- updated to 2.6.27.21

[packages/kernel.git] / kernel-routes.patch

diff -urp v2.6.27/linux/include/linux/rtnetlink.h linux/include/linux/rtnetlink.h
--- v2.6.27/linux/include/linux/rtnetlink.h	2008-10-11 12:46:15.000000000 +0300
+++ linux/include/linux/rtnetlink.h	2008-10-11 13:50:41.000000000 +0300
@@ -304,6 +304,8 @@ struct rtnexthop
 #define RTNH_F_DEAD		1	/* Nexthop is dead (used by multipath)	*/
 #define RTNH_F_PERVASIVE	2	/* Do recursive gateway lookup	*/
 #define RTNH_F_ONLINK		4	/* Gateway is forced on link	*/
+#define RTNH_F_SUSPECT		8	/* We don't know the real state	*/
+#define RTNH_F_BADSTATE		(RTNH_F_DEAD | RTNH_F_SUSPECT)
 
 /* Macros to handle hexthops */
 
diff -urp v2.6.27/linux/include/net/flow.h linux/include/net/flow.h
--- v2.6.27/linux/include/net/flow.h	2008-10-11 12:46:15.000000000 +0300
+++ linux/include/net/flow.h	2008-10-11 13:51:37.000000000 +0300
@@ -19,6 +19,8 @@ struct flowi {
 		struct {
 			__be32			daddr;
 			__be32			saddr;
+			__be32			lsrc;
+			__be32			gw;
 			__u8			tos;
 			__u8			scope;
 		} ip4_u;
@@ -43,6 +45,8 @@ struct flowi {
 #define fl6_flowlabel	nl_u.ip6_u.flowlabel
 #define fl4_dst		nl_u.ip4_u.daddr
 #define fl4_src		nl_u.ip4_u.saddr
+#define fl4_lsrc	nl_u.ip4_u.lsrc
+#define fl4_gw		nl_u.ip4_u.gw
 #define fl4_tos		nl_u.ip4_u.tos
 #define fl4_scope	nl_u.ip4_u.scope
 
diff -urp v2.6.27/linux/include/net/ip_fib.h linux/include/net/ip_fib.h
--- v2.6.27/linux/include/net/ip_fib.h	2008-04-17 09:58:08.000000000 +0300
+++ linux/include/net/ip_fib.h	2008-10-11 13:50:41.000000000 +0300
@@ -207,6 +207,8 @@ extern int fib_lookup(struct net *n, str
 extern struct fib_table *fib_new_table(struct net *net, u32 id);
 extern struct fib_table *fib_get_table(struct net *net, u32 id);
 
+extern int fib_result_table(struct fib_result *res);
+
 #endif /* CONFIG_IP_MULTIPLE_TABLES */
 
 /* Exported by fib_frontend.c */
@@ -276,4 +278,6 @@ static inline void fib_proc_exit(struct 
 }
 #endif
 
+extern rwlock_t fib_nhflags_lock;
+
 #endif  /* _NET_FIB_H */
diff -urp v2.6.27/linux/include/net/netfilter/nf_nat.h linux/include/net/netfilter/nf_nat.h
--- v2.6.27/linux/include/net/netfilter/nf_nat.h	2008-04-17 09:58:08.000000000 +0300
+++ linux/include/net/netfilter/nf_nat.h	2008-10-11 13:51:37.000000000 +0300
@@ -77,6 +77,13 @@ struct nf_conn_nat
 #endif
 };
 
+/* Call input routing for SNAT-ed traffic */
+extern unsigned int ip_nat_route_input(unsigned int hooknum,
+				       struct sk_buff *skb,
+				       const struct net_device *in,
+				       const struct net_device *out,
+				       int (*okfn)(struct sk_buff *));
+
 /* Set up the info structure to map into this range. */
 extern unsigned int nf_nat_setup_info(struct nf_conn *ct,
 				      const struct nf_nat_range *range,
diff -urp v2.6.27/linux/include/net/route.h linux/include/net/route.h
--- v2.6.27/linux/include/net/route.h	2008-10-11 12:46:15.000000000 +0300
+++ linux/include/net/route.h	2008-10-11 13:51:37.000000000 +0300
@@ -116,6 +116,7 @@ extern int		__ip_route_output_key(struct
 extern int		ip_route_output_key(struct net *, struct rtable **, struct flowi *flp);
 extern int		ip_route_output_flow(struct net *, struct rtable **rp, struct flowi *flp, struct sock *sk, int flags);
 extern int		ip_route_input(struct sk_buff*, __be32 dst, __be32 src, u8 tos, struct net_device *devin);
+extern int		ip_route_input_lookup(struct sk_buff*, __be32 dst, __be32 src, u8 tos, struct net_device *devin, __be32 lsrc);
 extern unsigned short	ip_rt_frag_needed(struct net *net, struct iphdr *iph, unsigned short new_mtu, struct net_device *dev);
 extern void		ip_rt_send_redirect(struct sk_buff *skb);
 
diff -urp v2.6.27/linux/net/bridge/br_netfilter.c linux/net/bridge/br_netfilter.c
--- v2.6.27/linux/net/bridge/br_netfilter.c	2008-10-11 12:46:16.000000000 +0300
+++ linux/net/bridge/br_netfilter.c	2008-10-11 13:51:37.000000000 +0300
@@ -328,6 +328,10 @@ static int br_nf_pre_routing_finish(stru
 	struct nf_bridge_info *nf_bridge = skb->nf_bridge;
 	int err;
 
+	/* Old skb->dst is not expected, it is lost in all cases */
+	dst_release(skb->dst);
+	skb->dst = NULL;
+
 	if (nf_bridge->mask & BRNF_PKT_TYPE) {
 		skb->pkt_type = PACKET_OTHERHOST;
 		nf_bridge->mask ^= BRNF_PKT_TYPE;
diff -urp v2.6.27/linux/net/ipv4/fib_frontend.c linux/net/ipv4/fib_frontend.c
--- v2.6.27/linux/net/ipv4/fib_frontend.c	2008-10-11 12:46:16.000000000 +0300
+++ linux/net/ipv4/fib_frontend.c	2008-10-11 13:50:41.000000000 +0300
@@ -47,6 +47,8 @@
 
 #ifndef CONFIG_IP_MULTIPLE_TABLES
 
+#define FIB_RES_TABLE(r) (RT_TABLE_MAIN)
+
 static int __net_init fib4_rules_init(struct net *net)
 {
 	struct fib_table *local_table, *main_table;
@@ -71,6 +73,8 @@ fail:
 }
 #else
 
+#define FIB_RES_TABLE(r) (fib_result_table(r))
+
 struct fib_table *fib_new_table(struct net *net, u32 id)
 {
 	struct fib_table *tb;
@@ -125,7 +129,8 @@ void fib_select_default(struct net *net,
 	table = res->r->table;
 #endif
 	tb = fib_get_table(net, table);
-	if (FIB_RES_GW(*res) && FIB_RES_NH(*res).nh_scope == RT_SCOPE_LINK)
+	if ((FIB_RES_GW(*res) && FIB_RES_NH(*res).nh_scope == RT_SCOPE_LINK) ||
+	    FIB_RES_NH(*res).nh_scope == RT_SCOPE_HOST)
 		tb->tb_select_default(tb, flp, res);
 }
 
