Re: [PATCH bpf-next v8 2/7] net: move netfilter nf_reject6_fill_skb_dst to core ipv6
From: "Emil Tsalapatis" <emil@etsalapatis.com>
Date: 2026-06-24 00:16:19
Also in:
bpf, netfilter-devel
On Mon Jun 22, 2026 at 8:05 AM EDT, Mahe Tardy wrote:
Move and rename nf_reject6_fill_skb_dst from ipv6/netfilter/nf_reject_ipv6 to ip6_route_reply_fill_dst in ipv6/route.c so that it can be reused in the following patches by BPF kfuncs. Netfilter uses nf_ip6_route that is almost a transparent wrapper around ip6_route_output so this patch inlines it. Reviewed-by: Jordan Rife <redacted> Signed-off-by: Mahe Tardy <redacted>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
---
 include/net/ip6_route.h | 2 ++
 net/ipv6/netfilter/nf_reject_ipv6.c | 17 +----------------
 net/ipv6/route.c | 18 ++++++++++++++++++
 3 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
index 09ffe0f13ce7..eb5a60d3babe 100644
--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -100,6 +100,8 @@ static inline struct dst_entry *ip6_route_output(struct net *net,
 return ip6_route_output_flags(net, sk, fl6, 0);
 }
+int ip6_route_reply_fill_dst(struct sk_buff *skb);
+
 /* Only conditionally release dst if flags indicates
 * !RT6_LOOKUP_F_DST_NOREF or dst is in uncached_list.
 */
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index ef5b7e85cffa..7d2f577e72b8 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -293,21 +293,6 @@ nf_reject_ip6_tcphdr_put(struct sk_buff *nskb,
 sizeof(struct tcphdr), 0));
 }
-static int nf_reject6_fill_skb_dst(struct sk_buff *skb_in)
-{
- struct dst_entry *dst = NULL;
- struct flowi fl;
-
- memset(&fl, 0, sizeof(struct flowi));
- fl.u.ip6.daddr = ipv6_hdr(skb_in)->saddr;
- nf_ip6_route(dev_net(skb_in->dev), &dst, &fl, false);
- if (!dst)
- return -1;
-
- skb_dst_set(skb_in, dst);
- return 0;
-}
-
 void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
 int hook)
 {
@@ -440,7 +425,7 @@ void nf_send_unreach6(struct net *net, struct sk_buff *skb_in,
 if (hooknum == NF_INET_LOCAL_OUT && skb_in->dev == NULL)
 skb_in->dev = net->loopback_dev;
- if (!skb_dst(skb_in) && nf_reject6_fill_skb_dst(skb_in) < 0)
+ if (!skb_dst(skb_in) && ip6_route_reply_fill_dst(skb_in) < 0)
 return;
 icmpv6_send(skb_in, ICMPV6_DEST_UNREACH, code, 0);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 6361ad2fcf77..0fa56c801178 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2732,6 +2732,24 @@ struct dst_entry *ip6_route_output_flags(struct net *net,
 }
 EXPORT_SYMBOL_GPL(ip6_route_output_flags);
+int ip6_route_reply_fill_dst(struct sk_buff *skb)
+{
+ struct dst_entry *result;
+ struct flowi6 fl = {
+ .daddr = ipv6_hdr(skb)->saddr
+ };
+ int err;
+
+ result = ip6_route_output(dev_net(skb->dev), NULL, &fl);
+ err = result->error;
+ if (err)
+ dst_release(result);
+ else
+ skb_dst_set(skb, result);
+ return err;
+}
+EXPORT_SYMBOL_GPL(ip6_route_reply_fill_dst);
+
 struct dst_entry *ip6_blackhole_route(struct net *net, struct dst_entry *dst_orig)
 {
 struct rt6_info *rt, *ort = dst_rt6_info(dst_orig);
--2.34.1
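Review bot: ip6_route_reply_fill_dst() in net/ipv6/route.c is now an exported helper, but its preconditions are unwritten: it dereferences `skb->dev` through `dev_net()`, reads the packet-supplied `ipv6_hdr(skb)->saddr` without checking that the network header holds a full IPv6 header, and calls `skb_dst_set()` without looking at any dst already attached. The netfilter caller in this patch covers the first and last of these (it assigns `skb_in->dev` for LOCAL_OUT and tests `!skb_dst(skb_in)`), but later callers, such as the BPF kfuncs the description mentions, would have to know to do the same. I would add a kernel-doc comment above the function stating that the caller must guarantee a non-NULL `skb->dev`, a validated IPv6 network header and no dst on the skb, and that the return value is 0 or the negative `dst->error`, where the old helper returned -1. If those callers cannot guarantee a device, a guard such as `if (!skb->dev) return -ENODEV;` before the lookup is worth considering.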