netfilter: af_info: add 'strict' parameter to limit lookup to .oif

ipv6 fib lookup can set RT6_LOOKUP_F_IFACE flag to restrict search
to an interface, but this flag cannot be set via struct flowi.

Also, it cannot be set via ip6_route_output: this function uses the
passed sock struct to determine if this flag is required
(by testing for nonzero sk_bound_dev_if).

Work around this by passing in an artificial struct sk in case
'strict' argument is true.

This is required to replace the rt6_lookup call in xt_addrtype.c with
nf_afinfo->route().

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>

1 files changed, 10 insertions, 2 deletions

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index e008b9b4a779..28bc1f644b7b 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -91,9 +91,17 @@ static int nf_ip6_reroute(struct sk_buff *skb,
 }
 
 static int nf_ip6_route(struct net *net, struct dst_entry **dst,
-                        struct flowi *fl)
+                        struct flowi *fl, bool strict)
 {
-        *dst = ip6_route_output(net, NULL, &fl->u.ip6);
+        static const struct ipv6_pinfo fake_pinfo;
+        static const struct inet_sock fake_sk = {
+                /* makes ip6_route_output set RT6_LOOKUP_F_IFACE: */
+                .sk.sk_bound_dev_if = 1,
+                .pinet6 = (struct ipv6_pinfo *) &fake_pinfo,
+        };
+        const void *sk = strict ? &fake_sk : NULL;
+
+        *dst = ip6_route_output(net, sk, &fl->u.ip6);
         return (*dst)->error;
 }