On Thu, Mar 31, 2022 at 05:14:47PM +0200, Pablo Neira Ayuso wrote:
> If policy-based routing using the iif selector is used, then the fib
> expression fails to look up for the reverse path from the prerouting
> hook because the input interface cannot be inferred. In order to support
> this scenario, extend the fib expression to allow to use after the route
> lookup, from the input and forward hooks.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> v2: allow to use it from the input hook too.
This is for usability reasons.
For this use-case, you have to move the rule from prerouting to
forward.
So if you still want to perform the reverse path check for the input
case, you have to add a rule there.
Simplify allowing input if sufficient, in this case flowi4_iif with
loopback is fine.
I'll send a v3 amending the description to detail why input is needed
(for different reasons).
> net/ipv4/netfilter/nft_fib_ipv4.c | 4 ++++
> net/ipv6/netfilter/nft_fib_ipv6.c | 4 ++++
> net/netfilter/nft_fib.c | 4 ++++
> 3 files changed, 12 insertions(+)
>
> diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c
> index 4151eb1262dd..b75cac69bd7e 100644
> --- a/net/ipv4/netfilter/nft_fib_ipv4.c
> +++ b/net/ipv4/netfilter/nft_fib_ipv4.c
> @@ -112,6 +112,10 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
> fl4.daddr = iph->daddr;
> fl4.saddr = get_saddr(iph->saddr);
> } else {
> + if (nft_hook(pkt) == NF_INET_FORWARD &&
So there is no need to add NF_INET_LOCAL_IN here.
> + priv->flags & NFTA_FIB_F_IIF)
> + fl4.flowi4_iif = nft_out(pkt)->ifindex;
> +
> fl4.daddr = iph->saddr;
> fl4.saddr = get_saddr(iph->daddr);
> }
> diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
> index b3f163b40c2b..8970d0b4faeb 100644
> --- a/net/ipv6/netfilter/nft_fib_ipv6.c
> +++ b/net/ipv6/netfilter/nft_fib_ipv6.c
> @@ -30,6 +30,10 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
> fl6->daddr = iph->daddr;
> fl6->saddr = iph->saddr;
> } else {
> + if (nft_hook(pkt) == NF_INET_FORWARD &&
> + priv->flags & NFTA_FIB_F_IIF)
> + fl6->flowi6_iif = nft_out(pkt)->ifindex;
> +
> fl6->daddr = iph->saddr;
> fl6->saddr = iph->daddr;
> }
> diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c
> index f198f2d9ef90..1f12d7ade606 100644
> --- a/net/netfilter/nft_fib.c
> +++ b/net/netfilter/nft_fib.c
> @@ -35,6 +35,10 @@ int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
> case NFT_FIB_RESULT_OIF:
> case NFT_FIB_RESULT_OIFNAME:
> hooks = (1 << NF_INET_PRE_ROUTING);
> + if (priv->flags & NFTA_FIB_F_IIF) {
> + hooks |= (1 << NF_INET_LOCAL_IN) |
> + (1 << NF_INET_FORWARD);
> + }
> break;
> case NFT_FIB_RESULT_ADDRTYPE:
> if (priv->flags & NFTA_FIB_F_IIF)
> --
> 2.30.2
>
