On Tue, Dec 18, 2018 at 10:14:51PM +0100, Florian Westphal wrote:
> Following command:
> iptables -D FORWARD -m physdev ...
> causes connectivity loss in some setups.

So, scenario is: User calls this where there is no rule at all with
-m physdev, right?

> This is caused indirectly by commit 3b2530ce7a0d6aa3bee687bf0167bb490
> ("xtables: Do not register matches/targets with incompatible revision").
>
> With this change, libtables queries the kernel for the match revision.
> This causes the "phydev" module to be loaded, which in turn enables the
> "call-iptables" infrastructure.
>
> bridged packets might then get dropped by the iptables ruleset.
>
> The better fix would be to change the "call-iptables" defaults to 0 and
> enforce explicit setting to 1.
> Another fix would be to only probe on rule add, not delete, but this is
> a detail that libxtables doesn't know.
>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
>  libxtables/xtables.c | 5 -----
>  1 file changed, 5 deletions(-)
>
> diff --git a/libxtables/xtables.c b/libxtables/xtables.c
> index ea9bb102c8eb..4fdf6554f339 100644
> --- a/libxtables/xtables.c
> +++ b/libxtables/xtables.c
> @@ -1011,11 +1011,6 @@ static bool xtables_fully_register_pending_match(struct xtables_match *me)
>  	const char *rn;
>  	int compare;
>
> -	/* See if new match can be used. */
> -	rn = (me->real_name != NULL) ? me->real_name : me->name;
> -	if (!compatible_match_revision(rn, me->revision))
> -		return false;
> -
>  	old = xtables_find_match(me->name, XTF_DURING_LOAD, NULL);
>  	while (old) {
>  		compare = xtables_match_prefer(old, me);
> --
> 2.19.2
>
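Review bot: after this hunk `rn` is declared but never assigned or read in xtables_fully_register_pending_match(); its only use was the deleted `rn = (me->real_name != NULL) ? me->real_name : me->name;` line, so the context line `const char *rn;` should go in the same patch to avoid an unused-variable warning. The hunk also drops the revision compatibility check outright rather than narrowing when the kernel is probed, which undoes what 3b2530ce7a0d introduced; since the commit message itself names the narrower alternative (probe on rule add, not delete), it should say explicitly that matches with a revision the kernel does not support can be registered again once the early `return false;` is gone, and where that case is caught instead.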
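The commit message describes a side effect that is easy to miss on a host: loading a match module pulls in the bridge netfilter hooks, and from then on bridged frames traverse the iptables FORWARD chain. The following POSIX shell check is an added example (not part of the patch or of libxtables) that reports whether that state is in effect. It reads the real kernel interfaces (/proc/sys/net/bridge/bridge-nf-call-iptables and /proc/modules); the optional root-path argument is an assumption of this example so the same function can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the netfilter patch or libxtables.
# Reports whether bridged frames on this host are being passed through
# iptables, i.e. whether br_netfilter is loaded and bridge-nf-call-iptables
# is enabled. The optional first argument is a root prefix (assumption of
# this example) so the check can be exercised against a constructed tree.
#
# Return codes:
#   0  br_netfilter loaded and bridge-nf-call-iptables=1 (bridged frames hit FORWARD)
#   1  br_netfilter not loaded (sysctl absent; bridged frames bypass iptables)
#   2  br_netfilter loaded but bridge-nf-call-iptables is 0
bridge_nf_state() {
    root="${1:-}"
    ctl="$root/proc/sys/net/bridge/bridge-nf-call-iptables"
    mods="$root/proc/modules"

    if [ ! -r "$ctl" ]; then
        # The sysctl only exists once br_netfilter is loaded.
        echo "br_netfilter not loaded: bridged frames bypass iptables"
        return 1
    fi

    val=$(cat "$ctl")

    # Note whether the match module from the report is resident; a rule
    # deletion with -m physdev is enough to autoload it.
    if grep -q '^xt_physdev ' "$mods" 2>/dev/null; then
        physdev="xt_physdev loaded"
    else
        physdev="xt_physdev not loaded"
    fi

    if [ "$val" = "1" ]; then
        echo "bridge-nf-call-iptables=1 ($physdev): bridged frames traverse the iptables FORWARD chain"
        return 0
    fi

    echo "bridge-nf-call-iptables=$val ($physdev): br_netfilter loaded, iptables hooks disabled for bridged frames"
    return 2
}

# Run against the live system only when asked to, so sourcing the file
# just defines the function.
if [ "${1:-}" = "--run" ]; then
    bridge_nf_state
fi
```

Run it with `sh bridge_nf_check.sh --run` after a connectivity complaint of the kind in the report: a return code of 0 means the FORWARD ruleset now applies to bridged traffic, and the rules (or the sysctl) need to account for that.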