Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: nft_fib: allow from forward/input without iif selector

This removes the restriction of needing iif selector in the
forward/input hooks for fib lookups when requested result is
oif/oifname.

Removing this restriction allows "loose" lookups from the forward hooks.

Fixes: be8be04e5ddb ("netfilter: nft_fib: reverse path filter for policy-based routing on iif")
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Authored by Eric Garver and committed by Pablo Neira Ayuso
e8ded22e 21a673bd

+3 -5
net/netfilter/nft_fib.c
··· 35 35 switch (priv->result) { 36 36 case NFT_FIB_RESULT_OIF: 37 37 case NFT_FIB_RESULT_OIFNAME: 38 - hooks = (1 << NF_INET_PRE_ROUTING); 39 - if (priv->flags & NFTA_FIB_F_IIF) { 40 - hooks |= (1 << NF_INET_LOCAL_IN) | 41 - (1 << NF_INET_FORWARD); 42 - } 38 + hooks = (1 << NF_INET_PRE_ROUTING) | 39 + (1 << NF_INET_LOCAL_IN) | 40 + (1 << NF_INET_FORWARD); 43 41 break; 44 42 case NFT_FIB_RESULT_ADDRTYPE: 45 43 if (priv->flags & NFTA_FIB_F_IIF)
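
Review bot: In the NFT_FIB_RESULT_OIF / NFT_FIB_RESULT_OIFNAME case the hook mask no longer depends on priv->flags at all, while the NFT_FIB_RESULT_ADDRTYPE case directly below still branches on NFTA_FIB_F_IIF, so the asymmetry needs a short comment above `hooks = (1 << NF_INET_PRE_ROUTING) |` saying that oif/oifname results are deliberately valid in LOCAL_IN and FORWARD without the iif selector, and that such a lookup is the "loose" one the commit message mentions and not an interface-bound reverse-path check. Only the validation mask is visible in this hunk, so it is also worth confirming in review that the eval path for these two result types behaves sensibly when NFTA_FIB_F_IIF is unset in the newly permitted hooks.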