netfilter: nft_fwd_netdev: check ttl/hl before forwarding

Drop packets if their ttl/hl is too small for forwarding. Fixes: d32de98ea70f ("netfilter: nft_fwd_netdev: allow to forward packets via neighbour layer") Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2026-04-09 13:30:41 +0200
committer: Florian Westphal <fw@strlen.de> 2026-04-10 12:16:27 +0200
commit: 1dfd95bdf4d18d263aa8fad06bfb9f4d9c992b18 (patch)
tree: 7bb164fe03d84b9495c759ccb62abbe04e415486
parent: f30e5a7291a879deeeb6b9ba92b12c9be1ee5f29 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index ad48dcd45abe..4bce36c3a6a0 100644
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -116,6 +116,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
 			goto out;
 		}
 		iph = ip_hdr(skb);
+		if (iph->ttl <= 1) {
+			verdict = NF_DROP;
+			goto out;
+		}
+
 		ip_decrease_ttl(iph);
 		neigh_table = NEIGH_ARP_TABLE;
 		break;
@@ -132,6 +137,11 @@ static void nft_fwd_neigh_eval(const struct nft_expr *expr,
 			goto out;
 		}
 		ip6h = ipv6_hdr(skb);
+		if (ip6h->hop_limit <= 1) {
+			verdict = NF_DROP;
+			goto out;
+		}
+
 		ip6h->hop_limit--;
 		neigh_table = NEIGH_ND_TABLE;
 		break;
author	Florian Westphal <fw@strlen.de>	2026-04-09 13:30:41 +0200
committer	Florian Westphal <fw@strlen.de>	2026-04-10 12:16:27 +0200
commit	1dfd95bdf4d18d263aa8fad06bfb9f4d9c992b18 (patch)
tree	7bb164fe03d84b9495c759ccb62abbe04e415486
parent	f30e5a7291a879deeeb6b9ba92b12c9be1ee5f29 (diff)