On Mon, May 02, 2022 at 10:50:29PM +0200, Florian Westphal wrote:
> commit 743b83f15d4069ea57c3e40996bf4a1077e0cdc1 upstream.
>
> Check if the incoming interface is available and NFT_BREAK in case neither skb->sk nor input device are set.
>
> Because nf_sk_lookup_slow*() assume packet headers are in the 'in' direction, use in postrouting is not going to yield a meaningful result. Same is true for the forward chain, so restrict the use to prerouting, input and output.
>
> Use in output works if a socket is already attached to the skb.
>
> Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
> Reported-and-tested-by: Topi Miettinen <toiwoton@gmail.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>  net/netfilter/nft_socket.c | 52 ++++++++++++++++++++++++++++----------
>  1 file changed, 38 insertions(+), 14 deletions(-)
Now queued up, thanks for the backport.
greg k-h