Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
If time allows, please consider pulling the following patchset contains two
late Netfilter fixes, they are:

* Skip broadcast/multicast locally generated traffic in the rpfilter,
  (closes netfilter bugzilla #814), from Florian Westphal.

* Fix missing elements in the listing of ipset bitmap ip,mac set
  type with timeout support enabled, from Jozsef Kadlecsik.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 19 insertions, 3 deletions

diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index c30130062cd6..c49dcd0284a0 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -66,6 +66,12 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
         return dev_match;
 }
 
+static bool rpfilter_is_local(const struct sk_buff *skb)
+{
+        const struct rtable *rt = skb_rtable(skb);
+        return rt && (rt->rt_flags & RTCF_LOCAL);
+}
+
 static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
         const struct xt_rpfilter_info *info;
@@ -76,7 +82,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
         info = par->matchinfo;
         invert = info->flags & XT_RPFILTER_INVERT;
 
-        if (par->in->flags & IFF_LOOPBACK)
+        if (rpfilter_is_local(skb))
                 return true ^ invert;
 
         iph = ip_hdr(skb);
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index 5060d54199ab..e0983f3648a6 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -71,6 +71,12 @@ static bool rpfilter_lookup_reverse6(const struct sk_buff *skb,
         return ret;
 }
 
+static bool rpfilter_is_local(const struct sk_buff *skb)
+{
+        const struct rt6_info *rt = (const void *) skb_dst(skb);
+        return rt && (rt->rt6i_flags & RTF_LOCAL);
+}
+
 static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
         const struct xt_rpfilter_info *info = par->matchinfo;
@@ -78,7 +84,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
         struct ipv6hdr *iph;
         bool invert = info->flags & XT_RPFILTER_INVERT;
 
-        if (par->in->flags & IFF_LOOPBACK)
+        if (rpfilter_is_local(skb))
                 return true ^ invert;
 
         iph = ipv6_hdr(skb);
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 0f92dc24cb89..d7df6ac2c6f1 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -339,7 +339,11 @@ bitmap_ipmac_tlist(const struct ip_set *set,
 nla_put_failure:
         nla_nest_cancel(skb, nested);
         ipset_nest_end(skb, atd);
-        return -EMSGSIZE;
+        if (unlikely(id == first)) {
+                cb->args[2] = 0;
+                return -EMSGSIZE;
+        }
+        return 0;
 }
 
 static int