@@ -239,6 +244,9 @@ int fib_validate_source(__be32 src, __be
 					.tos = tos } },
 			    .iif = oif };
 	struct fib_result res;
+	int table;
+	unsigned char prefixlen;
+	unsigned char scope;
 	int no_addr, rpf;
 	int ret;
 	struct net *net;
@@ -262,31 +270,35 @@ int fib_validate_source(__be32 src, __be
 		goto e_inval_res;
 	*spec_dst = FIB_RES_PREFSRC(res);
 	fib_combine_itag(itag, &res);
-#ifdef CONFIG_IP_ROUTE_MULTIPATH
-	if (FIB_RES_DEV(res) == dev || res.fi->fib_nhs > 1)
-#else
 	if (FIB_RES_DEV(res) == dev)
-#endif
 	{
 		ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST;
 		fib_res_put(&res);
 		return ret;
 	}
+	table = FIB_RES_TABLE(&res);
+	prefixlen = res.prefixlen;
+	scope = res.scope;
 	fib_res_put(&res);
 	if (no_addr)
 		goto last_resort;
-	if (rpf)
-		goto e_inval;
 	fl.oif = dev->ifindex;
 
 	ret = 0;
 	if (fib_lookup(net, &fl, &res) == 0) {
-		if (res.type == RTN_UNICAST) {
+		if (res.type == RTN_UNICAST &&
+		    ((table == FIB_RES_TABLE(&res) &&
+		      res.prefixlen >= prefixlen && res.scope >= scope) ||
+		     !rpf)) {
 			*spec_dst = FIB_RES_PREFSRC(res);
 			ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST;
+			fib_res_put(&res);
+			return ret;
 		}
 		fib_res_put(&res);
 	}
+	if (rpf)
+		goto e_inval;
 	return ret;
 
 last_resort:
@@ -909,9 +921,7 @@ static int fib_inetaddr_event(struct not
 	switch (event) {
 	case NETDEV_UP:
 		fib_add_ifaddr(ifa);
-#ifdef CONFIG_IP_ROUTE_MULTIPATH
 		fib_sync_up(dev);
-#endif
 		rt_cache_flush(dev_net(dev), -1);
 		break;
 	case NETDEV_DOWN:
@@ -947,9 +957,7 @@ static int fib_netdev_event(struct notif
 		for_ifa(in_dev) {
 			fib_add_ifaddr(ifa);
 		} endfor_ifa(in_dev);
-#ifdef CONFIG_IP_ROUTE_MULTIPATH
 		fib_sync_up(dev);
-#endif
 		rt_cache_flush(dev_net(dev), -1);
 		break;
 	case NETDEV_DOWN:
diff -urp v2.6.27/linux/net/ipv4/fib_hash.c linux/net/ipv4/fib_hash.c
--- v2.6.27/linux/net/ipv4/fib_hash.c	2008-10-11 12:46:16.000000000 +0300
+++ linux/net/ipv4/fib_hash.c	2008-10-11 13:50:41.000000000 +0300
@@ -278,25 +278,35 @@ out:
 static void
 fn_hash_select_default(struct fib_table *tb, const struct flowi *flp, struct fib_result *res)
 {
-	int order, last_idx;
+	int order, last_idx, last_dflt, last_nhsel;
+	struct fib_alias *first_fa = NULL;
+	struct hlist_head *head;
 	struct hlist_node *node;
 	struct fib_node *f;
 	struct fib_info *fi = NULL;
 	struct fib_info *last_resort;
 	struct fn_hash *t = (struct fn_hash*)tb->tb_data;
-	struct fn_zone *fz = t->fn_zones[0];
+	struct fn_zone *fz = t->fn_zones[res->prefixlen];
+	__be32 k;
 
 	if (fz == NULL)
 		return;
 
+	k = fz_key(flp->fl4_dst, fz);
+	last_dflt = -2;
+	last_nhsel = 0;
 	last_idx = -1;
 	last_resort = NULL;
 	order = -1;
 
 	read_lock(&fib_hash_lock);
-	hlist_for_each_entry(f, node, &fz->fz_hash[0], fn_hash) {
+	head = &fz->fz_hash[fn_hash(k, fz)];
+	hlist_for_each_entry(f, node, head, fn_hash) {
 		struct fib_alias *fa;
 
+		if (f->fn_key != k)
+			continue;
+
 		list_for_each_entry(fa, &f->fn_alias, fa_list) {
 			struct fib_info *next_fi = fa->fa_info;
 
@@ -304,42 +314,56 @@ fn_hash_select_default(struct fib_table 
 			    fa->fa_type != RTN_UNICAST)
 				continue;
 
+			if (fa->fa_tos &&
+			    fa->fa_tos != flp->fl4_tos)
+				continue;
 			if (next_fi->fib_priority > res->fi->fib_priority)
 				break;
-			if (!next_fi->fib_nh[0].nh_gw ||
-			    next_fi->fib_nh[0].nh_scope != RT_SCOPE_LINK)
-				continue;
 			fa->fa_state |= FA_S_ACCESSED;
 
-			if (fi == NULL) {
-				if (next_fi != res->fi)
-					break;
-			} else if (!fib_detect_death(fi, order, &last_resort,
-						&last_idx, tb->tb_default)) {
+			if (!first_fa) {
+				last_dflt = fa->fa_last_dflt;
+				first_fa = fa;
+			}
+			if (fi && !fib_detect_death(fi, order, &last_resort,
+				&last_idx, &last_dflt, &last_nhsel, flp)) {
 				fib_result_assign(res, fi);
-				tb->tb_default = order;
+				first_fa->fa_last_dflt = order;
 				goto out;
 			}
 			fi = next_fi;
 			order++;
 		}
+		break;
 	}
 
 	if (order <= 0 || fi == NULL) {
-		tb->tb_default = -1;
+		if (fi && fi->fib_nhs > 1 &&
+		    fib_detect_death(fi, order, &last_resort, &last_idx,
+			&last_dflt, &last_nhsel, flp) &&
+		    last_resort == fi) {
+			read_lock_bh(&fib_nhflags_lock);
+			fi->fib_nh[last_nhsel].nh_flags &= ~RTNH_F_SUSPECT;
+			read_unlock_bh(&fib_nhflags_lock);
+		}
+		if (first_fa) first_fa->fa_last_dflt = -1;
 		goto out;
 	}
 
 	if (!fib_detect_death(fi, order, &last_resort, &last_idx,
-				tb->tb_default)) {
+			      &last_dflt, &last_nhsel, flp)) {
 		fib_result_assign(res, fi);
-		tb->tb_default = order;
+		first_fa->fa_last_dflt = order;
 		goto out;
 	}
 
