This enables the use of nft bridge reject with bridge vlan filtering.
It depends on a kernel patch to make the kernel preserve the
vlan id in nft bridge reject generation.
[ pablo: update tests/py ]
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
const struct proto_desc *desc;
desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
- if (desc != &proto_eth)
+ if (desc != &proto_eth && desc != &proto_vlan)
return stmt_binary_error(ctx,
&ctx->pctx.protocol[PROTO_BASE_LL_HDR],
stmt, "unsupported link layer protocol");
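Review bot: accepting &proto_vlan here has no counterpart check for the kernel feature the commit message says it depends on, so on a kernel without that patch the rule still loads and the reject is generated without the vlan id preserved; that silent behaviour change should at least be documented (man page or commit message), since nothing in this hunk or the tests records it. Minor: the "unsupported link layer protocol" message is now slightly misleading for callers who hit it with a nested or non-eth/vlan header, consider naming the accepted protocols in the error text.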
ether type ipv6 reject with icmp type host-unreachable;fail
ether type ip6 reject with icmp type host-unreachable;fail
ether type ip reject with icmpv6 type no-route;fail
-ether type vlan reject;fail
+ether type vlan reject;ok
ether type arp reject;fail
-ether type vlan reject;fail
-ether type arp reject;fail
-ether type vlan reject with tcp reset;fail
+ether type vlan reject with tcp reset;ok
ether type arp reject with tcp reset;fail
ip protocol udp reject with tcp reset;fail
ether type ip reject with icmpx type admin-prohibited;ok
ether type ip6 reject with icmpx type admin-prohibited;ok
-ether type vlan reject with icmpx type admin-prohibited;fail
+ether type vlan reject with icmpx type admin-prohibited;ok
ether type arp reject with icmpx type admin-prohibited;fail
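Review bot: the hunk drops the duplicated "ether type vlan reject;fail" / "ether type arp reject;fail" pair (the copies at the two "-" lines before "ether type vlan reject with tcp reset") while keeping the originals, which is fine but unrelated to the vlan change and worth a line in the commit message. Coverage gap: the vlan cases now cover plain reject, tcp reset and icmpx, but there is no expectation recorded for "ether type vlan reject with icmp type host-unreachable" or the icmpv6 variant, so whether those are meant to fail (no IP family known from the vlan match alone) or pass is not pinned down by the test; add those entries so a later regression is caught.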
[ cmp eq reg 1 0x0000dd86 ]
[ reject type 2 code 3 ]
+# ether type vlan reject
+bridge
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 2 code 1 ]
+
+# ether type vlan reject with tcp reset
+bridge
+ [ meta load l4proto => reg 1 ]
+ [ cmp eq reg 1 0x00000006 ]
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 1 code 0 ]
+
+# ether type vlan reject with icmpx type admin-prohibited
+bridge
+ [ payload load 2b @ link header + 12 => reg 1 ]
+ [ cmp eq reg 1 0x00000081 ]
+ [ reject type 2 code 3 ]
+
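Review bot: the expected bytecode matches only on the outer ethertype (payload 2b @ link header + 12 == 0x8100) with no check on the encapsulated protocol, so a vlan-tagged ARP frame hits the same "reject type 2 code 1" as a tagged IP frame; the page gives no indication of how the kernel reject path treats non-IP vlan payloads, so that behaviour should be stated explicitly (and ideally exercised by a test) rather than left implicit. Also note the "with tcp reset" variant emits "meta load l4proto" before the ethertype compare, which relies on the kernel resolving l4proto through the vlan header; that is the same kernel dependency the commit message mentions and deserves a reference to the kernel change it needs.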