[NETFILTER 00/22]: Netfilter update/fixes

[NETFILTER 00/22]: Netfilter update/fixes

[Patrick McHardy]

Hi Dave,

following are a number of fixes for netfilter, fixing RCU issues all over the
place, including the invalid preemption assumptions in the NF_CT_STAT_INC macro.
Additionally there are a few minor enhancements for things I noticed while going
over the code: replacement of a few unnecessary spinlocks by mutexes, some
cleanup for nf_log.c and some return value cleanup for unregistration functions.

With these patches I think there should be nothing left holding back the
preemptable RCU merge from netfilter's perspective.

Please apply, thanks.


 include/linux/netfilter.h                      |    4 
 include/linux/netfilter_ipv4/ip_conntrack.h    |    6 
 include/net/netfilter/nf_conntrack.h           |    6 
 include/net/netfilter/nf_conntrack_l3proto.h   |    4 
 include/net/netfilter/nf_conntrack_l4proto.h   |    2 
 net/bridge/netfilter/ebt_log.c                 |    2 
 net/bridge/netfilter/ebt_ulog.c                |    2 
 net/ipv4/netfilter/Kconfig                     |    8 
 net/ipv4/netfilter/ip_conntrack_core.c         |   53 +++---
 net/ipv4/netfilter/ip_conntrack_standalone.c   |    9 -
 net/ipv4/netfilter/ip_nat_core.c               |   74 ++++----
 net/ipv4/netfilter/ipt_LOG.c                   |    2 
 net/ipv4/netfilter/ipt_ULOG.c                  |    2 
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |    2 
 net/ipv4/netfilter/nf_nat_core.c               |   75 ++++----
 net/ipv6/netfilter/Kconfig                     |    3 
 net/ipv6/netfilter/ip6t_LOG.c                  |    2 
 net/ipv6/netfilter/ip6t_mh.c                   |    7 
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    4 
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    1 
 net/netfilter/Kconfig                          |   12 +
 net/netfilter/core.c                           |   45 +++--
 net/netfilter/nf_conntrack_core.c              |   72 +++++---
 net/netfilter/nf_conntrack_expect.c            |    2 
 net/netfilter/nf_conntrack_ftp.c               |   14 -
 net/netfilter/nf_conntrack_h323_main.c         |   20 +-
 net/netfilter/nf_conntrack_irc.c               |    2 
 net/netfilter/nf_conntrack_l3proto_generic.c   |    2 
 net/netfilter/nf_conntrack_netbios_ns.c        |    2 
 net/netfilter/nf_conntrack_netlink.c           |  106 ++++++------
 net/netfilter/nf_conntrack_pptp.c              |    2 
 net/netfilter/nf_conntrack_proto.c             |   73 ++------
 net/netfilter/nf_conntrack_proto_sctp.c        |   72 ++++----
 net/netfilter/nf_conntrack_proto_tcp.c         |  210 ++++++++++++-------------
 net/netfilter/nf_conntrack_sip.c               |    6 
 net/netfilter/nf_conntrack_standalone.c        |    2 
 net/netfilter/nf_conntrack_tftp.c              |    2 
 net/netfilter/nf_internals.h                   |    2 
 net/netfilter/nf_log.c                         |   69 ++++----
 net/netfilter/nf_queue.c                       |   22 +-
 net/netfilter/nf_sockopt.c                     |   12 -
 net/netfilter/nfnetlink.c                      |   10 -
 net/netfilter/nfnetlink_log.c                  |   54 +++---
 net/netfilter/nfnetlink_queue.c                |   84 +++++-----
 net/netfilter/x_tables.c                       |   12 -
 net/netfilter/xt_CLASSIFY.c                    |   12 -
 net/netfilter/xt_MARK.c                        |    4 
 net/netfilter/xt_NFQUEUE.c                     |    4 
 net/netfilter/xt_NOTRACK.c                     |    4 
 net/netfilter/xt_SECMARK.c                     |    2 
 net/netfilter/xt_conntrack.c                   |   32 +--
 net/netfilter/xt_dccp.c                        |   20 +-
 net/netfilter/xt_hashlimit.c                   |    8 
 net/netfilter/xt_helper.c                      |   18 +-
 net/netfilter/xt_length.c                      |    4 
 net/netfilter/xt_limit.c                       |    2 
 net/netfilter/xt_mac.c                         |    7 
 net/netfilter/xt_mark.c                        |    6 
 net/netfilter/xt_multiport.c                   |    2 
 net/netfilter/xt_physdev.c                     |    2 
 net/netfilter/xt_policy.c                      |   24 +-
 net/netfilter/xt_quota.c                       |    4 
 net/netfilter/xt_realm.c                       |    2 
 net/netfilter/xt_sctp.c                        |   30 +--
 net/netfilter/xt_string.c                      |    8 
 net/netfilter/xt_tcpmss.c                      |    4 
 66 files changed, 709 insertions(+), 667 deletions(-)

Masahide NAKAMURA:
      [NETFILTER]: ip6t_mh: drop piggyback payload packet on MH packets

Patrick McHardy:
      [NETFILTER]: Properly use RCU in nf_ct_attach
      [NETFILTER]: Remove unnecessary synchronize_net() in nf_register_hook
      [NETFILTER]: Switch nf_register_afinfo/nf_unregister_afinfo to mutex
      [NETFILTER]: Switch nf_register_hook/nf_unregister_hook to mutex
      [NETFILTER]: nf_log: use rcu_assign_pointer for RCU protected pointer
      [NETFILTER]: nf_log: make nf_log_unregister_pf return void
      [NETFILTER]: nf_log: switch logger registration/unregistration to mutex
      [NETFILTER]: nf_log: minor cleanups
      [NETFILTER]: ip_nat: properly use RCU API for ip_nat_protos array
      [NETFILTER]: nf_nat: properly use RCU API for nf_nat_protos array
      [NETFILTER]: ip_conntrack: properly use RCU API for ip_ct_protos array
      [NETFILTER]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3protos arrays
      [NETFILTER]: ip_conntrack: fix invalid conntrack statistics RCU assumption
      [NETFILTER]: nf_conntrack: fix invalid conntrack statistics RCU assumption
      [NETFILTER]: ip_conntrack: properly use RCU for ip_conntrack_destroyed callback
      [NETFILTER]: nf_conntrack: properly use RCU for nf_conntrack_destroyed callback
      [NETFILTER]: nf_conntrack: change nf_conntrack_l[34]proto_unregister to void
      [NETFILTER]: xt_mac/xt_CLASSIFY: use IPv6 hook names for IPv6 registration
      [NETFILTER]: Kconfig: improve dependency handling
      [NETFILTER]: nf_conntrack_tcp: make sysctl variables static

YOSHIFUJI Hideaki:
      [NETFILTER]: Fix whitespace errors

[NETFILTER 01/22]: Properly use RCU in nf_ct_attach

[Patrick McHardy]

[NETFILTER]: Properly use RCU in nf_ct_attach

Use rcu_assign_pointer/rcu_dereference for ip_ct_attach pointer instead
of self-made RCU and use rcu_read_lock to make sure the conntrack module
doesn't disappear below us while calling it, since this function can be
called from outside the netfilter hooks.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit aa70e344f883b6fb4283024afa9af13376162ed3
tree f353ef51191c23f210f508b4edf1a7008e164e53
parent 70cdc55ed5432048c25025283f064323e3ae94f4
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:35:23 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:35:23 +0100

 net/ipv4/netfilter/ip_conntrack_core.c |    4 ++--
 net/netfilter/core.c                   |    9 ++++++---
 net/netfilter/nf_conntrack_core.c      |    4 ++--
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index 2e6e421..933b878 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1355,7 +1355,7 @@ static void free_conntrack_hash(struct l
    supposed to kill the mall. */
 void ip_conntrack_cleanup(void)
 {
-	ip_ct_attach = NULL;
+	rcu_assign_pointer(ip_ct_attach, NULL);
 
 	/* This makes sure all current packets have passed through
 	   netfilter framework.  Roll on, two-stage module
@@ -1516,7 +1516,7 @@ int __init ip_conntrack_init(void)
 	write_unlock_bh(&ip_conntrack_lock);
 
 	/* For use by ipt_REJECT */
-	ip_ct_attach = ip_conntrack_attach;
+	rcu_assign_pointer(ip_ct_attach, ip_conntrack_attach);
 
 	/* Set up fake conntrack:
 	    - to never be deleted, not in any hashes */
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 291b8c6..ad24d0c 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -248,9 +248,12 @@ void nf_ct_attach(struct sk_buff *new, s
 {
 	void (*attach)(struct sk_buff *, struct sk_buff *);
 
-	if (skb->nfct && (attach = ip_ct_attach) != NULL) {
-		mb(); /* Just to be sure: must be read before executing this */
-		attach(new, skb);
+	if (skb->nfct) {
+		rcu_read_lock();
+		attach = rcu_dereference(ip_ct_attach);
+		if (attach)
+			attach(new, skb);
+		rcu_read_unlock();
 	}
 }
 EXPORT_SYMBOL(nf_ct_attach);
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 9b02ec4..59bcab1 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1105,7 +1105,7 @@ void nf_conntrack_cleanup(void)
 {
 	int i;
 
-	ip_ct_attach = NULL;
+	rcu_assign_pointer(ip_ct_attach, NULL);
 
 	/* This makes sure all current packets have passed through
 	   netfilter framework.  Roll on, two-stage module
@@ -1273,7 +1273,7 @@ int __init nf_conntrack_init(void)
         write_unlock_bh(&nf_conntrack_lock);
 
 	/* For use by REJECT target */
-	ip_ct_attach = __nf_conntrack_attach;
+	rcu_assign_pointer(ip_ct_attach, __nf_conntrack_attach);
 
 	/* Set up fake conntrack:
 	    - to never be deleted, not in any hashes */

[NETFILTER 02/22]: Remove unnecessary synchronize_net() in nf_register_hook

[Patrick McHardy]

[NETFILTER]: Remove unnecessary synchronize_net() in nf_register_hook

We're only adding to the list, no need to synchronize.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 4e6bba5661fe72e2c570701be4fcf4f2fabfdff2
tree 12e74ddf2a81a31aa4b5d59ba39c6fd0b14d7f5d
parent aa70e344f883b6fb4283024afa9af13376162ed3
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:35:30 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:35:30 +0100

 net/netfilter/core.c |    2 --
 1 files changed, 0 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index ad24d0c..a66bd6a 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -69,8 +69,6 @@ int nf_register_hook(struct nf_hook_ops 
 	}
 	list_add_rcu(&reg->list, i->prev);
 	spin_unlock_bh(&nf_hook_lock);
-
-	synchronize_net();
 	return 0;
 }
 EXPORT_SYMBOL(nf_register_hook);

[NETFILTER 03/22]: Switch nf_register_afinfo/nf_unregister_afinfo to mutex

[Patrick McHardy]

[NETFILTER]: Switch nf_register_afinfo/nf_unregister_afinfo to mutex

The spinlock is only used in process context (register/unregister),
switch to a mutex.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit ccead672bf5800d7418940aea9c0e6a231bc1f09
tree 9908ac59b324b764b4e7caaf17dc8472df8e52d9
parent 4e6bba5661fe72e2c570701be4fcf4f2fabfdff2
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:15 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:15 +0100

 net/netfilter/core.c |   15 ++++++++++-----
 1 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index a66bd6a..716603f 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -22,29 +22,34 @@ #include <linux/if.h>
 #include <linux/netdevice.h>
 #include <linux/inetdevice.h>
 #include <linux/proc_fs.h>
+#include <linux/mutex.h>
 #include <net/sock.h>
 
 #include "nf_internals.h"
 
-static DEFINE_SPINLOCK(afinfo_lock);
+static DEFINE_MUTEX(afinfo_mutex);
 
 struct nf_afinfo *nf_afinfo[NPROTO] __read_mostly;
 EXPORT_SYMBOL(nf_afinfo);
 
 int nf_register_afinfo(struct nf_afinfo *afinfo)
 {
-	spin_lock(&afinfo_lock);
+	int err;
+
+	err = mutex_lock_interruptible(&afinfo_mutex);
+	if (err < 0)
+		return err;
 	rcu_assign_pointer(nf_afinfo[afinfo->family], afinfo);
-	spin_unlock(&afinfo_lock);
+	mutex_unlock(&afinfo_mutex);
 	return 0;
 }
 EXPORT_SYMBOL_GPL(nf_register_afinfo);
 
 void nf_unregister_afinfo(struct nf_afinfo *afinfo)
 {
-	spin_lock(&afinfo_lock);
+	mutex_lock(&afinfo_mutex);
 	rcu_assign_pointer(nf_afinfo[afinfo->family], NULL);
-	spin_unlock(&afinfo_lock);
+	mutex_unlock(&afinfo_mutex);
 	synchronize_rcu();
 }
 EXPORT_SYMBOL_GPL(nf_unregister_afinfo);

[NETFILTER 04/22]: Switch nf_register_hook/nf_unregister_hook to mutex

[Patrick McHardy]

[NETFILTER]: Switch nf_register_hook/nf_unregister_hook to mutex

The spinlock is only used in process context (register/unregister)
since RCU is used for the nf_hook lists, switch to a mutex.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 4694a2599998f08af77aa1a1ee2c6d6bc2020913
tree b5d2752f7e5f66afd4b7d4bcd2402f1e1c9bfae9
parent ccead672bf5800d7418940aea9c0e6a231bc1f09
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:19 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:19 +0100

 net/netfilter/core.c |   13 ++++++++-----
 1 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 716603f..f61e0c2 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -61,28 +61,31 @@ EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
  * packets come back: if the hook is gone, the packet is discarded. */
 struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS] __read_mostly;
 EXPORT_SYMBOL(nf_hooks);
-static DEFINE_SPINLOCK(nf_hook_lock);
+static DEFINE_MUTEX(nf_hook_mutex);
 
 int nf_register_hook(struct nf_hook_ops *reg)
 {
 	struct list_head *i;
+	int err;
 
-	spin_lock_bh(&nf_hook_lock);
+	err = mutex_lock_interruptible(&nf_hook_mutex);
+	if (err < 0)
+		return err;
 	list_for_each(i, &nf_hooks[reg->pf][reg->hooknum]) {
 		if (reg->priority < ((struct nf_hook_ops *)i)->priority)
 			break;
 	}
 	list_add_rcu(&reg->list, i->prev);
-	spin_unlock_bh(&nf_hook_lock);
+	mutex_unlock(&nf_hook_mutex);
 	return 0;
 }
 EXPORT_SYMBOL(nf_register_hook);
 
 void nf_unregister_hook(struct nf_hook_ops *reg)
 {
-	spin_lock_bh(&nf_hook_lock);
+	mutex_lock(&nf_hook_mutex);
 	list_del_rcu(&reg->list);
-	spin_unlock_bh(&nf_hook_lock);
+	mutex_unlock(&nf_hook_mutex);
 
 	synchronize_net();
 }

[NETFILTER 05/22]: nf_log: use rcu_assign_pointer for RCU protected pointer

[Patrick McHardy]

[NETFILTER]: nf_log: use rcu_assign_pointer for RCU protected pointer

Also replace synchronize_net() calls by synchronize_rcu() since the
RCU protected data is also used for sysfs.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit a3d379f952d0861a1e0d876f69f301d5174f7990
tree 2f439287b3e9388ef7f186ea108868a05f119f4d
parent 4694a2599998f08af77aa1a1ee2c6d6bc2020913
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:34 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:36:34 +0100

 net/netfilter/nf_log.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 8901b3a..d6c6a8d 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -46,11 +46,11 @@ int nf_log_unregister_pf(int pf)
 		return -EINVAL;
 
 	spin_lock(&nf_log_lock);
-	nf_logging[pf] = NULL;
+	rcu_assign_pointer(nf_logging[pf], NULL);
 	spin_unlock(&nf_log_lock);
 
 	/* Give time to concurrent readers. */
-	synchronize_net();
+	synchronize_rcu();
 
 	return 0;
 }
@@ -63,11 +63,11 @@ void nf_log_unregister_logger(struct nf_
 	spin_lock(&nf_log_lock);
 	for (i = 0; i < NPROTO; i++) {
 		if (nf_logging[i] == logger)
-			nf_logging[i] = NULL;
+			rcu_assign_pointer(nf_logging[i], NULL);
 	}
 	spin_unlock(&nf_log_lock);
 
-	synchronize_net();
+	synchronize_rcu();
 }
 EXPORT_SYMBOL(nf_log_unregister_logger);
 

[NETFILTER 06/22]: nf_log: make nf_log_unregister_pf return void

[Patrick McHardy]

[NETFILTER]: nf_log: make nf_log_unregister_pf return void

Since the only user of nf_log_unregister_pf (nfnetlink_log) doesn't
check the return value, change it to void and bail out silently when
a non-existant address family is supplied.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit ca4c6357b4568c1b8644385828a542475a86c5fa
tree f5068e54682875208ff5d05cf7af434094daf545
parent a3d379f952d0861a1e0d876f69f301d5174f7990
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:02 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:02 +0100

 include/linux/netfilter.h |    2 +-
 net/netfilter/nf_log.c    |    7 ++-----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index d4c4c51..18a6790 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -172,7 +172,7 @@ struct nf_logger {
 
 /* Function to register/unregister log function. */
 int nf_log_register(int pf, struct nf_logger *logger);
-int nf_log_unregister_pf(int pf);
+void nf_log_unregister_pf(int pf);
 void nf_log_unregister_logger(struct nf_logger *logger);
 
 /* Calls the registered backend logging function */
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index d6c6a8d..c159ef9 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -40,19 +40,16 @@ int nf_log_register(int pf, struct nf_lo
 }		
 EXPORT_SYMBOL(nf_log_register);
 
-int nf_log_unregister_pf(int pf)
+void nf_log_unregister_pf(int pf)
 {
 	if (pf >= NPROTO)
-		return -EINVAL;
-
+		return;
 	spin_lock(&nf_log_lock);
 	rcu_assign_pointer(nf_logging[pf], NULL);
 	spin_unlock(&nf_log_lock);
 
 	/* Give time to concurrent readers. */
 	synchronize_rcu();
-
-	return 0;
 }
 EXPORT_SYMBOL(nf_log_unregister_pf);
 

[NETFILTER 07/22]: nf_log: switch logger registration/unregistration to mutex

[Patrick McHardy]

[NETFILTER]: nf_log: switch logger registration/unregistration to mutex

The spinlock is only used in process context (register/unregister),
switch to a mutex.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 99c46fbd857a8a2d01987650bd1492b5379ac250
tree c91f6d98b4d9035255bf89e8153745eec7cb9349
parent ca4c6357b4568c1b8644385828a542475a86c5fa
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:13 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:13 +0100

 net/netfilter/nf_log.c |   26 +++++++++++++++-----------
 1 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index c159ef9..b942cd5 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -15,27 +15,31 @@ #include "nf_internals.h"
 #define NF_LOG_PREFIXLEN		128
 
 static struct nf_logger *nf_logging[NPROTO]; /* = NULL */
-static DEFINE_SPINLOCK(nf_log_lock);
+static DEFINE_MUTEX(nf_log_mutex);
 
 /* return EBUSY if somebody else is registered, EEXIST if the same logger
  * is registred, 0 on success. */
 int nf_log_register(int pf, struct nf_logger *logger)
 {
-	int ret = -EBUSY;
+	int ret;
 
 	if (pf >= NPROTO)
 		return -EINVAL;
 
 	/* Any setup of logging members must be done before
 	 * substituting pointer. */
-	spin_lock(&nf_log_lock);
-	if (!nf_logging[pf]) {
+	ret = mutex_lock_interruptible(&nf_log_mutex);
+	if (ret < 0)
+		return ret;
+
+	if (!nf_logging[pf])
 		rcu_assign_pointer(nf_logging[pf], logger);
-		ret = 0;
-	} else if (nf_logging[pf] == logger)
+	else if (nf_logging[pf] == logger)
 		ret = -EEXIST;
+	else
+		ret = -EBUSY;
 
-	spin_unlock(&nf_log_lock);
+	mutex_unlock(&nf_log_mutex);
 	return ret;
 }		
 EXPORT_SYMBOL(nf_log_register);
@@ -44,9 +48,9 @@ void nf_log_unregister_pf(int pf)
 {
 	if (pf >= NPROTO)
 		return;
-	spin_lock(&nf_log_lock);
+	mutex_lock(&nf_log_mutex);
 	rcu_assign_pointer(nf_logging[pf], NULL);
-	spin_unlock(&nf_log_lock);
+	mutex_unlock(&nf_log_mutex);
 
 	/* Give time to concurrent readers. */
 	synchronize_rcu();
@@ -57,12 +61,12 @@ void nf_log_unregister_logger(struct nf_
 {
 	int i;
 
-	spin_lock(&nf_log_lock);
+	mutex_lock(&nf_log_mutex);
 	for (i = 0; i < NPROTO; i++) {
 		if (nf_logging[i] == logger)
 			rcu_assign_pointer(nf_logging[i], NULL);
 	}
-	spin_unlock(&nf_log_lock);
+	mutex_unlock(&nf_log_mutex);
 
 	synchronize_rcu();
 }

[NETFILTER 08/22]: nf_log: minor cleanups

[Patrick McHardy]

[NETFILTER]: nf_log: minor cleanups

- rename nf_logging to nf_loggers since its an array of registered loggers

- rename nf_log_unregister_logger() to nf_log_unregister() to make it
  symetrical to nf_log_register() and convert all users

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 5187c6343d6eac0b2fc995bfb607f817565ec258
tree c0290f3d2891089ca4f7d231cd21d3e081890ddc
parent 99c46fbd857a8a2d01987650bd1492b5379ac250
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:47 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:37:47 +0100

 include/linux/netfilter.h       |    2 +-
 net/bridge/netfilter/ebt_log.c  |    2 +-
 net/bridge/netfilter/ebt_ulog.c |    2 +-
 net/ipv4/netfilter/ipt_LOG.c    |    2 +-
 net/ipv4/netfilter/ipt_ULOG.c   |    2 +-
 net/ipv6/netfilter/ip6t_LOG.c   |    2 +-
 net/netfilter/nf_log.c          |   22 +++++++++++-----------
 net/netfilter/nfnetlink_log.c   |    2 +-
 8 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 18a6790..70d3b4f 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -172,8 +172,8 @@ struct nf_logger {
 
 /* Function to register/unregister log function. */
 int nf_log_register(int pf, struct nf_logger *logger);
+void nf_log_unregister(struct nf_logger *logger);
 void nf_log_unregister_pf(int pf);
-void nf_log_unregister_logger(struct nf_logger *logger);
 
 /* Calls the registered backend logging function */
 void nf_log_packet(int pf,
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index f9a5ae9..45712ae 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -208,7 +208,7 @@ static int __init ebt_log_init(void)
 
 static void __exit ebt_log_fini(void)
 {
-	nf_log_unregister_logger(&ebt_log_logger);
+	nf_log_unregister(&ebt_log_logger);
 	ebt_unregister_watcher(&log);
 }
 
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 2e4cb24..8e15cc4 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -323,7 +323,7 @@ static void __exit ebt_ulog_fini(void)
 	ebt_ulog_buff_t *ub;
 	int i;
 
-	nf_log_unregister_logger(&ebt_ulog_logger);
+	nf_log_unregister(&ebt_ulog_logger);
 	ebt_unregister_watcher(&ulog);
 	for (i = 0; i < EBT_ULOG_MAXNLGROUPS; i++) {
 		ub = &ulog_buffers[i];
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index f4a62f2..d9c37fd 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -489,7 +489,7 @@ static int __init ipt_log_init(void)
 
 static void __exit ipt_log_fini(void)
 {
-	nf_log_unregister_logger(&ipt_log_logger);
+	nf_log_unregister(&ipt_log_logger);
 	xt_unregister_target(&ipt_log_reg);
 }
 
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 3a1eacc..a26404d 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
 	DEBUGP("ipt_ULOG: cleanup_module\n");
 
 	if (nflog)
-		nf_log_unregister_logger(&ipt_ulog_logger);
+		nf_log_unregister(&ipt_ulog_logger);
 	xt_unregister_target(&ipt_ulog_reg);
 	sock_release(nflognl->sk_socket);
 
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index dc9ec93..afaa039 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -501,7 +501,7 @@ static int __init ip6t_log_init(void)
 
 static void __exit ip6t_log_fini(void)
 {
-	nf_log_unregister_logger(&ip6t_logger);
+	nf_log_unregister(&ip6t_logger);
 	xt_unregister_target(&ip6t_log_reg);
 }
 
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index b942cd5..0db2fd8 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -14,7 +14,7 @@ #include "nf_internals.h"
 
 #define NF_LOG_PREFIXLEN		128
 
-static struct nf_logger *nf_logging[NPROTO]; /* = NULL */
+static struct nf_logger *nf_loggers[NPROTO];
 static DEFINE_MUTEX(nf_log_mutex);
 
 /* return EBUSY if somebody else is registered, EEXIST if the same logger
@@ -32,9 +32,9 @@ int nf_log_register(int pf, struct nf_lo
 	if (ret < 0)
 		return ret;
 
-	if (!nf_logging[pf])
-		rcu_assign_pointer(nf_logging[pf], logger);
-	else if (nf_logging[pf] == logger)
+	if (!nf_loggers[pf])
+		rcu_assign_pointer(nf_loggers[pf], logger);
+	else if (nf_loggers[pf] == logger)
 		ret = -EEXIST;
 	else
 		ret = -EBUSY;
@@ -49,7 +49,7 @@ void nf_log_unregister_pf(int pf)
 	if (pf >= NPROTO)
 		return;
 	mutex_lock(&nf_log_mutex);
-	rcu_assign_pointer(nf_logging[pf], NULL);
+	rcu_assign_pointer(nf_loggers[pf], NULL);
 	mutex_unlock(&nf_log_mutex);
 
 	/* Give time to concurrent readers. */
@@ -57,20 +57,20 @@ void nf_log_unregister_pf(int pf)
 }
 EXPORT_SYMBOL(nf_log_unregister_pf);
 
-void nf_log_unregister_logger(struct nf_logger *logger)
+void nf_log_unregister(struct nf_logger *logger)
 {
 	int i;
 
 	mutex_lock(&nf_log_mutex);
 	for (i = 0; i < NPROTO; i++) {
-		if (nf_logging[i] == logger)
-			rcu_assign_pointer(nf_logging[i], NULL);
+		if (nf_loggers[i] == logger)
+			rcu_assign_pointer(nf_loggers[i], NULL);
 	}
 	mutex_unlock(&nf_log_mutex);
 
 	synchronize_rcu();
 }
-EXPORT_SYMBOL(nf_log_unregister_logger);
+EXPORT_SYMBOL(nf_log_unregister);
 
 void nf_log_packet(int pf,
 		   unsigned int hooknum,
@@ -85,7 +85,7 @@ void nf_log_packet(int pf,
 	struct nf_logger *logger;
 	
 	rcu_read_lock();
-	logger = rcu_dereference(nf_logging[pf]);
+	logger = rcu_dereference(nf_loggers[pf]);
 	if (logger) {
 		va_start(args, fmt);
 		vsnprintf(prefix, sizeof(prefix), fmt, args);
@@ -132,7 +132,7 @@ static int seq_show(struct seq_file *s, 
 	loff_t *pos = v;
 	const struct nf_logger *logger;
 
-	logger = rcu_dereference(nf_logging[*pos]);
+	logger = rcu_dereference(nf_loggers[*pos]);
 
 	if (!logger)
 		return seq_printf(s, "%2lld NONE\n", *pos);
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index d1505dd..6511bb0 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -1077,7 +1077,7 @@ cleanup_netlink_notifier:
 
 static void __exit nfnetlink_log_fini(void)
 {
-	nf_log_unregister_logger(&nfulnl_logger);
+	nf_log_unregister(&nfulnl_logger);
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("nfnetlink_log", proc_net_netfilter);
 #endif

[NETFILTER 09/22]: ip_nat: properly use RCU API for ip_nat_protos array

[Patrick McHardy]

[NETFILTER]: ip_nat: properly use RCU API for ip_nat_protos array

Replace preempt_{enable,disable} based RCU by proper use of the
RCU API and add missing rcu_read_lock/rcu_read_unlock calls in
paths used outside of packet processing context (nfnetlink_conntrack).

