Commit e8ded22e authored May 21, 2024 by Eric Garver Committed by Pablo Neira Ayuso May 29, 2024

netfilter: nft_fib: allow from forward/input without iif selector



This removes the restriction of needing iif selector in the
forward/input hooks for fib lookups when requested result is
oif/oifname.

Removing this restriction allows "loose" lookups from the forward hooks.

Fixes: be8be04e ("netfilter: nft_fib: reverse path filter for policy-based routing on iif")
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent 21a673bd

net/netfilter/nft_fib.c

+3 −5

Original line number	Diff line number	Diff line
		@@ -35,11 +35,9 @@ int nft_fib_validate(const struct nft_ctx ctx, const struct nft_expr expr,
		switch (priv->result) {
		case NFT_FIB_RESULT_OIF:
		case NFT_FIB_RESULT_OIFNAME:
		hooks = (1 << NF_INET_PRE_ROUTING);
		if (priv->flags & NFTA_FIB_F_IIF) {
		hooks \|= (1 << NF_INET_LOCAL_IN) \|
		hooks = (1 << NF_INET_PRE_ROUTING) \|
		(1 << NF_INET_LOCAL_IN) \|
		(1 << NF_INET_FORWARD);
		}
		break;
		case NFT_FIB_RESULT_ADDRTYPE:
		if (priv->flags & NFTA_FIB_F_IIF)