From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 77/87] netfilter: physdev: relax br_netfilter dependency
Date: Wed, 27 Mar 2019 14:20:30 -0400 [thread overview]
Message-ID: <20190327182040.17444-77-sashal@kernel.org> (raw)
In-Reply-To: <20190327182040.17444-1-sashal@kernel.org>
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 8e2f311a68494a6677c1724bdcb10bada21af37c ]
Following command:
iptables -D FORWARD -m physdev ...
causes connectivity loss in some setups.
Reason is that iptables userspace will probe kernel for the module revision
of the physdev patch, and physdev has an artificial dependency on
br_netfilter (xt_physdev use makes no sense unless a br_netfilter module
is loaded).
This causes the "phydev" module to be loaded, which in turn enables the
"call-iptables" infrastructure.
bridged packets might then get dropped by the iptables ruleset.
The better fix would be to change the "call-iptables" defaults to 0 and
enforce explicit setting to 1, but that breaks backwards compatibility.
This does the next best thing: add a request_module call to checkentry.
This was a stray '-D ... -m physdev' won't activate br_netfilter
anymore.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/br_netfilter.h | 1 -
net/bridge/br_netfilter_hooks.c | 5 -----
net/netfilter/xt_physdev.c | 9 +++++++--
3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h
index 0b0c35c37125..238d1b83a45a 100644
--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -48,7 +48,6 @@ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
}
struct net_device *setup_pre_routing(struct sk_buff *skb);
-void br_netfilter_enable(void);
#if IS_ENABLED(CONFIG_IPV6)
int br_validate_ipv6(struct net *net, struct sk_buff *skb);
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 7e42c0d1f55b..38865deab3ac 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -878,11 +878,6 @@ static const struct nf_br_ops br_ops = {
.br_dev_xmit_hook = br_nf_dev_xmit,
};
-void br_netfilter_enable(void)
-{
-}
-EXPORT_SYMBOL_GPL(br_netfilter_enable);
-
/* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
* br_dev_queue_push_xmit is called afterwards */
static struct nf_hook_ops br_nf_ops[] __read_mostly = {
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index bb33598e4530..ec247d8370e8 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -96,8 +96,7 @@ physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
static int physdev_mt_check(const struct xt_mtchk_param *par)
{
const struct xt_physdev_info *info = par->matchinfo;
-
- br_netfilter_enable();
+ static bool brnf_probed __read_mostly;
if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
info->bitmask & ~XT_PHYSDEV_OP_MASK)
@@ -113,6 +112,12 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
return -EINVAL;
}
+
+ if (!brnf_probed) {
+ brnf_probed = true;
+ request_module("br_netfilter");
+ }
+
return 0;
}
--
2.19.1
next prev parent reply other threads:[~2019-03-27 18:39 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-27 18:19 [PATCH AUTOSEL 4.9 01/87] CIFS: fix POSIX lock leak and invalid ptr deref Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 02/87] h8300: use cc-cross-prefix instead of hardcoding h8300-unknown-linux- Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 03/87] i2c: sis630: correct format strings Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 04/87] tracing: kdb: Fix ftdump to not sleep Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 05/87] gpio: gpio-omap: fix level interrupt idling Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 06/87] include/linux/relay.h: fix percpu annotation in struct rchan Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 07/87] sysctl: handle overflow for file-max Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 08/87] enic: fix build warning without CONFIG_CPUMASK_OFFSTACK Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 09/87] scsi: hisi_sas: Set PHY linkrate when disconnected Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 10/87] mm/cma.c: cma_declare_contiguous: correct err handling Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 11/87] mm/page_ext.c: fix an imbalance with kmemleak Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 12/87] mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 13/87] mm/slab.c: kmemleak no scan alien caches Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 14/87] ocfs2: fix a panic problem caused by o2cb_ctl Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 15/87] f2fs: do not use mutex lock in atomic context Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 16/87] fs/file.c: initialize init_files.resize_wait Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 17/87] cifs: use correct format characters Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 18/87] dm thin: add sanity checks to thin-pool and external snapshot creation Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 19/87] cifs: Fix NULL pointer dereference of devname Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 20/87] fs: Make splice() and tee() take into account O_NONBLOCK flag on pipes Sasha Levin
2019-03-28 15:37 ` Slavomir Kaslev
2019-03-28 16:04 ` Steven Rostedt
2019-04-03 16:19 ` Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 21/87] jbd2: fix invalid descriptor block checksum Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 22/87] fs: fix guard_bio_eod to check for real EOD errors Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 23/87] tools lib traceevent: Fix buffer overflow in arg_eval Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 24/87] wil6210: check null pointer in _wil_cfg80211_merge_extra_ies Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 25/87] crypto: crypto4xx - add missing of_node_put after of_device_is_available Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 26/87] usb: chipidea: Grab the (legacy) USB PHY by phandle first Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 27/87] scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 28/87] coresight: etm4x: Add support to enable ETMv4.2 Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 29/87] ARM: 8840/1: use a raw_spinlock_t in unwind Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 30/87] iommu/io-pgtable-arm-v7s: Only kmemleak_ignore L2 tables Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 31/87] mmc: omap: fix