[PATCH v9 nf 05/15] netfilter: nft_chain_filter: Add bridge double vlan and pppoe

[PATCH v9 nf 00/15] bridge-fastpath and related improvements · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 01/15] net: pppoe: avoid zero-length arrays in struct pppoe_hdr · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 02/15] netfilter: nf_flow_table_offload: Add nf_flow_encap_push() for xmit direct · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 03/15] netfilter: flow: remove hw_outdev, out.hw_ifindex and out.hw_ifidx · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 04/15] netfilter: bridge: Add conntrack double vlan and pppoe · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 05/15] netfilter: nft_chain_filter: Add bridge double vlan and pppoe · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 06/15] bridge: Add filling forward path from port to port · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 07/15] net: core: dev: Add dev_fill_bridge_path() · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 08/15] netfilter :nf_flow_table_offload: Add nf_flow_rule_bridge() · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 09/15] netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 10/15] netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 11/15] netfilter: nft_flow_offload: Add DEV_PATH_MTK_WDMA to nft_dev_path_info() · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 12/15] netfilter: nft_flow_offload: No ingress_vlan forward info for dsa user port · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 13/15] bridge: No DEV_PATH_BR_VLAN_UNTAG_HW for dsa foreign · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 14/15] bridge: Introduce DEV_PATH_BR_VLAN_KEEP_HW for bridge-fastpath · Eric Woudstra <hidden> · 2025-03-05
[PATCH v9 nf 15/15] netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval() · Eric Woudstra <hidden> · 2025-03-05
Re: [PATCH v9 nf 00/15] bridge-fastpath and related improvements · Eric Woudstra <hidden> · 2025-03-11
Re: [PATCH v9 nf 00/15] bridge-fastpath and related improvements · Pablo Neira Ayuso <pablo@netfilter.org> · 2025-03-11
Re: [PATCH v9 nf 00/15] bridge-fastpath and related improvements · Eric Woudstra <hidden> · 2025-03-12
Re: [PATCH v9 nf 00/15] bridge-fastpath and related improvements · Pablo Neira Ayuso <pablo@netfilter.org> · 2025-03-12
Re: [PATCH v9 nf 00/15] bridge-fastpath and related improvements · Eric Woudstra <hidden> · 2025-03-13
Re: [PATCH v9 nf 00/15] bridge-fastpath and related improvements · Pablo Neira Ayuso <pablo@netfilter.org> · 2025-03-14

STALE442d REVIEWED: 2 (2M)

Revisions (9)

2024-10-13 v1 [diff vs current]
2024-11-19 v2 [diff vs current]
2024-12-10 v3 [diff vs current]
2025-01-07 v4 [diff vs current]
2025-02-04 v5 [diff vs current]
2025-02-09 v6 [diff vs current]
2025-02-25 v7 [diff vs current]
2025-02-28 v8 [diff vs current]
2025-03-05 v9 current

From: Eric Woudstra <hidden>
Date: 2025-03-05 10:30:11
Also in: bridge, linux-arm-kernel, linux-hardening, linux-mediatek, lkml, netfilter-devel
Subsystem: netfilter, networking [general], the rest · Maintainers: Pablo Neira Ayuso, Florian Westphal, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds

This adds the capability to evaluate 802.1ad, QinQ, PPPoE and PPPoE-in-Q
packets in the bridge filter chain.

Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Eric Woudstra <redacted>
---
 net/netfilter/nft_chain_filter.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index 19a553550c76..7c7080c1a67d 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c

@@ -232,11 +232,27 @@ nft_do_chain_bridge(void *priv,
 		    struct sk_buff *skb,
 		    const struct nf_hook_state *state)
 {
+	struct ethhdr *ethh = eth_hdr(skb);
 	struct nft_pktinfo pkt;
+	int thoff;
 
 	nft_set_pktinfo(&pkt, skb, state);
 
-	switch (eth_hdr(skb)->h_proto) {
+	switch (ethh->h_proto) {
+	case htons(ETH_P_PPP_SES):
+		thoff = PPPOE_SES_HLEN;
+		ethh += thoff;
+		break;
+	case htons(ETH_P_8021Q):
+		thoff = VLAN_HLEN;
+		ethh += thoff;
+		break;
+	default:
+		thoff = 0;
+		break;
+	}
+
+	switch (ethh->h_proto) {
 	case htons(ETH_P_IP):
 		nft_set_pktinfo_ipv4_validate(&pkt);
 		break;

@@ -248,6 +264,8 @@ nft_do_chain_bridge(void *priv,
 		break;
 	}
 
+	pkt.thoff += thoff;
+
 	return nft_do_chain(&pkt, priv);
 }

-- 
2.47.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help