-	if (last_idx >= 0)
+	if (last_idx >= 0) {
 		fib_result_assign(res, last_resort);
-	tb->tb_default = last_idx;
+		read_lock_bh(&fib_nhflags_lock);
+		last_resort->fib_nh[last_nhsel].nh_flags &= ~RTNH_F_SUSPECT;
+		read_unlock_bh(&fib_nhflags_lock);
+		first_fa->fa_last_dflt = last_idx;
+	}
 out:
 	read_unlock(&fib_hash_lock);
 }
@@ -463,6 +487,7 @@ static int fn_hash_insert(struct fib_tab
 			write_lock_bh(&fib_hash_lock);
 			fi_drop = fa->fa_info;
 			fa->fa_info = fi;
+			fa->fa_last_dflt = -1;
 			fa->fa_type = cfg->fc_type;
 			fa->fa_scope = cfg->fc_scope;
 			state = fa->fa_state;
@@ -517,6 +542,7 @@ static int fn_hash_insert(struct fib_tab
 	new_fa->fa_type = cfg->fc_type;
 	new_fa->fa_scope = cfg->fc_scope;
 	new_fa->fa_state = 0;
+	new_fa->fa_last_dflt = -1;
 
 	/*
 	 * Insert new entry to the list.
diff -urp v2.6.27/linux/net/ipv4/fib_lookup.h linux/net/ipv4/fib_lookup.h
--- v2.6.27/linux/net/ipv4/fib_lookup.h	2008-04-17 09:58:09.000000000 +0300
+++ linux/net/ipv4/fib_lookup.h	2008-10-11 13:50:41.000000000 +0300
@@ -8,6 +8,7 @@
 struct fib_alias {
 	struct list_head	fa_list;
 	struct fib_info		*fa_info;
+	int			fa_last_dflt;
 	u8			fa_tos;
 	u8			fa_type;
 	u8			fa_scope;
@@ -38,7 +39,8 @@ extern struct fib_alias *fib_find_alias(
 					u8 tos, u32 prio);
 extern int fib_detect_death(struct fib_info *fi, int order,
 			    struct fib_info **last_resort,
-			    int *last_idx, int dflt);
+			    int *last_idx, int *dflt, int *last_nhsel,
+			    const struct flowi *flp);
 
 static inline void fib_result_assign(struct fib_result *res,
 				     struct fib_info *fi)
diff -urp v2.6.27/linux/net/ipv4/fib_rules.c linux/net/ipv4/fib_rules.c
--- v2.6.27/linux/net/ipv4/fib_rules.c	2008-10-11 12:46:16.000000000 +0300
+++ linux/net/ipv4/fib_rules.c	2008-10-11 13:50:41.000000000 +0300
@@ -54,6 +54,11 @@ u32 fib_rules_tclass(struct fib_result *
 }
 #endif
 
+int fib_result_table(struct fib_result *res)
+{
+	return res->r->table;
+}
+
 int fib_lookup(struct net *net, struct flowi *flp, struct fib_result *res)
 {
 	struct fib_lookup_arg arg = {
diff -urp v2.6.27/linux/net/ipv4/fib_semantics.c linux/net/ipv4/fib_semantics.c
--- v2.6.27/linux/net/ipv4/fib_semantics.c	2008-10-11 12:46:16.000000000 +0300
+++ linux/net/ipv4/fib_semantics.c	2008-10-11 13:51:37.000000000 +0300
@@ -50,6 +50,7 @@ static struct hlist_head *fib_info_hash;
 static struct hlist_head *fib_info_laddrhash;
 static unsigned int fib_hash_size;
 static unsigned int fib_info_cnt;
+rwlock_t fib_nhflags_lock = RW_LOCK_UNLOCKED;
 
 #define DEVINDEX_HASHBITS 8
 #define DEVINDEX_HASHSIZE (1U << DEVINDEX_HASHBITS)
@@ -186,7 +187,7 @@ static __inline__ int nh_comp(const stru
 #ifdef CONFIG_NET_CLS_ROUTE
 		    nh->nh_tclassid != onh->nh_tclassid ||
 #endif
-		    ((nh->nh_flags^onh->nh_flags)&~RTNH_F_DEAD))
+		    ((nh->nh_flags^onh->nh_flags)&~RTNH_F_BADSTATE))
 			return -1;
 		onh++;
 	} endfor_nexthops(fi);
@@ -237,7 +238,7 @@ static struct fib_info *fib_find_info(co
 		    nfi->fib_priority == fi->fib_priority &&
 		    memcmp(nfi->fib_metrics, fi->fib_metrics,
 			   sizeof(fi->fib_metrics)) == 0 &&
-		    ((nfi->fib_flags^fi->fib_flags)&~RTNH_F_DEAD) == 0 &&
+		    ((nfi->fib_flags^fi->fib_flags)&~RTNH_F_BADSTATE) == 0 &&
 		    (nfi->fib_nhs == 0 || nh_comp(fi, nfi) == 0))
 			return fi;
 	}
@@ -348,26 +349,70 @@ struct fib_alias *fib_find_alias(struct 
 }
 
 int fib_detect_death(struct fib_info *fi, int order,
-		     struct fib_info **last_resort, int *last_idx, int dflt)
+		     struct fib_info **last_resort, int *last_idx, int *dflt,
+		     int *last_nhsel, const struct flowi *flp)
 {
 	struct neighbour *n;
-	int state = NUD_NONE;
+	int nhsel;
+	int state;
+	struct fib_nh * nh;
+	__be32 dst;
+	int flag, dead = 1;
+
+	/* change_nexthops(fi) { */
+	for (nhsel = 0, nh = fi->fib_nh; nhsel < fi->fib_nhs; nh++, nhsel++) {
+		if (flp->oif && flp->oif != nh->nh_oif)
+			continue;
+		if (flp->fl4_gw && flp->fl4_gw != nh->nh_gw && nh->nh_gw &&
+		    nh->nh_scope == RT_SCOPE_LINK)
+			continue;
+		if (nh->nh_flags & RTNH_F_DEAD)
+			continue;
 
-	n = neigh_lookup(&arp_tbl, &fi->fib_nh[0].nh_gw, fi->fib_dev);
-	if (n) {
-		state = n->nud_state;
-		neigh_release(n);
-	}
-	if (state==NUD_REACHABLE)
-		return 0;
-	if ((state&NUD_VALID) && order != dflt)
-		return 0;
-	if ((state&NUD_VALID) ||
-	    (*last_idx<0 && order > dflt)) {
-		*last_resort = fi;
-		*last_idx = order;
+		flag = 0;
+		if (nh->nh_dev->flags & IFF_NOARP) {
+			dead = 0;
+			goto setfl;
+		}
+
+		dst = nh->nh_gw;
+		if (!nh->nh_gw || nh->nh_scope != RT_SCOPE_LINK)
+			dst = flp->fl4_dst;
+
+		state = NUD_NONE;
+		n = neigh_lookup(&arp_tbl, &dst, nh->nh_dev);
+		if (n) {
+			state = n->nud_state;
+			neigh_release(n);
+		}
+		if (state==NUD_REACHABLE ||
+			((state&NUD_VALID) && order != *dflt)) {
+			dead = 0;
+			goto setfl;
+		}
+		if (!(state&NUD_VALID))
+			flag = 1;
+		if (!dead)
+			goto setfl;
+		if ((state&NUD_VALID) ||
+		    (*last_idx<0 && order >= *dflt)) {
+			*last_resort = fi;
+			*last_idx = order;
+			*last_nhsel = nhsel;
+		}
+
+		setfl:
+
+		read_lock_bh(&fib_nhflags_lock);
+		if (flag)
+			nh->nh_flags |= RTNH_F_SUSPECT;
+		else
+			nh->nh_flags &= ~RTNH_F_SUSPECT;
+		read_unlock_bh(&fib_nhflags_lock);
 	}
-	return 1;
+	/* } endfor_nexthops(fi) */
+
+	return dead;
 }
 
