
[nf-next] netfilter: nft_fwd_netdev: Support egress hook

Message ID af1325c0c71ad2786b7fba282a4b21c8fc0cf53c.1636461297.git.lukas@wunner.de
State Accepted
Delegated to: Pablo Neira

Commit Message

Lukas Wunner Nov. 9, 2021, 12:42 p.m. UTC
From: Pablo Neira Ayuso <pablo@netfilter.org>

Allow packet redirection to another interface upon egress.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[lukas: set skb_iif, add commit message]
Signed-off-by: Lukas Wunner <lukas@wunner.de>
---
 net/netfilter/nft_fwd_netdev.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

Pablo Neira Ayuso Nov. 30, 2021, 9:48 p.m. UTC | #1
Hi Lukas,

I'm sorry, I just noticed something below.

On Tue, Nov 09, 2021 at 01:42:01PM +0100, Lukas Wunner wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> Allow packet redirection to another interface upon egress.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> [lukas: set skb_iif, add commit message]
> Signed-off-by: Lukas Wunner <lukas@wunner.de>
> ---
>  net/netfilter/nft_fwd_netdev.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
> index cd59afde5b2f..fa9301ca6033 100644
> --- a/net/netfilter/nft_fwd_netdev.c
> +++ b/net/netfilter/nft_fwd_netdev.c
> @@ -27,9 +27,11 @@ static void nft_fwd_netdev_eval(const struct nft_expr *expr,
>  {
>  	struct nft_fwd_netdev *priv = nft_expr_priv(expr);
>  	int oif = regs->data[priv->sreg_dev];
> +	struct sk_buff *skb = pkt->skb;
>  
>  	/* This is used by ifb only. */
> -	skb_set_redirected(pkt->skb, true);
> +	skb->skb_iif = skb->dev->ifindex;

Probably good to set skb->skb_iif only for NF_NETDEV_EGRESS?

> +	skb_set_redirected(skb, nft_hook(pkt) == NF_NETDEV_INGRESS);
>  
>  	nf_fwd_netdev_egress(pkt, oif);
>  	regs->verdict.code = NF_STOLEN;
> @@ -198,7 +200,8 @@ static int nft_fwd_validate(const struct nft_ctx *ctx,
>  			    const struct nft_expr *expr,
>  			    const struct nft_data **data)
>  {
> -	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS));
> +	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS) |
> +						    (1 << NF_NETDEV_EGRESS));
>  }
>  
>  static struct nft_expr_type nft_fwd_netdev_type;
> -- 
> 2.33.0
>
Pablo Neira Ayuso Nov. 30, 2021, 10:35 p.m. UTC | #2
On Tue, Nov 30, 2021 at 10:48:44PM +0100, Pablo Neira Ayuso wrote:
> Hi Lukas,
> 
> I'm sorry, I just noticed something below.
> 
> On Tue, Nov 09, 2021 at 01:42:01PM +0100, Lukas Wunner wrote:
> > From: Pablo Neira Ayuso <pablo@netfilter.org>
> > 
> > Allow packet redirection to another interface upon egress.
> > 
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > [lukas: set skb_iif, add commit message]
> > Signed-off-by: Lukas Wunner <lukas@wunner.de>
> > ---
> >  net/netfilter/nft_fwd_netdev.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
> > index cd59afde5b2f..fa9301ca6033 100644
> > --- a/net/netfilter/nft_fwd_netdev.c
> > +++ b/net/netfilter/nft_fwd_netdev.c
> > @@ -27,9 +27,11 @@ static void nft_fwd_netdev_eval(const struct nft_expr *expr,
> >  {
> >  	struct nft_fwd_netdev *priv = nft_expr_priv(expr);
> >  	int oif = regs->data[priv->sreg_dev];
> > +	struct sk_buff *skb = pkt->skb;
> >  
> >  	/* This is used by ifb only. */
> > -	skb_set_redirected(pkt->skb, true);
> > +	skb->skb_iif = skb->dev->ifindex;
> 
> Probably good to set skb->skb_iif only for NF_NETDEV_EGRESS?

I just checked again: on ingress, skb->skb_iif == skb->dev->ifindex.

Applied to nf-next, thanks.

Patch

diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index cd59afde5b2f..fa9301ca6033 100644
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -27,9 +27,11 @@  static void nft_fwd_netdev_eval(const struct nft_expr *expr,
 {
 	struct nft_fwd_netdev *priv = nft_expr_priv(expr);
 	int oif = regs->data[priv->sreg_dev];
+	struct sk_buff *skb = pkt->skb;
 
 	/* This is used by ifb only. */
-	skb_set_redirected(pkt->skb, true);
+	skb->skb_iif = skb->dev->ifindex;
+	skb_set_redirected(skb, nft_hook(pkt) == NF_NETDEV_INGRESS);
 
 	nf_fwd_netdev_egress(pkt, oif);
 	regs->verdict.code = NF_STOLEN;
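Review bot: The `/* This is used by ifb only. */` comment now sits above the new `skb->skb_iif = skb->dev->ifindex;` line rather than the skb_set_redirected() call it was written for, and neither new line says why the redirected flag is now set only when `nft_hook(pkt) == NF_NETDEV_INGRESS`. I would move the existing comment down onto the skb_set_redirected() line and give the assignment its own one-liner, e.g. `/* Record the device the packet is forwarded from; presumably consumed by ifb — confirm. */`, plus a short sentence on the ingress-only condition so the next reader does not have to reconstruct it from the commit thread. The assignment also dereferences `skb->dev` unconditionally; that looks safe for netdev-family hooks, but a comment stating that assumption would make the invariant explicit. nft_fwd_netdev_eval's signature and closing brace are both outside the hunk.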
@@ -198,7 +200,8 @@  static int nft_fwd_validate(const struct nft_ctx *ctx,
 			    const struct nft_expr *expr,
 			    const struct nft_data **data)
 {
-	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS));
+	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS) |
+						    (1 << NF_NETDEV_EGRESS));
 }
 
 static struct nft_expr_type nft_fwd_netdev_type;