Message ID | ab66a06ae60d84577e0802ab989658d7b651d7a2.1588758255.git.michael-dev@fami-braun.de
---|---
State | Accepted
Delegated to | Pablo Neira
Series | Avoid gretap fragmentation with nftables on bridge
diff --git a/src/evaluate.c b/src/evaluate.c index ec96dd58..20849ef3 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -2635,7 +2635,7 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt, const struct proto_desc *desc; desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc; - if (desc != &proto_eth) + if (desc != &proto_eth && desc != &proto_vlan) return stmt_binary_error(ctx, &ctx->pctx.protocol[PROTO_BASE_LL_HDR], stmt, "unsupported link layer protocol");
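Review bot: the relaxed check in stmt_evaluate_reject_bridge (`if (desc != &proto_eth && desc != &proto_vlan)`) accepts a vlan link layer unconditionally, while the commit message says the result is only correct with a kernel patch that preserves the vlan id when the bridge reject is generated; on a kernel without that patch the rule now loads instead of being refused at evaluation time with "unsupported link layer protocol". Since nothing here can detect the kernel side, please name the kernel change this depends on in the commit message and document the dependency (for example in the man page section for the bridge reject statement), so that users of bridge vlan filtering know why rejects may come back untagged on older kernels. The one-line change itself and the unchanged error path for other link layer protocols look fine.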
This enables the use of nft bridge reject with bridge vlan filtering. It depends on a kernel patch to make the kernel preserve the vlan id in nft bridge reject generation.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
---
src/evaluate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)