Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

424eff97 · David S. Miller · 55dbabee · 3666ed1c · 424eff97 · 424eff97
Commit 424eff97 authored Dec 03, 2009 by David S. Miller
32 changed files
--- a/include/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -66,6 +66,9 @@ struct ip_ct_tcp {
 	u_int32_t	last_ack;	/* Last sequence number seen in opposite dir */
 	u_int32_t	last_end;	/* Last seq + len */
 	u_int16_t	last_win;	/* Last window advertisement seen in dir */
+	/* For SYN packets while we may be out-of-sync */
+	u_int8_t	last_wscale;	/* Last window scaling factor seen */
+	u_int8_t	last_flags;	/* Last flags set */
 };
 #endif /* __KERNEL__ */

--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -384,11 +384,11 @@ static int mark_source_chains(struct xt_table_info *newinfo,
 				|= ((1 << hook) | (1 << NF_ARP_NUMHOOKS));
 			/* Unconditional return/END. */
-			if ((e->target_offset == sizeof(struct arpt_entry)
+			if ((e->target_offset == sizeof(struct arpt_entry) &&
-			    && (strcmp(t->target.u.user.name,
+			     (strcmp(t->target.u.user.name,
-				       ARPT_STANDARD_TARGET) == 0)
+				     ARPT_STANDARD_TARGET) == 0) &&
-			    && t->verdict < 0
+			     t->verdict < 0 && unconditional(&e->arp)) ||
-			    && unconditional(&e->arp)) || visited) {
+			    visited) {
 				unsigned int oldpos, size;
 				if ((strcmp(t->target.u.user.name,
@@ -427,8 +427,8 @@ static int mark_source_chains(struct xt_table_info *newinfo,
 				int newpos = t->verdict;
 				if (strcmp(t->target.u.user.name,
-					   ARPT_STANDARD_TARGET) == 0
+					   ARPT_STANDARD_TARGET) == 0 &&
-				    && newpos >= 0) {
+				    newpos >= 0) {
 					if (newpos > newinfo->size -
 						sizeof(struct arpt_entry)) {
 						duprintf("mark_source_chains: "
@@ -559,8 +559,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
 {
 	unsigned int h;
-	if ((unsigned long)e % __alignof__(struct arpt_entry) != 0
+	if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
-	    || (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
+	    (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
 		duprintf("Bad offset %p\n", e);
 		return -EINVAL;
 	}
@@ -1251,8 +1251,8 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
 	int ret, off, h;
 	duprintf("check_compat_entry_size_and_hooks %p\n", e);
-	if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0
+	if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
-	    || (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
+	    (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
 		duprintf("Bad offset %p, limit = %p\n", e, limit);
 		return -EINVAL;
 	}

--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -497,8 +497,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
 {
 	struct netlink_notify *n = ptr;
-	if (event == NETLINK_URELEASE &&
+	if (event == NETLINK_URELEASE && n->protocol == NETLINK_FIREWALL) {
-	    n->protocol == NETLINK_FIREWALL && n->pid) {
 		write_lock_bh(&queue_lock);
 		if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
 			__ipq_reset();
@@ -622,7 +621,7 @@ cleanup_netlink_notifier:
 static void __exit ip_queue_fini(void)
 {
 	nf_unregister_queue_handlers(&nfqh);
-	synchronize_net();
 	ipq_flush(NULL, 0);
 #ifdef CONFIG_SYSCTL

--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -89,9 +89,9 @@ ip_packet_match(const struct iphdr *ip,
 #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
 	if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
-		  IPT_INV_SRCIP)
+		  IPT_INV_SRCIP) ||
-	    || FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
+	    FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
-		     IPT_INV_DSTIP)) {
+		  IPT_INV_DSTIP)) {
 		dprintf("Source or dest mismatch.\n");
 		dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n",
@@ -122,8 +122,8 @@ ip_packet_match(const struct iphdr *ip,
 	}
 	/* Check specific protocol */
-	if (ipinfo->proto
+	if (ipinfo->proto &&
-	    && FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
+	    FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
 		dprintf("Packet protocol %hi does not match %hi.%s\n",
 			ip->protocol, ipinfo->proto,
 			ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
@@ -246,11 +246,11 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
 	} else if (s == e) {
 		(*rulenum)++;
-		if (s->target_offset == sizeof(struct ipt_entry)
+		if (s->target_offset == sizeof(struct ipt_entry) &&
-		   && strcmp(t->target.u.kernel.target->name,
+		    strcmp(t->target.u.kernel.target->name,
-			     IPT_STANDARD_TARGET) == 0
+			   IPT_STANDARD_TARGET) == 0 &&
-		   && t->verdict < 0
+		   t->verdict < 0 &&
-		   && unconditional(&s->ip)) {
+		   unconditional(&s->ip)) {
 			/* Tail of chains: STANDARD target (return/policy) */
 			*comment = *chainname == hookname
 				? comments[NF_IP_TRACE_COMMENT_POLICY]
@@ -388,8 +388,8 @@ ipt_do_table(struct sk_buff *skb,
 				back = get_entry(table_base, back->comefrom);
 				continue;
 			}
-			if (table_base + v != ipt_next_entry(e)
+			if (table_base + v != ipt_next_entry(e) &&
-			    && !(e->ip.flags & IPT_F_GOTO)) {
+			    !(e->ip.flags & IPT_F_GOTO)) {
 				/* Save old back ptr in next entry */
 				struct ipt_entry *next = ipt_next_entry(e);
 				next->comefrom = (void *)back - table_base;
@@ -473,11 +473,11 @@ mark_source_chains(struct xt_table_info *newinfo,
 			e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
 			/* Unconditional return/END. */
-			if ((e->target_offset == sizeof(struct ipt_entry)
+			if ((e->target_offset == sizeof(struct ipt_entry) &&
-			    && (strcmp(t->target.u.user.name,
+			     (strcmp(t->target.u.user.name,
-				       IPT_STANDARD_TARGET) == 0)
+				     IPT_STANDARD_TARGET) == 0) &&
-			    && t->verdict < 0
+			     t->verdict < 0 && unconditional(&e->ip)) ||
-			    && unconditional(&e->ip)) || visited) {
+			    visited) {
 				unsigned int oldpos, size;
 				if ((strcmp(t->target.u.user.name,
@@ -524,8 +524,8 @@ mark_source_chains(struct xt_table_info *newinfo,
 				int newpos = t->verdict;
 				if (strcmp(t->target.u.user.name,
-					   IPT_STANDARD_TARGET) == 0
+					   IPT_STANDARD_TARGET) == 0 &&
-				    && newpos >= 0) {
+				    newpos >= 0) {
 					if (newpos > newinfo->size -
 						sizeof(struct ipt_entry)) {
 						duprintf("mark_source_chains: "
@@ -735,8 +735,8 @@ check_entry_size_and_hooks(struct ipt_entry *e,
 {
 	unsigned int h;
-	if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
+	if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
-	    || (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
+	    (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
 		duprintf("Bad offset %p\n", e);
 		return -EINVAL;
 	}
@@ -1548,8 +1548,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
 	int ret, off, h;
 	duprintf("check_compat_entry_size_and_hooks %p\n", e);
-	if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
+	if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
-	    || (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
+	    (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
 		duprintf("Bad offset %p, limit = %p\n", e, limit);
 		return -EINVAL;
 	}

