| From e9c284ec4b41c827f4369973d2792992849e4fa5 Mon Sep 17 00:00:00 2001 |
| From: Michael Braun <michael-dev@fami-braun.de> |
| Date: Wed, 6 May 2020 11:46:25 +0200 |
| Subject: netfilter: nft_reject_bridge: enable reject with bridge vlan |
| |
| From: Michael Braun <michael-dev@fami-braun.de> |
| |
| commit e9c284ec4b41c827f4369973d2792992849e4fa5 upstream. |
| |
| Currently, using the bridge reject target with tagged packets |
| results in untagged packets being sent back. |
| |
| Fix this by mirroring the vlan id as well. |
| |
| Fixes: 85f5b3086a04 ("netfilter: bridge: add reject support") |
| Signed-off-by: Michael Braun <michael-dev@fami-braun.de> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/bridge/netfilter/nft_reject_bridge.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| --- a/net/bridge/netfilter/nft_reject_bridge.c |
| +++ b/net/bridge/netfilter/nft_reject_bridge.c |
| @@ -34,6 +34,12 @@ static void nft_reject_br_push_etherhdr( |
| ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source); |
| eth->h_proto = eth_hdr(oldskb)->h_proto; |
| skb_pull(nskb, ETH_HLEN); |
| + |
| + if (skb_vlan_tag_present(oldskb)) { |
| + u16 vid = skb_vlan_tag_get(oldskb); |
| + |
| + __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid); |
| + } |
| } |
| |
| static int nft_bridge_iphdr_validate(struct sk_buff *skb) |
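Review bot: In the added `if (skb_vlan_tag_present(oldskb))` block, the local named `vid` is filled from `skb_vlan_tag_get(oldskb)`, which returns the whole TCI (priority and DEI bits as well as the VLAN id). The reject reply therefore also mirrors the priority bits carried by the rejected frame, while the commit message speaks only of the vlan id. If only the id is meant to be mirrored, `u16 vid = skb_vlan_tag_get_id(oldskb);` expresses that. If copying the full TCI is intended, rename to `u16 tci = skb_vlan_tag_get(oldskb);` and add a comment such as `/* reply in the same VLAN and with the same priority bits as the rejected frame */`. The body of nft_reject_br_push_etherhdr begins outside the hunk, so only the added lines were reviewed.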