Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for your net-next
tree. Basically, improvements for the packet rejection infrastructure,
deprecation of CLUSTERIP, cleanups for nf_tables and some untangling for
br_netfilter. More specifically they are:

1) Send packet to reset flow if checksum is valid, from Florian Westphal.

2) Fix nf_tables reject bridge from the input chain, also from Florian.

3) Deprecate the CLUSTERIP target, the cluster match supersedes it in
   functionality and it's known to have problems.

4) A couple of cleanups for nf_tables rule tracing infrastructure, from
   Patrick McHardy.

5) Another cleanup to place transaction declarations at the bottom of
   nf_tables.h, also from Patrick.

6) Consolidate Kconfig dependencies wrt. NF_TABLES.

7) Limit table names to 32 bytes in nf_tables.

8) mac header copying in bridge netfilter is already required when
   calling ip_fragment(), from Florian Westphal.

9) move nf_bridge_update_protocol() to br_netfilter.c, also from
   Florian.

10) Small refactor in br_netfilter in the transmission path, again from
    Florian.

11) Move br_nf_pre_routing_finish_bridge_slow() to br_netfilter.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --combined net/bridge/br_forward.c
index 1238fabff87485c52506818c824f211e013d4e9d,32541d4f72e83d49258d73a460ee5ea2250ce835..3304a544233174a3d1c7474cb19fffc05483be78
--- 1/net/bridge/br_forward.c
--- 2/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@@ -37,9 -37,7 +37,7 @@@ static inline int should_deliver(const 
  
  int br_dev_queue_push_xmit(struct sk_buff *skb)
  {
-       /* ip_fragment doesn't copy the MAC header */
-       if (nf_bridge_maybe_copy_header(skb) ||
-           !is_skb_forwardable(skb->dev, skb)) {
+       if (!is_skb_forwardable(skb->dev, skb)) {
                kfree_skb(skb);
        } else {
                skb_push(skb, ETH_HLEN);
@@@ -188,9 -186,6 +186,9 @@@ static void br_flood(struct net_bridge 
                /* Do not flood to ports that enable proxy ARP */
                if (p->flags & BR_PROXYARP)
                        continue;
 +              if ((p->flags & BR_PROXYARP_WIFI) &&
 +                  BR_INPUT_SKB_CB(skb)->proxyarp_replied)
 +                      continue;
  
                prev = maybe_deliver(prev, p, skb, __packet_hook);
                if (IS_ERR(prev))

diff --combined net/bridge/br_private.h
index c32e279c62f8d61ade1706333b301feafa296c9c,d63fc17fe4f4402494b002683c28016d51a01cb1..f0a0438dbd6d78fd89dd4d9353c31895379d7e29
--- 1/net/bridge/br_private.h
--- 2/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@@ -305,7 -305,6 +305,7 @@@ struct br_input_skb_cb 
  #endif
  
        u16 frag_max_size;
 +      bool proxyarp_replied;
  
  #ifdef CONFIG_BRIDGE_VLAN_FILTERING
        bool vlan_filtered;
@@@ -765,10 -764,15 +765,15 @@@ static inline int br_vlan_enabled(struc
  
  /* br_netfilter.c */
  #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+ int br_nf_prerouting_finish_bridge(struct sk_buff *skb);
  int br_nf_core_init(void);
  void br_nf_core_fini(void);
  void br_netfilter_rtable_init(struct net_bridge *);
  #else
+ static inline int br_nf_prerouting_finish_bridge(struct sk_buff *skb)
+ {
+         return 0;
+ }
  static inline int br_nf_core_init(void) { return 0; }
  static inline void br_nf_core_fini(void) {}
  #define br_netfilter_rtable_init(x)