--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -303,9 +303,9 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
 	/* special case: ICMP error handling. conntrack distinguishes between
 	 * error messages (RELATED) and information requests (see below) */
-	if (ip_hdr(skb)->protocol == IPPROTO_ICMP
+	if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&
-	    && (ctinfo == IP_CT_RELATED
+	    (ctinfo == IP_CT_RELATED ||
-		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
+	     ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY))
 		return XT_CONTINUE;
 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
@@ -362,8 +362,8 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
 		return false;
 	}
-	if (e->ip.dmsk.s_addr != htonl(0xffffffff)
+	if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
-	    || e->ip.dst.s_addr == 0) {
+	    e->ip.dst.s_addr == 0) {
 		printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n");
 		return false;
 	}
@@ -495,14 +495,14 @@ arp_mangle(unsigned int hook,
 	struct clusterip_config *c;
 	/* we don't care about non-ethernet and non-ipv4 ARP */
-	if (arp->ar_hrd != htons(ARPHRD_ETHER)
+	if (arp->ar_hrd != htons(ARPHRD_ETHER) ||
-	    || arp->ar_pro != htons(ETH_P_IP)
+	    arp->ar_pro != htons(ETH_P_IP) ||
-	    || arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN)
+	    arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN)
 		return NF_ACCEPT;
 	/* we only want to mangle arp requests and replies */
-	if (arp->ar_op != htons(ARPOP_REPLY)
+	if (arp->ar_op != htons(ARPOP_REPLY) &&
-	    && arp->ar_op != htons(ARPOP_REQUEST))
+	    arp->ar_op != htons(ARPOP_REQUEST))
 		return NF_ACCEPT;
 	payload = (void *)(arp+1);

--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -85,8 +85,8 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
 		if (!set_ect_ip(skb, einfo))
 			return NF_DROP;
-	if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR)
+	if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) &&
-	    && ip_hdr(skb)->protocol == IPPROTO_TCP)
+	    ip_hdr(skb)->protocol == IPPROTO_TCP)
 		if (!set_ect_tcp(skb, einfo))
 			return NF_DROP;
@@ -108,8 +108,8 @@ static bool ecn_tg_check(const struct xt_tgchk_param *par)
 			einfo->ip_ect);
 		return false;
 	}
-	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
+	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
+	    (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
 		       "non-tcp rule\n");
 		return false;