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 6930ac084caa4aff8d702716b80a2b59212efb78
tree 527cf137f820f9aeecacc7fbfe6621bef49a333f
parent 5187c6343d6eac0b2fc995bfb607f817565ec258
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:43:27 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:43:27 +0100

 net/ipv4/netfilter/ip_nat_core.c |   61 ++++++++++++++++++--------------------
 1 files changed, 29 insertions(+), 32 deletions(-)

diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c
index 275a4d3..85ae0ca 100644
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -50,7 +50,7 @@ static struct ip_nat_protocol *ip_nat_pr
 static inline struct ip_nat_protocol *
 __ip_nat_proto_find(u_int8_t protonum)
 {
-	return ip_nat_protos[protonum];
+	return rcu_dereference(ip_nat_protos[protonum]);
 }
 
 struct ip_nat_protocol *
@@ -58,13 +58,11 @@ ip_nat_proto_find_get(u_int8_t protonum)
 {
 	struct ip_nat_protocol *p;
 
-	/* we need to disable preemption to make sure 'p' doesn't get
-	 * removed until we've grabbed the reference */
-	preempt_disable();
+	rcu_read_lock();
 	p = __ip_nat_proto_find(protonum);
 	if (!try_module_get(p->me))
 		p = &ip_nat_unknown_protocol;
-	preempt_enable();
+	rcu_read_unlock();
 
 	return p;
 }
@@ -120,8 +118,8 @@ static int
 in_range(const struct ip_conntrack_tuple *tuple,
 	 const struct ip_nat_range *range)
 {
-	struct ip_nat_protocol *proto =
-				__ip_nat_proto_find(tuple->dst.protonum);
+	struct ip_nat_protocol *proto;
+	int ret = 0;
 
 	/* If we are supposed to map IPs, then we must be in the
 	   range specified, otherwise let this drag us onto a new src IP. */
@@ -131,12 +129,15 @@ in_range(const struct ip_conntrack_tuple
 			return 0;
 	}
 
+	rcu_read_lock();
+	proto = __ip_nat_proto_find(tuple->dst.protonum);
 	if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
 	    || proto->in_range(tuple, IP_NAT_MANIP_SRC,
 			       &range->min, &range->max))
-		return 1;
+		ret = 1;
+	rcu_read_unlock();
 
-	return 0;
+	return ret;
 }
 
 static inline int
@@ -260,27 +261,25 @@ get_unique_tuple(struct ip_conntrack_tup
 	/* 3) The per-protocol part of the manip is made to map into
 	   the range to make a unique tuple. */
 
-	proto = ip_nat_proto_find_get(orig_tuple->dst.protonum);
+	rcu_read_lock();
+	proto = __ip_nat_proto_find(orig_tuple->dst.protonum);
 
 	/* Change protocol info to have some randomization */
 	if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) {
 		proto->unique_tuple(tuple, range, maniptype, conntrack);
-		ip_nat_proto_put(proto);
-		return;
+		goto out;
 	}
 
 	/* Only bother mapping if it's not already in range and unique */
 	if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
 	     || proto->in_range(tuple, maniptype, &range->min, &range->max))
-	    && !ip_nat_used_tuple(tuple, conntrack)) {
-		ip_nat_proto_put(proto);
-		return;
-	}
+	    && !ip_nat_used_tuple(tuple, conntrack))
+		goto out;
 
 	/* Last change: get protocol to try to obtain unique tuple. */
 	proto->unique_tuple(tuple, range, maniptype, conntrack);
-
-	ip_nat_proto_put(proto);
+out:
+	rcu_read_unlock();
 }
 
 unsigned int
@@ -360,12 +359,11 @@ manip_pkt(u_int16_t proto,
 	iph = (void *)(*pskb)->data + iphdroff;
 
 	/* Manipulate protcol part. */
-	p = ip_nat_proto_find_get(proto);
-	if (!p->manip_pkt(pskb, iphdroff, target, maniptype)) {
-		ip_nat_proto_put(p);
+
+	/* rcu_read_lock()ed by nf_hook_slow */
+	p = __ip_nat_proto_find(proto);
+	if (!p->manip_pkt(pskb, iphdroff, target, maniptype))
 		return 0;
-	}
-	ip_nat_proto_put(p);
 
 	iph = (void *)(*pskb)->data + iphdroff;
 
@@ -515,7 +513,7 @@ int ip_nat_protocol_register(struct ip_n
 		ret = -EBUSY;
 		goto out;
 	}
-	ip_nat_protos[proto->protonum] = proto;
+	rcu_assign_pointer(ip_nat_protos[proto->protonum], proto);
  out:
 	write_unlock_bh(&ip_nat_lock);
 	return ret;
@@ -526,11 +524,10 @@ EXPORT_SYMBOL(ip_nat_protocol_register);
 void ip_nat_protocol_unregister(struct ip_nat_protocol *proto)
 {
 	write_lock_bh(&ip_nat_lock);
-	ip_nat_protos[proto->protonum] = &ip_nat_unknown_protocol;
+	rcu_assign_pointer(ip_nat_protos[proto->protonum],
+			   &ip_nat_unknown_protocol);
 	write_unlock_bh(&ip_nat_lock);
-
-	/* Someone could be still looking at the proto in a bh. */
-	synchronize_net();
+	synchronize_rcu();
 }
 EXPORT_SYMBOL(ip_nat_protocol_unregister);
 
@@ -594,10 +591,10 @@ static int __init ip_nat_init(void)
 	/* Sew in builtin protocols. */
 	write_lock_bh(&ip_nat_lock);
 	for (i = 0; i < MAX_IP_NAT_PROTO; i++)
-		ip_nat_protos[i] = &ip_nat_unknown_protocol;
-	ip_nat_protos[IPPROTO_TCP] = &ip_nat_protocol_tcp;
-	ip_nat_protos[IPPROTO_UDP] = &ip_nat_protocol_udp;
-	ip_nat_protos[IPPROTO_ICMP] = &ip_nat_protocol_icmp;
+		rcu_assign_pointer(ip_nat_protos[i], &ip_nat_unknown_protocol);
+	rcu_assign_pointer(ip_nat_protos[IPPROTO_TCP], &ip_nat_protocol_tcp);
+	rcu_assign_pointer(ip_nat_protos[IPPROTO_UDP], &ip_nat_protocol_udp);
+	rcu_assign_pointer(ip_nat_protos[IPPROTO_ICMP], &ip_nat_protocol_icmp);
 	write_unlock_bh(&ip_nat_lock);
 
 	for (i = 0; i < ip_nat_htable_size; i++) {

[NETFILTER 10/22]: nf_nat: properly use RCU API for nf_nat_protos array

[Patrick McHardy]

[NETFILTER]: nf_nat: properly use RCU API for nf_nat_protos array

Replace preempt_{enable,disable} based RCU by proper use of the
RCU API and add missing rcu_read_lock/rcu_read_unlock calls in
paths used outside of packet processing context (nfnetlink_conntrack).

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 8592a4e696c2d452053b005a7b8a84e29a7462af
tree c900a38cb8b11b3f4c78776f416cec8b7adbfd6c
parent 6930ac084caa4aff8d702716b80a2b59212efb78
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:44:58 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:44:58 +0100

 net/ipv4/netfilter/nf_nat_core.c |   59 ++++++++++++++++++--------------------
 1 files changed, 28 insertions(+), 31 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index cf10108..6d0061f 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -53,7 +53,7 @@ static struct nf_nat_protocol *nf_nat_pr
 static inline struct nf_nat_protocol *
 __nf_nat_proto_find(u_int8_t protonum)
 {
-	return nf_nat_protos[protonum];
+	return rcu_dereference(nf_nat_protos[protonum]);
 }
 
 struct nf_nat_protocol *
@@ -61,13 +61,11 @@ nf_nat_proto_find_get(u_int8_t protonum)
 {
 	struct nf_nat_protocol *p;
 
-	/* we need to disable preemption to make sure 'p' doesn't get
-	 * removed until we've grabbed the reference */
-	preempt_disable();
+	rcu_read_lock();
 	p = __nf_nat_proto_find(protonum);
 	if (!try_module_get(p->me))
 		p = &nf_nat_unknown_protocol;
-	preempt_enable();
+	rcu_read_unlock();
 
 	return p;
 }
@@ -126,8 +124,8 @@ in_range(const struct nf_conntrack_tuple
 	 const struct nf_nat_range *range)
 {
 	struct nf_nat_protocol *proto;
+	int ret = 0;
 
-	proto = __nf_nat_proto_find(tuple->dst.protonum);
 	/* If we are supposed to map IPs, then we must be in the
 	   range specified, otherwise let this drag us onto a new src IP. */
 	if (range->flags & IP_NAT_RANGE_MAP_IPS) {
@@ -136,12 +134,15 @@ in_range(const struct nf_conntrack_tuple
 			return 0;
 	}
 
+	rcu_read_lock();
+	proto = __nf_nat_proto_find(tuple->dst.protonum);
 	if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) ||
 	    proto->in_range(tuple, IP_NAT_MANIP_SRC,
 			    &range->min, &range->max))
-		return 1;
+		ret = 1;
+	rcu_read_unlock();
 
-	return 0;
+	return ret;
 }
 
 static inline int
@@ -268,27 +269,25 @@ get_unique_tuple(struct nf_conntrack_tup
 	/* 3) The per-protocol part of the manip is made to map into
 	   the range to make a unique tuple. */
 
-	proto = nf_nat_proto_find_get(orig_tuple->dst.protonum);
+	rcu_read_lock();
+	proto = __nf_nat_proto_find(orig_tuple->dst.protonum);
 
 	/* Change protocol info to have some randomization */
 	if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) {
 		proto->unique_tuple(tuple, range, maniptype, ct);
-		nf_nat_proto_put(proto);
-		return;
+		goto out;
 	}
 
 	/* Only bother mapping if it's not already in range and unique */
 	if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) ||
 	     proto->in_range(tuple, maniptype, &range->min, &range->max)) &&
-	    !nf_nat_used_tuple(tuple, ct)) {
-		nf_nat_proto_put(proto);
-		return;
-	}
+	    !nf_nat_used_tuple(tuple, ct))
+		goto out;
 
 	/* Last change: get protocol to try to obtain unique tuple. */
 	proto->unique_tuple(tuple, range, maniptype, ct);
-
-	nf_nat_proto_put(proto);
+out:
+	rcu_read_unlock();
 }
 
 unsigned int
@@ -369,12 +368,11 @@ manip_pkt(u_int16_t proto,
 	iph = (void *)(*pskb)->data + iphdroff;
 
 	/* Manipulate protcol part. */
-	p = nf_nat_proto_find_get(proto);
-	if (!p->manip_pkt(pskb, iphdroff, target, maniptype)) {
-		nf_nat_proto_put(p);
+
+	/* rcu_read_lock()ed by nf_hook_slow */
+	p = __nf_nat_proto_find(proto);
+	if (!p->manip_pkt(pskb, iphdroff, target, maniptype))
 		return 0;
-	}
-	nf_nat_proto_put(p);
 
 	iph = (void *)(*pskb)->data + iphdroff;
 
@@ -529,7 +527,7 @@ int nf_nat_protocol_register(struct nf_n
 		ret = -EBUSY;
 		goto out;
 	}
-	nf_nat_protos[proto->protonum] = proto;
+	rcu_assign_pointer(nf_nat_protos[proto->protonum], proto);
  out:
 	write_unlock_bh(&nf_nat_lock);
 	return ret;
@@ -540,11 +538,10 @@ EXPORT_SYMBOL(nf_nat_protocol_register);
 void nf_nat_protocol_unregister(struct nf_nat_protocol *proto)
 {
 	write_lock_bh(&nf_nat_lock);
-	nf_nat_protos[proto->protonum] = &nf_nat_unknown_protocol;
+	rcu_assign_pointer(nf_nat_protos[proto->protonum],
+			   &nf_nat_unknown_protocol);
 	write_unlock_bh(&nf_nat_lock);
-
-	/* Someone could be still looking at the proto in a bh. */
-	synchronize_net();
+	synchronize_rcu();
 }
 EXPORT_SYMBOL(nf_nat_protocol_unregister);
 
@@ -608,10 +605,10 @@ static int __init nf_nat_init(void)
 	/* Sew in builtin protocols. */
 	write_lock_bh(&nf_nat_lock);
 	for (i = 0; i < MAX_IP_NAT_PROTO; i++)
-		nf_nat_protos[i] = &nf_nat_unknown_protocol;
-	nf_nat_protos[IPPROTO_TCP] = &nf_nat_protocol_tcp;
-	nf_nat_protos[IPPROTO_UDP] = &nf_nat_protocol_udp;
-	nf_nat_protos[IPPROTO_ICMP] = &nf_nat_protocol_icmp;
+		rcu_assign_pointer(nf_nat_protos[i], &nf_nat_unknown_protocol);
+	rcu_assign_pointer(nf_nat_protos[IPPROTO_TCP], &nf_nat_protocol_tcp);
+	rcu_assign_pointer(nf_nat_protos[IPPROTO_UDP], &nf_nat_protocol_udp);
+	rcu_assign_pointer(nf_nat_protos[IPPROTO_ICMP], &nf_nat_protocol_icmp);
 	write_unlock_bh(&nf_nat_lock);
 
 	for (i = 0; i < nf_nat_htable_size; i++) {

[NETFILTER 11/22]: ip_conntrack: properly use RCU API for ip_ct_protos array

[Patrick McHardy]

[NETFILTER]: ip_conntrack: properly use RCU API for ip_ct_protos array

Replace preempt_{enable,disable} based RCU by proper use of the
RCU API and add missing rcu_read_lock/rcu_read_unlock calls in
all paths not obviously only used within packet process context
(nfnetlink_conntrack).

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit f99ec74e0c460f0969f028c2853d2d31178ba3aa
tree 4a0534a350b1f4067cc2c4b1ef450dace12b9da7
parent 8592a4e696c2d452053b005a7b8a84e29a7462af
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:56:31 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 10:56:31 +0100

 net/ipv4/netfilter/ip_conntrack_core.c       |   26 ++++++++++++++++++--------
 net/ipv4/netfilter/ip_conntrack_standalone.c |    9 ++++-----
 net/ipv4/netfilter/ip_nat_core.c             |    6 ++++--
 3 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index 933b878..ed87812 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -318,9 +318,11 @@ destroy_conntrack(struct nf_conntrack *n
 	/* To make sure we don't get any weird locking issues here:
 	 * destroy_conntrack() MUST NOT be called with a write lock
 	 * to ip_conntrack_lock!!! -HW */
+	rcu_read_lock();
 	proto = __ip_conntrack_proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
 	if (proto && proto->destroy)
 		proto->destroy(ct);
+	rcu_read_unlock();
 
 	if (ip_conntrack_destroyed)
 		ip_conntrack_destroyed(ct);
@@ -595,13 +597,13 @@ ip_conntrack_proto_find_get(u_int8_t pro
 {
 	struct ip_conntrack_protocol *p;
 
-	preempt_disable();
+	rcu_read_lock();
 	p = __ip_conntrack_proto_find(protocol);
 	if (p) {
 		if (!try_module_get(p->me))
 			p = &ip_conntrack_generic_protocol;
 	}
-	preempt_enable();
+	rcu_read_unlock();
 
 	return p;
 }
@@ -831,6 +833,7 @@ #if 0
 	}
 #endif
 
+	/* rcu_read_lock()ed by nf_hook_slow */
 	proto = __ip_conntrack_proto_find((*pskb)->nh.iph->protocol);
 
 	/* It may be an special packet, error, unclean...
@@ -876,8 +879,15 @@ #endif
 int invert_tuplepr(struct ip_conntrack_tuple *inverse,
 		   const struct ip_conntrack_tuple *orig)
 {
-	return ip_ct_invert_tuple(inverse, orig,
-				  __ip_conntrack_proto_find(orig->dst.protonum));
+	struct ip_conntrack_protocol *proto;
+	int ret;
+
+	rcu_read_lock();
+	proto = __ip_conntrack_proto_find(orig->dst.protonum);
+	ret = ip_ct_invert_tuple(inverse, orig, proto);
+	rcu_read_unlock();
+
+	return ret;
 }
 
 /* Would two expected things clash? */
@@ -1508,11 +1518,11 @@ int __init ip_conntrack_init(void)
 	/* Don't NEED lock here, but good form anyway. */
 	write_lock_bh(&ip_conntrack_lock);
 	for (i = 0; i < MAX_IP_CT_PROTO; i++)
-		ip_ct_protos[i] = &ip_conntrack_generic_protocol;
+		rcu_assign_pointer(ip_ct_protos[i], &ip_conntrack_generic_protocol);
 	/* Sew in builtin protocols. */
-	ip_ct_protos[IPPROTO_TCP] = &ip_conntrack_protocol_tcp;
-	ip_ct_protos[IPPROTO_UDP] = &ip_conntrack_protocol_udp;
-	ip_ct_protos[IPPROTO_ICMP] = &ip_conntrack_protocol_icmp;
+	rcu_assign_pointer(ip_ct_protos[IPPROTO_TCP], &ip_conntrack_protocol_tcp);
+	rcu_assign_pointer(ip_ct_protos[IPPROTO_UDP], &ip_conntrack_protocol_udp);
+	rcu_assign_pointer(ip_ct_protos[IPPROTO_ICMP], &ip_conntrack_protocol_icmp);
 	write_unlock_bh(&ip_conntrack_lock);
 
 	/* For use by ipt_REJECT */
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index 5903588..d0045e4 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -796,7 +796,7 @@ int ip_conntrack_protocol_register(struc
 		ret = -EBUSY;
 		goto out;
 	}
-	ip_ct_protos[proto->proto] = proto;
+	rcu_assign_pointer(ip_ct_protos[proto->proto], proto);
  out:
 	write_unlock_bh(&ip_conntrack_lock);
 	return ret;
@@ -805,11 +805,10 @@ int ip_conntrack_protocol_register(struc
 void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto)
 {
 	write_lock_bh(&ip_conntrack_lock);
-	ip_ct_protos[proto->proto] = &ip_conntrack_generic_protocol;
+	rcu_assign_pointer(ip_ct_protos[proto->proto],
+			   &ip_conntrack_generic_protocol);
 	write_unlock_bh(&ip_conntrack_lock);
-
-	/* Somebody could be still looking at the proto in bh. */
-	synchronize_net();
+	synchronize_rcu();
 
 	/* Remove all contrack entries for this protocol */
 	ip_ct_iterate_cleanup(kill_proto, &proto->proto);
diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c
index 85ae0ca..18daabc 100644
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -420,6 +420,7 @@ int ip_nat_icmp_reply_translation(struct
 		struct icmphdr icmp;
 		struct iphdr ip;
 	} *inside;
+	struct ip_conntrack_protocol *proto;
 	struct ip_conntrack_tuple inner, target;
 	int hdrlen = (*pskb)->nh.iph->ihl * 4;
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
@@ -455,10 +456,11 @@ int ip_nat_icmp_reply_translation(struct
 	DEBUGP("icmp_reply_translation: translating error %p manp %u dir %s\n",
 	       *pskb, manip, dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY");
 
+	/* rcu_read_lock()ed by nf_hook_slow */
+	proto = __ip_conntrack_proto_find(inside->ip.protocol);
 	if (!ip_ct_get_tuple(&inside->ip, *pskb, (*pskb)->nh.iph->ihl*4 +
 			     sizeof(struct icmphdr) + inside->ip.ihl*4,
-			     &inner,
-			     __ip_conntrack_proto_find(inside->ip.protocol)))
+			     &inner, proto))
 		return 0;
 
 	/* Change inner back to look like incoming packet.  We do the

[NETFILTER 12/22]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3protos arrays

[Patrick McHardy]

[NETFILTER]: nf_conntrack: properly use RCU API for nf_ct_protos/nf_ct_l3protos arrays

Replace preempt_{enable,disable} based RCU by proper use of the
RCU API and add missing rcu_read_lock/rcu_read_unlock calls in
all paths not obviously only used within packet process context
(nfnetlink_conntrack).
  
