[NETFILTER 00/05]: updated nf_nat patch

[NETFILTER 00/05]: updated nf_nat patch

[Patrick McHardy]

I've updated your nf_nat patch to apply on top of Martin's patches
(on top of the current git tree) and merged the changes we had in
IPv4 NAT since then.

I've also reviewed the patch a bit, the main problem I found so
far is the nf_conntrack allocation scheme, which requires all
features to be known at creation time, so it doesn't allow
nf_conntrack_alter_reply to assign a helper to a connection
that previously didn't have one (same problem for helpers
like H.323 which manually assign helpers in their expectfns).

Other than that it seems (and works) fine so far, if we find
a good solution for the helper problem I would like to merge
this as fast as possible if you don't have any objections.


 include/linux/netfilter/nf_conntrack_ftp.h     |    6 
 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |   20 
 include/net/netfilter/nf_conntrack.h           |   28 
 include/net/netfilter/nf_conntrack_core.h      |    3 
 include/net/netfilter/nf_conntrack_expect.h    |    2 
 include/net/netfilter/nf_nat.h                 |   88 ++-
 include/net/netfilter/nf_nat_core.h            |   34 +
 include/net/netfilter/nf_nat_helper.h          |   33 +
 include/net/netfilter/nf_nat_protocol.h        |   74 ++
 include/net/netfilter/nf_nat_rule.h            |   38 +
 net/ipv4/netfilter/Kconfig                     |   73 +-
 net/ipv4/netfilter/Makefile                    |   12 
 net/ipv4/netfilter/ipt_MASQUERADE.c            |   29 -
 net/ipv4/netfilter/ipt_NETMAP.c                |    4 
 net/ipv4/netfilter/ipt_REDIRECT.c              |    6 
 net/ipv4/netfilter/ipt_SAME.c                  |   12 
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    7 
 net/ipv4/netfilter/nf_nat_core.c               |  725 +++++++++++++++++++++++--
 net/ipv4/netfilter/nf_nat_ftp.c                |  192 ++++++
 net/ipv4/netfilter/nf_nat_helper.c             |  531 +++++++++++++++++-
 net/ipv4/netfilter/nf_nat_proto_icmp.c         |   99 +++
 net/ipv4/netfilter/nf_nat_proto_tcp.c          |  168 +++++
 net/ipv4/netfilter/nf_nat_proto_udp.c          |  159 +++++
 net/ipv4/netfilter/nf_nat_proto_unknown.c      |   55 +
 net/ipv4/netfilter/nf_nat_rule.c               |  349 +++++++++++-
 net/ipv4/netfilter/nf_nat_standalone.c         |  428 ++++++++++++++
 net/netfilter/Kconfig                          |   47 +
 net/netfilter/nf_conntrack_core.c              |   20 
 net/netfilter/nf_conntrack_netlink.c           |   48 -
 net/netfilter/nf_conntrack_proto_tcp.c         |    2 
 net/netfilter/nf_conntrack_standalone.c        |    5 
 31 files changed, 3096 insertions(+), 201 deletions(-)

Patrick McHardy:
      [NETFILTER]: The IPv4 NAT ported to nf_conntrack
      [NETFILTER]: nf_nat: get rid of HW checksum invalidation
      [NETFILTER]: nf_nat: use tcp_sack_block_wire
      [NETFILTER]: nf_nat: NAT annotations
      [NETFILTER]: nf_nat: work around crash in nf_conntrack_alter_reply

[NETFILTER 02/05]: nf_nat: get rid of HW checksum invalidation

[Patrick McHardy]

[NETFILTER]: nf_nat: get rid of HW checksum invalidation

Sync with commit 4cf411de49c65140b3c259748629b561c0d3340f:

Update hardware checksums incrementally to avoid breaking GSO.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit b4b1bd0185d4054accbd925298f21b4d9eddfeec
tree 3058d0fbd03317712053af5b205d25a6e1f096d9
parent 64b20779232063e38df3a589f2dd8e1c26650921
author Patrick McHardy <kaber@trash.net> Fri, 03 Nov 2006 17:27:19 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 03 Nov 2006 17:27:19 +0100

 include/net/netfilter/nf_nat.h         |    4 --
 include/net/netfilter/nf_nat_core.h    |    8 ++--
 net/ipv4/netfilter/nf_nat_core.c       |   52 +++++++++++-----------------
 net/ipv4/netfilter/nf_nat_helper.c     |   59 +++++++++++++++++++++++---------
 net/ipv4/netfilter/nf_nat_proto_icmp.c |    8 ++--
 net/ipv4/netfilter/nf_nat_proto_tcp.c  |    7 ++--
 net/ipv4/netfilter/nf_nat_proto_udp.c  |   14 +++++---
 net/ipv4/netfilter/nf_nat_standalone.c |    4 +-
 8 files changed, 84 insertions(+), 72 deletions(-)

diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index a4e2a1f..633f666 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -72,10 +72,6 @@ extern unsigned int nf_nat_setup_info(st
 extern int nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple,
 			     const struct nf_conn *ignored_conntrack);
 
-/* Calculate relative checksum. */
-extern u_int16_t nf_nat_cheat_check(u_int32_t oldvalinv,
-				    u_int32_t newval,
-				    u_int16_t oldcheck);
 #else  /* !__KERNEL__: iptables wants this to compile. */
 #define nf_nat_multi_range nf_nat_multi_range_compat
 #endif /*__KERNEL__*/
diff --git a/include/net/netfilter/nf_nat_core.h b/include/net/netfilter/nf_nat_core.h
index 6f2faa6..63f1635 100644
--- a/include/net/netfilter/nf_nat_core.h
+++ b/include/net/netfilter/nf_nat_core.h
@@ -11,10 +11,10 @@ extern unsigned int nf_nat_packet(struct
 			       unsigned int hooknum,
 			       struct sk_buff **pskb);
 
