| Message ID | 1479910341-40744-2-git-send-email-zlpnobody@163.com |
|---|---|
| State | Accepted |
| Delegated to: | Pablo Neira |
| Headers | show |
Liping Zhang <zlpnobody@163.com> wrote: > From: Liping Zhang <zlpnobody@gmail.com> > > Otherwise, if fib lookup fail, *dest will be filled with garbage value, > so reverse path filtering will not work properly: > # nft add rule x prerouting fib saddr oif eq 0 drop > > Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression") > Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Acked-by: Florian Westphal <fw@strlen.de> -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Nov 23, 2016 at 10:12:21PM +0800, Liping Zhang wrote: > From: Liping Zhang <zlpnobody@gmail.com> > > Otherwise, if fib lookup fail, *dest will be filled with garbage value, > so reverse path filtering will not work properly: > # nft add rule x prerouting fib saddr oif eq 0 drop Also applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c index bfffa74..2581363 100644 --- a/net/ipv4/netfilter/nft_fib_ipv4.c +++ b/net/ipv4/netfilter/nft_fib_ipv4.c @@ -122,6 +122,8 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, fl4.saddr = get_saddr(iph->daddr); } + *dest = 0; + if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE)) return;