+commit f0b4eeced518c632210ef2aea44fc92cc9e86cce
+Author: Linus Lüssing <linus.luessing@web.de>
+Date: Mon Nov 17 12:20:28 2014 +0100
+
+ bridge: fix netfilter/NF_BR_LOCAL_OUT for own, locally generated queries
+
+ Ebtables on the OUTPUT chain (NF_BR_LOCAL_OUT) would not work as expected
+ for both locally generated IGMP and MLD queries. The IP header specific
+ filter options are off by 14 Bytes for netfilter (actual output on
+ interfaces is fine).
+
+ NF_HOOK() expects the skb->data to point to the IP header, not the
+ ethernet one (while dev_queue_xmit() does not). Luckily there is an
+ br_dev_queue_push_xmit() helper function already - let's just use that.
+
+ Introduced by eb1d16414339a6e113d89e2cca2556005d7ce919
+ ("bridge: Add core IGMP snooping support")
+
+ Ebtables example:
+
+ $ ebtables -I OUTPUT -p IPv6 -o eth1 --logical-out br0 \
+ --log --log-level 6 --log-ip6 --log-prefix="~EBT: " -j DROP
+
+ before (broken):
+
+ ~EBT: IN= OUT=eth1 MAC source = 02:04:64:a4:39:c2 \
+ MAC dest = 33:33:00:00:00:01 proto = 0x86dd IPv6 \
+ SRC=64a4:39c2:86dd:6000:0000:0020:0001:fe80 IPv6 \
+ DST=0000:0000:0000:0004:64ff:fea4:39c2:ff02, \
+ IPv6 priority=0x3, Next Header=2
+
+ after (working):
+
+ ~EBT: IN= OUT=eth1 MAC source = 02:04:64:a4:39:c2 \
+ MAC dest = 33:33:00:00:00:01 proto = 0x86dd IPv6 \
+ SRC=fe80:0000:0000:0000:0004:64ff:fea4:39c2 IPv6 \
+ DST=ff02:0000:0000:0000:0000:0000:0000:0001, \
+ IPv6 priority=0x0, Next Header=0
+
+ Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+ Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 20a599bec95a52fa72432b2376a2ce47c5bb68fb
+Author: Linus Lüssing <linus.luessing@web.de>
+Date: Mon Mar 10 22:25:25 2014 +0100
+
+ bridge: multicast: enable snooping on general queries only
+
+ Without this check someone could easily create a denial of service
+ by injecting multicast-specific queries to enable the bridge
+ snooping part if no real querier issuing periodic general queries
+ is present on the link which would result in the bridge wrongly
+ shutting down ports for multicast traffic as the bridge did not learn
+ about these listeners.
+
+ With this patch the snooping code is enabled upon receiving valid,
+ general queries only.
+
+ Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+commit 9ed973cc40c588abeaa58aea0683ea665132d11d
+Author: Linus Lüssing <linus.luessing@web.de>
+Date: Mon Mar 10 22:25:24 2014 +0100
+
+ bridge: multicast: add sanity check for general query destination
+
+ General IGMP and MLD queries are supposed to have the multicast
+ link-local all-nodes address as their destination according to RFC2236
+ section 9, RFC3376 section 4.1.12/9.1, RFC2710 section 8 and RFC3810
+ section 5.1.15.
+
+ Without this check, such malformed IGMP/MLD queries can result in a
+ denial of service: The queries are ignored by most IGMP/MLD listeners
+ therefore they will not respond with an IGMP/MLD report. However,
+ without this patch these malformed MLD queries would enable the
+ snooping part in the bridge code, potentially shutting down the
+ according ports towards these hosts for multicast traffic as the
+ bridge did not learn about these listeners.
+
+ Reported-by: Jan Stancek <jstancek@redhat.com>
+ Signed-off-by: Linus Lüssing <linus.luessing@web.de>
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+