-extern int nf_nat_icmp_reply_translation(struct sk_buff **pskb,
-					 struct nf_conn *ct,
-					 enum nf_nat_manip_type manip,
-					 enum ip_conntrack_dir dir);
+extern int nf_nat_icmp_reply_translation(struct nf_conn *ct,
+					 enum ip_conntrack_info ctinfo,
+					 unsigned int hooknum,
+					 struct sk_buff **pskb);
 
 static inline int nf_nat_initialized(struct nf_conn *conntrack,
 				     enum nf_nat_manip_type manip)
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 34c2cd0..7b9f572 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -103,18 +103,6 @@ static void nf_nat_cleanup_conntrack(str
 	write_unlock_bh(&nf_nat_lock);
 }
 
-/* We do checksum mangling, so if they were wrong before they're still
- * wrong.  Also works for incomplete packets (eg. ICMP dest
- * unreachables.) */
-u_int16_t
-nf_nat_cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
-{
-	u_int32_t diffs[] = { oldvalinv, newval };
-	return csum_fold(csum_partial((char *)diffs, sizeof(diffs),
-				      oldcheck^0xFFFF));
-}
-EXPORT_SYMBOL(nf_nat_cheat_check);
-
 /* Is this tuple already taken? (not by us) */
 int
 nf_nat_used_tuple(const struct nf_conntrack_tuple *tuple,
@@ -383,12 +371,12 @@ manip_pkt(u_int16_t proto,
 	iph = (void *)(*pskb)->data + iphdroff;
 
 	if (maniptype == IP_NAT_MANIP_SRC) {
-		iph->check = nf_nat_cheat_check(~iph->saddr, target->src.u3.ip,
-						iph->check);
+		iph->check = nf_csum_update(~iph->saddr, target->src.u3.ip,
+					    iph->check);
 		iph->saddr = target->src.u3.ip;
 	} else {
-		iph->check = nf_nat_cheat_check(~iph->daddr, target->dst.u3.ip,
-						iph->check);
+		iph->check = nf_csum_update(~iph->daddr, target->dst.u3.ip,
+					    iph->check);
 		iph->daddr = target->dst.u3.ip;
 	}
 	return 1;
@@ -428,10 +416,10 @@ unsigned int nf_nat_packet(struct nf_con
 EXPORT_SYMBOL_GPL(nf_nat_packet);
 
 /* Dir is direction ICMP is coming from (opposite to packet it contains) */
-int nf_nat_icmp_reply_translation(struct sk_buff **pskb,
-				  struct nf_conn *ct,
-				  enum nf_nat_manip_type manip,
-				  enum ip_conntrack_dir dir)
+int nf_nat_icmp_reply_translation(struct nf_conn *ct,
+				  enum ip_conntrack_info ctinfo,
+				  unsigned int hooknum,
+				  struct sk_buff **pskb)
 {
 	struct {
 		struct icmphdr icmp;
@@ -439,7 +427,9 @@ int nf_nat_icmp_reply_translation(struct
 	} *inside;
 	struct nf_conntrack_tuple inner, target;
 	int hdrlen = (*pskb)->nh.iph->ihl * 4;
+	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 	unsigned long statusbit;
+	enum nf_nat_manip_type manip = HOOK2MANIP(hooknum);
 
 	if (!skb_make_writable(pskb, hdrlen + sizeof(*inside)))
 		return 0;
@@ -448,12 +438,8 @@ int nf_nat_icmp_reply_translation(struct
 
 	/* We're actually going to mangle it beyond trivial checksum
 	   adjustment, so make sure the current checksum is correct. */
-	if ((*pskb)->ip_summed != CHECKSUM_UNNECESSARY) {
-		hdrlen = (*pskb)->nh.iph->ihl * 4;
-		if ((u16)csum_fold(skb_checksum(*pskb, hdrlen,
-						(*pskb)->len - hdrlen, 0)))
-			return 0;
-	}
+	if (nf_ip_checksum(*pskb, hooknum, hdrlen, 0))
+		return 0;
 
 	/* Must be RELATED */
 	NF_CT_ASSERT((*pskb)->nfctinfo == IP_CT_RELATED ||
@@ -498,12 +484,14 @@ int nf_nat_icmp_reply_translation(struct
 		       !manip))
 		return 0;
 
-	/* Reloading "inside" here since manip_pkt inner. */
-	inside = (void *)(*pskb)->data + (*pskb)->nh.iph->ihl*4;
-	inside->icmp.checksum = 0;
-	inside->icmp.checksum = csum_fold(skb_checksum(*pskb, hdrlen,
-						       (*pskb)->len - hdrlen,
-						       0));
+	if ((*pskb)->ip_summed != CHECKSUM_PARTIAL) {
+		/* Reloading "inside" here since manip_pkt inner. */
+		inside = (void *)(*pskb)->data + (*pskb)->nh.iph->ihl*4;
+		inside->icmp.checksum = 0;
+		inside->icmp.checksum = csum_fold(skb_checksum(*pskb, hdrlen,
+							       (*pskb)->len - hdrlen,
+							       0));
+	}
 
 	/* Change outer to look the reply to an incoming packet
 	 * (proto 0 means don't invert per-proto part). */
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index 4c9c88b..ccc39e6 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -163,7 +163,7 @@ nf_nat_mangle_tcp_packet(struct sk_buff 
 {
 	struct iphdr *iph;
 	struct tcphdr *tcph;
-	int datalen;
+	int oldlen, datalen;
 
 	if (!skb_make_writable(pskb, (*pskb)->len))
 		return 0;
@@ -178,13 +178,22 @@ nf_nat_mangle_tcp_packet(struct sk_buff 
 	iph = (*pskb)->nh.iph;
 	tcph = (void *)iph + iph->ihl*4;
 