--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -74,8 +74,8 @@ static void dump_packet(const struct nf_loginfo *info,
 	if (ntohs(ih->frag_off) & IP_OFFSET)
 		printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
-	if ((logflags & IPT_LOG_IPOPT)
+	if ((logflags & IPT_LOG_IPOPT) &&
-	    && ih->ihl * 4 > sizeof(struct iphdr)) {
+	    ih->ihl * 4 > sizeof(struct iphdr)) {
 		const unsigned char *op;
 		unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
 		unsigned int i, optsize;
@@ -146,8 +146,8 @@ static void dump_packet(const struct nf_loginfo *info,
 		/* Max length: 11 "URGP=65535 " */
 		printk("URGP=%u ", ntohs(th->urg_ptr));
-		if ((logflags & IPT_LOG_TCPOPT)
+		if ((logflags & IPT_LOG_TCPOPT) &&
-		    && th->doff * 4 > sizeof(struct tcphdr)) {
+		    th->doff * 4 > sizeof(struct tcphdr)) {
 			unsigned char _opt[4 * 15 - sizeof(struct tcphdr)];
 			const unsigned char *op;
 			unsigned int i, optsize;
@@ -238,9 +238,9 @@ static void dump_packet(const struct nf_loginfo *info,
 		printk("TYPE=%u CODE=%u ", ich->type, ich->code);
 		/* Max length: 25 "INCOMPLETE [65535 bytes] " */
-		if (ich->type <= NR_ICMP_TYPES
+		if (ich->type <= NR_ICMP_TYPES &&
-		    && required_len[ich->type]
+		    required_len[ich->type] &&
-		    && skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
+		    skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
 			printk("INCOMPLETE [%u bytes] ",
 			       skb->len - iphoff - ih->ihl*4);
 			break;
@@ -276,8 +276,8 @@ static void dump_packet(const struct nf_loginfo *info,
 			}
 			/* Max length: 10 "MTU=65535 " */
-			if (ich->type == ICMP_DEST_UNREACH
+			if (ich->type == ICMP_DEST_UNREACH &&
-			    && ich->code == ICMP_FRAG_NEEDED)
+			    ich->code == ICMP_FRAG_NEEDED)
 				printk("MTU=%u ", ntohs(ich->un.frag.mtu));
 		}
 		break;
@@ -407,8 +407,8 @@ ipt_log_packet(u_int8_t pf,
 	if (in && !out) {
 		/* MAC logging for input chain only. */
 		printk("MAC=");
-		if (skb->dev && skb->dev->hard_header_len
+		if (skb->dev && skb->dev->hard_header_len &&
-		    && skb->mac_header != skb->network_header) {
+		    skb->mac_header != skb->network_header) {
 			int i;
 			const unsigned char *p = skb_mac_header(skb);
 			for (i = 0; i < skb->dev->hard_header_len; i++,p++)

--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -59,8 +59,8 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
 	ct = nf_ct_get(skb, &ctinfo);
 	nat = nfct_nat(ct);
-	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED
+	NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
-			    || ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
+			    ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
 	/* Source address is 0.0.0.0 - locally generated packet that is
 	 * probably not supposed to be masqueraded.

--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -184,8 +184,8 @@ static bool reject_tg_check(const struct xt_tgchk_param *par)
 		return false;
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
-		if (e->ip.proto != IPPROTO_TCP
+		if (e->ip.proto != IPPROTO_TCP ||
-		    || (e->ip.invflags & XT_INV_PROTO)) {
+		    (e->ip.invflags & XT_INV_PROTO)) {
 			printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n");
 			return false;
 		}

--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -226,9 +226,9 @@ static void ipt_ulog_packet(unsigned int hooknum,
 	else
 		*(pm->prefix) = '\0';
-	if (in && in->hard_header_len > 0
+	if (in && in->hard_header_len > 0 &&
-	    && skb->mac_header != skb->network_header
+	    skb->mac_header != skb->network_header &&
-	    && in->hard_header_len <= ULOG_MAC_LEN) {
+	    in->hard_header_len <= ULOG_MAC_LEN) {
 		memcpy(pm->mac, skb_mac_header(skb), in->hard_header_len);
 		pm->mac_len = in->hard_header_len;
 	} else

--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -96,8 +96,8 @@ static bool ecn_mt_check(const struct xt_mtchk_param *par)
 	if (info->invert & IPT_ECN_OP_MATCH_MASK)
 		return false;
-	if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)
+	if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
-	    && ip->proto != IPPROTO_TCP) {
+	    ip->proto != IPPROTO_TCP) {
 		printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for"
 		       " non-tcp packets\n");
 		return false;

--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -130,8 +130,8 @@ ipt_local_hook(unsigned int hook,
 	u_int32_t mark;
 	/* root is playing with raw sockets. */
-	if (skb->len < sizeof(struct iphdr)
+	if (skb->len < sizeof(struct iphdr) ||
-	    || ip_hdrlen(skb) < sizeof(struct iphdr))
+	    ip_hdrlen(skb) < sizeof(struct iphdr))
 		return NF_ACCEPT;
 	/* Save things which could affect route */

--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -94,8 +94,8 @@ ipt_local_out_hook(unsigned int hook,
 		   int (*okfn)(struct sk_buff *))
 {
 	/* Somebody is playing with raw sockets. */
-	if (skb->len < sizeof(struct iphdr)
+	if (skb->len < sizeof(struct iphdr) ||
-	    || ip_hdrlen(skb) < sizeof(struct iphdr))
+	    ip_hdrlen(skb) < sizeof(struct iphdr))
 		return NF_ACCEPT;
 	return ipt_do_table(skb, hook, in, out,
 			    dev_net(out)->ipv4.iptable_security);

