| Message ID | 20250109093710.494322-1-atenart@kernel.org (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [nf-next] netfilter: br_netfilter: remove unused conditional and dead code | expand |
On Thu, Jan 09, 2025 at 10:37:09AM +0100, Antoine Tenart wrote: > The SKB_DROP_REASON_IP_INADDRERRORS drop reason is never returned from > any function, as such it cannot be returned from the ip_route_input call > tree. The 'reason != SKB_DROP_REASON_IP_INADDRERRORS' conditional is > thus always true. > > Looking back at history, commit 50038bf38e65 ("net: ip: make > ip_route_input() return drop reasons") changed the ip_route_input > returned value check in br_nf_pre_routing_finish from -EHOSTUNREACH to > SKB_DROP_REASON_IP_INADDRERRORS. It turns out -EHOSTUNREACH could not be > returned either from the ip_route_input call tree and this since commit > 251da4130115 ("ipv4: Cache ip_error() routes even when not > forwarding."). > > Not a fix as this won't change the behavior. While at it use > kfree_skb_reason. > > Signed-off-by: Antoine Tenart <atenart@kernel.org> > --- > net/bridge/br_netfilter_hooks.c | 30 +----------------------------- > 1 file changed, 1 insertion(+), 29 deletions(-) Nice diffstat :) Reviewed-by: Simon Horman <horms@kernel.org>
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index 451e45b9a6a5..94cbe967d1c1 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -393,38 +393,10 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_ reason = ip_route_input(skb, iph->daddr, iph->saddr, ip4h_dscp(iph), dev); if (reason) { - struct in_device *in_dev = __in_dev_get_rcu(dev); - - /* If err equals -EHOSTUNREACH the error is due to a - * martian destination or due to the fact that - * forwarding is disabled. For most martian packets, - * ip_route_output_key() will fail. It won't fail for 2 types of - * martian destinations: loopback destinations and destination - * 0.0.0.0. In both cases the packet will be dropped because the - * destination is the loopback device and not the bridge. */ - if (reason != SKB_DROP_REASON_IP_INADDRERRORS || !in_dev || - IN_DEV_FORWARD(in_dev)) - goto free_skb; - - rt = ip_route_output(net, iph->daddr, 0, - ip4h_dscp(iph), 0, - RT_SCOPE_UNIVERSE); - if (!IS_ERR(rt)) { - /* - Bridged-and-DNAT'ed traffic doesn't - * require ip_forwarding. */ - if (rt->dst.dev == dev) { - skb_dst_drop(skb); - skb_dst_set(skb, &rt->dst); - goto bridged_dnat; - } - ip_rt_put(rt); - } -free_skb: - kfree_skb(skb); + kfree_skb_reason(skb, reason); return 0; } else { if (skb_dst(skb)->dev == dev) { -bridged_dnat: skb->dev = br_indev; nf_bridge_update_protocol(skb); nf_bridge_push_encap_header(skb);
The SKB_DROP_REASON_IP_INADDRERRORS drop reason is never returned from any function, as such it cannot be returned from the ip_route_input call tree. The 'reason != SKB_DROP_REASON_IP_INADDRERRORS' conditional is thus always true. Looking back at history, commit 50038bf38e65 ("net: ip: make ip_route_input() return drop reasons") changed the ip_route_input returned value check in br_nf_pre_routing_finish from -EHOSTUNREACH to SKB_DROP_REASON_IP_INADDRERRORS. It turns out -EHOSTUNREACH could not be returned either from the ip_route_input call tree and this since commit 251da4130115 ("ipv4: Cache ip_error() routes even when not forwarding."). Not a fix as this won't change the behavior. While at it use kfree_skb_reason. Signed-off-by: Antoine Tenart <atenart@kernel.org> --- net/bridge/br_netfilter_hooks.c | 30 +----------------------------- 1 file changed, 1 insertion(+), 29 deletions(-)