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
@@ -539,8 +584,11 @@ static int fib_check_nh(struct fib_confi
 				return -EINVAL;
 			if ((dev = __dev_get_by_index(net, nh->nh_oif)) == NULL)
 				return -ENODEV;
-			if (!(dev->flags&IFF_UP))
-				return -ENETDOWN;
+			if (!(dev->flags&IFF_UP)) {
+				if (fi->fib_protocol != RTPROT_STATIC)
+					return -ENETDOWN;
+				nh->nh_flags |= RTNH_F_DEAD;
+			}
 			nh->nh_dev = dev;
 			dev_hold(dev);
 			nh->nh_scope = RT_SCOPE_LINK;
@@ -560,24 +608,48 @@ static int fib_check_nh(struct fib_confi
 			/* It is not necessary, but requires a bit of thinking */
 			if (fl.fl4_scope < RT_SCOPE_LINK)
 				fl.fl4_scope = RT_SCOPE_LINK;
-			if ((err = fib_lookup(net, &fl, &res)) != 0)
-				return err;
+			err = fib_lookup(net, &fl, &res);
 		}
-		err = -EINVAL;
-		if (res.type != RTN_UNICAST && res.type != RTN_LOCAL)
-			goto out;
-		nh->nh_scope = res.scope;
-		nh->nh_oif = FIB_RES_OIF(res);
-		if ((nh->nh_dev = FIB_RES_DEV(res)) == NULL)
-			goto out;
-		dev_hold(nh->nh_dev);
-		err = -ENETDOWN;
-		if (!(nh->nh_dev->flags & IFF_UP))
-			goto out;
-		err = 0;
+		if (err) {
+			struct in_device *in_dev;
+
+			if (err != -ENETUNREACH ||
+			    fi->fib_protocol != RTPROT_STATIC)
+				return err;
+
+			in_dev = inetdev_by_index(net, nh->nh_oif);
+			if (in_dev == NULL ||
+			    in_dev->dev->flags & IFF_UP) {
+				if (in_dev)
+					in_dev_put(in_dev);
+				return err;
+			}
+			nh->nh_flags |= RTNH_F_DEAD;
+			nh->nh_scope = RT_SCOPE_LINK;
+			nh->nh_dev = in_dev->dev;
+			dev_hold(nh->nh_dev);
+			in_dev_put(in_dev);
+		} else {
+			err = -EINVAL;
+			if (res.type != RTN_UNICAST && res.type != RTN_LOCAL)
+				goto out;
+			nh->nh_scope = res.scope;
+			nh->nh_oif = FIB_RES_OIF(res);
+			if ((nh->nh_dev = FIB_RES_DEV(res)) == NULL)
+				goto out;
+			dev_hold(nh->nh_dev);
+			if (!(nh->nh_dev->flags & IFF_UP)) {
+				if (fi->fib_protocol != RTPROT_STATIC) {
+					err = -ENETDOWN;
+					goto out;
+				}
+				nh->nh_flags |= RTNH_F_DEAD;
+			}
+			err = 0;
 out:
-		fib_res_put(&res);
-		return err;
+			fib_res_put(&res);
+			return err;
+		}
 	} else {
 		struct in_device *in_dev;
 
@@ -588,8 +660,11 @@ out:
 		if (in_dev == NULL)
 			return -ENODEV;
 		if (!(in_dev->dev->flags&IFF_UP)) {
-			in_dev_put(in_dev);
-			return -ENETDOWN;
+			if (fi->fib_protocol != RTPROT_STATIC) {
+				in_dev_put(in_dev);
+				return -ENETDOWN;
+			}
+			nh->nh_flags |= RTNH_F_DEAD;
 		}
 		nh->nh_dev = in_dev->dev;
 		dev_hold(nh->nh_dev);
@@ -899,8 +974,12 @@ int fib_semantic_match(struct list_head 
 				for_nexthops(fi) {
 					if (nh->nh_flags&RTNH_F_DEAD)
 						continue;
-					if (!flp->oif || flp->oif == nh->nh_oif)
-						break;
+					if (flp->oif && flp->oif != nh->nh_oif)
+						continue;
+					if (flp->fl4_gw && flp->fl4_gw != nh->nh_gw &&
+					    nh->nh_gw && nh->nh_scope == RT_SCOPE_LINK)
+						continue;
+					break;
 				}
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
 				if (nhsel < fi->fib_nhs) {
@@ -1080,18 +1159,29 @@ int fib_sync_down_dev(struct net_device 
 		prev_fi = fi;
 		dead = 0;
 		change_nexthops(fi) {
-			if (nh->nh_flags&RTNH_F_DEAD)
-				dead++;
-			else if (nh->nh_dev == dev &&
-					nh->nh_scope != scope) {
-				nh->nh_flags |= RTNH_F_DEAD;
+			if (nh->nh_flags&RTNH_F_DEAD) {
+				if (fi->fib_protocol!=RTPROT_STATIC ||
+				    nh->nh_dev == NULL ||
+				    __in_dev_get_rtnl(nh->nh_dev) == NULL ||
+				    nh->nh_dev->flags&IFF_UP)
+					dead++;
+			} else if (nh->nh_dev == dev &&
+				   nh->nh_scope != scope) {
+				write_lock_bh(&fib_nhflags_lock);
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
-				spin_lock_bh(&fib_multipath_lock);
+				spin_lock(&fib_multipath_lock);
+				nh->nh_flags |= RTNH_F_DEAD;
 				fi->fib_power -= nh->nh_power;
 				nh->nh_power = 0;
-				spin_unlock_bh(&fib_multipath_lock);
+				spin_unlock(&fib_multipath_lock);
+#else
+				nh->nh_flags |= RTNH_F_DEAD;
 #endif
-				dead++;
+				write_unlock_bh(&fib_nhflags_lock);
+				if (fi->fib_protocol!=RTPROT_STATIC ||
+				    force ||
+				    __in_dev_get_rtnl(dev) == NULL)
+					dead++;
 			}
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
 			if (force > 1 && nh->nh_dev == dev) {
@@ -1109,11 +1199,8 @@ int fib_sync_down_dev(struct net_device 
 	return ret;
 }
 
-#ifdef CONFIG_IP_ROUTE_MULTIPATH
-
 /*
-   Dead device goes up. We wake up dead nexthops.
-   It takes sense only on multipath routes.
+   Dead device goes up or new address is added. We wake up dead nexthops.
  */
 
 int fib_sync_up(struct net_device *dev)
@@ -1123,8 +1210,10 @@ int fib_sync_up(struct net_device *dev)
 	struct hlist_head *head;
 	struct hlist_node *node;
 	struct fib_nh *nh;
-	int ret;
+	struct fib_result res;
+	int ret, rep;
 
+repeat:
 	if (!(dev->flags&IFF_UP))
 		return 0;
 
