Re: [PATCH v2 1/1] netfilter: nf_tables: fib: Drop IPV6 packages if IPv6 is disabled on boot

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Tue, Aug 27, 2019 at 11:58:36PM +0200, Florian Westphal wrote:
> > David Miller <davemdavemloft!net> wrote:
> > > From: Leonardo Bras <leonardo@xxxxxxxxxxxxx>
> > > Date: Tue, 27 Aug 2019 14:34:14 -0300
> > > 
> > > > I could reproduce this bug on a host ('ipv6.disable=1') starting a
> > > > guest with a virtio-net interface with 'filterref' over a virtual
> > > > bridge. It crashes the host during guest boot (just before login).
> > > > 
> > > > By that I could understand that a guest IPv6 network traffic
> > > > (via virtio-net) may cause this kernel panic.
> > > 
> > > Really this is bad and I suspected bridging to be involved somehow.
> > 
> > That's a good point -- Leonardo, is the
> > "net.bridge.bridge-nf-call-ip6tables" sysctl on?
> > 
> > As much as I'd like to send a patch to remove br_netfilter, I fear
> > we can't even stop passing ipv6 packets up to netfilter if
> > ipv6.disable=1 is set because users might be using ip6tables for
> > bridged traffic.
> 
> If the br_netfilter module is in place, then it's probably better to
> perform this check from there.

ip6tables won't work for filtering anymore, so I don't think this is
something we can do.  Anyway, let's wait for Leonardo to confirm, else
this is pointless speculation :-)
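The question raised above (is IPv6 disabled on the host while the bridge-nf-call-ip6tables sysctl is still on?) can be checked from a shell. The script below is an added example, not part of the thread; the state names and the helper function names are my own, and the function takes the two values as arguments so it can also be run against constructed input.

```shell
# Added example: classify a host's IPv6 / bridge-netfilter state from the
# kernel command line and the bridge-nf-call-ip6tables sysctl.
# Prints one of: at-risk, ipv6-enabled, bridge-filter-off, no-br-netfilter
# (state names are assumptions of this example, not kernel terminology).
classify_bridge_ipv6() {
    cmdline="$1"   # contents of /proc/cmdline
    nf_call="$2"   # contents of /proc/sys/net/bridge/bridge-nf-call-ip6tables,
                   # or the word "absent" when that file does not exist

    ipv6_disabled=0
    # Surround with spaces so the token matches anywhere on the line.
    case " $cmdline " in
        *" ipv6.disable=1 "*) ipv6_disabled=1 ;;
    esac

    if [ "$nf_call" = "absent" ]; then
        # br_netfilter is not loaded: bridged frames are not handed to ip6tables/nft.
        echo "no-br-netfilter"
    elif [ "$nf_call" != "1" ]; then
        # Module present, but bridged IPv6 frames bypass the IPv6 hooks.
        echo "bridge-filter-off"
    elif [ "$ipv6_disabled" -eq 1 ]; then
        # The combination discussed in the thread: IPv6 disabled at boot, yet
        # bridged IPv6 traffic still reaches the IPv6 netfilter hooks.
        echo "at-risk"
    else
        echo "ipv6-enabled"
    fi
}

# Gather the two values from the running host and classify them.
read_live_state() {
    cmdline=$(cat /proc/cmdline)
    f=/proc/sys/net/bridge/bridge-nf-call-ip6tables
    if [ -r "$f" ]; then nf_call=$(cat "$f"); else nf_call=absent; fi
    classify_bridge_ipv6 "$cmdline" "$nf_call"
}
```

Run `read_live_state` on the host; "at-risk" is the configuration in which the crash described in this thread was reproduced.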
