On Mon, May 02, 2022 at 10:50:29PM +0200, Florian Westphal wrote:
> commit 743b83f15d4069ea57c3e40996bf4a1077e0cdc1 upstream.
>
> Check if the incoming interface is available and NFT_BREAK
> in case neither skb->sk nor input device are set.
>
> Because nf_sk_lookup_slow*() assume packet headers are in the
> 'in' direction, use in postrouting is not going to yield a meaningful
> result. Same is true for the forward chain, so restrict the use
> to prerouting, input and output.
>
> Use in output works if a socket is already attached to the skb.
>
> Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
> Reported-and-tested-by: Topi Miettinen <toiwoton@xxxxxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
>  net/netfilter/nft_socket.c | 52 ++++++++++++++++++++++++++++----------
>  1 file changed, 38 insertions(+), 14 deletions(-)
>

Now queued up, thanks for the backport.

greg k-h