Commit 1439caa1 authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

The following patchset contains Netfilter fixes for net:

1) Crash due to missing initialization of timer data in
   xt_IDLETIMER, from Juhee Kang.

2) NF_CONNTRACK_SECMARK should be bool in Kconfig, from Vegard Nossum.

3) Skip netdev events on netns removal, from Florian Westphal.

4) Add testcase to show port shadowing via UDP, also from Florian.

5) Remove pr_debug() code in ip6t_rt, this fixes a crash due to
   unsafe access to non-linear skbuff, from Xin Long.

6) Make net/ipv4/vs/debug_level read-only from non-init netns,
   from Antoine Tenart.

7) Remove bogus invocation to bash in selftests/netfilter/nft_flowtable.sh
   also from Florian.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents e0bfcf9c d9aaaf22
+3 −1
@@ -926,7 +926,9 @@ static int translate_table(struct net *net, const char *name,
			return -ENOMEM;
		for_each_possible_cpu(i) {
			newinfo->chainstack[i] =
			  vmalloc(array_size(udc_cnt, sizeof(*(newinfo->chainstack[0]))));
			  vmalloc_node(array_size(udc_cnt,
					  sizeof(*(newinfo->chainstack[0]))),
				       cpu_to_node(i));
			if (!newinfo->chainstack[i]) {
				while (i)
					vfree(newinfo->chainstack[--i]);
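Review bot: The new vmalloc_node() call at the top of the hunk would benefit from a one-line comment stating the intent, because for_each_possible_cpu() also iterates CPUs that are not online and a reader may wonder whether cpu_to_node(i) is meaningful for those. If vmalloc_node() treats the node as a preference rather than a requirement (it appears to, but confirm), something like `/* prefer memory local to the CPU that owns this chainstack */` records why the plain vmalloc() was replaced. The cleanup loop on the last two lines still frees only the entries allocated so far, which matches the new call. translate_table() starts and ends outside this hunk.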
+6 −42
@@ -25,12 +25,7 @@ MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
static inline bool
segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
{
	bool r;
	pr_debug("segsleft_match:%c 0x%x <= 0x%x <= 0x%x\n",
		 invert ? '!' : ' ', min, id, max);
	r = (id >= min && id <= max) ^ invert;
	pr_debug(" result %s\n", r ? "PASS" : "FAILED");
	return r;
	return (id >= min && id <= max) ^ invert;
}

static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
@@ -65,30 +60,6 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
		return false;
	}

	pr_debug("IPv6 RT LEN %u %u ", hdrlen, rh->hdrlen);
	pr_debug("TYPE %04X ", rh->type);
	pr_debug("SGS_LEFT %u %02X\n", rh->segments_left, rh->segments_left);

	pr_debug("IPv6 RT segsleft %02X ",
		 segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
				rh->segments_left,
				!!(rtinfo->invflags & IP6T_RT_INV_SGS)));
	pr_debug("type %02X %02X %02X ",
		 rtinfo->rt_type, rh->type,
		 (!(rtinfo->flags & IP6T_RT_TYP) ||
		  ((rtinfo->rt_type == rh->type) ^
		   !!(rtinfo->invflags & IP6T_RT_INV_TYP))));
	pr_debug("len %02X %04X %02X ",
		 rtinfo->hdrlen, hdrlen,
		 !(rtinfo->flags & IP6T_RT_LEN) ||
		  ((rtinfo->hdrlen == hdrlen) ^
		   !!(rtinfo->invflags & IP6T_RT_INV_LEN)));
	pr_debug("res %02X %02X %02X ",
		 rtinfo->flags & IP6T_RT_RES,
		 ((const struct rt0_hdr *)rh)->reserved,
		 !((rtinfo->flags & IP6T_RT_RES) &&
		   (((const struct rt0_hdr *)rh)->reserved)));

	ret = (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
			      rh->segments_left,
			      !!(rtinfo->invflags & IP6T_RT_INV_SGS))) &&
@@ -107,22 +78,22 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
						       reserved),
					sizeof(_reserved),
					&_reserved);
		if (!rp) {
			par->hotdrop = true;
			return false;
		}

		ret = (*rp == 0);
	}

	pr_debug("#%d ", rtinfo->addrnr);
	if (!(rtinfo->flags & IP6T_RT_FST)) {
		return ret;
	} else if (rtinfo->flags & IP6T_RT_FST_NSTRICT) {
		pr_debug("Not strict ");
		if (rtinfo->addrnr > (unsigned int)((hdrlen - 8) / 16)) {
			pr_debug("There isn't enough space\n");
			return false;
		} else {
			unsigned int i = 0;

			pr_debug("#%d ", rtinfo->addrnr);
			for (temp = 0;
			     temp < (unsigned int)((hdrlen - 8) / 16);
			     temp++) {
@@ -138,26 +109,20 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
					return false;
				}

				if (ipv6_addr_equal(ap, &rtinfo->addrs[i])) {
					pr_debug("i=%d temp=%d;\n", i, temp);
				if (ipv6_addr_equal(ap, &rtinfo->addrs[i]))
					i++;
				}
				if (i == rtinfo->addrnr)
					break;
			}
			pr_debug("i=%d #%d\n", i, rtinfo->addrnr);
			if (i == rtinfo->addrnr)
				return ret;
			else
				return false;
		}
	} else {
		pr_debug("Strict ");
		if (rtinfo->addrnr > (unsigned int)((hdrlen - 8) / 16)) {
			pr_debug("There isn't enough space\n");
			return false;
		} else {
			pr_debug("#%d ", rtinfo->addrnr);
			for (temp = 0; temp < rtinfo->addrnr; temp++) {
				ap = skb_header_pointer(skb,
							ptr
@@ -173,7 +138,6 @@ static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
				if (!ipv6_addr_equal(ap, &rtinfo->addrs[temp]))
					break;
			}
			pr_debug("temp=%d #%d\n", temp, rtinfo->addrnr);
			if (temp == rtinfo->addrnr &&
			    temp == (unsigned int)((hdrlen - 8) / 16))
				return ret;
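Review bot: The address-count bound `(unsigned int)((hdrlen - 8) / 16)` now appears four times in the kept code of the @@ -107 and @@ -173 hunks (two comparisons against rtinfo->addrnr and two loop bounds), so a single local near the top of rt_mt6(), e.g. `const unsigned int naddr = (hdrlen - 8) / 16;`, would make the non-strict and strict branches read the same and leave one place to confirm that hdrlen is at least 8 before the subtraction; whether an earlier check guarantees that is not visible here, since rt_mt6() starts before the @@ -65 hunk and ends after the @@ -173 hunk. segsleft_match() in the @@ -25 hunk is now a bare expression with no comment; `/* inclusive range test on segments_left, XORed with the invert flag */` above it would preserve what the removed pr_debug lines used to hint at.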
+1 −1
@@ -109,7 +109,7 @@ config NF_CONNTRACK_MARK
config NF_CONNTRACK_SECMARK
	bool  'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	default y if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
+5 −0
@@ -4090,6 +4090,11 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
	tbl[idx++].data = &ipvs->sysctl_conn_reuse_mode;
	tbl[idx++].data = &ipvs->sysctl_schedule_icmp;
	tbl[idx++].data = &ipvs->sysctl_ignore_tunneled;
#ifdef CONFIG_IP_VS_DEBUG
	/* Global sysctls must be ro in non-init netns */
	if (!net_eq(net, &init_net))
		tbl[idx++].mode = 0444;
#endif

	ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
	if (ipvs->sysctl_hdr == NULL) {
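Review bot: The added `tbl[idx++].mode = 0444;` identifies the debug_level entry purely by its position after sysctl_ignore_tunneled, and the increment runs only for non-init namespaces, so idx differs per namespace after this block; that is harmless if nothing past the hunk reads idx, but ip_vs_control_net_init_sysctl() continues beyond what is shown, so I cannot confirm it. Naming the entry would make the positional dependency explicit, e.g. `/* debug_level is the next entry: a global sysctl, so read-only outside init_net */`. Keeping the increment inside the `#ifdef` but outside the condition (`tbl[idx].mode = 0444;` under the `if`, then `idx++;`) would leave idx consistent across namespaces.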
+3 −6
@@ -342,12 +342,6 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev,
		return;
	}

	/* UNREGISTER events are also happening on netns exit.
	 *
	 * Although nf_tables core releases all tables/chains, only this event
	 * handler provides guarantee that hook->ops.dev is still accessible,
	 * so we cannot skip exiting net namespaces.
	 */
	__nft_release_basechain(ctx);
}

@@ -366,6 +360,9 @@ static int nf_tables_netdev_event(struct notifier_block *this,
	    event != NETDEV_CHANGENAME)
		return NOTIFY_DONE;

	if (!check_net(ctx.net))
		return NOTIFY_DONE;

	nft_net = nft_pernet(ctx.net);
	mutex_lock(&nft_net->commit_mutex);
	list_for_each_entry(table, &nft_net->tables, list) {
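Review bot: The new `check_net(ctx.net)` guard replaces a comment (removed in the @@ -342 hunk) that explained why exiting namespaces were previously not skipped, but nothing now says why skipping them is safe. Assuming the nf_tables netns exit path releases the basechains itself (the removed comment suggests that is the reason, but confirm), a one-line comment such as `/* a netns being torn down releases its basechains in its exit path */` above the check would keep that reasoning in the code. nf_tables_netdev_event() starts before this hunk and continues after it.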