Hi,

This patchset adds native connection tracking support for the bridge.

Patch #1 and #2 extract code from the IPv4/IPv6 fragmentation core and introduce the fraglist splitter. That splits a skbuff fraglist into independent fragments.

Patch #3 and #4 also extract code from the IPv4/IPv6 fragmentation core and introduce the skbuff into fragments transformer. This can be used by linearized skbuffs (e.g. coming from nfqueue and ct helpers) as well as cloned skbuffs (that are seen either with taps or with bridge port flooding).

Patch #5 moves the specific IPCB() code from these new fragment splitter/transformer APIs into the IPv4 stack. The bridge has a different control buffer layout and it starts using these new APIs in this patchset.

Patch #6 adds basic infrastructure that allows registering bridge conntrack support.

Patch #7 adds bridge conntrack support (only for IPv4 in this patch).

Patch #8 adds IPv6 support for the bridge conntrack support.

Patch #9 registers the IPv4/IPv6 conntrack hooks in case the bridge conntrack is used to deal with local traffic, i.e. the prerouting -> input bridge hook path. This covers the scenario where the bridge interface has an IP address.

Before this patchset, the only chance for people to do stateful filtering is to use the `br_netfilter` emulation layer, that turns bridge frames into IPv4/IPv6 packets and injects them into the IPv4/IPv6 hooks. Apparently, this module allows users to use iptables and all of its feature-set from the bridge, including stateful filtering. However, this approach is flawed in many aspects that have been discussed many times. This is a step forward to deprecate `br_netfilter`.

v2: Fix English typo in commit message.
v3: Fix another English typo in commit message.

Please, apply. Thanks.
Pablo Neira Ayuso (9):
  net: ipv4: add skbuff fraglist splitter
  net: ipv6: add skbuff fraglist splitter
  net: ipv4: split skbuff into fragments transformer
  net: ipv6: split skbuff into fragments transformer
  net: ipv4: place control buffer handling away from fragmentation iterators
  netfilter: nf_conntrack: allow to register bridge support
  netfilter: bridge: add connection tracking system
  netfilter: nf_conntrack_bridge: add support for IPv6
  netfilter: nf_conntrack_bridge: register inet conntrack for bridge

 include/linux/netfilter_ipv6.h              |  50 ++++
 include/net/ip.h                            |  39 +++
 include/net/ipv6.h                          |  44 +++
 include/net/netfilter/nf_conntrack.h        |   1 +
 include/net/netfilter/nf_conntrack_bridge.h |  20 ++
 include/net/netfilter/nf_conntrack_core.h   |   3 +
 net/bridge/br_device.c                      |   1 +
 net/bridge/br_private.h                     |   1 +
 net/bridge/netfilter/Kconfig                |  14 +
 net/bridge/netfilter/Makefile               |   3 +
 net/bridge/netfilter/nf_conntrack_bridge.c  | 433 ++++++++++++++++++++++++++++
 net/ipv4/ip_output.c                        | 309 ++++++++++++--------
 net/ipv6/ip6_output.c                       | 315 +++++++++++---------
 net/ipv6/netfilter.c                        | 123 ++++++++
 net/netfilter/nf_conntrack_proto.c          | 126 ++++++--
 15 files changed, 1206 insertions(+), 276 deletions(-)
 create mode 100644 include/net/netfilter/nf_conntrack_bridge.h
 create mode 100644 net/bridge/netfilter/nf_conntrack_bridge.c

-- 
2.11.0