netfilter: nft_fib: allow from forward/input without iif selector

This removes the restriction of needing iif selector in the forward/input hooks for fib lookups when requested result is oif/oifname. Removing this restriction allows "loose" lookups from the forward hooks. Fixes: be8be04e ("netfilter: nft_fib: reverse path filter for policy-based routing on iif") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nft_fib: allow from forward/input without iif selector
This removes the restriction of needing iif selector in the forward/input hooks for fib lookups when requested result is oif/oifname. Removing this restriction allows "loose" lookups from the forward hooks. Fixes: be8be04e ("netfilter: nft_fib: reverse path filter for policy-based routing on iif") Signed-off-by: Eric Garver <eric@garver.life> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
e8ded22e · Eric Garver · Pablo Neira Ayuso · 21a673bd · e8ded22e
Commit e8ded22e authored May 21, 2024 by Eric Garver Committed by Pablo Neira Ayuso May 29, 2024
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 5 deletions

net/netfilter/nft_fib.c net/netfilter/nft_fib.c +3 -5

No files found.
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -35,11 +35,9 @@ int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
 	switch (priv->result) {
 	case NFT_FIB_RESULT_OIF:
 	case NFT_FIB_RESULT_OIFNAME:
-		hooks = (1 << NF_INET_PRE_ROUTING);
+		hooks = (1 << NF_INET_PRE_ROUTING) |
-		if (priv->flags & NFTA_FIB_F_IIF) {
+			(1 << NF_INET_LOCAL_IN) |
-			hooks |= (1 << NF_INET_LOCAL_IN) |
+			(1 << NF_INET_FORWARD);
-				 (1 << NF_INET_FORWARD);
-		}
 		break;
 	case NFT_FIB_RESULT_ADDRTYPE:
 		if (priv->flags & NFTA_FIB_F_IIF)