the maximum timeout setting Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 32/87] e1000e: Fix -Wformat-truncation warnings Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 33/87] mlxsw: spectrum: Avoid " Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 34/87] IB/mlx4: Increase the timeout for CM cache Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 35/87] ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of() Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 36/87] scsi: megaraid_sas: return error when create DMA pool failed Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 37/87] perf test: Fix failure of 'evsel-tp-sched' test on s390 Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 38/87] SoC: imx-sgtl5000: add missing put_device() Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 39/87] media: sh_veu: Correct return type for mem2mem buffer helpers Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 40/87] media: s5p-jpeg: " Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 41/87] media: s5p-g2d: " Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 42/87] media: mx2_emmaprp: " Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 43/87] vfs: fix preadv64v2 and pwritev64v2 compat syscalls with offset == -1 Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 44/87] HID: intel-ish-hid: avoid binding wrong ishtp_cl_device Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 45/87] leds: lp55xx: fix null deref on firmware load failure Sasha Levin
2019-03-27 18:19 ` [PATCH AUTOSEL 4.9 46/87] iwlwifi: pcie: fix emergency path Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 47/87] ACPI / video: Refactor and fix dmi_is_desktop() Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 48/87] kprobes: Prohibit probing on bsearch() Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 49/87] ARM: 8833/1: Ensure that NEON code always compiles with Clang Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 50/87] ALSA: PCM: check if ops are defined before suspending PCM Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 51/87] usb: f_fs: Avoid crash due to out-of-scope stack ptr access Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 52/87] bcache: fix input overflow to cache set sysfs file io_error_halflife Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 53/87] bcache: fix input overflow to sequential_cutoff Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 54/87] bcache: improve sysfs_strtoul_clamp() Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 55/87] genirq: Avoid summation loops for /proc/stat Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 56/87] iw_cxgb4: fix srqidx leak during connection abort Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 57/87] fbdev: fbmem: fix memory access if logo is bigger than the screen Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 58/87] cdrom: Fix race condition in cdrom_sysctl_register Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 59/87] e1000e: fix cyclic resets at link up with active tx Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 60/87] ASoC: fsl-asoc-card: fix object reference leaks in fsl_asoc_card_probe Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 61/87] locking/lockdep: Add debug_locks check in __lock_downgrade() Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 62/87] efi/memattr: Don't bail on zero VA if it equals the region's PA Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 63/87] ARM: dts: lpc32xx: Remove leading 0x and 0s from bindings notation Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 64/87] soc: qcom: gsbi: Fix error handling in gsbi_probe() Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 65/87] mt7601u: bump supported EEPROM version Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 66/87] ARM: avoid Cortex-A9 livelock on tight dmb loops Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 67/87] tty: increase the default flip buffer limit to 2*640K Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 68/87] powerpc/pseries: Perform full re-add of CPU for topology update post-migration Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 69/87] media: mt9m111: set initial frame size other than 0x0 Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 70/87] hwrng: virtio - Avoid repeated init of completion Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 71/87] soc/tegra: fuse: Fix illegal free of IO base address Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 72/87] HID: intel-ish: ipc: handle PIMR before ish_wakeup also clear PISR busy_clear bit Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 73/87] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 74/87] hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 75/87] dmaengine: imx-dma: fix warning comparison of distinct pointer types Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 76/87] dmaengine: qcom_hidma: assign channel cookie correctly Sasha Levin
2019-03-27 18:20 ` Sasha Levin [this message]
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 78/87] media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 79/87] regulator: act8865: Fix act8600_sudcdc_voltage_ranges setting Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 80/87] drm/nouveau: Stop using drm_crtc_force_disable Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 81/87] x86/build: Specify elf_i386 linker emulation explicitly for i386 objects Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 82/87] selinux: do not override context on context mounts Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 83/87] wlcore: Fix memory leak in case wl12xx_fetch_firmware failure Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 84/87] x86/build: Mark per-CPU symbols as absolute explicitly for LLD Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 85/87] dmaengine: tegra: avoid overflow of byte tracking Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 86/87] drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers Sasha Levin
2019-03-27 18:20 ` [PATCH AUTOSEL 4.9 87/87] ACPI / video: Extend chassis-type detection with a "Lunch Box" check Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190327182040.17444-77-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=coreteam@netfilter.org \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).