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 2f34e7966f36432f6915ab7eee85116439a3944e
tree 829a240f1c040ef8a712d7e159adb473934320f7
parent f99ec74e0c460f0969f028c2853d2d31178ba3aa
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:01:11 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:01:11 +0100

 include/net/netfilter/nf_conntrack_l3proto.h   |    2 +
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |    2 +
 net/ipv4/netfilter/nf_nat_core.c               |    9 ++++---
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |    1 +
 net/netfilter/nf_conntrack_core.c              |   27 +++++++++++++++-----
 net/netfilter/nf_conntrack_proto.c             |   33 ++++++++++--------------
 6 files changed, 44 insertions(+), 30 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index 664ddcf..ba760fe 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -106,7 +106,7 @@ __nf_ct_l3proto_find(u_int16_t l3proto)
 {
 	if (unlikely(l3proto >= AF_MAX))
 		return &nf_conntrack_l3proto_generic;
-	return nf_ct_l3protos[l3proto];
+	return rcu_dereference(nf_ct_l3protos[l3proto]);
 }
 
 #endif /*_NF_CONNTRACK_L3PROTO_H*/
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 677b6c8..e5aa4d8 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -170,7 +170,9 @@ icmp_error_message(struct sk_buff *skb,
 		return -NF_ACCEPT;
 	}
 
+	/* rcu_read_lock()ed by nf_hook_slow */
 	innerproto = __nf_ct_l4proto_find(PF_INET, inside->ip.protocol);
+
 	dataoff = skb->nh.iph->ihl*4 + sizeof(inside->icmp);
 	/* Are they talking about one of our connections? */
 	if (!nf_ct_get_tuple(skb, dataoff, dataoff + inside->ip.ihl*4, PF_INET,
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 6d0061f..5156d5d 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -429,6 +429,7 @@ int nf_nat_icmp_reply_translation(struct
 		struct icmphdr icmp;
 		struct iphdr ip;
 	} *inside;
+	struct nf_conntrack_l4proto *l4proto;
 	struct nf_conntrack_tuple inner, target;
 	int hdrlen = (*pskb)->nh.iph->ihl * 4;
 	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
@@ -464,16 +465,16 @@ int nf_nat_icmp_reply_translation(struct
 	DEBUGP("icmp_reply_translation: translating error %p manp %u dir %s\n",
 	       *pskb, manip, dir == IP_CT_DIR_ORIGINAL ? "ORIG" : "REPLY");
 
+	/* rcu_read_lock()ed by nf_hook_slow */
+	l4proto = __nf_ct_l4proto_find(PF_INET, inside->ip.protocol);
+
 	if (!nf_ct_get_tuple(*pskb,
 			     (*pskb)->nh.iph->ihl*4 + sizeof(struct icmphdr),
 			     (*pskb)->nh.iph->ihl*4 +
 			     sizeof(struct icmphdr) + inside->ip.ihl*4,
 			     (u_int16_t)AF_INET,
 			     inside->ip.protocol,
-			     &inner,
-			     l3proto,
-			     __nf_ct_l4proto_find((u_int16_t)PF_INET,
-						  inside->ip.protocol)))
+			     &inner, l3proto, l4proto))
 		return 0;
 
 	/* Change inner back to look like incoming packet.  We do the
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index b08622c..19bdb7c 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -182,6 +182,7 @@ icmpv6_error_message(struct sk_buff *skb
 		return -NF_ACCEPT;
 	}
 
+	/* rcu_read_lock()ed by nf_hook_slow */
 	inproto = __nf_ct_l4proto_find(PF_INET6, inprotonum);
 
 	/* Are they talking about one of our connections? */
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 59bcab1..3deeb90 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -332,13 +332,16 @@ destroy_conntrack(struct nf_conntrack *n
 	/* To make sure we don't get any weird locking issues here:
 	 * destroy_conntrack() MUST NOT be called with a write lock
 	 * to nf_conntrack_lock!!! -HW */
+	rcu_read_lock();
 	l3proto = __nf_ct_l3proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num);
 	if (l3proto && l3proto->destroy)
 		l3proto->destroy(ct);
 
-	l4proto = __nf_ct_l4proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num, ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
+	l4proto = __nf_ct_l4proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num,
+				       ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
 	if (l4proto && l4proto->destroy)
 		l4proto->destroy(ct);
+	rcu_read_unlock();
 
 	if (nf_conntrack_destroyed)
 		nf_conntrack_destroyed(ct);
@@ -647,9 +650,14 @@ struct nf_conn *nf_conntrack_alloc(const
 				   const struct nf_conntrack_tuple *repl)
 {
 	struct nf_conntrack_l3proto *l3proto;
+	struct nf_conn *ct;
 
+	rcu_read_lock();
 	l3proto = __nf_ct_l3proto_find(orig->src.l3num);
-	return __nf_conntrack_alloc(orig, repl, l3proto, 0);
+	ct = __nf_conntrack_alloc(orig, repl, l3proto, 0);
+	rcu_read_unlock();
+
+	return ct;
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
 
@@ -817,7 +825,9 @@ nf_conntrack_in(int pf, unsigned int hoo
 		return NF_ACCEPT;
 	}
 
+	/* rcu_read_lock()ed by nf_hook_slow */
 	l3proto = __nf_ct_l3proto_find((u_int16_t)pf);
+
 	if ((ret = l3proto->prepare(pskb, hooknum, &dataoff, &protonum)) <= 0) {
 		DEBUGP("not prepared to track yet or error occured\n");
 		return -ret;
@@ -872,10 +882,15 @@ EXPORT_SYMBOL_GPL(nf_conntrack_in);
 int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
 			 const struct nf_conntrack_tuple *orig)
 {
-	return nf_ct_invert_tuple(inverse, orig,
-				  __nf_ct_l3proto_find(orig->src.l3num),
-				  __nf_ct_l4proto_find(orig->src.l3num,
-						     orig->dst.protonum));
+	int ret;
+
+	rcu_read_lock();
+	ret = nf_ct_invert_tuple(inverse, orig,
+				 __nf_ct_l3proto_find(orig->src.l3num),
+				 __nf_ct_l4proto_find(orig->src.l3num,
+						      orig->dst.protonum));
+	rcu_read_unlock();
+	return ret;
 }
 EXPORT_SYMBOL_GPL(nf_ct_invert_tuplepr);
 
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 1a61b72..4dab3fa 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -66,7 +66,7 @@ __nf_ct_l4proto_find(u_int16_t l3proto, 
 	if (unlikely(l3proto >= AF_MAX || nf_ct_protos[l3proto] == NULL))
 		return &nf_conntrack_l4proto_generic;
 
-	return nf_ct_protos[l3proto][l4proto];
+	return rcu_dereference(nf_ct_protos[l3proto][l4proto]);
 }
 EXPORT_SYMBOL_GPL(__nf_ct_l4proto_find);
 
@@ -77,11 +77,11 @@ nf_ct_l4proto_find_get(u_int16_t l3proto
 {
 	struct nf_conntrack_l4proto *p;
 
-	preempt_disable();
+	rcu_read_lock();
 	p = __nf_ct_l4proto_find(l3proto, l4proto);
 	if (!try_module_get(p->me))
 		p = &nf_conntrack_l4proto_generic;
-	preempt_enable();
+	rcu_read_unlock();
 
 	return p;
 }
@@ -98,11 +98,11 @@ nf_ct_l3proto_find_get(u_int16_t l3proto
 {
 	struct nf_conntrack_l3proto *p;
 
-	preempt_disable();
+	rcu_read_lock();
 	p = __nf_ct_l3proto_find(l3proto);
 	if (!try_module_get(p->me))
 		p = &nf_conntrack_l3proto_generic;
-	preempt_enable();
+	rcu_read_unlock();
 
 	return p;
 }
@@ -137,10 +137,8 @@ void nf_ct_l3proto_module_put(unsigned s
 {
 	struct nf_conntrack_l3proto *p;
 
-	preempt_disable();
+	/* rcu_read_lock not necessary since the caller holds a reference */
 	p = __nf_ct_l3proto_find(l3proto);
-	preempt_enable();
-
 	module_put(p->me);
 }
 EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put);
@@ -202,7 +200,7 @@ int nf_conntrack_l3proto_register(struct
 		ret = -EBUSY;
 		goto out_unlock;
 	}
-	nf_ct_l3protos[proto->l3proto] = proto;
+	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto], proto);
 	write_unlock_bh(&nf_conntrack_lock);
 
 	ret = nf_ct_l3proto_register_sysctl(proto);
@@ -233,14 +231,13 @@ int nf_conntrack_l3proto_unregister(stru
 		goto out;
 	}
 
-	nf_ct_l3protos[proto->l3proto] = &nf_conntrack_l3proto_generic;
+	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
+			   &nf_conntrack_l3proto_generic);
 	write_unlock_bh(&nf_conntrack_lock);
+	synchronize_rcu();
 
 	nf_ct_l3proto_unregister_sysctl(proto);
 
-	/* Somebody could be still looking at the proto in bh. */
-	synchronize_net();
-
 	/* Remove all contrack entries for this protocol */
 	nf_ct_iterate_cleanup(kill_l3proto, proto);
 
@@ -356,7 +353,7 @@ retry:
 		goto retry;
 	}
 
-	nf_ct_protos[l4proto->l3proto][l4proto->l4proto] = l4proto;
+	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto], l4proto);
 	write_unlock_bh(&nf_conntrack_lock);
 
 	ret = nf_ct_l4proto_register_sysctl(l4proto);
@@ -392,15 +389,13 @@ int nf_conntrack_l4proto_unregister(stru
 		ret = -EBUSY;
 		goto out;
 	}
-	nf_ct_protos[l4proto->l3proto][l4proto->l4proto]
-		= &nf_conntrack_l4proto_generic;
+	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+			   &nf_conntrack_l4proto_generic);
 	write_unlock_bh(&nf_conntrack_lock);
+	synchronize_rcu();
 
 	nf_ct_l4proto_unregister_sysctl(l4proto);
 
-	/* Somebody could be still looking at the proto in bh. */
-	synchronize_net();
-
 	/* Remove all contrack entries for this protocol */
 	nf_ct_iterate_cleanup(kill_l4proto, l4proto);
 

[NETFILTER 13/22]: ip_conntrack: fix invalid conntrack statistics RCU assumption

[Patrick McHardy]

[NETFILTER]: ip_conntrack: fix invalid conntrack statistics RCU assumption

CONNTRACK_STAT_INC assumes rcu_read_lock in nf_hook_slow disables
preemption as well, making it legal to use __get_cpu_var without
disabling preemption manually. The assumption is not correct anymore
with preemptable RCU, additionally we need to protect against softirqs
when not holding ip_conntrack_lock.

Add CONNTRACK_STAT_INC_ATOMIC macro, which disables local softirqs,
and use where necessary.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit ff0856c0c2e24e278b0611df2d66f66d5c0d1fd6
tree d5899481f22f436368fa121ac617a08fc53941f4
parent 2f34e7966f36432f6915ab7eee85116439a3944e
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:03:24 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:03:24 +0100

 include/linux/netfilter_ipv4/ip_conntrack.h |    6 ++++++
 net/ipv4/netfilter/ip_conntrack_core.c      |   14 +++++++-------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index 33581c1..da9274e 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -301,6 +301,12 @@ extern unsigned int ip_conntrack_htable_
 extern int ip_conntrack_checksum;
  
 #define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
+#define CONNTRACK_STAT_INC_ATOMIC(count)		\
+do {							\
+	local_bh_disable();				\
+	__get_cpu_var(ip_conntrack_stat).count++;	\
+	local_bh_enable();				\
+} while (0)
 
 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
 #include <linux/notifier.h>
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index ed87812..d1368db 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -538,7 +538,7 @@ static int early_drop(struct list_head *
 	if (del_timer(&ct->timeout)) {
 		death_by_timeout((unsigned long)ct);
 		dropped = 1;
-		CONNTRACK_STAT_INC(early_drop);
+		CONNTRACK_STAT_INC_ATOMIC(early_drop);
 	}
 	ip_conntrack_put(ct);
 	return dropped;
@@ -805,7 +805,7 @@ unsigned int ip_conntrack_in(unsigned in
 
 	/* Previously seen (loopback or untracked)?  Ignore. */
 	if ((*pskb)->nfct) {
-		CONNTRACK_STAT_INC(ignore);
+		CONNTRACK_STAT_INC_ATOMIC(ignore);
 		return NF_ACCEPT;
 	}
 
@@ -841,20 +841,20 @@ #endif
 	 * core what to do with the packet. */
 	if (proto->error != NULL
 	    && (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0) {
-		CONNTRACK_STAT_INC(error);
-		CONNTRACK_STAT_INC(invalid);
+		CONNTRACK_STAT_INC_ATOMIC(error);
+		CONNTRACK_STAT_INC_ATOMIC(invalid);
 		return -ret;
 	}
 
 	if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) {
 		/* Not valid part of a connection */
-		CONNTRACK_STAT_INC(invalid);
+		CONNTRACK_STAT_INC_ATOMIC(invalid);
 		return NF_ACCEPT;
 	}
 
 	if (IS_ERR(ct)) {
 		/* Too stressed to deal. */
-		CONNTRACK_STAT_INC(drop);
+		CONNTRACK_STAT_INC_ATOMIC(drop);
 		return NF_DROP;
 	}
 
@@ -866,7 +866,7 @@ #endif
 		 * the netfilter core what to do*/
 		nf_conntrack_put((*pskb)->nfct);
 		(*pskb)->nfct = NULL;
-		CONNTRACK_STAT_INC(invalid);
+		CONNTRACK_STAT_INC_ATOMIC(invalid);
 		return -ret;
 	}
 

[NETFILTER 14/22]: nf_conntrack: fix invalid conntrack statistics RCU assumption

[Patrick McHardy]

[NETFILTER]: nf_conntrack: fix invalid conntrack statistics RCU assumption

NF_CT_STAT_INC assumes rcu_read_lock in nf_hook_slow disables
preemption as well, making it legal to use __get_cpu_var without
disabling preemption manually. The assumption is not correct anymore
with preemptable RCU, additionally we need to protect against softirqs
when not holding nf_conntrack_lock.

Add NF_CT_STAT_INC_ATOMIC macro, which disables local softirqs,
and use where necessary.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit bab7afccc8d458cc09b3a5bb4224358cbd4f188a
tree 537777d83e0b45a4fa17aa148113c9b275823806
parent ff0856c0c2e24e278b0611df2d66f66d5c0d1fd6
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:04:50 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:04:50 +0100

 include/net/netfilter/nf_conntrack.h           |    6 ++++++
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    4 ++--
 net/netfilter/nf_conntrack_core.c              |   14 +++++++-------
 3 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 68ec274..0e690e3 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -257,6 +257,12 @@ extern int nf_conntrack_max;
 
 DECLARE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);
 #define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)
+#define NF_CT_STAT_INC_ATOMIC(count)			\
+do {							\
+	local_bh_disable();				\
+	__get_cpu_var(nf_conntrack_stat).count++;	\
+	local_bh_enable();				\
+} while (0)
 
 /* no helper, no nat */
 #define	NF_CT_F_BASIC	0
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index a2353ed..4b7be4b 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -154,8 +154,8 @@ ipv6_prepare(struct sk_buff **pskb, unsi
 	 */
 	if ((protoff < 0) || (protoff > (*pskb)->len)) {
 		DEBUGP("ip6_conntrack_core: can't find proto in pkt\n");
-		NF_CT_STAT_INC(error);
-		NF_CT_STAT_INC(invalid);
+		NF_CT_STAT_INC_ATOMIC(error);
+		NF_CT_STAT_INC_ATOMIC(invalid);
 		return -NF_ACCEPT;
 	}
 
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 3deeb90..d59640e 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -563,7 +563,7 @@ static int early_drop(struct list_head *
 	if (del_timer(&ct->timeout)) {
 		death_by_timeout((unsigned long)ct);
 		dropped = 1;
-		NF_CT_STAT_INC(early_drop);
+		NF_CT_STAT_INC_ATOMIC(early_drop);
 	}
 	nf_ct_put(ct);
 	return dropped;
@@ -821,7 +821,7 @@ nf_conntrack_in(int pf, unsigned int hoo
 
 	/* Previously seen (loopback or untracked)?  Ignore. */
 	if ((*pskb)->nfct) {
-		NF_CT_STAT_INC(ignore);
+		NF_CT_STAT_INC_ATOMIC(ignore);
 		return NF_ACCEPT;
 	}
 
@@ -840,8 +840,8 @@ nf_conntrack_in(int pf, unsigned int hoo
 	 * core what to do with the packet. */
 	if (l4proto->error != NULL &&
 	    (ret = l4proto->error(*pskb, dataoff, &ctinfo, pf, hooknum)) <= 0) {
-		NF_CT_STAT_INC(error);
-		NF_CT_STAT_INC(invalid);
+		NF_CT_STAT_INC_ATOMIC(error);
+		NF_CT_STAT_INC_ATOMIC(invalid);
 		return -ret;
 	}
 
@@ -849,13 +849,13 @@ nf_conntrack_in(int pf, unsigned int hoo
 			       &set_reply, &ctinfo);
 	if (!ct) {
 		/* Not valid part of a connection */
-		NF_CT_STAT_INC(invalid);
+		NF_CT_STAT_INC_ATOMIC(invalid);
 		return NF_ACCEPT;
 	}
 
 	if (IS_ERR(ct)) {
 		/* Too stressed to deal. */
-		NF_CT_STAT_INC(drop);
+		NF_CT_STAT_INC_ATOMIC(drop);
 		return NF_DROP;
 	}
 
@@ -868,7 +868,7 @@ nf_conntrack_in(int pf, unsigned int hoo
 		DEBUGP("nf_conntrack_in: Can't track with proto module\n");
 		nf_conntrack_put((*pskb)->nfct);
 		(*pskb)->nfct = NULL;
-		NF_CT_STAT_INC(invalid);
+		NF_CT_STAT_INC_ATOMIC(invalid);
 		return -ret;
 	}
 

[NETFILTER 15/22]: ip_conntrack: properly use RCU for ip_conntrack_destroyed callback

[Patrick McHardy]

[NETFILTER]: ip_conntrack: properly use RCU for ip_conntrack_destroyed callback

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 26462f9a42bcf2230a68d84dec3a048bc5a9a1af
tree 89f615281c88a2f541583337f1fb700a7a3c1874
parent bab7afccc8d458cc09b3a5bb4224358cbd4f188a
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:06:55 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:06:55 +0100

 net/ipv4/netfilter/ip_conntrack_core.c |    9 ++++++---
 net/ipv4/netfilter/ip_nat_core.c       |    7 ++++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index d1368db..5e9caaf 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -303,6 +303,7 @@ destroy_conntrack(struct nf_conntrack *n
 	struct ip_conntrack *ct = (struct ip_conntrack *)nfct;
 	struct ip_conntrack_protocol *proto;
 	struct ip_conntrack_helper *helper;
+	typeof(ip_conntrack_destroyed) destroyed;
 
 	DEBUGP("destroy_conntrack(%p)\n", ct);
 	IP_NF_ASSERT(atomic_read(&nfct->use) == 0);
@@ -322,10 +323,12 @@ destroy_conntrack(struct nf_conntrack *n
 	proto = __ip_conntrack_proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
 	if (proto && proto->destroy)
 		proto->destroy(ct);
-	rcu_read_unlock();
 
-	if (ip_conntrack_destroyed)
-		ip_conntrack_destroyed(ct);
+	destroyed = rcu_dereference(ip_conntrack_destroyed);
+	if (destroyed)
+		destroyed(ct);
+
+	rcu_read_unlock();
 
 	write_lock_bh(&ip_conntrack_lock);
 	/* Expectations will have been removed in clean_from_lists,
diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c
index 18daabc..40737fd 100644
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -604,8 +604,8 @@ static int __init ip_nat_init(void)
 	}
 
 	/* FIXME: Man, this is a hack.  <SIGH> */
-	IP_NF_ASSERT(ip_conntrack_destroyed == NULL);
-	ip_conntrack_destroyed = &ip_nat_cleanup_conntrack;
+	IP_NF_ASSERT(rcu_dereference(ip_conntrack_destroyed) == NULL);
+	rcu_assign_pointer(ip_conntrack_destroyed, ip_nat_cleanup_conntrack);
 
 	/* Initialize fake conntrack so that NAT will skip it */
 	ip_conntrack_untracked.status |= IPS_NAT_DONE_MASK;
@@ -623,7 +623,8 @@ static int clean_nat(struct ip_conntrack
 static void __exit ip_nat_cleanup(void)
 {
 	ip_ct_iterate_cleanup(&clean_nat, NULL);
-	ip_conntrack_destroyed = NULL;
+	rcu_assign_pointer(ip_conntrack_destroyed, NULL);
+	synchronize_rcu();
 	vfree(bysource);
 }
 

[NETFILTER 16/22]: nf_conntrack: properly use RCU for nf_conntrack_destroyed callback

[Patrick McHardy]

[NETFILTER]: nf_conntrack: properly use RCU for nf_conntrack_destroyed callback

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 2428570e4fc9d689faeb4a96ba7b34352f0a6e2c
tree 7224fd0620ed1a49075a55da0c3b08cd77334313
parent 26462f9a42bcf2230a68d84dec3a048bc5a9a1af
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:18 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:18 +0100

 net/ipv4/netfilter/nf_nat_core.c  |    7 ++++---
 net/netfilter/nf_conntrack_core.c |    9 ++++++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 5156d5d..2c01378 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -617,8 +617,8 @@ static int __init nf_nat_init(void)
 	}
 
 	/* FIXME: Man, this is a hack.  <SIGH> */
-	NF_CT_ASSERT(nf_conntrack_destroyed == NULL);
-	nf_conntrack_destroyed = &nf_nat_cleanup_conntrack;
+	NF_CT_ASSERT(rcu_dereference(nf_conntrack_destroyed) == NULL);
+	rcu_assign_pointer(nf_conntrack_destroyed, nf_nat_cleanup_conntrack);
 
 	/* Initialize fake conntrack so that NAT will skip it */
 	nf_conntrack_untracked.status |= IPS_NAT_DONE_MASK;
@@ -642,7 +642,8 @@ static int clean_nat(struct nf_conn *i, 
 static void __exit nf_nat_cleanup(void)
 {
 	nf_ct_iterate_cleanup(&clean_nat, NULL);
-	nf_conntrack_destroyed = NULL;
+	rcu_assign_pointer(nf_conntrack_destroyed, NULL);
+	synchronize_rcu();
 	vfree(bysource);
 	nf_ct_l3proto_put(l3proto);
 }
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index d59640e..0cc1505 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -318,6 +318,7 @@ destroy_conntrack(struct nf_conntrack *n
 	struct nf_conn_help *help = nfct_help(ct);
 	struct nf_conntrack_l3proto *l3proto;
 	struct nf_conntrack_l4proto *l4proto;
+	typeof(nf_conntrack_destroyed) destroyed;
 
 	DEBUGP("destroy_conntrack(%p)\n", ct);
 	NF_CT_ASSERT(atomic_read(&nfct->use) == 0);
@@ -341,10 +342,12 @@ destroy_conntrack(struct nf_conntrack *n
 				       ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
 	if (l4proto && l4proto->destroy)
 		l4proto->destroy(ct);
-	rcu_read_unlock();
 
-	if (nf_conntrack_destroyed)
-		nf_conntrack_destroyed(ct);
+	destroyed = rcu_dereference(nf_conntrack_destroyed);
+	if (destroyed)
+		destroyed(ct);
+
+	rcu_read_unlock();
 
 	write_lock_bh(&nf_conntrack_lock);
 	/* Expectations will have been removed in clean_from_lists,

[NETFILTER 17/22]: nf_conntrack: change nf_conntrack_l[34]proto_unregister to void

[Patrick McHardy]

[NETFILTER]: nf_conntrack: change nf_conntrack_l[34]proto_unregister to void

No caller checks the return value, and since its usually called within the
module unload path there's nothing a module could do about errors anyway,
so BUG on invalid conditions and return void.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 4b4109fff045b66b7bc0a696fc020f0cc22bad0e
tree 88928fbaa762aca7dfce1d0b4138fc9372487e4e
parent 2428570e4fc9d689faeb4a96ba7b34352f0a6e2c
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:30 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:30 +0100

 include/net/netfilter/nf_conntrack_l3proto.h |    2 +
 include/net/netfilter/nf_conntrack_l4proto.h |    2 +
 net/netfilter/nf_conntrack_proto.c           |   40 +++++---------------------
 3 files changed, 9 insertions(+), 35 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index ba760fe..eb575cb 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -89,7 +89,7 @@ extern struct nf_conntrack_l3proto *nf_c
 
 /* Protocol registration. */
 extern int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto);
-extern int nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto);
+extern void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto);
 
 extern struct nf_conntrack_l3proto *
 nf_ct_l3proto_find_get(u_int16_t l3proto);
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index fc8af08..8415182 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -109,7 +109,7 @@ extern void nf_ct_l4proto_put(struct nf_
 
 /* Protocol registration. */
 extern int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *proto);
-extern int nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto);
+extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto);
 
 /* Generic netlink helpers */
 extern int nf_ct_port_tuple_to_nfattr(struct sk_buff *skb,
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 4dab3fa..456155f 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -215,22 +215,12 @@ out:
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_register);
 
-int nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
+void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
 {
-	int ret = 0;
-
-	if (proto->l3proto >= AF_MAX) {
-		ret = -EBUSY;
-		goto out;
-	}
+	BUG_ON(proto->l3proto >= AF_MAX);
 
 	write_lock_bh(&nf_conntrack_lock);
-	if (nf_ct_l3protos[proto->l3proto] != proto) {
-		write_unlock_bh(&nf_conntrack_lock);
-		ret = -EBUSY;
-		goto out;
-	}
-
+	BUG_ON(nf_ct_l3protos[proto->l3proto] != proto);
 	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
 			   &nf_conntrack_l3proto_generic);
 	write_unlock_bh(&nf_conntrack_lock);
@@ -240,9 +230,6 @@ int nf_conntrack_l3proto_unregister(stru
 
 	/* Remove all contrack entries for this protocol */
 	nf_ct_iterate_cleanup(kill_l3proto, proto);
-
-out:
-	return ret;
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
 
@@ -368,27 +355,17 @@ out:
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_register);
 
-int nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
+void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
 {
-	int ret = 0;
-
-	if (l4proto->l3proto >= PF_MAX) {
-		ret = -EBUSY;
-		goto out;
-	}
+	BUG_ON(l4proto->l3proto >= PF_MAX);
 
 	if (l4proto == &nf_conntrack_l4proto_generic) {
 		nf_ct_l4proto_unregister_sysctl(l4proto);
-		goto out;
+		return;
 	}
 
 	write_lock_bh(&nf_conntrack_lock);
-	if (nf_ct_protos[l4proto->l3proto][l4proto->l4proto]
-	    != l4proto) {
-		write_unlock_bh(&nf_conntrack_lock);
-		ret = -EBUSY;
-		goto out;
-	}
+	BUG_ON(nf_ct_protos[l4proto->l3proto][l4proto->l4proto] != l4proto);
 	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
 			   &nf_conntrack_l4proto_generic);
 	write_unlock_bh(&nf_conntrack_lock);
@@ -398,8 +375,5 @@ int nf_conntrack_l4proto_unregister(stru
 
 	/* Remove all contrack entries for this protocol */
 	nf_ct_iterate_cleanup(kill_l4proto, l4proto);
-
-out:
-	return ret;
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);

[NETFILTER 18/22]: xt_mac/xt_CLASSIFY: use IPv6 hook names for IPv6 registration

[Patrick McHardy]

[NETFILTER]: xt_mac/xt_CLASSIFY: use IPv6 hook names for IPv6 registration

Use NF_IP6_ instead of NF_IP_. The values are identical, this is merely
cleanup.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 0a03715d7befc80612212ee80723dcce8b75f3c1
tree 1ddf22e671682d94ad017f0a9f7f4a74566c60bd
parent 4b4109fff045b66b7bc0a696fc020f0cc22bad0e
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:51 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:07:51 +0100

 net/netfilter/xt_CLASSIFY.c |    8 +++++---
 net/netfilter/xt_mac.c      |    7 ++++---
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 195e929..4007bbe 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -15,6 +15,8 @@ #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <net/checksum.h>
 
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CLASSIFY.h>
 
@@ -55,9 +57,9 @@ static struct xt_target xt_classify_targ
 		.target 	= target,
 		.targetsize	= sizeof(struct xt_classify_target_info),
 		.table		= "mangle",
-		.hooks		= (1 << NF_IP_LOCAL_OUT) |
-				  (1 << NF_IP_FORWARD) |
-			          (1 << NF_IP_POST_ROUTING),
+		.hooks		= (1 << NF_IP6_LOCAL_OUT) |
+				  (1 << NF_IP6_FORWARD) |
+			          (1 << NF_IP6_POST_ROUTING),
 		.me 		= THIS_MODULE,
 	},
 };
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index 425fc21..d430d90 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -14,6 +14,7 @@ #include <linux/if_ether.h>
 #include <linux/etherdevice.h>
 
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/xt_mac.h>
 #include <linux/netfilter/x_tables.h>
 
@@ -59,9 +60,9 @@ static struct xt_match xt_mac_match[] = 
 		.family		= AF_INET6,
 		.match		= match,
 		.matchsize	= sizeof(struct xt_mac_info),
-		.hooks		= (1 << NF_IP_PRE_ROUTING) |
-				  (1 << NF_IP_LOCAL_IN) |
-				  (1 << NF_IP_FORWARD),
+		.hooks		= (1 << NF_IP6_PRE_ROUTING) |
+				  (1 << NF_IP6_LOCAL_IN) |
+				  (1 << NF_IP6_FORWARD),
 		.me		= THIS_MODULE,
 	},
 };

[NETFILTER 19/22]: Kconfig: improve dependency handling

[Patrick McHardy]

[NETFILTER]: Kconfig: improve dependency handling

Instead of depending on internally needed options and letting users
figure out what is needed, select them when needed:

- IP_NF_IPTABLES, IP_NF_ARPTABLES and IP6_NF_IPTABLES select
  NETFILTER_XTABLES

- NETFILTER_XT_TARGET_CONNMARK, NETFILTER_XT_MATCH_CONNMARK and
  IP_NF_TARGET_CLUSTERIP select NF_CONNTRACK_MARK

- NETFILTER_XT_MATCH_CONNBYTES selects NF_CT_ACCT

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit a3987b41ed8c0275393942316c502e4cffbc0126
tree e5f23f16e4bdd9b454356a75269f8a3fb161082a
parent 0a03715d7befc80612212ee80723dcce8b75f3c1
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:00 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:00 +0100

 net/ipv4/netfilter/Kconfig |    8 +++++---
 net/ipv6/netfilter/Kconfig |    3 ++-
 net/netfilter/Kconfig      |   12 +++++++++---
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 9b08e7a..601808c 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -226,7 +226,7 @@ config IP_NF_QUEUE
 
 config IP_NF_IPTABLES
 	tristate "IP tables support (required for filtering/masq/NAT)"
-	depends on NETFILTER_XTABLES
+	select NETFILTER_XTABLES
 	help
 	  iptables is a general, extensible packet identification framework.
 	  The packet filtering and full NAT (masquerading, port forwarding,
@@ -606,7 +606,9 @@ config IP_NF_TARGET_TTL
 config IP_NF_TARGET_CLUSTERIP
 	tristate "CLUSTERIP target support (EXPERIMENTAL)"
 	depends on IP_NF_MANGLE && EXPERIMENTAL
-	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
+	depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4
+	select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK
+	select NF_CONNTRACK_MARK if NF_CONNTRACK_IPV4
 	help
 	  The CLUSTERIP target allows you to build load-balancing clusters of
 	  network servers without having a dedicated load-balancing
@@ -629,7 +631,7 @@ config IP_NF_RAW
 # ARP tables
 config IP_NF_ARPTABLES
 	tristate "ARP tables support"
-	depends on NETFILTER_XTABLES
+	select NETFILTER_XTABLES
 	help
 	  arptables is a general, extensible packet identification framework.
 	  The ARP packet filtering and mangling (manipulation)subsystems
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index cd549ae..da07e9a 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -42,7 +42,8 @@ config IP6_NF_QUEUE
 
 config IP6_NF_IPTABLES
 	tristate "IP6 tables support (required for filtering)"
-	depends on INET && IPV6 && EXPERIMENTAL && NETFILTER_XTABLES
+	depends on INET && IPV6 && EXPERIMENTAL
+	select NETFILTER_XTABLES
 	help
 	  ip6tables is a general, extensible packet identification framework.
 	  Currently only the packet filtering and packet mangling subsystem
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 748f7f0..253fce3 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -302,7 +302,9 @@ config NETFILTER_XT_TARGET_CONNMARK
 	tristate  '"CONNMARK" target support'
 	depends on NETFILTER_XTABLES
 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
-	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
+	depends on IP_NF_CONNTRACK || NF_CONNTRACK
+	select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK
+	select NF_CONNTRACK_MARK if NF_CONNTRACK
 	help
 	  This option adds a `CONNMARK' target, which allows one to manipulate
 	  the connection mark value.  Similar to the MARK target, but
@@ -434,7 +436,9 @@ config NETFILTER_XT_MATCH_COMMENT
 config NETFILTER_XT_MATCH_CONNBYTES
 	tristate  '"connbytes" per-connection counter match support'
 	depends on NETFILTER_XTABLES
-	depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
+	depends on IP_NF_CONNTRACK || NF_CONNTRACK
+	select IP_NF_CT_ACCT if IP_NF_CONNTRACK
+	select NF_CT_ACCT if NF_CONNTRACK
 	help
 	  This option adds a `connbytes' match, which allows you to match the
 	  number of bytes and/or packets for each direction within a connection.
@@ -445,7 +449,9 @@ config NETFILTER_XT_MATCH_CONNBYTES
 config NETFILTER_XT_MATCH_CONNMARK
 	tristate  '"connmark" connection mark match support'
 	depends on NETFILTER_XTABLES
-	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
+	depends on IP_NF_CONNTRACK || NF_CONNTRACK
+	select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK
+	select NF_CONNTRACK_MARK if NF_CONNTRACK
 	help
 	  This option adds a `connmark' match, which allows you to match the
 	  connection mark value previously set for the session by `CONNMARK'. 

[NETFILTER 20/22]: Fix whitespace errors

[Patrick McHardy]

[NETFILTER]: Fix whitespace errors

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 353c941b0735b883510bfd7bb98fcd4fc8a0ee08
tree 14c9e7a24feed39641b2f97b6e2b247bd229062c
parent a3987b41ed8c0275393942316c502e4cffbc0126
author YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Mon, 12 Feb 2007 11:08:07 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:07 +0100

 net/netfilter/core.c                         |    6 -
 net/netfilter/nf_conntrack_core.c            |   18 +-
 net/netfilter/nf_conntrack_expect.c          |    2 
 net/netfilter/nf_conntrack_ftp.c             |   14 +-
 net/netfilter/nf_conntrack_h323_main.c       |   20 +--
 net/netfilter/nf_conntrack_irc.c             |    2 
 net/netfilter/nf_conntrack_l3proto_generic.c |    2 
 net/netfilter/nf_conntrack_netbios_ns.c      |    2 
 net/netfilter/nf_conntrack_netlink.c         |  106 +++++++-------
 net/netfilter/nf_conntrack_pptp.c            |    2 
 net/netfilter/nf_conntrack_proto_sctp.c      |   72 +++++----
 net/netfilter/nf_conntrack_proto_tcp.c       |  204 +++++++++++++-------------
 net/netfilter/nf_conntrack_sip.c             |    6 -
 net/netfilter/nf_conntrack_standalone.c      |    2 
 net/netfilter/nf_conntrack_tftp.c            |    2 
 net/netfilter/nf_internals.h                 |    2 
 net/netfilter/nf_log.c                       |    6 -
 net/netfilter/nf_queue.c                     |   22 +--
 net/netfilter/nf_sockopt.c                   |   12 +-
 net/netfilter/nfnetlink.c                    |   10 +
 net/netfilter/nfnetlink_log.c                |   52 +++----
 net/netfilter/nfnetlink_queue.c              |   84 +++++------
 net/netfilter/x_tables.c                     |   12 +-
 net/netfilter/xt_CLASSIFY.c                  |    4 -
 net/netfilter/xt_MARK.c                      |    4 -
 net/netfilter/xt_NFQUEUE.c                   |    4 -
 net/netfilter/xt_NOTRACK.c                   |    4 -
 net/netfilter/xt_SECMARK.c                   |    2 
 net/netfilter/xt_conntrack.c                 |   32 ++--
 net/netfilter/xt_dccp.c                      |   20 +--
 net/netfilter/xt_hashlimit.c                 |    8 +
 net/netfilter/xt_helper.c                    |   18 +-
 net/netfilter/xt_length.c                    |    4 -
 net/netfilter/xt_limit.c                     |    2 
 net/netfilter/xt_mark.c                      |    6 -
 net/netfilter/xt_multiport.c                 |    2 
 net/netfilter/xt_physdev.c                   |    2 
 net/netfilter/xt_policy.c                    |   24 ++-
 net/netfilter/xt_quota.c                     |    4 -
 net/netfilter/xt_realm.c                     |    2 
 net/netfilter/xt_sctp.c                      |   30 ++--
 net/netfilter/xt_string.c                    |    8 +
 net/netfilter/xt_tcpmss.c                    |    4 -
 43 files changed, 422 insertions(+), 422 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index f61e0c2..c3ebdbd 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -1,4 +1,4 @@
-/* netfilter.c: look after the filters for various protocols. 
+/* netfilter.c: look after the filters for various protocols.
  * Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
  *
  * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
@@ -141,14 +141,14 @@ unsigned int nf_iterate(struct list_head
 			continue;
 
 		/* Optimization: we don't need to hold module
-                   reference here, since function can't sleep. --RR */
+		   reference here, since function can't sleep. --RR */
 		verdict = elem->hook(hook, skb, indev, outdev, okfn);
 		if (verdict != NF_ACCEPT) {
 #ifdef CONFIG_NETFILTER_DEBUG
 			if (unlikely((verdict & NF_VERDICT_MASK)
 							> NF_MAX_VERDICT)) {
 				NFDEBUG("Evil return from %p(%u).\n",
-				        elem->hook, hook);
+					elem->hook, hook);
 				continue;
 			}
 #endif
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 0cc1505..32891eb 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -424,7 +424,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_find_get)
 
 static void __nf_conntrack_hash_insert(struct nf_conn *ct,
 				       unsigned int hash,
-				       unsigned int repl_hash) 
+				       unsigned int repl_hash)
 {
 	ct->id = ++nf_conntrack_next_id;
 	list_add(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list,
@@ -1066,7 +1066,7 @@ get_next_corpse(int (*iter)(struct nf_co
 			if (iter(ct, data))
 				goto found;
 		}
- 	}
+	}
 	list_for_each_entry(h, &unconfirmed, list) {
 		ct = nf_ct_tuplehash_to_ctrack(h);
 		if (iter(ct, data))
@@ -1107,7 +1107,7 @@ static void free_conntrack_hash(struct l
 	if (vmalloced)
 		vfree(hash);
 	else
-		free_pages((unsigned long)hash, 
+		free_pages((unsigned long)hash,
 			   get_order(sizeof(struct list_head) * size));
 }
 
@@ -1168,18 +1168,18 @@ static struct list_head *alloc_hashtable
 	struct list_head *hash;
 	unsigned int i;
 
-	*vmalloced = 0; 
-	hash = (void*)__get_free_pages(GFP_KERNEL, 
+	*vmalloced = 0;
+	hash = (void*)__get_free_pages(GFP_KERNEL,
 				       get_order(sizeof(struct list_head)
 						 * size));
-	if (!hash) { 
+	if (!hash) {
 		*vmalloced = 1;
 		printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
 		hash = vmalloc(sizeof(struct list_head) * size);
 	}
 
 	if (hash)
-		for (i = 0; i < size; i++) 
+		for (i = 0; i < size; i++)
 			INIT_LIST_HEAD(&hash[i]);
 
 	return hash;
@@ -1286,9 +1286,9 @@ int __init nf_conntrack_init(void)
 
 	/* Don't NEED lock here, but good form anyway. */
 	write_lock_bh(&nf_conntrack_lock);
-        for (i = 0; i < AF_MAX; i++)
+	for (i = 0; i < AF_MAX; i++)
 		nf_ct_l3protos[i] = &nf_conntrack_l3proto_generic;
-        write_unlock_bh(&nf_conntrack_lock);
+	write_unlock_bh(&nf_conntrack_lock);
 
 	/* For use by REJECT target */
 	rcu_assign_pointer(ip_ct_attach, __nf_conntrack_attach);
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 9cbf926..3139f45 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -130,7 +130,7 @@ void nf_ct_remove_expectations(struct nf
 		if (i->master == ct && del_timer(&i->timeout)) {
 			nf_ct_unlink_expect(i);
 			nf_conntrack_expect_put(i);
- 		}
+		}
 	}
 }
 EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 92a9471..3089dfc 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -126,7 +126,7 @@ get_ipv6_addr(const char *src, size_t dl
 }
 
 static int try_number(const char *data, size_t dlen, u_int32_t array[],
-                      int array_size, char sep, char term)
+		      int array_size, char sep, char term)
 {
 	u_int32_t i, len;
 
@@ -413,8 +413,8 @@ static int help(struct sk_buff **pskb,
 		goto out_update_nl;
 	}
 
-        /* Initialize IP/IPv6 addr to expected address (it's not mentioned
-           in EPSV responses) */
+	/* Initialize IP/IPv6 addr to expected address (it's not mentioned
+	   in EPSV responses) */
 	cmd.l3num = ct->tuplehash[dir].tuple.src.l3num;
 	memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all,
 	       sizeof(cmd.u3.all));
@@ -466,11 +466,11 @@ static int help(struct sk_buff **pskb,
 	    memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all,
 		     sizeof(cmd.u3.all))) {
 		/* Enrico Scholz's passive FTP to partially RNAT'd ftp
-                   server: it really wants us to connect to a
-                   different IP address.  Simply don't record it for
-                   NAT. */
+		   server: it really wants us to connect to a
+		   different IP address.  Simply don't record it for
+		   NAT. */
 		if (cmd.l3num == PF_INET) {
-                	DEBUGP("conntrack_ftp: NOT RECORDING: " NIPQUAD_FMT " != " NIPQUAD_FMT "\n",
+			DEBUGP("conntrack_ftp: NOT RECORDING: " NIPQUAD_FMT " != " NIPQUAD_FMT "\n",
 			       NIPQUAD(cmd.u3.ip),
 			       NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip));
 		} else {
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 6d85689..b284db7 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -49,7 +49,7 @@ MODULE_PARM_DESC(gkrouted_only, "only ac
 static int callforward_filter __read_mostly = 1;
 module_param(callforward_filter, bool, 0600);
 MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations "
-		                     "if both endpoints are on different sides "
+				     "if both endpoints are on different sides "
 				     "(determined by routing information)");
 
 /* Hooks for NAT */
@@ -300,7 +300,7 @@ static int expect_rtp_rtcp(struct sk_buf
 				 IPPROTO_UDP, NULL, &rtcp_port);
 
 	if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
-	   	   &ct->tuplehash[!dir].tuple.dst.u3,
+		   &ct->tuplehash[!dir].tuple.dst.u3,
 		   sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
 		   (nat_rtp_rtcp = rcu_dereference(nat_rtp_rtcp_hook)) &&
 		   ct->status & IPS_NAT_MASK) {
@@ -743,7 +743,7 @@ #if defined(CONFIG_IPV6) || defined(CONF
 			rt2 = (struct rt6_info *)ip6_route_output(NULL, &fl2);
 			if (rt2) {
 				if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway,
-				 	    sizeof(rt1->rt6i_gateway)) &&
+					    sizeof(rt1->rt6i_gateway)) &&
 				    rt1->u.dst.dev == rt2->u.dst.dev)
 					ret = 1;
 				dst_release(&rt2->u.dst);
@@ -780,7 +780,7 @@ static int expect_callforwarding(struct 
 	 * we don't need to track the second call */
 	if (callforward_filter &&
 	    callforward_do_filter(&addr, &ct->tuplehash[!dir].tuple.src.u3,
-	    			  ct->tuplehash[!dir].tuple.src.l3num)) {
+				  ct->tuplehash[!dir].tuple.src.l3num)) {
 		DEBUGP("nf_ct_q931: Call Forwarding not tracked\n");
 		return 0;
 	}
@@ -840,7 +840,7 @@ static int process_setup(struct sk_buff 
 	if ((setup->options & eSetup_UUIE_destCallSignalAddress) &&
 	    (set_h225_addr) && ct->status && IPS_NAT_MASK &&
 	    get_h225_addr(ct, *data, &setup->destCallSignalAddress,
-	    		  &addr, &port) &&
+			  &addr, &port) &&
 	    memcmp(&addr, &ct->tuplehash[!dir].tuple.src.u3, sizeof(addr))) {
 		DEBUGP("nf_ct_q931: set destCallSignalAddress "
 		       NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n",
@@ -858,7 +858,7 @@ static int process_setup(struct sk_buff 
 	if ((setup->options & eSetup_UUIE_sourceCallSignalAddress) &&
 	    (set_h225_addr) && ct->status & IPS_NAT_MASK &&
 	    get_h225_addr(ct, *data, &setup->sourceCallSignalAddress,
-	    		  &addr, &port) &&
+			  &addr, &port) &&
 	    memcmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3, sizeof(addr))) {
 		DEBUGP("nf_ct_q931: set sourceCallSignalAddress "
 		       NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n",
@@ -1282,7 +1282,7 @@ static int expect_q931(struct sk_buff **
 	for (i = 0; i < count; i++) {
 		if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) &&
 		    memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3,
-		    	   sizeof(addr)) == 0 && port != 0)
+			   sizeof(addr)) == 0 && port != 0)
 			break;
 	}
 
@@ -1294,7 +1294,7 @@ static int expect_q931(struct sk_buff **
 		return -1;
 	nf_conntrack_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
 				 gkrouted_only ? /* only accept calls from GK? */
-				 	&ct->tuplehash[!dir].tuple.src.u3 :
+					&ct->tuplehash[!dir].tuple.src.u3 :
 					NULL,
 				 &ct->tuplehash[!dir].tuple.dst.u3,
 				 IPPROTO_TCP, NULL, &port);
@@ -1513,7 +1513,7 @@ static int process_arq(struct sk_buff **
 	set_h225_addr = rcu_dereference(set_h225_addr_hook);
 	if ((arq->options & eAdmissionRequest_destCallSignalAddress) &&
 	    get_h225_addr(ct, *data, &arq->destCallSignalAddress,
-	    		  &addr, &port) &&
+			  &addr, &port) &&
 	    !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
 	    port == info->sig_port[dir] &&
 	    set_h225_addr && ct->status & IPS_NAT_MASK) {
@@ -1526,7 +1526,7 @@ static int process_arq(struct sk_buff **
 
 	if ((arq->options & eAdmissionRequest_srcCallSignalAddress) &&
 	    get_h225_addr(ct, *data, &arq->srcCallSignalAddress,
-	    		  &addr, &port) &&
+			  &addr, &port) &&
 	    !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
 	    set_h225_addr && ct->status & IPS_NAT_MASK) {
 		/* Calling ARQ */
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index ed01db6..43ccd0e 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -57,7 +57,7 @@ #define MINMATCHLEN	5
 
 #if 0
 #define DEBUGP(format, args...) printk(KERN_DEBUG "%s:%s:" format, \
-                                       __FILE__, __FUNCTION__ , ## args)
+				       __FILE__, __FUNCTION__ , ## args)
 #else
 #define DEBUGP(format, args...)
 #endif
diff --git a/net/netfilter/nf_conntrack_l3proto_generic.c b/net/netfilter/nf_conntrack_l3proto_generic.c
index a3d31c3..cbd96f3 100644
--- a/net/netfilter/nf_conntrack_l3proto_generic.c
+++ b/net/netfilter/nf_conntrack_l3proto_generic.c
@@ -77,7 +77,7 @@ generic_prepare(struct sk_buff **pskb, u
 
 
 static u_int32_t generic_get_features(const struct nf_conntrack_tuple *tuple)
-				
+
 {
 	return NF_CT_F_BASIC;
 }
diff --git a/net/netfilter/nf_conntrack_netbios_ns.c b/net/netfilter/nf_conntrack_netbios_ns.c
index 2a48efd..bb26a65 100644
--- a/net/netfilter/nf_conntrack_netbios_ns.c
+++ b/net/netfilter/nf_conntrack_netbios_ns.c
@@ -43,7 +43,7 @@ module_param(timeout, uint, 0400);
 MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
 
 static int help(struct sk_buff **pskb, unsigned int protoff,
-                struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+		struct nf_conn *ct, enum ip_conntrack_info ctinfo)
 {
 	struct nf_conntrack_expect *exp;
 	struct iphdr *iph = (*pskb)->nh.iph;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index c64f029..48f0531 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -6,10 +6,10 @@
  * (C) 2003 by Patrick Mchardy <kaber@trash.net>
  * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
  *
- * I've reworked this stuff to use attributes instead of conntrack 
+ * I've reworked this stuff to use attributes instead of conntrack
  * structures. 5.44 am. I need more tea. --pablo 05/07/11.
  *
- * Initial connection tracking via netlink development funded and 
+ * Initial connection tracking via netlink development funded and
  * generally made possible by Network Robots, Inc. (www.networkrobots.com)
  *
  * Further development of this code funded by Astaro AG (http://www.astaro.com)
@@ -53,7 +53,7 @@ MODULE_LICENSE("GPL");
 static char __initdata version[] = "0.93";
 
 static inline int
-ctnetlink_dump_tuples_proto(struct sk_buff *skb, 
+ctnetlink_dump_tuples_proto(struct sk_buff *skb,
 			    const struct nf_conntrack_tuple *tuple,
 			    struct nf_conntrack_l4proto *l4proto)
 {
@@ -64,7 +64,7 @@ ctnetlink_dump_tuples_proto(struct sk_bu
 
 	if (likely(l4proto->tuple_to_nfattr))
 		ret = l4proto->tuple_to_nfattr(skb, tuple);
-	
+
 	NFA_NEST_END(skb, nest_parms);
 
 	return ret;
@@ -135,7 +135,7 @@ ctnetlink_dump_timeout(struct sk_buff *s
 		timeout = 0;
 	else
 		timeout = htonl(timeout_l / HZ);
-	
+
 	NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout);
 	return 0;
 
