Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree,
they are:

* Fix nf_trace in nftables if XT_TRACE=n, from Florian Westphal.

* Don't use the fast payload operation in nf_tables if the length is
  not power of 2 or it is not aligned, from Nikolay Aleksandrov.

* Fix missing break statement the inet flavour of nft_reject, which
  results in evaluating IPv4 packets with the IPv6 evaluation routine,
  from Patrick McHardy.

* Fix wrong kconfig symbol in nft_meta to match the routing realm,
  from Paul Bolle.

* Allocate the NAT null binding when creating new conntracks via
  ctnetlink to avoid that several packets race at initializing the
  the conntrack NAT extension, original patch from Florian Westphal,
  revisited version from me.

* Fix DNAT handling in the snmp NAT helper, the same handling was being
  done for SNAT and DNAT and 2.4 already contains that fix, from
  Francois-Xavier Le Bail.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --combined include/linux/skbuff.h
index 3ebbbe7b6d05fadbccaf66bac9ad1d8cfe7c5c17,d40d40b2915b217930f77f2501656908e5a78459..5e1e6f2d98c2ae5b45b8a3ec5565eb793e840a68
--- 1/include/linux/skbuff.h
--- 2/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@@ -2725,7 -2725,7 +2725,7 @@@ static inline void nf_reset(struct sk_b
  
  static inline void nf_reset_trace(struct sk_buff *skb)
  {
- #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
+ #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
        skb->nf_trace = 0;
  #endif
  }
@@@ -2742,6 -2742,9 +2742,9 @@@ static inline void __nf_copy(struct sk_
        dst->nf_bridge  = src->nf_bridge;
        nf_bridge_get(src->nf_bridge);
  #endif
+ #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE) || defined(CONFIG_NF_TABLES)
+       dst->nf_trace = src->nf_trace;
+ #endif
  }
  
  static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src)
@@@ -2916,22 -2919,5 +2919,22 @@@ static inline bool skb_head_is_locked(c
  {
        return !skb->head_frag || skb_cloned(skb);
  }
 +
 +/**
 + * skb_gso_network_seglen - Return length of individual segments of a gso packet
 + *
 + * @skb: GSO skb
 + *
 + * skb_gso_network_seglen is used to determine the real size of the
 + * individual segments, including Layer3 (IP, IPv6) and L4 headers (TCP/UDP).
 + *
 + * The MAC/L2 header is not accounted for.
 + */
 +static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
 +{
 +      unsigned int hdr_len = skb_transport_header(skb) -
 +                             skb_network_header(skb);
 +      return hdr_len + skb_gso_transport_seglen(skb);
 +}
  #endif        /* __KERNEL__ */
  #endif        /* _LINUX_SKBUFF_H */

diff --combined net/ipv6/ip6_output.c
index 070a2fae2375cd5f6c4ad8109887dc6236ee5b08,4cfbe0f3793a7ed5dcdd518ea0e38f021aa70e08..16f91a2e788819b6b1755ef65a98c8cb699e0597
--- 1/net/ipv6/ip6_output.c
--- 2/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@@ -342,20 -342,6 +342,20 @@@ static unsigned int ip6_dst_mtu_forward
        return mtu;
  }
  
 +static bool ip6_pkt_too_big(const struct sk_buff *skb, unsigned int mtu)
 +{
 +      if (skb->len <= mtu || skb->local_df)
 +              return false;
 +
 +      if (IP6CB(skb)->frag_max_size && IP6CB(skb)->frag_max_size > mtu)
 +              return true;
 +
 +      if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
 +              return false;
 +
 +      return true;
 +}
 +
  int ip6_forward(struct sk_buff *skb)
  {
        struct dst_entry *dst = skb_dst(skb);
@@@ -480,7 -466,8 +480,7 @@@
        if (mtu < IPV6_MIN_MTU)
                mtu = IPV6_MIN_MTU;
  
 -      if ((!skb->local_df && skb->len > mtu && !skb_is_gso(skb)) ||
 -          (IP6CB(skb)->frag_max_size && IP6CB(skb)->frag_max_size > mtu)) {
 +      if (ip6_pkt_too_big(skb, mtu)) {
                /* Again, force OUTPUT device used as source address */
                skb->dev = dst->dev;
                icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
@@@ -530,9 -517,6 +530,6 @@@ static void ip6_copy_metadata(struct sk
        to->tc_index = from->tc_index;
  #endif
        nf_copy(to, from);
- #if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
-       to->nf_trace = from->nf_trace;
- #endif
        skb_copy_secmark(to, from);
  }