On Tue, Aug 27, 2019 at 11:58:36PM +0200, Florian Westphal wrote:
> David Miller <davemdavemloft!net> wrote:
> > From: Leonardo Bras <leonardo@xxxxxxxxxxxxx>
> > Date: Tue, 27 Aug 2019 14:34:14 -0300
> >
> > > I could reproduce this bug on a host ('ipv6.disable=1') starting a
> > > guest with a virtio-net interface with 'filterref' over a virtual
> > > bridge. It crashes the host during guest boot (just before login).
> > >
> > > By that I could understand that a guest IPv6 network traffic
> > > (via virtio-net) may cause this kernel panic.
> >
> > Really this is bad and I suspected bridging to be involved somehow.
>
> That's a good point -- Leonardo, is the
> "net.bridge.bridge-nf-call-ip6tables" sysctl on?
>
> As much as I'd like to send a patch to remove br_netfilter, I fear
> we can't even stop passing ipv6 packets up to netfilter if
> ipv6.disable=1 is set because users might be using ip6tables for
> bridged traffic.

If the br_netfilter module is in place, then it's probably better to
perform this check from there.