diff options
| author | Florian Westphal <fw@strlen.de> | 2018-02-14 18:23:05 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-02-25 14:15:53 -0500 |
| commit | 47b7e7f82802dced3ac73658bf4b77584a63063f (patch) | |
| tree | 2f7da12fa07b876dbfd2c433452f636f70420e05 | |
| parent | 2412d897c2c34ab5a9834a2dc472512d96e485ef (diff) | |
netfilter: don't set F_IFACE on ipv6 fib lookups
"fib" starts to behave strangely when an ipv6 default route is
added - the FIB lookup returns a route using 'oif' in this case.
This behaviour was inherited from ip6tables rpfilter so change
this as well.
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1221
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | net/ipv6/netfilter/ip6t_rpfilter.c | 4 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nft_fib_ipv6.c | 12 |
2 files changed, 2 insertions, 14 deletions
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c index 94deb69bbbda..91ed25a24b79 100644 --- a/net/ipv6/netfilter/ip6t_rpfilter.c +++ b/net/ipv6/netfilter/ip6t_rpfilter.c | |||
| @@ -48,10 +48,6 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, | |||
| 48 | } | 48 | } |
| 49 | 49 | ||
| 50 | fl6.flowi6_mark = flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0; | 50 | fl6.flowi6_mark = flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0; |
| 51 | if ((flags & XT_RPFILTER_LOOSE) == 0) { | ||
| 52 | fl6.flowi6_oif = dev->ifindex; | ||
| 53 | lookup_flags |= RT6_LOOKUP_F_IFACE; | ||
| 54 | } | ||
| 55 | 51 | ||
| 56 | rt = (void *) ip6_route_lookup(net, &fl6, lookup_flags); | 52 | rt = (void *) ip6_route_lookup(net, &fl6, lookup_flags); |
| 57 | if (rt->dst.error) | 53 | if (rt->dst.error) |
diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c index cc5174c7254c..62fc84d7bdff 100644 --- a/net/ipv6/netfilter/nft_fib_ipv6.c +++ b/net/ipv6/netfilter/nft_fib_ipv6.c | |||
| @@ -180,7 +180,6 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, | |||
| 180 | } | 180 | } |
| 181 | 181 | ||
| 182 | *dest = 0; | 182 | *dest = 0; |
| 183 | again: | ||
| 184 | rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, lookup_flags); | 183 | rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, lookup_flags); |
| 185 | if (rt->dst.error) | 184 | if (rt->dst.error) |
| 186 | goto put_rt_err; | 185 | goto put_rt_err; |
| @@ -189,15 +188,8 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, | |||
| 189 | if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL)) | 188 | if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL)) |
| 190 | goto put_rt_err; | 189 | goto put_rt_err; |
| 191 | 190 | ||
| 192 | if (oif && oif != rt->rt6i_idev->dev) { | 191 | if (oif && oif != rt->rt6i_idev->dev) |
| 193 | /* multipath route? Try again with F_IFACE */ | 192 | goto put_rt_err; |
| 194 | if ((lookup_flags & RT6_LOOKUP_F_IFACE) == 0) { | ||
| 195 | lookup_flags |= RT6_LOOKUP_F_IFACE; | ||
| 196 | fl6.flowi6_oif = oif->ifindex; | ||
| 197 | ip6_rt_put(rt); | ||
| 198 | goto again; | ||
| 199 | } | ||
| 200 | } | ||
| 201 | 193 | ||
| 202 | switch (priv->result) { | 194 | switch (priv->result) { |
| 203 | case NFT_FIB_RESULT_OIF: | 195 | case NFT_FIB_RESULT_OIF: |