Hi,
This patchset revisits vlan matching & mangling support for nf_tables:
Patch #1 restores q-in-q matching by reverting
f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support").
Support for matching on inner vlan headers when vlan offload
was already available before such commit.
Patch #2 adds a parser to deal with setting the skbuff vlan offload
fields based on the payload offset and length. Userspace is
agnostic of the kernel vlan offload capabilities, hence,
kernel checks if offset and length refers to the skbuff
vlan_proto and vlan_tci fields. This also supports mangling
q-in-q too.
Note #2 only supports for vlan tag mangling: For pop/push tags a new
actions is required, I already made code for pushing tags which never
got integrated that I can polish and prepare for submission.
I am currently extending tests/shell/testcases/packetpath/vlan_8021ad_tag
to improve coverage for these two cases. I have already have a few
scripts to test this patches with containers but I need to integrate
them into the aforementioned tests/shell script, I will keep you posted.
Pablo Neira Ayuso (2):
netfilter: nft_payload: restore vlan q-in-q match support
netfilter: nft_payload: skbuff vlan metadata mangle support
net/netfilter/nft_payload.c | 95 ++++++++++++++++++++++++++++---------
1 file changed, 72 insertions(+), 23 deletions(-)
--
2.30.2
