authorEric Garver <eric@garver.life>2024-05-21 10:25:05 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-06-12 11:03:58 +0200
commitc98af7fd2f9dae93c4fba0dc6ad1d956196c9901 (patch)
treee9cb48c007263fae63b5d80221008fac61cb95b5 /net
parentcaf3a8afb5ea00db6d5398adf148d5534615fd80 (diff)
netfilter: nft_fib: allow from forward/input without iif selector
[ Upstream commit e8ded22ef0f4831279c363c264cd41cd9d59ca9e ] This removes the restriction of needing iif selector in the forward/input hooks for fib lookups when requested result is oif/oifname. Removing this restriction allows "loose" lookups from the forward hooks. Fixes: be8be04e5ddb ("netfilter: nft_fib: reverse path filter for policy-based routing on iif") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nft_fib.c8
1 files changed, 3 insertions, 5 deletions
diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c
index 5748415f74d0..0f17ace97227 100644
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -34,11 +34,9 @@ int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
switch (priv->result) {
case NFT_FIB_RESULT_OIF:
case NFT_FIB_RESULT_OIFNAME:
- hooks = (1 << NF_INET_PRE_ROUTING);
- if (priv->flags & NFTA_FIB_F_IIF) {
- hooks |= (1 << NF_INET_LOCAL_IN) |
- (1 << NF_INET_FORWARD);
- }
+ hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD);
break;
case NFT_FIB_RESULT_ADDRTYPE:
if (priv->flags & NFTA_FIB_F_IIF)
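Review bot: The widened hook mask for `NFT_FIB_RESULT_OIF`/`NFT_FIB_RESULT_OIFNAME` carries no comment saying that input and forward are now accepted without `NFTA_FIB_F_IIF`, which is the security-relevant part of this change. Per the commit message such a lookup is "loose", so presumably it is not tied to the interface the packet arrived on and is a weaker check than the iif-bound reverse-path form for rulesets that use fib as an anti-spoofing filter. I would add above the assignment: `/* iif is optional in input/forward: without NFTA_FIB_F_IIF the lookup is "loose", not bound to the ingress interface */`. The switch and the rest of nft_fib_validate continue outside the hunk, so how `hooks` is enforced afterwards is not visible here.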