netfilter: nft_fib: Fix for rpath check with VRF devices

[ Upstream commit 2a8a7c0eaa8747c16aa4a48d573aa920d5c00a5c ] Analogous to commit b575b24b8eee3 ("netfilter: Fix rpfilter dropping vrf packets by mistake") but for nftables fib expression: Add special treatment of VRF devices so that typical reverse path filtering via 'fib saddr . iif oif' expression works as expected. Fixes: f6d0cbcf09c50 ("netfilter: nf_tables: add fib expression") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Phil Sutter <phil@nwl.cc> 2022-09-21 14:07:31 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-10-26 14:25:22 +0300
commit: b284e1fe15c419717720508b367fe7cbfd8c74af (patch)
tree: 01b4b5291d2f70492dca8933a208cf2c77e54b24 /net/ipv4
parent: b384e8fb16068702a087e1d09814784753d7e6e2 (diff)
download: linux-b284e1fe15c419717720508b367fe7cbfd8c74af.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c
index 03df986217b7..9e6f0f1275e2 100644
--- a/net/ipv4/netfilter/nft_fib_ipv4.c
+++ b/net/ipv4/netfilter/nft_fib_ipv4.c
@@ -83,6 +83,9 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
 	else
 		oif = NULL;
 
+	if (priv->flags & NFTA_FIB_F_IIF)
+		fl4.flowi4_oif = l3mdev_master_ifindex_rcu(oif);
+
 	if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
 	    nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
 		nft_fib_store_result(dest, priv, nft_in(pkt));
author	Phil Sutter <phil@nwl.cc>	2022-09-21 14:07:31 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-10-26 14:25:22 +0300
commit	b284e1fe15c419717720508b367fe7cbfd8c74af (patch)
tree	01b4b5291d2f70492dca8933a208cf2c77e54b24 /net/ipv4
parent	b384e8fb16068702a087e1d09814784753d7e6e2 (diff)
download	linux-b284e1fe15c419717720508b367fe7cbfd8c74af.tar.xz