+	oldlen = (*pskb)->len - iph->ihl*4;
 	mangle_contents(*pskb, iph->ihl*4 + tcph->doff*4,
 			match_offset, match_len, rep_buffer, rep_len);
 
 	datalen = (*pskb)->len - iph->ihl*4;
-	tcph->check = 0;
-	tcph->check = tcp_v4_check(tcph, datalen, iph->saddr, iph->daddr,
-				   csum_partial((char *)tcph, datalen, 0));
+	if ((*pskb)->ip_summed != CHECKSUM_PARTIAL) {
+		tcph->check = 0;
+		tcph->check = tcp_v4_check(tcph, datalen,
+					   iph->saddr, iph->daddr,
+					   csum_partial((char *)tcph,
+					   		datalen, 0));
+	} else
+		tcph->check = nf_proto_csum_update(*pskb,
+						   htons(oldlen) ^ 0xFFFF,
+						   htons(datalen),
+						   tcph->check, 1);
 
 	if (rep_len != match_len) {
 		set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
@@ -222,6 +231,7 @@ nf_nat_mangle_udp_packet(struct sk_buff 
 {
 	struct iphdr *iph;
 	struct udphdr *udph;
+	int datalen, oldlen;
 
 	/* UDP helpers might accidentally mangle the wrong packet */
 	iph = (*pskb)->nh.iph;
@@ -239,21 +249,32 @@ nf_nat_mangle_udp_packet(struct sk_buff 
 
 	iph = (*pskb)->nh.iph;
 	udph = (void *)iph + iph->ihl*4;
+
+	oldlen = (*pskb)->len - iph->ihl*4;
 	mangle_contents(*pskb, iph->ihl*4 + sizeof(*udph),
 			match_offset, match_len, rep_buffer, rep_len);
 
 	/* update the length of the UDP packet */
-	udph->len = htons((*pskb)->len - iph->ihl*4);
+	datalen = (*pskb)->len - iph->ihl*4;
+	udph->len = htons(datalen);
 
 	/* fix udp checksum if udp checksum was previously calculated */
-	if (udph->check) {
-		int datalen = (*pskb)->len - iph->ihl * 4;
+	if (!udph->check && (*pskb)->ip_summed != CHECKSUM_PARTIAL)
+		return 1;
+
+	if ((*pskb)->ip_summed != CHECKSUM_PARTIAL) {
 		udph->check = 0;
 		udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr,
 		                                datalen, IPPROTO_UDP,
 		                                csum_partial((char *)udph,
 		                                             datalen, 0));
-	}
+		if (!udph->check)
+			udph->check = -1;
+	} else
+		udph->check = nf_proto_csum_update(*pskb,
+						   htons(oldlen) ^ 0xFFFF,
+						   htons(datalen),
+						   udph->check, 1);
 
 	return 1;
 }
@@ -294,11 +315,15 @@ sack_adjust(struct sk_buff *skb,
 			ntohl(sack->start_seq), new_start_seq,
 			ntohl(sack->end_seq), new_end_seq);
 
-		tcph->check = 
-			nf_nat_cheat_check(~sack->start_seq, new_start_seq,
-					   nf_nat_cheat_check(~sack->end_seq, 
-						   	      new_end_seq,
-							      tcph->check));
+		tcph->check = nf_proto_csum_update(skb,
+						   ~sack->start_seq,
+						   new_start_seq,
+						   tcph->check, 0);
+		tcph->check = nf_proto_csum_update(skb,
+						   ~sack->end_seq,
+						   new_end_seq,
+						   tcph->check, 0);
+
 		sack->start_seq = new_start_seq;
 		sack->end_seq = new_end_seq;
 		sackoff += sizeof(*sack);
@@ -384,10 +409,10 @@ nf_nat_seq_adjust(struct sk_buff **pskb,
 		newack = ntohl(tcph->ack_seq) - other_way->offset_before;
 	newack = htonl(newack);
 
-	tcph->check = nf_nat_cheat_check(~tcph->seq, newseq,
-					 nf_nat_cheat_check(~tcph->ack_seq, 
-					 		    newack, 
-							    tcph->check));
+	tcph->check = nf_proto_csum_update(*pskb, ~tcph->seq, newseq,
+					   tcph->check, 0);
+	tcph->check = nf_proto_csum_update(*pskb, ~tcph->ack_seq, newack,
+					   tcph->check, 0);
 
 	DEBUGP("Adjusting sequence number from %u->%u, ack from %u->%u\n",
 		ntohl(tcph->seq), ntohl(newseq), ntohl(tcph->ack_seq),
diff --git a/net/ipv4/netfilter/nf_nat_proto_icmp.c b/net/ipv4/netfilter/nf_nat_proto_icmp.c
index 6a2cf9f..cb7ce9a 100644
--- a/net/ipv4/netfilter/nf_nat_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_icmp.c
@@ -66,10 +66,10 @@ icmp_manip_pkt(struct sk_buff **pskb,
 		return 0;
 
 	hdr = (struct icmphdr *)((*pskb)->data + hdroff);
-
-	hdr->checksum = nf_nat_cheat_check(hdr->un.echo.id ^ 0xFFFF,
-					    tuple->src.u.icmp.id,
-					    hdr->checksum);
+	hdr->checksum = nf_proto_csum_update(*pskb,
+					     hdr->un.echo.id ^ 0xFFFF,
+					     tuple->src.u.icmp.id,
+					     hdr->checksum, 0);
 	hdr->un.echo.id = tuple->src.u.icmp.id;
 	return 1;
 }
diff --git a/net/ipv4/netfilter/nf_nat_proto_tcp.c b/net/ipv4/netfilter/nf_nat_proto_tcp.c
index f8474d2..0a8edde 100644
--- a/net/ipv4/netfilter/nf_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_tcp.c
@@ -129,10 +129,9 @@ tcp_manip_pkt(struct sk_buff **pskb,
 	if (hdrsize < sizeof(*hdr))
 		return 1;
 
-	hdr->check = nf_nat_cheat_check(~oldip, newip,
-					nf_nat_cheat_check(oldport ^ 0xFFFF,
-							   newport,
-							   hdr->check));
+	hdr->check = nf_proto_csum_update(*pskb, ~oldip, newip, hdr->check, 1);
+	hdr->check = nf_proto_csum_update(*pskb, oldport ^ 0xFFFF, newport,
+					  hdr->check, 0);
 	return 1;
 }
 
diff --git a/net/ipv4/netfilter/nf_nat_proto_udp.c b/net/ipv4/netfilter/nf_nat_proto_udp.c
index f9a2b12..99d0ac1 100644
--- a/net/ipv4/netfilter/nf_nat_proto_udp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_udp.c
@@ -113,11 +113,15 @@ udp_manip_pkt(struct sk_buff **pskb,
 		newport = tuple->dst.u.udp.port;
 		portptr = &hdr->dest;
 	}
-	if (hdr->check) /* 0 is a special case meaning no checksum */
-		hdr->check = nf_nat_cheat_check(~oldip, newip,
-					nf_nat_cheat_check(*portptr ^ 0xFFFF,
-							   newport,
-							   hdr->check));
+	if (hdr->check || (*pskb)->ip_summed == CHECKSUM_PARTIAL) {
+		hdr->check = nf_proto_csum_update(*pskb, ~oldip, newip,
+						  hdr->check, 1);
+		hdr->check = nf_proto_csum_update(*pskb,
+						  *portptr ^ 0xFFFF, newport,
+						  hdr->check, 0);
+		if (!hdr->check)
+			hdr->check = -1;
+	}
 	*portptr = newport;
 	return 1;
 }
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 7310014..8d83c54 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -142,8 +142,8 @@ nf_nat_fn(unsigned int hooknum,
 	case IP_CT_RELATED:
 	case IP_CT_RELATED+IP_CT_IS_REPLY:
 		if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP) {
-			if (!nf_nat_icmp_reply_translation(pskb, ct, maniptype,
-							   CTINFO2DIR(ctinfo)))
+			if (!nf_nat_icmp_reply_translation(ct, ctinfo,
+							   hooknum, pskb))
 				return NF_DROP;
 			else
 				return NF_ACCEPT;

[NETFILTER 03/05]: nf_nat: use tcp_sack_block_wire

[Patrick McHardy]

[NETFILTER]: nf_nat: use tcp_sack_block_wire

Sync with commit 269bd27e66037a7932cee6d6aa7ef7defd0bfe38:

[TCP]: struct tcp_sack_block annotations

Some of the instances of tcp_sack_block are host-endian, some - net-endian.
Define struct tcp_sack_block_wire identical to struct tcp_sack_block
with u32 replaced with __be32; annotate uses of tcp_sack_block replacing
net-endian ones with tcp_sack_block_wire.  Change is obviously safe since
for cc(1) __be32 is typedefed to u32.

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit ce071a4e6fcee746b64936ac5c02317cbafdc4ab
tree dfe3fa259ef970d558a6f1a2d7bd0548f0a3140c
parent b4b1bd0185d4054accbd925298f21b4d9eddfeec
author Patrick McHardy <kaber@trash.net> Fri, 03 Nov 2006 17:27:33 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 03 Nov 2006 17:27:33 +0100

 net/ipv4/netfilter/nf_nat_helper.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index ccc39e6..94aa972 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -289,7 +289,7 @@ sack_adjust(struct sk_buff *skb,
 	    struct nf_nat_seq *natseq)
 {
 	while (sackoff < sackend) {
-		struct tcp_sack_block *sack;
+		struct tcp_sack_block_wire *sack;
 		u_int32_t new_start_seq, new_end_seq;
 
 		sack = (void *)skb->data + sackoff;

[NETFILTER 04/05]: nf_nat: NAT annotations

[Patrick McHardy]

[NETFILTER]: nf_nat: NAT annotations

Sync with commit a76b11dd25957287af12ce6855be6d7fd415b3a9

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit aa3104784034fe4a9971de642e962c18b51f5a00
tree 7fc7312ddfc241db4bd0032fb67bfdc66b2b8db8
parent ce071a4e6fcee746b64936ac5c02317cbafdc4ab
author Patrick McHardy <kaber@trash.net> Fri, 03 Nov 2006 17:27:44 +0100
committer Patrick McHardy <kaber@trash.net> Fri, 03 Nov 2006 17:27:44 +0100

 include/net/netfilter/nf_nat.h         |    2 +-
 net/ipv4/netfilter/nf_nat_core.c       |   14 ++++++------
 net/ipv4/netfilter/nf_nat_ftp.c        |   10 ++++-----
 net/ipv4/netfilter/nf_nat_helper.c     |   37 +++++++++++++++-----------------
 net/ipv4/netfilter/nf_nat_proto_icmp.c |    2 +-
 net/ipv4/netfilter/nf_nat_proto_tcp.c  |   10 ++++-----
 net/ipv4/netfilter/nf_nat_proto_udp.c  |    8 +++----
 net/ipv4/netfilter/nf_nat_rule.c       |    6 +++--
 net/ipv4/netfilter/nf_nat_standalone.c |    2 +-
 9 files changed, 44 insertions(+), 47 deletions(-)

diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index 633f666..b617949 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -33,7 +33,7 @@ struct nf_nat_range
 	unsigned int flags;
 
 	/* Inclusive: network order. */
-	u_int32_t min_ip, max_ip;
+	__be32 min_ip, max_ip;
 
