Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3b760dcb authored Dec 03, 2016 by Liping Zhang Committed by Pablo Neira Ayuso Dec 07, 2016

netfilter: rpfilter: bypass ipv4 lbcast packets with zeronet source



Otherwise, DHCP Discover packets(0.0.0.0->255.255.255.255) may be
dropped incorrectly.

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent a9fea2a3

net/ipv4/netfilter/ipt_rpfilter.c

+5 −3

Original line number	Diff line number	Diff line
		@@ -83,10 +83,12 @@ static bool rpfilter_mt(const struct sk_buff skb, struct xt_action_param par)
		return true ^ invert;

		iph = ip_hdr(skb);
		if (ipv4_is_multicast(iph->daddr)) {
		if (ipv4_is_zeronet(iph->saddr))
		return ipv4_is_local_multicast(iph->daddr) ^ invert;
		if (ipv4_is_zeronet(iph->saddr)) {
		if (ipv4_is_lbcast(iph->daddr) \|\|
		ipv4_is_local_multicast(iph->daddr))
		return true ^ invert;
		}

		flow.flowi4_iif = LOOPBACK_IFINDEX;
		flow.daddr = iph->saddr;
		flow.saddr = rpfilter_get_saddr(iph->daddr);

net/ipv4/netfilter/nft_fib_ipv4.c

+7 −6

Original line number	Diff line number	Diff line
		@@ -101,13 +101,14 @@ void nft_fib4_eval(const struct nft_expr expr, struct nft_regs regs,
		}

		iph = ip_hdr(pkt->skb);
		if (ipv4_is_multicast(iph->daddr) &&
		ipv4_is_zeronet(iph->saddr) &&
		if (ipv4_is_zeronet(iph->saddr)) {
		if (ipv4_is_lbcast(iph->daddr) \|\|
		ipv4_is_local_multicast(iph->daddr)) {
		nft_fib_store_result(dest, priv->result, pkt,
		get_ifindex(pkt->skb->dev));
		return;
		}
		}

		if (priv->flags & NFTA_FIB_F_MARK)
		fl4.flowi4_mark = pkt->skb->mark;