inet netfilter: Prefer state->hook to ops->hooknum

				      struct sk_buff *skb,

				      struct sk_buff *skb,

				      const struct nf_hook_state *state)

				      const struct nf_hook_state *state)

{

{

	return nf_conntrack_in(state->net, PF_INET, ops->hooknum, skb);

	return nf_conntrack_in(state->net, PF_INET, state->hook, skb);

}

}

static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops,

static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops,

	if (skb->len < sizeof(struct iphdr) ||

	if (skb->len < sizeof(struct iphdr) ||

	    ip_hdrlen(skb) < sizeof(struct iphdr))

	    ip_hdrlen(skb) < sizeof(struct iphdr))

		return NF_ACCEPT;

		return NF_ACCEPT;

	return nf_conntrack_in(state->net, PF_INET, ops->hooknum, skb);

	return nf_conntrack_in(state->net, PF_INET, state->hook, skb);

}

}

/* Connection tracking may drop packets, but never alters them, so

/* Connection tracking may drop packets, but never alters them, so

	/* Gather fragments. */

	/* Gather fragments. */

	if (ip_is_fragment(ip_hdr(skb))) {

	if (ip_is_fragment(ip_hdr(skb))) {

		enum ip_defrag_users user =

		enum ip_defrag_users user =

			nf_ct_defrag_user(ops->hooknum, skb);

			nf_ct_defrag_user(state->hook, skb);

		if (nf_ct_ipv4_gather_frags(skb, user))

		if (nf_ct_ipv4_gather_frags(skb, user))

			return NF_STOLEN;

			return NF_STOLEN;

	enum ip_conntrack_info ctinfo;

	enum ip_conntrack_info ctinfo;

	struct nf_conn_nat *nat;

	struct nf_conn_nat *nat;

	/* maniptype == SRC for postrouting. */

	/* maniptype == SRC for postrouting. */

	enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);

	enum nf_nat_manip_type maniptype = HOOK2MANIP(state->hook);

	/* We never see fragments: conntrack defrags on pre-routing

	/* We never see fragments: conntrack defrags on pre-routing

	 * and local-out, and nf_nat_out protects post-routing.

	 * and local-out, and nf_nat_out protects post-routing.

	case IP_CT_RELATED_REPLY:

	case IP_CT_RELATED_REPLY:

		if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {

		if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {

			if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,

			if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,

							   ops->hooknum))

							   state->hook))

				return NF_DROP;

				return NF_DROP;

			else

			else

				return NF_ACCEPT;

				return NF_ACCEPT;

			if (ret != NF_ACCEPT)

			if (ret != NF_ACCEPT)

				return ret;

				return ret;

			if (nf_nat_initialized(ct, HOOK2MANIP(ops->hooknum)))

			if (nf_nat_initialized(ct, HOOK2MANIP(state->hook)))

				break;

				break;

			ret = nf_nat_alloc_null_binding(ct, ops->hooknum);

			ret = nf_nat_alloc_null_binding(ct, state->hook);

			if (ret != NF_ACCEPT)

			if (ret != NF_ACCEPT)

				return ret;

				return ret;

		} else {

		} else {

			pr_debug("Already setup manip %s for ct %p\n",

			pr_debug("Already setup manip %s for ct %p\n",

				 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",

				 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",

				 ct);

				 ct);

			if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat,

			if (nf_nat_oif_changed(state->hook, ctinfo, nat,

					       state->out))

					       state->out))

				goto oif_changed;

				goto oif_changed;

		}

		}

		/* ESTABLISHED */

		/* ESTABLISHED */

		NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||

		NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||

			     ctinfo == IP_CT_ESTABLISHED_REPLY);

			     ctinfo == IP_CT_ESTABLISHED_REPLY);

		if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, state->out))

		if (nf_nat_oif_changed(state->hook, ctinfo, nat, state->out))

			goto oif_changed;

			goto oif_changed;

	}

	}

	return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);

	return nf_nat_packet(ct, ctinfo, state->hook, skb);

oif_changed:

oif_changed:

	nf_ct_kill_acct(ct, ctinfo, skb);

	nf_ct_kill_acct(ct, ctinfo, skb);

				      struct sk_buff *skb,

				      struct sk_buff *skb,

				      const struct nf_hook_state *state)

				      const struct nf_hook_state *state)

{

{

	return nf_conntrack_in(state->net, PF_INET6, ops->hooknum, skb);

	return nf_conntrack_in(state->net, PF_INET6, state->hook, skb);

}

}

static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,

static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,

		net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");

		net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");

		return NF_ACCEPT;

		return NF_ACCEPT;

	}

	}

	return nf_conntrack_in(state->net, PF_INET6, ops->hooknum, skb);

	return nf_conntrack_in(state->net, PF_INET6, state->hook, skb);

}

}

static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {

static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {

		return NF_ACCEPT;

		return NF_ACCEPT;

#endif

#endif

	reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(ops->hooknum, skb));

	reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(state->hook, skb));

	/* queued */

	/* queued */

	if (reasm == NULL)

	if (reasm == NULL)

		return NF_STOLEN;

		return NF_STOLEN;

	nf_ct_frag6_consume_orig(reasm);

	nf_ct_frag6_consume_orig(reasm);

	NF_HOOK_THRESH(NFPROTO_IPV6, ops->hooknum, state->net, state->sk, reasm,

	NF_HOOK_THRESH(NFPROTO_IPV6, state->hook, state->net, state->sk, reasm,

		       state->in, state->out,

		       state->in, state->out,

		       state->okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1);

		       state->okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1);