git.baikalelectronics.ru Git - kernel.git/commit

author	Ido Schimmel <idosch@nvidia.com>
	Wed, 14 Apr 2021 08:20:32 +0000 (11:20 +0300)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sun, 18 Apr 2021 20:04:16 +0000 (22:04 +0200)
commit	007de9c9f1825b2eca40b318ca5d4c3f01046af7
tree	5c7385ce12cf10921f289c7e65ca809904208f99	tree \| snapshot
parent	1712046fcfc313c2e3f0cd434f4624b50c7d7b8a	commit \| diff

netfilter: Dissect flow after packet mangling

Netfilter tries to reroute mangled packets as a different route might
need to be used following the mangling. When this happens, netfilter
does not populate the IP protocol, the source port and the destination
port in the flow key. Therefore, FIB rules that match on these fields
are ignored and packets can be misrouted.

Solve this by dissecting the outer flow and populating the flow key
before rerouting the packet. Note that flow dissection only happens when
FIB rules that match on these fields are installed, so in the common
case there should not be a penalty.

Reported-by: Michal Soltys <msoltyspl@yandex.pl>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/ipv4/netfilter.c		diff \| blob \| history
net/ipv6/netfilter.c		diff \| blob \| history