@@ -1132,6 +1221,7 @@ int fib_sync_up(struct net_device *dev)
 	hash = fib_devindex_hashfn(dev->ifindex);
 	head = &fib_info_devhash[hash];
 	ret = 0;
+	rep = 0;
 
 	hlist_for_each_entry(nh, node, head, nh_hash) {
 		struct fib_info *fi = nh->nh_parent;
@@ -1144,19 +1234,39 @@ int fib_sync_up(struct net_device *dev)
 		prev_fi = fi;
 		alive = 0;
 		change_nexthops(fi) {
-			if (!(nh->nh_flags&RTNH_F_DEAD)) {
-				alive++;
+			if (!(nh->nh_flags&RTNH_F_DEAD))
 				continue;
-			}
 			if (nh->nh_dev == NULL || !(nh->nh_dev->flags&IFF_UP))
 				continue;
 			if (nh->nh_dev != dev || !__in_dev_get_rtnl(dev))
 				continue;
+			if (nh->nh_gw && fi->fib_protocol == RTPROT_STATIC) {
+				struct flowi fl = {
+					.nl_u = { .ip4_u =
+						  { .daddr = nh->nh_gw,
+						    .scope = nh->nh_scope } },
+					.oif =  nh->nh_oif,
+				};
+				if (fib_lookup(dev_net(dev), &fl, &res) != 0)
+					continue;
+				if (res.type != RTN_UNICAST &&
+				    res.type != RTN_LOCAL) {
+					fib_res_put(&res);
+					continue;
+				}
+				nh->nh_scope = res.scope;
+				fib_res_put(&res);
+				rep = 1;
+			}
 			alive++;
+#ifdef CONFIG_IP_ROUTE_MULTIPATH
 			spin_lock_bh(&fib_multipath_lock);
 			nh->nh_power = 0;
+#endif
 			nh->nh_flags &= ~RTNH_F_DEAD;
+#ifdef CONFIG_IP_ROUTE_MULTIPATH
 			spin_unlock_bh(&fib_multipath_lock);
+#endif
 		} endfor_nexthops(fi)
 
 		if (alive > 0) {
@@ -1164,10 +1274,14 @@ int fib_sync_up(struct net_device *dev)
 			ret++;
 		}
 	}
+	if (rep)
+		goto repeat;
 
 	return ret;
 }
 
+#ifdef CONFIG_IP_ROUTE_MULTIPATH
+
 /*
    The algorithm is suboptimal, but it provides really
    fair weighted route distribution.
@@ -1176,24 +1290,45 @@ int fib_sync_up(struct net_device *dev)
 void fib_select_multipath(const struct flowi *flp, struct fib_result *res)
 {
 	struct fib_info *fi = res->fi;
-	int w;
+	int w, alive;
 
 	spin_lock_bh(&fib_multipath_lock);
+	if (flp->oif) {
+		int sel = -1;
+		w = -1;
+		change_nexthops(fi) {
+			if (flp->oif != nh->nh_oif)
+				continue;
+			if (flp->fl4_gw && flp->fl4_gw != nh->nh_gw &&
+			    nh->nh_gw && nh->nh_scope == RT_SCOPE_LINK)
+				continue;
+			if (!(nh->nh_flags&RTNH_F_BADSTATE)) {
+				if (nh->nh_power > w) {
+					w = nh->nh_power;
+					sel = nhsel;
+				}
+			}
+		} endfor_nexthops(fi);
+		if (sel >= 0) {
+			spin_unlock_bh(&fib_multipath_lock);
+			res->nh_sel = sel;
+			return;
+		}
+		goto last_resort;
+	}
+
+repeat:
 	if (fi->fib_power <= 0) {
 		int power = 0;
 		change_nexthops(fi) {
-			if (!(nh->nh_flags&RTNH_F_DEAD)) {
+			if (!(nh->nh_flags&RTNH_F_BADSTATE)) {
 				power += nh->nh_weight;
 				nh->nh_power = nh->nh_weight;
 			}
 		} endfor_nexthops(fi);
 		fi->fib_power = power;
-		if (power <= 0) {
-			spin_unlock_bh(&fib_multipath_lock);
-			/* Race condition: route has just become dead. */
-			res->nh_sel = 0;
-			return;
-		}
+		if (power <= 0)
+			goto last_resort;
 	}
 
 
@@ -1203,20 +1338,40 @@ void fib_select_multipath(const struct f
 
 	w = jiffies % fi->fib_power;
 
+	alive = 0;
 	change_nexthops(fi) {
-		if (!(nh->nh_flags&RTNH_F_DEAD) && nh->nh_power) {
+		if (!(nh->nh_flags&RTNH_F_BADSTATE) && nh->nh_power) {
 			if ((w -= nh->nh_power) <= 0) {
 				nh->nh_power--;
 				fi->fib_power--;
-				res->nh_sel = nhsel;
 				spin_unlock_bh(&fib_multipath_lock);
+				res->nh_sel = nhsel;
 				return;
 			}
+			alive = 1;
+		}
+	} endfor_nexthops(fi);
+	if (alive) {
+		fi->fib_power = 0;
+		goto repeat;
+	}
+
+last_resort:
+
+	for_nexthops(fi) {
+		if (!(nh->nh_flags&RTNH_F_DEAD)) {
+			if (flp->oif && flp->oif != nh->nh_oif)
+				continue;
+			if (flp->fl4_gw && flp->fl4_gw != nh->nh_gw &&
+			    nh->nh_gw && nh->nh_scope == RT_SCOPE_LINK)
+				continue;
+			spin_unlock_bh(&fib_multipath_lock);
+			res->nh_sel = nhsel;
+			return;
 		}
 	} endfor_nexthops(fi);
 
 	/* Race condition: route has just become dead. */
-	res->nh_sel = 0;
 	spin_unlock_bh(&fib_multipath_lock);
 }
 #endif
diff -urp v2.6.27/linux/net/ipv4/fib_trie.c linux/net/ipv4/fib_trie.c
--- v2.6.27/linux/net/ipv4/fib_trie.c	2008-10-11 12:46:16.000000000 +0300
+++ linux/net/ipv4/fib_trie.c	2008-10-11 13:50:41.000000000 +0300
@@ -1261,6 +1261,7 @@ static int fn_trie_insert(struct fib_tab
 			fi_drop = fa->fa_info;
 			new_fa->fa_tos = fa->fa_tos;
 			new_fa->fa_info = fi;
+			new_fa->fa_last_dflt = -1;
 			new_fa->fa_type = cfg->fc_type;
 			new_fa->fa_scope = cfg->fc_scope;
 			state = fa->fa_state;
@@ -1301,6 +1302,7 @@ static int fn_trie_insert(struct fib_tab
 	new_fa->fa_type = cfg->fc_type;
 	new_fa->fa_scope = cfg->fc_scope;
 	new_fa->fa_state = 0;
+	new_fa->fa_last_dflt = -1;
 	/*
 	 * Insert new entry to the list.
 	 */
@@ -1802,24 +1804,31 @@ static void fn_trie_select_default(struc
 				   struct fib_result *res)
 {
 	struct trie *t = (struct trie *) tb->tb_data;
-	int order, last_idx;
+	int order, last_idx, last_dflt, last_nhsel;
+	struct fib_alias *first_fa = NULL;
 	struct fib_info *fi = NULL;
 	struct fib_info *last_resort;
 	struct fib_alias *fa = NULL;
 	struct list_head *fa_head;
 	struct leaf *l;
+	u32 key, mask;
 
