Re: [PATCH nf-next] netfilter: nft_fwd_netdev: Support egress hook

Hi Lukas,

I'm sorry, I just noticed something below.

On Tue, Nov 09, 2021 at 01:42:01PM +0100, Lukas Wunner wrote:
> From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> 
> Allow packet redirection to another interface upon egress.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> [lukas: set skb_iif, add commit message]
> Signed-off-by: Lukas Wunner <lukas@xxxxxxxxx>
> ---
>  net/netfilter/nft_fwd_netdev.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
> index cd59afde5b2f..fa9301ca6033 100644
> --- a/net/netfilter/nft_fwd_netdev.c
> +++ b/net/netfilter/nft_fwd_netdev.c
> @@ -27,9 +27,11 @@ static void nft_fwd_netdev_eval(const struct nft_expr *expr,
>  {
>  	struct nft_fwd_netdev *priv = nft_expr_priv(expr);
>  	int oif = regs->data[priv->sreg_dev];
> +	struct sk_buff *skb = pkt->skb;
>  
>  	/* This is used by ifb only. */
> -	skb_set_redirected(pkt->skb, true);
> +	skb->skb_iif = skb->dev->ifindex;

Probably good to set skb->skb_iif only for NF_NETDEV_EGRESS?

> +	skb_set_redirected(skb, nft_hook(pkt) == NF_NETDEV_INGRESS);
>  
>  	nf_fwd_netdev_egress(pkt, oif);
>  	regs->verdict.code = NF_STOLEN;
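Review bot: the new `+	skb->skb_iif = skb->dev->ifindex;` store is unconditional, while the `skb_set_redirected(skb, nft_hook(pkt) == NF_NETDEV_INGRESS)` line directly below it does distinguish the two hooks, so on an ingress chain the rule overwrites whatever skb_iif already held and on an egress chain it records the outgoing device as the input interface; as the inline question above suggests, gate the assignment on `nft_hook(pkt) == NF_NETDEV_EGRESS` so the ingress path is left untouched. Two smaller points: the comment `/* This is used by ifb only. */` now sits above the skb_iif store rather than the skb_set_redirected() call it describes and should move back below the new line, and the commit message should state why skb_iif has to be set for the egress case at all (the `[lukas: set skb_iif, add commit message]` tag records that it was added but not the reason).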
> @@ -198,7 +200,8 @@ static int nft_fwd_validate(const struct nft_ctx *ctx,
>  			    const struct nft_expr *expr,
>  			    const struct nft_data **data)
>  {
> -	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS));
> +	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS) |
> +						    (1 << NF_NETDEV_EGRESS));
>  }
>  
>  static struct nft_expr_type nft_fwd_netdev_type;
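Review bot: the widened mask makes `nft_fwd_validate()` accept chains attached to NF_NETDEV_EGRESS, but the hunk does not show which expression types in this file use that callback; the first hunk only adapts `nft_fwd_netdev_eval()`, so if `nft_fwd_validate` is shared with any other type, that type's eval path must also be checked for egress before the restriction is relaxed for it. The commit message should also say explicitly that fwd is now permitted on egress chains and that behaviour on ingress chains is unchanged.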
> -- 
> 2.33.0
> 


