netfilter: nft_fwd_netdev: allow to redirect to ifb via ingress
commitbcfabee1afupstream. Set skb->tc_redirected to 1, otherwise the ifb driver drops the packet. Set skb->tc_from_ingress to 1 to reinject the packet back to the ingress path after leaving the ifb egress path. This patch inconditionally sets on these two skb fields that are meaningful to the ifb driver. The existing forward action is guaranteed to run from ingress path. Fixes:39e6dea28a("netfilter: nf_tables: add forward expression to the netdev family") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Pablo Neira Ayuso
Greg Kroah-Hartman
parent
5be3b97a1f
commit
6734a326cb
|
|
@ -28,6 +28,10 @@ static void nft_fwd_netdev_eval(const struct nft_expr *expr,
|
||||||
struct nft_fwd_netdev *priv = nft_expr_priv(expr);
|
struct nft_fwd_netdev *priv = nft_expr_priv(expr);
|
||||||
int oif = regs->data[priv->sreg_dev];
|
int oif = regs->data[priv->sreg_dev];
|
||||||
|
|
||||||
|
/* These are used by ifb only. */
|
||||||
|
pkt->skb->tc_redirected = 1;
|
||||||
|
pkt->skb->tc_from_ingress = 1;
|
||||||
|
|
||||||
nf_fwd_netdev_egress(pkt, oif);
|
nf_fwd_netdev_egress(pkt, oif);
|
||||||
regs->verdict.code = NF_STOLEN;
|
regs->verdict.code = NF_STOLEN;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue