diff options
author | Phil Sutter | 2023-02-16 17:05:36 +0100 |
---|---|---|
committer | Greg Kroah-Hartman | 2023-03-11 13:55:24 +0100 |
commit | 8291cfdfa6cd5eacfe1a5ba81b1a8cea4f086366 (patch) | |
tree | f3fe2390db7604a4c3a21a95c1b1fd51eb7969a8 /net/ipv6 | |
parent | 1fd3c69f6511cc0785d5f5f828a5c095d74df69f (diff) |
netfilter: ip6t_rpfilter: Fix regression with VRF interfaces
[ Upstream commit efb056e5f1f0036179b2f92c1c15f5ea7a891d70 ]
When calling ip6_route_lookup() for the packet arriving on the VRF
interface, the result is always the real (slave) interface. Expect this
when validating the result.
Fixes: acc641ab95b66 ("netfilter: rpfilter/fib: Populate flowic_l3mdev field")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/ipv6')
-rw-r--r-- | net/ipv6/netfilter/ip6t_rpfilter.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c index a01d9b842bd0..67c87a88cde4 100644 --- a/net/ipv6/netfilter/ip6t_rpfilter.c +++ b/net/ipv6/netfilter/ip6t_rpfilter.c @@ -72,7 +72,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, goto out; } - if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE)) + if (rt->rt6i_idev->dev == dev || + l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == dev->ifindex || + (flags & XT_RPFILTER_LOOSE)) ret = true; out: ip6_rt_put(rt); |