summaryrefslogtreecommitdiff
path: root/net/ipv4/xfrm4_output.c
diff options
context:
space:
mode:
authorPhil Sutter <phil@nwl.cc>2019-11-12 19:14:37 +0300
committerPablo Neira Ayuso <pablo@netfilter.org>2019-11-16 01:44:48 +0300
commit28f8bfd1ac948403ebd5c8070ae1e25421560059 (patch)
tree8e5b472d45954ee16b7fb7d172bb394058b3268d /net/ipv4/xfrm4_output.c
parent5c27d8d76ce810c6254cf5917a6019d824f34bd2 (diff)
downloadlinux-28f8bfd1ac948403ebd5c8070ae1e25421560059.tar.xz
netfilter: Support iif matches in POSTROUTING
Instead of generally passing NULL to NF_HOOK_COND() for input device, pass skb->dev which contains input device for routed skbs. Note that iptables (both legacy and nft) reject rules with input interface match from being added to POSTROUTING chains, but nftables allows this. Cc: Eric Garver <eric@garver.life> Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4/xfrm4_output.c')
-rw-r--r--net/ipv4/xfrm4_output.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index ecff3fce9807..89ba7c87de5d 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -92,7 +92,7 @@ static int __xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb)
int xfrm4_output(struct net *net, struct sock *sk, struct sk_buff *skb)
{
return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
- net, sk, skb, NULL, skb_dst(skb)->dev,
+ net, sk, skb, skb->dev, skb_dst(skb)->dev,
__xfrm4_output,
!(IPCB(skb)->flags & IPSKB_REROUTED));
}