netfilter: flowtable: ensure sufficient headroom in xmit path

Check for headroom and call skb_expand_head() like in the IP output
path to ensure there is sufficient headroom for the mac header when
forwarding this packet as suggested by sashiko.

Fixes: b5964aac51e0 ("netfilter: flowtable: consolidate xmit path")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index dbd7644fdbebeb594dae19b194e02917eb068e03..8d5fb7e940a173b1222304b6173df3f64494b511 100644 (file)
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -471,8 +471,17 @@ struct nf_flow_xmit {
 static unsigned int nf_flow_queue_xmit(struct net *net, struct sk_buff *skb,
                                       struct nf_flow_xmit *xmit)
 {
-       skb->dev = xmit->outdev;
-       dev_hard_header(skb, skb->dev, ntohs(skb->protocol),
+       struct net_device *dev = xmit->outdev;
+       unsigned int hh_len = LL_RESERVED_SPACE(dev);
+
+       if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) {
+               skb = skb_expand_head(skb, hh_len);
+               if (!skb)
+                       return NF_STOLEN;
+       }
+
+       skb->dev = dev;
+       dev_hard_header(skb, dev, ntohs(skb->protocol),
                        xmit->dest, xmit->source, skb->len);
        dev_queue_xmit(skb);