+	last_dflt = -2;
+	last_nhsel = 0;
 	last_idx = -1;
 	last_resort = NULL;
 	order = -1;
 
+	mask = inet_make_mask(res->prefixlen);
+	key = ntohl(flp->fl4_dst & mask);
+
 	rcu_read_lock();
 
-	l = fib_find_node(t, 0);
+	l = fib_find_node(t, key);
 	if (!l)
 		goto out;
 
-	fa_head = get_fa_head(l, 0);
+	fa_head = get_fa_head(l, res->prefixlen);
 	if (!fa_head)
 		goto out;
 
@@ -1833,39 +1842,52 @@ static void fn_trie_select_default(struc
 		    fa->fa_type != RTN_UNICAST)
 			continue;
 
+		if (fa->fa_tos &&
+		    fa->fa_tos != flp->fl4_tos)
+			continue;
 		if (next_fi->fib_priority > res->fi->fib_priority)
 			break;
-		if (!next_fi->fib_nh[0].nh_gw ||
-		    next_fi->fib_nh[0].nh_scope != RT_SCOPE_LINK)
-			continue;
 		fa->fa_state |= FA_S_ACCESSED;
 
-		if (fi == NULL) {
-			if (next_fi != res->fi)
-				break;
-		} else if (!fib_detect_death(fi, order, &last_resort,
-					     &last_idx, tb->tb_default)) {
+		if (!first_fa) {
+			last_dflt = fa->fa_last_dflt;
+			first_fa = fa;
+		}
+		if (fi && !fib_detect_death(fi, order, &last_resort,
+		    &last_idx, &last_dflt, &last_nhsel, flp)) {
 			fib_result_assign(res, fi);
-			tb->tb_default = order;
+			first_fa->fa_last_dflt = order;
 			goto out;
 		}
 		fi = next_fi;
 		order++;
 	}
 	if (order <= 0 || fi == NULL) {
-		tb->tb_default = -1;
+		if (fi && fi->fib_nhs > 1 &&
+		    fib_detect_death(fi, order, &last_resort, &last_idx,
+				     &last_dflt, &last_nhsel, flp) &&
+		    last_resort == fi) {
+			read_lock_bh(&fib_nhflags_lock);
+			fi->fib_nh[last_nhsel].nh_flags &= ~RTNH_F_SUSPECT;
+			read_unlock_bh(&fib_nhflags_lock);
+		}
+		if (first_fa) first_fa->fa_last_dflt = -1;
 		goto out;
 	}
 
 	if (!fib_detect_death(fi, order, &last_resort, &last_idx,
-				tb->tb_default)) {
+				&last_dflt, &last_nhsel, flp)) {
 		fib_result_assign(res, fi);
-		tb->tb_default = order;
+		first_fa->fa_last_dflt = order;
 		goto out;
 	}
-	if (last_idx >= 0)
+	if (last_idx >= 0) {
 		fib_result_assign(res, last_resort);
-	tb->tb_default = last_idx;
+		read_lock_bh(&fib_nhflags_lock);
+		last_resort->fib_nh[last_nhsel].nh_flags &= ~RTNH_F_SUSPECT;
+		read_unlock_bh(&fib_nhflags_lock);
+		first_fa->fa_last_dflt = last_idx;
+	}
 out:
 	rcu_read_unlock();
 }
diff -urp v2.6.27/linux/net/ipv4/netfilter/ipt_MASQUERADE.c linux/net/ipv4/netfilter/ipt_MASQUERADE.c
--- v2.6.27/linux/net/ipv4/netfilter/ipt_MASQUERADE.c	2008-10-11 12:46:16.000000000 +0300
+++ linux/net/ipv4/netfilter/ipt_MASQUERADE.c	2008-10-11 13:51:37.000000000 +0300
@@ -59,7 +59,7 @@ masquerade_tg(struct sk_buff *skb, const
 	enum ip_conntrack_info ctinfo;
 	struct nf_nat_range newrange;
 	const struct nf_nat_multi_range_compat *mr;
-	const struct rtable *rt;
+	struct rtable *rt;
 	__be32 newsrc;
 
 	NF_CT_ASSERT(hooknum == NF_INET_POST_ROUTING);
@@ -77,13 +77,28 @@ masquerade_tg(struct sk_buff *skb, const
 		return NF_ACCEPT;
 
 	mr = targinfo;
-	rt = skb->rtable;
-	newsrc = inet_select_addr(out, rt->rt_gateway, RT_SCOPE_UNIVERSE);
-	if (!newsrc) {
-		printk("MASQUERADE: %s ate my IP address\n", out->name);
-		return NF_DROP;
+
+	{
+		struct flowi fl = { .nl_u = { .ip4_u =
+					      { .daddr = ip_hdr(skb)->daddr,
+						.tos = (RT_TOS(ip_hdr(skb)->tos) |
+							RTO_CONN),
+						.gw = skb->rtable->rt_gateway,
+					      } },
+				    .mark = skb->mark,
+				    .oif = out->ifindex };
+		if (ip_route_output_key(dev_net(out), &rt, &fl) != 0) {
+			/* Funky routing can do this. */
+			if (net_ratelimit())
+				printk("MASQUERADE:"
+				       " No route: Rusty's brain broke!\n");
+			return NF_DROP;
+		}
 	}
 
+	newsrc = rt->rt_src;
+	ip_rt_put(rt);
+
 	write_lock_bh(&masq_lock);
 	nat->masq_index = out->ifindex;
 	write_unlock_bh(&masq_lock);
diff -urp v2.6.27/linux/net/ipv4/netfilter/nf_nat_core.c linux/net/ipv4/netfilter/nf_nat_core.c
--- v2.6.27/linux/net/ipv4/netfilter/nf_nat_core.c	2008-10-11 12:46:16.000000000 +0300
+++ linux/net/ipv4/netfilter/nf_nat_core.c	2008-10-11 13:51:37.000000000 +0300
@@ -583,6 +583,52 @@ static struct nf_ct_ext_type nat_extend 
 	.flags		= NF_CT_EXT_F_PREALLOC,
 };
 
