diff options
| author | Ido Schimmel <idosch@nvidia.com> | 2024-08-21 15:52:44 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2024-08-22 16:59:57 -0700 |
| commit | 338385e059c5d299556fa341d10601ae72c6e932 (patch) | |
| tree | 6973143bdaf07b4afcb6260f2e27da482a5fed2a /net/ipv4 | |
| parent | c1ae5ca69b691a7403e85047382fc4fd6a69ee9f (diff) | |
| download | lwn-338385e059c5d299556fa341d10601ae72c6e932.tar.gz lwn-338385e059c5d299556fa341d10601ae72c6e932.zip | |
netfilter: nft_fib: Unmask upper DSCP bits
In a similar fashion to the iptables rpfilter match, unmask the upper
DSCP bits of the DS field of the currently tested packet so that in the
future the FIB lookup could be performed according to the full DSCP
value.
No functional changes intended since the upper DSCP bits are masked when
comparing against the TOS selectors in FIB rules and routes.
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Guillaume Nault <gnault@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240821125251.1571445-6-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/nft_fib_ipv4.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c index df94bc28c3d7..00da1332bbf1 100644 --- a/net/ipv4/netfilter/nft_fib_ipv4.c +++ b/net/ipv4/netfilter/nft_fib_ipv4.c @@ -10,6 +10,7 @@ #include <net/netfilter/nf_tables.h> #include <net/netfilter/nft_fib.h> +#include <net/inet_dscp.h> #include <net/ip_fib.h> #include <net/route.h> @@ -108,7 +109,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, if (priv->flags & NFTA_FIB_F_MARK) fl4.flowi4_mark = pkt->skb->mark; - fl4.flowi4_tos = iph->tos & IPTOS_RT_MASK; + fl4.flowi4_tos = iph->tos & INET_DSCP_MASK; if (priv->flags & NFTA_FIB_F_DADDR) { fl4.daddr = iph->daddr; |