Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Replace unnecessary list_for_each_entry_continue() in nf_tables,
   from Jakob Koschel.

2) Add struct nf_conntrack_net_ecache to conntrack event cache and
   use it, from Florian Westphal.

3) Refactor ctnetlink_dump_list(), also from Florian.

4) Bump module reference counter on cttimeout object addition/removal,
   from Florian.

5) Consolidate nf_log MAC printer, from Phil Sutter.

6) Add basic logging support for unknown ethertype, from Phil Sutter.

7) Consolidate check for sysctl nf_log_all_netns toggle, also from Phil.

8) Replace hardcode value in nft_bitwise, from Jeremy Sowden.

9) Rename BASIC-like goto tags in nft_bitwise to more meaningful names,
   also from Jeremy.

10) nft_fib support for reverse path filtering with policy-based routing
    on iif. Extend selftests to cover for this new usecase, from Florian.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --combined net/netfilter/nf_tables_api.c
index 128ee3b300d610d0993886b69f2b1971ddd4a92a,060aa56e54d9b12a039da9a17fb5c7d11781fa0d..217006faebded20ed0f13a57191909825ec940d8
--- 1/net/netfilter/nf_tables_api.c
--- 2/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@@ -5526,7 -5526,7 +5526,7 @@@ int nft_set_elem_expr_clone(const struc
        int err, i, k;
  
        for (i = 0; i < set->num_exprs; i++) {
 -              expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL);
 +              expr = kzalloc(set->exprs[i]->ops->size, GFP_KERNEL_ACCOUNT);
                if (!expr)
                        goto err_expr;
  
@@@ -8367,10 -8367,8 +8367,8 @@@ static int nf_tables_commit_chain_prepa
        if (chain->blob_next || !nft_is_active_next(net, chain))
                return 0;
  
-       rule = list_entry(&chain->rules, struct nft_rule, list);
- 
        data_size = 0;
-       list_for_each_entry_continue(rule, &chain->rules, list) {
+       list_for_each_entry(rule, &chain->rules, list) {
                if (nft_is_active_next(net, rule)) {
                        data_size += sizeof(*prule) + rule->dlen;
                        if (data_size > INT_MAX)
@@@ -8387,7 -8385,7 +8385,7 @@@
        data_boundary = data + data_size;
        size = 0;
  
-       list_for_each_entry_continue(rule, &chain->rules, list) {
+       list_for_each_entry(rule, &chain->rules, list) {
                if (!nft_is_active_next(net, rule))
                        continue;
  

diff --combined net/netfilter/nft_bitwise.c
index f590ee1c8a1be46e59c20ca3ab0d9faa23b7dc5b,d72143622f22e0b5800ee1263a8198c711c81101..83590afe3768e1f13a5868b6210fb0916ecb25da
--- 1/net/netfilter/nft_bitwise.c
--- 2/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@@ -30,7 -30,7 +30,7 @@@ static void nft_bitwise_eval_bool(u32 *
  {
        unsigned int i;
  
-       for (i = 0; i < DIV_ROUND_UP(priv->len, 4); i++)
+       for (i = 0; i < DIV_ROUND_UP(priv->len, sizeof(u32)); i++)
                dst[i] = (src[i] & priv->mask.data[i]) ^ priv->xor.data[i];
  }
  
@@@ -109,22 -109,23 +109,23 @@@ static int nft_bitwise_init_bool(struc
                return err;
        if (mask.type != NFT_DATA_VALUE || mask.len != priv->len) {
                err = -EINVAL;
-               goto err1;
+               goto err_mask_release;
        }
  
        err = nft_data_init(NULL, &priv->xor, sizeof(priv->xor), &xor,
                            tb[NFTA_BITWISE_XOR]);
        if (err < 0)
-               goto err1;
+               goto err_mask_release;
        if (xor.type != NFT_DATA_VALUE || xor.len != priv->len) {
                err = -EINVAL;
-               goto err2;
+               goto err_xor_release;
        }
  
        return 0;
- err2:
+ 
+ err_xor_release:
        nft_data_release(&priv->xor, xor.type);
- err1:
+ err_mask_release:
        nft_data_release(&priv->mask, mask.type);
        return err;
  }
@@@ -290,7 -291,7 +291,7 @@@ static bool nft_bitwise_reduce(struct n
        if (!track->regs[priv->sreg].selector)
                return false;
  
 -      bitwise = nft_expr_priv(expr);
 +      bitwise = nft_expr_priv(track->regs[priv->dreg].selector);
        if (track->regs[priv->sreg].selector == track->regs[priv->dreg].selector &&
            track->regs[priv->sreg].num_reg == 0 &&
            track->regs[priv->dreg].bitwise &&
@@@ -442,7 -443,7 +443,7 @@@ static bool nft_bitwise_fast_reduce(str
        if (!track->regs[priv->sreg].selector)
                return false;
  
 -      bitwise = nft_expr_priv(expr);
 +      bitwise = nft_expr_priv(track->regs[priv->dreg].selector);
        if (track->regs[priv->sreg].selector == track->regs[priv->dreg].selector &&
            track->regs[priv->dreg].bitwise &&
            track->regs[priv->dreg].bitwise->ops == expr->ops &&