Following command:

  iptables -D FORWARD -m physdev ...

causes connectivity loss in some setups.

This is caused indirectly by commit 3b2530ce7a0d6aa3bee687bf0167bb490
("xtables: Do not register matches/targets with incompatible revision").

With this change, libxtables queries the kernel for the match revision.
This causes the "physdev" module to be loaded, which in turn enables the
"call-iptables" infrastructure. Bridged packets might then get dropped
by the iptables ruleset.

The better fix would be to change the "call-iptables" defaults to 0 and
enforce explicit setting to 1.

Another fix would be to only probe on rule add, not delete, but this is
a detail that libxtables doesn't know.

Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
 libxtables/xtables.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index ea9bb102c8eb..4fdf6554f339 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1011,11 +1011,6 @@ static bool xtables_fully_register_pending_match(struct xtables_match *me)
 	const char *rn;
 	int compare;
 
-	/* See if new match can be used. */
-	rn = (me->real_name != NULL) ? me->real_name : me->name;
-	if (!compatible_match_revision(rn, me->revision))
-		return false;
-
 	old = xtables_find_match(me->name, XTF_DURING_LOAD, NULL);
 	while (old) {
 		compare = xtables_match_prefer(old, me);
-- 
2.19.2
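Review bot: the hunk removes the only visible assignment to `rn` (`rn = (me->real_name != NULL) ? me->real_name : me->name;`) but leaves the declaration `const char *rn;` in the unchanged context above it, so unless `rn` is still used further down in the function (not shown here) this now yields an unused-variable warning; drop the declaration in the same hunk. The commit message should also say plainly that deleting the `compatible_match_revision()` call reverts the protection added by the referenced commit, i.e. matches with an incompatible revision will again be registered and fail later at rule insertion rather than at load, and that this is the accepted trade-off against the physdev autoload side effect, since the text currently presents the kernel-side default change and the add-only probing as the better fixes without stating what this patch gives up.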