Message ID | 1b723dbc8a1a5124794bc3deb7dedf8d46dafcbc.1588758255.git.michael-dev@fami-braun.de |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Series | Avoid gretap fragmentation with nftables on bridge |

On Wed, May 06, 2020 at 11:46:25AM +0200, Michael Braun wrote:
> Currently, using the bridge reject target with tagged packets
> results in untagged packets being sent back.
>
> Fix this by mirroring the vlan id as well.

Applied, thanks.

diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c index b325b569e761..f48cf4cfb80f 100644 --- a/net/bridge/netfilter/nft_reject_bridge.c +++ b/net/bridge/netfilter/nft_reject_bridge.c @@ -31,6 +31,12 @@ static void nft_reject_br_push_etherhdr(struct sk_buff *oldskb, ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source); eth->h_proto = eth_hdr(oldskb)->h_proto; skb_pull(nskb, ETH_HLEN); + + if (skb_vlan_tag_present(oldskb)) { + u16 vid = skb_vlan_tag_get(oldskb); + + __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid); + } } static int nft_bridge_iphdr_validate(struct sk_buff *skb)
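
Review bot: In the added `if (skb_vlan_tag_present(oldskb))` block, the local is named `vid`, but `skb_vlan_tag_get()` returns the whole TCI (priority and DEI bits as well as the VLAN id), so the reject reply also inherits the original frame's priority bits, which the changelog ("mirroring the vlan id") does not mention. If only the id is meant to be mirrored, use `skb_vlan_tag_get_id(oldskb)` instead; if copying the full TCI is intended, rename the variable to something like `vlan_tci` and state that in the commit message.
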
Currently, using the bridge reject target with tagged packets
results in untagged packets being sent back.

Fix this by mirroring the vlan id as well.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
 net/bridge/netfilter/nft_reject_bridge.c | 6 ++++++
 1 file changed, 6 insertions(+)