netfilter: nft_fib: Fix for rpath check with VRF devices (60a7496b) · Commits · e / devices / android_kernel_fairphone_FP5

net/ipv4/netfilter/nft_fib_ipv4.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -83,6 +83,9 @@ void nft_fib4_eval(const struct nft_expr expr, struct nft_regs regs,
		else
		oif = NULL;

		if (priv->flags & NFTA_FIB_F_IIF)
		fl4.flowi4_oif = l3mdev_master_ifindex_rcu(oif);

		if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
		nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
		nft_fib_store_result(dest, priv, nft_in(pkt));

+5 −1

Original line number	Diff line number	Diff line
		@@ -37,6 +37,9 @@ static int nft_fib6_flowi_init(struct flowi6 fl6, const struct nft_fib priv,
		if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) {
		lookup_flags \|= RT6_LOOKUP_F_IFACE;
		fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev);
		} else if ((priv->flags & NFTA_FIB_F_IIF) &&
		(netif_is_l3_master(dev) \|\| netif_is_l3_slave(dev))) {
		fl6->flowi6_oif = dev->ifindex;
		}

		if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST)
		@@ -179,7 +182,8 @@ void nft_fib6_eval(const struct nft_expr expr, struct nft_regs regs,
		if (rt->rt6i_flags & (RTF_REJECT \| RTF_ANYCAST \| RTF_LOCAL))
		goto put_rt_err;

		if (oif && oif != rt->rt6i_idev->dev)
		if (oif && oif != rt->rt6i_idev->dev &&
		l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) != oif->ifindex)
		goto put_rt_err;

		nft_fib_store_result(dest, priv, rt->rt6i_idev->dev);