On Thu, 2019-08-29 at 22:58 +0200, Florian Westphal wrote: > In any case your patch looks ok to me. Great! Please give your feedback on v3: http://patchwork.ozlabs.org/patch/1154040/ [...] > > Even if we disable call-ip6tables in br_netfilter we will at least > in addition need a patch for nft_fib_netdev.c. > > From a "avoid calls to ipv6 stack when its disabled" standpoint, > the safest fix is to disable call-ip6tables functionality if ipv6 > module is off *and* fix nft_fib_netdev.c to BREAK in ipv6 is off case. > > I started to place a list of suspicous modules here, but that got out > of hand quickly. > > So, given I don't want to plaster ipv6_mod_enabled() everywhere, I > would suggest this course of action: > > 1. add a patch to BREAK in nft_fib_netdev.c for !ipv6_mod_enabled() > 2. change net/bridge/br_netfilter_hooks.c, br_nf_pre_routing() to > make sure ipv6_mod_enabled() is true before doing the ipv6 stack > "emulation". > > Makes sense? IMHO sure. Shortly, I will send a couple patches proposing the above changes. (Or my best understanding about them :) ) > > Thanks, > Florian Thank you, Leonardo Bras
Attachment:
signature.asc
Description: This is a digitally signed message part