--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -54,8 +54,8 @@ static const u_int8_t invmap[] = {
 static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple,
 			      const struct nf_conntrack_tuple *orig)
 {
-	if (orig->dst.u.icmp.type >= sizeof(invmap)
+	if (orig->dst.u.icmp.type >= sizeof(invmap) ||
-	    || !invmap[orig->dst.u.icmp.type])
+	    !invmap[orig->dst.u.icmp.type])
 		return false;
 	tuple->src.u.icmp.id = orig->src.u.icmp.id;
@@ -101,8 +101,8 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb,
 		[ICMP_ADDRESS] = 1
 	};
-	if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new)
+	if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) ||
-	    || !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) {
+	    !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) {
 		/* Can't create a new ICMP `conn' with this. */
 		pr_debug("icmp: can't create new conn with type %u\n",
 			 ct->tuplehash[0].tuple.dst.u.icmp.type);
@@ -201,11 +201,11 @@ icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
 	}
 	/* Need to track icmp error message? */
-	if (icmph->type != ICMP_DEST_UNREACH
+	if (icmph->type != ICMP_DEST_UNREACH &&
-	    && icmph->type != ICMP_SOURCE_QUENCH
+	    icmph->type != ICMP_SOURCE_QUENCH &&
-	    && icmph->type != ICMP_TIME_EXCEEDED
+	    icmph->type != ICMP_TIME_EXCEEDED &&
-	    && icmph->type != ICMP_PARAMETERPROB
+	    icmph->type != ICMP_PARAMETERPROB &&
-	    && icmph->type != ICMP_REDIRECT)
+	    icmph->type != ICMP_REDIRECT)
 		return NF_ACCEPT;
 	return icmp_error_message(net, skb, ctinfo, hooknum);
@@ -238,17 +238,17 @@ static const struct nla_policy icmp_nla_policy[CTA_PROTO_MAX+1] = {
 static int icmp_nlattr_to_tuple(struct nlattr *tb[],
 				struct nf_conntrack_tuple *tuple)
 {
-	if (!tb[CTA_PROTO_ICMP_TYPE]
+	if (!tb[CTA_PROTO_ICMP_TYPE] ||
-	    || !tb[CTA_PROTO_ICMP_CODE]
+	    !tb[CTA_PROTO_ICMP_CODE] ||
-	    || !tb[CTA_PROTO_ICMP_ID])
+	    !tb[CTA_PROTO_ICMP_ID])
 		return -EINVAL;
 	tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMP_TYPE]);
 	tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMP_CODE]);
 	tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMP_ID]);
-	if (tuple->dst.u.icmp.type >= sizeof(invmap)
+	if (tuple->dst.u.icmp.type >= sizeof(invmap) ||
-	    || !invmap[tuple->dst.u.icmp.type])
+	    !invmap[tuple->dst.u.icmp.type])
 		return -EINVAL;
 	return 0;

--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -41,18 +41,14 @@ adjust_tcp_sequence(u32 seq,
 		    struct nf_conn *ct,
 		    enum ip_conntrack_info ctinfo)
 {
-	int dir;
+	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
-	struct nf_nat_seq *this_way, *other_way;
 	struct nf_conn_nat *nat = nfct_nat(ct);
+	struct nf_nat_seq *this_way = &nat->seq[dir];
-	pr_debug("adjust_tcp_sequence: seq = %u, sizediff = %d\n", seq, seq);
+	pr_debug("adjust_tcp_sequence: seq = %u, sizediff = %d\n",
+		 seq, sizediff);
-	dir = CTINFO2DIR(ctinfo);
-	this_way = &nat->seq[dir];
-	other_way = &nat->seq[!dir];
-	pr_debug("nf_nat_resize_packet: Seq_offset before: ");
+	pr_debug("adjust_tcp_sequence: Seq_offset before: ");
 	DUMP_OFFSET(this_way);
 	spin_lock_bh(&nf_nat_seqofs_lock);
@@ -63,13 +59,13 @@ adjust_tcp_sequence(u32 seq,
 	 * retransmit */
 	if (this_way->offset_before == this_way->offset_after ||
 	    before(this_way->correction_pos, seq)) {
-		   this_way->correction_pos = seq;
+		this_way->correction_pos = seq;
-		   this_way->offset_before = this_way->offset_after;
+		this_way->offset_before = this_way->offset_after;
-		   this_way->offset_after += sizediff;
+		this_way->offset_after += sizediff;
 	}
 	spin_unlock_bh(&nf_nat_seqofs_lock);
-	pr_debug("nf_nat_resize_packet: Seq_offset after: ");
+	pr_debug("adjust_tcp_sequence: Seq_offset after: ");
 	DUMP_OFFSET(this_way);
 }

--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -197,11 +197,11 @@ nf_nat_out(unsigned int hooknum,
 	    (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
 		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
-		if (ct->tuplehash[dir].tuple.src.u3.ip !=
+		if ((ct->tuplehash[dir].tuple.src.u3.ip !=
-		    ct->tuplehash[!dir].tuple.dst.u3.ip
+		     ct->tuplehash[!dir].tuple.dst.u3.ip) ||
-		    || ct->tuplehash[dir].tuple.src.u.all !=
+		    (ct->tuplehash[dir].tuple.src.u.all !=
-		       ct->tuplehash[!dir].tuple.dst.u.all
+		     ct->tuplehash[!dir].tuple.dst.u.all)
-		    )
+		   )
 			return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
 	}
 #endif

--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -499,8 +499,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
 {
 	struct netlink_notify *n = ptr;
-	if (event == NETLINK_URELEASE &&
+	if (event == NETLINK_URELEASE && n->protocol == NETLINK_IP6_FW) {
-	    n->protocol == NETLINK_IP6_FW && n->pid) {
 		write_lock_bh(&queue_lock);
 		if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
 			__ipq_reset();
@@ -625,7 +624,7 @@ cleanup_netlink_notifier:
 static void __exit ip6_queue_fini(void)
 {
 	nf_unregister_queue_handlers(&nfqh);
-	synchronize_net();
 	ipq_flush(NULL, 0);
 #ifdef CONFIG_SYSCTL

