Merge tag 'nf-next-25-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

	return skb->pkt_type == PACKET_LOOPBACK || in->flags & IFF_LOOPBACK;

}

static inline bool nft_fib_can_skip(const struct nft_pktinfo *pkt)

{

	const struct net_device *indev = nft_in(pkt);

	const struct sock *sk;

	switch (nft_hook(pkt)) {

	case NF_INET_PRE_ROUTING:

	case NF_INET_INGRESS:

	case NF_INET_LOCAL_IN:

		break;

	default:

		return false;

	}

	sk = pkt->skb->sk;

	if (sk && sk_fullsock(sk))

	       return sk->sk_rx_dst_ifindex == indev->ifindex;

	return nft_fib_is_loopback(pkt->skb, indev);

}

int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr, bool reset);

int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr,

		 const struct nlattr * const tb[]);

	const struct net_device *oif;

	const struct net_device *found;

	if (nft_fib_can_skip(pkt)) {

		nft_fib_store_result(dest, priv, nft_in(pkt));

		return;

	}

	/*

	 * Do not set flowi4_oif, it restricts results (for example, asking

	 * for oif 3 will get RTN_UNICAST result even if the daddr exits

	else

		oif = NULL;

	if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&

	    nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {

		nft_fib_store_result(dest, priv, nft_in(pkt));

		return;

	}

	iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);

	if (!iph) {

		regs->verdict.code = NFT_BREAK;

	struct sk_buff *data_skb = NULL;

	int doff = 0;

	int thoff = 0, tproto;

#if IS_ENABLED(CONFIG_NF_CONNTRACK)

	enum ip_conntrack_info ctinfo;

	struct nf_conn const *ct;

#endif

	tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);

	if (tproto < 0) {

		return NULL;

	}

#if IS_ENABLED(CONFIG_NF_CONNTRACK)

	/* Do the lookup with the original socket address in

	 * case this is a reply packet of an established

	 * SNAT-ted connection.

	 */

	ct = nf_ct_get(skb, &ctinfo);

	if (ct &&

	    ((tproto != IPPROTO_ICMPV6 &&

	      ctinfo == IP_CT_ESTABLISHED_REPLY) ||

	     (tproto == IPPROTO_ICMPV6 &&

	      ctinfo == IP_CT_RELATED_REPLY)) &&

	    (ct->status & IPS_SRC_NAT_DONE)) {

		daddr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.in6;

		dport = (tproto == IPPROTO_TCP) ?

			ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.tcp.port :

			ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;

	}

#endif

	return nf_socket_get_sock_v6(net, data_skb, doff, tproto, saddr, daddr,

				     sport, dport, indev);

}

	struct rt6_info *rt;

	int lookup_flags;

	if (nft_fib_can_skip(pkt)) {

		nft_fib_store_result(dest, priv, nft_in(pkt));

		return;

	}

	if (priv->flags & NFTA_FIB_F_IIF)

		oif = nft_in(pkt);

	else if (priv->flags & NFTA_FIB_F_OIF)

		return;

	}

	lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph);

	if (nft_hook(pkt) == NF_INET_PRE_ROUTING ||

	    nft_hook(pkt) == NF_INET_INGRESS) {

		if (nft_fib_is_loopback(pkt->skb, nft_in(pkt)) ||

		    nft_fib_v6_skip_icmpv6(pkt->skb, pkt->tprot, iph)) {

	if (nft_fib_v6_skip_icmpv6(pkt->skb, pkt->tprot, iph)) {

		nft_fib_store_result(dest, priv, nft_in(pkt));

		return;

	}

	}

	lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph);

	*dest = 0;

	rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, pkt->skb,

		.data		= &nf_conntrack_max,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec,

		.proc_handler	= proc_dointvec_minmax,

		.extra1		= SYSCTL_ZERO,

		.extra2		= SYSCTL_INT_MAX,

	},

	[NF_SYSCTL_CT_COUNT] = {

		.procname	= "nf_conntrack_count",

		.data		= &nf_ct_expect_max,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec,

		.proc_handler	= proc_dointvec_minmax,

		.extra1		= SYSCTL_ONE,

		.extra2		= SYSCTL_INT_MAX,

	},

	[NF_SYSCTL_CT_ACCT] = {

		.procname	= "nf_conntrack_acct",

		.data		= &nf_conntrack_max,

		.maxlen		= sizeof(int),

		.mode		= 0644,

		.proc_handler	= proc_dointvec,

		.proc_handler	= proc_dointvec_minmax,

		.extra1		= SYSCTL_ZERO,

		.extra2		= SYSCTL_INT_MAX,

	},

};