 	/* Inclusive: network order */
 	union nf_conntrack_man_proto min, max;
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 7b9f572..ce59301 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -86,7 +86,7 @@ static inline unsigned int
 hash_by_src(const struct nf_conntrack_tuple *tuple)
 {
 	/* Original src, to ensure we map it consistently if poss. */
-	return jhash_3words(tuple->src.u3.ip, tuple->src.u.all,
+	return jhash_3words((__force u32)tuple->src.u3.ip, tuple->src.u.all,
 			    tuple->dst.protonum, 0) % nf_nat_htable_size;
 }
 
@@ -198,7 +198,7 @@ find_best_ips_proto(struct nf_conntrack_
 		    const struct nf_conn *conntrack,
 		    enum nf_nat_manip_type maniptype)
 {
-	u_int32_t *var_ipp;
+	__be32 *var_ipp;
 	/* Host order */
 	u_int32_t minip, maxip, j;
 
@@ -225,7 +225,7 @@ find_best_ips_proto(struct nf_conntrack_
 	 * like this), even across reboots. */
 	minip = ntohl(range->min_ip);
 	maxip = ntohl(range->max_ip);
-	j = jhash_2words(tuple->src.u3.ip, tuple->dst.u3.ip, 0);
+	j = jhash_2words((__force u32)tuple->src.u3.ip, tuple->dst.u3.ip, 0);
 	*var_ipp = htonl(minip + j % (maxip - minip + 1));
 }
 
@@ -549,9 +549,9 @@ int
 nf_nat_port_range_to_nfattr(struct sk_buff *skb, 
 			    const struct nf_nat_range *range)
 {
-	NFA_PUT(skb, CTA_PROTONAT_PORT_MIN, sizeof(u_int16_t),
+	NFA_PUT(skb, CTA_PROTONAT_PORT_MIN, sizeof(__be16),
 		&range->min.tcp.port);
-	NFA_PUT(skb, CTA_PROTONAT_PORT_MAX, sizeof(u_int16_t),
+	NFA_PUT(skb, CTA_PROTONAT_PORT_MAX, sizeof(__be16),
 		&range->max.tcp.port);
 
 	return 0;
@@ -570,7 +570,7 @@ nf_nat_port_nfattr_to_range(struct nfatt
 	if (tb[CTA_PROTONAT_PORT_MIN-1]) {
 		ret = 1;
 		range->min.tcp.port = 
-			*(u_int16_t *)NFA_DATA(tb[CTA_PROTONAT_PORT_MIN-1]);
+			*(__be16 *)NFA_DATA(tb[CTA_PROTONAT_PORT_MIN-1]);
 	}
 	
 	if (!tb[CTA_PROTONAT_PORT_MAX-1]) {
@@ -579,7 +579,7 @@ nf_nat_port_nfattr_to_range(struct nfatt
 	} else {
 		ret = 1;
 		range->max.tcp.port = 
-			*(u_int16_t *)NFA_DATA(tb[CTA_PROTONAT_PORT_MAX-1]);
+			*(__be16 *)NFA_DATA(tb[CTA_PROTONAT_PORT_MAX-1]);
 	}
 
 	return ret;
diff --git a/net/ipv4/netfilter/nf_nat_ftp.c b/net/ipv4/netfilter/nf_nat_ftp.c
index d2d8497..eab6e07 100644
--- a/net/ipv4/netfilter/nf_nat_ftp.c
+++ b/net/ipv4/netfilter/nf_nat_ftp.c
@@ -35,7 +35,7 @@ #endif
 
 static int
 mangle_rfc959_packet(struct sk_buff **pskb,
-		     u_int32_t newip,
+		     __be32 newip,
 		     u_int16_t port,
 		     unsigned int matchoff,
 		     unsigned int matchlen,
@@ -58,7 +58,7 @@ mangle_rfc959_packet(struct sk_buff **ps
 /* |1|132.235.1.2|6275| */
 static int
 mangle_eprt_packet(struct sk_buff **pskb,
-		   u_int32_t newip,
+		   __be32 newip,
 		   u_int16_t port,
 		   unsigned int matchoff,
 		   unsigned int matchlen,
@@ -80,7 +80,7 @@ mangle_eprt_packet(struct sk_buff **pskb
 /* |1|132.235.1.2|6275| */
 static int
 mangle_epsv_packet(struct sk_buff **pskb,
-		   u_int32_t newip,
+		   __be32 newip,
 		   u_int16_t port,
 		   unsigned int matchoff,
 		   unsigned int matchlen,
@@ -99,7 +99,7 @@ mangle_epsv_packet(struct sk_buff **pskb
 					matchlen, buffer, strlen(buffer));
 }
 
-static int (*mangle[])(struct sk_buff **, u_int32_t, u_int16_t,
+static int (*mangle[])(struct sk_buff **, __be32, u_int16_t,
 		     unsigned int,
 		     unsigned int,
 		     struct nf_conn *,
@@ -121,7 +121,7 @@ static unsigned int nf_nat_ftp(struct sk
 			       struct nf_conntrack_expect *exp,
 			       u32 *seq)
 {
-	u_int32_t newip;
+	__be32 newip;
 	u_int16_t port;
 	int dir = CTINFO2DIR(ctinfo);
 	struct nf_conn *ct = exp->master;
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index 94aa972..e7bc82d 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -191,7 +191,7 @@ nf_nat_mangle_tcp_packet(struct sk_buff 
 					   		datalen, 0));
 	} else
 		tcph->check = nf_proto_csum_update(*pskb,
-						   htons(oldlen) ^ 0xFFFF,
+						   htons(oldlen) ^ htons(0xFFFF),
 						   htons(datalen),
 						   tcph->check, 1);
 
