netfilter: nft_socket: only do sk lookups when indev is available - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Florian Westphal <fw@strlen.de>	2022-04-28 09:39:21 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2022-04-28 16:15:23 +0200
commit	743b83f15d4069ea57c3e40996bf4a1077e0cdc1 (patch)
tree	9c5101d16e4a843aa728f348667bfe3a13c495cf /net/bpfilter
parent	626873c446f7559d5af8b48cefad903ffd85cf4e (diff)
download	linux-743b83f15d4069ea57c3e40996bf4a1077e0cdc1.tar.bz2

netfilter: nft_socket: only do sk lookups when indev is available

Check if the incoming interface is available and NFT_BREAK in case neither skb->sk nor input device are set. Because nf_sk_lookup_slow*() assume packet headers are in the 'in' direction, use in postrouting is not going to yield a meaningful result. Same is true for the forward chain, so restrict the use to prerouting, input and output. Use in output work if a socket is already attached to the skb. Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching") Reported-and-tested-by: Topi Miettinen <toiwoton@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'net/bpfilter')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: