This adds the capability to evaluate 802.1ad, QinQ, PPPoE and PPPoE-in-Q
packets in the bridge filter chain.
Signed-off-by: Eric Woudstra <ericwo...@gmail.com>
---
net/netfilter/nft_chain_filter.c | 37 ++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index 19a553550c76..fe0b12f748dc 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -233,10 +233,47 @@ nft_do_chain_bridge(void *priv,
const struct nf_hook_state *state)
{
struct nft_pktinfo pkt;
+ __be16 proto;
nft_set_pktinfo(&pkt, skb, state);
switch (eth_hdr(skb)->h_proto) {
+ case htons(ETH_P_PPP_SES): {
+ struct ppp_hdr {
+ struct pppoe_hdr hdr;
+ __be16 proto;
+ } *ph = (struct ppp_hdr *)(skb->data);
+
+ skb_set_network_header(skb, PPPOE_SES_HLEN);
+ switch (ph->proto) {
+ case htons(PPP_IP):
+ proto = htons(ETH_P_IP);
+ skb->protocol = proto;
+ break;
+ case htons(PPP_IPV6):
+ proto = htons(ETH_P_IPV6);
+ skb->protocol = proto;
+ break;
+ default:
+ proto = 0;
+ break;
+ }
+ break;
+ }
+ case htons(ETH_P_8021Q): {
+ struct vlan_hdr *vhdr = (struct vlan_hdr *)(skb->data);
+
+ skb_set_network_header(skb, VLAN_HLEN);
+ proto = vhdr->h_vlan_encapsulated_proto;
+ skb->protocol = proto;
+ break;
+ }
+ default:
+ proto = eth_hdr(skb)->h_proto;
+ break;
+ }
+
+ switch (proto) {
case htons(ETH_P_IP):
nft_set_pktinfo_ipv4_validate(&pkt);
break;
--
2.47.1
