Florian Westphal
2019-Aug-30 20:55 UTC
[Bridge] [PATCH v4 2/2] net: br_netfiler_hooks: Drops IPv6 packets if IPv6 module is not loaded
Leonardo Bras <leonardo at linux.ibm.com> wrote:> A kernel panic can happen if a host has disabled IPv6 on boot and have to > process guest packets (coming from a bridge) using it's ip6tables. > > IPv6 packets need to be dropped if the IPv6 module is not loaded. > > Signed-off-by: Leonardo Bras <leonardo at linux.ibm.com> > --- > net/bridge/br_netfilter_hooks.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c > index d3f9592f4ff8..5e8693730df1 100644 > --- a/net/bridge/br_netfilter_hooks.c > +++ b/net/bridge/br_netfilter_hooks.c > @@ -493,6 +493,8 @@ static unsigned int br_nf_pre_routing(void *priv, > brnet = net_generic(state->net, brnf_net_id); > if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || > is_pppoe_ipv6(skb, state->net)) { > + if (!ipv6_mod_enabled()) > + return NF_DROP; > if (!brnet->call_ip6tables && > !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) > return NF_ACCEPT;No, thats too aggressive and turns the bridge into an ipv6 blackhole. There are two solutions: 1. The above patch, but use NF_ACCEPT instead 2. keep the DROP, but move it below the call_ip6tables test, so that users can tweak call-ip6tables to accept packets. Perhaps it would be good to also add a pr_warn_once() that tells that ipv6 was disabled on command line and call-ip6tables isn't supported in this configuration. I would go with option two.
Leonardo Bras
2019-Aug-31 04:42 UTC
[Bridge] [PATCH v4 2/2] net: br_netfiler_hooks: Drops IPv6 packets if IPv6 module is not loaded
On Fri, 2019-08-30 at 22:55 +0200, Florian Westphal wrote:> Leonardo Bras <leonardo at linux.ibm.com> wrote: > > A kernel panic can happen if a host has disabled IPv6 on boot and have to > > process guest packets (coming from a bridge) using it's ip6tables. > > > > IPv6 packets need to be dropped if the IPv6 module is not loaded. > > > > Signed-off-by: Leonardo Bras <leonardo at linux.ibm.com> > > --- > > net/bridge/br_netfilter_hooks.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c > > index d3f9592f4ff8..5e8693730df1 100644 > > --- a/net/bridge/br_netfilter_hooks.c > > +++ b/net/bridge/br_netfilter_hooks.c > > @@ -493,6 +493,8 @@ static unsigned int br_nf_pre_routing(void *priv, > > brnet = net_generic(state->net, brnf_net_id); > > if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || > > is_pppoe_ipv6(skb, state->net)) { > > + if (!ipv6_mod_enabled()) > > + return NF_DROP; > > if (!brnet->call_ip6tables && > > !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) > > return NF_ACCEPT; > > No, thats too aggressive and turns the bridge into an ipv6 blackhole. > > There are two solutions: > 1. The above patch, but use NF_ACCEPT instead > 2. keep the DROP, but move it below the call_ip6tables test, > so that users can tweak call-ip6tables to accept packets.Q: Does 2 mean that it will only be dropped if bridge intents to use host's ip6tables? Else, it will be accepted by previous if?> Perhaps it would be good to also add a pr_warn_once() that > tells that ipv6 was disabled on command line and > call-ip6tables isn't supported in this configuration. >Good idea, added.> I would go with option two.I think it's better than 1 too. I sent a v5 with these changes: https://lkml.org/lkml/2019/8/31/4 Thanks! Leonardo Bras -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: This is a digitally signed message part URL: <http://lists.linuxfoundation.org/pipermail/bridge/attachments/20190831/5f0a0e45/attachment-0001.sig>
Florian Westphal
2019-Aug-31 08:43 UTC
[Bridge] [PATCH v4 2/2] net: br_netfiler_hooks: Drops IPv6 packets if IPv6 module is not loaded
Leonardo Bras <leonardo at linux.ibm.com> wrote:> > There are two solutions: > > 1. The above patch, but use NF_ACCEPT instead > > 2. keep the DROP, but move it below the call_ip6tables test, > > so that users can tweak call-ip6tables to accept packets. > > Q: Does 2 mean that it will only be dropped if bridge intents to use > host's ip6tables? Else, it will be accepted by previous if?Yes, thats the idea: Let users decide if ipv6.disable or call-ip6tables is more important to them.