git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 28 Apr 2022 07:39:21 +0000 (09:39 +0200)
committer	Stefan Bader <stefan.bader@canonical.com>
	Wed, 22 Jun 2022 12:23:04 +0000 (14:23 +0200)
commit	19bc20a12e004165d116222adf83fa85b74022ce
tree	03af1f2193e89c60d8997e730664a903570fa306	tree
parent	56f2b0784eece8c95c88cfcf8ed4926cc6889bec	commit \| diff

netfilter: nft_socket: only do sk lookups when indev is available

BugLink: https://bugs.launchpad.net/bugs/1978234
commit 743b83f15d4069ea57c3e40996bf4a1077e0cdc1 upstream.

Check if the incoming interface is available and NFT_BREAK
in case neither skb->sk nor input device are set.

Because nf_sk_lookup_slow*() assume packet headers are in the
'in' direction, use in postrouting is not going to yield a meaningful
result. Same is true for the forward chain, so restrict the use
to prerouting, input and output.

Use in output work if a socket is already attached to the skb.

Fixes: 554ced0a6e29 ("netfilter: nf_tables: add support for native socket matching")
Reported-and-tested-by: Topi Miettinen <toiwoton@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>