Hi Eric,

On Tue, Feb 24, 2026 at 07:53:06AM +0100, Eric Woudstra wrote:
> In nft_do_chain_bridge() pktinfo is only fully populated for plain packets
> and packets encapsulated in single 802.1q or 802.1ad.
>
> When implementing the software bridge-fastpath and testing all possible
> encapsulations, there can be more encapsulations:
>
> The packet could (also) be encapsulated in PPPoE, or the packet could be
> encapsulated in an inner 802.1q, combined with an outer 802.1ad or 802.1q
> encapsulation.
>
> nft_flow_offload_eval() also examines the L4 header, with the L4 protocol
> known from the conntrack-tuplehash. To access the header it uses
> nft_thoff(), but for these packets it returns zero.
>
> Introduce nft_set_bridge_pktinfo() to help populate pktinfo with the
> offsets.
I just posted a slightly different approach to deal with this which also works for the netdev family. My understanding is that your proposal has a strong dependency on the conntrack infrastructure, and it would be good if stateless filtering on double-tagged vlan and pppoe is also possible.
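To make the offset problem in the quoted description concrete, the following is an added, stand-alone user-space example (not Eric's patch, not the posted alternative, and not kernel code): it walks the same encapsulation stack the patch describes (up to two VLAN tags, 802.1ad or 802.1q, optionally followed by a PPPoE session header) and records the network and transport header offsets that a plain single-tag walk would leave at zero. The constant values are the standard EtherType/PPP protocol numbers; the frame bytes are constructed for the example, and the parser deliberately stops at the first IPv6 header (no extension-header walk) to stay short.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN      14
#define ETH_P_IP      0x0800
#define ETH_P_IPV6    0x86DD
#define ETH_P_8021Q   0x8100
#define ETH_P_8021AD  0x88A8
#define ETH_P_PPP_SES 0x8864   /* PPPoE session stage */
#define PPP_IP        0x0021   /* PPP protocol id for IPv4 */
#define PPP_IPV6      0x0057   /* PPP protocol id for IPv6 */

/* Hypothetical stand-in for the offsets pktinfo carries (not struct nft_pktinfo). */
struct pkt_offsets {
    uint16_t l3_proto;   /* ETH_P_IP or ETH_P_IPV6 after stripping encapsulation */
    uint16_t l3_off;     /* byte offset of the network header */
    uint16_t l4_off;     /* byte offset of the transport header */
    uint8_t  l4_proto;   /* IPv4 protocol / IPv6 next header */
    uint8_t  vlan_depth; /* number of VLAN tags seen (0..2) */
    uint8_t  pppoe;      /* 1 if a PPPoE session header was present */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk Ethernet -> [802.1ad|802.1q] -> [802.1q] -> [PPPoE+PPP] -> IPv4/IPv6.
 * Returns 0 and fills *out on success, -1 if the frame is truncated or uses an
 * encapsulation this example does not handle. Every read is bounds-checked first. */
int parse_bridge_offsets(const uint8_t *pkt, size_t len, struct pkt_offsets *out)
{
    size_t off = ETH_HLEN;
    uint16_t proto;

    memset(out, 0, sizeof(*out));
    if (len < ETH_HLEN) return -1;
    proto = rd16(pkt + 12);

    /* Outer 802.1ad or 802.1q, optionally followed by an inner 802.1q. */
    while ((proto == ETH_P_8021Q || proto == ETH_P_8021AD) && out->vlan_depth < 2) {
        if (len < off + 4) return -1;
        proto = rd16(pkt + off + 2);   /* TCI (2 bytes) then encapsulated EtherType */
        off += 4;
        out->vlan_depth++;
    }

    /* PPPoE session header: ver/type, code, session id, length, then PPP protocol. */
    if (proto == ETH_P_PPP_SES) {
        if (len < off + 8) return -1;
        if (pkt[off] != 0x11 || pkt[off + 1] != 0x00) return -1; /* ver 1, type 1, code 0 */
        uint16_t ppp = rd16(pkt + off + 6);
        off += 8;
        out->pppoe = 1;
        if (ppp == PPP_IP)        proto = ETH_P_IP;
        else if (ppp == PPP_IPV6) proto = ETH_P_IPV6;
        else return -1;
    }

    out->l3_proto = proto;
    out->l3_off = (uint16_t)off;
    if (proto == ETH_P_IP) {
        if (len < off + 20 || (pkt[off] >> 4) != 4) return -1;
        size_t ihl = (size_t)(pkt[off] & 0x0f) * 4;
        if (ihl < 20 || len < off + ihl) return -1;
        out->l4_proto = pkt[off + 9];
        out->l4_off = (uint16_t)(off + ihl);
    } else if (proto == ETH_P_IPV6) {
        if (len < off + 40 || (pkt[off] >> 4) != 6) return -1;
        out->l4_proto = pkt[off + 6];          /* next header; extension headers not walked */
        out->l4_off = (uint16_t)(off + 40);
    } else {
        return -1;
    }
    return 0;
}

/* Constructed frame: 802.1ad (VID 100) + 802.1q (VID 10) + PPPoE session + PPP/IPv4 + TCP SYN. */
const uint8_t stacked_frame[] = {
    0x02,0x00,0x00,0x00,0x00,0x02, 0x02,0x00,0x00,0x00,0x00,0x01, 0x88,0xA8, /* eth, 802.1ad */
    0x00,0x64, 0x81,0x00,                                                   /* S-TCI, 802.1q */
    0x00,0x0A, 0x88,0x64,                                                   /* C-TCI, PPPoE */
    0x11,0x00, 0x00,0x01, 0x00,0x2A, 0x00,0x21,                             /* PPPoE hdr, PPP IPv4 */
    0x45,0x00, 0x00,0x28, 0x00,0x00, 0x40,0x00, 0x40,0x06, 0x00,0x00,       /* IPv4, proto TCP */
    10,0,0,1, 10,0,0,2,
    0x04,0xD2, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xFF,0xFF, 0,0, 0,0, /* TCP SYN */
};
const size_t stacked_frame_len = sizeof(stacked_frame);

int main(void)
{
    struct pkt_offsets o;
    if (parse_bridge_offsets(stacked_frame, stacked_frame_len, &o) == 0)
        printf("vlan_depth=%u pppoe=%u l3_off=%u l4_proto=%u l4_off=%u\n",
               o.vlan_depth, o.pppoe, o.l3_off, o.l4_proto, o.l4_off);
    return 0;
}
```

For the constructed frame the walk lands on the IPv4 header at offset 30 and the TCP header at offset 50; a single-tag walk would have stopped at the inner 802.1q tag and reported no transport offset at all, which is the zero nft_thoff() result the quoted text describes. Truncating the frame before the IPv4 header makes the parser fail instead of reading past the buffer, which is the property any such offset walk needs before the rest of the evaluation trusts the offsets.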
