Date:   Tue, 31 Mar 2020 12:16:03 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        netfilter-devel@...r.kernel.org
Subject: Re: [PATCH 5.5 138/170] netfilter: nft_fwd_netdev: allow to redirect
 to ifb via ingress

On Tue, Mar 31, 2020 at 10:59:12AM +0200, Greg Kroah-Hartman wrote:
> From: Pablo Neira Ayuso <pablo@...filter.org>
> 
> commit bcfabee1afd99484b6ba067361b8678e28bbc065 upstream.
> 
> Set skb->tc_redirected to 1, otherwise the ifb driver drops the packet.
> Set skb->tc_from_ingress to 1 to reinject the packet back to the ingress
> path after leaving the ifb egress path.
> 
> This patch unconditionally sets these two skb fields that are
> meaningful to the ifb driver. The existing forward action is guaranteed
> to run from ingress path.
> 
> Fixes: 39e6dea28adc ("netfilter: nf_tables: add forward expression to the netdev family")
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> 
> ---
>  net/netfilter/nft_fwd_netdev.c |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> --- a/net/netfilter/nft_fwd_netdev.c
> +++ b/net/netfilter/nft_fwd_netdev.c
> @@ -28,6 +28,10 @@ static void nft_fwd_netdev_eval(const st
>  	struct nft_fwd_netdev *priv = nft_expr_priv(expr);
>  	int oif = regs->data[priv->sreg_dev];
>  
> +	/* These are used by ifb only. */
> +	pkt->skb->tc_redirected = 1;
> +	pkt->skb->tc_from_ingress = 1;
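
Review bot: the two added assignments to pkt->skb->tc_redirected and pkt->skb->tc_from_ingress sit in nft_fwd_netdev_eval() with no config guard, so this backport only builds where those skb fields exist in every configuration that compiles nft_fwd_netdev.c. The reply that follows reports a build break with CONFIG_NET_CLS_ACT=n unless 2c64605b590e is also applied, so the two commits should be queued together for 5.5. The comment "These are used by ifb only" could also state why setting the fields unconditionally is safe, namely that this forward action only runs from the ingress path, as the commit message says.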

This patch also requires:

2c64605b590e net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build

Otherwise build breaks with CONFIG_NET_CLS_ACT=n.

Thanks.