@@ -272,7 +272,7 @@ nf_nat_mangle_udp_packet(struct sk_buff 
 			udph->check = -1;
 	} else
 		udph->check = nf_proto_csum_update(*pskb,
-						   htons(oldlen) ^ 0xFFFF,
+						   htons(oldlen) ^ htons(0xFFFF),
 						   htons(datalen),
 						   udph->check, 1);
 
@@ -290,26 +290,24 @@ sack_adjust(struct sk_buff *skb,
 {
 	while (sackoff < sackend) {
 		struct tcp_sack_block_wire *sack;
-		u_int32_t new_start_seq, new_end_seq;
+		__be32 new_start_seq, new_end_seq;
 
 		sack = (void *)skb->data + sackoff;
 		if (after(ntohl(sack->start_seq) - natseq->offset_before,
 			  natseq->correction_pos))
-			new_start_seq = ntohl(sack->start_seq) 
-					- natseq->offset_after;
+			new_start_seq = htonl(ntohl(sack->start_seq)
+					- natseq->offset_after);
 		else
-			new_start_seq = ntohl(sack->start_seq) 
-					- natseq->offset_before;
-		new_start_seq = htonl(new_start_seq);
+			new_start_seq = htonl(ntohl(sack->start_seq)
+					- natseq->offset_before);
 
 		if (after(ntohl(sack->end_seq) - natseq->offset_before,
 			  natseq->correction_pos))
-			new_end_seq = ntohl(sack->end_seq)
-				      - natseq->offset_after;
+			new_end_seq = htonl(ntohl(sack->end_seq)
+				      - natseq->offset_after);
 		else
-			new_end_seq = ntohl(sack->end_seq)
-				      - natseq->offset_before;
-		new_end_seq = htonl(new_end_seq);
+			new_end_seq = htonl(ntohl(sack->end_seq)
+				      - natseq->offset_before);
 
 		DEBUGP("sack_adjust: start_seq: %d->%d, end_seq: %d->%d\n",
 			ntohl(sack->start_seq), new_start_seq,
@@ -383,7 +381,8 @@ nf_nat_seq_adjust(struct sk_buff **pskb,
 		  enum ip_conntrack_info ctinfo)
 {
 	struct tcphdr *tcph;
-	int dir, newseq, newack;
+	int dir;
+	__be32 newseq, newack;
 	struct nf_conn_nat *nat = nfct_nat(ct);
 	struct nf_nat_seq *this_way, *other_way;	
 
@@ -397,17 +396,15 @@ nf_nat_seq_adjust(struct sk_buff **pskb,
 
 	tcph = (void *)(*pskb)->data + (*pskb)->nh.iph->ihl*4;
 	if (after(ntohl(tcph->seq), this_way->correction_pos))
-		newseq = ntohl(tcph->seq) + this_way->offset_after;
+		newseq = htonl(ntohl(tcph->seq) + this_way->offset_after);
 	else
-		newseq = ntohl(tcph->seq) + this_way->offset_before;
-	newseq = htonl(newseq);
+		newseq = htonl(ntohl(tcph->seq) + this_way->offset_before);
 
 	if (after(ntohl(tcph->ack_seq) - other_way->offset_before,
 		  other_way->correction_pos))
-		newack = ntohl(tcph->ack_seq) - other_way->offset_after;
+		newack = htonl(ntohl(tcph->ack_seq) - other_way->offset_after);
 	else
-		newack = ntohl(tcph->ack_seq) - other_way->offset_before;
-	newack = htonl(newack);
+		newack = htonl(ntohl(tcph->ack_seq) - other_way->offset_before);
 
 	tcph->check = nf_proto_csum_update(*pskb, ~tcph->seq, newseq,
 					   tcph->check, 0);
diff --git a/net/ipv4/netfilter/nf_nat_proto_icmp.c b/net/ipv4/netfilter/nf_nat_proto_icmp.c
index cb7ce9a..c28b0d2 100644
--- a/net/ipv4/netfilter/nf_nat_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_icmp.c
@@ -67,7 +67,7 @@ icmp_manip_pkt(struct sk_buff **pskb,
 
 	hdr = (struct icmphdr *)((*pskb)->data + hdroff);
 	hdr->checksum = nf_proto_csum_update(*pskb,
-					     hdr->un.echo.id ^ 0xFFFF,
+					     hdr->un.echo.id ^ htons(0xFFFF),
 					     tuple->src.u.icmp.id,
 					     hdr->checksum, 0);
 	hdr->un.echo.id = tuple->src.u.icmp.id;
diff --git a/net/ipv4/netfilter/nf_nat_proto_tcp.c b/net/ipv4/netfilter/nf_nat_proto_tcp.c
index 0a8edde..b516de0 100644
--- a/net/ipv4/netfilter/nf_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_tcp.c
@@ -24,7 +24,7 @@ tcp_in_range(const struct nf_conntrack_t
 	     const union nf_conntrack_man_proto *min,
 	     const union nf_conntrack_man_proto *max)
 {
-	u_int16_t port;
+	__be16 port;
 
 	if (maniptype == IP_NAT_MANIP_SRC)
 		port = tuple->src.u.tcp.port;
@@ -42,7 +42,7 @@ tcp_unique_tuple(struct nf_conntrack_tup
 		 const struct nf_conn *conntrack)
 {
 	static u_int16_t port;
-	u_int16_t *portptr;
+	__be16 *portptr;
 	unsigned int range_size, min, i;
 
 	if (maniptype == IP_NAT_MANIP_SRC)
@@ -93,8 +93,8 @@ tcp_manip_pkt(struct sk_buff **pskb,
 	struct iphdr *iph = (struct iphdr *)((*pskb)->data + iphdroff);
 	struct tcphdr *hdr;
 	unsigned int hdroff = iphdroff + iph->ihl*4;
-	u32 oldip, newip;
-	u16 *portptr, newport, oldport;
+	__be32 oldip, newip;
+	__be16 *portptr, newport, oldport;
 	int hdrsize = 8; /* TCP connection tracking guarantees this much */
 
