On Mon, Aug 10, 2015 at 12:50:16AM +0200, Bernhard Thaler wrote:
> Hi Pablo,
>
> seeing all this I think there is a much simpler solution to the initial
> problem that should be fixed (IPv6 packets not traversing the bridge
> with CONFIG_IPV6=n).
>
> diff --git a/include/net/netfilter/br_netfilter.h
> b/include/net/netfilter/br_netfilter.h
> index bab824b..d4c6b5f 100644
> --- a/include/net/netfilter/br_netfilter.h
> +++ b/include/net/netfilter/br_netfilter.h
> @@ -59,7 +59,7 @@ static inline unsigned int
> br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops, struct sk_buff *skb,
> const struct nf_hook_state *state)
> {
> - return NF_DROP;
> + return NF_ACCEPT;
> }
> #endif
>
>
> Only downside it has is that /proc/sys/net/bridge/bridge-nf-call-ip6tables
> and /sys/class/net/brXXX/bridge/nf_call_ip6tables are still exposed with
> CONFIG_IPV6=n and changeable, but with no effect.
> Despite brnf_call_ip6tables being set to 1, packets will not be available
> to ip6tables, which will not be present anyway in this case.

Given that this has been the default behaviour before the _ipv6.c file
was introduced and that it is a corner case (it only affects people that
compile custom kernels), this sounds OK.

Anyway, it would be good to have the patches that move IPv6 code to the
new _ipv6.c file now that we have it there.
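
Review bot: the changed return in the br_nf_pre_routing_ipv6() stub (the "+ return NF_ACCEPT;" line, just before #endif) makes the CONFIG_IPV6=n build fail open, and nothing in the hunk documents that. With this verdict IPv6 frames cross the bridge without any ip6tables evaluation, while, as the message itself notes, bridge-nf-call-ip6tables and nf_call_ip6tables stay writable and a value of 1 has no effect. Please add a short comment above the return saying that accepting is intentional when IPv6 support is compiled out, and state in the commit message that the two knobs are no-ops in that configuration, so an administrator reading either the header or the log does not assume bridged IPv6 traffic is being filtered.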