--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -105,9 +105,9 @@ ip6_packet_match(const struct sk_buff *skb,
 #define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
 	if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
-				       &ip6info->src), IP6T_INV_SRCIP)
+				       &ip6info->src), IP6T_INV_SRCIP) ||
-	    || FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
+	    FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
-					  &ip6info->dst), IP6T_INV_DSTIP)) {
+				       &ip6info->dst), IP6T_INV_DSTIP)) {
 		dprintf("Source or dest mismatch.\n");
 /*
 		dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
@@ -277,11 +277,11 @@ get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
 	} else if (s == e) {
 		(*rulenum)++;
-		if (s->target_offset == sizeof(struct ip6t_entry)
+		if (s->target_offset == sizeof(struct ip6t_entry) &&
-		   && strcmp(t->target.u.kernel.target->name,
+		    strcmp(t->target.u.kernel.target->name,
-			     IP6T_STANDARD_TARGET) == 0
+			   IP6T_STANDARD_TARGET) == 0 &&
-		   && t->verdict < 0
+		    t->verdict < 0 &&
-		   && unconditional(&s->ipv6)) {
+		    unconditional(&s->ipv6)) {
 			/* Tail of chains: STANDARD target (return/policy) */
 			*comment = *chainname == hookname
 				? comments[NF_IP6_TRACE_COMMENT_POLICY]
@@ -418,8 +418,8 @@ ip6t_do_table(struct sk_buff *skb,
 				back = get_entry(table_base, back->comefrom);
 				continue;
 			}
-			if (table_base + v != ip6t_next_entry(e)
+			if (table_base + v != ip6t_next_entry(e) &&
-			    && !(e->ipv6.flags & IP6T_F_GOTO)) {
+			    !(e->ipv6.flags & IP6T_F_GOTO)) {
 				/* Save old back ptr in next entry */
 				struct ip6t_entry *next = ip6t_next_entry(e);
 				next->comefrom = (void *)back - table_base;
@@ -505,11 +505,11 @@ mark_source_chains(struct xt_table_info *newinfo,
 			e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
 			/* Unconditional return/END. */
-			if ((e->target_offset == sizeof(struct ip6t_entry)
+			if ((e->target_offset == sizeof(struct ip6t_entry) &&
-			    && (strcmp(t->target.u.user.name,
+			     (strcmp(t->target.u.user.name,
-				       IP6T_STANDARD_TARGET) == 0)
+				     IP6T_STANDARD_TARGET) == 0) &&
-			    && t->verdict < 0
+			     t->verdict < 0 &&
-			    && unconditional(&e->ipv6)) || visited) {
+			     unconditional(&e->ipv6)) || visited) {
 				unsigned int oldpos, size;
 				if ((strcmp(t->target.u.user.name,
@@ -556,8 +556,8 @@ mark_source_chains(struct xt_table_info *newinfo,
 				int newpos = t->verdict;
 				if (strcmp(t->target.u.user.name,
-					   IP6T_STANDARD_TARGET) == 0
+					   IP6T_STANDARD_TARGET) == 0 &&
-				    && newpos >= 0) {
+				    newpos >= 0) {
 					if (newpos > newinfo->size -
 						sizeof(struct ip6t_entry)) {
 						duprintf("mark_source_chains: "
@@ -767,8 +767,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
 {
 	unsigned int h;
-	if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0
+	if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
-	    || (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
+	    (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
 		duprintf("Bad offset %p\n", e);
 		return -EINVAL;
 	}
@@ -1584,8 +1584,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
 	int ret, off, h;
 	duprintf("check_compat_entry_size_and_hooks %p\n", e);
-	if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0
+	if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
-	    || (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
+	    (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
 		duprintf("Bad offset %p, limit = %p\n", e, limit);
 		return -EINVAL;
 	}

--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -249,8 +249,8 @@ static void dump_packet(const struct nf_loginfo *info,
 		/* Max length: 11 "URGP=65535 " */
 		printk("URGP=%u ", ntohs(th->urg_ptr));
-		if ((logflags & IP6T_LOG_TCPOPT)
+		if ((logflags & IP6T_LOG_TCPOPT) &&
-		    && th->doff * 4 > sizeof(struct tcphdr)) {
+		    th->doff * 4 > sizeof(struct tcphdr)) {
 			u_int8_t _opt[60 - sizeof(struct tcphdr)];
 			const u_int8_t *op;
 			unsigned int i;

--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -223,8 +223,8 @@ static bool reject_tg6_check(const struct xt_tgchk_param *par)
 		return false;
 	} else if (rejinfo->with == IP6T_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
-		if (e->ipv6.proto != IPPROTO_TCP
+		if (e->ipv6.proto != IPPROTO_TCP ||
-		    || (e->ipv6.invflags & XT_INV_PROTO)) {
+		    (e->ipv6.invflags & XT_INV_PROTO)) {
 			printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
 			return false;
 		}

--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -77,17 +77,14 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 		 ahinfo->hdrres, ah->reserved,
 		 !(ahinfo->hdrres && ah->reserved));
-	return (ah != NULL)
+	return (ah != NULL) &&
-	       &&
+		spi_match(ahinfo->spis[0], ahinfo->spis[1],
-	       spi_match(ahinfo->spis[0], ahinfo->spis[1],
+			  ntohl(ah->spi),
-			 ntohl(ah->spi),
+			  !!(ahinfo->invflags & IP6T_AH_INV_SPI)) &&
-			 !!(ahinfo->invflags & IP6T_AH_INV_SPI))
+		(!ahinfo->hdrlen ||
-	       &&
+		 (ahinfo->hdrlen == hdrlen) ^
-	       (!ahinfo->hdrlen ||
+		 !!(ahinfo->invflags & IP6T_AH_INV_LEN)) &&
-		(ahinfo->hdrlen == hdrlen) ^
+		!(ahinfo->hdrres && ah->reserved);
-		!!(ahinfo->invflags & IP6T_AH_INV_LEN))
-	       &&
-	       !(ahinfo->hdrres && ah->reserved);
 }
 static bool ah_mt6_check(const struct xt_mtchk_param *par)

