linux/net/ipv6/netfilter
Liping Zhang 6443ebc3fd netfilter: rpfilter: fix incorrect loopback packet judgment
Currently, we check the existing rtable in the PREROUTING hook; if RTCF_LOCAL
is set, we assume that the packet is loopback.

But this assumption is incorrect. For example, a packet encapsulated
in IPsec transport mode was received and routed to local; after
decapsulation, it would be delivered to local again, and the rtable
was not dropped, so the RTCF_LOCAL check would trigger. But actually, the
packet was not loopback.

So for these normal loopback packets, we can check whether the in device
is IFF_LOOPBACK or not. For these locally generated broadcast/multicast packets,
we can check whether skb->pkt_type is PACKET_LOOPBACK or not.

Finally, there's a subtle difference between the nft fib expr and the xtables
rpfilter extension: a user can add the following nft rule to do a strict
rpfilter check:
  # nft add rule x y meta iif eth0 fib saddr . iif oif != eth0 drop

So when the packet is loopback, it's better to store the in device
instead of the LOOPBACK_IFINDEX; otherwise, after adding the above
nft rule, locally generated broadcast/multicast packets will be dropped
incorrectly.

Fixes: f83a7ea207 ("netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too")
Fixes: f6d0cbcf09 ("netfilter: nf_tables: add fib expression")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-01-16 14:23:01 +01:00
ip6_tables.c Replace <asm/uaccess.h> with <linux/uaccess.h> globally 2016-12-24 11:46:01 -08:00
ip6t_ah.c netfilter: ip6_tables: add flags parameter to ipv6_find_hdr() 2012-05-09 12:53:47 +02:00
ip6t_eui64.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ip6t_frag.c netfilter: ip6_tables: add flags parameter to ipv6_find_hdr() 2012-05-09 12:53:47 +02:00
ip6t_hbh.c netfilter: ip6_tables: add flags parameter to ipv6_find_hdr() 2012-05-09 12:53:47 +02:00
ip6t_ipv6header.c netfilter: remove unnecessary break after return 2014-07-15 16:27:00 -07:00
ip6t_MASQUERADE.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
ip6t_mh.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ip6t_NPT.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-04-07 18:37:01 -04:00
ip6t_REJECT.c netfilter: x_tables: move hook state into xt_action_param structure 2016-11-03 10:56:21 +01:00
ip6t_rpfilter.c netfilter: rpfilter: fix incorrect loopback packet judgment 2017-01-16 14:23:01 +01:00
ip6t_rt.c netfilter: ip6_tables: add flags parameter to ipv6_find_hdr() 2012-05-09 12:53:47 +02:00
ip6t_SYNPROXY.c netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
ip6table_filter.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
ip6table_mangle.c netfilter: x_tables: simplify ip{6}table_mangle_hook() 2016-07-01 16:37:02 +02:00
ip6table_nat.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
ip6table_raw.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
ip6table_security.c netfilter: xtables: don't hook tables by default 2016-03-02 20:05:24 +01:00
Kconfig netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
Makefile netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
nf_conntrack_l3proto_ipv6.c netfilter: defrag: only register defrag functionality if needed 2016-12-06 21:42:00 +01:00
nf_conntrack_proto_icmpv6.c netfilter: Remove explicit rcu_read_lock in nf_hook_slow 2016-09-24 21:29:53 +02:00
nf_conntrack_reasm.c netfilter: ipv6: nf_defrag: drop mangled skb on ream error 2016-11-29 20:23:58 +01:00
nf_defrag_ipv6_hooks.c netfilter: defrag: only register defrag functionality if needed 2016-12-06 21:42:00 +01:00
nf_dup_ipv6.c netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags 2016-05-30 12:21:23 +02:00
nf_log_ipv6.c netfilter: nf_log: get rid of XT_LOG_* macros 2016-09-25 23:16:45 +02:00
nf_nat_l3proto_ipv6.c netfilter: Allow calling into nat helper without skb_dst. 2016-03-14 23:47:27 +01:00
nf_nat_masquerade_ipv6.c netfilter: conntrack: resched in nf_ct_iterate_cleanup 2016-02-01 00:15:26 +01:00
nf_nat_proto_icmpv6.c net: Change pseudohdr argument of inet_proto_csum_replace* to be a bool 2015-08-17 21:33:06 -07:00
nf_reject_ipv6.c netfilter: use fwmark_reflect in nf_send_reset 2017-01-09 18:01:03 +01:00
nf_socket_ipv6.c netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
nf_tables_ipv6.c netfilter: Add the missed return value check of nft_register_chain_type 2016-09-12 19:54:45 +02:00
nft_chain_nat_ipv6.c netfilter: Pass priv instead of nf_hook_ops to netfilter hooks 2015-09-18 22:00:16 +02:00
nft_chain_route_ipv6.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2016-09-25 23:34:19 +02:00
nft_dup_ipv6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-11-15 10:54:36 -05:00
nft_fib_ipv6.c netfilter: rpfilter: fix incorrect loopback packet judgment 2017-01-16 14:23:01 +01:00
nft_masq_ipv6.c netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions 2016-12-04 21:17:16 +01:00
nft_redir_ipv6.c netfilter: nf_tables: add conntrack dependencies for nat/masq/redir expressions 2016-12-04 21:17:16 +01:00
nft_reject_ipv6.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00