netdev.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Sasha Levin <sashal@kernel.org>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.0 233/262] netfilter: physdev: relax br_netfilter dependency
Date: Wed, 27 Mar 2019 14:01:28 -0400
Message-ID: <20190327180158.10245-233-sashal@kernel.org>
In-Reply-To: <20190327180158.10245-1-sashal@kernel.org>

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 8e2f311a68494a6677c1724bdcb10bada21af37c ]

The following command:
  iptables -D FORWARD -m physdev ...
causes connectivity loss in some setups.

Reason is that iptables userspace will probe kernel for the module revision
of the physdev patch, and physdev has an artificial dependency on
br_netfilter (xt_physdev use makes no sense unless a br_netfilter module
is loaded).

This causes the "phydev" module to be loaded, which in turn enables the
"call-iptables" infrastructure.

Bridged packets might then get dropped by the iptables ruleset.

The better fix would be to change the "call-iptables" defaults to 0 and
enforce explicit setting to 1, but that breaks backwards compatibility.

This does the next best thing: add a request_module call to checkentry.
This way a stray '-D ... -m physdev' won't activate br_netfilter
anymore.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/netfilter/br_netfilter.h | 1 -
 net/bridge/br_netfilter_hooks.c      | 5 -----
 net/netfilter/xt_physdev.c           | 9 +++++++--
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h
index 4cd56808ac4e..89808ce293c4 100644
--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -43,7 +43,6 @@ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
 }
 
 struct net_device *setup_pre_routing(struct sk_buff *skb);
-void br_netfilter_enable(void);
 
 #if IS_ENABLED(CONFIG_IPV6)
 int br_validate_ipv6(struct net *net, struct sk_buff *skb);
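Review bot: Dropping the `br_netfilter_enable()` prototype from the public header is only safe if xt_physdev was its sole in-tree caller; the diffstat lists no other file touching it, so please confirm with a tree-wide grep before merging into stable, since any remaining caller would now fail to build rather than link.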
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index c93c35bb73dd..40d058378b52 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -881,11 +881,6 @@ static const struct nf_br_ops br_ops = {
 	.br_dev_xmit_hook =	br_nf_dev_xmit,
 };
 
-void br_netfilter_enable(void)
-{
-}
-EXPORT_SYMBOL_GPL(br_netfilter_enable);
-
 /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
  * br_dev_queue_push_xmit is called afterwards */
 static const struct nf_hook_ops br_nf_ops[] = {
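Review bot: Removing `EXPORT_SYMBOL_GPL(br_netfilter_enable)` drops an exported symbol from the module ABI, so any out-of-tree module that still references it will fail to load after this backport; as the function body was empty and its only effect was forcing the dependency, that is the intended outcome, but it deserves a mention in the commit message for stable consumers.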
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 4034d70bff39..b2e39cb6a590 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -96,8 +96,7 @@ physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
 static int physdev_mt_check(const struct xt_mtchk_param *par)
 {
 	const struct xt_physdev_info *info = par->matchinfo;
-
-	br_netfilter_enable();
+	static bool brnf_probed __read_mostly;
 
 	if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
 	    info->bitmask & ~XT_PHYSDEV_OP_MASK)
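Review bot: `static bool brnf_probed __read_mostly;` is a function-local static, so it persists for the lifetime of xt_physdev and is never reset; if br_netfilter is unloaded later, a new physdev rule will not re-probe it. That is a deliberate one-shot design, but a one-line comment above the declaration stating "probe br_netfilter at most once per module lifetime" would save the next reader from guessing.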
@@ -111,6 +110,12 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
 		if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
 			return -EINVAL;
 	}
+
+	if (!brnf_probed) {
+		brnf_probed = true;
+		request_module("br_netfilter");
+	}
+
 	return 0;
 }
 
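Review bot: The return value of `request_module("br_netfilter")` is ignored and `physdev_mt_check()` returns 0 regardless, so if the module cannot be loaded the rule is installed but will silently never match because no bridge metadata is attached to skbs; a `pr_warn_once()` on a non-zero return would make that failure visible to the administrator. The `brnf_probed` flag is also read and written without locking, so two concurrent rule insertions may both call `request_module()`; that is harmless since loading is idempotent, but worth noting in a comment so it is not mistaken for a bug.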
-- 
2.19.1


