[NETFILTER]: nf_conntrack_sip: RTP routing optimization

[linux-2.6-omap-h63xx.git] / net / netfilter / core.c

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 631d26948314a55d51a6ba09e55fe816a0db8029..292fa28146fb33cfe5beb77e70c95a4f8caa96e2 100644 (file)
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -26,10 +26,10 @@
 
 static DEFINE_MUTEX(afinfo_mutex);
 
-struct nf_afinfo *nf_afinfo[NPROTO] __read_mostly;
+const struct nf_afinfo *nf_afinfo[NPROTO] __read_mostly;
 EXPORT_SYMBOL(nf_afinfo);
 
-int nf_register_afinfo(struct nf_afinfo *afinfo)
+int nf_register_afinfo(const struct nf_afinfo *afinfo)
 {
        int err;
 
@@ -42,7 +42,7 @@ int nf_register_afinfo(struct nf_afinfo *afinfo)
 }
 EXPORT_SYMBOL_GPL(nf_register_afinfo);
 
-void nf_unregister_afinfo(struct nf_afinfo *afinfo)
+void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
 {
        mutex_lock(&afinfo_mutex);
        rcu_assign_pointer(nf_afinfo[afinfo->family], NULL);
@@ -51,28 +51,23 @@ void nf_unregister_afinfo(struct nf_afinfo *afinfo)
 }
 EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
 
-/* In this code, we can be waiting indefinitely for userspace to
- * service a packet if a hook returns NF_QUEUE.  We could keep a count
- * of skbuffs queued for userspace, and not deregister a hook unless
- * this is zero, but that sucks.  Now, we simply check when the
- * packets come back: if the hook is gone, the packet is discarded. */
 struct list_head nf_hooks[NPROTO][NF_MAX_HOOKS] __read_mostly;
 EXPORT_SYMBOL(nf_hooks);
 static DEFINE_MUTEX(nf_hook_mutex);
 
 int nf_register_hook(struct nf_hook_ops *reg)
 {
-       struct list_head *i;
+       struct nf_hook_ops *elem;
        int err;
 
        err = mutex_lock_interruptible(&nf_hook_mutex);
        if (err < 0)
                return err;
-       list_for_each(i, &nf_hooks[reg->pf][reg->hooknum]) {
-               if (reg->priority < ((struct nf_hook_ops *)i)->priority)
+       list_for_each_entry(elem, &nf_hooks[reg->pf][reg->hooknum], list) {
+               if (reg->priority < elem->priority)
                        break;
        }
-       list_add_rcu(&reg->list, i->prev);
+       list_add_rcu(&reg->list, elem->list.prev);
        mutex_unlock(&nf_hook_mutex);
        return 0;
 }
@@ -170,6 +165,14 @@ int nf_hook_slow(int pf, unsigned int hook, struct sk_buff *skb,
        unsigned int verdict;
        int ret = 0;
 
+#ifdef CONFIG_NET_NS
+       struct net *net;
+
+       net = indev == NULL ? dev_net(outdev) : dev_net(indev);
+       if (net != &init_net)
+               return 1;
+#endif
+
        /* We may already have this, but read-locks nest anyway */
        rcu_read_lock();
 
@@ -183,8 +186,7 @@ next_hook:
        } else if (verdict == NF_DROP) {
                kfree_skb(skb);
                ret = -EPERM;
-       } else if ((verdict & NF_VERDICT_MASK)  == NF_QUEUE) {
-               NFDEBUG("nf_hook: Verdict = QUEUE.\n");
+       } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
                if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
                              verdict >> NF_VERDICT_BITS))
                        goto next_hook;
@@ -278,3 +280,12 @@ void __init netfilter_init(void)
        if (netfilter_log_init() < 0)
                panic("cannot initialize nf_log");
 }
+
+#ifdef CONFIG_SYSCTL
+struct ctl_path nf_net_netfilter_sysctl_path[] = {
+       { .procname = "net", .ctl_name = CTL_NET, },
+       { .procname = "netfilter", .ctl_name = NET_NETFILTER, },
+       { }
+};
+EXPORT_SYMBOL_GPL(nf_net_netfilter_sysctl_path);
+#endif /* CONFIG_SYSCTL */