@@ -154,7 +154,7 @@ ctnetlink_dump_protoinfo(struct sk_buff 
 		nf_ct_l4proto_put(l4proto);
 		return 0;
 	}
-	
+
 	nest_proto = NFA_NEST(skb, CTA_PROTOINFO);
 
 	ret = l4proto->to_nfattr(skb, nest_proto, ct);
@@ -178,7 +178,7 @@ ctnetlink_dump_helpinfo(struct sk_buff *
 
 	if (!help || !help->helper)
 		return 0;
-		
+
 	nest_helper = NFA_NEST(skb, CTA_HELP);
 	NFA_PUT(skb, CTA_HELP_NAME, strlen(help->helper->name), help->helper->name);
 
@@ -250,7 +250,7 @@ static inline int
 ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
 {
 	__be32 use = htonl(atomic_read(&ct->ct_general.use));
-	
+
 	NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use);
 	return 0;
 
@@ -262,7 +262,7 @@ #define tuple(ct, dir) (&(ct)->tuplehash
 
 static int
 ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
-		    int event, int nowait, 
+		    int event, int nowait,
 		    const struct nf_conn *ct)
 {
 	struct nlmsghdr *nlh;
@@ -277,7 +277,7 @@ ctnetlink_fill_info(struct sk_buff *skb,
 	nfmsg  = NLMSG_DATA(nlh);
 
 	nlh->nlmsg_flags    = (nowait && pid) ? NLM_F_MULTI : 0;
-	nfmsg->nfgen_family = 
+	nfmsg->nfgen_family =
 		ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
 	nfmsg->version      = NFNETLINK_V0;
 	nfmsg->res_id	    = 0;
@@ -286,7 +286,7 @@ ctnetlink_fill_info(struct sk_buff *skb,
 	if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
 		goto nfattr_failure;
 	NFA_NEST_END(skb, nest_parms);
-	
+
 	nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
 	if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
 		goto nfattr_failure;
@@ -314,7 +314,7 @@ nfattr_failure:
 
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 static int ctnetlink_conntrack_event(struct notifier_block *this,
-                                     unsigned long events, void *ptr)
+				     unsigned long events, void *ptr)
 {
 	struct nlmsghdr *nlh;
 	struct nfgenmsg *nfmsg;
@@ -364,7 +364,7 @@ static int ctnetlink_conntrack_event(str
 	if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
 		goto nfattr_failure;
 	NFA_NEST_END(skb, nest_parms);
-	
+
 	nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
 	if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
 		goto nfattr_failure;
@@ -383,16 +383,16 @@ static int ctnetlink_conntrack_event(str
 
 		if (events & IPCT_PROTOINFO
 		    && ctnetlink_dump_protoinfo(skb, ct) < 0)
-		    	goto nfattr_failure;
+			goto nfattr_failure;
 
 		if ((events & IPCT_HELPER || nfct_help(ct))
 		    && ctnetlink_dump_helpinfo(skb, ct) < 0)
-		    	goto nfattr_failure;
+			goto nfattr_failure;
 
 #ifdef CONFIG_NF_CONNTRACK_MARK
 		if ((events & IPCT_MARK || ct->mark)
 		    && ctnetlink_dump_mark(skb, ct) < 0)
-		    	goto nfattr_failure;
+			goto nfattr_failure;
 #endif
 
 		if (events & IPCT_COUNTER_FILLING &&
@@ -450,7 +450,7 @@ restart:
 				cb->args[1] = 0;
 			}
 			if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
-		                        	cb->nlh->nlmsg_seq,
+						cb->nlh->nlmsg_seq,
 						IPCTNL_MSG_CT_NEW,
 						1, ct) < 0) {
 				nf_conntrack_get(&ct->ct_general);
@@ -500,7 +500,7 @@ static const size_t cta_min_proto[CTA_PR
 };
 
 static inline int
-ctnetlink_parse_tuple_proto(struct nfattr *attr, 
+ctnetlink_parse_tuple_proto(struct nfattr *attr,
 			    struct nf_conntrack_tuple *tuple)
 {
 	struct nfattr *tb[CTA_PROTO_MAX];
@@ -522,7 +522,7 @@ ctnetlink_parse_tuple_proto(struct nfatt
 		ret = l4proto->nfattr_to_tuple(tb, tuple);
 
 	nf_ct_l4proto_put(l4proto);
-	
+
 	return ret;
 }
 
@@ -609,7 +609,7 @@ nfnetlink_parse_nat(struct nfattr *nat,
 	int err;
 
 	memset(range, 0, sizeof(*range));
-	
+
 	nfattr_parse_nested(tb, CTA_NAT_MAX, nat);
 
 	if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat))
@@ -661,7 +661,7 @@ static const size_t cta_min[CTA_MAX] = {
 };
 
 static int
-ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, 
+ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
 			struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
 {
 	struct nf_conntrack_tuple_hash *h;
@@ -692,14 +692,14 @@ ctnetlink_del_conntrack(struct sock *ctn
 		return -ENOENT;
 
 	ct = nf_ct_tuplehash_to_ctrack(h);
-	
+
 	if (cda[CTA_ID-1]) {
 		u_int32_t id = ntohl(*(__be32 *)NFA_DATA(cda[CTA_ID-1]));
 		if (ct->id != id) {
 			nf_ct_put(ct);
 			return -ENOENT;
 		}
-	}	
+	}
 	if (del_timer(&ct->timeout))
 		ct->timeout.function((unsigned long)ct);
 
@@ -709,7 +709,7 @@ ctnetlink_del_conntrack(struct sock *ctn
 }
 
 static int
-ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, 
+ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
 			struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
 {
 	struct nf_conntrack_tuple_hash *h;
@@ -765,7 +765,7 @@ #endif
 		return -ENOMEM;
 	}
 
-	err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 
+	err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
 				  IPCTNL_MSG_CT_NEW, 1, ct);
 	nf_ct_put(ct);
 	if (err <= 0)
@@ -793,12 +793,12 @@ ctnetlink_change_status(struct nf_conn *
 	if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
 		/* unchangeable */
 		return -EINVAL;
-	
+
 	if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
 		/* SEEN_REPLY bit can only be set */
 		return -EINVAL;
 
-	
+
 	if (d & IPS_ASSURED && !(status & IPS_ASSURED))
 		/* ASSURED bit can only be set */
 		return -EINVAL;
@@ -877,7 +877,7 @@ ctnetlink_change_helper(struct nf_conn *
 			memset(&help->help, 0, sizeof(help->help));
 		}
 	}
-	
+
 	help->helper = helper;
 
 	return 0;
@@ -887,7 +887,7 @@ static inline int
 ctnetlink_change_timeout(struct nf_conn *ct, struct nfattr *cda[])
 {
 	u_int32_t timeout = ntohl(*(__be32 *)NFA_DATA(cda[CTA_TIMEOUT-1]));
-	
+
 	if (!del_timer(&ct->timeout))
 		return -ETIME;
 
@@ -955,7 +955,7 @@ #endif
 }
 
 static int
-ctnetlink_create_conntrack(struct nfattr *cda[], 
+ctnetlink_create_conntrack(struct nfattr *cda[],
 			   struct nf_conntrack_tuple *otuple,
 			   struct nf_conntrack_tuple *rtuple)
 {
@@ -965,7 +965,7 @@ ctnetlink_create_conntrack(struct nfattr
 
 	ct = nf_conntrack_alloc(otuple, rtuple);
 	if (ct == NULL || IS_ERR(ct))
-		return -ENOMEM;	
+		return -ENOMEM;
 
 	if (!cda[CTA_TIMEOUT-1])
 		goto err;
@@ -1003,13 +1003,13 @@ #endif
 
 	return 0;
 
-err:	
+err:
 	nf_conntrack_free(ct);
 	return err;
 }
 
-static int 
-ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, 
+static int
+ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
 			struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
 {
 	struct nf_conntrack_tuple otuple, rtuple;
@@ -1065,9 +1065,9 @@ out_unlock:
 	return err;
 }
 
-/*********************************************************************** 
- * EXPECT 
- ***********************************************************************/ 
+/***********************************************************************
+ * EXPECT
+ ***********************************************************************/
 
 static inline int
 ctnetlink_exp_dump_tuple(struct sk_buff *skb,
@@ -1075,7 +1075,7 @@ ctnetlink_exp_dump_tuple(struct sk_buff 
 			 enum ctattr_expect type)
 {
 	struct nfattr *nest_parms = NFA_NEST(skb, type);
-	
+
 	if (ctnetlink_dump_tuples(skb, tuple) < 0)
 		goto nfattr_failure;
 
@@ -1085,7 +1085,7 @@ ctnetlink_exp_dump_tuple(struct sk_buff 
 
 nfattr_failure:
 	return -1;
-}			
+}
 
 static inline int
 ctnetlink_exp_dump_mask(struct sk_buff *skb,
@@ -1120,7 +1120,7 @@ nfattr_failure:
 
 static inline int
 ctnetlink_exp_dump_expect(struct sk_buff *skb,
-                          const struct nf_conntrack_expect *exp)
+			  const struct nf_conntrack_expect *exp)
 {
 	struct nf_conn *master = exp->master;
 	__be32 timeout = htonl((exp->timeout.expires - jiffies) / HZ);
@@ -1134,20 +1134,20 @@ ctnetlink_exp_dump_expect(struct sk_buff
 				 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
 				 CTA_EXPECT_MASTER) < 0)
 		goto nfattr_failure;
-	
+
 	NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout);
 	NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id);
 
 	return 0;
-	
+
 nfattr_failure:
 	return -1;
 }
 
 static int
 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
-		    int event, 
-		    int nowait, 
+		    int event,
+		    int nowait,
 		    const struct nf_conntrack_expect *exp)
 {
 	struct nlmsghdr *nlh;
@@ -1250,7 +1250,7 @@ ctnetlink_exp_dump_table(struct sk_buff 
 			goto out;
 		*id = exp->id;
 	}
-out:	
+out:
 	read_unlock_bh(&nf_conntrack_lock);
 
 	return skb->len;
@@ -1262,7 +1262,7 @@ static const size_t cta_min_exp[CTA_EXPE
 };
 
 static int
-ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, 
+ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
 		     struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
 {
 	struct nf_conntrack_tuple tuple;
@@ -1279,7 +1279,7 @@ ctnetlink_get_expect(struct sock *ctnl, 
 		u32 rlen;
 
 		if ((*errp = netlink_dump_start(ctnl, skb, nlh,
-		    				ctnetlink_exp_dump_table,
+						ctnetlink_exp_dump_table,
 						ctnetlink_done)) != 0)
 			return -EINVAL;
 		rlen = NLMSG_ALIGN(nlh->nlmsg_len);
@@ -1307,14 +1307,14 @@ ctnetlink_get_expect(struct sock *ctnl, 
 			nf_conntrack_expect_put(exp);
 			return -ENOENT;
 		}
-	}	
+	}
 
 	err = -ENOMEM;
 	skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
 	if (!skb2)
 		goto out;
 
-	err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid, 
+	err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
 				      nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
 				      1, exp);
 	if (err <= 0)
@@ -1332,7 +1332,7 @@ out:
 }
 
 static int
-ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, 
+ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
 		     struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
 {
 	struct nf_conntrack_expect *exp, *tmp;
@@ -1366,7 +1366,7 @@ ctnetlink_del_expect(struct sock *ctnl, 
 
 		/* after list removal, usage count == 1 */
 		nf_conntrack_unexpect_related(exp);
-		/* have to put what we 'get' above. 
+		/* have to put what we 'get' above.
 		 * after this line usage count == 0 */
 		nf_conntrack_expect_put(exp);
 	} else if (cda[CTA_EXPECT_HELP_NAME-1]) {
@@ -1449,7 +1449,7 @@ ctnetlink_create_expect(struct nfattr *c
 		err = -ENOMEM;
 		goto out;
 	}
-	
+
 	exp->expectfn = NULL;
 	exp->flags = 0;
 	exp->master = ct;
@@ -1460,7 +1460,7 @@ ctnetlink_create_expect(struct nfattr *c
 	err = nf_conntrack_expect_related(exp);
 	nf_conntrack_expect_put(exp);
 
-out:	
+out:
 	nf_ct_put(nf_ct_tuplehash_to_ctrack(h));
 	return err;
 }
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index c59df3b..115bcb5 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -520,7 +520,7 @@ conntrack_pptp_help(struct sk_buff **psk
 	tcph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_tcph), &_tcph);
 	BUG_ON(!tcph);
 	nexthdr_off += tcph->doff * 4;
- 	datalen = tcplen - tcph->doff * 4;
+	datalen = tcplen - tcph->doff * 4;
 
 	pptph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_pptph), &_pptph);
 	if (!pptph) {
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 76e2636..0133afa 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -1,9 +1,9 @@
 /*
  * Connection tracking protocol helper module for SCTP.
- * 
- * SCTP is defined in RFC 2960. References to various sections in this code 
+ *
+ * SCTP is defined in RFC 2960. References to various sections in this code
  * are to this RFC.
- * 
+ *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
@@ -45,7 +45,7 @@ #endif
 static DEFINE_RWLOCK(sctp_lock);
 
 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
-   closely.  They're more complex. --RR 
+   closely.  They're more complex. --RR
 
    And so for me for SCTP :D -Kiran */
 
@@ -94,32 +94,32 @@ #define	sSR SCTP_CONNTRACK_SHUTDOWN_RECD
 #define	sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
 #define	sIV SCTP_CONNTRACK_MAX
 
-/* 
+/*
 	These are the descriptions of the states:
 
-NOTE: These state names are tantalizingly similar to the states of an 
+NOTE: These state names are tantalizingly similar to the states of an
 SCTP endpoint. But the interpretation of the states is a little different,
-considering that these are the states of the connection and not of an end 
+considering that these are the states of the connection and not of an end
 point. Please note the subtleties. -Kiran
 
 NONE              - Nothing so far.
-COOKIE WAIT       - We have seen an INIT chunk in the original direction, or also 
-                    an INIT_ACK chunk in the reply direction.
+COOKIE WAIT       - We have seen an INIT chunk in the original direction, or also
+		    an INIT_ACK chunk in the reply direction.
 COOKIE ECHOED     - We have seen a COOKIE_ECHO chunk in the original direction.
 ESTABLISHED       - We have seen a COOKIE_ACK in the reply direction.
 SHUTDOWN_SENT     - We have seen a SHUTDOWN chunk in the original direction.
 SHUTDOWN_RECD     - We have seen a SHUTDOWN chunk in the reply directoin.
 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
-                    to that of the SHUTDOWN chunk.
-CLOSED            - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 
-                    the SHUTDOWN chunk. Connection is closed.
+		    to that of the SHUTDOWN chunk.
+CLOSED            - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
+		    the SHUTDOWN chunk. Connection is closed.
 */
 
 /* TODO
- - I have assumed that the first INIT is in the original direction. 
+ - I have assumed that the first INIT is in the original direction.
  This messes things when an INIT comes in the reply direction in CLOSED
  state.
- - Check the error type in the reply dir before transitioning from 
+ - Check the error type in the reply dir before transitioning from
 cookie echoed to closed.
  - Sec 5.2.4 of RFC 2960
  - Multi Homing support.
@@ -237,7 +237,7 @@ static int do_basic_checks(struct nf_con
 	for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 		DEBUGP("Chunk Num: %d  Type: %d\n", count, sch->type);
 
-		if (sch->type == SCTP_CID_INIT 
+		if (sch->type == SCTP_CID_INIT
 			|| sch->type == SCTP_CID_INIT_ACK
 			|| sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
 			flag = 1;
@@ -277,42 +277,42 @@ static int new_state(enum ip_conntrack_d
 	DEBUGP("Chunk type: %d\n", chunk_type);
 
 	switch (chunk_type) {
-		case SCTP_CID_INIT: 
+		case SCTP_CID_INIT:
 			DEBUGP("SCTP_CID_INIT\n");
 			i = 0; break;
-		case SCTP_CID_INIT_ACK: 
+		case SCTP_CID_INIT_ACK:
 			DEBUGP("SCTP_CID_INIT_ACK\n");
 			i = 1; break;
-		case SCTP_CID_ABORT: 
+		case SCTP_CID_ABORT:
 			DEBUGP("SCTP_CID_ABORT\n");
 			i = 2; break;
-		case SCTP_CID_SHUTDOWN: 
+		case SCTP_CID_SHUTDOWN:
 			DEBUGP("SCTP_CID_SHUTDOWN\n");
 			i = 3; break;
-		case SCTP_CID_SHUTDOWN_ACK: 
+		case SCTP_CID_SHUTDOWN_ACK:
 			DEBUGP("SCTP_CID_SHUTDOWN_ACK\n");
 			i = 4; break;
-		case SCTP_CID_ERROR: 
+		case SCTP_CID_ERROR:
 			DEBUGP("SCTP_CID_ERROR\n");
 			i = 5; break;
-		case SCTP_CID_COOKIE_ECHO: 
+		case SCTP_CID_COOKIE_ECHO:
 			DEBUGP("SCTP_CID_COOKIE_ECHO\n");
 			i = 6; break;
-		case SCTP_CID_COOKIE_ACK: 
+		case SCTP_CID_COOKIE_ACK:
 			DEBUGP("SCTP_CID_COOKIE_ACK\n");
 			i = 7; break;
-		case SCTP_CID_SHUTDOWN_COMPLETE: 
+		case SCTP_CID_SHUTDOWN_COMPLETE:
 			DEBUGP("SCTP_CID_SHUTDOWN_COMPLETE\n");
 			i = 8; break;
 		default:
 			/* Other chunks like DATA, SACK, HEARTBEAT and
 			its ACK do not cause a change in state */
-			DEBUGP("Unknown chunk type, Will stay in %s\n", 
+			DEBUGP("Unknown chunk type, Will stay in %s\n",
 						sctp_conntrack_names[cur_state]);
 			return cur_state;
 	}
 
-	DEBUGP("dir: %d   cur_state: %s  chunk_type: %d  new_state: %s\n", 
+	DEBUGP("dir: %d   cur_state: %s  chunk_type: %d  new_state: %s\n",
 			dir, sctp_conntrack_names[cur_state], chunk_type,
 			sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
 
@@ -377,7 +377,7 @@ static int sctp_packet(struct nf_conn *c
 			/* Sec 8.5.1 (C) */
 			if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])
 				&& !(sh->vtag == conntrack->proto.sctp.vtag
-							[1 - CTINFO2DIR(ctinfo)] 
+							[1 - CTINFO2DIR(ctinfo)]
 					&& (sch->flags & 1))) {
 				write_unlock_bh(&sctp_lock);
 				return -1;
@@ -402,17 +402,17 @@ static int sctp_packet(struct nf_conn *c
 		}
 
 		/* If it is an INIT or an INIT ACK note down the vtag */
-		if (sch->type == SCTP_CID_INIT 
+		if (sch->type == SCTP_CID_INIT
 			|| sch->type == SCTP_CID_INIT_ACK) {
 			sctp_inithdr_t _inithdr, *ih;
 
 			ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
-			                        sizeof(_inithdr), &_inithdr);
+						sizeof(_inithdr), &_inithdr);
 			if (ih == NULL) {
 					write_unlock_bh(&sctp_lock);
 					return -1;
 			}
-			DEBUGP("Setting vtag %x for dir %d\n", 
+			DEBUGP("Setting vtag %x for dir %d\n",
 					ih->init_tag, !CTINFO2DIR(ctinfo));
 			conntrack->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag;
 		}
@@ -466,7 +466,7 @@ static int sctp_new(struct nf_conn *conn
 	newconntrack = SCTP_CONNTRACK_MAX;
 	for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
 		/* Don't need lock here: this conntrack not in circulation yet */
-		newconntrack = new_state(IP_CT_DIR_ORIGINAL, 
+		newconntrack = new_state(IP_CT_DIR_ORIGINAL,
 					 SCTP_CONNTRACK_NONE, sch->type);
 
 		/* Invalid: delete conntrack */
@@ -481,14 +481,14 @@ static int sctp_new(struct nf_conn *conn
 				sctp_inithdr_t _inithdr, *ih;
 
 				ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
-				                        sizeof(_inithdr), &_inithdr);
+							sizeof(_inithdr), &_inithdr);
 				if (ih == NULL)
 					return 0;
 
-				DEBUGP("Setting vtag %x for new conn\n", 
+				DEBUGP("Setting vtag %x for new conn\n",
 					ih->init_tag);
 
-				conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = 
+				conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] =
 								ih->init_tag;
 			} else {
 				/* Sec 8.5.1 (A) */
@@ -498,7 +498,7 @@ static int sctp_new(struct nf_conn *conn
 		/* If it is a shutdown ack OOTB packet, we expect a return
 		   shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
 		else {
-			DEBUGP("Setting vtag %x for new conn OOTB\n", 
+			DEBUGP("Setting vtag %x for new conn OOTB\n",
 				sh->vtag);
 			conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
 		}
@@ -698,7 +698,7 @@ int __init nf_conntrack_proto_sctp_init(
  cleanup_sctp4:
 	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
  out:
-	DEBUGP("SCTP conntrack module loading %s\n", 
+	DEBUGP("SCTP conntrack module loading %s\n",
 					ret ? "failed": "succeeded");
 	return ret;
 }
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 6fccdcf..c2884f9 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -55,8 +55,8 @@ #endif
 /* Protects conntrack->proto.tcp */
 static DEFINE_RWLOCK(tcp_lock);
 
-/* "Be conservative in what you do, 
-    be liberal in what you accept from others." 
+/* "Be conservative in what you do,
+    be liberal in what you accept from others."
     If it's non-zero, we mark only out of window RST segments as INVALID. */
 int nf_ct_tcp_be_liberal __read_mostly = 0;
 
@@ -64,8 +64,8 @@ int nf_ct_tcp_be_liberal __read_mostly =
    connections. */
 int nf_ct_tcp_loose __read_mostly = 1;
 
-/* Max number of the retransmitted packets without receiving an (acceptable) 
-   ACK from the destination. If this number is reached, a shorter timer 
+/* Max number of the retransmitted packets without receiving an (acceptable)
+   ACK from the destination. If this number is reached, a shorter timer
    will be started. */
 int nf_ct_tcp_max_retrans __read_mostly = 3;
 
@@ -84,7 +84,7 @@ static const char *tcp_conntrack_names[]
 	"CLOSE",
 	"LISTEN"
 };
-  
+
 #define SECS * HZ
 #define MINS * 60 SECS
 #define HOURS * 60 MINS
@@ -100,10 +100,10 @@ static unsigned int nf_ct_tcp_timeout_ti
 static unsigned int nf_ct_tcp_timeout_close __read_mostly =        10 SECS;
 
 /* RFC1122 says the R2 limit should be at least 100 seconds.
-   Linux uses 15 packets as limit, which corresponds 
+   Linux uses 15 packets as limit, which corresponds
    to ~13-30min depending on RTO. */
 static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly =   5 MINS;
- 
+
 static unsigned int * tcp_timeouts[] = {
     NULL,                              /* TCP_CONNTRACK_NONE */
     &nf_ct_tcp_timeout_syn_sent,       /* TCP_CONNTRACK_SYN_SENT, */
@@ -116,7 +116,7 @@ static unsigned int * tcp_timeouts[] = {
     &nf_ct_tcp_timeout_close,          /* TCP_CONNTRACK_CLOSE, */
     NULL,                              /* TCP_CONNTRACK_LISTEN */
  };
- 
+
 #define sNO TCP_CONNTRACK_NONE
 #define sSS TCP_CONNTRACK_SYN_SENT
 #define sSR TCP_CONNTRACK_SYN_RECV
@@ -139,13 +139,13 @@ enum tcp_bit_set {
 	TCP_RST_SET,
 	TCP_NONE_SET,
 };
-  
+
 /*
  * The TCP state transition table needs a few words...
  *
  * We are the man in the middle. All the packets go through us
  * but might get lost in transit to the destination.
- * It is assumed that the destinations can't receive segments 
+ * It is assumed that the destinations can't receive segments
  * we haven't seen.
  *
  * The checked segment is in window, but our windows are *not*
@@ -155,11 +155,11 @@ enum tcp_bit_set {
  * The meaning of the states are:
  *
  * NONE:	initial state
- * SYN_SENT:	SYN-only packet seen 
+ * SYN_SENT:	SYN-only packet seen
  * SYN_RECV:	SYN-ACK packet seen
  * ESTABLISHED:	ACK packet seen
  * FIN_WAIT:	FIN packet seen
- * CLOSE_WAIT:	ACK seen (after FIN) 
+ * CLOSE_WAIT:	ACK seen (after FIN)
  * LAST_ACK:	FIN seen (after FIN)
  * TIME_WAIT:	last ACK seen
  * CLOSE:	closed connection
@@ -167,8 +167,8 @@ enum tcp_bit_set {
  * LISTEN state is not used.
  *
  * Packets marked as IGNORED (sIG):
- *	if they may be either invalid or valid 
- *	and the receiver may send back a connection 
+ *	if they may be either invalid or valid
+ *	and the receiver may send back a connection
  *	closing RST or a SYN/ACK.
  *
  * Packets marked as INVALID (sIV):
@@ -185,7 +185,7 @@ static enum tcp_conntrack tcp_conntracks
  *	sSS -> sSS	Retransmitted SYN
  *	sSR -> sIG	Late retransmitted SYN?
  *	sES -> sIG	Error: SYNs in window outside the SYN_SENT state
- *			are errors. Receiver will reply with RST 
+ *			are errors. Receiver will reply with RST
  *			and close the connection.
  *			Or we are not in sync and hold a dead connection.
  *	sFW -> sIG
@@ -198,10 +198,10 @@ static enum tcp_conntrack tcp_conntracks
 /*synack*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV },
 /*
  * A SYN/ACK from the client is always invalid:
- *	- either it tries to set up a simultaneous open, which is 
+ *	- either it tries to set up a simultaneous open, which is
  *	  not supported;
  *	- or the firewall has just been inserted between the two hosts
- *	  during the session set-up. The SYN will be retransmitted 
+ *	  during the session set-up. The SYN will be retransmitted
  *	  by the true client (or it'll time out).
  */
 /* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI	*/
@@ -213,7 +213,7 @@ static enum tcp_conntrack tcp_conntracks
  *	sSR -> sFW	Close started.
  *	sES -> sFW
  *	sFW -> sLA	FIN seen in both directions, waiting for
- *			the last ACK. 
+ *			the last ACK.
  *			Migth be a retransmitted FIN as well...
  *	sCW -> sLA
  *	sLA -> sLA	Retransmitted FIN. Remain in the same state.
@@ -291,7 +291,7 @@ static enum tcp_conntrack tcp_conntracks
 /* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI	*/
 /*rst*/    { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV },
 /*none*/   { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
-  	}
+	}
 };
 
 static int tcp_pkt_to_tuple(const struct sk_buff *skb,
@@ -352,21 +352,21 @@ static unsigned int get_conntrack_index(
 
 /* TCP connection tracking based on 'Real Stateful TCP Packet Filtering
    in IP Filter' by Guido van Rooij.
-   
+
    http://www.nluug.nl/events/sane2000/papers.html
    http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz
-   
+
    The boundaries and the conditions are changed according to RFC793:
    the packet must intersect the window (i.e. segments may be
    after the right or before the left edge) and thus receivers may ACK
    segments after the right edge of the window.
 
