T7512: firewall: Modify accepting invalid traffic for VLAN aware bridge

Allow accepting invalid packets for ethernet types `8021q` and `8021ad` in addition to ARP and UDP types so that stateful bridge firewall works for VLAN-aware bridges in addition to regular bridges.
author: Indrajit Raychaudhuri <irc@indrajit.com> 2025-06-01 23:32:13 -0500
committer: Indrajit Raychaudhuri <irc@indrajit.com> 2025-06-01 23:52:08 -0500
commit: b47adae7a3e963bfca3b775f4b84d5121907c76d (patch)
tree: e5c9cf3ea824fa87b52bb9bef4ed4b163139bde4 /data
parent: b8cd453177feebc44aee53657bfd2bbcea7a8d66 (diff)
download: vyos-1x-b47adae7a3e963bfca3b775f4b84d5121907c76d.tar.gz
vyos-1x-b47adae7a3e963bfca3b775f4b84d5121907c76d.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index a78119a80..f5cd801e4 100755
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -414,6 +414,8 @@ table bridge vyos_filter {
 {%                 if 'invalid_connections' in global_options.apply_to_bridged_traffic %}
         ct state invalid udp sport 67 udp dport 68 counter accept
         ct state invalid ether type arp counter accept
+        ct state invalid ether type 8021q counter accept
+        ct state invalid ether type 8021ad counter accept
         ct state invalid ether type 0x8864 counter accept
 {%                 endif %}
 {%             endif %}
author	Indrajit Raychaudhuri <irc@indrajit.com>	2025-06-01 23:32:13 -0500
committer	Indrajit Raychaudhuri <irc@indrajit.com>	2025-06-01 23:52:08 -0500
commit	b47adae7a3e963bfca3b775f4b84d5121907c76d (patch)
tree	e5c9cf3ea824fa87b52bb9bef4ed4b163139bde4 /data
parent	b8cd453177feebc44aee53657bfd2bbcea7a8d66 (diff)
download	vyos-1x-b47adae7a3e963bfca3b775f4b84d5121907c76d.tar.gz vyos-1x-b47adae7a3e963bfca3b775f4b84d5121907c76d.zip