
Commit 3a9ae06

netfilter: nft_fwd_netdev: Support egress hook
jira LE-1907 Rebuild_History Non-Buildable kernel-5.14.0-284.30.1.el9_2 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit f87b946 Allow packet redirection to another interface upon egress. [lukas: set skb_iif, add commit message, original patch from Pablo. ] Signed-off-by: Lukas Wunner <lukas@wunner.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit f87b946) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
1 parent aa1059f commit 3a9ae06


1 file changed

+5
-2
lines changed


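--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -27,9 +27,11 @@ static void nft_fwd_netdev_eval(const struct nft_expr *expr,
 {
 struct nft_fwd_netdev *priv = nft_expr_priv(expr);
 int oif = regs->data[priv->sreg_dev];
+struct sk_buff *skb = pkt->skb;
 
 /* This is used by ifb only. */
-skb_set_redirected(pkt->skb, true);
+skb->skb_iif = skb->dev->ifindex;
+skb_set_redirected(skb, nft_hook(pkt) == NF_NETDEV_INGRESS);
 
 nf_fwd_netdev_egress(pkt, oif);
 regs->verdict.code = NF_STOLEN;
@@ -203,7 +205,8 @@ static int nft_fwd_validate(const struct nft_ctx *ctx,
 const struct nft_expr *expr,
 const struct nft_data **data)
 {
-return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS));
+return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS) |
+(1 << NF_NETDEV_EGRESS));
 }
 
 static struct nft_expr_type nft_fwd_netdev_type;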
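Review bot: Accepting `NF_NETDEV_EGRESS` in nft_fwd_validate lets nft_fwd_netdev_eval run on the transmit path, and nothing visible in either hunk bounds re-entry if the packet handed to `nf_fwd_netdev_egress(pkt, oif)` reaches another egress chain that forwards it again. That helper is defined outside this file, so it is worth confirming that it enforces a recursion limit (for example a per-CPU depth counter that drops the skb past a small bound), since a forwarding loop between two devices would otherwise recurse in the transmit path. Separately, the comment `/* This is used by ifb only. */` now sits directly above the new `skb->skb_iif` assignment rather than the `skb_set_redirected()` call it described; moving it down one line, or rewording it to something like `/* Record the device the packet was seen on; the redirected flag is used by ifb only. */`, would keep it accurate. The signature and closing brace of nft_fwd_netdev_eval lie outside the first hunk.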
