On Fri, Jan 11, 2019 at 02:46:15PM +0100, Florian Westphal wrote:
> Following command:
> iptables -D FORWARD -m physdev ...
> causes connectivity loss in some setups.
>
> Reason is that iptables userspace will probe kernel for the module revision
> of the physdev patch, and physdev has an artificial dependency on
> br_netfilter (xt_physdev use makes no sense unless a br_netfilter module
> is loaded).
>
> This causes the "physdev" module to be loaded, which in turn enables the
> "call-iptables" infrastructure.
>
> bridged packets might then get dropped by the iptables ruleset.
>
> The better fix would be to change the "call-iptables" defaults to 0 and
> enforce explicit setting to 1, but that breaks backwards compatibility.
>
> This does the next best thing: add a request_module call to checkentry.
> This way a stray '-D ... -m physdev' won't activate br_netfilter
> anymore.

Applied, thanks.
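As an added check written for this note (not part of the patch or the thread), the following shell snippet detects the side effect described above: it records whether br_netfilter is loaded before and after a command such as the stray `iptables -D ... -m physdev`, and reports the resulting bridge-nf-call-iptables value. The MODULES_FILE and CALL_IPT_FILE paths are parameters (an assumption made here) so the check can run against constructed files; on a live host the defaults point at /proc.

```shell
#!/bin/sh
# Added example, not code from the patch or the thread.
# Paths are overridable so the functions can be exercised against constructed
# input; the defaults are the real kernel interfaces.
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
CALL_IPT_FILE="${CALL_IPT_FILE:-/proc/sys/net/bridge/bridge-nf-call-iptables}"

# Print "loaded" or "absent" for br_netfilter according to $MODULES_FILE
# (/proc/modules lines start with the module name followed by a space).
br_netfilter_state() {
    if [ -r "$MODULES_FILE" ] && grep -q '^br_netfilter ' "$MODULES_FILE"; then
        echo loaded
    else
        echo absent
    fi
}

# Print the bridge-nf-call-iptables value, or "missing" when the sysctl does
# not exist yet (it only appears once br_netfilter has been loaded).
call_iptables_state() {
    if [ -r "$CALL_IPT_FILE" ]; then
        cat "$CALL_IPT_FILE"
    else
        echo missing
    fi
}

# Run the given command, then compare br_netfilter state before and after.
# Returns 0 when nothing changed, 1 when br_netfilter was pulled in as a
# side effect (the case the patch above prevents for '-D ... -m physdev').
run_and_check() {
    before=$(br_netfilter_state)
    "$@"
    after=$(br_netfilter_state)
    if [ "$before" = absent ] && [ "$after" = loaded ]; then
        echo "br_netfilter loaded as a side effect; bridge-nf-call-iptables=$(call_iptables_state)" >&2
        return 1
    fi
    return 0
}
```

On a real host this would be invoked as `run_and_check iptables -D FORWARD -m physdev ...`; a non-zero return means bridged traffic is now subject to the iptables ruleset.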