Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree, a
rather large batch of fixes targeted to nf_tables, conntrack and bridge
netfilter. More specifically, they are:

1) Don't track fragmented packets if the socket option IP_NODEFRAG is set.
   From Florian Westphal.

2) SCTP protocol tracker assumes that ICMP error messages contain the
   checksum field, what results in packet drops. From Ying Xue.

3) Fix inconsistent handling of AH traffic from nf_tables.

4) Fix new bitmap set representation with big endian. Fix mismatches in
   nf_tables due to incorrect big endian handling too. Both patches
   from Liping Zhang.

5) Bridge netfilter doesn't honor maximum fragment size field, cap to
   largest fragment seen. From Florian Westphal.

6) Fake conntrack entry needs to be aligned to 8 bytes since the 3 LSB
   bits are now used to store the ctinfo. From Steven Rostedt.

7) Fix element comments with the bitmap set type. Revert the flush
   field in the nft_set_iter structure, not required anymore after
   fixing up element comments.

8) Missing error on invalid conntrack direction from nft_ct, also from
   Liping Zhang.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --combined net/bridge/br_netfilter_hooks.c
index fa87fbd62bb788a27b8fd749d59c292aedd4fb69,3c5185021c1c0d3d8d5ba42a898bc328c4696d47..1f1e62095464f99eaca8de49a772289f057bd943
--- 1/net/bridge/br_netfilter_hooks.c
--- 2/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@@ -521,6 -521,21 +521,6 @@@ static unsigned int br_nf_pre_routing(v
  }
  
  
 -/* PF_BRIDGE/LOCAL_IN ************************************************/
 -/* The packet is locally destined, which requires a real
 - * dst_entry, so detach the fake one.  On the way up, the
 - * packet would pass through PRE_ROUTING again (which already
 - * took place when the packet entered the bridge), but we
 - * register an IPv4 PRE_ROUTING 'sabotage' hook that will
 - * prevent this from happening. */
 -static unsigned int br_nf_local_in(void *priv,
 -                                 struct sk_buff *skb,
 -                                 const struct nf_hook_state *state)
 -{
 -      br_drop_fake_rtable(skb);
 -      return NF_ACCEPT;
 -}
 -
  /* PF_BRIDGE/FORWARD *************************************************/
  static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
  {
@@@ -706,18 -721,20 +706,20 @@@ static unsigned int nf_bridge_mtu_reduc
  
  static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
  {
-       struct nf_bridge_info *nf_bridge;
-       unsigned int mtu_reserved;
+       struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
+       unsigned int mtu, mtu_reserved;
  
        mtu_reserved = nf_bridge_mtu_reduction(skb);
+       mtu = skb->dev->mtu;
+ 
+       if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
+               mtu = nf_bridge->frag_max_size;
  
-       if (skb_is_gso(skb) || skb->len + mtu_reserved <= skb->dev->mtu) {
+       if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) {
                nf_bridge_info_free(skb);
                return br_dev_queue_push_xmit(net, sk, skb);
        }
  
-       nf_bridge = nf_bridge_info_get(skb);
- 
        /* This is wrong! We should preserve the original fragment
         * boundaries by preserving frag_list rather than refragmenting.
         */
@@@ -892,6 -909,12 +894,6 @@@ static struct nf_hook_ops br_nf_ops[] _
                .hooknum = NF_BR_PRE_ROUTING,
                .priority = NF_BR_PRI_BRNF,
        },
 -      {
 -              .hook = br_nf_local_in,
 -              .pf = NFPROTO_BRIDGE,
 -              .hooknum = NF_BR_LOCAL_IN,
 -              .priority = NF_BR_PRI_BRNF,
 -      },
        {
                .hook = br_nf_forward_ip,
                .pf = NFPROTO_BRIDGE,