On 6/22/25 10:40 PM, Florian Westphal wrote:
> Eric Woudstra <ericwouds@xxxxxxxxx> wrote:
>> - return nft_do_chain(&pkt, priv);
>> + ret = nft_do_chain(&pkt, priv);
>> +
>> + if (offset) {
>> + __skb_push(skb, offset);
>> + skb_reset_network_header(skb);
>> + skb->protocol = outer_proto;
>> + }
>
> I don't think it's a good idea to do this.
>
> nft_do_chain() can mangle the packet in arbitrary ways,
> including making a duplicate, sending icmp/tcp resets in response
> to the packet, forwarding the packet to another interface, dropping
> the packet, etc.
>
> Wouldn't it be enough to set the skb network header if it's not
> set yet, without pull (and a need to push later)?

If I replace the pull + skb_reset_network_header with skb_set_network_header and remove the push, this also works. I'll change it in the next version of this patch.

However, if I do the same in nf_ct_bridge_pre() (the other patch in this patch-set), then packets get dropped. I'll need to look into that further.
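Review bot: the verdict stored in ret is never consulted before the `if (offset)` block touches skb again; after `ret = nft_do_chain(&pkt, priv);` the chain may already have dropped, stolen or duplicated the packet (as the reply above notes), so `__skb_push(skb, offset);` and `skb->protocol = outer_proto;` would operate on an skb the caller no longer owns. Either guard the restore on the verdict or, as suggested, avoid the pull entirely by setting the network header offset without moving skb->data, so nothing needs to be undone after the chain runs.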