From b9ec7294bc08fb4844fc02377f0b12fc8cc5b46f Mon Sep 17 00:00:00 2001 From: Sapan Bhatia Date: Sat, 7 Jun 2008 22:51:05 +0000 Subject: [PATCH] Last adjustment before tagging. --- linux-2.6-520-vnet+.patch | 54 +++++++++++++++++++++++++++++++-------- 1 file changed, 44 insertions(+), 10 deletions(-) diff --git a/linux-2.6-520-vnet+.patch b/linux-2.6-520-vnet+.patch index e06708354..f425f62a9 100644 --- a/linux-2.6-520-vnet+.patch +++ b/linux-2.6-520-vnet+.patch @@ -707,7 +707,7 @@ diff -Nurb linux-2.6.22-510/net/netfilter/xt_SETXID.c linux-2.6.22-520/net/netfi +module_exit(fini); diff -Nurb linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/af_packet.c --- linux-2.6.22-510/net/packet/af_packet.c 2007-07-08 19:32:17.000000000 -0400 -+++ linux-2.6.22-520/net/packet/af_packet.c 2008-06-06 17:07:56.000000000 -0400 ++++ linux-2.6.22-520/net/packet/af_packet.c 2008-06-07 18:30:41.000000000 -0400 @@ -78,6 +78,7 @@ #include #include 
@@ -716,7 +716,44 @@ diff -Nurb linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/a #ifdef CONFIG_INET #include -@@ -324,6 +325,9 @@ +@@ -246,10 +247,13 @@ + + static const struct proto_ops packet_ops_spkt; + ++extern DEFINE_PER_CPU(int, sknid_elevator); + static int packet_rcv_spkt(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev) + { + struct sock *sk; + struct sockaddr_pkt *spkt; ++ int tag = skb->skb_tag; ++ int *elevator=&__get_cpu_var(sknid_elevator); + + /* + * When we registered the protocol we saved the socket in the data +@@ -269,6 +273,22 @@ + * so that this procedure is noop. + */ + ++ /* ++ * (18:05:41) daniel_hozac: where? ++ * (18:05:58) daniel_hozac: we already have filters on PF_PACKET, don't we? ++ * (18:05:58) er: in packet_rcv_skpt ++ * (18:07:33) daniel_hozac: oh, that's evil. ++ */ ++ ++ if (sk->sk_nx_info && !(tag == 1 || sk->sk_nid == tag)) { ++ *elevator=-2; ++ goto out; ++ } ++ else if (!sk->sk_nx_info && *elevator) { ++ /* Root has already seen this packet */ ++ goto out; ++ } ++ + if (skb->pkt_type == PACKET_LOOPBACK) + goto out; + +@@ -324,6 +344,9 @@ __be16 proto=0; int err; @@ -726,12 +763,7 @@ diff -Nurb linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/a /* * Get and verify the address. */ -@@ -416,10 +420,22 @@ - return err; - } - -+extern DEFINE_PER_CPU(int, sknid_elevator); - static inline unsigned int run_filter(struct sk_buff *skb, struct sock *sk, +@@ -420,6 +443,17 @@ unsigned int res) { struct sk_filter *filter; @@ -749,7 +781,7 @@ diff -Nurb linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/a rcu_read_lock_bh(); filter = rcu_dereference(sk->sk_filter); -@@ -711,6 +727,9 @@ +@@ -711,6 +745,9 @@ unsigned char *addr; int ifindex, err, reserve = 0; 
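Review bot: In the check added to packet_rcv_spkt, the per-CPU `sknid_elevator` is set (`*elevator=-2`) when a context socket rejects a packet and is then read by the `!sk->sk_nx_info` branch to drop the packet for the root socket, but nothing in this hunk resets it per packet. Unless the reset happens elsewhere, whether a root SOCK_PACKET listener sees a frame appears to depend on handler order and on stale state from an earlier packet, so root-side capture could silently miss traffic; if the reset does exist, a comment should point to it. The IRC excerpt does not document the rule and could be replaced with something like `/* Context sockets only see packets tagged with their own nid (or tag 1); root skips packets the elevator has marked. */`, with the bare `1` and `-2` given names. The declaration would be more conventional as `DECLARE_PER_CPU(int, sknid_elevator);` than `extern DEFINE_PER_CPU(...)`; this also applies where the next hunk moves the same line away from run_filter. The function body starts and ends outside the hunk, so this assumes `sk` is already assigned before the new check.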
@@ -759,12 +791,14 @@ diff -Nurb linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/a /* * Get and verify the address. */ -@@ -984,7 +1003,7 @@ +@@ -984,8 +1021,9 @@ __be16 proto = (__force __be16)protocol; /* weird, but documented */ int err; - if (!capable(CAP_NET_RAW)) + if (!nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET)) return -EPERM; ++ if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW && sock->type != SOCK_PACKET) + return -ESOCKTNOSUPPORT; -- 2.47.0