Merge branch 'nf' of git://1984.lsi.us.es/net

	struct module *me;

};

#define EBT_ALIGN(s) (((s) + (__alignof__(struct ebt_replace)-1)) & \

		     ~(__alignof__(struct ebt_replace)-1))

#define EBT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) & \

		     ~(__alignof__(struct _xt_align)-1))

extern struct ebt_table *ebt_register_table(struct net *net,

					    const struct ebt_table *table);

extern void ebt_unregister_table(struct net *net, struct ebt_table *table);

	__be16 dport = 0;		/* destination port to forward */

	unsigned int flags;

	struct ip_vs_conn_param param;

	const union nf_inet_addr fwmark = { .ip = htonl(svc->fwmark) };

	union nf_inet_addr snet;	/* source network of the client,

					   after masking */

	{

		int protocol = iph.protocol;

		const union nf_inet_addr *vaddr = &iph.daddr;

		const union nf_inet_addr fwmark = { .ip = htonl(svc->fwmark) };

		__be16 vport = 0;

		if (dst_port == svc->port) {

						    nf_ct_protonum(ct));

		if (helper == NULL) {

			rcu_read_unlock();

			spin_unlock_bh(&nf_conntrack_lock);

#ifdef CONFIG_MODULES

			if (request_module("nfct-helper-%s", helpname) < 0) {

				spin_lock_bh(&nf_conntrack_lock);

				err = -EOPNOTSUPP;

				goto err1;

			}

			spin_lock_bh(&nf_conntrack_lock);

			rcu_read_lock();

			helper = __nf_conntrack_helper_find(helpname,

							    nf_ct_l3num(ct),

		tstamp->start = ktime_to_ns(ktime_get_real());

	add_timer(&ct->timeout);

	spin_lock_bh(&nf_conntrack_lock);

	nf_conntrack_hash_insert(ct);

	nf_conntrack_get(&ct->ct_general);

	spin_unlock_bh(&nf_conntrack_lock);

	rcu_read_unlock();

	return ct;

	struct nf_conntrack_tuple otuple, rtuple;

	struct nf_conntrack_tuple_hash *h = NULL;

	struct nfgenmsg *nfmsg = nlmsg_data(nlh);

	struct nf_conn *ct;

	u_int8_t u3 = nfmsg->nfgen_family;

	u16 zone;

	int err;

	spin_lock_bh(&nf_conntrack_lock);

	if (cda[CTA_TUPLE_ORIG])

		h = __nf_conntrack_find(net, zone, &otuple);

		h = nf_conntrack_find_get(net, zone, &otuple);

	else if (cda[CTA_TUPLE_REPLY])

		h = __nf_conntrack_find(net, zone, &rtuple);

		h = nf_conntrack_find_get(net, zone, &rtuple);

	spin_unlock_bh(&nf_conntrack_lock);

	if (h == NULL) {

		err = -ENOENT;

		if (nlh->nlmsg_flags & NLM_F_CREATE) {

			struct nf_conn *ct;

			enum ip_conntrack_events events;

			ct = ctnetlink_create_conntrack(net, zone, cda, &otuple,

							&rtuple, u3);

			if (IS_ERR(ct)) {

				err = PTR_ERR(ct);

				goto out_unlock;

			}

			if (IS_ERR(ct))

				return PTR_ERR(ct);

			err = 0;

			nf_conntrack_get(&ct->ct_general);

			spin_unlock_bh(&nf_conntrack_lock);

			if (test_bit(IPS_EXPECTED_BIT, &ct->status))

				events = IPCT_RELATED;

			else

						      ct, NETLINK_CB(skb).pid,

						      nlmsg_report(nlh));

			nf_ct_put(ct);

		} else

			spin_unlock_bh(&nf_conntrack_lock);

		}

		return err;

	}

	/* implicit 'else' */

	/* We manipulate the conntrack inside the global conntrack table lock,

	 * so there's no need to increase the refcount */

	err = -EEXIST;

	ct = nf_ct_tuplehash_to_ctrack(h);

	if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {

		struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);

		spin_lock_bh(&nf_conntrack_lock);

		err = ctnetlink_change_conntrack(ct, cda);

		if (err == 0) {

			nf_conntrack_get(&ct->ct_general);

		spin_unlock_bh(&nf_conntrack_lock);

		if (err == 0) {

			nf_conntrack_eventmask_report((1 << IPCT_REPLY) |

						      (1 << IPCT_ASSURED) |

						      (1 << IPCT_HELPER) |

						      (1 << IPCT_MARK),

						      ct, NETLINK_CB(skb).pid,

						      nlmsg_report(nlh));

			nf_ct_put(ct);

		} else

			spin_unlock_bh(&nf_conntrack_lock);

		return err;

		}

	}

out_unlock:

	spin_unlock_bh(&nf_conntrack_lock);

	nf_ct_put(ct);

	return err;

}

	return status;

}

#ifdef CONFIG_BRIDGE_NETFILTER

/* When called from bridge netfilter, skb->data must point to MAC header

 * before calling skb_gso_segment(). Else, original MAC header is lost

 * and segmented skbs will be sent to wrong destination.

 */

static void nf_bridge_adjust_skb_data(struct sk_buff *skb)

{

	if (skb->nf_bridge)

		__skb_push(skb, skb->network_header - skb->mac_header);

}

static void nf_bridge_adjust_segmented_data(struct sk_buff *skb)

{

	if (skb->nf_bridge)

		__skb_pull(skb, skb->network_header - skb->mac_header);

}

#else

#define nf_bridge_adjust_skb_data(s) do {} while (0)

#define nf_bridge_adjust_segmented_data(s) do {} while (0)

#endif

int nf_queue(struct sk_buff *skb,

	     struct list_head *elem,

	     u_int8_t pf, unsigned int hook,

	     unsigned int queuenum)

{

	struct sk_buff *segs;

	int err;

	int err = -EINVAL;

	unsigned int queued;

	if (!skb_is_gso(skb))

		break;

	}

	nf_bridge_adjust_skb_data(skb);

	segs = skb_gso_segment(skb, 0);

	/* Does not use PTR_ERR to limit the number of error codes that can be

	 * returned by nf_queue.  For instance, callers rely on -ECANCELED to mean

	 * 'ignore this hook'.

	 */

	if (IS_ERR(segs))

		return -EINVAL;

		goto out_err;

	queued = 0;

	err = 0;

	do {

		struct sk_buff *nskb = segs->next;

		segs->next = NULL;

		if (err == 0)

		if (err == 0) {

			nf_bridge_adjust_segmented_data(segs);

			err = __nf_queue(segs, elem, pf, hook, indev,

					   outdev, okfn, queuenum);

		}

		if (err == 0)

			queued++;

		else

		segs = nskb;

	} while (segs);

	/* also free orig skb if only some segments were queued */

	if (unlikely(err && queued))

		err = 0;

	if (err == 0)

	if (queued) {

		kfree_skb(skb);

		return 0;

	}

  out_err:

	nf_bridge_adjust_segmented_data(skb);

	return err;

}