5 files changed, 52 insertions, 11 deletions

diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 68f8128147be..5ca74a0e595f 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -3,6 +3,7 @@
 #
 #
 config NF_TABLES_BRIDGE
+        depends on NF_TABLES
         tristate "Ethernet Bridge nf_tables support"
 
 menuconfig BRIDGE_NF_EBTABLES
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index e8cb016fa34d..cf54b22818c8 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -47,14 +48,50 @@ static struct pernet_operations nf_tables_bridge_net_ops = {
         .exit   = nf_tables_bridge_exit_net,
 };
 
+static unsigned int
+nft_do_chain_bridge(const struct nf_hook_ops *ops,
+                    struct sk_buff *skb,
+                    const struct net_device *in,
+                    const struct net_device *out,
+                    int (*okfn)(struct sk_buff *))
+{
+        struct nft_pktinfo pkt;
+
+        nft_set_pktinfo(&pkt, ops, skb, in, out);
+
+        return nft_do_chain_pktinfo(&pkt, ops);
+}
+
+static struct nf_chain_type filter_bridge = {
+        .family         = NFPROTO_BRIDGE,
+        .name           = "filter",
+        .type           = NFT_CHAIN_T_DEFAULT,
+        .hook_mask      = (1 << NF_BR_LOCAL_IN) |
+                          (1 << NF_BR_FORWARD) |
+                          (1 << NF_BR_LOCAL_OUT),
+        .fn             = {
+                [NF_BR_LOCAL_IN]        = nft_do_chain_bridge,
+                [NF_BR_FORWARD]         = nft_do_chain_bridge,
+                [NF_BR_LOCAL_OUT]       = nft_do_chain_bridge,
+        },
+};
+
 static int __init nf_tables_bridge_init(void)
 {
-        return register_pernet_subsys(&nf_tables_bridge_net_ops);
+        int ret;
+
+        nft_register_chain_type(&filter_bridge);
+        ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
+        if (ret < 0)
+                nft_unregister_chain_type(&filter_bridge);
+
+        return ret;
 }
 
 static void __exit nf_tables_bridge_exit(void)
 {
-        return unregister_pernet_subsys(&nf_tables_bridge_net_ops);
+        unregister_pernet_subsys(&nf_tables_bridge_net_ops);
+        nft_unregister_chain_type(&filter_bridge);
 }
 
 module_init(nf_tables_bridge_init);
diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c
index 8f7536be1322..0f4cbfeb19bd 100644
--- a/net/ipv4/netfilter/nf_tables_ipv4.c
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -16,7 +16,6 @@
 #include <net/netfilter/nf_tables.h>
 #include <net/net_namespace.h>
 #include <net/ip.h>
-#include <net/net_namespace.h>
 #include <net/netfilter/nf_tables_ipv4.h>
 
 static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 4811f762e060..a82667c64729 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -634,9 +634,9 @@ nft_match_select_ops(const struct nft_ctx *ctx,
 
 static void nft_match_release(void)
 {
-        struct nft_xt *nft_match;
+        struct nft_xt *nft_match, *tmp;
 
-        list_for_each_entry(nft_match, &nft_match_list, head)
+        list_for_each_entry_safe(nft_match, tmp, &nft_match_list, head)
                 kfree(nft_match);
 }
 
@@ -705,9 +705,9 @@ nft_target_select_ops(const struct nft_ctx *ctx,
 
 static void nft_target_release(void)
 {
-        struct nft_xt *nft_target;
+        struct nft_xt *nft_target, *tmp;
 
-        list_for_each_entry(nft_target, &nft_target_list, head)
+        list_for_each_entry_safe(nft_target, tmp, &nft_target_list, head)
                 kfree(nft_target);
 }
 
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index b0b87b2d2411..d3b1ffe26181 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -47,8 +47,10 @@ static void nft_nat_eval(const struct nft_expr *expr,
         memset(&range, 0, sizeof(range));
         if (priv->sreg_addr_min) {
                 if (priv->family == AF_INET) {
-                        range.min_addr.ip = data[priv->sreg_addr_min].data[0];
-                        range.max_addr.ip = data[priv->sreg_addr_max].data[0];
+                        range.min_addr.ip = (__force __be32)
+                                        data[priv->sreg_addr_min].data[0];
+                        range.max_addr.ip = (__force __be32)
+                                        data[priv->sreg_addr_max].data[0];
 
                 } else {
                         memcpy(range.min_addr.ip6,
@@ -62,8 +64,10 @@ static void nft_nat_eval(const struct nft_expr *expr,
         }
 
         if (priv->sreg_proto_min) {
-                range.min_proto.all = data[priv->sreg_proto_min].data[0];
-                range.max_proto.all = data[priv->sreg_proto_max].data[0];
+                range.min_proto.all = (__force __be16)
+                                        data[priv->sreg_proto_min].data[0];
+                range.max_proto.all = (__force __be16)
+                                        data[priv->sreg_proto_max].data[0];
                 range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
         }