netfilter: fib: check correct rtable in vrf setups
We need to init l3mdev unconditionally, else the main routing table is searched
and an incorrect result is returned unless strict (iif keyword) matching is
requested.
Next patch adds a selftest for this.
Fixes: 2a8a7c0eaa
("netfilter: nft_fib: Fix for rpath check with VRF devices")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1761
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
0bfcb7b71e
commit
05ef7055de
@ -65,6 +65,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
|
||||
.flowi4_scope = RT_SCOPE_UNIVERSE,
|
||||
.flowi4_iif = LOOPBACK_IFINDEX,
|
||||
.flowi4_uid = sock_net_uid(nft_net(pkt), NULL),
|
||||
.flowi4_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),
|
||||
};
|
||||
const struct net_device *oif;
|
||||
const struct net_device *found;
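Review bot: The new initializer `.flowi4_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),` now runs for every hook the expression evaluates in, whereas the assignment it replaces in the second hunk only ran under NFTA_FIB_F_IIF; on output-side hooks nft_in(pkt) can be NULL, so this leans on l3mdev_master_ifindex_rcu() tolerating a NULL device (it returns 0 in that case upstream, as far as I recall, but nothing in the hunk says so). A one-line comment would save the next reader the lookup: `/* nft_in() may be NULL on output hooks; the l3mdev helper returns 0 then */`. The OIF-only case also changes in passing: it previously left flowi4_l3mdev at zero and now takes the ingress device's VRF master, which is presumably the intent (the lookup otherwise falls back to the main table) but deserves a sentence in the commit message. nft_fib4_eval starts and ends outside this hunk.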
|
||||
@ -83,9 +84,6 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
|
||||
else
|
||||
oif = NULL;
|
||||
|
||||
if (priv->flags & NFTA_FIB_F_IIF)
|
||||
fl4.flowi4_l3mdev = l3mdev_master_ifindex_rcu(oif);
|
||||
|
||||
if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
|
||||
nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
|
||||
nft_fib_store_result(dest, priv, nft_in(pkt));
|
||||
|
@ -41,8 +41,6 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
|
||||
if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) {
|
||||
lookup_flags |= RT6_LOOKUP_F_IFACE;
|
||||
fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev);
|
||||
} else if (priv->flags & NFTA_FIB_F_IIF) {
|
||||
fl6->flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);
|
||||
}
|
||||
|
||||
if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST)
|
||||
@ -75,6 +73,8 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
|
||||
else if (priv->flags & NFTA_FIB_F_OIF)
|
||||
dev = nft_out(pkt);
|
||||
|
||||
fl6.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);
|
||||
|
||||
nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph);
|
||||
|
||||
if (dev && nf_ipv6_chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
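Review bot: `fl6.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);` is now reached with whatever `dev` holds when neither NFTA_FIB_F_IIF nor NFTA_FIB_F_OIF is set — its initial value is declared before this hunk and is presumably NULL — so the helper must accept a NULL device (upstream it returns 0 for one, as far as I recall); a short comment such as `/* dev may be NULL when no iif/oif flag is set; helper yields 0 */` would make that reliance explicit. Hoisting the assignment out of nft_fib6_flowi_init() also changes the link-local case visible in the earlier hunk: a link-local daddr previously took the RT6_LOOKUP_F_IFACE branch and left flowi6_l3mdev untouched, whereas now both flowi6_oif and flowi6_l3mdev are populated for it, so the selftest promised in the message should include a link-local destination inside a VRF. __nft_fib6_eval_type begins and ends outside this hunk.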
|
||||
@ -165,6 +165,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
|
||||
.flowi6_iif = LOOPBACK_IFINDEX,
|
||||
.flowi6_proto = pkt->tprot,
|
||||
.flowi6_uid = sock_net_uid(nft_net(pkt), NULL),
|
||||
.flowi6_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),
|
||||
};
|
||||
struct rt6_info *rt;
|
||||
int lookup_flags;
|
||||
|