git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Vincent Bernat <vincent@bernat.im>
	Sun, 20 May 2018 11:03:38 +0000 (13:03 +0200)
committer	Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	Mon, 14 Jan 2019 09:28:55 +0000 (09:28 +0000)
commit	a858bb28dcb30932271c46db3615a50075c1fba9
tree	fec07f14cae8e3e04a127ff04cb5fdf584205ef0	tree
parent	084df302accb54dab7fef56dd6daac98de858acf	commit \| diff

netfilter: ip6t_rpfilter: provide input interface for route lookup

BugLink: http://bugs.launchpad.net/bugs/1808185
commit cede24d1b21d68d84ac5a36c44f7d37daadcc258 upstream.

In commit 47b7e7f82802, this bit was removed at the same time the
RT6_LOOKUP_F_IFACE flag was removed. However, it is needed when
link-local addresses are used, which is a very common case: when
packets are routed, neighbor solicitations are done using link-local
addresses. For example, the following neighbor solicitation is not
matched by "-m rpfilter":

IP6 fe80::5254:33ff:fe00:1 > ff02::1:ff00:3: ICMP6, neighbor
solicitation, who has 2001:db8::5254:33ff:fe00:3, length 32

Commit 47b7e7f82802 doesn't quite explain why we shouldn't use
RT6_LOOKUP_F_IFACE in the rpfilter case. I suppose the interface check
later in the function would make it redundant. However, the remaining
of the routing code is using RT6_LOOKUP_F_IFACE when there is no
source address (which matches rpfilter's case with a non-unicast
destination, like with neighbor solicitation).

Signed-off-by: Vincent Bernat <vincent@bernat.im>
Fixes: 47b7e7f82802 ("netfilter: don't set F_IFACE on ipv6 fib lookups")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>