Leonardo Bras <leonardo@xxxxxxxxxxxxx> wrote:
> > That's a good point -- Leonardo, is the
> > "net.bridge.bridge-nf-call-ip6tables" sysctl on?
>
> Running
> # sudo sysctl -a
> I can see:
> net.bridge.bridge-nf-call-ip6tables = 1
>
> So these packets are sent to host iptables for processing?

Yes, this is an old hack that was made because ebtables is very feature-limited.

However, as I mentioned before I don't think there is anything we can do here except audit all affected nft expressions and ip6tables matches and add this check where needed. ip6t_rpfilter.c comes to mind.

In any case your patch looks ok to me.

> (Sorry for the delay, I did not receive the previous e-mails.
> Please include me in to/cc.)

Sorry about that.