]> git.dujemihanovic.xyz Git - linux.git/commitdiff
projects / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4e7aaa6)
netfilter: Use flowlabel flow key when re-routing mangled packets
authorFlorian Westphal <fw@strlen.de>
Thu, 6 Jun 2024 10:23:31 +0000 (12:23 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 11 Jun 2024 16:46:04 +0000 (18:46 +0200)
'ip6 dscp set $v' in an nftables outpute route chain has no effect.
While nftables does detect the dscp change and calls the reroute hook.
But ip6_route_me_harder never sets the dscp/flowlabel:
flowlabel/dsfield routing rules are ignored and no reroute takes place.

Thanks to Yi Chen for an excellent reproducer script that I used
to validate this change.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Yi Chen <yiche@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/ipv6/netfilter.c patch | blob | history

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 53d255838e6ab5f8ac4985c6d824966c3475ec97..5d989d803009f526838d1d8e7e76747548852d8d 100644 (file)
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -36,6 +36,7 @@ int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff
                .flowi6_uid = sock_net_uid(net, sk),
                .daddr = iph->daddr,
                .saddr = iph->saddr,
+               .flowlabel = ip6_flowinfo(iph),
        };
        int err;
 
Unnamed repository; edit this file 'description' to name the repository.