--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -70,41 +70,36 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 	pr_debug("res %02X %02X%04X %02X ",
 		 fraginfo->flags & IP6T_FRAG_RES, fh->reserved,
 		 ntohs(fh->frag_off) & 0x6,
-		 !((fraginfo->flags & IP6T_FRAG_RES)
+		 !((fraginfo->flags & IP6T_FRAG_RES) &&
-		   && (fh->reserved || (ntohs(fh->frag_off) & 0x06))));
+		   (fh->reserved || (ntohs(fh->frag_off) & 0x06))));
 	pr_debug("first %02X %02X %02X ",
 		 fraginfo->flags & IP6T_FRAG_FST,
 		 ntohs(fh->frag_off) & ~0x7,
-		 !((fraginfo->flags & IP6T_FRAG_FST)
+		 !((fraginfo->flags & IP6T_FRAG_FST) &&
-		   && (ntohs(fh->frag_off) & ~0x7)));
+		   (ntohs(fh->frag_off) & ~0x7)));
 	pr_debug("mf %02X %02X %02X ",
 		 fraginfo->flags & IP6T_FRAG_MF,
 		 ntohs(fh->frag_off) & IP6_MF,
-		 !((fraginfo->flags & IP6T_FRAG_MF)
+		 !((fraginfo->flags & IP6T_FRAG_MF) &&
-		   && !((ntohs(fh->frag_off) & IP6_MF))));
+		   !((ntohs(fh->frag_off) & IP6_MF))));
 	pr_debug("last %02X %02X %02X\n",
 		 fraginfo->flags & IP6T_FRAG_NMF,
 		 ntohs(fh->frag_off) & IP6_MF,
-		 !((fraginfo->flags & IP6T_FRAG_NMF)
+		 !((fraginfo->flags & IP6T_FRAG_NMF) &&
-		   && (ntohs(fh->frag_off) & IP6_MF)));
+		   (ntohs(fh->frag_off) & IP6_MF)));
-	return (fh != NULL)
+	return (fh != NULL) &&
-	       &&
+		id_match(fraginfo->ids[0], fraginfo->ids[1],
-	       id_match(fraginfo->ids[0], fraginfo->ids[1],
+			 ntohl(fh->identification),
-			ntohl(fh->identification),
+			 !!(fraginfo->invflags & IP6T_FRAG_INV_IDS)) &&
-			!!(fraginfo->invflags & IP6T_FRAG_INV_IDS))
+		!((fraginfo->flags & IP6T_FRAG_RES) &&
-	       &&
+		  (fh->reserved || (ntohs(fh->frag_off) & 0x6))) &&
-	       !((fraginfo->flags & IP6T_FRAG_RES)
+		!((fraginfo->flags & IP6T_FRAG_FST) &&
-		 && (fh->reserved || (ntohs(fh->frag_off) & 0x6)))
+		  (ntohs(fh->frag_off) & ~0x7)) &&
-	       &&
+		!((fraginfo->flags & IP6T_FRAG_MF) &&
-	       !((fraginfo->flags & IP6T_FRAG_FST)
+		  !(ntohs(fh->frag_off) & IP6_MF)) &&
-		 && (ntohs(fh->frag_off) & ~0x7))
+		!((fraginfo->flags & IP6T_FRAG_NMF) &&
-	       &&
+		  (ntohs(fh->frag_off) & IP6_MF));
-	       !((fraginfo->flags & IP6T_FRAG_MF)
-		 && !(ntohs(fh->frag_off) & IP6_MF))
-	       &&
-	       !((fraginfo->flags & IP6T_FRAG_NMF)
-		 && (ntohs(fh->frag_off) & IP6_MF));
 }
 static bool frag_mt6_check(const struct xt_mtchk_param *par)

--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -92,16 +92,13 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 		 !((rtinfo->flags & IP6T_RT_RES) &&
 		   (((const struct rt0_hdr *)rh)->reserved)));
-	ret = (rh != NULL)
+	ret = (rh != NULL) &&
-	      &&
 	      (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
 			      rh->segments_left,
-			      !!(rtinfo->invflags & IP6T_RT_INV_SGS)))
+			      !!(rtinfo->invflags & IP6T_RT_INV_SGS))) &&
-	      &&
 	      (!(rtinfo->flags & IP6T_RT_LEN) ||
 	       ((rtinfo->hdrlen == hdrlen) ^
-		!!(rtinfo->invflags & IP6T_RT_INV_LEN)))
+		!!(rtinfo->invflags & IP6T_RT_INV_LEN))) &&
-	      &&
 	      (!(rtinfo->flags & IP6T_RT_TYP) ||
 	       ((rtinfo->rt_type == rh->type) ^
 		!!(rtinfo->invflags & IP6T_RT_INV_TYP)));

--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -79,8 +79,8 @@ ip6t_local_out_hook(unsigned int hook,
 {
 #if 0
 	/* root is playing with raw sockets. */
-	if (skb->len < sizeof(struct iphdr)
+	if (skb->len < sizeof(struct iphdr) ||
-	    || ip_hdrlen(skb) < sizeof(struct iphdr)) {
+	    ip_hdrlen(skb) < sizeof(struct iphdr)) {
 		if (net_ratelimit())
 			printk("ip6t_hook: happy cracking.\n");
 		return NF_ACCEPT;

