On 9/6/25 11:11 PM, Florian Westphal wrote:
> Eric Woudstra <ericwouds@xxxxxxxxx> wrote:
>> enum ip_conntrack_info ctinfo;
>> + u32 len, data_len = U32_MAX;
>> + int ret, offset = 0;
>> struct nf_conn *ct;
>> - u32 len;
>> - int ret;
>> + __be16 outer_proto;
>>
>> ct = nf_ct_get(skb, &ctinfo);
>> if ((ct && !nf_ct_is_template(ct)) ||
>> ctinfo == IP_CT_UNTRACKED)
>> return NF_ACCEPT;
>>
>> + if (ct && nf_ct_zone_id(nf_ct_zone(ct), CTINFO2DIR(ctinfo)) !=
>> + NF_CT_DEFAULT_ZONE_ID) {
>> + switch (skb->protocol) {
>> + case htons(ETH_P_PPP_SES): {
>> + struct ppp_hdr {
>> + struct pppoe_hdr hdr;
>> + __be16 proto;
>> + } *ph;
>> +
>
> This function is getting too long, please move this to a helper
> function.

Ok.

At the end of nf_ct_bridge_pre() I've added:

>> + if (offset && ret == NF_ACCEPT)
>> + skb_reset_network_header(skb);

to reset the network header, only when it had been changed.

Do you want this helper to return the offset, so it can be used here?

Or do you think it is more clean to always reset the network header like so:

	if (ret == NF_ACCEPT)
		skb_reset_network_header(skb);

(Same question for nft_do_chain_bridge())
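Review bot: in the first quoted hunk, the new `if (ct && nf_ct_zone_id(...) != NF_CT_DEFAULT_ZONE_ID)` branch has no comment saying why the zone gates the encapsulation parsing. Because the preceding return already accepts every non-template ct, this branch is reached only with a template conntrack in a non-default zone, and a one-line comment stating that would save readers from deriving it. In the same hunk, `struct ppp_hdr` is declared inside the `case htons(ETH_P_PPP_SES)` body; when this moves to the helper, define it once outside the function, since the reply indicates nft_do_chain_bridge() has the same handling. The quote ends before `ph` is used, so the code that follows should confirm the full PPPoE header is in the linear data (for example with pskb_may_pull()) before reading `ph->proto`.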
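Review bot: on `if (offset && ret == NF_ACCEPT)` at the end of nf_ct_bridge_pre(), the restore depends on an unstated assumption: skb_reset_network_header() sets the network header to skb->data, so it undoes the shift only if skb->data points at the outer header again by that point. Please say so in a comment, and also note why verdicts other than NF_ACCEPT need no restore. Keeping the `offset` test ties the reset to the frames whose header was actually moved; if the unconditional `if (ret == NF_ACCEPT)` form is chosen instead, confirm that the reset leaves the header unchanged for frames that took no encapsulation path, and document that next to the call.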