netfilter: nft_fib: allow from forward/input without iif selector
authorEric Garver <eric@garver.life>
Tue, 21 May 2024 14:25:05 +0000 (10:25 -0400)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 28 May 2024 22:37:51 +0000 (00:37 +0200)
This removes the requirement for an iif selector in the
forward/input hooks for fib lookups when the requested result is
oif/oifname.

Removing this restriction allows "loose" lookups from the forward hooks.

Fixes: be8be04e5ddb ("netfilter: nft_fib: reverse path filter for policy-based routing on iif")
Signed-off-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_fib.c

index 37cfe6dd712d8b138fc290abe66fd8d9b69963d6..b58f62195ff3ee04aebcf62a166349ff3a1f1285 100644 (file)
@@ -35,11 +35,9 @@ int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
        switch (priv->result) {
        case NFT_FIB_RESULT_OIF:
        case NFT_FIB_RESULT_OIFNAME:
-               hooks = (1 << NF_INET_PRE_ROUTING);
-               if (priv->flags & NFTA_FIB_F_IIF) {
-                       hooks |= (1 << NF_INET_LOCAL_IN) |
-                                (1 << NF_INET_FORWARD);
-               }
+               hooks = (1 << NF_INET_PRE_ROUTING) |
+                       (1 << NF_INET_LOCAL_IN) |
+                       (1 << NF_INET_FORWARD);
                break;
        case NFT_FIB_RESULT_ADDRTYPE:
                if (priv->flags & NFTA_FIB_F_IIF)
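Review bot: The widened mask in the `NFT_FIB_RESULT_OIF`/`NFT_FIB_RESULT_OIFNAME` case carries no comment saying that an expression without `NFTA_FIB_F_IIF` is now accepted in the input and forward hooks, where the commit message describes the lookup as "loose". That distinction matters for rulesets that use fib as a reverse path filter: a loose lookup presumably confirms only that a route exists, not that the packet arrived on the expected interface, so it is the weaker anti-spoofing check. I would add above the assignment `/* iif is optional: without NFTA_FIB_F_IIF the lookup is loose, i.e. not bound to the input device */`. nft_fib_validate starts and ends outside the hunk, so whether the eval paths handle the no-iif case in these hooks as intended cannot be confirmed from the lines shown.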