From: Eric Woudstra
To: Pablo Neira Ayuso, Florian Westphal, Phil Sutter, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Nikolay Aleksandrov, Ido Schimmel
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org, bridge@lists.linux.dev, Eric Woudstra
Subject: [PATCH v18 nf-next 4/4] netfilter: nft_chain_filter: Add bridge double vlan and pppoe
Date: Sun, 22 Feb 2026 20:58:43 +0100
Message-ID: <20260222195845.77880-5-ericwouds@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260222195845.77880-1-ericwouds@gmail.com>
References: <20260222195845.77880-1-ericwouds@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

In nft_do_chain_bridge() pktinfo is only fully populated for plain packets
and packets encapsulated in single 802.1q or 802.1ad.

When implementing the software bridge-fastpath and testing all possible
encapsulations, there can be more encapsulations:

The packet could (also) be encapsulated in PPPoE, or the packet could be
encapsulated in an inner 802.1q, combined with an outer 802.1ad or 802.1q
encapsulation.

nft_flow_offload_eval() also examines the L4 header, with the L4 protocol
known from the conntrack-tuplehash. To access the header it uses
nft_thoff(), but for these packets it returns zero.

Introduce nft_set_bridge_pktinfo() to help populate pktinfo with the
offsets.

Signed-off-by: Eric Woudstra

--- net/netfilter/nft_chain_filter.c | 55 +++++++++++++++++++++++++++++--- 1 file changed, 51 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c index d4d5eadaba9c..66ef30c60e56 100644 --- a/net/netfilter/nft_chain_filter.c +++ b/net/netfilter/nft_chain_filter.c 
@@ -227,21 +227,68 @@ static inline void nft_chain_filter_inet_fini(void) {} #endif /* CONFIG_NF_TABLES_IPV6 */ #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) +static int nft_set_bridge_pktinfo(struct nft_pktinfo *pkt, struct sk_buff *skb, + const struct nf_hook_state *state, + __be16 *proto) +{ + nft_set_pktinfo(pkt, skb, state); + + switch (*proto) { + case htons(ETH_P_PPP_SES): { + struct ppp_hdr { + struct pppoe_hdr hdr; + __be16 proto; + } *ph, _ph; + + ph = skb_header_pointer(skb, 0, sizeof(_ph), &_ph); + if (!ph) { + *proto = 0; + return -1; + } + switch (ph->proto) { + case htons(PPP_IP): + *proto = htons(ETH_P_IP); + return PPPOE_SES_HLEN; + case htons(PPP_IPV6): + *proto = htons(ETH_P_IPV6); + return PPPOE_SES_HLEN; + } + break; + } + case htons(ETH_P_8021Q): { + struct vlan_hdr *vhdr, _vhdr; + + vhdr = skb_header_pointer(skb, 0, sizeof(_vhdr), &_vhdr); + if (!vhdr) { + *proto = 0; + return -1; + } + *proto = vhdr->h_vlan_encapsulated_proto; + return VLAN_HLEN; + } + } + return 0; +} + static unsigned int nft_do_chain_bridge(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { struct nft_pktinfo pkt; + __be16 proto; + int offset; - nft_set_pktinfo(&pkt, skb, state); + proto = eth_hdr(skb)->h_proto; + + offset = nft_set_bridge_pktinfo(&pkt, skb, state, &proto); - switch (eth_hdr(skb)->h_proto) { + switch (proto) { case htons(ETH_P_IP): - nft_set_pktinfo_ipv4_validate(&pkt, 0); + nft_set_pktinfo_ipv4_validate(&pkt, offset); break; case htons(ETH_P_IPV6): - nft_set_pktinfo_ipv6_validate(&pkt, 0); + nft_set_pktinfo_ipv6_validate(&pkt, offset); break; default: nft_set_pktinfo_unspec(&pkt); -- 2.53.0
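
Review bot: In nft_do_chain_bridge() the return value of nft_set_bridge_pktinfo() is stored in offset but never tested, so the -1 failure path is only safe because the helper also sets *proto = 0 and the following switch (proto) then lands in default and calls nft_set_pktinfo_unspec(). That coupling is easy to break in a later change; an explicit "if (offset < 0)" branch to the unspec case, or returning 0 on failure and dropping the error code, would guarantee a negative offset can never reach nft_set_pktinfo_ipv4_validate() or nft_set_pktinfo_ipv6_validate(). In the ETH_P_PPP_SES case only ph->proto is examined; the ver, type and code fields of the pppoe_hdr are not looked at before the payload is treated as IPv4 or IPv6, which should either be checked or stated as intentional. The helper strips one encapsulation level per call, so PPPoE carried behind the inner 802.1q tag leaves proto as ETH_P_PPP_SES and ends up in the unspec case; if the commit message's "(also)" is meant to cover that combination, it needs a second step. A short comment above nft_set_bridge_pktinfo() describing the in/out use of proto and the return convention (header length, 0 when nothing is stripped, -1 when the header cannot be read) would help the next reader.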