There is a day 0 bug in bridge netfilter when used with connection tracking.

Conntrack assumes that an nf_conn structure that is not yet added to the hash table ("unconfirmed") is visible only to the current cpu that is processing the sk_buff.

For bridge this isn't true: the sk_buff can get cloned in between, and the clones can be processed in parallel on different cpus.

First patch disables NAT and conntrack helpers for multicast packets, second patch adds a test case for this problem.

Florian Westphal (2):
  netfilter: bridge: confirm multicast packets before passing them up the stack
  selftests: netfilter: add bridge conntrack + multicast test case

 include/linux/netfilter.h                   |   1 +
 net/bridge/br_netfilter_hooks.c             |  96 +++++++++
 net/bridge/netfilter/nf_conntrack_bridge.c  |  26 +++
 net/netfilter/nf_conntrack_core.c           |   1 +
 tools/testing/selftests/netfilter/Makefile  |   3 +-
 .../selftests/netfilter/bridge_netfilter.sh | 187 ++++++++++++++++++
 6 files changed, 313 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/netfilter/bridge_netfilter.sh

-- 
2.43.0