
[2/3] nftables: enable reject with 802.1q

Message ID ab66a06ae60d84577e0802ab989658d7b651d7a2.1588758255.git.michael-dev@fami-braun.de
State Accepted
Delegated to: Pablo Neira
Series Avoid gretap fragmentation with nftables on bridge

Commit Message

michael-dev May 6, 2020, 9:46 a.m. UTC
This enables the use of nft bridge reject with bridge vlan filtering.

It depends on a kernel patch to make the kernel preserve the
vlan id in nft bridge reject generation.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
 src/evaluate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/src/evaluate.c b/src/evaluate.c
index ec96dd58..20849ef3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2635,7 +2635,7 @@  static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
 	const struct proto_desc *desc;
 
 	desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
-	if (desc != &proto_eth)
+	if (desc != &proto_eth && desc != &proto_vlan)
 		return stmt_binary_error(ctx,
 					 &ctx->pctx.protocol[PROTO_BASE_LL_HDR],
 					 stmt, "unsupported link layer protocol");
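Review bot: the relaxed check at `if (desc != &proto_eth && desc != &proto_vlan)` in stmt_evaluate_reject_bridge() lets a reject statement pass evaluation whenever the link-layer protocol is a VLAN header, but nothing in userspace ties that to the kernel change the commit message says it depends on: on a kernel without that patch the ruleset still loads and the generated reject packet loses the vlan id, and nft gives the user no hint that the combination is unsupported. Since the diffstat shows only src/evaluate.c touched, consider noting the kernel requirement in the man page entry for the bridge reject statement, and adding a tests/py case under a bridge-family chain along the lines of `vlan id 10 reject` so the newly accepted form is exercised by the test suite rather than only by hand.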