On Tue, Mar 31, 2020 at 12:16:03PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Mar 31, 2020 at 10:59:12AM +0200, Greg Kroah-Hartman wrote:
> > From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> >
> > commit bcfabee1afd99484b6ba067361b8678e28bbc065 upstream.
> >
> > Set skb->tc_redirected to 1, otherwise the ifb driver drops the packet.
> > Set skb->tc_from_ingress to 1 to reinject the packet back to the ingress
> > path after leaving the ifb egress path.
> >
> > This patch inconditionally sets on these two skb fields that are
> > meaningful to the ifb driver. The existing forward action is guaranteed
> > to run from ingress path.
> >
> > Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family")
> > Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> >
> > ---
> > net/netfilter/nft_fwd_netdev.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > --- a/net/netfilter/nft_fwd_netdev.c
> > +++ b/net/netfilter/nft_fwd_netdev.c
> > @@ -28,6 +28,10 @@ static void nft_fwd_netdev_eval(const st
> > struct nft_fwd_netdev *priv = nft_expr_priv(expr);
> > int oif = regs->data[priv->sreg_dev];
> >
> > + /* These are used by ifb only. */
> > + pkt->skb->tc_redirected = 1;
> > + pkt->skb->tc_from_ingress = 1;
>
> This patch also requires:
>
> 2c64605b590e net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build
>
> Otherwise build breaks with CONFIG_NET_CLS_ACT=n.
Thanks for the hint, will go do that now.
greg k-h
