linux/net/ipv6
Liping Zhang d1a6cba576 netfilter: nft_chain_route: re-route before skb is queued to userspace
Imagine such situation, user add the following nft rules, and queue
the packets to userspace for further check:
  # ip rule add fwmark 0x0/0x1 lookup eth0
  # ip rule add fwmark 0x1/0x1 lookup eth1
  # nft add table filter
  # nft add chain filter output {type route hook output priority 0 \;}
  # nft add rule filter output mark set 0x1
  # nft add rule filter output queue num 0

But after we reinject the skbuff, the packet will be sent via the
wrong route, i.e. in this case, the packet will be routed via eth0
table, not eth1 table. Because we skip to do re-route when verdict
is NF_QUEUE, even if the mark was changed.

Acctually, we should not touch sk_buff if verdict is NF_DROP or
NF_STOLEN, and when re-route fails, return NF_DROP with error code.
This is consistent with the mangle table in iptables.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-09-06 18:02:37 +02:00
..
ila ila: Fix checksum neutral mapping 2016-06-15 21:40:00 -07:00
netfilter netfilter: nft_chain_route: re-route before skb is queued to userspace 2016-09-06 18:02:37 +02:00
addrconf_core.c
addrconf.c netconf: add a notif when settings are created 2016-09-01 15:18:08 -07:00
addrlabel.c
af_inet6.c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2016-07-29 17:38:46 -07:00
ah6.c
anycast.c
calipso.c calipso: fix resource leak on calipso_genopt failure 2016-08-13 14:56:17 -07:00
datagram.c sock: propagate __sock_cmsg_send() error 2016-05-16 13:46:23 -04:00
esp6.c
exthdrs_core.c ipv6: constify the skb pointer of ipv6_find_tlv(). 2016-06-27 15:06:15 -04:00
exthdrs_offload.c
exthdrs.c Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next 2016-07-07 10:15:34 +10:00
fib6_rules.c net: Add l3mdev rule 2016-06-08 11:36:02 -07:00
fou6.c fou: add Kconfig options for IPv6 support 2016-05-29 22:24:21 -07:00
icmp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-06-30 05:03:36 -04:00
inet6_connection_sock.c soreuseport: fast reuseport TCP socket selection 2016-02-11 03:54:15 -05:00
inet6_hashtables.c net: rename NET_{ADD|INC}_STATS_BH() 2016-04-27 22:48:24 -04:00
ip6_checksum.c ipv6: fix checksum annotation in udp6_csum_init 2016-06-14 15:26:42 -04:00
ip6_fib.c ipv6: Fix mem leak in rt6i_pcpu 2016-07-05 14:09:23 -07:00
ip6_flowlabel.c ipv6: add new struct ipcm6_cookie 2016-05-03 16:08:14 -04:00
ip6_gre.c gre: set inner_protocol on xmit 2016-08-15 13:37:12 -07:00
ip6_icmp.c ipv6: icmp: add a force_saddr param to icmp6_send() 2016-06-18 22:11:38 -07:00
ip6_input.c net: vrf: ipv6 support for local traffic to local addresses 2016-06-08 00:25:38 -07:00
ip6_offload.c ip4ip6: Support for GSO/GRO 2016-05-20 18:03:17 -04:00
ip6_offload.h udp: Add GRO functions to UDP socket 2016-04-07 16:53:29 -04:00
ip6_output.c net: vrf: Implement get_saddr for IPv6 2016-06-17 21:25:29 -07:00
ip6_tunnel.c ipv6: Don't unset flowi6_proto in ipxip6_tnl_xmit() 2016-09-01 23:41:24 -07:00
ip6_udp_tunnel.c ip_tunnel: add support for setting flow label via collect metadata 2016-03-11 15:14:26 -05:00
ip6_vti.c net: replace dst_cache ip6_tunnel implementation with the generic one 2016-02-16 20:21:48 -05:00
ip6mr.c net: ipmr/ip6mr: update lastuse on entry change 2016-07-26 15:18:31 -07:00
ipcomp6.c
ipv6_sockglue.c Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next 2016-07-07 10:15:34 +10:00
Kconfig fou: fix IPv6 Kconfig options 2016-05-31 14:07:49 -07:00
Makefile Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next 2016-07-07 10:15:34 +10:00
mcast_snoop.c
mcast.c mld, igmp: Fix reserved tailroom calculation 2016-03-03 15:41:07 -05:00
mip6.c
ndisc.c ipv6: export several functions 2016-06-15 20:41:23 -07:00
netfilter.c
output_core.c
ping.c net: ipv6: Fix ping to link-local addresses. 2016-08-15 12:19:09 -07:00
proc.c
protocol.c
raw.c ipv6: use TOS marks from sockets for routing decision 2016-06-11 15:33:26 -07:00
reassembly.c ipv6: rename IP6_INC_STATS_BH() 2016-04-27 22:48:24 -04:00
route.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-06-30 05:03:36 -04:00
sit.c sit: support MPLS over IPv4 2016-07-09 17:45:56 -04:00
syncookies.c net: rename NET_{ADD|INC}_STATS_BH() 2016-04-27 22:48:24 -04:00
sysctl_net_ipv6.c calipso: Add a label cache. 2016-06-27 15:06:17 -04:00
tcp_ipv6.c tcp: properly scale window in tcp_v[46]_reqsk_send_ack() 2016-08-23 16:55:49 -07:00
tcpv6_offload.c
tunnel6.c
udp_impl.h
udp_offload.c gso: Remove arbitrary checks for unsupported GSO 2016-05-20 18:03:15 -04:00
udp.c udp: get rid of SLAB_DESTROY_BY_RCU allocations 2016-08-23 17:46:17 -07:00
udplite.c udp: get rid of SLAB_DESTROY_BY_RCU allocations 2016-08-23 17:46:17 -07:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c net: xfrm: fix old-style declaration 2016-06-16 22:06:30 -07:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c