netfilter: nft_fib: allow from forward/input without iif selector
This removes the restriction of needing iif selector in the
forward/input hooks for fib lookups when requested result is
oif/oifname.

Removing this restriction allows "loose" lookups from the forward hooks.

Fixes: be8be04 ("netfilter: nft_fib: reverse path filter for policy-based routing on iif")
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
erig0 authored and ummakynes committed May 28, 2024
1 parent 21a673b commit e8ded22
Showing 1 changed file with 3 additions and 5 deletions.
8 changes: 3 additions & 5 deletions net/netfilter/nft_fib.c
Expand Up @@ -35,11 +35,9 @@ int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
switch (priv->result) {
case NFT_FIB_RESULT_OIF:
case NFT_FIB_RESULT_OIFNAME:
hooks = (1 << NF_INET_PRE_ROUTING);
if (priv->flags & NFTA_FIB_F_IIF) {
hooks |= (1 << NF_INET_LOCAL_IN) |
(1 << NF_INET_FORWARD);
}
hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN) |
(1 << NF_INET_FORWARD);
break;
case NFT_FIB_RESULT_ADDRTYPE:
if (priv->flags & NFTA_FIB_F_IIF)
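Review bot: The new unconditional hooks assignment under NFT_FIB_RESULT_OIF / NFT_FIB_RESULT_OIFNAME carries no comment saying why LOCAL_IN and FORWARD are now accepted without NFTA_FIB_F_IIF. The following NFT_FIB_RESULT_ADDRTYPE case still branches on that flag, so the two cases now read asymmetrically. A one-line comment above the assignment would make the intent explicit for the next reader, for example that oif/oifname lookups are permitted from these hooks with or without the iif selector so that "loose" lookups work from forward. It would also help to state in the commit message whether ADDRTYPE is deliberately left unchanged. Since validation now accepts rules it previously rejected, a selftest that loads an oif fib expression without iif in a forward chain would pin the new behaviour.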