+unsigned int
+ip_nat_route_input(unsigned int hooknum,
+		struct sk_buff *skb,
+		const struct net_device *in,
+		const struct net_device *out,
+		int (*okfn)(struct sk_buff *))
+{
+	struct iphdr *iph;
+	struct nf_conn *conn;
+	enum ip_conntrack_info ctinfo;
+	enum ip_conntrack_dir dir;
+	unsigned long statusbit;
+	__be32 saddr;
+
+	if (!(conn = nf_ct_get(skb, &ctinfo)))
+		return NF_ACCEPT;
+
+	if (!(conn->status & IPS_NAT_DONE_MASK))
+		return NF_ACCEPT;
+	dir = CTINFO2DIR(ctinfo);
+	statusbit = IPS_SRC_NAT;
+	if (dir == IP_CT_DIR_REPLY)
+		statusbit ^= IPS_NAT_MASK;
+	if (!(conn->status & statusbit))
+		return NF_ACCEPT;
+
+	if (skb->dst)
+		return NF_ACCEPT;
+
+	if (skb->len < sizeof(struct iphdr))
+		return NF_ACCEPT;
+
+	/* use daddr in other direction as masquerade address (lsrc) */
+	iph = ip_hdr(skb);
+	saddr = conn->tuplehash[!dir].tuple.dst.u3.ip;
+	if (saddr == iph->saddr)
+		return NF_ACCEPT;
+
+	if (ip_route_input_lookup(skb, iph->daddr, iph->saddr, iph->tos,
+	    skb->dev, saddr))
+		return NF_DROP;
+
+	return NF_ACCEPT;
+}
+EXPORT_SYMBOL_GPL(ip_nat_route_input);
+
 static int __init nf_nat_init(void)
 {
 	size_t i;
diff -urp v2.6.27/linux/net/ipv4/netfilter/nf_nat_standalone.c linux/net/ipv4/netfilter/nf_nat_standalone.c
--- v2.6.27/linux/net/ipv4/netfilter/nf_nat_standalone.c	2008-07-14 09:58:50.000000000 +0300
+++ linux/net/ipv4/netfilter/nf_nat_standalone.c	2008-10-11 13:51:37.000000000 +0300
@@ -256,6 +256,14 @@ static struct nf_hook_ops nf_nat_ops[] _
 		.hooknum	= NF_INET_PRE_ROUTING,
 		.priority	= NF_IP_PRI_NAT_DST,
 	},
+	/* Before routing, route before mangling */
+	{
+		.hook		= ip_nat_route_input,
+		.owner		= THIS_MODULE,
+		.pf		= PF_INET,
+		.hooknum	= NF_INET_PRE_ROUTING,
+		.priority	= NF_IP_PRI_LAST-1,
+	},
 	/* After packet filtering, change source */
 	{
 		.hook		= nf_nat_out,
diff -urp v2.6.27/linux/net/ipv4/route.c linux/net/ipv4/route.c
--- v2.6.27/linux/net/ipv4/route.c	2008-10-11 12:46:16.000000000 +0300
+++ linux/net/ipv4/route.c	2008-10-11 13:51:37.000000000 +0300
@@ -1276,6 +1276,7 @@ void ip_rt_redirect(__be32 old_gw, __be3
 
 				/* Gateway is different ... */
 				rt->rt_gateway		= new_gw;
+				if (rt->fl.fl4_gw) rt->fl.fl4_gw = new_gw;
 
 				/* Redirect received -> path was valid */
 				dst_confirm(&rth->u.dst);
@@ -1725,6 +1726,7 @@ static int ip_route_input_mc(struct sk_b
 	rth->fl.fl4_tos	= tos;
 	rth->fl.mark    = skb->mark;
 	rth->fl.fl4_src	= saddr;
+	rth->fl.fl4_lsrc = 0;
 	rth->rt_src	= saddr;
 #ifdef CONFIG_NET_CLS_ROUTE
 	rth->u.dst.tclassid = itag;
@@ -1735,6 +1737,7 @@ static int ip_route_input_mc(struct sk_b
 	dev_hold(rth->u.dst.dev);
 	rth->idev	= in_dev_get(rth->u.dst.dev);
 	rth->fl.oif	= 0;
+	rth->fl.fl4_gw	= 0;
 	rth->rt_gateway	= daddr;
 	rth->rt_spec_dst= spec_dst;
 	rth->rt_genid	= rt_genid(dev_net(dev));
@@ -1800,7 +1803,7 @@ static int __mkroute_input(struct sk_buf
 			   struct fib_result *res,
 			   struct in_device *in_dev,
 			   __be32 daddr, __be32 saddr, u32 tos,
-			   struct rtable **result)
+			   __be32 lsrc, struct rtable **result)
 {
 
 	struct rtable *rth;
@@ -1834,6 +1837,7 @@ static int __mkroute_input(struct sk_buf
 		flags |= RTCF_DIRECTSRC;
 
 	if (out_dev == in_dev && err &&
+	    !lsrc &&
 	    (IN_DEV_SHARED_MEDIA(out_dev) ||
 	     inet_addr_onlink(out_dev, saddr, FIB_RES_GW(*res))))
 		flags |= RTCF_DOREDIRECT;
@@ -1867,6 +1871,7 @@ static int __mkroute_input(struct sk_buf
 	rth->fl.mark    = skb->mark;
 	rth->fl.fl4_src	= saddr;
 	rth->rt_src	= saddr;
+	rth->fl.fl4_lsrc	= lsrc;
 	rth->rt_gateway	= daddr;
 	rth->rt_iif 	=
 		rth->fl.iif	= in_dev->dev->ifindex;
@@ -1874,6 +1879,7 @@ static int __mkroute_input(struct sk_buf
 	dev_hold(rth->u.dst.dev);
 	rth->idev	= in_dev_get(rth->u.dst.dev);
 	rth->fl.oif 	= 0;
+	rth->fl.fl4_gw	= 0;
 	rth->rt_spec_dst= spec_dst;
 
 	rth->u.dst.input = ip_forward;
@@ -1894,21 +1900,23 @@ static int __mkroute_input(struct sk_buf
 
 static int ip_mkroute_input(struct sk_buff *skb,
 			    struct fib_result *res,
+			    struct net *net,
 			    const struct flowi *fl,
 			    struct in_device *in_dev,
-			    __be32 daddr, __be32 saddr, u32 tos)
+			    __be32 daddr, __be32 saddr, u32 tos, __be32 lsrc)
 {
 	struct rtable* rth = NULL;
 	int err;
 	unsigned hash;
 
+	fib_select_default(net, fl, res);
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
-	if (res->fi && res->fi->fib_nhs > 1 && fl->oif == 0)
+	if (res->fi && res->fi->fib_nhs > 1)
 		fib_select_multipath(fl, res);
 #endif
 
 	/* create a routing cache entry */
-	err = __mkroute_input(skb, res, in_dev, daddr, saddr, tos, &rth);
+	err = __mkroute_input(skb, res, in_dev, daddr, saddr, tos, lsrc, &rth);
 	if (err)
 		return err;
 
@@ -1929,18 +1937,19 @@ static int ip_mkroute_input(struct sk_bu
  */
 
 static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-			       u8 tos, struct net_device *dev)
+			       u8 tos, struct net_device *dev, __be32 lsrc)
 {
 	struct fib_result res;
 	struct in_device *in_dev = in_dev_get(dev);
 	struct flowi fl = { .nl_u = { .ip4_u =
 				      { .daddr = daddr,
-					.saddr = saddr,
+					.saddr = lsrc? : saddr,
 					.tos = tos,
 					.scope = RT_SCOPE_UNIVERSE,
 				      } },
 			    .mark = skb->mark,
-			    .iif = dev->ifindex };
+			    .iif = lsrc?
+				dev_net(dev)->loopback_dev->ifindex : dev->ifindex };
 	unsigned	flags = 0;
 	u32		itag = 0;
 	struct rtable * rth;
@@ -1976,6 +1985,12 @@ static int ip_route_input_slow(struct sk
 	    ipv4_is_loopback(daddr))
 		goto martian_destination;
 
