Leonardo Bras <leonardo@xxxxxxxxxxxxx> wrote: > On Thu, 2019-08-29 at 17:04 -0300, Leonardo Bras wrote: > > > Thats a good point -- Leonardo, is the > > > "net.bridge.bridge-nf-call-ip6tables" sysctl on? > > > > Running > > # sudo sysctl -a > > I can see: > > net.bridge.bridge-nf-call-ip6tables = 1 > > Also, doing > # echo 0 > /proc/sys/net/bridge/bridge-nf-call-ip6tables > And then trying to boot the guest will not crash the host. > > Which would make sense, since host iptables is not dealing with guest > IPv6 packets. Yes. > So, the real cause of this bug is the bridge making host ip6tables deal > with guest IPv6 packets ? > If so, would it be ok if write a patch testing ipv6_mod_enabled() > before passing guest ipv6 packets to host ip6tables? I'm not sure. This switch is very old, it was added 10 years ago in v2.6.31-rc1. Even if we disable call-ip6tables in br_netfilter we will at least in addition need a patch for nft_fib_netdev.c. >From a "avoid calls to ipv6 stack when its disabled" standpoint, the safest fix is to disable call-ip6tables functionality if ipv6 module is off *and* fix nft_fib_netdev.c to BREAK in ipv6 is off case. I started to place a list of suspicous modules here, but that got out of hand quickly. So, given I don't want to plaster ipv6_mod_enabled() everywhere, I would suggest this course of action: 1. add a patch to BREAK in nft_fib_netdev.c for !ipv6_mod_enabled() 2. change net/bridge/br_netfilter_hooks.c, br_nf_pre_routing() to make sure ipv6_mod_enabled() is true before doing the ipv6 stack "emulation". Makes sense? Thanks, Florian
