netfilter: Support iif matches in POSTROUTING

Phil Sutter · ummakynes · commit 28f8bfd1ac94 · 2019-11-15T23:44:48.000+01:00
Instead of generally passing NULL to NF_HOOK_COND() for input device,
pass skb-&gt;dev which contains input device for routed skbs.

Note that iptables (both legacy and nft) reject rules with input
interface match from being added to POSTROUTING chains, but nftables
allows this.

Cc: Eric Garver &lt;eric@garver.life&gt;
Signed-off-by: Phil Sutter &lt;phil@nwl.cc&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
@@ -422,15 +422,15 @@ int ip_mc_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 
 int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
-	struct net_device *dev = skb_dst(skb)->dev;
+	struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;
 
 	IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len);
 
 	skb->dev = dev;
 	skb->protocol = htons(ETH_P_IP);
 
 	return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
-			    net, sk, skb, NULL, dev,
+			    net, sk, skb, indev, dev,
 			    ip_finish_output,
 			    !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
@@ -92,7 +92,7 @@ static int __xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
 	return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
-			    net, sk, skb, NULL, skb_dst(skb)->dev,
+			    net, sk, skb, skb->dev, skb_dst(skb)->dev,
 			    __xfrm4_output,
 			    !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
@@ -160,7 +160,7 @@ static int ip6_finish_output(struct net *net, struct sock *sk, struct sk_buff *s
 
 int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
-	struct net_device *dev = skb_dst(skb)->dev;
+	struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;
 	struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
 
 	skb->protocol = htons(ETH_P_IPV6);
@@ -173,7 +173,7 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 	}
 
 	return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
-			    net, sk, skb, NULL, dev,
+			    net, sk, skb, indev, dev,
 			    ip6_finish_output,
 			    !(IP6CB(skb)->flags & IP6SKB_REROUTED));
 }
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
@@ -187,7 +187,7 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
 	return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,
-			    net, sk, skb,  NULL, skb_dst(skb)->dev,
+			    net, sk, skb,  skb->dev, skb_dst(skb)->dev,
 			    __xfrm6_output,
 			    !(IP6CB(skb)->flags & IP6SKB_REROUTED));
 }

Original file line number	Diff line number	Diff line change
`@@ -422,15 +422,15 @@ int ip_mc_output(struct net net, struct sock sk, struct sk_buff *skb)`
`422`	`422`
`423`	`423`	`int ip_output(struct net net, struct sock sk, struct sk_buff *skb)`
`424`	`424`	`{`
`425`		`- struct net_device *dev = skb_dst(skb)->dev;`
	`425`	`+ struct net_device dev = skb_dst(skb)->dev, indev = skb->dev;`
`426`	`426`
`427`	`427`	`IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len);`
`428`	`428`
`429`	`429`	`skb->dev = dev;`
`430`	`430`	`skb->protocol = htons(ETH_P_IP);`
`431`	`431`
`432`	`432`	`return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,`
`433`		`- net, sk, skb, NULL, dev,`
	`433`	`+ net, sk, skb, indev, dev,`
`434`	`434`	`ip_finish_output,`
`435`	`435`	`!(IPCB(skb)->flags & IPSKB_REROUTED));`
`436`	`436`	`}`
Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ static int __xfrm4_output(struct net net, struct sock sk, struct sk_buff *skb)`
`92`	`92`	`int xfrm4_output(struct net net, struct sock sk, struct sk_buff *skb)`
`93`	`93`	`{`
`94`	`94`	`return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,`
`95`		`- net, sk, skb, NULL, skb_dst(skb)->dev,`
	`95`	`+ net, sk, skb, skb->dev, skb_dst(skb)->dev,`
`96`	`96`	`__xfrm4_output,`
`97`	`97`	`!(IPCB(skb)->flags & IPSKB_REROUTED));`
`98`	`98`	`}`
Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ static int ip6_finish_output(struct net net, struct sock sk, struct sk_buff *s`
`160`	`160`
`161`	`161`	`int ip6_output(struct net net, struct sock sk, struct sk_buff *skb)`
`162`	`162`	`{`
`163`		`- struct net_device *dev = skb_dst(skb)->dev;`
	`163`	`+ struct net_device dev = skb_dst(skb)->dev, indev = skb->dev;`
`164`	`164`	`struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));`
`165`	`165`
`166`	`166`	`skb->protocol = htons(ETH_P_IPV6);`
`@@ -173,7 +173,7 @@ int ip6_output(struct net net, struct sock sk, struct sk_buff *skb)`
`173`	`173`	`}`
`174`	`174`
`175`	`175`	`return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,`
`176`		`- net, sk, skb, NULL, dev,`
	`176`	`+ net, sk, skb, indev, dev,`
`177`	`177`	`ip6_finish_output,`
`178`	`178`	`!(IP6CB(skb)->flags & IP6SKB_REROUTED));`
`179`	`179`	`}`
Original file line number	Diff line number	Diff line change
`@@ -187,7 +187,7 @@ static int __xfrm6_output(struct net net, struct sock sk, struct sk_buff *skb)`
`187`	`187`	`int xfrm6_output(struct net net, struct sock sk, struct sk_buff *skb)`
`188`	`188`	`{`
`189`	`189`	`return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING,`
`190`		`- net, sk, skb, NULL, skb_dst(skb)->dev,`
	`190`	`+ net, sk, skb, skb->dev, skb_dst(skb)->dev,`
`191`	`191`	`__xfrm6_output,`
`192`	`192`	`!(IP6CB(skb)->flags & IP6SKB_REROUTED));`
`193`	`193`	`}`