git.baikalelectronics.ru Git - kernel.git/commit

author	Liping Zhang <liping.zhang@spreadtrum.com>
	Tue, 6 Sep 2016 14:31:02 +0000 (22:31 +0800)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Tue, 6 Sep 2016 16:02:37 +0000 (18:02 +0200)
commit	1b25f5f77934d50d648a42083d92dbf9704c2b2a
tree	f587b5b46936d84c4bcd12ac4b314cbafaa6381b	tree \| snapshot
parent	81ee3127efb255e257f2c4016514f3378a4b2f85	commit \| diff

netfilter: nft_chain_route: re-route before skb is queued to userspace

Imagine such situation, user add the following nft rules, and queue
the packets to userspace for further check:
  # ip rule add fwmark 0x0/0x1 lookup eth0
  # ip rule add fwmark 0x1/0x1 lookup eth1
  # nft add table filter
  # nft add chain filter output {type route hook output priority 0 \;}
  # nft add rule filter output mark set 0x1
  # nft add rule filter output queue num 0

But after we reinject the skbuff, the packet will be sent via the
wrong route, i.e. in this case, the packet will be routed via eth0
table, not eth1 table. Because we skip to do re-route when verdict
is NF_QUEUE, even if the mark was changed.

Acctually, we should not touch sk_buff if verdict is NF_DROP or
NF_STOLEN, and when re-route fails, return NF_DROP with error code.
This is consistent with the mangle table in iptables.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/ipv4/netfilter/nft_chain_route_ipv4.c		diff \| blob \| history
net/ipv6/netfilter/nft_chain_route_ipv6.c		diff \| blob \| history