 	/* this could be a inner header returned in icmp packet; in such
@@ -130,7 +130,7 @@ tcp_manip_pkt(struct sk_buff **pskb,
 		return 1;
 
 	hdr->check = nf_proto_csum_update(*pskb, ~oldip, newip, hdr->check, 1);
-	hdr->check = nf_proto_csum_update(*pskb, oldport ^ 0xFFFF, newport,
+	hdr->check = nf_proto_csum_update(*pskb, oldport ^ htons(0xFFFF), newport,
 					  hdr->check, 0);
 	return 1;
 }
diff --git a/net/ipv4/netfilter/nf_nat_proto_udp.c b/net/ipv4/netfilter/nf_nat_proto_udp.c
index 99d0ac1..b269bd9 100644
--- a/net/ipv4/netfilter/nf_nat_proto_udp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_udp.c
@@ -24,7 +24,7 @@ udp_in_range(const struct nf_conntrack_t
 	     const union nf_conntrack_man_proto *min,
 	     const union nf_conntrack_man_proto *max)
 {
-	u_int16_t port;
+	__be16 port;
 
 	if (maniptype == IP_NAT_MANIP_SRC)
 		port = tuple->src.u.udp.port;
@@ -42,7 +42,7 @@ udp_unique_tuple(struct nf_conntrack_tup
 		 const struct nf_conn *conntrack)
 {
 	static u_int16_t port;
-	u_int16_t *portptr;
+	__be16 *portptr;
 	unsigned int range_size, min, i;
 
 	if (maniptype == IP_NAT_MANIP_SRC)
@@ -117,8 +117,8 @@ udp_manip_pkt(struct sk_buff **pskb,
 		hdr->check = nf_proto_csum_update(*pskb, ~oldip, newip,
 						  hdr->check, 1);
 		hdr->check = nf_proto_csum_update(*pskb,
-						  *portptr ^ 0xFFFF, newport,
-						  hdr->check, 0);
+						  *portptr ^ htons(0xFFFF),
+						  newport, hdr->check, 0);
 		if (!hdr->check)
 			hdr->check = -1;
 	}
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 4ce2ddf..a83310a 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -152,7 +152,7 @@ static unsigned int ipt_snat_target(stru
 }
 
 /* Before 2.6.11 we did implicit source NAT if required. Warn about change. */
-static void warn_if_extra_mangle(u32 dstip, u32 srcip)
+static void warn_if_extra_mangle(__be32 dstip, __be32 srcip)
 {
 	static int warned = 0;
 	struct flowi fl = { .nl_u = { .ip4_u = { .daddr = dstip } } };
@@ -238,7 +238,7 @@ alloc_null_binding(struct nf_conn *connt
 	   per-proto parts (hence not IP_NAT_RANGE_PROTO_SPECIFIED).
 	   Use reply in case it's already been mangled (eg local packet).
 	*/
-	u_int32_t ip
+	__be32 ip
 		= (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC
 		   ? conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip
 		   : conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip);
@@ -255,7 +255,7 @@ alloc_null_binding_confirmed(struct nf_c
                              struct nf_nat_info *info,
                              unsigned int hooknum)
 {
-	u_int32_t ip
+	__be32 ip
 		= (HOOK2MANIP(hooknum) == IP_NAT_MANIP_SRC
 		   ? conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip
 		   : conntrack->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip);
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 8d83c54..f0391c1 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -197,7 +197,7 @@ nf_nat_in(unsigned int hooknum,
           int (*okfn)(struct sk_buff *))
 {
 	unsigned int ret;
-	u_int32_t daddr = (*pskb)->nh.iph->daddr;
+	__be32 daddr = (*pskb)->nh.iph->daddr;
 
 	ret = nf_nat_fn(hooknum, pskb, in, out, okfn);
 	if (ret != NF_DROP && ret != NF_STOLEN

[NETFILTER 05/05]: nf_nat: work around crash in nf_conntrack_alter_reply

[Patrick McHardy]

nf_conntrack_alter_reply crashes if no helper is present. Disable
helper assignment since it doesn't work with the current conntrack
allocation scheme anyway.

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 1f1c257..31a4472 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -855,7 +855,7 @@ void nf_conntrack_alter_reply(struct nf_
 	NF_CT_DUMP_TUPLE(newreply);
 
 	conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
-	if (!conntrack->master && help->expecting == 0)
+	if (!conntrack->master && 0 && help->expecting == 0)
 		help->helper = __nf_ct_helper_find(newreply);
 	write_unlock_bh(&nf_conntrack_lock);
 }

Re: [NETFILTER 01/05]: The IPv4 NAT ported to nf_conntrack

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 102 bytes --]

Patrick McHardy wrote:
> [garbage ...]

Sending .bz files inline doesn't seem to be a good idea :)




[-- Attachment #2: 01.diff.bz2 --]
[-- Type: application/octet-stream, Size: 22584 bytes --]

Re: [NETFILTER 00/05]: updated nf_nat patch

[Yasuyuki KOZAKAI]

From: Patrick McHardy <kaber@trash.net>
Date: Fri,  3 Nov 2006 17:46:24 +0100 (MET)

> I've updated your nf_nat patch to apply on top of Martin's patches
> (on top of the current git tree) and merged the changes we had in
> IPv4 NAT since then.

Great!

> I've also reviewed the patch a bit, the main problem I found so
> far is the nf_conntrack allocation scheme, which requires all
> features to be known at creation time, so it doesn't allow
> nf_conntrack_alter_reply to assign a helper to a connection
> that previously didn't have one (same problem for helpers
> like H.323 which manually assign helpers in their expectfns).

