[3/3] netfilter: enable reject with bridge vlan

Message ID	1b723dbc8a1a5124794bc3deb7dedf8d46dafcbc.1588758255.git.michael-dev@fami-braun.de
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Michael Braun <michael-dev@fami-braun.de> To: netfilter-devel@vger.kernel.org Cc: Michael Braun <michael-dev@fami-braun.de> Subject: [PATCH 3/3] netfilter: enable reject with bridge vlan Date: Wed, 6 May 2020 11:46:25 +0200 Message-Id: <1b723dbc8a1a5124794bc3deb7dedf8d46dafcbc.1588758255.git.michael-dev@fami-braun.de> In-Reply-To: <cover.1588758255.git.michael-dev@fami-braun.de> References: <cover.1588758255.git.michael-dev@fami-braun.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	Avoid gretap fragmentation with nftables on bridge \| expand [0/3] Avoid gretap fragmentation with nftables on bridge [1/3] nftables: add frag-needed (ipv4) to reject options [2/3] nftables: enable reject with 802.1q [3/3] netfilter: enable reject with bridge vlan

Message ID

1b723dbc8a1a5124794bc3deb7dedf8d46dafcbc.1588758255.git.michael-dev@fami-braun.de

State

Accepted

Delegated to:

Pablo Neira

Headers

From: Michael Braun <michael-dev@fami-braun.de>
To: netfilter-devel@vger.kernel.org
Cc: Michael Braun <michael-dev@fami-braun.de>
Subject: [PATCH 3/3] netfilter: enable reject with bridge vlan
Date: Wed,  6 May 2020 11:46:25 +0200
Message-Id: 
 <1b723dbc8a1a5124794bc3deb7dedf8d46dafcbc.1588758255.git.michael-dev@fami-braun.de>
In-Reply-To: <cover.1588758255.git.michael-dev@fami-braun.de>
References: <cover.1588758255.git.michael-dev@fami-braun.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

Avoid gretap fragmentation with nftables on bridge | expand

Commit Message

michael-dev May 6, 2020, 9:46 a.m. UTC

Currently, using the bridge reject target with tagged packets
results in untagged packets being sent back.

Fix this by mirroring the vlan id as well.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
 net/bridge/netfilter/nft_reject_bridge.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Pablo Neira Ayuso May 25, 2020, 6:40 p.m. UTC | #1

On Wed, May 06, 2020 at 11:46:25AM +0200, Michael Braun wrote:
> Currently, using the bridge reject target with tagged packets
> results in untagged packets being sent back.
> 
> Fix this by mirroring the vlan id as well.

Applied, thanks.

diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index b325b569e761..f48cf4cfb80f 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -31,6 +31,12 @@  static void nft_reject_br_push_etherhdr(struct sk_buff *oldskb,
 	ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source);
 	eth->h_proto = eth_hdr(oldskb)->h_proto;
 	skb_pull(nskb, ETH_HLEN);
+
+	if (skb_vlan_tag_present(oldskb)) {
+		u16 vid = skb_vlan_tag_get(oldskb);
+
+		__vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid);
+	}
 }
 
 static int nft_bridge_iphdr_validate(struct sk_buff *skb)

[3/3] netfilter: enable reject with bridge vlan

Commit Message

Comments

Patch