto_ipv4_init(void) pr_err("nf_conntrack_ipv4: can't register hooks.\n"); goto cleanup_pernet; } - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_tcp4); - if (ret < 0) { - pr_err("nf_conntrack_ipv4: can't register tcp4 proto.\n"); - goto cleanup_hooks; - } - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_udp4); - if (ret < 0) { - pr_err("nf_conntrack_ipv4: can't register udp4 proto.\n"); - goto cleanup_tcp4; - } - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_icmp); - if (ret < 0) { - pr_err("nf_conntrack_ipv4: can't register icmpv4 proto.\n"); - goto cleanup_udp4; - } - - ret = nf_ct_l3proto_register(&nf_conntrack_l3proto_ipv4); - if (ret < 0) { - pr_err("nf_conntrack_ipv4: can't register ipv4 proto.\n"); - goto cleanup_icmpv4; - } - #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) ret = nf_conntrack_ipv4_compat_init(); if (ret < 0) - goto cleanup_proto; + goto cleanup_hooks; #endif return ret; #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) - cleanup_proto: - nf_ct_l3proto_unregister(&nf_conntrack_l3proto_ipv4); -#endif - cleanup_icmpv4: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_icmp); - cleanup_udp4: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udp4); - cleanup_tcp4: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_tcp4); cleanup_hooks: nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops)); +#endif cleanup_pernet: unregister_pernet_subsys(&ipv4_net_ops); cleanup_sockopt: 
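Review bot: The four new messages in ipv4_net_init() put the space on the wrong side of the colon, e.g. `"nf_conntrack_l4proto_tcp4 :protocol register failed\n"`, and the matching ipv6_net_init() hunk switches from pr_err() to `printk(KERN_ERR ...)` with a different layout. One format in both files, such as `pr_err("nf_conntrack_l4proto_tcp4: protocol register failed\n");`, keeps these registration failures easy to find in logs.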
@@ -545,10 +523,6 @@ static void __exit nf_conntrack_l3proto_ipv4_fini(void) #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT) nf_conntrack_ipv4_compat_fini(); #endif - nf_ct_l3proto_unregister(&nf_conntrack_l3proto_ipv4); - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_icmp); - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udp4); - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_tcp4); nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops)); unregister_pernet_subsys(&ipv4_net_ops); nf_unregister_sockopt(&so_getorigdst); diff --git a/trunk/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/trunk/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c index 8a45bb20bedb..137e245860ab 100644 --- a/trunk/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +++ b/trunk/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 
@@ -421,43 +421,54 @@ static int ipv6_net_init(struct net *net) { int ret = 0; - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_tcp6); + ret = nf_conntrack_l4proto_register(net, + &nf_conntrack_l4proto_tcp6); if (ret < 0) { - pr_err("nf_conntrack_tcp6: pernet registration failed\n"); + printk(KERN_ERR "nf_conntrack_l4proto_tcp6: protocol register failed\n"); goto out; } - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_udp6); + ret = nf_conntrack_l4proto_register(net, + &nf_conntrack_l4proto_udp6); if (ret < 0) { - pr_err("nf_conntrack_udp6: pernet registration failed\n"); + printk(KERN_ERR "nf_conntrack_l4proto_udp6: protocol register failed\n"); goto cleanup_tcp6; } - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_icmpv6); + ret = nf_conntrack_l4proto_register(net, + &nf_conntrack_l4proto_icmpv6); if (ret < 0) { - pr_err("nf_conntrack_icmp6: pernet registration failed\n"); + printk(KERN_ERR "nf_conntrack_l4proto_icmp6: protocol register failed\n"); goto cleanup_udp6; } - ret = nf_ct_l3proto_pernet_register(net, &nf_conntrack_l3proto_ipv6); + ret = nf_conntrack_l3proto_register(net, + &nf_conntrack_l3proto_ipv6); if (ret < 0) { - pr_err("nf_conntrack_ipv6: pernet registration failed.\n"); + printk(KERN_ERR "nf_conntrack_l3proto_ipv6: protocol register failed\n"); goto cleanup_icmpv6; } return 0; cleanup_icmpv6: - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_icmpv6); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_icmpv6); cleanup_udp6: - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_udp6); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_udp6); cleanup_tcp6: - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_tcp6); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_tcp6); out: return ret; } static void ipv6_net_exit(struct net *net) { - nf_ct_l3proto_pernet_unregister(net, &nf_conntrack_l3proto_ipv6); - nf_ct_l4proto_pernet_unregister(net, 
&nf_conntrack_l4proto_icmpv6); - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_udp6); - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_tcp6); + nf_conntrack_l3proto_unregister(net, + &nf_conntrack_l3proto_ipv6); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_icmpv6); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_udp6); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_tcp6); } static struct pernet_operations ipv6_net_ops = { 
@@ -480,52 +491,19 @@ static int __init nf_conntrack_l3proto_ipv6_init(void) ret = register_pernet_subsys(&ipv6_net_ops); if (ret < 0) - goto cleanup_sockopt; - + goto cleanup_pernet; ret = nf_register_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops)); if (ret < 0) { pr_err("nf_conntrack_ipv6: can't register pre-routing defrag " "hook.\n"); - goto cleanup_pernet; - } - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_tcp6); - if (ret < 0) { - pr_err("nf_conntrack_ipv6: can't register tcp6 proto.\n"); - goto cleanup_hooks; - } - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_udp6); - if (ret < 0) { - pr_err("nf_conntrack_ipv6: can't register udp6 proto.\n"); - goto cleanup_tcp6; - } - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_icmpv6); - if (ret < 0) { - pr_err("nf_conntrack_ipv6: can't register icmpv6 proto.\n"); - goto cleanup_udp6; - } - - ret = nf_ct_l3proto_register(&nf_conntrack_l3proto_ipv6); - if (ret < 0) { - pr_err("nf_conntrack_ipv6: can't register ipv6 proto.\n"); - goto cleanup_icmpv6; + goto cleanup_ipv6; } return ret; - cleanup_icmpv6: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_icmpv6); - cleanup_udp6: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udp6); - cleanup_tcp6: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_tcp6); - cleanup_hooks: - nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops)); - cleanup_pernet: + cleanup_ipv6: unregister_pernet_subsys(&ipv6_net_ops); - cleanup_sockopt: + cleanup_pernet: nf_unregister_sockopt(&so_getorigdst6); return ret; } 
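Review bot: The error labels in nf_conntrack_l3proto_ipv6_init() no longer name what they undo: `cleanup_pernet:` now runs `nf_unregister_sockopt(&so_getorigdst6)` and `cleanup_ipv6:` runs `unregister_pernet_subsys(&ipv6_net_ops)`. The control flow is still correct (a failed register_pernet_subsys() only unwinds the sockopt), but the names invite a wrong jump target in a later edit. Keeping `cleanup_sockopt:` for the sockopt step and `cleanup_pernet:` for the pernet step, as the IPv4 file does, would avoid that. The start of the function is outside the hunk.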
@@ -533,10 +511,6 @@ static int __init nf_conntrack_l3proto_ipv6_init(void) static void __exit nf_conntrack_l3proto_ipv6_fini(void) { synchronize_net(); - nf_ct_l3proto_unregister(&nf_conntrack_l3proto_ipv6); - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_tcp6); - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udp6); - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_icmpv6); nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops)); unregister_pernet_subsys(&ipv6_net_ops); nf_unregister_sockopt(&so_getorigdst6); diff --git a/trunk/net/netfilter/Kconfig b/trunk/net/netfilter/Kconfig index eb2c8ebf6d99..49e96df5fbc4 100644 --- a/trunk/net/netfilter/Kconfig +++ b/trunk/net/netfilter/Kconfig @@ -124,12 +124,6 @@ config NF_CONNTRACK_TIMESTAMP If unsure, say `N'. -config NF_CONNTRACK_LABELS - bool - help - This option enables support for assigning user-defined flag bits - to connection tracking entries. It selected by the connlabel match. - config NF_CT_PROTO_DCCP tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)' depends on EXPERIMENTAL @@ -811,15 +805,6 @@ config NETFILTER_XT_MATCH_ADDRTYPE If you want to compile it as a module, say M here and read . If unsure, say `N'. -config NETFILTER_XT_MATCH_BPF - tristate '"bpf" match support' - depends on NETFILTER_ADVANCED - help - BPF matching applies a linux socket filter to each packet and - accepts those for which the filter returns non-zero. - - To compile it as a module, choose M here. If unsure, say N. - config NETFILTER_XT_MATCH_CLUSTER tristate '"cluster" match support' depends on NF_CONNTRACK 
@@ -857,18 +842,6 @@ config NETFILTER_XT_MATCH_CONNBYTES If you want to compile it as a module, say M here and read . If unsure, say `N'. -config NETFILTER_XT_MATCH_CONNLABEL - tristate '"connlabel" match support' - select NF_CONNTRACK_LABELS - depends on NETFILTER_ADVANCED - ---help--- - This match allows you to test and assign userspace-defined labels names - to a connection. The kernel only stores bit values - mapping - names to bits is done by userspace. - - Unlike connmark, more than 32 flag bits may be assigned to a - connection simultaneously. - config NETFILTER_XT_MATCH_CONNLIMIT tristate '"connlimit" match support"' depends on NF_CONNTRACK diff --git a/trunk/net/netfilter/Makefile b/trunk/net/netfilter/Makefile index a1abf87d43bf..32596978df1d 100644 --- a/trunk/net/netfilter/Makefile +++ b/trunk/net/netfilter/Makefile @@ -4,7 +4,6 @@ nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_exp nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMEOUT) += nf_conntrack_timeout.o nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMESTAMP) += nf_conntrack_timestamp.o nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o -nf_conntrack-$(CONFIG_NF_CONNTRACK_LABELS) += nf_conntrack_labels.o obj-$(CONFIG_NETFILTER) = netfilter.o @@ -99,11 +98,9 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_IDLETIMER) += xt_IDLETIMER.o # matches obj-$(CONFIG_NETFILTER_XT_MATCH_ADDRTYPE) += xt_addrtype.o -obj-$(CONFIG_NETFILTER_XT_MATCH_BPF) += xt_bpf.o obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o -obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLABEL) += xt_connlabel.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o diff --git a/trunk/net/netfilter/nf_conntrack_acct.c b/trunk/net/netfilter/nf_conntrack_acct.c index 2d3030ab5b61..7df424e2d10c 100644 
--- a/trunk/net/netfilter/nf_conntrack_acct.c +++ b/trunk/net/netfilter/nf_conntrack_acct.c @@ -106,26 +106,36 @@ static void nf_conntrack_acct_fini_sysctl(struct net *net) } #endif -int nf_conntrack_acct_pernet_init(struct net *net) +int nf_conntrack_acct_init(struct net *net) { + int ret; + net->ct.sysctl_acct = nf_ct_acct; - return nf_conntrack_acct_init_sysctl(net); -} -void nf_conntrack_acct_pernet_fini(struct net *net) -{ - nf_conntrack_acct_fini_sysctl(net); -} + if (net_eq(net, &init_net)) { + ret = nf_ct_extend_register(&acct_extend); + if (ret < 0) { + printk(KERN_ERR "nf_conntrack_acct: Unable to register extension\n"); + goto out_extend_register; + } + } -int nf_conntrack_acct_init(void) -{ - int ret = nf_ct_extend_register(&acct_extend); + ret = nf_conntrack_acct_init_sysctl(net); if (ret < 0) - pr_err("nf_conntrack_acct: Unable to register extension\n"); + goto out_sysctl; + + return 0; + +out_sysctl: + if (net_eq(net, &init_net)) + nf_ct_extend_unregister(&acct_extend); +out_extend_register: return ret; } -void nf_conntrack_acct_fini(void) +void nf_conntrack_acct_fini(struct net *net) { - nf_ct_extend_unregister(&acct_extend); + nf_conntrack_acct_fini_sysctl(net); + if (net_eq(net, &init_net)) + nf_ct_extend_unregister(&acct_extend); } diff --git a/trunk/net/netfilter/nf_conntrack_core.c b/trunk/net/netfilter/nf_conntrack_core.c index c8e001a9c45b..e4a0c4fb3a7c 100644 --- a/trunk/net/netfilter/nf_conntrack_core.c +++ b/trunk/net/netfilter/nf_conntrack_core.c @@ -45,7 +45,6 @@ #include #include #include -#include #include #include @@ -764,7 +763,6 @@ void nf_conntrack_free(struct nf_conn *ct) } EXPORT_SYMBOL_GPL(nf_conntrack_free); - /* Allocate a new conntrack: we return -ENOMEM if classification failed due to stress. Otherwise it really is unclassifiable. */ static struct nf_conntrack_tuple_hash * 
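Review bot: nf_conntrack_acct_init() and nf_conntrack_acct_fini() now register and unregister the global `acct_extend` as a side effect of handling `init_net`, and nothing in the hunk states the ordering this relies on. If another namespace can still be initialised or torn down after init_net's fini has run, it would use an extension type that is no longer registered; whether that can happen depends on callers outside this hunk. I would at least add a comment above both `net_eq(net, &init_net)` tests, e.g. `/* acct_extend is global: registered once via init_net, which must be set up first and torn down last */`. The same pattern appears in nf_conntrack_init() and nf_conntrack_cleanup() in nf_conntrack_core.c.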
@@ -811,7 +809,6 @@ init_conntrack(struct net *net, struct nf_conn *tmpl, nf_ct_acct_ext_add(ct, GFP_ATOMIC); nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); - nf_ct_labels_ext_add(ct); ecache = tmpl ? nf_ct_ecache_find(tmpl) : NULL; nf_ct_ecache_ext_add(ct, ecache ? ecache->ctmask : 0, @@ -1334,42 +1331,18 @@ static int untrack_refs(void) return cnt; } -void nf_conntrack_cleanup_start(void) -{ - RCU_INIT_POINTER(ip_ct_attach, NULL); -} - -void nf_conntrack_cleanup_end(void) +static void nf_conntrack_cleanup_init_net(void) { - RCU_INIT_POINTER(nf_ct_destroy, NULL); while (untrack_refs() > 0) schedule(); #ifdef CONFIG_NF_CONNTRACK_ZONES nf_ct_extend_unregister(&nf_ct_zone_extend); #endif - nf_conntrack_proto_fini(); - nf_conntrack_labels_fini(); - nf_conntrack_helper_fini(); - nf_conntrack_timeout_fini(); - nf_conntrack_ecache_fini(); - nf_conntrack_tstamp_fini(); - nf_conntrack_acct_fini(); - nf_conntrack_expect_fini(); } -/* - * Mishearing the voices in his head, our hero wonders how he's - * supposed to kill the mall. - */ -void nf_conntrack_cleanup_net(struct net *net) +static void nf_conntrack_cleanup_net(struct net *net) { - /* - * This makes sure all current packets have passed through - * netfilter framework. Roll on, two-stage module - * delete... - */ - synchronize_net(); i_see_dead_people: nf_ct_iterate_cleanup(net, kill_all, NULL); nf_ct_release_dying_list(net); 
@@ -1379,17 +1352,38 @@ void nf_conntrack_cleanup_net(struct net *net) } nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size); - nf_conntrack_proto_pernet_fini(net); - nf_conntrack_helper_pernet_fini(net); - nf_conntrack_ecache_pernet_fini(net); - nf_conntrack_tstamp_pernet_fini(net); - nf_conntrack_acct_pernet_fini(net); - nf_conntrack_expect_pernet_fini(net); + nf_conntrack_helper_fini(net); + nf_conntrack_timeout_fini(net); + nf_conntrack_ecache_fini(net); + nf_conntrack_tstamp_fini(net); + nf_conntrack_acct_fini(net); + nf_conntrack_expect_fini(net); kmem_cache_destroy(net->ct.nf_conntrack_cachep); kfree(net->ct.slabname); free_percpu(net->ct.stat); } +/* Mishearing the voices in his head, our hero wonders how he's + supposed to kill the mall. */ +void nf_conntrack_cleanup(struct net *net) +{ + if (net_eq(net, &init_net)) + RCU_INIT_POINTER(ip_ct_attach, NULL); + + /* This makes sure all current packets have passed through + netfilter framework. Roll on, two-stage module + delete... */ + synchronize_net(); + nf_conntrack_proto_fini(net); + nf_conntrack_cleanup_net(net); +} + +void nf_conntrack_cleanup_end(void) +{ + RCU_INIT_POINTER(nf_ct_destroy, NULL); + nf_conntrack_cleanup_init_net(); +} + void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls) { struct hlist_nulls_head *hash; @@ -1480,7 +1474,7 @@ void nf_ct_untracked_status_or(unsigned long bits) } EXPORT_SYMBOL_GPL(nf_ct_untracked_status_or); -int nf_conntrack_init_start(void) +static int nf_conntrack_init_init_net(void) { int max_factor = 8; int ret, cpu; 
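Review bot: nf_conntrack_cleanup() calls `nf_conntrack_proto_fini(net)` before `nf_conntrack_cleanup_net(net)`, so protocol state for the namespace is released while its conntrack entries still exist; they are only killed afterwards by the nf_ct_iterate_cleanup() loop. The removed code ran the per-net protocol teardown after the hash table had been freed. nf_conntrack_proto_fini() is not visible here, so whether destroying an entry still reaches per-protocol data is an assumption to confirm. If it does, swap the two calls to `nf_conntrack_cleanup_net(net);` followed by `nf_conntrack_proto_fini(net);`, which is also the reverse of the setup order in nf_conntrack_init().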
@@ -1507,44 +1501,11 @@ int nf_conntrack_init_start(void) printk(KERN_INFO "nf_conntrack version %s (%u buckets, %d max)\n", NF_CONNTRACK_VERSION, nf_conntrack_htable_size, nf_conntrack_max); - - ret = nf_conntrack_expect_init(); - if (ret < 0) - goto err_expect; - - ret = nf_conntrack_acct_init(); - if (ret < 0) - goto err_acct; - - ret = nf_conntrack_tstamp_init(); - if (ret < 0) - goto err_tstamp; - - ret = nf_conntrack_ecache_init(); - if (ret < 0) - goto err_ecache; - - ret = nf_conntrack_timeout_init(); - if (ret < 0) - goto err_timeout; - - ret = nf_conntrack_helper_init(); - if (ret < 0) - goto err_helper; - - ret = nf_conntrack_labels_init(); - if (ret < 0) - goto err_labels; - #ifdef CONFIG_NF_CONNTRACK_ZONES ret = nf_ct_extend_register(&nf_ct_zone_extend); if (ret < 0) goto err_extend; #endif - ret = nf_conntrack_proto_init(); - if (ret < 0) - goto err_proto; - /* Set up fake conntrack: to never be deleted, not in any hashes */ for_each_possible_cpu(cpu) { struct nf_conn *ct = &per_cpu(nf_conntrack_untracked, cpu); @@ -1555,38 +1516,12 @@ int nf_conntrack_init_start(void) nf_ct_untracked_status_or(IPS_CONFIRMED | IPS_UNTRACKED); return 0; -err_proto: #ifdef CONFIG_NF_CONNTRACK_ZONES - nf_ct_extend_unregister(&nf_ct_zone_extend); err_extend: #endif - nf_conntrack_labels_fini(); -err_labels: - nf_conntrack_helper_fini(); -err_helper: - nf_conntrack_timeout_fini(); -err_timeout: - nf_conntrack_ecache_fini(); -err_ecache: - nf_conntrack_tstamp_fini(); -err_tstamp: - nf_conntrack_acct_fini(); -err_acct: - nf_conntrack_expect_fini(); -err_expect: return ret; } -void nf_conntrack_init_end(void) -{ - /* For use by REJECT target */ - RCU_INIT_POINTER(ip_ct_attach, nf_conntrack_attach); - RCU_INIT_POINTER(nf_ct_destroy, destroy_conntrack); - - /* Howto get NAT offsets */ - RCU_INIT_POINTER(nf_ct_nat_offset, NULL); -} - /* * We need to use special "null" values, not used in hash table */ 
@@ -1594,7 +1529,7 @@ void nf_conntrack_init_end(void) #define DYING_NULLS_VAL ((1<<30)+1) #define TEMPLATE_NULLS_VAL ((1<<30)+2) -int nf_conntrack_init_net(struct net *net) +static int nf_conntrack_init_net(struct net *net) { int ret; @@ -1630,36 +1565,35 @@ int nf_conntrack_init_net(struct net *net) printk(KERN_ERR "Unable to create nf_conntrack_hash\n"); goto err_hash; } - ret = nf_conntrack_expect_pernet_init(net); + ret = nf_conntrack_expect_init(net); if (ret < 0) goto err_expect; - ret = nf_conntrack_acct_pernet_init(net); + ret = nf_conntrack_acct_init(net); if (ret < 0) goto err_acct; - ret = nf_conntrack_tstamp_pernet_init(net); + ret = nf_conntrack_tstamp_init(net); if (ret < 0) goto err_tstamp; - ret = nf_conntrack_ecache_pernet_init(net); + ret = nf_conntrack_ecache_init(net); if (ret < 0) goto err_ecache; - ret = nf_conntrack_helper_pernet_init(net); + ret = nf_conntrack_timeout_init(net); if (ret < 0) - goto err_helper; - ret = nf_conntrack_proto_pernet_init(net); + goto err_timeout; + ret = nf_conntrack_helper_init(net); if (ret < 0) - goto err_proto; + goto err_helper; return 0; - -err_proto: - nf_conntrack_helper_pernet_fini(net); err_helper: - nf_conntrack_ecache_pernet_fini(net); + nf_conntrack_timeout_fini(net); +err_timeout: + nf_conntrack_ecache_fini(net); err_ecache: - nf_conntrack_tstamp_pernet_fini(net); + nf_conntrack_tstamp_fini(net); err_tstamp: - nf_conntrack_acct_pernet_fini(net); + nf_conntrack_acct_fini(net); err_acct: - nf_conntrack_expect_pernet_fini(net); + nf_conntrack_expect_fini(net); err_expect: nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size); err_hash: 
@@ -1676,3 +1610,38 @@ s16 (*nf_ct_nat_offset)(const struct nf_conn *ct, enum ip_conntrack_dir dir, u32 seq); EXPORT_SYMBOL_GPL(nf_ct_nat_offset); + +int nf_conntrack_init(struct net *net) +{ + int ret; + + if (net_eq(net, &init_net)) { + ret = nf_conntrack_init_init_net(); + if (ret < 0) + goto out_init_net; + } + ret = nf_conntrack_proto_init(net); + if (ret < 0) + goto out_proto; + ret = nf_conntrack_init_net(net); + if (ret < 0) + goto out_net; + + if (net_eq(net, &init_net)) { + /* For use by REJECT target */ + RCU_INIT_POINTER(ip_ct_attach, nf_conntrack_attach); + RCU_INIT_POINTER(nf_ct_destroy, destroy_conntrack); + + /* Howto get NAT offsets */ + RCU_INIT_POINTER(nf_ct_nat_offset, NULL); + } + return 0; + +out_net: + nf_conntrack_proto_fini(net); +out_proto: + if (net_eq(net, &init_net)) + nf_conntrack_cleanup_init_net(); +out_init_net: + return ret; +} diff --git a/trunk/net/netfilter/nf_conntrack_ecache.c b/trunk/net/netfilter/nf_conntrack_ecache.c index b5d2eb8bf0d5..faa978f1714b 100644 --- a/trunk/net/netfilter/nf_conntrack_ecache.c +++ b/trunk/net/netfilter/nf_conntrack_ecache.c 
@@ -233,27 +233,38 @@ static void nf_conntrack_event_fini_sysctl(struct net *net) } #endif /* CONFIG_SYSCTL */ -int nf_conntrack_ecache_pernet_init(struct net *net) +int nf_conntrack_ecache_init(struct net *net) { + int ret; + net->ct.sysctl_events = nf_ct_events; net->ct.sysctl_events_retry_timeout = nf_ct_events_retry_timeout; - return nf_conntrack_event_init_sysctl(net); -} -void nf_conntrack_ecache_pernet_fini(struct net *net) -{ - nf_conntrack_event_fini_sysctl(net); -} + if (net_eq(net, &init_net)) { + ret = nf_ct_extend_register(&event_extend); + if (ret < 0) { + printk(KERN_ERR "nf_ct_event: Unable to register " + "event extension.\n"); + goto out_extend_register; + } + } -int nf_conntrack_ecache_init(void) -{ - int ret = nf_ct_extend_register(&event_extend); + ret = nf_conntrack_event_init_sysctl(net); if (ret < 0) - pr_err("nf_ct_event: Unable to register event extension.\n"); + goto out_sysctl; + + return 0; + +out_sysctl: + if (net_eq(net, &init_net)) + nf_ct_extend_unregister(&event_extend); +out_extend_register: return ret; } -void nf_conntrack_ecache_fini(void) +void nf_conntrack_ecache_fini(struct net *net) { - nf_ct_extend_unregister(&event_extend); + nf_conntrack_event_fini_sysctl(net); + if (net_eq(net, &init_net)) + nf_ct_extend_unregister(&event_extend); } diff --git a/trunk/net/netfilter/nf_conntrack_expect.c b/trunk/net/netfilter/nf_conntrack_expect.c index bdd341899ed3..527651a53a45 100644 --- a/trunk/net/netfilter/nf_conntrack_expect.c +++ b/trunk/net/netfilter/nf_conntrack_expect.c 
@@ -587,50 +587,53 @@ static void exp_proc_remove(struct net *net) module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400); -int nf_conntrack_expect_pernet_init(struct net *net) +int nf_conntrack_expect_init(struct net *net) { int err = -ENOMEM; + if (net_eq(net, &init_net)) { + if (!nf_ct_expect_hsize) { + nf_ct_expect_hsize = net->ct.htable_size / 256; + if (!nf_ct_expect_hsize) + nf_ct_expect_hsize = 1; + } + nf_ct_expect_max = nf_ct_expect_hsize * 4; + } + net->ct.expect_count = 0; net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, 0); if (net->ct.expect_hash == NULL) goto err1; + if (net_eq(net, &init_net)) { + nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect", + sizeof(struct nf_conntrack_expect), + 0, 0, NULL); + if (!nf_ct_expect_cachep) + goto err2; + } + err = exp_proc_init(net); if (err < 0) - goto err2; + goto err3; return 0; + +err3: + if (net_eq(net, &init_net)) + kmem_cache_destroy(nf_ct_expect_cachep); err2: nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize); err1: return err; } -void nf_conntrack_expect_pernet_fini(struct net *net) +void nf_conntrack_expect_fini(struct net *net) { exp_proc_remove(net); - nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize); -} - -int nf_conntrack_expect_init(void) -{ - if (!nf_ct_expect_hsize) { - nf_ct_expect_hsize = nf_conntrack_htable_size / 256; - if (!nf_ct_expect_hsize) - nf_ct_expect_hsize = 1; + if (net_eq(net, &init_net)) { + rcu_barrier(); /* Wait for call_rcu() before destroy */ + kmem_cache_destroy(nf_ct_expect_cachep); } - nf_ct_expect_max = nf_ct_expect_hsize * 4; - nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect", - sizeof(struct nf_conntrack_expect), - 0, 0, NULL); - if (!nf_ct_expect_cachep) - return -ENOMEM; - return 0; -} - -void nf_conntrack_expect_fini(void) -{ - rcu_barrier(); /* Wait for call_rcu() before destroy */ - kmem_cache_destroy(nf_ct_expect_cachep); + nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize); 
}
diff --git a/trunk/net/netfilter/nf_conntrack_helper.c b/trunk/net/netfilter/nf_conntrack_helper.c
index 2f380f73c4c0..884f2b39319a 100644
--- a/trunk/net/netfilter/nf_conntrack_helper.c
+++ b/trunk/net/netfilter/nf_conntrack_helper.c
@@ -423,41 +423,44 @@ static struct nf_ct_ext_type helper_extend __read_mostly = { .id = NF_CT_EXT_HELPER, }; -int nf_conntrack_helper_pernet_init(struct net *net) +int nf_conntrack_helper_init(struct net *net) { + int err; + net->ct.auto_assign_helper_warned = false; net->ct.sysctl_auto_assign_helper = nf_ct_auto_assign_helper; - return nf_conntrack_helper_init_sysctl(net); -} -void nf_conntrack_helper_pernet_fini(struct net *net) -{ - nf_conntrack_helper_fini_sysctl(net); -} + if (net_eq(net, &init_net)) { + nf_ct_helper_hsize = 1; /* gets rounded up to use one page */ + nf_ct_helper_hash = + nf_ct_alloc_hashtable(&nf_ct_helper_hsize, 0); + if (!nf_ct_helper_hash) + return -ENOMEM; -int nf_conntrack_helper_init(void) -{ - int ret; - nf_ct_helper_hsize = 1; /* gets rounded up to use one page */ - nf_ct_helper_hash = - nf_ct_alloc_hashtable(&nf_ct_helper_hsize, 0); - if (!nf_ct_helper_hash) - return -ENOMEM; - - ret = nf_ct_extend_register(&helper_extend); - if (ret < 0) { - pr_err("nf_ct_helper: Unable to register helper extension.\n"); - goto out_extend; + err = nf_ct_extend_register(&helper_extend); + if (err < 0) + goto err1; } + err = nf_conntrack_helper_init_sysctl(net); + if (err < 0) + goto out_sysctl; + return 0; -out_extend: + +out_sysctl: + if (net_eq(net, &init_net)) + nf_ct_extend_unregister(&helper_extend); +err1: nf_ct_free_hashtable(nf_ct_helper_hash, nf_ct_helper_hsize); - return ret; + return err; } -void nf_conntrack_helper_fini(void) +void nf_conntrack_helper_fini(struct net *net) { - nf_ct_extend_unregister(&helper_extend); - nf_ct_free_hashtable(nf_ct_helper_hash, nf_ct_helper_hsize); + nf_conntrack_helper_fini_sysctl(net); + if (net_eq(net, &init_net)) { + nf_ct_extend_unregister(&helper_extend); + nf_ct_free_hashtable(nf_ct_helper_hash, nf_ct_helper_hsize); + } } diff --git a/trunk/net/netfilter/nf_conntrack_labels.c b/trunk/net/netfilter/nf_conntrack_labels.c deleted file mode 100644 index 8fe2e99428b7..000000000000 
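Review bot: The `err1:` path in nf_conntrack_helper_init() frees the global nf_ct_helper_hash unconditionally, although that table is only allocated when net is init_net. If nf_conntrack_helper_init_sysctl() fails for any other namespace, control falls from `out_sysctl:` into `err1:` and releases the table init_net is still using, so later helper lookups would touch freed memory. Guard the free the same way the unregister above it is guarded: `if (net_eq(net, &init_net)) nf_ct_free_hashtable(nf_ct_helper_hash, nf_ct_helper_hsize);`. nf_conntrack_helper_fini() in this same hunk already applies that guard.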
--- a/trunk/net/netfilter/nf_conntrack_labels.c
+++ /dev/null
@@ -1,112 +0,0 @@ -/* - * test/set flag bits stored in conntrack extension area. - * - * (C) 2013 Astaro GmbH & Co KG - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 as - * published by the Free Software Foundation. - */ - -#include -#include -#include -#include -#include -#include - -#include -#include - -static unsigned int label_bits(const struct nf_conn_labels *l) -{ - unsigned int longs = l->words; - return longs * BITS_PER_LONG; -} - -bool nf_connlabel_match(const struct nf_conn *ct, u16 bit) -{ - struct nf_conn_labels *labels = nf_ct_labels_find(ct); - - if (!labels) - return false; - - return bit < label_bits(labels) && test_bit(bit, labels->bits); -} -EXPORT_SYMBOL_GPL(nf_connlabel_match); - -int nf_connlabel_set(struct nf_conn *ct, u16 bit) -{ - struct nf_conn_labels *labels = nf_ct_labels_find(ct); - - if (!labels || bit >= label_bits(labels)) - return -ENOSPC; - - if (test_bit(bit, labels->bits)) - return 0; - - if (test_and_set_bit(bit, labels->bits)) - nf_conntrack_event_cache(IPCT_LABEL, ct); - - return 0; -} -EXPORT_SYMBOL_GPL(nf_connlabel_set); - -#if IS_ENABLED(CONFIG_NF_CT_NETLINK) -static void replace_u32(u32 *address, u32 mask, u32 new) -{ - u32 old, tmp; - - do { - old = *address; - tmp = (old & mask) ^ new; - } while (cmpxchg(address, old, tmp) != old); -} - -int nf_connlabels_replace(struct nf_conn *ct, - const u32 *data, - const u32 *mask, unsigned int words32) -{ - struct nf_conn_labels *labels; - unsigned int size, i; - u32 *dst; - - labels = nf_ct_labels_find(ct); - if (!labels) - return -ENOSPC; - - size = labels->words * sizeof(long); - if (size < (words32 * sizeof(u32))) - words32 = size / sizeof(u32); - - dst = (u32 *) labels->bits; - if (words32) { - for (i = 0; i < words32; i++) - replace_u32(&dst[i], mask ? 
~mask[i] : 0, data[i]); - } - - size /= sizeof(u32); - for (i = words32; i < size; i++) /* pad */ - replace_u32(&dst[i], 0, 0); - - nf_conntrack_event_cache(IPCT_LABEL, ct); - return 0; -} -EXPORT_SYMBOL_GPL(nf_connlabels_replace); -#endif - -static struct nf_ct_ext_type labels_extend __read_mostly = { - .len = sizeof(struct nf_conn_labels), - .align = __alignof__(struct nf_conn_labels), - .id = NF_CT_EXT_LABELS, -}; - -int nf_conntrack_labels_init(void) -{ - return nf_ct_extend_register(&labels_extend); -} - -void nf_conntrack_labels_fini(void) -{ - nf_ct_extend_unregister(&labels_extend); -} diff --git a/trunk/net/netfilter/nf_conntrack_netlink.c b/trunk/net/netfilter/nf_conntrack_netlink.c index 2334cc5d2b16..627b0e50b238 100644 --- a/trunk/net/netfilter/nf_conntrack_netlink.c +++ b/trunk/net/netfilter/nf_conntrack_netlink.c @@ -43,7 +43,6 @@ #include #include #include -#include #ifdef CONFIG_NF_NAT_NEEDED #include #include @@ -324,40 +323,6 @@ ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) #define ctnetlink_dump_secctx(a, b) (0) #endif -#ifdef CONFIG_NF_CONNTRACK_LABELS -static int ctnetlink_label_size(const struct nf_conn *ct) -{ - struct nf_conn_labels *labels = nf_ct_labels_find(ct); - - if (!labels) - return 0; - return nla_total_size(labels->words * sizeof(long)); -} - -static int -ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct) -{ - struct nf_conn_labels *labels = nf_ct_labels_find(ct); - unsigned int len, i; - - if (!labels) - return 0; - - len = labels->words * sizeof(long); - i = 0; - do { - if (labels->bits[i] != 0) - return nla_put(skb, CTA_LABELS, len, labels->bits); - i++; - } while (i < labels->words); - - return 0; -} -#else -#define ctnetlink_dump_labels(a, b) (0) -#define ctnetlink_label_size(a) (0) -#endif - #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) static inline int 
@@ -498,7 +463,6 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, ctnetlink_dump_helpinfo(skb, ct) < 0 || ctnetlink_dump_mark(skb, ct) < 0 || ctnetlink_dump_secctx(skb, ct) < 0 || - ctnetlink_dump_labels(skb, ct) < 0 || ctnetlink_dump_id(skb, ct) < 0 || ctnetlink_dump_use(skb, ct) < 0 || ctnetlink_dump_master(skb, ct) < 0 || @@ -597,7 +561,6 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct) + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ #endif + ctnetlink_proto_size(ct) - + ctnetlink_label_size(ct) ; } @@ -699,9 +662,6 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) && ctnetlink_dump_secctx(skb, ct) < 0) goto nla_put_failure; #endif - if (events & (1 << IPCT_LABEL) && - ctnetlink_dump_labels(skb, ct) < 0) - goto nla_put_failure; if (events & (1 << IPCT_RELATED) && ctnetlink_dump_master(skb, ct) < 0) @@ -961,7 +921,6 @@ ctnetlink_parse_help(const struct nlattr *attr, char **helper_name, return 0; } -#define __CTA_LABELS_MAX_LENGTH ((XT_CONNLABEL_MAXBIT + 1) / BITS_PER_BYTE) static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { [CTA_TUPLE_ORIG] = { .type = NLA_NESTED }, [CTA_TUPLE_REPLY] = { .type = NLA_NESTED }, @@ -978,10 +937,6 @@ static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED }, [CTA_ZONE] = { .type = NLA_U16 }, [CTA_MARK_MASK] = { .type = NLA_U32 }, - [CTA_LABELS] = { .type = NLA_BINARY, - .len = __CTA_LABELS_MAX_LENGTH }, - [CTA_LABELS_MASK] = { .type = NLA_BINARY, - .len = __CTA_LABELS_MAX_LENGTH }, }; static int 
@@ -1509,31 +1464,6 @@ ctnetlink_change_nat_seq_adj(struct nf_conn *ct, } #endif -static int -ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[]) -{ -#ifdef CONFIG_NF_CONNTRACK_LABELS - size_t len = nla_len(cda[CTA_LABELS]); - const void *mask = cda[CTA_LABELS_MASK]; - - if (len & (sizeof(u32)-1)) /* must be multiple of u32 */ - return -EINVAL; - - if (mask) { - if (nla_len(cda[CTA_LABELS_MASK]) == 0 || - nla_len(cda[CTA_LABELS_MASK]) != len) - return -EINVAL; - mask = nla_data(cda[CTA_LABELS_MASK]); - } - - len /= sizeof(u32); - - return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len); -#else - return -EOPNOTSUPP; -#endif -} - static int ctnetlink_change_conntrack(struct nf_conn *ct, const struct nlattr * const cda[]) @@ -1580,11 +1510,6 @@ ctnetlink_change_conntrack(struct nf_conn *ct, return err; } #endif - if (cda[CTA_LABELS]) { - err = ctnetlink_attach_labels(ct, cda); - if (err < 0) - return err; - } return 0; } @@ -1673,8 +1598,6 @@ ctnetlink_create_conntrack(struct net *net, u16 zone, nf_ct_acct_ext_add(ct, GFP_ATOMIC); nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); - nf_ct_labels_ext_add(ct); - /* we must add conntrack extensions before confirmation. */ ct->status |= IPS_CONFIRMED; @@ -1793,10 +1716,6 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, else events = IPCT_NEW; - if (cda[CTA_LABELS] && - ctnetlink_attach_labels(ct, cda) == 0) - events |= (1 << IPCT_LABEL); - nf_conntrack_eventmask_report((1 << IPCT_REPLY) | (1 << IPCT_ASSURED) | (1 << IPCT_HELPER) | @@ -2064,8 +1983,6 @@ ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct) if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0) goto nla_put_failure; #endif - if (ctnetlink_dump_labels(skb, ct) < 0) - goto nla_put_failure; rcu_read_unlock(); return 0; 
@@ -2094,11 +2011,6 @@ ctnetlink_nfqueue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct) if (err < 0) return err; } - if (cda[CTA_LABELS]) { - err = ctnetlink_attach_labels(ct, cda); - if (err < 0) - return err; - } #if defined(CONFIG_NF_CONNTRACK_MARK) if (cda[CTA_MARK]) ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); diff --git a/trunk/net/netfilter/nf_conntrack_proto.c b/trunk/net/netfilter/nf_conntrack_proto.c index 58ab4050830c..51e928db48c8 100644 --- a/trunk/net/netfilter/nf_conntrack_proto.c +++ b/trunk/net/netfilter/nf_conntrack_proto.c @@ -212,7 +212,8 @@ static void nf_ct_l3proto_unregister_sysctl(struct net *net, #endif } -int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto) +static int +nf_conntrack_l3proto_register_net(struct nf_conntrack_l3proto *proto) { int ret = 0; struct nf_conntrack_l3proto *old; @@ -241,9 +242,8 @@ int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto) return ret; } -EXPORT_SYMBOL_GPL(nf_ct_l3proto_register); -int nf_ct_l3proto_pernet_register(struct net *net, +int nf_conntrack_l3proto_register(struct net *net, struct nf_conntrack_l3proto *proto) { int ret = 0; @@ -254,11 +254,22 @@ int nf_ct_l3proto_pernet_register(struct net *net, return ret; } - return nf_ct_l3proto_register_sysctl(net, proto); + ret = nf_ct_l3proto_register_sysctl(net, proto); + if (ret < 0) + return ret; + + if (net == &init_net) { + ret = nf_conntrack_l3proto_register_net(proto); + if (ret < 0) + nf_ct_l3proto_unregister_sysctl(net, proto); + } + + return ret; } -EXPORT_SYMBOL_GPL(nf_ct_l3proto_pernet_register); +EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_register); -void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto) +static void +nf_conntrack_l3proto_unregister_net(struct nf_conntrack_l3proto *proto) { BUG_ON(proto->l3proto >= AF_MAX); 
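Review bot: The init_net check added to nf_conntrack_l3proto_register() compares pointers directly with `net == &init_net`, while the core, ecache, expect and helper changes in this same patch use `net_eq(net, &init_net)`. The same direct comparison is introduced in nf_conntrack_l3proto_unregister(), nf_conntrack_l4proto_register(), nf_conntrack_l4proto_unregister(), nf_conntrack_proto_init() and nf_conntrack_proto_fini() in the hunks that follow. Writing `if (net_eq(net, &init_net)) {` throughout keeps the file consistent with the rest of the patch.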
@@ -272,17 +283,19 @@ void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto) synchronize_rcu(); } -EXPORT_SYMBOL_GPL(nf_ct_l3proto_unregister); -void nf_ct_l3proto_pernet_unregister(struct net *net, +void nf_conntrack_l3proto_unregister(struct net *net, struct nf_conntrack_l3proto *proto) { + if (net == &init_net) + nf_conntrack_l3proto_unregister_net(proto); + nf_ct_l3proto_unregister_sysctl(net, proto); /* Remove all contrack entries for this protocol */ nf_ct_iterate_cleanup(net, kill_l3proto, proto); } -EXPORT_SYMBOL_GPL(nf_ct_l3proto_pernet_unregister); +EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister); static struct nf_proto_net *nf_ct_l4proto_net(struct net *net, struct nf_conntrack_l4proto *l4proto) @@ -363,7 +376,8 @@ void nf_ct_l4proto_unregister_sysctl(struct net *net, /* FIXME: Allow NULL functions and sub in pointers to generic for them. --RR */ -int nf_ct_l4proto_register(struct nf_conntrack_l4proto *l4proto) +static int +nf_conntrack_l4proto_register_net(struct nf_conntrack_l4proto *l4proto) { int ret = 0; @@ -417,9 +431,8 @@ int nf_ct_l4proto_register(struct nf_conntrack_l4proto *l4proto) mutex_unlock(&nf_ct_proto_mutex); return ret; } -EXPORT_SYMBOL_GPL(nf_ct_l4proto_register); -int nf_ct_l4proto_pernet_register(struct net *net, +int nf_conntrack_l4proto_register(struct net *net, struct nf_conntrack_l4proto *l4proto) { int ret = 0; @@ -439,13 +452,22 @@ int nf_ct_l4proto_pernet_register(struct net *net, if (ret < 0) goto out; + if (net == &init_net) { + ret = nf_conntrack_l4proto_register_net(l4proto); + if (ret < 0) { + nf_ct_l4proto_unregister_sysctl(net, pn, l4proto); + goto out; + } + } + pn->users++; out: return ret; } -EXPORT_SYMBOL_GPL(nf_ct_l4proto_pernet_register); +EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_register); -void nf_ct_l4proto_unregister(struct nf_conntrack_l4proto *l4proto) +static void +nf_conntrack_l4proto_unregister_net(struct nf_conntrack_l4proto *l4proto) { BUG_ON(l4proto->l3proto >= PF_MAX); 
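Review bot: nf_conntrack_l3proto_unregister() now drops the global handler whenever it is called for init_net, so the handler's lifetime is tied to where init_net falls in the per-namespace exit sequence rather than to module unload. Nothing in this hunk enforces or documents that ordering, and the pernet exit code is outside the diff, so whether other namespaces can still hold entries for the protocol at that point is an assumption to confirm. At minimum, state the contract next to the check, for example `/* init_net owns the global l3proto slot; relies on pernet exit ordering */`. The same pattern is added to nf_conntrack_l4proto_unregister() in a later hunk.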
@@ -460,13 +482,15 @@ void nf_ct_l4proto_unregister(struct nf_conntrack_l4proto *l4proto) synchronize_rcu(); } -EXPORT_SYMBOL_GPL(nf_ct_l4proto_unregister); -void nf_ct_l4proto_pernet_unregister(struct net *net, +void nf_conntrack_l4proto_unregister(struct net *net, struct nf_conntrack_l4proto *l4proto) { struct nf_proto_net *pn = NULL; + if (net == &init_net) + nf_conntrack_l4proto_unregister_net(l4proto); + pn = nf_ct_l4proto_net(net, l4proto); if (pn == NULL) return; @@ -477,10 +501,11 @@ void nf_ct_l4proto_pernet_unregister(struct net *net, /* Remove all contrack entries for this protocol */ nf_ct_iterate_cleanup(net, kill_l4proto, l4proto); } -EXPORT_SYMBOL_GPL(nf_ct_l4proto_pernet_unregister); +EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister); -int nf_conntrack_proto_pernet_init(struct net *net) +int nf_conntrack_proto_init(struct net *net) { + unsigned int i; int err; struct nf_proto_net *pn = nf_ct_l4proto_net(net, &nf_conntrack_l4proto_generic); @@ -495,12 +520,19 @@ int nf_conntrack_proto_pernet_init(struct net *net) if (err < 0) return err; + if (net == &init_net) { + for (i = 0; i < AF_MAX; i++) + rcu_assign_pointer(nf_ct_l3protos[i], + &nf_conntrack_l3proto_generic); + } + pn->users++; return 0; } -void nf_conntrack_proto_pernet_fini(struct net *net) +void nf_conntrack_proto_fini(struct net *net) { + unsigned int i; struct nf_proto_net *pn = nf_ct_l4proto_net(net, &nf_conntrack_l4proto_generic); 
@@ -508,21 +540,9 @@ void nf_conntrack_proto_pernet_fini(struct net *net) nf_ct_l4proto_unregister_sysctl(net, pn, &nf_conntrack_l4proto_generic); -} - -int nf_conntrack_proto_init(void) -{ - unsigned int i; - for (i = 0; i < AF_MAX; i++) - rcu_assign_pointer(nf_ct_l3protos[i], - &nf_conntrack_l3proto_generic); - return 0; -} - -void nf_conntrack_proto_fini(void) -{ - unsigned int i; - /* free l3proto protocol tables */ - for (i = 0; i < PF_MAX; i++) - kfree(nf_ct_protos[i]); + if (net == &init_net) { + /* free l3proto protocol tables */ + for (i = 0; i < PF_MAX; i++) + kfree(nf_ct_protos[i]); + } } diff --git a/trunk/net/netfilter/nf_conntrack_proto_dccp.c b/trunk/net/netfilter/nf_conntrack_proto_dccp.c index 432f95780003..a8ae287bc7af 100644 --- a/trunk/net/netfilter/nf_conntrack_proto_dccp.c +++ b/trunk/net/netfilter/nf_conntrack_proto_dccp.c 
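Review bot: The init_net branch added to nf_conntrack_proto_fini() frees each nf_ct_protos[i] table but leaves the stale pointer in the array, so any lookup through nf_ct_protos[] that runs afterwards could dereference freed memory. Because this free now sits inside a per-namespace teardown function, clearing the slot is cheap insurance: `kfree(nf_ct_protos[i]);` followed by `nf_ct_protos[i] = NULL;`. Whether the lookup helpers test for NULL is not visible here. The function begins outside this hunk.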
@@ -935,27 +935,32 @@ static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = { static __net_init int dccp_net_init(struct net *net) { int ret = 0; - ret = nf_ct_l4proto_pernet_register(net, &dccp_proto4); + ret = nf_conntrack_l4proto_register(net, + &dccp_proto4); if (ret < 0) { - pr_err("nf_conntrack_dccp4: pernet registration failed.\n"); + pr_err("nf_conntrack_l4proto_dccp4 :protocol register failed.\n"); goto out; } - ret = nf_ct_l4proto_pernet_register(net, &dccp_proto6); + ret = nf_conntrack_l4proto_register(net, + &dccp_proto6); if (ret < 0) { - pr_err("nf_conntrack_dccp6: pernet registration failed.\n"); + pr_err("nf_conntrack_l4proto_dccp6 :protocol register failed.\n"); goto cleanup_dccp4; } return 0; cleanup_dccp4: - nf_ct_l4proto_pernet_unregister(net, &dccp_proto4); + nf_conntrack_l4proto_unregister(net, + &dccp_proto4); out: return ret; } static __net_exit void dccp_net_exit(struct net *net) { - nf_ct_l4proto_pernet_unregister(net, &dccp_proto6); - nf_ct_l4proto_pernet_unregister(net, &dccp_proto4); + nf_conntrack_l4proto_unregister(net, + &dccp_proto6); + nf_conntrack_l4proto_unregister(net, + &dccp_proto4); } static struct pernet_operations dccp_net_ops = { @@ -967,33 +972,11 @@ static struct pernet_operations dccp_net_ops = { static int __init nf_conntrack_proto_dccp_init(void) { - int ret; - - ret = nf_ct_l4proto_register(&dccp_proto4); - if (ret < 0) - goto out_dccp4; - - ret = nf_ct_l4proto_register(&dccp_proto6); - if (ret < 0) - goto out_dccp6; - - ret = register_pernet_subsys(&dccp_net_ops); - if (ret < 0) - goto out_pernet; - - return 0; -out_pernet: - nf_ct_l4proto_unregister(&dccp_proto6); -out_dccp6: - nf_ct_l4proto_unregister(&dccp_proto4); -out_dccp4: - return ret; + return register_pernet_subsys(&dccp_net_ops); } static void __exit nf_conntrack_proto_dccp_fini(void) { - nf_ct_l4proto_unregister(&dccp_proto6); - nf_ct_l4proto_unregister(&dccp_proto4); unregister_pernet_subsys(&dccp_net_ops); } 
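Review bot: The rewritten failure messages in dccp_net_init() read `nf_conntrack_l4proto_dccp4 :protocol register failed.`, with the space on the wrong side of the colon, and they no longer say that the failure happened during per-namespace setup. Since this function runs once per network namespace, a message such as `pr_err("nf_conntrack_dccp4: netns protocol registration failed.\n");` is easier to search for and to interpret in logs. The same formatting is introduced in the GRE, SCTP and UDP-Lite hunks below.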
diff --git a/trunk/net/netfilter/nf_conntrack_proto_gre.c b/trunk/net/netfilter/nf_conntrack_proto_gre.c index bd7d01d9c7e7..b09b7af7f6f8 100644 --- a/trunk/net/netfilter/nf_conntrack_proto_gre.c +++ b/trunk/net/netfilter/nf_conntrack_proto_gre.c @@ -397,15 +397,15 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = { static int proto_gre_net_init(struct net *net) { int ret = 0; - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_gre4); + ret = nf_conntrack_l4proto_register(net, &nf_conntrack_l4proto_gre4); if (ret < 0) - pr_err("nf_conntrack_gre4: pernet registration failed.\n"); + pr_err("nf_conntrack_l4proto_gre4 :protocol register failed.\n"); return ret; } static void proto_gre_net_exit(struct net *net) { - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_gre4); + nf_conntrack_l4proto_unregister(net, &nf_conntrack_l4proto_gre4); nf_ct_gre_keymap_flush(net); } @@ -418,26 +418,11 @@ static struct pernet_operations proto_gre_net_ops = { static int __init nf_ct_proto_gre_init(void) { - int ret; - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_gre4); - if (ret < 0) - goto out_gre4; - - ret = register_pernet_subsys(&proto_gre_net_ops); - if (ret < 0) - goto out_pernet; - - return 0; -out_pernet: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_gre4); -out_gre4: - return ret; + return register_pernet_subsys(&proto_gre_net_ops); } static void __exit nf_ct_proto_gre_fini(void) { - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_gre4); unregister_pernet_subsys(&proto_gre_net_ops); } diff --git a/trunk/net/netfilter/nf_conntrack_proto_sctp.c b/trunk/net/netfilter/nf_conntrack_proto_sctp.c index 480f616d5936..c746d61f83ed 100644 --- a/trunk/net/netfilter/nf_conntrack_proto_sctp.c +++ b/trunk/net/netfilter/nf_conntrack_proto_sctp.c 
@@ -853,28 +853,33 @@ static int sctp_net_init(struct net *net) { int ret = 0; - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp4); + ret = nf_conntrack_l4proto_register(net, + &nf_conntrack_l4proto_sctp4); if (ret < 0) { - pr_err("nf_conntrack_sctp4: pernet registration failed.\n"); + pr_err("nf_conntrack_l4proto_sctp4 :protocol register failed.\n"); goto out; } - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_sctp6); + ret = nf_conntrack_l4proto_register(net, + &nf_conntrack_l4proto_sctp6); if (ret < 0) { - pr_err("nf_conntrack_sctp6: pernet registration failed.\n"); + pr_err("nf_conntrack_l4proto_sctp6 :protocol register failed.\n"); goto cleanup_sctp4; } return 0; cleanup_sctp4: - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_sctp4); out: return ret; } static void sctp_net_exit(struct net *net) { - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp6); - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_sctp4); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_sctp6); + nf_conntrack_l4proto_unregister(net, + &nf_conntrack_l4proto_sctp4); } static struct pernet_operations sctp_net_ops = { 
@@ -886,33 +891,11 @@ static struct pernet_operations sctp_net_ops = { static int __init nf_conntrack_proto_sctp_init(void) { - int ret; - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp4); - if (ret < 0) - goto out_sctp4; - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_sctp6); - if (ret < 0) - goto out_sctp6; - - ret = register_pernet_subsys(&sctp_net_ops); - if (ret < 0) - goto out_pernet; - - return 0; -out_pernet: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6); -out_sctp6: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4); -out_sctp4: - return ret; + return register_pernet_subsys(&sctp_net_ops); } static void __exit nf_conntrack_proto_sctp_fini(void) { - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp6); - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_sctp4); unregister_pernet_subsys(&sctp_net_ops); } diff --git a/trunk/net/netfilter/nf_conntrack_proto_udplite.c b/trunk/net/netfilter/nf_conntrack_proto_udplite.c index 157489581c31..4b66df209286 100644 --- a/trunk/net/netfilter/nf_conntrack_proto_udplite.c +++ b/trunk/net/netfilter/nf_conntrack_proto_udplite.c 
@@ -336,28 +336,30 @@ static int udplite_net_init(struct net *net) { int ret = 0; - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_udplite4); + ret = nf_conntrack_l4proto_register(net, + &nf_conntrack_l4proto_udplite4); if (ret < 0) { - pr_err("nf_conntrack_udplite4: pernet registration failed.\n"); + pr_err("nf_conntrack_l4proto_udplite4 :protocol register failed.\n"); goto out; } - ret = nf_ct_l4proto_pernet_register(net, &nf_conntrack_l4proto_udplite6); + ret = nf_conntrack_l4proto_register(net, + &nf_conntrack_l4proto_udplite6); if (ret < 0) { - pr_err("nf_conntrack_udplite6: pernet registration failed.\n"); + pr_err("nf_conntrack_l4proto_udplite4 :protocol register failed.\n"); goto cleanup_udplite4; } return 0; cleanup_udplite4: - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_udplite4); + nf_conntrack_l4proto_unregister(net, &nf_conntrack_l4proto_udplite4); out: return ret; } static void udplite_net_exit(struct net *net) { - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_udplite6); - nf_ct_l4proto_pernet_unregister(net, &nf_conntrack_l4proto_udplite4); + nf_conntrack_l4proto_unregister(net, &nf_conntrack_l4proto_udplite6); + nf_conntrack_l4proto_unregister(net, &nf_conntrack_l4proto_udplite4); } static struct pernet_operations udplite_net_ops = { 
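Review bot: The failure branch for nf_conntrack_l4proto_udplite6 in udplite_net_init() logs `nf_conntrack_l4proto_udplite4`, so an IPv6 registration failure is reported as an IPv4 one. The removed line named udplite6 correctly. The replacement should read `pr_err("nf_conntrack_l4proto_udplite6 :protocol register failed.\n");`, ideally with the colon spacing fixed as well.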
@@ -369,33 +371,11 @@ static struct pernet_operations udplite_net_ops = { static int __init nf_conntrack_proto_udplite_init(void) { - int ret; - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_udplite4); - if (ret < 0) - goto out_udplite4; - - ret = nf_ct_l4proto_register(&nf_conntrack_l4proto_udplite6); - if (ret < 0) - goto out_udplite6; - - ret = register_pernet_subsys(&udplite_net_ops); - if (ret < 0) - goto out_pernet; - - return 0; -out_pernet: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite6); -out_udplite6: - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite4); -out_udplite4: - return ret; + return register_pernet_subsys(&udplite_net_ops); } static void __exit nf_conntrack_proto_udplite_exit(void) { - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite6); - nf_ct_l4proto_unregister(&nf_conntrack_l4proto_udplite4); unregister_pernet_subsys(&udplite_net_ops); } diff --git a/trunk/net/netfilter/nf_conntrack_sip.c b/trunk/net/netfilter/nf_conntrack_sip.c index 72a67bbe3518..df8f4f284481 100644 --- a/trunk/net/netfilter/nf_conntrack_sip.c +++ b/trunk/net/netfilter/nf_conntrack_sip.c 
@@ -1440,25 +1440,8 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff, { enum ip_conntrack_info ctinfo; struct nf_conn *ct = nf_ct_get(skb, &ctinfo); - struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct); - enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); unsigned int matchoff, matchlen; unsigned int cseq, i; - union nf_inet_addr addr; - __be16 port; - - /* Many Cisco IP phones use a high source port for SIP requests, but - * listen for the response on port 5060. If we are the local - * router for one of these phones, save the port number from the - * Via: header so that nf_nat_sip can redirect the responses to - * the correct port. - */ - if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen, - SIP_HDR_VIA_UDP, NULL, &matchoff, - &matchlen, &addr, &port) > 0 && - port != ct->tuplehash[dir].tuple.src.u.udp.port && - nf_inet_addr_cmp(&addr, &ct->tuplehash[dir].tuple.src.u3)) - ct_sip_info->forced_dport = port; for (i = 0; i < ARRAY_SIZE(sip_handlers); i++) { const struct sip_handler *handler; diff --git a/trunk/net/netfilter/nf_conntrack_snmp.c b/trunk/net/netfilter/nf_conntrack_snmp.c index 87b95a2c270c..6e545e26289e 100644 --- a/trunk/net/netfilter/nf_conntrack_snmp.c +++ b/trunk/net/netfilter/nf_conntrack_snmp.c @@ -16,7 +16,6 @@ #include #include #include -#include #define SNMP_PORT 161 diff --git a/trunk/net/netfilter/nf_conntrack_standalone.c b/trunk/net/netfilter/nf_conntrack_standalone.c index 7936bf7f90ba..e7185c684816 100644 --- a/trunk/net/netfilter/nf_conntrack_standalone.c +++ b/trunk/net/netfilter/nf_conntrack_standalone.c @@ -472,6 +472,13 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net) { struct ctl_table *table; + if (net_eq(net, &init_net)) { + nf_ct_netfilter_header = + register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); + if (!nf_ct_netfilter_header) + goto out; + } + table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table), GFP_KERNEL); if (!table) 
@@ -495,6 +502,10 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net) out_unregister_netfilter: kfree(table); out_kmemdup: + if (net_eq(net, &init_net)) + unregister_net_sysctl_table(nf_ct_netfilter_header); +out: + printk(KERN_ERR "nf_conntrack: can't register to sysctl.\n"); return -ENOMEM; } @@ -502,6 +513,8 @@ static void nf_conntrack_standalone_fini_sysctl(struct net *net) { struct ctl_table *table; + if (net_eq(net, &init_net)) + unregister_net_sysctl_table(nf_ct_netfilter_header); table = net->ct.sysctl_header->ctl_table_arg; unregister_net_sysctl_table(net->ct.sysctl_header); kfree(table); 
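Review bot: The new `out:` label is reached by fall-through from `out_unregister_netfilter` and `out_kmemdup` as well as by the added `goto out`, so every failure of nf_conntrack_standalone_init_sysctl(), in any namespace, now logs "can't register to sysctl" and returns -ENOMEM. That includes a plain kmemdup() failure, where the message points at the wrong cause. Logging at the site that actually failed would make the message trustworthy. The line itself would be better as `pr_err("nf_conntrack: can't register to sysctl.\n");`, the form used by the code this commit removes from nf_conntrack_standalone_init(). The start of the function lies outside this hunk.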
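Review bot: Teardown in nf_conntrack_standalone_fini_sysctl() is not the reverse of setup. The init path registers `nf_ct_netfilter_header` first and the per-namespace table second, but the two added lines unregister `nf_ct_netfilter_header` before `net->ct.sysctl_header`. Moving `if (net_eq(net, &init_net)) unregister_net_sysctl_table(nf_ct_netfilter_header);` below `kfree(table);` would mirror the order already used on the init error path. The closing lines of the function are outside this hunk.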
@@ -517,85 +530,51 @@ static void nf_conntrack_standalone_fini_sysctl(struct net *net) } #endif /* CONFIG_SYSCTL */ -static int nf_conntrack_pernet_init(struct net *net) +static int nf_conntrack_net_init(struct net *net) { int ret; - ret = nf_conntrack_init_net(net); + ret = nf_conntrack_init(net); if (ret < 0) goto out_init; - ret = nf_conntrack_standalone_init_proc(net); if (ret < 0) goto out_proc; - net->ct.sysctl_checksum = 1; net->ct.sysctl_log_invalid = 0; ret = nf_conntrack_standalone_init_sysctl(net); if (ret < 0) goto out_sysctl; - return 0; out_sysctl: nf_conntrack_standalone_fini_proc(net); out_proc: - nf_conntrack_cleanup_net(net); + nf_conntrack_cleanup(net); out_init: return ret; } -static void nf_conntrack_pernet_exit(struct net *net) +static void nf_conntrack_net_exit(struct net *net) { nf_conntrack_standalone_fini_sysctl(net); nf_conntrack_standalone_fini_proc(net); - nf_conntrack_cleanup_net(net); + nf_conntrack_cleanup(net); } static struct pernet_operations nf_conntrack_net_ops = { - .init = nf_conntrack_pernet_init, - .exit = nf_conntrack_pernet_exit, + .init = nf_conntrack_net_init, + .exit = nf_conntrack_net_exit, }; static int __init nf_conntrack_standalone_init(void) { - int ret = nf_conntrack_init_start(); - if (ret < 0) - goto out_start; - -#ifdef CONFIG_SYSCTL - nf_ct_netfilter_header = - register_net_sysctl(&init_net, "net", nf_ct_netfilter_table); - if (!nf_ct_netfilter_header) { - pr_err("nf_conntrack: can't register to sysctl.\n"); - goto out_sysctl; - } -#endif - - ret = register_pernet_subsys(&nf_conntrack_net_ops); - if (ret < 0) - goto out_pernet; - - nf_conntrack_init_end(); - return 0; - -out_pernet: -#ifdef CONFIG_SYSCTL - unregister_net_sysctl_table(nf_ct_netfilter_header); -out_sysctl: -#endif - nf_conntrack_cleanup_end(); -out_start: - return ret; + return register_pernet_subsys(&nf_conntrack_net_ops); } static void __exit nf_conntrack_standalone_fini(void) { - nf_conntrack_cleanup_start(); 
unregister_pernet_subsys(&nf_conntrack_net_ops); -#ifdef CONFIG_SYSCTL - unregister_net_sysctl_table(nf_ct_netfilter_header); -#endif nf_conntrack_cleanup_end(); } diff --git a/trunk/net/netfilter/nf_conntrack_timeout.c b/trunk/net/netfilter/nf_conntrack_timeout.c index 93da609d9d29..a878ce5b252c 100644 --- a/trunk/net/netfilter/nf_conntrack_timeout.c +++ b/trunk/net/netfilter/nf_conntrack_timeout.c @@ -37,15 +37,24 @@ static struct nf_ct_ext_type timeout_extend __read_mostly = { .id = NF_CT_EXT_TIMEOUT, }; -int nf_conntrack_timeout_init(void) +int nf_conntrack_timeout_init(struct net *net) { - int ret = nf_ct_extend_register(&timeout_extend); - if (ret < 0) - pr_err("nf_ct_timeout: Unable to register timeout extension.\n"); - return ret; + int ret = 0; + + if (net_eq(net, &init_net)) { + ret = nf_ct_extend_register(&timeout_extend); + if (ret < 0) { + printk(KERN_ERR "nf_ct_timeout: Unable to register " + "timeout extension.\n"); + return ret; + } + } + + return 0; } -void nf_conntrack_timeout_fini(void) +void nf_conntrack_timeout_fini(struct net *net) { - nf_ct_extend_unregister(&timeout_extend); + if (net_eq(net, &init_net)) + nf_ct_extend_unregister(&timeout_extend); } diff --git a/trunk/net/netfilter/nf_conntrack_timestamp.c b/trunk/net/netfilter/nf_conntrack_timestamp.c index 902fb0a6b38a..7ea8026f07c9 100644 --- a/trunk/net/netfilter/nf_conntrack_timestamp.c +++ b/trunk/net/netfilter/nf_conntrack_timestamp.c 
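Review bot: nf_conntrack_standalone_fini() keeps its call to `nf_conntrack_cleanup_end()`, while the new nf_conntrack_standalone_init() is reduced to `return register_pernet_subsys(&nf_conntrack_net_ops);`. Module exit therefore runs a global cleanup step that has no visible counterpart in module init. The definition of nf_conntrack_cleanup_end() is not on this page, so this may well be intentional. A one-line comment above the call, for example `/* global teardown that has to wait until every netns exit handler has run */` (wording to be checked against the definition), would record why it stays.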
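Review bot: `timeout_extend` is a single global extension type, yet nf_conntrack_timeout_fini() now unregisters it as soon as it is called for `init_net`, and nothing in this hunk guarantees that the other namespaces have been torn down by then. If the caller can run the exit path for `init_net` before another namespace's, conntrack entries there could briefly outlive the extension type they reference. nf_conntrack_tstamp_fini() in nf_conntrack_timestamp.c follows the same pattern with `tstamp_extend`. Either keep the register/unregister pair tied to module load and unload, or state the ordering assumption in place with `/* global ext type: relies on init_net being the last netns to exit */`.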
@@ -88,28 +88,37 @@ static void nf_conntrack_tstamp_fini_sysctl(struct net *net) } #endif -int nf_conntrack_tstamp_pernet_init(struct net *net) +int nf_conntrack_tstamp_init(struct net *net) { + int ret; + net->ct.sysctl_tstamp = nf_ct_tstamp; - return nf_conntrack_tstamp_init_sysctl(net); -} -void nf_conntrack_tstamp_pernet_fini(struct net *net) -{ - nf_conntrack_tstamp_fini_sysctl(net); - nf_ct_extend_unregister(&tstamp_extend); -} + if (net_eq(net, &init_net)) { + ret = nf_ct_extend_register(&tstamp_extend); + if (ret < 0) { + printk(KERN_ERR "nf_ct_tstamp: Unable to register " + "extension\n"); + goto out_extend_register; + } + } -int nf_conntrack_tstamp_init(void) -{ - int ret; - ret = nf_ct_extend_register(&tstamp_extend); + ret = nf_conntrack_tstamp_init_sysctl(net); if (ret < 0) - pr_err("nf_ct_tstamp: Unable to register extension\n"); + goto out_sysctl; + + return 0; + +out_sysctl: + if (net_eq(net, &init_net)) + nf_ct_extend_unregister(&tstamp_extend); +out_extend_register: return ret; } -void nf_conntrack_tstamp_fini(void) +void nf_conntrack_tstamp_fini(struct net *net) { - nf_ct_extend_unregister(&tstamp_extend); + nf_conntrack_tstamp_fini_sysctl(net); + if (net_eq(net, &init_net)) + nf_ct_extend_unregister(&tstamp_extend); } diff --git a/trunk/net/netfilter/nf_nat_sip.c b/trunk/net/netfilter/nf_nat_sip.c index 5951146e7688..16303c752213 100644 --- a/trunk/net/netfilter/nf_nat_sip.c +++ b/trunk/net/netfilter/nf_nat_sip.c @@ -95,7 +95,6 @@ static int map_addr(struct sk_buff *skb, unsigned int protoff, enum ip_conntrack_info ctinfo; struct nf_conn *ct = nf_ct_get(skb, &ctinfo); enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); - struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct); char buffer[INET6_ADDRSTRLEN + sizeof("[]:nnnnn")]; unsigned int buflen; union nf_inet_addr newaddr; 
@@ -108,8 +107,7 @@ static int map_addr(struct sk_buff *skb, unsigned int protoff, } else if (nf_inet_addr_cmp(&ct->tuplehash[dir].tuple.dst.u3, addr) && ct->tuplehash[dir].tuple.dst.u.udp.port == port) { newaddr = ct->tuplehash[!dir].tuple.src.u3; - newport = ct_sip_info->forced_dport ? : - ct->tuplehash[!dir].tuple.src.u.udp.port; + newport = ct->tuplehash[!dir].tuple.src.u.udp.port; } else return 1; @@ -146,7 +144,6 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff, enum ip_conntrack_info ctinfo; struct nf_conn *ct = nf_ct_get(skb, &ctinfo); enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); - struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct); unsigned int coff, matchoff, matchlen; enum sip_header_types hdr; union nf_inet_addr addr; @@ -261,21 +258,6 @@ static unsigned int nf_nat_sip(struct sk_buff *skb, unsigned int protoff, !map_sip_addr(skb, protoff, dataoff, dptr, datalen, SIP_HDR_TO)) return NF_DROP; - /* Mangle destination port for Cisco phones, then fix up checksums */ - if (dir == IP_CT_DIR_REPLY && ct_sip_info->forced_dport) { - struct udphdr *uh; - - if (!skb_make_writable(skb, skb->len)) - return NF_DROP; - - uh = (void *)skb->data + protoff; - uh->dest = ct_sip_info->forced_dport; - - if (!nf_nat_mangle_udp_packet(skb, ct, ctinfo, protoff, - 0, 0, NULL, 0)) - return NF_DROP; - } - return NF_ACCEPT; } @@ -329,10 +311,8 @@ static unsigned int nf_nat_sip_expect(struct sk_buff *skb, unsigned int protoff, enum ip_conntrack_info ctinfo; struct nf_conn *ct = nf_ct_get(skb, &ctinfo); enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); - struct nf_ct_sip_master *ct_sip_info = nfct_help_data(ct); union nf_inet_addr newaddr; u_int16_t port; - __be16 srcport; char buffer[INET6_ADDRSTRLEN + sizeof("[]:nnnnn")]; unsigned int buflen; 
@@ -346,9 +326,8 @@ static unsigned int nf_nat_sip_expect(struct sk_buff *skb, unsigned int protoff, /* If the signalling port matches the connection's source port in the * original direction, try to use the destination port in the opposite * direction. */ - srcport = ct_sip_info->forced_dport ? : - ct->tuplehash[dir].tuple.src.u.udp.port; - if (exp->tuple.dst.u.udp.port == srcport) + if (exp->tuple.dst.u.udp.port == + ct->tuplehash[dir].tuple.src.u.udp.port) port = ntohs(ct->tuplehash[!dir].tuple.dst.u.udp.port); else port = ntohs(exp->tuple.dst.u.udp.port); diff --git a/trunk/net/netfilter/xt_bpf.c b/trunk/net/netfilter/xt_bpf.c deleted file mode 100644 index 12d4da8e6c77..000000000000 --- a/trunk/net/netfilter/xt_bpf.c +++ /dev/null 
@@ -1,73 +0,0 @@
-/* Xtables module to match packets using a BPF filter.
- * Copyright 2013 Google Inc.
- * Written by Willem de Bruijn
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include
-#include
-#include
-
-#include
-#include
-
-MODULE_AUTHOR("Willem de Bruijn ");
-MODULE_DESCRIPTION("Xtables: BPF filter match");
-MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_bpf");
-MODULE_ALIAS("ip6t_bpf");
-
-static int bpf_mt_check(const struct xt_mtchk_param *par)
-{
- struct xt_bpf_info *info = par->matchinfo;
- struct sock_fprog program;
-
- program.len = info->bpf_program_num_elem;
- program.filter = (struct sock_filter __user *) info->bpf_program;
- if (sk_unattached_filter_create(&info->filter, &program)) {
- pr_info("bpf: check failed: parse error\n");
- return -EINVAL;
- }
-
- return 0;
-}
-
-static bool bpf_mt(const struct sk_buff *skb, struct xt_action_param *par)
-{
- const struct xt_bpf_info *info = par->matchinfo;
-
- return SK_RUN_FILTER(info->filter, skb);
-}
-
-static void bpf_mt_destroy(const struct xt_mtdtor_param *par)
-{
- const struct xt_bpf_info *info = par->matchinfo;
- sk_unattached_filter_destroy(info->filter);
-}
-
-static struct xt_match bpf_mt_reg __read_mostly = {
- .name = "bpf",
- .revision = 0,
- .family = NFPROTO_UNSPEC,
- .checkentry = bpf_mt_check,
- .match = bpf_mt,
- .destroy = bpf_mt_destroy,
- .matchsize = sizeof(struct xt_bpf_info),
- .me = THIS_MODULE,
-};
-
-static int __init bpf_mt_init(void)
-{
- return xt_register_match(&bpf_mt_reg);
-}
-
-static void __exit bpf_mt_exit(void)
-{
- xt_unregister_match(&bpf_mt_reg);
-}
-
-module_init(bpf_mt_init);
-module_exit(bpf_mt_exit);
diff --git a/trunk/net/netfilter/xt_connlabel.c b/trunk/net/netfilter/xt_connlabel.c
deleted file mode 100644
index 9f8719df2001..000000000000
--- a/trunk/net/netfilter/xt_connlabel.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * (C) 2013 Astaro GmbH & Co KG
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include
-#include
-#include
-#include
-#include
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Florian Westphal ");
-MODULE_DESCRIPTION("Xtables: add/match connection trackling labels");
-MODULE_ALIAS("ipt_connlabel");
-MODULE_ALIAS("ip6t_connlabel");
-
-static bool
-connlabel_mt(const struct sk_buff *skb, struct xt_action_param *par)
-{
- const struct xt_connlabel_mtinfo *info = par->matchinfo;
- enum ip_conntrack_info ctinfo;
- struct nf_conn *ct;
- bool invert = info->options & XT_CONNLABEL_OP_INVERT;
-
- ct = nf_ct_get(skb, &ctinfo);
- if (ct == NULL || nf_ct_is_untracked(ct))
- return invert;
-
- if (info->options & XT_CONNLABEL_OP_SET)
- return (nf_connlabel_set(ct, info->bit) == 0) ^ invert;
-
- return nf_connlabel_match(ct, info->bit) ^ invert;
-}
-
-static int connlabel_mt_check(const struct xt_mtchk_param *par)
-{
- const int options = XT_CONNLABEL_OP_INVERT |
- XT_CONNLABEL_OP_SET;
- struct xt_connlabel_mtinfo *info = par->matchinfo;
- int ret;
- size_t words;
-
- if (info->bit > XT_CONNLABEL_MAXBIT)
- return -ERANGE;
-
- if (info->options & ~options) {
- pr_err("Unknown options in mask %x\n", info->options);
- return -EINVAL;
- }
-
- ret = nf_ct_l3proto_try_module_get(par->family);
- if (ret < 0) {
- pr_info("cannot load conntrack support for proto=%u\n",
- par->family);
- return ret;
- }
-
- par->net->ct.labels_used++;
- words = BITS_TO_LONGS(info->bit+1);
- if (words > par->net->ct.label_words)
- par->net->ct.label_words = words;
-
- return ret;
-}
-
-static void connlabel_mt_destroy(const struct xt_mtdtor_param *par)
-{
- par->net->ct.labels_used--;
- if (par->net->ct.labels_used == 0)
- par->net->ct.label_words = 0;
- nf_ct_l3proto_module_put(par->family);
-}
-
-static struct xt_match connlabels_mt_reg __read_mostly = {
- .name = "connlabel",
- .family = NFPROTO_UNSPEC,
- .checkentry = connlabel_mt_check,
- .match = connlabel_mt,
- .matchsize = sizeof(struct xt_connlabel_mtinfo),
- .destroy = connlabel_mt_destroy,
- .me = THIS_MODULE,
-};
-
-static int __init connlabel_mt_init(void)
-{
- return xt_register_match(&connlabels_mt_reg);
-}
-
-static void __exit connlabel_mt_exit(void)
-{
- xt_unregister_match(&connlabels_mt_reg);
-}
-
-module_init(connlabel_mt_init);
-module_exit(connlabel_mt_exit);