+	if (lsrc) {
+		if (ipv4_is_multicast(lsrc) || ipv4_is_lbcast(lsrc) ||
+		    ipv4_is_zeronet(lsrc) || ipv4_is_loopback(lsrc))
+			goto e_inval;
+	}
+
 	/*
 	 *	Now we are ready to route packet.
 	 */
@@ -1985,6 +2000,8 @@ static int ip_route_input_slow(struct sk
 		goto no_route;
 	}
 	free_res = 1;
+	fl.iif = dev->ifindex;
+	fl.fl4_src = saddr;
 
 	RT_CACHE_STAT_INC(in_slow_tot);
 
@@ -2009,7 +2026,7 @@ static int ip_route_input_slow(struct sk
 	if (res.type != RTN_UNICAST)
 		goto martian_destination;
 
-	err = ip_mkroute_input(skb, &res, &fl, in_dev, daddr, saddr, tos);
+	err = ip_mkroute_input(skb, &res, net, &fl, in_dev, daddr, saddr, tos, lsrc);
 done:
 	in_dev_put(in_dev);
 	if (free_res)
@@ -2019,6 +2036,8 @@ out:	return err;
 brd_input:
 	if (skb->protocol != htons(ETH_P_IP))
 		goto e_inval;
+	if (lsrc)
+		goto e_inval;
 
 	if (ipv4_is_zeronet(saddr))
 		spec_dst = inet_select_addr(dev, 0, RT_SCOPE_LINK);
@@ -2060,6 +2079,7 @@ local_input:
 	rth->u.dst.dev	= net->loopback_dev;
 	dev_hold(rth->u.dst.dev);
 	rth->idev	= in_dev_get(rth->u.dst.dev);
+	rth->fl.fl4_gw	= 0;
 	rth->rt_gateway	= daddr;
 	rth->rt_spec_dst= spec_dst;
 	rth->u.dst.input= ip_local_deliver;
@@ -2111,8 +2131,9 @@ martian_source:
 	goto e_inval;
 }
 
-int ip_route_input(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-		   u8 tos, struct net_device *dev)
+static inline int
+ip_route_input_cached(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+		   u8 tos, struct net_device *dev, __be32 lsrc)
 {
 	struct rtable * rth;
 	unsigned	hash;
@@ -2129,6 +2150,7 @@ int ip_route_input(struct sk_buff *skb, 
 		if (((rth->fl.fl4_dst ^ daddr) |
 		     (rth->fl.fl4_src ^ saddr) |
 		     (rth->fl.iif ^ iif) |
+		     (rth->fl.fl4_lsrc ^ lsrc) |
 		     rth->fl.oif |
 		     (rth->fl.fl4_tos ^ tos)) == 0 &&
 		    rth->fl.mark == skb->mark &&
@@ -2176,7 +2198,19 @@ int ip_route_input(struct sk_buff *skb, 
 		rcu_read_unlock();
 		return -EINVAL;
 	}
-	return ip_route_input_slow(skb, daddr, saddr, tos, dev);
+	return ip_route_input_slow(skb, daddr, saddr, tos, dev, lsrc);
+}
+
+int ip_route_input(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+		   u8 tos, struct net_device *dev)
+{
+	return ip_route_input_cached(skb, daddr, saddr, tos, dev, 0);
+}
+
+int ip_route_input_lookup(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+			  u8 tos, struct net_device *dev, __be32 lsrc)
+{
+	return ip_route_input_cached(skb, daddr, saddr, tos, dev, lsrc);
 }
 
 static int __mkroute_output(struct rtable **result,
@@ -2248,6 +2282,7 @@ static int __mkroute_output(struct rtabl
 	rth->fl.fl4_tos	= tos;
 	rth->fl.fl4_src	= oldflp->fl4_src;
 	rth->fl.oif	= oldflp->oif;
+	rth->fl.fl4_gw	= oldflp->fl4_gw;
 	rth->fl.mark    = oldflp->mark;
 	rth->rt_dst	= fl->fl4_dst;
 	rth->rt_src	= fl->fl4_src;
@@ -2329,6 +2364,7 @@ static int ip_route_output_slow(struct n
 	struct flowi fl = { .nl_u = { .ip4_u =
 				      { .daddr = oldflp->fl4_dst,
 					.saddr = oldflp->fl4_src,
+					.gw = oldflp->fl4_gw,
 					.tos = tos & IPTOS_RT_MASK,
 					.scope = ((tos & RTO_ONLINK) ?
 						  RT_SCOPE_LINK :
@@ -2434,6 +2470,7 @@ static int ip_route_output_slow(struct n
 		dev_out = net->loopback_dev;
 		dev_hold(dev_out);
 		fl.oif = net->loopback_dev->ifindex;
+		fl.fl4_gw = 0;
 		res.type = RTN_LOCAL;
 		flags |= RTCF_LOCAL;
 		goto make_route;
@@ -2441,7 +2478,7 @@ static int ip_route_output_slow(struct n
 
 	if (fib_lookup(net, &fl, &res)) {
 		res.fi = NULL;
-		if (oldflp->oif) {
+		if (oldflp->oif && dev_out->flags & IFF_UP) {
 			/* Apparently, routing tables are wrong. Assume,
 			   that the destination is on link.
 
@@ -2481,6 +2518,7 @@ static int ip_route_output_slow(struct n
 		dev_out = net->loopback_dev;
 		dev_hold(dev_out);
 		fl.oif = dev_out->ifindex;
+		fl.fl4_gw = 0;
 		if (res.fi)
 			fib_info_put(res.fi);
 		res.fi = NULL;
@@ -2488,13 +2526,12 @@ static int ip_route_output_slow(struct n
 		goto make_route;
 	}
 
+	if (res.type == RTN_UNICAST)
+		fib_select_default(net, &fl, &res);
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
-	if (res.fi->fib_nhs > 1 && fl.oif == 0)
+	if (res.fi->fib_nhs > 1)
 		fib_select_multipath(&fl, &res);
-	else
 #endif
-	if (!res.prefixlen && res.type == RTN_UNICAST && !fl.oif)
-		fib_select_default(net, &fl, &res);
 
 	if (!fl.fl4_src)
 		fl.fl4_src = FIB_RES_PREFSRC(res);
@@ -2532,6 +2569,7 @@ int __ip_route_output_key(struct net *ne
 		    rth->fl.fl4_src == flp->fl4_src &&
 		    rth->fl.iif == 0 &&
 		    rth->fl.oif == flp->oif &&
+		    rth->fl.fl4_gw == flp->fl4_gw &&
 		    rth->fl.mark == flp->mark &&
 		    !((rth->fl.fl4_tos ^ flp->fl4_tos) &
 			    (IPTOS_RT_MASK | RTO_ONLINK)) &&
@@ -3310,3 +3348,4 @@ void __init ip_static_sysctl_init(void)
 EXPORT_SYMBOL(__ip_select_ident);
 EXPORT_SYMBOL(ip_route_input);
 EXPORT_SYMBOL(ip_route_output_key);
+EXPORT_SYMBOL(ip_route_input_lookup);