-   	td_maxend = max(sack + max(win,1)) seen in reply packets
+	td_maxend = max(sack + max(win,1)) seen in reply packets
 	td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets
 	td_maxwin += seq + len - sender.td_maxend
 			if seq + len > sender.td_maxend
 	td_end    = max(seq + len) seen in sent packets
-   
+
    I.   Upper bound for valid data:	seq <= sender.td_maxend
    II.  Lower bound for valid data:	seq + len >= sender.td_end - receiver.td_maxwin
    III.	Upper bound for valid ack:      sack <= receiver.td_end
@@ -374,8 +374,8 @@ static unsigned int get_conntrack_index(
 
    where sack is the highest right edge of sack block found in the packet.
 
-   The upper bound limit for a valid ack is not ignored - 
-   we doesn't have to deal with fragments. 
+   The upper bound limit for a valid ack is not ignored -
+   we doesn't have to deal with fragments.
 */
 
 static inline __u32 segment_seq_plus_len(__u32 seq,
@@ -388,19 +388,19 @@ static inline __u32 segment_seq_plus_len
 	return (seq + len - dataoff - tcph->doff*4
 		+ (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0));
 }
-  
+
 /* Fixme: what about big packets? */
 #define MAXACKWINCONST			66000
 #define MAXACKWINDOW(sender)						\
 	((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin	\
 					      : MAXACKWINCONST)
-  
+
 /*
  * Simplified tcp_parse_options routine from tcp_input.c
  */
 static void tcp_options(const struct sk_buff *skb,
 			unsigned int dataoff,
-			struct tcphdr *tcph, 
+			struct tcphdr *tcph,
 			struct ip_ct_tcp_state *state)
 {
 	unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
@@ -414,7 +414,7 @@ static void tcp_options(const struct sk_
 				 length, buff);
 	BUG_ON(ptr == NULL);
 
-	state->td_scale = 
+	state->td_scale =
 	state->flags = 0;
 
 	while (length > 0) {
@@ -434,7 +434,7 @@ static void tcp_options(const struct sk_
 			if (opsize > length)
 				break;	/* don't parse partial options */
 
-			if (opcode == TCPOPT_SACK_PERM 
+			if (opcode == TCPOPT_SACK_PERM
 			    && opsize == TCPOLEN_SACK_PERM)
 				state->flags |= IP_CT_TCP_FLAG_SACK_PERM;
 			else if (opcode == TCPOPT_WINDOW
@@ -457,7 +457,7 @@ static void tcp_options(const struct sk_
 static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
 		     struct tcphdr *tcph, __u32 *sack)
 {
-        unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
+	unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
 	unsigned char *ptr;
 	int length = (tcph->doff*4) - sizeof(struct tcphdr);
 	__u32 tmp;
@@ -472,10 +472,10 @@ static void tcp_sack(const struct sk_buf
 	/* Fast path for timestamp-only option */
 	if (length == TCPOLEN_TSTAMP_ALIGNED*4
 	    && *(__be32 *)ptr ==
-	        __constant_htonl((TCPOPT_NOP << 24)
-	        		 | (TCPOPT_NOP << 16)
-	        		 | (TCPOPT_TIMESTAMP << 8)
-	        		 | TCPOLEN_TIMESTAMP))
+		__constant_htonl((TCPOPT_NOP << 24)
+				 | (TCPOPT_NOP << 16)
+				 | (TCPOPT_TIMESTAMP << 8)
+				 | TCPOLEN_TIMESTAMP))
 		return;
 
 	while (length > 0) {
@@ -495,15 +495,15 @@ static void tcp_sack(const struct sk_buf
 			if (opsize > length)
 				break;	/* don't parse partial options */
 
-			if (opcode == TCPOPT_SACK 
-			    && opsize >= (TCPOLEN_SACK_BASE 
-			    		  + TCPOLEN_SACK_PERBLOCK)
-			    && !((opsize - TCPOLEN_SACK_BASE) 
-			    	 % TCPOLEN_SACK_PERBLOCK)) {
-			    	for (i = 0;
-			    	     i < (opsize - TCPOLEN_SACK_BASE);
-			    	     i += TCPOLEN_SACK_PERBLOCK) {
-				     	tmp = ntohl(*((__be32 *)(ptr+i)+1));
+			if (opcode == TCPOPT_SACK
+			    && opsize >= (TCPOLEN_SACK_BASE
+					  + TCPOLEN_SACK_PERBLOCK)
+			    && !((opsize - TCPOLEN_SACK_BASE)
+				 % TCPOLEN_SACK_PERBLOCK)) {
+				for (i = 0;
+				     i < (opsize - TCPOLEN_SACK_BASE);
+				     i += TCPOLEN_SACK_PERBLOCK) {
+					tmp = ntohl(*((__be32 *)(ptr+i)+1));
 
 					if (after(tmp, *sack))
 						*sack = tmp;
@@ -516,12 +516,12 @@ static void tcp_sack(const struct sk_buf
 	}
 }
 
-static int tcp_in_window(struct ip_ct_tcp *state, 
-                         enum ip_conntrack_dir dir,
-                         unsigned int index,
-                         const struct sk_buff *skb,
+static int tcp_in_window(struct ip_ct_tcp *state,
+			 enum ip_conntrack_dir dir,
+			 unsigned int index,
+			 const struct sk_buff *skb,
 			 unsigned int dataoff,
-                         struct tcphdr *tcph,
+			 struct tcphdr *tcph,
 			 int pf)
 {
 	struct ip_ct_tcp_state *sender = &state->seen[dir];
@@ -543,14 +543,14 @@ static int tcp_in_window(struct ip_ct_tc
 	DEBUGP("tcp_in_window: START\n");
 	DEBUGP("tcp_in_window: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu "
 	       "seq=%u ack=%u sack=%u win=%u end=%u\n",
-		NIPQUAD(iph->saddr), ntohs(tcph->source), 
+		NIPQUAD(iph->saddr), ntohs(tcph->source),
 		NIPQUAD(iph->daddr), ntohs(tcph->dest),
 		seq, ack, sack, win, end);
 	DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
 	       "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
 		sender->td_end, sender->td_maxend, sender->td_maxwin,
-		sender->td_scale, 
-		receiver->td_end, receiver->td_maxend, receiver->td_maxwin, 
+		sender->td_scale,
+		receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
 		receiver->td_scale);
 
 	if (sender->td_end == 0) {
@@ -561,26 +561,26 @@ static int tcp_in_window(struct ip_ct_tc
 			/*
 			 * Outgoing SYN-ACK in reply to a SYN.
 			 */
-			sender->td_end = 
+			sender->td_end =
 			sender->td_maxend = end;
 			sender->td_maxwin = (win == 0 ? 1 : win);
 
 			tcp_options(skb, dataoff, tcph, sender);
-			/* 
+			/*
 			 * RFC 1323:
 			 * Both sides must send the Window Scale option
 			 * to enable window scaling in either direction.
 			 */
 			if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE
 			      && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE))
-				sender->td_scale = 
+				sender->td_scale =
 				receiver->td_scale = 0;
 		} else {
 			/*
 			 * We are in the middle of a connection,
 			 * its history is lost for us.
 			 * Let's try to use the data from the packet.
-		 	 */
+			 */
 			sender->td_end = end;
 			sender->td_maxwin = (win == 0 ? 1 : win);
 			sender->td_maxend = end + sender->td_maxwin;
@@ -592,7 +592,7 @@ static int tcp_in_window(struct ip_ct_tc
 		   && after(end, sender->td_end)) {
 		/*
 		 * RFC 793: "if a TCP is reinitialized ... then it need
-		 * not wait at all; it must only be sure to use sequence 
+		 * not wait at all; it must only be sure to use sequence
 		 * numbers larger than those recently used."
 		 */
 		sender->td_end =
@@ -607,8 +607,8 @@ static int tcp_in_window(struct ip_ct_tc
 		 * If there is no ACK, just pretend it was set and OK.
 		 */
 		ack = sack = receiver->td_end;
-	} else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) == 
-		    (TCP_FLAG_ACK|TCP_FLAG_RST)) 
+	} else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) ==
+		    (TCP_FLAG_ACK|TCP_FLAG_RST))
 		   && (ack == 0)) {
 		/*
 		 * Broken TCP stacks, that set ACK in RST packets as well
@@ -637,21 +637,21 @@ static int tcp_in_window(struct ip_ct_tc
 	DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
 	       "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
 		sender->td_end, sender->td_maxend, sender->td_maxwin,
-		sender->td_scale, 
+		sender->td_scale,
 		receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
 		receiver->td_scale);
 
 	DEBUGP("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
 		before(seq, sender->td_maxend + 1),
 		after(end, sender->td_end - receiver->td_maxwin - 1),
-	    	before(sack, receiver->td_end + 1),
-	    	after(ack, receiver->td_end - MAXACKWINDOW(sender)));
+		before(sack, receiver->td_end + 1),
+		after(ack, receiver->td_end - MAXACKWINDOW(sender)));
 
 	if (before(seq, sender->td_maxend + 1) &&
 	    after(end, sender->td_end - receiver->td_maxwin - 1) &&
 	    before(sack, receiver->td_end + 1) &&
 	    after(ack, receiver->td_end - MAXACKWINDOW(sender))) {
-	    	/*
+		/*
 		 * Take into account window scaling (RFC 1323).
 		 */
 		if (!tcph->syn)
@@ -676,7 +676,7 @@ static int tcp_in_window(struct ip_ct_tc
 				receiver->td_maxend++;
 		}
 
-		/* 
+		/*
 		 * Check retransmissions.
 		 */
 		if (index == TCP_ACK_SET) {
@@ -712,11 +712,11 @@ static int tcp_in_window(struct ip_ct_tc
 			: "ACK is over the upper bound (ACKed data not seen yet)"
 			: "SEQ is under the lower bound (already ACKed data retransmitted)"
 			: "SEQ is over the upper bound (over the window of the receiver)");
-  	}
-  
+	}
+
 	DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u "
 	       "receiver end=%u maxend=%u maxwin=%u\n",
-		res, sender->td_end, sender->td_maxend, sender->td_maxwin, 
+		res, sender->td_end, sender->td_maxend, sender->td_maxwin,
 		receiver->td_end, receiver->td_maxend, receiver->td_maxwin);
 
 	return res;
@@ -727,7 +727,7 @@ #ifdef CONFIG_NF_NAT_NEEDED
 /* Caller must linearize skb at tcp header. */
 void nf_conntrack_tcp_update(struct sk_buff *skb,
 			     unsigned int dataoff,
-			     struct nf_conn *conntrack, 
+			     struct nf_conn *conntrack,
 			     int dir)
 {
 	struct tcphdr *tcph = (void *)skb->data + dataoff;
@@ -750,7 +750,7 @@ #endif
 	DEBUGP("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i "
 	       "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
 		sender->td_end, sender->td_maxend, sender->td_maxwin,
-		sender->td_scale, 
+		sender->td_scale,
 		receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
 		receiver->td_scale);
 }
@@ -804,8 +804,8 @@ static int tcp_error(struct sk_buff *skb
 			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
 				"nf_ct_tcp: short packet ");
 		return -NF_ACCEPT;
-  	}
-  
+	}
+
 	/* Not whole TCP header or malformed packet */
 	if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
 		if (LOG_INVALID(IPPROTO_TCP))
@@ -813,7 +813,7 @@ static int tcp_error(struct sk_buff *skb
 				"nf_ct_tcp: truncated/malformed packet ");
 		return -NF_ACCEPT;
 	}
-  
+
 	/* Checksum invalid? Ignore.
 	 * We skip checking packets on the outgoing path
 	 * because the checksum is assumed to be correct.
@@ -870,28 +870,28 @@ static int tcp_packet(struct nf_conn *co
 		 *
 		 * a) SYN in ORIGINAL
 		 * b) SYN/ACK in REPLY
-		 * c) ACK in reply direction after initial SYN in original. 
+		 * c) ACK in reply direction after initial SYN in original.
 		 */
 		if (index == TCP_SYNACK_SET
 		    && conntrack->proto.tcp.last_index == TCP_SYN_SET
 		    && conntrack->proto.tcp.last_dir != dir
 		    && ntohl(th->ack_seq) ==
-		    	     conntrack->proto.tcp.last_end) {
-			/* This SYN/ACK acknowledges a SYN that we earlier 
+			     conntrack->proto.tcp.last_end) {
+			/* This SYN/ACK acknowledges a SYN that we earlier
 			 * ignored as invalid. This means that the client and
 			 * the server are both in sync, while the firewall is
 			 * not. We kill this session and block the SYN/ACK so
-			 * that the client cannot but retransmit its SYN and 
+			 * that the client cannot but retransmit its SYN and
 			 * thus initiate a clean new session.
 			 */
-		    	write_unlock_bh(&tcp_lock);
+			write_unlock_bh(&tcp_lock);
 			if (LOG_INVALID(IPPROTO_TCP))
 				nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
 					  "nf_ct_tcp: killing out of sync session ");
-		    	if (del_timer(&conntrack->timeout))
-		    		conntrack->timeout.function((unsigned long)
-		    					    conntrack);
-		    	return -NF_DROP;
+			if (del_timer(&conntrack->timeout))
+				conntrack->timeout.function((unsigned long)
+							    conntrack);
+			return -NF_DROP;
 		}
 		conntrack->proto.tcp.last_index = index;
 		conntrack->proto.tcp.last_dir = dir;
@@ -921,13 +921,13 @@ static int tcp_packet(struct nf_conn *co
 			IP_CT_TCP_FLAG_CLOSE_INIT)
 		    || after(ntohl(th->seq),
 			     conntrack->proto.tcp.seen[dir].td_end)) {
-		    	/* Attempt to reopen a closed connection.
-		    	* Delete this connection and look up again. */
-		    	write_unlock_bh(&tcp_lock);
-		    	if (del_timer(&conntrack->timeout))
-		    		conntrack->timeout.function((unsigned long)
-		    					    conntrack);
-		    	return -NF_REPEAT;
+			/* Attempt to reopen a closed connection.
+			* Delete this connection and look up again. */
+			write_unlock_bh(&tcp_lock);
+			if (del_timer(&conntrack->timeout))
+				conntrack->timeout.function((unsigned long)
+							    conntrack);
+			return -NF_REPEAT;
 		} else {
 			write_unlock_bh(&tcp_lock);
 			if (LOG_INVALID(IPPROTO_TCP))
@@ -938,9 +938,9 @@ static int tcp_packet(struct nf_conn *co
 	case TCP_CONNTRACK_CLOSE:
 		if (index == TCP_RST_SET
 		    && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
-		         && conntrack->proto.tcp.last_index == TCP_SYN_SET)
-		        || (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
-		            && conntrack->proto.tcp.last_index == TCP_ACK_SET))
+			 && conntrack->proto.tcp.last_index == TCP_SYN_SET)
+			|| (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
+			    && conntrack->proto.tcp.last_index == TCP_ACK_SET))
 		    && ntohl(th->ack_seq) == conntrack->proto.tcp.last_end) {
 			/* RST sent to invalid SYN or ACK we had let through
 			 * at a) and c) above:
@@ -1005,8 +1005,8 @@ static int tcp_packet(struct nf_conn *co
 		   && (old_state == TCP_CONNTRACK_SYN_RECV
 		       || old_state == TCP_CONNTRACK_ESTABLISHED)
 		   && new_state == TCP_CONNTRACK_ESTABLISHED) {
-		/* Set ASSURED if we see see valid ack in ESTABLISHED 
-		   after SYN_RECV or a valid answer for a picked up 
+		/* Set ASSURED if we see see valid ack in ESTABLISHED
+		   after SYN_RECV or a valid answer for a picked up
 		   connection. */
 		set_bit(IPS_ASSURED_BIT, &conntrack->status);
 		nf_conntrack_event_cache(IPCT_STATUS, skb);
@@ -1015,7 +1015,7 @@ static int tcp_packet(struct nf_conn *co
 
 	return NF_ACCEPT;
 }
- 
+
 /* Called when a new connection for this protocol found. */
 static int tcp_new(struct nf_conn *conntrack,
 		   const struct sk_buff *skb,
@@ -1071,7 +1071,7 @@ #endif
 		if (conntrack->proto.tcp.seen[0].td_maxwin == 0)
 			conntrack->proto.tcp.seen[0].td_maxwin = 1;
 		conntrack->proto.tcp.seen[0].td_maxend =
-			conntrack->proto.tcp.seen[0].td_end + 
+			conntrack->proto.tcp.seen[0].td_end +
 			conntrack->proto.tcp.seen[0].td_maxwin;
 		conntrack->proto.tcp.seen[0].td_scale = 0;
 
@@ -1081,20 +1081,20 @@ #endif
 		conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM |
 						     IP_CT_TCP_FLAG_BE_LIBERAL;
 	}
-    
+
 	conntrack->proto.tcp.seen[1].td_end = 0;
 	conntrack->proto.tcp.seen[1].td_maxend = 0;
 	conntrack->proto.tcp.seen[1].td_maxwin = 1;
-	conntrack->proto.tcp.seen[1].td_scale = 0;      
+	conntrack->proto.tcp.seen[1].td_scale = 0;
 
 	/* tcp_packet will set them */
 	conntrack->proto.tcp.state = TCP_CONNTRACK_NONE;
 	conntrack->proto.tcp.last_index = TCP_NONE_SET;
-	 
+
 	DEBUGP("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
 	       "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
 		sender->td_end, sender->td_maxend, sender->td_maxwin,
-		sender->td_scale, 
+		sender->td_scale,
 		receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
 		receiver->td_scale);
 	return 1;
@@ -1110,7 +1110,7 @@ static int tcp_to_nfattr(struct sk_buff 
 			 const struct nf_conn *ct)
 {
 	struct nfattr *nest_parms;
-	
+
 	read_lock_bh(&tcp_lock);
 	nest_parms = NFA_NEST(skb, CTA_PROTOINFO_TCP);
 	NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t),
@@ -1140,7 +1140,7 @@ static int nfattr_to_tcp(struct nfattr *
 	if (!attr)
 		return 0;
 
-        nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr);
+	nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr);
 
 	if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp))
 		return -EINVAL;
@@ -1149,7 +1149,7 @@ static int nfattr_to_tcp(struct nfattr *
 		return -EINVAL;
 
 	write_lock_bh(&tcp_lock);
-	ct->proto.tcp.state = 
+	ct->proto.tcp.state =
 		*(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]);
 	write_unlock_bh(&tcp_lock);
 
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 9dec115..7aaa8c9 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -341,7 +341,7 @@ int ct_sip_get_info(struct nf_conn *ct,
 			continue;
 		}
 		aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
-		                    ct_sip_lnlen(dptr, limit),
+				    ct_sip_lnlen(dptr, limit),
 				    hnfo->case_sensitive);
 		if (!aux) {
 			DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str,
@@ -451,12 +451,12 @@ static int sip_help(struct sk_buff **psk
 
 		/* We'll drop only if there are parse problems. */
 		if (!parse_addr(ct, dptr + matchoff, NULL, &addr,
-			        dptr + datalen)) {
+				dptr + datalen)) {
 			ret = NF_DROP;
 			goto out;
 		}
 		if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen,
-		                    POS_MEDIA) > 0) {
+				    POS_MEDIA) > 0) {
 
 			port = simple_strtoul(dptr + matchoff, NULL, 10);
 			if (port < 1024) {
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index f1cb60f..7661246 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -472,7 +472,7 @@ #endif /* CNFIG_PROC_FS */
 static void __exit nf_conntrack_standalone_fini(void)
 {
 #ifdef CONFIG_SYSCTL
- 	unregister_sysctl_table(nf_ct_sysctl_header);
+	unregister_sysctl_table(nf_ct_sysctl_header);
 #endif
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("nf_conntrack", proc_net_stat);
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index f5bffe2..37c4542 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -31,7 +31,7 @@ MODULE_PARM_DESC(ports, "Port numbers of
 
 #if 0
 #define DEBUGP(format, args...) printk("%s:%s:" format, \
-                                       __FILE__, __FUNCTION__ , ## args)
+				       __FILE__, __FUNCTION__ , ## args)
 #else
 #define DEBUGP(format, args...)
 #endif
diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
index a981971..0df7fff 100644
--- a/net/netfilter/nf_internals.h
+++ b/net/netfilter/nf_internals.h
@@ -24,7 +24,7 @@ extern unsigned int nf_iterate(struct li
 
 /* nf_queue.c */
 extern int nf_queue(struct sk_buff *skb,
-		    struct list_head *elem, 
+		    struct list_head *elem,
 		    int pf, unsigned int hook,
 		    struct net_device *indev,
 		    struct net_device *outdev,
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 0db2fd8..90a1d74 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -41,7 +41,7 @@ int nf_log_register(int pf, struct nf_lo
 
 	mutex_unlock(&nf_log_mutex);
 	return ret;
-}		
+}
 EXPORT_SYMBOL(nf_log_register);
 
 void nf_log_unregister_pf(int pf)
@@ -83,7 +83,7 @@ void nf_log_packet(int pf,
 	va_list args;
 	char prefix[NF_LOG_PREFIXLEN];
 	struct nf_logger *logger;
-	
+
 	rcu_read_lock();
 	logger = rcu_dereference(nf_loggers[pf]);
 	if (logger) {
@@ -136,7 +136,7 @@ static int seq_show(struct seq_file *s, 
 
 	if (!logger)
 		return seq_printf(s, "%2lld NONE\n", *pos);
-	
+
 	return seq_printf(s, "%2lld %s\n", *pos, logger->name);
 }
 
