On 7/9/25 12:02 AM, Florian Westphal wrote:
> Eric Woudstra <ericwo...@gmail.com> wrote:
>> + if (!pskb_may_pull(skb, VLAN_HLEN))
>> + break;
>> + vhdr = (struct vlan_hdr *)(skb->data);
>> + offset = VLAN_HLEN;
>> + outer_proto = skb->protocol;
>> + proto = vhdr->h_vlan_encapsulated_proto;
>> + skb_set_network_header(skb, offset);
>> + skb->protocol = proto;
>
> Why is skb->protocol munged? Also applies to the previous patch,
> I forgot to ask.
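Review bot: outer_proto captures the original skb->protocol right before the rewrite, but nothing in these lines restores it, so any verdict path taken after `skb->protocol = proto;` (drop, early return, or fall-through to the next hook) hands the skb onward with the inner ethertype; every exit from the block should restore it with `skb->protocol = outer_proto;`, or, following Florian's question, the rewrite should be avoided altogether and the stored proto passed to the payload matching instead. A second point on the same lines: only one tag is peeled, so if h_vlan_encapsulated_proto is itself ETH_P_8021Q or ETH_P_8021AD (stacked tags), `skb_set_network_header(skb, VLAN_HLEN)` points at the second tag rather than the IP header; either loop over the tags or bail out when the encapsulated proto is a VLAN ethertype.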
In the previous patch in nf_ct_bridge_pre(), indeed, no need to munge skb->protocol. So I'll change that.

But in nft_do_chain_bridge() it is needed in the case of matching 'ip saddr', 'ip daddr', 'ip6 saddr' or 'ip6 daddr'. I suspect all ip/ip6 matches are suffering.

So matching still works with something like:

tcp dport 8080 counter name "check"

But there is no match when:

ip saddr 192.168.1.1 tcp dport 8080 counter name "check"

After munging skb->protocol, I do get the match. I haven't found where yet, but it seems nft is checking skb->protocol before it tries to match the ip(6) saddr/daddr.

And to answer a question in the other patch: this issue is found by using my script bridge_fastpath.sh. It first checks that the connection, conntrack and nft chain are functional in all test cases. So, it tests the functionality of the patches in this patch set. I want to improve the script on a few more issues and then send a non-RFC.