Commit 05ef7055 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: fib: check correct rtable in vrf setups

We need to init l3mdev unconditionally, else the main routing table is searched
and an incorrect result is returned unless strict (iif keyword) matching is
requested.

Next patch adds a selftest for this.

Fixes: 2a8a7c0e ("netfilter: nft_fib: Fix for rpath check with VRF devices")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1761
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 0bfcb7b7
...@@ -65,6 +65,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -65,6 +65,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
.flowi4_scope = RT_SCOPE_UNIVERSE, .flowi4_scope = RT_SCOPE_UNIVERSE,
.flowi4_iif = LOOPBACK_IFINDEX, .flowi4_iif = LOOPBACK_IFINDEX,
.flowi4_uid = sock_net_uid(nft_net(pkt), NULL), .flowi4_uid = sock_net_uid(nft_net(pkt), NULL),
.flowi4_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),
}; };
const struct net_device *oif; const struct net_device *oif;
const struct net_device *found; const struct net_device *found;
...@@ -83,9 +84,6 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -83,9 +84,6 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
else else
oif = NULL; oif = NULL;
if (priv->flags & NFTA_FIB_F_IIF)
fl4.flowi4_l3mdev = l3mdev_master_ifindex_rcu(oif);
if (nft_hook(pkt) == NF_INET_PRE_ROUTING && if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
nft_fib_store_result(dest, priv, nft_in(pkt)); nft_fib_store_result(dest, priv, nft_in(pkt));
......
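Review bot: The new `.flowi4_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),` initializer carries none of the reasoning the commit message gives, so a later reader will not see why the ingress device's L3 master is consulted for every lookup and not only under NFTA_FIB_F_IIF as the lines removed in the second hunk did. I would put a one-line comment above it, `/* must be set unconditionally, else the main table is searched in VRF setups */`. The removed code derived the master from oif, which the `else` branch just above it sets to NULL, whereas the new code always passes nft_in(pkt); as far as I recall l3mdev_master_ifindex_rcu() returns 0 for a NULL device, but that is not visible here and hooks without an input device are worth a word in that comment. nft_fib4_eval begins and ends outside both hunks.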
...@@ -41,8 +41,6 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv, ...@@ -41,8 +41,6 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) { if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) {
lookup_flags |= RT6_LOOKUP_F_IFACE; lookup_flags |= RT6_LOOKUP_F_IFACE;
fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev); fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev);
} else if (priv->flags & NFTA_FIB_F_IIF) {
fl6->flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);
} }
if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST) if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST)
...@@ -75,6 +73,8 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv, ...@@ -75,6 +73,8 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
else if (priv->flags & NFTA_FIB_F_OIF) else if (priv->flags & NFTA_FIB_F_OIF)
dev = nft_out(pkt); dev = nft_out(pkt);
fl6.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);
nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph); nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph);
if (dev && nf_ipv6_chk_addr(nft_net(pkt), &fl6.daddr, dev, true)) if (dev && nf_ipv6_chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
...@@ -165,6 +165,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -165,6 +165,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
.flowi6_iif = LOOPBACK_IFINDEX, .flowi6_iif = LOOPBACK_IFINDEX,
.flowi6_proto = pkt->tprot, .flowi6_proto = pkt->tprot,
.flowi6_uid = sock_net_uid(nft_net(pkt), NULL), .flowi6_uid = sock_net_uid(nft_net(pkt), NULL),
.flowi6_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),
}; };
struct rt6_info *rt; struct rt6_info *rt;
int lookup_flags; int lookup_flags;
......
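Review bot: Hoisting the assignment to `fl6.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);` in __nft_fib6_eval_type changes the link-local case, because the removed `else if` in nft_fib6_flowi_init never set flowi6_l3mdev when the daddr was link-local and flowi6_oif was forced together with RT6_LOOKUP_F_IFACE, while the new code populates it before that branch runs. If a lookup with both flowi6_oif and flowi6_l3mdev set is the intended behaviour for link-local destinations, that deserves a comment at the assignment, e.g. `/* set l3mdev before flowi_init(): the VRF table must be used even for link-local daddr */`; if it is not, the assignment should be skipped for that case. The `dev ? dev : pkt->skb->dev` test in the first hunk shows dev may be NULL here, so the caller-side call relies on l3mdev_master_ifindex_rcu() accepting a NULL device — presumably it does, but that is not visible in the hunk. __nft_fib6_eval_type and nft_fib6_flowi_init both begin and end outside their hunks, and the same documentation point applies to the third hunk in nft_fib6_eval, where the initializer uses nft_in(pkt).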