It might be the time to add something like Rusty's ct_extend.

My temporary idea is forcing to allocate area for helper in all
conntrack after H.323 helper is loaded.

-- Yasuyuki Kozakai

Re: [NETFILTER 00/05]: updated nf_nat patch

[Jozsef Kadlecsik]

On Fri, 3 Nov 2006, Patrick McHardy wrote:

> I've updated your nf_nat patch to apply on top of Martin's patches
> (on top of the current git tree) and merged the changes we had in
> IPv4 NAT since then.

Simply great!
 
> I've also reviewed the patch a bit, the main problem I found so
> far is the nf_conntrack allocation scheme, which requires all
> features to be known at creation time, so it doesn't allow
> nf_conntrack_alter_reply to assign a helper to a connection
> that previously didn't have one (same problem for helpers
> like H.323 which manually assign helpers in their expectfns).

Yes, that's a problem. I believe it can be solved by re-arranging the 
instructions in init_conntrack and changing expectfn itself/adding a new 
glue function.
 
> Other than that it seems (and works) fine so far, if we find
> a good solution for the helper problem I would like to merge
> this as fast as possible if you don't have any objections.

Nothing against it at all. But the other helpers besides the ported FTP 
one are missing too. I'll look into it, because that can uncover other
unresolved issues.
 
Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [NETFILTER 00/05]: updated nf_nat patch

[Jozsef Kadlecsik]

Hi Yasuyuki,

On Sat, 4 Nov 2006, Yasuyuki KOZAKAI wrote:

> > I've also reviewed the patch a bit, the main problem I found so
> > far is the nf_conntrack allocation scheme, which requires all
> > features to be known at creation time, so it doesn't allow
> > nf_conntrack_alter_reply to assign a helper to a connection
> > that previously didn't have one (same problem for helpers
> > like H.323 which manually assign helpers in their expectfns).
> 
> It might be the time to add something like Rusty's ct_extend.
> 
> My temporary idea is forcing to allocate area for helper in all
> conntrack after H.323 helper is loaded.

No, that'd be overkill: we'd be back where we were at before 
introducing the different sized conntrack entries. Something like

static struct nf_conn *
__nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
                     const struct nf_conntrack_tuple *repl,
                     const struct nf_conntrack_l3proto *l3proto,
		     int helperfn)
{
	....
        if (helper || helperfn)
                features |= NF_CT_F_HELP;
	...
}

static struct nf_conntrack_tuple_hash *
init_conntrack(const struct nf_conntrack_tuple *tuple,
               struct nf_conntrack_l3proto *l3proto,
               struct nf_conntrack_protocol *protocol,
               struct sk_buff *skb,
               unsigned int dataoff)
{
        struct nf_conn *conntrack;
        struct nf_conntrack_tuple repl_tuple;
        struct nf_conntrack_expect *exp;

        if (!nf_ct_invert_tuple(&repl_tuple, tuple, l3proto, protocol)) {
                DEBUGP("Can't invert tuple.\n");
                return NULL;
        }

        write_lock_bh(&nf_conntrack_lock);
        exp = find_expectation(tuple);
	write_unlock_bh(&nf_conntrack_lock);

	conntrack = __nf_conntrack_alloc(tuple, &repl_tuple, l3proto,
					 exp->helperfn != NULL);
	...
}

where 'helperfn' replaces 'assign helper dinamically' from expectfn might 
work.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [NETFILTER 00/05]: updated nf_nat patch

[Yasuyuki KOZAKAI]

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Fri, 3 Nov 2006 22:03:30 +0100 (CET)

> > My temporary idea is forcing to allocate area for helper in all
> > conntrack after H.323 helper is loaded.
>
> No, that'd be overkill: we'd be back where we were at before 
> introducing the different sized conntrack entries. Something like
> 
> static struct nf_conn *
> __nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
>                      const struct nf_conntrack_tuple *repl,
>                      const struct nf_conntrack_l3proto *l3proto,
> 		     int helperfn)
> {
> 	....
>         if (helper || helperfn)
>                 features |= NF_CT_F_HELP;
> 	...
> }
> 
> static struct nf_conntrack_tuple_hash *
> init_conntrack(const struct nf_conntrack_tuple *tuple,
>                struct nf_conntrack_l3proto *l3proto,
>                struct nf_conntrack_protocol *protocol,
>                struct sk_buff *skb,
>                unsigned int dataoff)
> {
>         struct nf_conn *conntrack;
>         struct nf_conntrack_tuple repl_tuple;
>         struct nf_conntrack_expect *exp;
> 
>         if (!nf_ct_invert_tuple(&repl_tuple, tuple, l3proto, protocol)) {
>                 DEBUGP("Can't invert tuple.\n");
>                 return NULL;
>         }
> 
>         write_lock_bh(&nf_conntrack_lock);
>         exp = find_expectation(tuple);
> 	write_unlock_bh(&nf_conntrack_lock);
> 
> 	conntrack = __nf_conntrack_alloc(tuple, &repl_tuple, l3proto,
> 					 exp->helperfn != NULL);
> 	...
> }
> 
> where 'helperfn' replaces 'assign helper dinamically' from expectfn might 
> work.

Good. write_lock_bh area would be better to cover the codes after
'if(exp) ...', I think.

The other issue that Patrick's pointed out originally needs other solution.
init_conntrack() cannot figure out whether nf_conntrack_alter_reply() will
allocate helper to it or not in future. Any conntrack has possibility to be
allocated helper by nf_conntrack_alter_reply(). My idea is that
__nf_conntrack_alloc() allocates the space for helper in all IPv4
conntrack, if any helper module which handles IPv4 conntrack is
loaded. That was I want to say, and above my sentence looks wrong, sorry.


-- Yasuyuki Kozakai