netfilter: ip6t_rpfilter: Fix regression with VRF interfaces

commit efb056e5f1f0036179b2f92c1c15f5ea7a891d70 upstream. When calling ip6_route_lookup() for the packet arriving on the VRF interface, the result is always the real (slave) interface. Expect this when validating the result. Fixes: acc641ab95b66 ("netfilter: rpfilter/fib: Populate flowic_l3mdev field") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Phil Sutter <phil@nwl.cc> 2023-02-16 19:05:36 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-10-17 16:12:01 +0300
commit: 8fcd1021b2608924fe3a9df45d99888ebdd2a28d (patch)
tree: 1c8d4d1d2a743f29a5e25bfcbe307fdfecd7118c
parent: 83948838e1c7a90015834d62932cec37d04941bf (diff)
download: linux-8fcd1021b2608924fe3a9df45d99888ebdd2a28d.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index a01d9b842bd0..67c87a88cde4 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -72,7 +72,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
 		goto out;
 	}
 
-	if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE))
+	if (rt->rt6i_idev->dev == dev ||
+	    l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == dev->ifindex ||
+	    (flags & XT_RPFILTER_LOOSE))
 		ret = true;
  out:
 	ip6_rt_put(rt);
author	Phil Sutter <phil@nwl.cc>	2023-02-16 19:05:36 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-10-17 16:12:01 +0300
commit	8fcd1021b2608924fe3a9df45d99888ebdd2a28d (patch)
tree	1c8d4d1d2a743f29a5e25bfcbe307fdfecd7118c
parent	83948838e1c7a90015834d62932cec37d04941bf (diff)
download	linux-8fcd1021b2608924fe3a9df45d99888ebdd2a28d.tar.xz