Conntrack bridge only tracks untagged and 802.1q. To make the bridge-fastpath experience more similar to the forward-fastpath experience, add double vlan, pppoe and pppoe-in-q tagged packets to bridge conntrack and to bridge filter chain.

Changes in v14:
- nf_checksum(_partial): Use DEBUG_NET_WARN_ON_ONCE(!skb_pointer_if_linear()) instead of pskb_may_pull().
- nft_do_chain_bridge: Added default case ph->proto is neither ipv4 nor ipv6.
- nft_do_chain_bridge: only reset network header when ret == NF_ACCEPT.

Changes in v13:
- Do not use pull/push before/after calling nf_conntrack_in() or nft_do_chain().
- Add patch to correct calculating checksum when skb->data != skb_network_header(skb).

Changes in v12:
- Only allow tracking this traffic when a conntrack zone is set.
- nf_ct_bridge_pre(): skb pull/push without touching the checksum, because the pull is always restored with push.
- nft_do_chain_bridge(): handle the extra header similar to nf_ct_bridge_pre(), using pull/push.

Changes in v11:
- nft_do_chain_bridge(): Proper readout of encapsulated proto.
- nft_do_chain_bridge(): Use skb_set_network_header() instead of thoff.
- removed test script, it is now in separate patch.

v10 split from patch-set: bridge-fastpath and related improvements v9

Eric Woudstra (3):
  netfilter: utils: nf_checksum(_partial) correct data!=networkheader
  netfilter: bridge: Add conntrack double vlan and pppoe
  netfilter: nft_chain_filter: Add bridge double vlan and pppoe

 net/bridge/netfilter/nf_conntrack_bridge.c | 88 ++++++++++++++++++----
 net/netfilter/nft_chain_filter.c           | 59 ++++++++++++++-
 net/netfilter/utils.c                      | 20 +++--
 3 files changed, 144 insertions(+), 23 deletions(-)

--
2.47.1