linux/net/ipv6
Liping Zhang 6443ebc3fd netfilter: rpfilter: fix incorrect loopback packet judgment
Currently, we check the existing rtable in PREROUTING hook, if RTCF_LOCAL
is set, we assume that the packet is loopback.

But this assumption is incorrect, for example, a packet encapsulated
in ipsec transport mode was received and routed to local, after
decapsulation, it would be delivered to local again, and the rtable
was not dropped, so RTCF_LOCAL check would trigger. But actually, the
packet was not loopback.

So for these normal loopback packets, we can check whether the in device
is IFF_LOOPBACK or not. For these locally generated broadcast/multicast,
we can check whether the skb->pkt_type is PACKET_LOOPBACK or not.

Finally, there's a subtle difference between nft fib expr and xtables
rpfilter extension, user can add the following nft rule to do strict
rpfilter check:
  # nft add rule x y meta iif eth0 fib saddr . iif oif != eth0 drop

So when the packet is loopback, it's better to store the in device
instead of the LOOPBACK_IFINDEX, otherwise, after adding the above
nft rule, locally generated broad/multicast packets will be dropped
incorrectly.

Fixes: f83a7ea207 ("netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too")
Fixes: f6d0cbcf09 ("netfilter: nf_tables: add fib expression")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-01-16 14:23:01 +01:00
..
ila
netfilter netfilter: rpfilter: fix incorrect loopback packet judgment 2017-01-16 14:23:01 +01:00
addrconf_core.c
addrconf.c ipv6 addrconf: Implemented enhanced DAD (RFC7527) 2016-12-03 23:21:37 -05:00
addrlabel.c
af_inet6.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
ah6.c
anycast.c
calipso.c
datagram.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
esp6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-12-03 12:29:53 -05:00
exthdrs_core.c
exthdrs_offload.c
exthdrs.c ktime: Get rid of the union 2016-12-25 17:21:22 +01:00
fib6_rules.c
fou6.c
icmp.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
inet6_connection_sock.c inet: Fix get port to handle zero port number with soreuseport set 2016-12-17 11:13:19 -05:00
inet6_hashtables.c
ip6_checksum.c
ip6_fib.c
ip6_flowlabel.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
ip6_gre.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
ip6_icmp.c
ip6_input.c
ip6_offload.c ip6_offload: check segs for NULL in ipv6_gso_segment. 2016-12-02 13:34:58 -05:00
ip6_offload.h
ip6_output.c ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output 2016-12-29 11:55:17 -05:00
ip6_tunnel.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
ip6_udp_tunnel.c
ip6_vti.c vti6: fix device register to report IFLA_INFO_KIND 2017-01-06 16:09:09 -05:00
ip6mr.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
ipcomp6.c
ipv6_sockglue.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
Kconfig ipv6: sr: add option to control lwtunnel support 2016-11-16 11:29:46 -05:00
Makefile ipv6: sr: add option to control lwtunnel support 2016-11-16 11:29:46 -05:00
mcast_snoop.c
mcast.c
mip6.c ktime: Get rid of ktime_equal() 2016-12-25 17:21:23 +01:00
ndisc.c ipv6 addrconf: Implemented enhanced DAD (RFC7527) 2016-12-03 23:21:37 -05:00
netfilter.c
output_core.c ipv6: Set skb->protocol properly for local output 2016-12-02 12:34:22 -05:00
ping.c
proc.c
protocol.c
raw.c ipv6: handle -EFAULT from skb_copy_bits 2016-12-23 12:20:39 -05:00
reassembly.c
route.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
seg6_hmac.c ipv6: sr: add core files for SR HMAC support 2016-11-09 20:40:06 -05:00
seg6_iptunnel.c ipv6: sr: add calls to verify and insert HMAC signatures 2016-11-09 20:40:06 -05:00
seg6.c ipv6: sr: add option to control lwtunnel support 2016-11-16 11:29:46 -05:00
sit.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
syncookies.c tcp: randomize tcp timestamp offsets for each connection 2016-12-02 12:49:59 -05:00
sysctl_net_ipv6.c
tcp_ipv6.c tcp: fix mark propagation with fwmark_reflect enabled 2017-01-09 18:01:03 +01:00
tcpv6_offload.c
tunnel6.c
udp_impl.h udplite: call proper backlog handlers 2016-11-24 15:32:14 -05:00
udp_offload.c
udp.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
udplite.c udplite: call proper backlog handlers 2016-11-24 15:32:14 -05:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00