redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity

netfilter: nft_reject_bridge: enable reject with bridge vlan 

commit e9c284ec4b upstream.

Currently, using the bridge reject target with tagged packets
results in untagged packets being sent back.

Fix this by mirroring the vlan id as well.

Fixes: 85f5b3086a ("netfilter: bridge: add reject support")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5.4-rM2-2.2.x-imx-squashed
Michael Braun 2020-05-06 11:46:25 +02:00 committed by Greg Kroah-Hartman
parent 26e28c10e7
commit 25f629a706
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
net/bridge/netfilter/nft_reject_bridge.c
View File

@ -31,6 +31,12 @@ static void nft_reject_br_push_etherhdr(struct sk_buff *oldskb,
ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source);
eth->h_proto = eth_hdr(oldskb)->h_proto;
skb_pull(nskb, ETH_HLEN);
if (skb_vlan_tag_present(oldskb)) {
u16 vid = skb_vlan_tag_get(oldskb);
__vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid);
}
}
static int nft_bridge_iphdr_validate(struct sk_buff *skb)