4 files changed, 25 insertions, 4 deletions

diff --git a/include/net/ip.h b/include/net/ip.h
index e6b9d12d5f62..85108cfbb1ae 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -337,6 +337,7 @@ enum ip_defrag_users {
         IP_DEFRAG_CALL_RA_CHAIN,
         IP_DEFRAG_CONNTRACK_IN,
         IP_DEFRAG_CONNTRACK_OUT,
+        IP_DEFRAG_CONNTRACK_BRIDGE_IN,
         IP_DEFRAG_VS_IN,
         IP_DEFRAG_VS_OUT,
         IP_DEFRAG_VS_FWD
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index d6916035bcea..ccab5946c830 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -354,6 +354,7 @@ enum ip6_defrag_users {
         IP6_DEFRAG_LOCAL_DELIVER,
         IP6_DEFRAG_CONNTRACK_IN,
         IP6_DEFRAG_CONNTRACK_OUT,
+        IP6_DEFRAG_CONNTRACK_BRIDGE_IN,
 };
 
 struct ip6_create_arg {
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index fa2d6b6fc3e5..331ead3ebd1b 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -14,6 +14,7 @@
 #include <net/route.h>
 #include <net/ip.h>
 
+#include <linux/netfilter_bridge.h>
 #include <linux/netfilter_ipv4.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
 
@@ -34,6 +35,20 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
         return err;
 }
 
+static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
+                                              struct sk_buff *skb)
+{
+#ifdef CONFIG_BRIDGE_NETFILTER
+        if (skb->nf_bridge &&
+            skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
+                return IP_DEFRAG_CONNTRACK_BRIDGE_IN;
+#endif
+        if (hooknum == NF_INET_PRE_ROUTING)
+                return IP_DEFRAG_CONNTRACK_IN;
+        else
+                return IP_DEFRAG_CONNTRACK_OUT;
+}
+
 static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
                                           struct sk_buff *skb,
                                           const struct net_device *in,
@@ -50,10 +65,8 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
 #endif
         /* Gather fragments. */
         if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
-                if (nf_ct_ipv4_gather_frags(skb,
-                                            hooknum == NF_INET_PRE_ROUTING ?
-                                            IP_DEFRAG_CONNTRACK_IN :
-                                            IP_DEFRAG_CONNTRACK_OUT))
+                enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);
+                if (nf_ct_ipv4_gather_frags(skb, user))
                         return NF_STOLEN;
         }
         return NF_ACCEPT;
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index c0a82fe78321..0956ebabbff2 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -20,6 +20,7 @@
 #include <net/ipv6.h>
 #include <net/inet_frag.h>
 
+#include <linux/netfilter_bridge.h>
 #include <linux/netfilter_ipv6.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_helper.h>
@@ -190,6 +191,11 @@ out:
 static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
                                                 struct sk_buff *skb)
 {
+#ifdef CONFIG_BRIDGE_NETFILTER
+        if (skb->nf_bridge &&
+            skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
+                return IP6_DEFRAG_CONNTRACK_BRIDGE_IN;
+#endif
         if (hooknum == NF_INET_PRE_ROUTING)
                 return IP6_DEFRAG_CONNTRACK_IN;
         else