--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -102,8 +102,8 @@ ip6t_local_out_hook(unsigned int hook,
 #if 0
 	/* root is playing with raw sockets. */
-	if (skb->len < sizeof(struct iphdr)
+	if (skb->len < sizeof(struct iphdr) ||
-	    || ip_hdrlen(skb) < sizeof(struct iphdr)) {
+	    ip_hdrlen(skb) < sizeof(struct iphdr)) {
 		if (net_ratelimit())
 			printk("ip6t_hook: happy cracking.\n");
 		return NF_ACCEPT;
@@ -122,11 +122,11 @@ ip6t_local_out_hook(unsigned int hook,
 	ret = ip6t_do_table(skb, hook, in, out,
 			    dev_net(out)->ipv6.ip6table_mangle);
-	if (ret != NF_DROP && ret != NF_STOLEN
+	if (ret != NF_DROP && ret != NF_STOLEN &&
-		&& (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
+	    (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
-		    || memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr))
+	     memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
-		    || skb->mark != mark
+	     skb->mark != mark ||
-		    || ipv6_hdr(skb)->hop_limit != hop_limit))
+	     ipv6_hdr(skb)->hop_limit != hop_limit))
 		return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;
 	return ret;

--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -244,18 +244,18 @@ static const struct nla_policy icmpv6_nla_policy[CTA_PROTO_MAX+1] = {
 static int icmpv6_nlattr_to_tuple(struct nlattr *tb[],
 				struct nf_conntrack_tuple *tuple)
 {
-	if (!tb[CTA_PROTO_ICMPV6_TYPE]
+	if (!tb[CTA_PROTO_ICMPV6_TYPE] ||
-	    || !tb[CTA_PROTO_ICMPV6_CODE]
+	    !tb[CTA_PROTO_ICMPV6_CODE] ||
-	    || !tb[CTA_PROTO_ICMPV6_ID])
+	    !tb[CTA_PROTO_ICMPV6_ID])
 		return -EINVAL;
 	tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMPV6_TYPE]);
 	tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMPV6_CODE]);
 	tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMPV6_ID]);
-	if (tuple->dst.u.icmp.type < 128
+	if (tuple->dst.u.icmp.type < 128 ||
-	    || tuple->dst.u.icmp.type - 128 >= sizeof(invmap)
+	    tuple->dst.u.icmp.type - 128 >= sizeof(invmap) ||
-	    || !invmap[tuple->dst.u.icmp.type - 128])
+	    !invmap[tuple->dst.u.icmp.type - 128])
 		return -EINVAL;
 	return 0;

--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -512,11 +512,17 @@ static noinline int early_drop(struct net *net, unsigned int hash)
 			cnt++;
 		}
-		if (ct && unlikely(nf_ct_is_dying(ct) ||
+		if (ct != NULL) {
-				   !atomic_inc_not_zero(&ct->ct_general.use)))
+			if (likely(!nf_ct_is_dying(ct) &&
-			ct = NULL;
+				   atomic_inc_not_zero(&ct->ct_general.use)))
-		if (ct || cnt >= NF_CT_EVICTION_RANGE)
+				break;
+			else
+				ct = NULL;
+		}
+		if (cnt >= NF_CT_EVICTION_RANGE)
 			break;
 		hash = (hash + 1) % nf_conntrack_htable_size;
 	}
 	rcu_read_unlock();

--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -896,23 +896,54 @@ static int tcp_packet(struct nf_conn *ct,
 			/* b) This SYN/ACK acknowledges a SYN that we earlier
 			 * ignored as invalid. This means that the client and
 			 * the server are both in sync, while the firewall is
-			 * not. We kill this session and block the SYN/ACK so
+			 * not. We get in sync from the previously annotated
-			 * that the client cannot but retransmit its SYN and
+			 * values.
-			 * thus initiate a clean new session.
 			 */
-			spin_unlock_bh(&ct->lock);
+			old_state = TCP_CONNTRACK_SYN_SENT;
-			if (LOG_INVALID(net, IPPROTO_TCP))
+			new_state = TCP_CONNTRACK_SYN_RECV;
-				nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+			ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end =
-					  "nf_ct_tcp: killing out of sync session ");
+				ct->proto.tcp.last_end;
-			nf_ct_kill(ct);
+			ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend =
-			return NF_DROP;
+				ct->proto.tcp.last_end;
+			ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin =
+				ct->proto.tcp.last_win == 0 ?
+					1 : ct->proto.tcp.last_win;
+			ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
+				ct->proto.tcp.last_wscale;
+			ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
+				ct->proto.tcp.last_flags;
+			memset(&ct->proto.tcp.seen[dir], 0,
+			       sizeof(struct ip_ct_tcp_state));
+			break;
 		}
 		ct->proto.tcp.last_index = index;
 		ct->proto.tcp.last_dir = dir;
 		ct->proto.tcp.last_seq = ntohl(th->seq);
 		ct->proto.tcp.last_end =
 		    segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
+		ct->proto.tcp.last_win = ntohs(th->window);
+		/* a) This is a SYN in ORIGINAL. The client and the server
+		 * may be in sync but we are not. In that case, we annotate
+		 * the TCP options and let the packet go through. If it is a
+		 * valid SYN packet, the server will reply with a SYN/ACK, and
+		 * then we'll get in sync. Otherwise, the server ignores it. */
+		if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
+			struct ip_ct_tcp_state seen = {};
+			ct->proto.tcp.last_flags =
+			ct->proto.tcp.last_wscale = 0;
+			tcp_options(skb, dataoff, th, &seen);
+			if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
+				ct->proto.tcp.last_flags |=
+					IP_CT_TCP_FLAG_WINDOW_SCALE;
+				ct->proto.tcp.last_wscale = seen.td_scale;
+			}
+			if (seen.flags & IP_CT_TCP_FLAG_SACK_PERM) {
+				ct->proto.tcp.last_flags |=
+					IP_CT_TCP_FLAG_SACK_PERM;
+			}
+		}
 		spin_unlock_bh(&ct->lock);
 		if (LOG_INVALID(net, IPPROTO_TCP))
 			nf_log_packet(pf, 0, skb, NULL, NULL, NULL,

