* [PATCH nf-next] netfilter: nft_fib: reverse path filter for policy-based routing on iif
From: Pablo Neira Ayuso @ 2022-03-30 22:27 UTC (permalink / raw)
To: netfilter-devel; +Cc: fw
If policy-based routing using the iif selector is used, then the fib
expression fails to look up the reverse path from the prerouting
hook because the input interface cannot be inferred. In order to support
this scenario, extend the fib expression to allow its use after the route
lookup, from the forward chain.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/netfilter/nft_fib_ipv4.c | 4 ++++
net/ipv6/netfilter/nft_fib_ipv6.c | 4 ++++
net/netfilter/nft_fib.c | 2 ++
3 files changed, 10 insertions(+)
diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c
index 4151eb1262dd..b75cac69bd7e 100644
--- a/net/ipv4/netfilter/nft_fib_ipv4.c
+++ b/net/ipv4/netfilter/nft_fib_ipv4.c
@@ -112,6 +112,10 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
fl4.daddr = iph->daddr;
fl4.saddr = get_saddr(iph->saddr);
} else {
+ if (nft_hook(pkt) == NF_INET_FORWARD &&
+ priv->flags & NFTA_FIB_F_IIF)
+ fl4.flowi4_iif = nft_out(pkt)->ifindex;
+
fl4.daddr = iph->saddr;
fl4.saddr = get_saddr(iph->daddr);
}
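Review bot: the new branch at the top of the else block keys the reverse lookup on `nft_out(pkt)->ifindex`, which is only safe because the nft_fib.c hunk in this same patch restricts NF_INET_FORWARD to expressions carrying NFTA_FIB_F_IIF; a one-line comment here stating that the reverse lookup uses the interface the reply would leave through as the policy-routing iif would spare the next reader a trip through nft_fib_validate. The commit message would also benefit from spelling out that rationale, since "allow its use from the forward chain" does not explain why the output interface is the right key.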
diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
index b3f163b40c2b..8970d0b4faeb 100644
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -30,6 +30,10 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
fl6->daddr = iph->daddr;
fl6->saddr = iph->saddr;
} else {
+ if (nft_hook(pkt) == NF_INET_FORWARD &&
+ priv->flags & NFTA_FIB_F_IIF)
+ fl6->flowi6_iif = nft_out(pkt)->ifindex;
+
fl6->daddr = iph->saddr;
fl6->saddr = iph->daddr;
}
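Review bot: this block duplicates the IPv4 hunk line for line (same hook test, same flag test, same `nft_out(pkt)->ifindex` assignment); since both families already share `priv->flags`, a small helper in nft_fib.c that returns the iif to use for a reverse lookup given the hook would keep the two from drifting apart. The condition mixes `==` and `&` without parentheses around `priv->flags & NFTA_FIB_F_IIF`; it parses as intended, and the ADDRTYPE case in nft_fib_validate uses the same bare form, but parenthesising the bit test would make the two-part condition easier to read.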
diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c
index f198f2d9ef90..7689051654bf 100644
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -35,6 +35,8 @@ int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
case NFT_FIB_RESULT_OIF:
case NFT_FIB_RESULT_OIFNAME:
hooks = (1 << NF_INET_PRE_ROUTING);
+ if (priv->flags & NFTA_FIB_F_IIF)
+ hooks |= (1 << NF_INET_FORWARD);
break;
case NFT_FIB_RESULT_ADDRTYPE:
if (priv->flags & NFTA_FIB_F_IIF)
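Review bot: the FORWARD bit is added only under NFTA_FIB_F_IIF, mirroring the ADDRTYPE case below, but nothing records why: a comment that the forward chain is permitted because the reverse lookup can then use the output interface as iif (the two eval hunks depend on exactly this restriction to dereference `nft_out(pkt)`) would document the invariant at the point that enforces it. Without that note a later change that relaxes this mask for OIF/OIFNAME would silently break the eval path's assumption that the hook is FORWARD whenever the flag is set.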
--
2.30.2
* Re: [PATCH nf-next] netfilter: nft_fib: reverse path filter for policy-based routing on iif
From: Florian Westphal @ 2022-04-10 18:19 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, fw
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> If policy-based routing using the iif selector is used, then the fib
> expression fails to look up the reverse path from the prerouting
> hook because the input interface cannot be inferred. In order to support
> this scenario, extend the fib expression to allow its use after the route
> lookup, from the forward chain.
LGTM,
Acked-by: Florian Westphal <fw@strlen.de>