netfilter: nft_fwd_netdev: check ttl/hl before forwarding
authorFlorian Westphal <fw@strlen.de>
Thu, 9 Apr 2026 11:30:41 +0000 (13:30 +0200)
committerFlorian Westphal <fw@strlen.de>
Fri, 10 Apr 2026 10:16:27 +0000 (12:16 +0200)
Drop packets if their ttl/hl is too small for forwarding.

Fixes: d32de98ea70f ("netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer")
Signed-off-by: Florian Westphal <fw@strlen.de>
net/netfilter/nft_fwd_netdev.c

index ad48dcd45abea961bd3e3a507bb0c111fa8e6e76..4bce36c3a6a070deeadd24de6737a557b0217d96 100644 (file)
@@ -116,6 +116,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
                        goto out;
                }
                iph = ip_hdr(skb);
+               if (iph->ttl <= 1) {
+                       verdict = NF_DROP;
+                       goto out;
+               }
+
                ip_decrease_ttl(iph);
                neigh_table = NEIGH_ARP_TABLE;
                break;
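Review bot: The new `if (iph->ttl <= 1)` guard carries no comment on why the threshold is `<= 1` rather than `== 0` or why the outcome is a silent NF_DROP, and the same applies to the `hop_limit <= 1` guard in the second hunk. The threshold is right because the following `ip_decrease_ttl(iph)` (and `ip6h->hop_limit--`) would otherwise emit a packet with a zero TTL/hop limit, but a reader coming from the routing stack may expect the ip_forward()/ip6_forward() behaviour of answering an expired TTL with an ICMP time-exceeded message, and the silent drop is a deliberate difference worth stating next to the verdict. Suggested comment above the IPv4 check, mirrored in the IPv6 hunk: `/* Decrementing would yield ttl 0: drop instead of forwarding. No ICMP time exceeded is generated from this expression. */`. Checking before the decrement also keeps the header untouched on the drop path, which looks correct. nft_fwd_neigh_eval begins before and continues past both hunks.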
@@ -132,6 +137,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
                        goto out;
                }
                ip6h = ipv6_hdr(skb);
+               if (ip6h->hop_limit <= 1) {
+                       verdict = NF_DROP;
+                       goto out;
+               }
+
                ip6h->hop_limit--;
                neigh_table = NEIGH_ND_TABLE;
                break;