Commit 05ef7055 authored by Florian Westphal, committed by Pablo Neira Ayuso

netfilter: fib: check correct rtable in vrf setups

We need to init l3mdev unconditionally; otherwise the main routing table is
searched and an incorrect result is returned unless strict (iif keyword)
matching is requested.

Next patch adds a selftest for this.

Fixes: 2a8a7c0e ("netfilter: nft_fib: Fix for rpath check with VRF devices")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1761


Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 0bfcb7b7
+1 −3
@@ -65,6 +65,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
		.flowi4_scope = RT_SCOPE_UNIVERSE,
		.flowi4_iif = LOOPBACK_IFINDEX,
		.flowi4_uid = sock_net_uid(nft_net(pkt), NULL),
		.flowi4_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),
	};
	const struct net_device *oif;
	const struct net_device *found;
@@ -83,9 +84,6 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
	else
		oif = NULL;

	if (priv->flags & NFTA_FIB_F_IIF)
		fl4.flowi4_l3mdev = l3mdev_master_ifindex_rcu(oif);

	if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
	    nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
		nft_fib_store_result(dest, priv, nft_in(pkt));
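Review bot: The new unconditional `.flowi4_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),` initializer carries no explanation of why the lookup must always be scoped to the ingress device's L3 master, and since the commit message says this reverses the conditional introduced by 2a8a7c0e, the next reader is likely to make it conditional again. Suggest a why-comment directly above that initializer: `/* always scope the lookup to the VRF of the ingress device; otherwise the main table is searched and the wrong route is returned (netfilter bz 1761) */`. With the NFTA_FIB_F_IIF-conditional assignment from `oif` removed, the OIF case now derives l3mdev from nft_in(pkt) rather than from the output device; if that is intended the comment should say so. If nft_fib4_eval can run in a hook where nft_in(pkt) is NULL (LOCAL_OUT, presumably), the code is relying on l3mdev_master_ifindex_rcu() tolerating a NULL device, which is worth confirming against its definition. nft_fib4_eval starts and ends outside these hunks.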
+3 −2
@@ -41,8 +41,6 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
	if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) {
		lookup_flags |= RT6_LOOKUP_F_IFACE;
		fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev);
	} else if (priv->flags & NFTA_FIB_F_IIF) {
		fl6->flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);
	}

	if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST)
@@ -75,6 +73,8 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
	else if (priv->flags & NFTA_FIB_F_OIF)
		dev = nft_out(pkt);

	fl6.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);

	nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph);

	if (dev && nf_ipv6_chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
@@ -165,6 +165,7 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
		.flowi6_iif = LOOPBACK_IFINDEX,
		.flowi6_proto = pkt->tprot,
		.flowi6_uid = sock_net_uid(nft_net(pkt), NULL),
		.flowi6_l3mdev = l3mdev_master_ifindex_rcu(nft_in(pkt)),
	};
	struct rt6_info *rt;
	int lookup_flags;
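Review bot: In the `__nft_fib6_eval_type` hunk the L3 master is taken from `dev`, which under NFTA_FIB_F_OIF is `nft_out(pkt)`, whereas the `nft_fib6_eval` initializer and the IPv4 path take it from `nft_in(pkt)` unconditionally, so the addrtype path and the route path scope VRF lookups to different devices in OIF mode and nothing in the hunk says whether that is deliberate. If it is, add `/* addrtype check: VRF of the device selected by the iif/oif flag, not always the ingress device */` above `fl6.flowi6_l3mdev = l3mdev_master_ifindex_rcu(dev);`; if it is not, `l3mdev_master_ifindex_rcu(nft_in(pkt))` there would match the other call sites. The value of `dev` when neither flag is set is assigned before the hunk, so I cannot tell from here whether that case falls back to a zero l3mdev (main table) as the removed IIF-only branch did. Both nft_fib6_flowi_init and __nft_fib6_eval_type start and end outside their hunks.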