blob: c67249593e57d5c50fbc7c86625707e6863be421 [file] [log] [blame]
From 67b0ec166a40eb3d9769422ae62d39db3e8060b3 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 23 Mar 2020 19:53:10 +0100
Subject: [PATCH] netfilter: nft_fwd_netdev: allow to redirect to ifb via
ingress
commit bcfabee1afd99484b6ba067361b8678e28bbc065 upstream.
Set skb->tc_redirected to 1, otherwise the ifb driver drops the packet.
Set skb->tc_from_ingress to 1 to reinject the packet back to the ingress
path after leaving the ifb egress path.
This patch inconditionally sets on these two skb fields that are
meaningful to the ifb driver. The existing forward action is guaranteed
to run from ingress path.
Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index 51578cd0b0b7..2fe2d9d2016e 100644
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -27,6 +27,10 @@ static void nft_fwd_netdev_eval(const struct nft_expr *expr,
struct nft_fwd_netdev *priv = nft_expr_priv(expr);
int oif = regs->data[priv->sreg_dev];
+ /* These are used by ifb only. */
+ pkt->skb->tc_redirected = 1;
+ pkt->skb->tc_from_ingress = 1;
+
nf_fwd_netdev_egress(pkt, oif);
regs->verdict.code = NF_STOLEN;
}
--
2.7.4