Last adjustment before tagging.

diff --git a/linux-2.6-520-vnet+.patch b/linux-2.6-520-vnet+.patch
index e067083..f425f62 100644 (file)
--- a/linux-2.6-520-vnet+.patch
+++ b/linux-2.6-520-vnet+.patch
@@ -707,7 +707,7 @@ diff -Nurb linux-2.6.22-510/net/netfilter/xt_SETXID.c linux-2.6.22-520/net/netfi
 +module_exit(fini);
 diff -Nurb linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/af_packet.c
 --- linux-2.6.22-510/net/packet/af_packet.c    2007-07-08 19:32:17.000000000 -0400
-+++ linux-2.6.22-520/net/packet/af_packet.c    2008-06-06 17:07:56.000000000 -0400
++++ linux-2.6.22-520/net/packet/af_packet.c    2008-06-07 18:30:41.000000000 -0400
 @@ -78,6 +78,7 @@
  #include <linux/poll.h>
  #include <linux/module.h>
@@ -716,7 +716,44 @@ diff -Nurb linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/a
  
  #ifdef CONFIG_INET
  #include <net/inet_common.h>
-@@ -324,6 +325,9 @@
+@@ -246,10 +247,13 @@
+ 
+ static const struct proto_ops packet_ops_spkt;
+ 
++extern DEFINE_PER_CPU(int, sknid_elevator);
+ static int packet_rcv_spkt(struct sk_buff *skb, struct net_device *dev,  struct packet_type *pt, struct net_device *orig_dev)
+ {
+       struct sock *sk;
+       struct sockaddr_pkt *spkt;
++      int tag = skb->skb_tag;
++      int *elevator=&__get_cpu_var(sknid_elevator);
+ 
+       /*
+        *      When we registered the protocol we saved the socket in the data
+@@ -269,6 +273,22 @@
+        *      so that this procedure is noop.
+        */
+ 
++      /* 
++       * (18:05:41) daniel_hozac: where?
++       * (18:05:58) daniel_hozac: we already have filters on PF_PACKET, don't we?
++       * (18:05:58) er: in packet_rcv_skpt
++       * (18:07:33) daniel_hozac: oh, that's evil. 
++       */
++
++      if (sk->sk_nx_info && !(tag == 1 || sk->sk_nid == tag)) {
++              *elevator=-2;
++              goto out;
++      }
++      else if (!sk->sk_nx_info && *elevator) {
++              /* Root has already seen this packet */
++              goto out;
++      }
++
+       if (skb->pkt_type == PACKET_LOOPBACK)
+               goto out;
+ 
+@@ -324,6 +344,9 @@
        __be16 proto=0;
        int err;
  
@@ -726,12 +763,7 @@ diff -Nurb linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/a
        /*
         *      Get and verify the address.
         */
-@@ -416,10 +420,22 @@
-       return err;
- }
- 
-+extern DEFINE_PER_CPU(int, sknid_elevator);
- static inline unsigned int run_filter(struct sk_buff *skb, struct sock *sk,
+@@ -420,6 +443,17 @@
                                      unsigned int res)
  {
        struct sk_filter *filter;
@@ -749,7 +781,7 @@ diff -Nurb linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/a
  
        rcu_read_lock_bh();
        filter = rcu_dereference(sk->sk_filter);
-@@ -711,6 +727,9 @@
+@@ -711,6 +745,9 @@
        unsigned char *addr;
        int ifindex, err, reserve = 0;
  
@@ -759,12 +791,14 @@ diff -Nurb linux-2.6.22-510/net/packet/af_packet.c linux-2.6.22-520/net/packet/a
        /*
         *      Get and verify the address.
         */
-@@ -984,7 +1003,7 @@
+@@ -984,8 +1021,9 @@
        __be16 proto = (__force __be16)protocol; /* weird, but documented */
        int err;
  
 -      if (!capable(CAP_NET_RAW))
 +      if (!nx_capable(CAP_NET_RAW, NXC_RAW_SOCKET))
                return -EPERM;
++              
        if (sock->type != SOCK_DGRAM && sock->type != SOCK_RAW &&
            sock->type != SOCK_PACKET)
+               return -ESOCKTNOSUPPORT;