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 4d8936e..fb467b4 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -10,7 +10,7 @@ #include <net/protocol.h>
 
 #include "nf_internals.h"
 
-/* 
+/*
  * A queue handler may be registered for each protocol.  Each is protected by
  * long term mutex.  The handler must provide an an outfn() to accept packets
  * for queueing and must reinject all packets it receives, no matter what.
@@ -22,7 +22,7 @@ static DEFINE_RWLOCK(queue_handler_lock)
 /* return EBUSY when somebody else is registered, return EEXIST if the
  * same handler is registered, return 0 in case of success. */
 int nf_register_queue_handler(int pf, struct nf_queue_handler *qh)
-{      
+{
 	int ret;
 
 	if (pf >= NPROTO)
@@ -52,7 +52,7 @@ int nf_unregister_queue_handler(int pf)
 	write_lock_bh(&queue_handler_lock);
 	queue_handler[pf] = NULL;
 	write_unlock_bh(&queue_handler_lock);
-	
+
 	return 0;
 }
 EXPORT_SYMBOL(nf_unregister_queue_handler);
@@ -70,8 +70,8 @@ void nf_unregister_queue_handlers(struct
 }
 EXPORT_SYMBOL_GPL(nf_unregister_queue_handlers);
 
-/* 
- * Any packet that leaves via this function must come back 
+/*
+ * Any packet that leaves via this function must come back
  * through nf_reinject().
  */
 static int __nf_queue(struct sk_buff *skb,
@@ -115,7 +115,7 @@ #endif
 		return 1;
 	}
 
-	*info = (struct nf_info) { 
+	*info = (struct nf_info) {
 		(struct nf_hook_ops *)elem, pf, hook, indev, outdev, okfn };
 
 	/* If it's going away, ignore hook. */
@@ -226,10 +226,10 @@ #endif
 	module_put(info->elem->owner);
 
 	list_for_each_rcu(i, &nf_hooks[info->pf][info->hook]) {
-		if (i == elem) 
-  			break;
-  	}
-  
+		if (i == elem)
+			break;
+	}
+
 	if (i == &nf_hooks[info->pf][info->hook]) {
 		/* The module which sent it to userspace is gone. */
 		NFDEBUG("%s: module disappeared, dropping packet.\n",
@@ -252,7 +252,7 @@ #endif
 	if (verdict == NF_ACCEPT) {
 	next_hook:
 		verdict = nf_iterate(&nf_hooks[info->pf][info->hook],
-				     &skb, info->hook, 
+				     &skb, info->hook,
 				     info->indev, info->outdev, &elem,
 				     info->okfn, INT_MIN);
 	}
diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
index c2e44e9..8b8ece7 100644
--- a/net/netfilter/nf_sockopt.c
+++ b/net/netfilter/nf_sockopt.c
@@ -32,13 +32,13 @@ int nf_register_sockopt(struct nf_sockop
 	list_for_each(i, &nf_sockopts) {
 		struct nf_sockopt_ops *ops = (struct nf_sockopt_ops *)i;
 		if (ops->pf == reg->pf
-		    && (overlap(ops->set_optmin, ops->set_optmax, 
+		    && (overlap(ops->set_optmin, ops->set_optmax,
 				reg->set_optmin, reg->set_optmax)
-			|| overlap(ops->get_optmin, ops->get_optmax, 
+			|| overlap(ops->get_optmin, ops->get_optmax,
 				   reg->get_optmin, reg->get_optmax))) {
 			NFDEBUG("nf_sock overlap: %u-%u/%u-%u v %u-%u/%u-%u\n",
-				ops->set_optmin, ops->set_optmax, 
-				ops->get_optmin, ops->get_optmax, 
+				ops->set_optmin, ops->set_optmax,
+				ops->get_optmin, ops->get_optmax,
 				reg->set_optmin, reg->set_optmax,
 				reg->get_optmin, reg->get_optmax);
 			ret = -EBUSY;
@@ -73,7 +73,7 @@ void nf_unregister_sockopt(struct nf_soc
 EXPORT_SYMBOL(nf_unregister_sockopt);
 
 /* Call get/setsockopt() */
-static int nf_sockopt(struct sock *sk, int pf, int val, 
+static int nf_sockopt(struct sock *sk, int pf, int val,
 		      char __user *opt, int *len, int get)
 {
 	struct list_head *i;
@@ -107,7 +107,7 @@ static int nf_sockopt(struct sock *sk, i
 	}
 	mutex_unlock(&nf_sockopt_mutex);
 	return -ENOPROTOOPT;
-	
+
  out:
 	mutex_lock(&nf_sockopt_mutex);
 	ops->use--;
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 52fdfa2..f42bb13 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -105,7 +105,7 @@ static inline struct nfnl_callback *
 nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss)
 {
 	u_int8_t cb_id = NFNL_MSG_TYPE(type);
-	
+
 	if (cb_id >= ss->cb_count) {
 		DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count);
 		return NULL;
@@ -187,7 +187,7 @@ nfnetlink_check_attributes(struct nfnetl
 	/* implicit: if nlmsg_len == min_len, we return 0, and an empty
 	 * (zeroed) cda[] array. The message is valid, but empty. */
 
-        return 0;
+	return 0;
 }
 
 int nfnetlink_has_listeners(unsigned int group)
@@ -268,12 +268,12 @@ #endif
 	}
 
 	{
-		u_int16_t attr_count = 
+		u_int16_t attr_count =
 			ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count;
 		struct nfattr *cda[attr_count];
 
 		memset(cda, 0, sizeof(struct nfattr *) * attr_count);
-		
+
 		err = nfnetlink_check_attributes(ss, nlh, cda);
 		if (err < 0)
 			goto err_inval;
@@ -357,7 +357,7 @@ static int __init nfnetlink_init(void)
 	printk("Netfilter messages via NETLINK v%s.\n", nfversion);
 
 	nfnl = netlink_kernel_create(NETLINK_NETFILTER, NFNLGRP_MAX,
-	                             nfnetlink_rcv, THIS_MODULE);
+				     nfnetlink_rcv, THIS_MODULE);
 	if (!nfnl) {
 		printk(KERN_ERR "cannot initialize nfnetlink!\n");
 		return -1;
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 6511bb0..f2298a6 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -75,7 +75,7 @@ struct nfulnl_instance {
 	u_int32_t seq;			/* instance-local sequential counter */
 	u_int16_t group_num;		/* number of this queue */
 	u_int16_t flags;
-	u_int8_t copy_mode;	
+	u_int8_t copy_mode;
 };
 
 static DEFINE_RWLOCK(instances_lock);
@@ -146,7 +146,7 @@ instance_create(u_int16_t group_num, int
 	UDEBUG("entering (group_num=%u, pid=%d)\n", group_num,
 		pid);
 
-	write_lock_bh(&instances_lock);	
+	write_lock_bh(&instances_lock);
 	if (__instance_lookup(group_num)) {
 		inst = NULL;
 		UDEBUG("aborting, instance already exists\n");
@@ -179,10 +179,10 @@ instance_create(u_int16_t group_num, int
 	if (!try_module_get(THIS_MODULE))
 		goto out_free;
 
-	hlist_add_head(&inst->hlist, 
+	hlist_add_head(&inst->hlist,
 		       &instance_table[instance_hashfn(group_num)]);
 
-	UDEBUG("newly added node: %p, next=%p\n", &inst->hlist, 
+	UDEBUG("newly added node: %p, next=%p\n", &inst->hlist,
 		inst->hlist.next);
 
 	write_unlock_bh(&instances_lock);
@@ -251,14 +251,14 @@ nfulnl_set_mode(struct nfulnl_instance *
 	int status = 0;
 
 	spin_lock_bh(&inst->lock);
-	
+
 	switch (mode) {
 	case NFULNL_COPY_NONE:
 	case NFULNL_COPY_META:
 		inst->copy_mode = mode;
 		inst->copy_range = 0;
 		break;
-		
+
 	case NFULNL_COPY_PACKET:
 		inst->copy_mode = mode;
 		/* we're using struct nfattr which has 16bit nfa_len */
@@ -267,7 +267,7 @@ nfulnl_set_mode(struct nfulnl_instance *
 		else
 			inst->copy_range = range;
 		break;
-		
+
 	default:
 		status = -EINVAL;
 		break;
@@ -327,7 +327,7 @@ nfulnl_set_flags(struct nfulnl_instance 
 	return 0;
 }
 
-static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size, 
+static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size,
 					unsigned int pkt_size)
 {
 	struct sk_buff *skb;
@@ -387,7 +387,7 @@ __nfulnl_send(struct nfulnl_instance *in
 
 static void nfulnl_timer(unsigned long data)
 {
-	struct nfulnl_instance *inst = (struct nfulnl_instance *)data; 
+	struct nfulnl_instance *inst = (struct nfulnl_instance *)data;
 
 	UDEBUG("timer function called, flushing buffer\n");
 
@@ -399,9 +399,9 @@ static void nfulnl_timer(unsigned long d
 
 /* This is an inline function, we don't really care about a long
  * list of arguments */
-static inline int 
+static inline int
 __build_packet_message(struct nfulnl_instance *inst,
-			const struct sk_buff *skb, 
+			const struct sk_buff *skb,
 			unsigned int data_len,
 			unsigned int pf,
 			unsigned int hooknum,
@@ -417,9 +417,9 @@ __build_packet_message(struct nfulnl_ins
 	__be32 tmp_uint;
 
 	UDEBUG("entered\n");
-		
+
 	old_tail = inst->skb->tail;
-	nlh = NLMSG_PUT(inst->skb, 0, 0, 
+	nlh = NLMSG_PUT(inst->skb, 0, 0,
 			NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
 			sizeof(struct nfgenmsg));
 	nfmsg = NLMSG_DATA(nlh);
@@ -457,7 +457,7 @@ #else
 			NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV,
 				sizeof(tmp_uint), &tmp_uint);
 			if (skb->nf_bridge && skb->nf_bridge->physindev) {
-				tmp_uint = 
+				tmp_uint =
 				    htonl(skb->nf_bridge->physindev->ifindex);
 				NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV,
 					sizeof(tmp_uint), &tmp_uint);
@@ -488,7 +488,7 @@ #else
 			NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
 				sizeof(tmp_uint), &tmp_uint);
 			if (skb->nf_bridge) {
-				tmp_uint = 
+				tmp_uint =
 				    htonl(skb->nf_bridge->physoutdev->ifindex);
 				NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
 					sizeof(tmp_uint), &tmp_uint);
@@ -558,7 +558,7 @@ #endif
 		if (skb_copy_bits(skb, 0, NFA_DATA(nfa), data_len))
 			BUG();
 	}
-		
+
 	nlh->nlmsg_len = inst->skb->tail - old_tail;
 	return 0;
 
@@ -599,7 +599,7 @@ nfulnl_log_packet(unsigned int pf,
 	unsigned int nlbufsiz;
 	unsigned int plen;
 
-	if (li_user && li_user->type == NF_LOG_TYPE_ULOG) 
+	if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
 		li = li_user;
 	else
 		li = &default_loginfo;
@@ -648,24 +648,24 @@ #endif
 	/* per-rule qthreshold overrides per-instance */
 	if (qthreshold > li->u.ulog.qthreshold)
 		qthreshold = li->u.ulog.qthreshold;
-	
+
 	switch (inst->copy_mode) {
 	case NFULNL_COPY_META:
 	case NFULNL_COPY_NONE:
 		data_len = 0;
 		break;
-	
+
 	case NFULNL_COPY_PACKET:
-		if (inst->copy_range == 0 
+		if (inst->copy_range == 0
 		    || inst->copy_range > skb->len)
 			data_len = skb->len;
 		else
 			data_len = inst->copy_range;
-		
+
 		size += NFA_SPACE(data_len);
 		UDEBUG("copy_packet, therefore size now %u\n", size);
 		break;
-	
+
 	default:
 		spin_unlock_bh(&inst->lock);
 		instance_put(inst);
@@ -991,9 +991,9 @@ static int seq_show(struct seq_file *s, 
 {
 	const struct nfulnl_instance *inst = v;
 
-	return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n", 
+	return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n",
 			  inst->group_num,
-			  inst->peer_pid, inst->qlen, 
+			  inst->peer_pid, inst->qlen,
 			  inst->copy_mode, inst->copy_range,
 			  inst->flushtimeout, atomic_read(&inst->use));
 }
@@ -1041,10 +1041,10 @@ static int __init nfnetlink_log_init(voi
 #ifdef CONFIG_PROC_FS
 	struct proc_dir_entry *proc_nful;
 #endif
-	
+
 	for (i = 0; i < INSTANCE_BUCKETS; i++)
 		INIT_HLIST_HEAD(&instance_table[i]);
-	
+
 	/* it's not really all that important to have a random value, so
 	 * we can do this from the init function, even if there hasn't
 	 * been that much entropy yet */
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index a88a017..2ea362c 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -129,7 +129,7 @@ instance_create(u_int16_t queue_num, int
 
 	QDEBUG("entering for queue_num=%u, pid=%d\n", queue_num, pid);
 
-	write_lock_bh(&instances_lock);	
+	write_lock_bh(&instances_lock);
 	if (__instance_lookup(queue_num)) {
 		inst = NULL;
 		QDEBUG("aborting, instance already exists\n");
@@ -154,7 +154,7 @@ instance_create(u_int16_t queue_num, int
 	if (!try_module_get(THIS_MODULE))
 		goto out_free;
 
-	hlist_add_head(&inst->hlist, 
+	hlist_add_head(&inst->hlist,
 		       &instance_table[instance_hashfn(queue_num)]);
 
 	write_unlock_bh(&instances_lock);
@@ -239,14 +239,14 @@ __enqueue_entry(struct nfqnl_instance *q
  * entry if cmpfn is NULL.
  */
 static inline struct nfqnl_queue_entry *
-__find_entry(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, 
+__find_entry(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn,
 		   unsigned long data)
 {
 	struct list_head *p;
 
 	list_for_each_prev(p, &queue->queue_list) {
 		struct nfqnl_queue_entry *entry = (struct nfqnl_queue_entry *)p;
-		
+
 		if (!cmpfn || cmpfn(entry, data))
 			return entry;
 	}
@@ -279,7 +279,7 @@ static inline void
 __nfqnl_flush(struct nfqnl_instance *queue, int verdict)
 {
 	struct nfqnl_queue_entry *entry;
-	
+
 	while ((entry = __find_dequeue_entry(queue, NULL, 0)))
 		issue_verdict(entry, verdict);
 }
@@ -289,14 +289,14 @@ __nfqnl_set_mode(struct nfqnl_instance *
 		 unsigned char mode, unsigned int range)
 {
 	int status = 0;
-	
+
 	switch (mode) {
 	case NFQNL_COPY_NONE:
 	case NFQNL_COPY_META:
 		queue->copy_mode = mode;
 		queue->copy_range = 0;
 		break;
-		
+
 	case NFQNL_COPY_PACKET:
 		queue->copy_mode = mode;
 		/* we're using struct nfattr which has 16bit nfa_len */
@@ -305,7 +305,7 @@ __nfqnl_set_mode(struct nfqnl_instance *
 		else
 			queue->copy_range = range;
 		break;
-		
+
 	default:
 		status = -EINVAL;
 
@@ -318,7 +318,7 @@ find_dequeue_entry(struct nfqnl_instance
 			 nfqnl_cmpfn cmpfn, unsigned long data)
 {
 	struct nfqnl_queue_entry *entry;
-	
+
 	spin_lock_bh(&queue->lock);
 	entry = __find_dequeue_entry(queue, cmpfn, data);
 	spin_unlock_bh(&queue->lock);
@@ -369,13 +369,13 @@ #endif
 	outdev = entinf->outdev;
 
 	spin_lock_bh(&queue->lock);
-	
+
 	switch (queue->copy_mode) {
 	case NFQNL_COPY_META:
 	case NFQNL_COPY_NONE:
 		data_len = 0;
 		break;
-	
+
 	case NFQNL_COPY_PACKET:
 		if ((entskb->ip_summed == CHECKSUM_PARTIAL ||
 		     entskb->ip_summed == CHECKSUM_COMPLETE) &&
@@ -383,15 +383,15 @@ #endif
 			spin_unlock_bh(&queue->lock);
 			return NULL;
 		}
-		if (queue->copy_range == 0 
+		if (queue->copy_range == 0
 		    || queue->copy_range > entskb->len)
 			data_len = entskb->len;
 		else
 			data_len = queue->copy_range;
-		
+
 		size += NFA_SPACE(data_len);
 		break;
-	
+
 	default:
 		*errp = -EINVAL;
 		spin_unlock_bh(&queue->lock);
@@ -403,9 +403,9 @@ #endif
 	skb = alloc_skb(size, GFP_ATOMIC);
 	if (!skb)
 		goto nlmsg_failure;
-		
+
 	old_tail= skb->tail;
-	nlh = NLMSG_PUT(skb, 0, 0, 
+	nlh = NLMSG_PUT(skb, 0, 0,
 			NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET,
 			sizeof(struct nfgenmsg));
 	nfmsg = NLMSG_DATA(nlh);
@@ -427,9 +427,9 @@ #ifndef CONFIG_BRIDGE_NETFILTER
 #else
 		if (entinf->pf == PF_BRIDGE) {
 			/* Case 1: indev is physical input device, we need to
-			 * look for bridge group (when called from 
+			 * look for bridge group (when called from
 			 * netfilter_bridge) */
-			NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint), 
+			NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint),
 				&tmp_uint);
 			/* this is the bridge group "brX" */
 			tmp_uint = htonl(indev->br_port->br->dev->ifindex);
@@ -457,7 +457,7 @@ #ifndef CONFIG_BRIDGE_NETFILTER
 #else
 		if (entinf->pf == PF_BRIDGE) {
 			/* Case 1: outdev is physical output device, we need to
-			 * look for bridge group (when called from 
+			 * look for bridge group (when called from
 			 * netfilter_bridge) */
 			NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint),
 				&tmp_uint);
@@ -490,7 +490,7 @@ #endif
 		struct nfqnl_msg_packet_hw phw;
 
 		int len = entskb->dev->hard_header_parse(entskb,
-			                                   phw.hw_addr);
+							   phw.hw_addr);
 		phw.hw_addrlen = htons(len);
 		NFA_PUT(skb, NFQA_HWADDR, sizeof(phw), &phw);
 	}
@@ -520,7 +520,7 @@ #endif
 		if (skb_copy_bits(entskb, 0, NFA_DATA(nfa), data_len))
 			BUG();
 	}
-		
+
 	nlh->nlmsg_len = skb->tail - old_tail;
 	return skb;
 
@@ -535,7 +535,7 @@ nfattr_failure:
 }
 
 static int
-nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info, 
+nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
 		     unsigned int queuenum, void *data)
 {
 	int status = -EINVAL;
@@ -560,7 +560,7 @@ nfqnl_enqueue_packet(struct sk_buff *skb
 	entry = kmalloc(sizeof(*entry), GFP_ATOMIC);
 	if (entry == NULL) {
 		if (net_ratelimit())
-			printk(KERN_ERR 
+			printk(KERN_ERR
 				"nf_queue: OOM in nfqnl_enqueue_packet()\n");
 		status = -ENOMEM;
 		goto err_out_put;
@@ -573,18 +573,18 @@ nfqnl_enqueue_packet(struct sk_buff *skb
 	nskb = nfqnl_build_packet_message(queue, entry, &status);
 	if (nskb == NULL)
 		goto err_out_free;
-		
+
 	spin_lock_bh(&queue->lock);
-	
+
 	if (!queue->peer_pid)
-		goto err_out_free_nskb; 
+		goto err_out_free_nskb;
 
 	if (queue->queue_total >= queue->queue_maxlen) {
-                queue->queue_dropped++;
+		queue->queue_dropped++;
 		status = -ENOSPC;
 		if (net_ratelimit())
-		          printk(KERN_WARNING "nf_queue: full at %d entries, "
-				 "dropping packets(s). Dropped: %d\n", 
+			  printk(KERN_WARNING "nf_queue: full at %d entries, "
+				 "dropping packets(s). Dropped: %d\n",
 				 queue->queue_total, queue->queue_dropped);
 		goto err_out_free_nskb;
 	}
@@ -592,7 +592,7 @@ nfqnl_enqueue_packet(struct sk_buff *skb
 	/* nfnetlink_unicast will either free the nskb or add it to a socket */
 	status = nfnetlink_unicast(nskb, queue->peer_pid, MSG_DONTWAIT);
 	if (status < 0) {
-	        queue->queue_user_dropped++;
+		queue->queue_user_dropped++;
 		goto err_out_unlock;
 	}
 
@@ -603,8 +603,8 @@ nfqnl_enqueue_packet(struct sk_buff *skb
 	return status;
 
 err_out_free_nskb:
-	kfree_skb(nskb); 
-	
+	kfree_skb(nskb);
+
 err_out_unlock:
 	spin_unlock_bh(&queue->lock);
 
@@ -629,11 +629,11 @@ nfqnl_mangle(void *data, int data_len, s
 			return -EINVAL;
 		if (diff > skb_tailroom(e->skb)) {
 			struct sk_buff *newskb;
-			
+
 			newskb = skb_copy_expand(e->skb,
-			                         skb_headroom(e->skb),
-			                         diff,
-			                         GFP_ATOMIC);
+						 skb_headroom(e->skb),
+						 diff,
+						 GFP_ATOMIC);
 			if (newskb == NULL) {
 				printk(KERN_WARNING "nf_queue: OOM "
 				      "in mangle, dropping packet\n");
@@ -676,7 +676,7 @@ static int
 dev_cmp(struct nfqnl_queue_entry *entry, unsigned long ifindex)
 {
 	struct nf_info *entinf = entry->info;
-	
+
 	if (entinf->indev)
 		if (entinf->indev->ifindex == ifindex)
 			return 1;
@@ -702,7 +702,7 @@ static void
 nfqnl_dev_drop(int ifindex)
 {
 	int i;
-	
+
 	QDEBUG("entering for ifindex %u\n", ifindex);
 
 	/* this only looks like we have to hold the readlock for a way too long
@@ -717,7 +717,7 @@ nfqnl_dev_drop(int ifindex)
 
 		hlist_for_each_entry(inst, tmp, head, hlist) {
 			struct nfqnl_queue_entry *entry;
-			while ((entry = find_dequeue_entry(inst, dev_cmp, 
+			while ((entry = find_dequeue_entry(inst, dev_cmp,
 							   ifindex)) != NULL)
 				issue_verdict(entry, NF_DROP);
 		}
@@ -835,8 +835,8 @@ nfqnl_recv_verdict(struct sock *ctnl, st
 
 	if (nfqa[NFQA_MARK-1])
 		entry->skb->mark = ntohl(*(__be32 *)
-		                         NFA_DATA(nfqa[NFQA_MARK-1]));
-		
+					 NFA_DATA(nfqa[NFQA_MARK-1]));
+
 	issue_verdict(entry, verdict);
 	instance_put(queue);
 	return 0;
@@ -1093,7 +1093,7 @@ static int __init nfnetlink_queue_init(v
 #ifdef CONFIG_PROC_FS
 	struct proc_dir_entry *proc_nfqueue;
 #endif
-	
+
 	for (i = 0; i < INSTANCE_BUCKETS; i++)
 		INIT_HLIST_HEAD(&instance_table[i]);
 
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 8996584..6d04e35 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -305,7 +305,7 @@ int xt_find_revision(int af, const char 
 EXPORT_SYMBOL_GPL(xt_find_revision);
 
 int xt_check_match(const struct xt_match *match, unsigned short family,
-                   unsigned int size, const char *table, unsigned int hook_mask,
+		   unsigned int size, const char *table, unsigned int hook_mask,
 		   unsigned short proto, int inv_proto)
 {
 	if (XT_ALIGN(match->matchsize) != size) {
@@ -377,7 +377,7 @@ int xt_compat_match_to_user(struct xt_en
 
 	if (copy_to_user(cm, m, sizeof(*cm)) ||
 	    put_user(msize, &cm->u.user.match_size))
-	    	return -EFAULT;
+		return -EFAULT;
 
 	if (match->compat_to_user) {
 		if (match->compat_to_user((void __user *)cm->data, m->data))
@@ -432,7 +432,7 @@ int xt_compat_target_offset(struct xt_ta
 EXPORT_SYMBOL_GPL(xt_compat_target_offset);
 
 void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
-			        int *size)
+				int *size)
 {
 	struct xt_target *target = t->u.kernel.target;
 	struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
@@ -467,7 +467,7 @@ int xt_compat_target_to_user(struct xt_e
 
 	if (copy_to_user(ct, t, sizeof(*ct)) ||
 	    put_user(tsize, &ct->u.user.target_size))
-	    	return -EFAULT;
+		return -EFAULT;
 
 	if (target->compat_to_user) {
 		if (target->compat_to_user((void __user *)ct->data, t->data))
@@ -710,7 +710,7 @@ static void *xt_tgt_seq_start(struct seq
 
 	if (mutex_lock_interruptible(&xt[af].mutex) != 0)
 		return NULL;
-	
+
 	return xt_get_idx(list, seq, *pos);
 }
 
