On Fri, 2019-08-30 at 22:55 +0200, Florian Westphal wrote: > Leonardo Bras <leonardo@xxxxxxxxxxxxx> wrote: > > A kernel panic can happen if a host has disabled IPv6 on boot and have to > > process guest packets (coming from a bridge) using it's ip6tables. > > > > IPv6 packets need to be dropped if the IPv6 module is not loaded. > > > > Signed-off-by: Leonardo Bras <leonardo@xxxxxxxxxxxxx> > > --- > > net/bridge/br_netfilter_hooks.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c > > index d3f9592f4ff8..5e8693730df1 100644 > > --- a/net/bridge/br_netfilter_hooks.c > > +++ b/net/bridge/br_netfilter_hooks.c > > @@ -493,6 +493,8 @@ static unsigned int br_nf_pre_routing(void *priv, > > brnet = net_generic(state->net, brnf_net_id); > > if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || > > is_pppoe_ipv6(skb, state->net)) { > > + if (!ipv6_mod_enabled()) > > + return NF_DROP; > > if (!brnet->call_ip6tables && > > !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) > > return NF_ACCEPT; > > No, thats too aggressive and turns the bridge into an ipv6 blackhole. > > There are two solutions: > 1. The above patch, but use NF_ACCEPT instead > 2. keep the DROP, but move it below the call_ip6tables test, > so that users can tweak call-ip6tables to accept packets. Q: Does 2 mean that it will only be dropped if bridge intents to use host's ip6tables? Else, it will be accepted by previous if? > Perhaps it would be good to also add a pr_warn_once() that > tells that ipv6 was disabled on command line and > call-ip6tables isn't supported in this configuration. > Good idea, added. > I would go with option two. I think it's better than 1 too. I sent a v5 with these changes: https://lkml.org/lkml/2019/8/31/4 Thanks! Leonardo Bras
Attachment:
signature.asc
Description: This is a digitally signed message part