--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -666,8 +666,7 @@ nfulnl_rcv_nl_event(struct notifier_block *this,
 {
 	struct netlink_notify *n = ptr;
-	if (event == NETLINK_URELEASE &&
+	if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
-	    n->protocol == NETLINK_NETFILTER && n->pid) {
 		int i;
 		/* destroy all instances for this pid */

--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -574,8 +574,7 @@ nfqnl_rcv_nl_event(struct notifier_block *this,
 {
 	struct netlink_notify *n = ptr;
-	if (event == NETLINK_URELEASE &&
+	if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
-	    n->protocol == NETLINK_NETFILTER && n->pid) {
 		int i;
 		/* destroy all instances for this pid */

--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -113,7 +113,8 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
 }
 static bool
-conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
+             u16 state_mask, u16 status_mask)
 {
 	const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
 	enum ip_conntrack_info ctinfo;
@@ -136,7 +137,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 			if (test_bit(IPS_DST_NAT_BIT, &ct->status))
 				statebit |= XT_CONNTRACK_STATE_DNAT;
 		}
-		if (!!(info->state_mask & statebit) ^
+		if (!!(state_mask & statebit) ^
 		    !(info->invert_flags & XT_CONNTRACK_STATE))
 			return false;
 	}
@@ -172,7 +173,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 		return false;
 	if ((info->match_flags & XT_CONNTRACK_STATUS) &&
-	    (!!(info->status_mask & ct->status) ^
+	    (!!(status_mask & ct->status) ^
 	    !(info->invert_flags & XT_CONNTRACK_STATUS)))
 		return false;
@@ -192,11 +193,17 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 static bool
 conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-	const struct xt_conntrack_mtinfo2 *const *info = par->matchinfo;
+	const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
-	struct xt_match_param newpar = *par;
-	newpar.matchinfo = *info;
+	return conntrack_mt(skb, par, info->state_mask, info->status_mask);
-	return conntrack_mt(skb, &newpar);
+}
+static bool
+conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
+{
+	const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
+	return conntrack_mt(skb, par, info->state_mask, info->status_mask);
 }
 static bool conntrack_mt_check(const struct xt_mtchk_param *par)
@@ -209,45 +216,11 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
 	return true;
 }
-static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
-{
-	struct xt_conntrack_mtinfo1 *info = par->matchinfo;
-	struct xt_conntrack_mtinfo2 *up;
-	int ret = conntrack_mt_check(par);
-	if (ret < 0)
-		return ret;
-	up = kmalloc(sizeof(*up), GFP_KERNEL);
-	if (up == NULL) {
-		nf_ct_l3proto_module_put(par->family);
-		return -ENOMEM;
-	}
-	/*
-	 * The strategy here is to minimize the overhead of v1 matching,
-	 * by prebuilding a v2 struct and putting the pointer into the
-	 * v1 dataspace.
-	 */
-	memcpy(up, info, offsetof(typeof(*info), state_mask));
-	up->state_mask  = info->state_mask;
-	up->status_mask = info->status_mask;
-	*(void **)info  = up;
-	return true;
-}
 static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
 {
 	nf_ct_l3proto_module_put(par->family);
 }
-static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
-{
-	struct xt_conntrack_mtinfo2 **info = par->matchinfo;
-	kfree(*info);
-	conntrack_mt_destroy(par);
-}
 static struct xt_match conntrack_mt_reg[] __read_mostly = {
 	{
 		.name       = "conntrack",
@@ -255,8 +228,8 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
 		.family     = NFPROTO_UNSPEC,
 		.matchsize  = sizeof(struct xt_conntrack_mtinfo1),
 		.match      = conntrack_mt_v1,
-		.checkentry = conntrack_mt_check_v1,
+		.checkentry = conntrack_mt_check,
-		.destroy    = conntrack_mt_destroy_v1,
+		.destroy    = conntrack_mt_destroy,
 		.me         = THIS_MODULE,
 	},
 	{
@@ -264,7 +237,7 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
 		.revision   = 2,
 		.family     = NFPROTO_UNSPEC,
 		.matchsize  = sizeof(struct xt_conntrack_mtinfo2),
-		.match      = conntrack_mt,
+		.match      = conntrack_mt_v2,
 		.checkentry = conntrack_mt_check,
 		.destroy    = conntrack_mt_destroy,
 		.me         = THIS_MODULE,

--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -192,7 +192,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
 		.revision	= 0,
 		.family		= NFPROTO_IPV4,
 		.match		= socket_mt_v0,
-		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.hooks		= (1 << NF_INET_PRE_ROUTING) |
+				  (1 << NF_INET_LOCAL_IN),
 		.me		= THIS_MODULE,
 	},
 	{
@@ -201,7 +202,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
 		.family		= NFPROTO_IPV4,
 		.match		= socket_mt_v1,
 		.matchsize	= sizeof(struct xt_socket_mtinfo1),
-		.hooks		= 1 << NF_INET_PRE_ROUTING,
+		.hooks		= (1 << NF_INET_PRE_ROUTING) |
+				  (1 << NF_INET_LOCAL_IN),
 		.me		= THIS_MODULE,
 	},
 };