@@ -723,7 +723,7 @@ static void *xt_tgt_seq_next(struct seq_
 
 	if (af >= NPROTO)
 		return NULL;
-	
+
 	list = type2list(af, type);
 	if (!list)
 		return NULL;
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 4007bbe..3088483 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -48,7 +48,7 @@ static struct xt_target xt_classify_targ
 		.table		= "mangle",
 		.hooks		= (1 << NF_IP_LOCAL_OUT) |
 				  (1 << NF_IP_FORWARD) |
-			          (1 << NF_IP_POST_ROUTING),
+				  (1 << NF_IP_POST_ROUTING),
 		.me 		= THIS_MODULE,
 	},
 	{
@@ -59,7 +59,7 @@ static struct xt_target xt_classify_targ
 		.table		= "mangle",
 		.hooks		= (1 << NF_IP6_LOCAL_OUT) |
 				  (1 << NF_IP6_FORWARD) |
-			          (1 << NF_IP6_POST_ROUTING),
+				  (1 << NF_IP6_POST_ROUTING),
 		.me 		= THIS_MODULE,
 	},
 };
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
index cfc45af..4381780 100644
--- a/net/netfilter/xt_MARK.c
+++ b/net/netfilter/xt_MARK.c
@@ -50,11 +50,11 @@ target_v1(struct sk_buff **pskb,
 	case XT_MARK_SET:
 		mark = markinfo->mark;
 		break;
-		
+
 	case XT_MARK_AND:
 		mark = (*pskb)->mark & markinfo->mark;
 		break;
-		
+
 	case XT_MARK_OR:
 		mark = (*pskb)->mark | markinfo->mark;
 		break;
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 39e1175..201155b 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -3,9 +3,9 @@
  * (C) 2005 by Harald Welte <laforge@netfilter.org>
  *
  * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as 
+ * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
- * 
+ *
  */
 
 #include <linux/module.h>
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index 6d00dca..b874a20 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -22,8 +22,8 @@ target(struct sk_buff **pskb,
 	if ((*pskb)->nfct != NULL)
 		return XT_CONTINUE;
 
-	/* Attach fake conntrack entry. 
-	   If there is a real ct entry correspondig to this packet, 
+	/* Attach fake conntrack entry.
+	   If there is a real ct entry correspondig to this packet,
 	   it'll hang aroun till timing out. We don't deal with it
 	   for performance reasons. JK */
 	nf_ct_untrack(*pskb);
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index f1131c3..705f0e8 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -55,7 +55,7 @@ static int checkentry_selinux(struct xt_
 {
 	int err;
 	struct xt_secmark_target_selinux_info *sel = &info->u.sel;
-	
+
 	sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
 
 	err = selinux_string_to_sid(sel->selctx, &sel->selsid);
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 3dc2357..2885c37 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -51,10 +51,10 @@ #define FWINV(bool, invflg) ((bool) ^ !!
 	if (ct == &ip_conntrack_untracked)
 		statebit = XT_CONNTRACK_STATE_UNTRACKED;
 	else if (ct)
- 		statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
- 	else
- 		statebit = XT_CONNTRACK_STATE_INVALID;
- 
+		statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
+	else
+		statebit = XT_CONNTRACK_STATE_INVALID;
+
 	if (sinfo->flags & XT_CONNTRACK_STATE) {
 		if (ct) {
 			if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
@@ -77,7 +77,7 @@ #define FWINV(bool, invflg) ((bool) ^ !!
 	    FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum !=
 		  sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
 		  XT_CONNTRACK_PROTO))
-                return 0;
+		return 0;
 
 	if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
 	    FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip &
@@ -147,10 +147,10 @@ #define FWINV(bool,invflg) ((bool) ^ !!(
 	if (ct == &nf_conntrack_untracked)
 		statebit = XT_CONNTRACK_STATE_UNTRACKED;
 	else if (ct)
- 		statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
- 	else
- 		statebit = XT_CONNTRACK_STATE_INVALID;
- 
+		statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
+	else
+		statebit = XT_CONNTRACK_STATE_INVALID;
+
 	if (sinfo->flags & XT_CONNTRACK_STATE) {
 		if (ct) {
 			if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
@@ -171,41 +171,41 @@ #define FWINV(bool,invflg) ((bool) ^ !!(
 
 	if (sinfo->flags & XT_CONNTRACK_PROTO &&
 	    FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum !=
-	    	  sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
+		  sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
 		  XT_CONNTRACK_PROTO))
-                return 0;
+		return 0;
 
 	if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
 	    FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip &
-	    	   sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
+		   sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
 		  sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
 		  XT_CONNTRACK_ORIGSRC))
 		return 0;
 
 	if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
 	    FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip &
-	    	   sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
+		   sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
 		  sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
 		  XT_CONNTRACK_ORIGDST))
 		return 0;
 
 	if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
 	    FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip &
-	    	   sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
+		   sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
 		  sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
 		  XT_CONNTRACK_REPLSRC))
 		return 0;
 
 	if (sinfo->flags & XT_CONNTRACK_REPLDST &&
 	    FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip &
-	    	   sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
+		   sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
 		  sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
 		  XT_CONNTRACK_REPLDST))
 		return 0;
 
 	if (sinfo->flags & XT_CONNTRACK_STATUS &&
 	    FWINV((ct->status & sinfo->statusmask) == 0,
-	    	  XT_CONNTRACK_STATUS))
+		  XT_CONNTRACK_STATUS))
 		return 0;
 
 	if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 3e6cf43..2c9c0de 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("Match for DCCP proto
 MODULE_ALIAS("ipt_dccp");
 
 #define DCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
-		                  || (!!((invflag) & (option)) ^ (cond)))
+				  || (!!((invflag) & (option)) ^ (cond)))
 
 static unsigned char *dccp_optbuf;
 static DEFINE_SPINLOCK(dccp_buflock);
@@ -67,9 +67,9 @@ dccp_find_option(u_int8_t option,
 			return 1;
 		}
 
-		if (op[i] < 2) 
+		if (op[i] < 2)
 			i++;
-		else 
+		else
 			i += op[i+1]?:1;
 	}
 
@@ -106,18 +106,18 @@ match(const struct sk_buff *skb,
 
 	if (offset)
 		return 0;
-	
+
 	dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh);
 	if (dh == NULL) {
 		*hotdrop = 1;
 		return 0;
-       	}
+	}
 
-	return  DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0]) 
-			&& (ntohs(dh->dccph_sport) <= info->spts[1])), 
-		   	XT_DCCP_SRC_PORTS, info->flags, info->invflags)
-		&& DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0]) 
-			&& (ntohs(dh->dccph_dport) <= info->dpts[1])), 
+	return  DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0])
+			&& (ntohs(dh->dccph_sport) <= info->spts[1])),
+			XT_DCCP_SRC_PORTS, info->flags, info->invflags)
+		&& DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0])
+			&& (ntohs(dh->dccph_dport) <= info->dpts[1])),
 			XT_DCCP_DEST_PORTS, info->flags, info->invflags)
 		&& DCCHECK(match_types(dh, info->typemask),
 			   XT_DCCP_TYPE, info->flags, info->invflags)
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index bd1f7a2..852e405 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -208,7 +208,7 @@ static int htable_create(struct xt_hashl
 	spin_lock_init(&hinfo->lock);
 	hinfo->pde = create_proc_entry(minfo->name, 0,
 				       family == AF_INET ? hashlimit_procdir4 :
-				       			   hashlimit_procdir6);
+							   hashlimit_procdir6);
 	if (!hinfo->pde) {
 		vfree(hinfo);
 		return -1;
@@ -240,7 +240,7 @@ static int select_gc(struct xt_hashlimit
 }
 
 static void htable_selective_cleanup(struct xt_hashlimit_htable *ht,
-		 		int (*select)(struct xt_hashlimit_htable *ht,
+				int (*select)(struct xt_hashlimit_htable *ht,
 					      struct dsthash_ent *he))
 {
 	unsigned int i;
@@ -279,7 +279,7 @@ static void htable_destroy(struct xt_has
 	/* remove proc entry */
 	remove_proc_entry(hinfo->pde->name,
 			  hinfo->family == AF_INET ? hashlimit_procdir4 :
-			  			     hashlimit_procdir6);
+						     hashlimit_procdir6);
 	htable_selective_cleanup(hinfo, select_all);
 	vfree(hinfo);
 }
@@ -483,7 +483,7 @@ hashlimit_match(const struct sk_buff *sk
 		return 1;
 	}
 
-       	spin_unlock_bh(&hinfo->lock);
+	spin_unlock_bh(&hinfo->lock);
 
 	/* default case: we're overlimit, thus don't match */
 	return 0;
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 04bc32b..407d1d5 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -53,7 +53,7 @@ match(const struct sk_buff *skb,
 	struct ip_conntrack *ct;
 	enum ip_conntrack_info ctinfo;
 	int ret = info->invert;
-	
+
 	ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
 	if (!ct) {
 		DEBUGP("xt_helper: Eek! invalid conntrack?\n");
@@ -67,19 +67,19 @@ match(const struct sk_buff *skb,
 
 	read_lock_bh(&ip_conntrack_lock);
 	if (!ct->master->helper) {
-		DEBUGP("xt_helper: master ct %p has no helper\n", 
+		DEBUGP("xt_helper: master ct %p has no helper\n",
 			exp->expectant);
 		goto out_unlock;
 	}
 
-	DEBUGP("master's name = %s , info->name = %s\n", 
+	DEBUGP("master's name = %s , info->name = %s\n",
 		ct->master->helper->name, info->name);
 
 	if (info->name[0] == '\0')
 		ret ^= 1;
 	else
-		ret ^= !strncmp(ct->master->helper->name, info->name, 
-		                strlen(ct->master->helper->name));
+		ret ^= !strncmp(ct->master->helper->name, info->name,
+				strlen(ct->master->helper->name));
 out_unlock:
 	read_unlock_bh(&ip_conntrack_lock);
 	return ret;
@@ -102,7 +102,7 @@ match(const struct sk_buff *skb,
 	struct nf_conn_help *master_help;
 	enum ip_conntrack_info ctinfo;
 	int ret = info->invert;
-	
+
 	ct = nf_ct_get((struct sk_buff *)skb, &ctinfo);
 	if (!ct) {
 		DEBUGP("xt_helper: Eek! invalid conntrack?\n");
@@ -117,19 +117,19 @@ match(const struct sk_buff *skb,
 	read_lock_bh(&nf_conntrack_lock);
 	master_help = nfct_help(ct->master);
 	if (!master_help || !master_help->helper) {
-		DEBUGP("xt_helper: master ct %p has no helper\n", 
+		DEBUGP("xt_helper: master ct %p has no helper\n",
 			exp->expectant);
 		goto out_unlock;
 	}
 
-	DEBUGP("master's name = %s , info->name = %s\n", 
+	DEBUGP("master's name = %s , info->name = %s\n",
 		ct->master->helper->name, info->name);
 
 	if (info->name[0] == '\0')
 		ret ^= 1;
 	else
 		ret ^= !strncmp(master_help->helper->name, info->name,
-		                strlen(master_help->helper->name));
+				strlen(master_help->helper->name));
 out_unlock:
 	read_unlock_bh(&nf_conntrack_lock);
 	return ret;
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 67fd30d..32fb998 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -32,7 +32,7 @@ match(const struct sk_buff *skb,
 {
 	const struct xt_length_info *info = matchinfo;
 	u_int16_t pktlen = ntohs(skb->nh.iph->tot_len);
-	
+
 	return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
 }
 
@@ -48,7 +48,7 @@ match6(const struct sk_buff *skb,
 {
 	const struct xt_length_info *info = matchinfo;
 	u_int16_t pktlen = ntohs(skb->nh.ipv6h->payload_len) + sizeof(struct ipv6hdr);
-	
+
 	return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
 }
 
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index fda7b7d..6fd8347 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -89,7 +89,7 @@ ipt_limit_match(const struct sk_buff *sk
 		return 1;
 	}
 
-       	spin_unlock_bh(&limit_lock);
+	spin_unlock_bh(&limit_lock);
 	return 0;
 }
 
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index dfa1ee6..39911dd 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -36,10 +36,10 @@ match(const struct sk_buff *skb,
 
 static int
 checkentry(const char *tablename,
-           const void *entry,
+	   const void *entry,
 	   const struct xt_match *match,
-           void *matchinfo,
-           unsigned int hook_mask)
+	   void *matchinfo,
+	   unsigned int hook_mask)
 {
 	const struct xt_mark_info *minfo = matchinfo;
 
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index 1602086..4dce2a8 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -91,7 +91,7 @@ ports_match_v1(const struct xt_multiport
 		}
 	}
 
- 	return minfo->invert;
+	return minfo->invert;
 }
 
 static int
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index b9b3ffc..35a0fe2 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -117,7 +117,7 @@ checkentry(const char *tablename,
 	    (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
 	     info->invert & XT_PHYSDEV_OP_BRIDGED) &&
 	    hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
-	                 (1 << NF_IP_POST_ROUTING))) {
+			 (1 << NF_IP_POST_ROUTING))) {
 		printk(KERN_WARNING "physdev match: using --physdev-out in the "
 		       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
 		       "traffic is not supported anymore.\n");
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 46bde2b..15b45a9 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -109,13 +109,13 @@ match_policy_out(const struct sk_buff *s
 }
 
 static int match(const struct sk_buff *skb,
-                 const struct net_device *in,
-                 const struct net_device *out,
-                 const struct xt_match *match,
-                 const void *matchinfo,
-                 int offset,
-                 unsigned int protoff,
-                 int *hotdrop)
+		 const struct net_device *in,
+		 const struct net_device *out,
+		 const struct xt_match *match,
+		 const void *matchinfo,
+		 int offset,
+		 unsigned int protoff,
+		 int *hotdrop)
 {
 	const struct xt_policy_info *info = matchinfo;
 	int ret;
@@ -134,27 +134,27 @@ static int match(const struct sk_buff *s
 }
 
 static int checkentry(const char *tablename, const void *ip_void,
-                      const struct xt_match *match,
-                      void *matchinfo, unsigned int hook_mask)
+		      const struct xt_match *match,
+		      void *matchinfo, unsigned int hook_mask)
 {
 	struct xt_policy_info *info = matchinfo;
 
 	if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
 		printk(KERN_ERR "xt_policy: neither incoming nor "
-		                "outgoing policy selected\n");
+				"outgoing policy selected\n");
 		return 0;
 	}
 	/* hook values are equal for IPv4 and IPv6 */
 	if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN)
 	    && info->flags & XT_POLICY_MATCH_OUT) {
 		printk(KERN_ERR "xt_policy: output policy not valid in "
-		                "PRE_ROUTING and INPUT\n");
+				"PRE_ROUTING and INPUT\n");
 		return 0;
 	}
 	if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT)
 	    && info->flags & XT_POLICY_MATCH_IN) {
 		printk(KERN_ERR "xt_policy: input policy not valid in "
-		                "POST_ROUTING and OUTPUT\n");
+				"POST_ROUTING and OUTPUT\n");
 		return 0;
 	}
 	if (info->len > XT_POLICY_MAX_ELEM) {
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index b75fa2c..bfdde06 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -30,8 +30,8 @@ match(const struct sk_buff *skb,
 		q->quota -= skb->len;
 		ret ^= 1;
 	} else {
-	        /* we do not allow even small packets from now on */
-	        q->quota = 0;
+		/* we do not allow even small packets from now on */
+		q->quota = 0;
 	}
 	spin_unlock_bh(&quota_lock);
 
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index a80b7d1..97ffc2f 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -35,7 +35,7 @@ match(const struct sk_buff *skb,
 {
 	const struct xt_realm_info *info = matchinfo;
 	struct dst_entry *dst = skb->dst;
-    
+
 	return (info->id == (dst->tclassid & info->mask)) ^ info->invert;
 }
 
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index 71bf036..f86d8d7 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -66,9 +66,9 @@ #endif
 			duprintf("Dropping invalid SCTP packet.\n");
 			*hotdrop = 1;
 			return 0;
-        	}
+		}
 
-		duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n", 
+		duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n",
 				++i, offset, sch->type, htons(sch->length), sch->flags);
 
 		offset += (ntohs(sch->length) + 3) & ~3;
@@ -78,21 +78,21 @@ #endif
 		if (SCTP_CHUNKMAP_IS_SET(chunkmap, sch->type)) {
 			switch (chunk_match_type) {
 			case SCTP_CHUNK_MATCH_ANY:
-				if (match_flags(flag_info, flag_count, 
+				if (match_flags(flag_info, flag_count,
 					sch->type, sch->flags)) {
 					return 1;
 				}
 				break;
 
 			case SCTP_CHUNK_MATCH_ALL:
-				if (match_flags(flag_info, flag_count, 
+				if (match_flags(flag_info, flag_count,
 					sch->type, sch->flags)) {
 					SCTP_CHUNKMAP_CLEAR(chunkmapcopy, sch->type);
 				}
 				break;
 
 			case SCTP_CHUNK_MATCH_ONLY:
-				if (!match_flags(flag_info, flag_count, 
+				if (!match_flags(flag_info, flag_count,
 					sch->type, sch->flags)) {
 					return 0;
 				}
@@ -136,24 +136,24 @@ match(const struct sk_buff *skb,
 		duprintf("Dropping non-first fragment.. FIXME\n");
 		return 0;
 	}
-	
+
 	sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh);
 	if (sh == NULL) {
 		duprintf("Dropping evil TCP offset=0 tinygram.\n");
 		*hotdrop = 1;
 		return 0;
-       	}
+	}
 	duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
 
-	return  SCCHECK(((ntohs(sh->source) >= info->spts[0]) 
-			&& (ntohs(sh->source) <= info->spts[1])), 
-		   	XT_SCTP_SRC_PORTS, info->flags, info->invflags)
-		&& SCCHECK(((ntohs(sh->dest) >= info->dpts[0]) 
-			&& (ntohs(sh->dest) <= info->dpts[1])), 
+	return  SCCHECK(((ntohs(sh->source) >= info->spts[0])
+			&& (ntohs(sh->source) <= info->spts[1])),
+			XT_SCTP_SRC_PORTS, info->flags, info->invflags)
+		&& SCCHECK(((ntohs(sh->dest) >= info->dpts[0])
+			&& (ntohs(sh->dest) <= info->dpts[1])),
 			XT_SCTP_DEST_PORTS, info->flags, info->invflags)
 		&& SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t),
 					info->chunkmap, info->chunk_match_type,
- 					info->flag_info, info->flag_count, 
+					info->flag_info, info->flag_count,
 					hotdrop),
 			   XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
 }
@@ -170,9 +170,9 @@ checkentry(const char *tablename,
 	return !(info->flags & ~XT_SCTP_VALID_FLAGS)
 		&& !(info->invflags & ~XT_SCTP_VALID_FLAGS)
 		&& !(info->invflags & ~info->flags)
-		&& ((!(info->flags & XT_SCTP_CHUNK_TYPES)) || 
+		&& ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
 			(info->chunk_match_type &
-				(SCTP_CHUNK_MATCH_ALL 
+				(SCTP_CHUNK_MATCH_ALL
 				| SCTP_CHUNK_MATCH_ANY
 				| SCTP_CHUNK_MATCH_ONLY)));
 }
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 4453252..999a005 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -1,5 +1,5 @@
 /* String matching match for iptables
- * 
+ *
  * (C) 2005 Pablo Neira Ayuso <pablo@eurodev.net>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -35,8 +35,8 @@ static int match(const struct sk_buff *s
 
 	memset(&state, 0, sizeof(struct ts_state));
 
-	return (skb_find_text((struct sk_buff *)skb, conf->from_offset, 
-			     conf->to_offset, conf->config, &state) 
+	return (skb_find_text((struct sk_buff *)skb, conf->from_offset,
+			     conf->to_offset, conf->config, &state)
 			     != UINT_MAX) ^ conf->invert;
 }
 
@@ -55,7 +55,7 @@ static int checkentry(const char *tablen
 	if (conf->from_offset > conf->to_offset)
 		return 0;
 	if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
-	    	return 0;
+		return 0;
 	if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
 		return 0;
 	ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index a3682fe..80571d0 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -64,9 +64,9 @@ match(const struct sk_buff *skb,
 			u_int16_t mssval;
 
 			mssval = (op[i+2] << 8) | op[i+3];
-			
+
 			return (mssval >= info->mss_min &&
-			        mssval <= info->mss_max) ^ info->invert;
+				mssval <= info->mss_max) ^ info->invert;
 		}
 		if (op[i] < 2)
 			i++;

[NETFILTER 21/22]: ip6t_mh: drop piggyback payload packet on MH packets

[Patrick McHardy]

[NETFILTER]: ip6t_mh: drop piggyback payload packet on MH packets

Regarding RFC3775, MH payload proto field should be IPPROTO_NONE. Otherwise
it must be discarded (and the receiver should send ICMP error).

We assume filter should drop such piggyback everytime to disallow slipping
through firewall rules, even the final receiver will discard it.

Signed-off-by: Masahide NAKAMURA <nakam@linux-ipv6.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit a7b4ff1031d3e62fad2b7da2068bb5deb2041325
tree ba6d4b4517999ebf0876a5618640276a6a251503
parent 353c941b0735b883510bfd7bb98fcd4fc8a0ee08
author Masahide NAKAMURA <nakam@linux-ipv6.org> Mon, 12 Feb 2007 11:08:11 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:11 +0100

 net/ipv6/netfilter/ip6t_mh.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index 2c7efc6..c2a9098 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -66,6 +66,13 @@ match(const struct sk_buff *skb,
 		return 0;
 	}
 
+	if (mh->ip6mh_proto != IPPROTO_NONE) {
+		duprintf("Dropping invalid MH Payload Proto: %u\n",
+			 mh->ip6mh_proto);
+		*hotdrop = 1;
+		return 0;
+	}
+
 	return type_match(mhinfo->types[0], mhinfo->types[1], mh->ip6mh_type,
 			  !!(mhinfo->invflags & IP6T_MH_INV_TYPE));
 }

[NETFILTER 22/22]: nf_conntrack_tcp: make sysctl variables static

[Patrick McHardy]

[NETFILTER]: nf_conntrack_tcp: make sysctl variables static

sysctls are registered by the protocol module itself since 2.6.19, no need
to have them visible to others.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit ebdb23c15670f1d49d7466856f4db8fd00f6c3a9
tree 005b35c07855e3723b9d94ea77f203fb4e829924
parent a7b4ff1031d3e62fad2b7da2068bb5deb2041325
author Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:17 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 12 Feb 2007 11:08:17 +0100

 net/netfilter/nf_conntrack_proto_tcp.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index c2884f9..aff65aa 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -58,16 +58,16 @@ static DEFINE_RWLOCK(tcp_lock);
 /* "Be conservative in what you do,
     be liberal in what you accept from others."
     If it's non-zero, we mark only out of window RST segments as INVALID. */
-int nf_ct_tcp_be_liberal __read_mostly = 0;
+static int nf_ct_tcp_be_liberal __read_mostly = 0;
 
 /* If it is set to zero, we disable picking up already established
    connections. */
-int nf_ct_tcp_loose __read_mostly = 1;
+static int nf_ct_tcp_loose __read_mostly = 1;
 
 /* Max number of the retransmitted packets without receiving an (acceptable)
    ACK from the destination. If this number is reached, a shorter timer
    will be started. */
-int nf_ct_tcp_max_retrans __read_mostly = 3;
+static int nf_ct_tcp_max_retrans __read_mostly = 3;
 
   /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
      closely.  They're more complex. --RR */

Re: [NETFILTER 00/22]: Netfilter update/fixes

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 12 Feb 2007 11:36:21 +0100 (MET)

> Hi Dave,
> 
> following are a number of fixes for netfilter, fixing RCU issues all over the
> place, including the invalid preemption assumptions in the NF_CT_STAT_INC macro.
> Additionally there are a few minor enhancements for things I noticed while going
> over the code: replacement of a few unnecessary spinlocks by mutexes, some
> cleanup for nf_log.c and some return value cleanup for unregistration functions.
> 
> With these patches I think there should be nothing left holding back the
> preemptable RCU merge from netfilter's perspective.
> 
> Please apply, thanks.

Thanks a lot for doing this work Patrick.

All applied, thanks again.