From 8615ed93f6e4c4b105525f033b927b510469b987 Mon Sep 17 00:00:00 2001
From: Michael Braun
Date: Wed, 6 May 2020 11:46:24 +0200
Subject: evaluate: enable reject with 802.1q

This enables the use nft bridge reject with bridge vlan filtering. It depends on a kernel patch to make the kernel preserve the vlan id in nft bridge reject generation.
[ pablo: update tests/py ]
Signed-off-by: Michael Braun
Signed-off-by: Pablo Neira Ayuso
---
 src/evaluate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/evaluate.c')
diff --git a/src/evaluate.c b/src/evaluate.c
index 506f2c6a..985ae4fe 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2616,7 +2616,7 @@ static int stmt_evaluate_reject_bridge(struct eval_ctx *ctx, struct stmt *stmt,
 const struct proto_desc *desc;
 desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
- if (desc != &proto_eth)
+ if (desc != &proto_eth && desc != &proto_vlan)
 return stmt_binary_error(ctx, &ctx->pctx.protocol[PROTO_BASE_LL_HDR], stmt, "unsupported link layer protocol");
--
cgit v1.2.3
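Review bot: The widened check `if (desc != &proto_eth && desc != &proto_vlan)` accepts a vlan link-layer context, but nothing at this site records that the result is only correct on kernels carrying the companion patch named in the commit message. On a kernel without it the rule would presumably still load while the generated reject loses its vlan id, so the reply may leave the bridge outside the originating VLAN or never reach the sender. I would add a comment above the check, e.g. `/* proto_vlan: needs kernel support that preserves the vlan id in bridge reject replies */`, and state the same requirement wherever bridge reject is documented. The body of stmt_evaluate_reject_bridge continues past the end of the hunk, so what follows the check is not visible here.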