netfilter: nft_reject_bridge: enable reject with bridge vlan

commit e9c284ec4b41c827f4369973d2792992849e4fa5 upstream.

Currently, using the bridge reject target with tagged packets
results in untagged packets being sent back.

Fix this by mirroring the vlan id as well.

Fixes: 85f5b3086a04 ("netfilter: bridge: add reject support")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index b325b569e76155f70d2266fb1aba3b8074537b91..f48cf4cfb80f9e4e1981dbb28a97e80d6af50176 100644 (file)
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -31,6 +31,12 @@ static void nft_reject_br_push_etherhdr(struct sk_buff *oldskb,
        ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source);
        eth->h_proto = eth_hdr(oldskb)->h_proto;
        skb_pull(nskb, ETH_HLEN);
+
+       if (skb_vlan_tag_present(oldskb)) {
+               u16 vid = skb_vlan_tag_get(oldskb);
+
+               __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid);
+       }
 }
 
 static int nft_bridge_iphdr_validate(struct sk_buff *skb)