Conntrack bridge only tracks untagged and 802.1q. To make the bridge-fastpath experience more similar to the forward-fastpath experience, add double vlan, pppoe and pppoe-in-q tagged packets to bridge conntrack and to bridge filter chain. Changes in v12: - Only allow tracking this traffic when a conntrack zone is set. - nf_ct_bridge_pre(): skb pull/push without touching the checksum, because the pull is always restored with push. - nft_do_chain_bridge(): handle the extra header similar to nf_ct_bridge_pre(), using pull/push. Changes in v11: - nft_do_chain_bridge(): Proper readout of encapsulated proto. - nft_do_chain_bridge(): Use skb_set_network_header() instead of thoff. - removed test script, it is now in separate patch. v10 split from patch-set: bridge-fastpath and related improvements v9 Eric Woudstra (2): netfilter: bridge: Add conntrack double vlan and pppoe netfilter: nft_chain_filter: Add bridge double vlan and pppoe net/bridge/netfilter/nf_conntrack_bridge.c | 83 ++++++++++++++++++---- net/netfilter/nft_chain_filter.c | 55 +++++++++++++- 2 files changed, 125 insertions(+), 13 deletions(-) -- 2.47.1
