On Tue, Jun 18, 2019 at 08:43:59PM +0200, Florian Westphal wrote: > On families other than 'ip', the rule > > ip protocol icmp > > needs a dependency on the ip protocol so we do not treat e.g. an ipv6 > header as ip. > > Bridge currently uses eth_hdr.type for this, but that will cause the > rule above to not match in case the ip packet is within a VLAN tagged > frame -- ether.type will appear as ETH_P_8021Q. > > Due to vlan tag stripping, skb->protocol will be ETH_P_IP -- so prefer > to use this instead. > > Signed-off-by: Florian Westphal <f...@strlen.de>
Acked-by: Pablo Neira Ayuso <pa...@netfilter.org>
