netfilter: nft_fwd_netdev: check ttl/hl before forwarding

Drop packets if their ttl/hl is too small for forwarding.

Fixes: d32de98ea7 ("netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer")
Signed-off-by: Florian Westphal <fw@strlen.de>
This commit is contained in:
Florian Westphal 2026-04-09 13:30:41 +02:00
parent f30e5a7291
commit 1dfd95bdf4


@ -116,6 +116,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
goto out;
}
iph = ip_hdr(skb);
if (iph->ttl <= 1) {
verdict = NF_DROP;
goto out;
}
ip_decrease_ttl(iph);
neigh_table = NEIGH_ARP_TABLE;
break;
@ -132,6 +137,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
goto out;
}
ip6h = ipv6_hdr(skb);
if (ip6h->hop_limit <= 1) {
verdict = NF_DROP;
goto out;
}
ip6h->hop_limit--;
neigh_table = NEIGH_ND_TABLE;
break;
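Review bot: The new guards `if (iph->ttl <= 1)` and `if (ip6h->hop_limit <= 1)` carry no comment saying why the boundary is 1 or why the packet is dropped silently, and neither the hunk nor the commit message states the rationale. I would add a one-line comment above each check, e.g. `/* ttl/hop_limit of 1 would hit 0 on forward and 0 would wrap on decrement; drop, no ICMP Time Exceeded is sent from here */`, since these are 8-bit header fields and the `ip_decrease_ttl(iph)` / `ip6h->hop_limit--` on the following line would otherwise turn 0 into 255 and keep a looping packet alive indefinitely. A conventional router answers an expired TTL with ICMP Time Exceeded, whereas this path only sets `verdict = NF_DROP`; that is presumably deliberate for a netdev-level forwarder, but it means traceroute-style probes get no reply through an nft fwd rule and is worth recording in the commit message or the comment. nft_fwd_neigh_eval begins before the first hunk, so the prior value of `verdict` and whether the header was made writable before `iph->ttl` is read cannot be confirmed from what is shown.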