On Tue, Mar 31, 2020 at 10:59:12AM +0200, Greg Kroah-Hartman wrote:
From: Pablo Neira Ayuso pablo@netfilter.org
commit bcfabee1afd99484b6ba067361b8678e28bbc065 upstream.
Set skb->tc_redirected to 1, otherwise the ifb driver drops the packet. Set skb->tc_from_ingress to 1 to reinject the packet back to the ingress path after leaving the ifb egress path.
This patch inconditionally sets on these two skb fields that are meaningful to the ifb driver. The existing forward action is guaranteed to run from ingress path.
Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family") Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
net/netfilter/nft_fwd_netdev.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/net/netfilter/nft_fwd_netdev.c +++ b/net/netfilter/nft_fwd_netdev.c @@ -28,6 +28,10 @@ static void nft_fwd_netdev_eval(const st struct nft_fwd_netdev *priv = nft_expr_priv(expr); int oif = regs->data[priv->sreg_dev];
- /* These are used by ifb only. */
- pkt->skb->tc_redirected = 1;
- pkt->skb->tc_from_ingress = 1;
This patch also requires:
2c64605b590e net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build
Otherwise build breaks with CONFIG_NET_CLS_ACT=n.
Thanks.