Similar to how IPv4's ip_output.c works, have ip6_output also check
the IPSKB_REROUTED flag. It will be set from xt_TEE for cloned packets
since Xtables can currently only deal with a single packet in flight
at a time.
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
Acked-by: NDavid S. Miller <davem@davemloft.net>
[Patrick: changed to use an IP6SKB value instead of IPSKB]
Signed-off-by: NPatrick McHardy <kaber@trash.net>

Patrick McHardy notes: "We used to invoke IPv4 POST_ROUTING after
fragmentation as well just to defragment the packets in conntrack
immediately afterwards, but that got changed during the
netfilter-ipsec integration. Ideally IPv6 would behave like IPv4."

This patch makes it so. Sending an oversized frame (e.g. `ping6
-s64000 -c1 ::1`) will now show up in POSTROUTING as a single skb
rather than multiple ones.
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

ip_refrag isn't used anymore in the bridge-netfilter code
Signed-off-by: NBart De Schuymer <bdschuym@pandora.be>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

bridge-netfilter: cleanup br_netfilter.c

- remove some of the graffiti at the head of br_netfilter.c
- remove __br_dnat_complain()
- remove KERN_INFO messages when CONFIG_NETFILTER_DEBUG is defined
Signed-off-by: NBart De Schuymer <bdschuym@pandora.be>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

Fix some coding styles and remove moduleparam.h
Signed-off-by: NZhitong Wang <zhitong.wangzt@alibaba-inc.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

Add reference counting to the netfilter LED target, to fix errors when
multiple rules point to the same target ("LED trigger already exists").
Signed-off-by: NAdam Nielsen <a.nielsen@shikadi.net>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

The CONFIG_PROVE_RCU option discovered a few invalid uses of
rcu_dereference() in netfilter. In all these cases, the code code
intends to check whether a pointer is already assigned when
performing registration or whether the assigned pointer matches
when performing unregistration. The entire registration/
unregistration is protected by a mutex, so we don't need the
rcu_dereference() calls.
Reported-by: NValdis Kletnieks <Valdis.Kletnieks@vt.edu>
Tested-by: NValdis Kletnieks <Valdis.Kletnieks@vt.edu>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

As we will set ip_summed to CHECKSUM_NONE when necessary in
nfqnl_mangle, there is no need to zap CHECKSUM_COMPLETE in
nfqnl_build_packet_message.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

As we will set ip_summed to CHECKSUM_NONE when necessary in
ipq_mangle_ipv6, there is no need to zap CHECKSUM_COMPLETE in
ipq_build_packet_message.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

While doing yet another audit on ip_summed I noticed ip_queue
calling skb_checksum_help unnecessarily.  As we will set ip_summed
to CHECKSUM_NONE when necessary in ipq_mangle_ipv4, there is no
need to zap CHECKSUM_COMPLETE in ipq_build_packet_message.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

When protocols use very long names, the sprintf calls might overflow
the on-stack buffer. No protocol in the kernel does this however.

Print the protocol name in the pr_debug statement directly to avoid
this.

Based on patch by Zhitong Wang <zhitong.wangzt@alibaba-inc.com>
Acked-by: NSimon Horman <horms@verge.net.au>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

xt_hashlimit uses a central lock per hash table and suffers from
contention on some workloads. (Multiqueue NIC or if RPS is enabled)

After RCU conversion, central lock is only used when a writer wants to
add or delete an entry.

For 'readers', updating an existing entry, they use an individual lock
per entry.
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

If clusterip_seq_start() memory allocation fails, we crash later in
clusterip_seq_start(), trying to kfree(ERR_PTR(-ENOMEM))
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

Message size should be dependent on the presence of an accounting
extension, not on CONFIG_NF_CT_ACCT definition.
Signed-off-by: NJiri Pirko <jpirko@redhat.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Superseded by xt_string revision 1 (linux v2.6.26-rc8-1127-g4ad3f261,
iptables 1.4.2-rc1).
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Superseded by xt_multiport revision 1 (introduction already predates
linux.git).
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Superseded by xt_hashlimit revision 1 (linux v2.6.24-6212-g09e410de,
iptables 1.4.1-rc1).
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

The return value of nf_ct_l3proto_get can directly be returned even in
the case of success.
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

When extended status codes are available, such as ENOMEM on failed
allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
them up to userspace seems like a good idea compared to just always
EINVAL.
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Part of the transition of done by this semantic patch:
// <smpl>
@ rule1 @
struct xt_target ops;
identifier check;
@@
 ops.checkentry = check;

@@
identifier rule1.check;
@@
 check(...) { <...
-return true;
+return 0;
 ...> }

@@
identifier rule1.check;
@@
 check(...) { <...
-return false;
+return -EINVAL;
 ...> }
// </smpl>
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

The following semantic patch does part of the transformation:
// <smpl>
@ rule1 @
struct xt_match ops;
identifier check;
@@
 ops.checkentry = check;

@@
identifier rule1.check;
@@
 check(...) { <...
-return true;
+return 0;
 ...> }

@@
identifier rule1.check;
@@
 check(...) { <...
-return false;
+return -EINVAL;
 ...> }
// </smpl>
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Restore function signatures from bool to int so that we can report
memory allocation failures or similar using -ENOMEM rather than
always having to pass -EINVAL back.

// <smpl>
@@
type bool;
identifier check, par;
@@
-bool check
+int check
 (struct xt_tgchk_param *par) { ... }
// </smpl>

Minus the change it does to xt_ct_find_proto.
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Restore function signatures from bool to int so that we can report
memory allocation failures or similar using -ENOMEM rather than
always having to pass -EINVAL back.

This semantic patch may not be too precise (checking for functions
that use xt_mtchk_param rather than functions referenced by
xt_match.checkentry), but reviewed, it produced the intended result.

// <smpl>
@@
type bool;
identifier check, par;
@@
-bool check
+int check
 (struct xt_mtchk_param *par) { ... }
// </smpl>
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

As I'm changing the return values soon, I want to have a clear visual
path.
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Semantic patch:
// <smpl>
@@
@@
 IP_VS_XMIT(
-PF_INET6,
+NFPROTO_IPV6,
 ...)

@@
@@
 IP_VS_XMIT(
-PF_INET,
+NFPROTO_IPV4,
 ...)
// </smpl>
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

The semantic patch used was:
// <smpl>
@@
@@
 NF_HOOK(
-PF_DECnet,
+NFPROTO_DECNET,
 ...)
// </smpl>
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

The semantic patch that was used:
// <smpl>
@@
@@
(NF_HOOK
|NF_HOOK_THRESH
|nf_hook
)(
-PF_INET6,
+NFPROTO_IPV6,
 ...)
// </smpl>
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

The semantic patch that was used:
// <smpl>
@@
@@
(NF_HOOK
|NF_HOOK_COND
|nf_hook
)(
-PF_INET,
+NFPROTO_IPV4,
 ...)
// </smpl>
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

The first argument to NF_HOOK* is an nfproto since quite some time.
Commit v2.6.27-2457-gfdc9314c was the first to practically start using
the new names. Do that now for the remaining NF_HOOK calls.

The semantic patch used was:
// <smpl>
@@
@@
(NF_HOOK
|NF_HOOK_THRESH
)(
-PF_BRIDGE,
+NFPROTO_BRIDGE,
 ...)

@@
@@
 NF_HOOK(
-PF_INET6,
+NFPROTO_IPV6,
 ...)

@@
@@
 NF_HOOK(
-PF_INET,
+NFPROTO_IPV4,
 ...)
// </smpl>
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Supplement to 1159683e.

Downgrade the log level to INFO for most checkentry messages as they
are, IMO, just an extra information to the -EINVAL code that is
returned as part of a parameter "constraint violation". Leave errors
to real errors, such as being unable to create a LED trigger.
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Supplement to aa5fa318.
The semantic patch for this change is:

// <smpl>
@@
struct xt_target_param *par;
@@
-par->target->family
+par->family

@@
struct xt_tgchk_param *par;
@@
-par->target->family
+par->family

@@
struct xt_tgdtor_param *par;
@@
-par->target->family
+par->family
// </smpl>
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Remove unused headers in net/ipv4/netfilter/nf_nat_h323.c
Signed-off-by: NZhitong Wang <zhitong.wangzt@alibaba-inc.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

Remove unused headers in net/ipv6/netfilter/ip6t_LOG.c
Signed-off-by: NZhitong Wang <zhitong.wangzt@alibaba-inc.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>

Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

Signed-off-by: NJan Engelhardt <jengelh@medozas.de>

ENOMEM is a very obvious error code (cf. EINVAL), so I think we do not
really need a warning message. Not to mention that if the allocation
fails, the user is most likely going to get a stack trace from slab
already.
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>