
[PATCHv4,nf-next] netfilter: bridge: fix IPv6 packets not being bridged with CONFIG_IPV6=n

Message ID 1439449095-21947-1-git-send-email-bernhard.thaler@wvnet.at
State Accepted
Delegated to: Pablo Neira

Commit Message

Bernhard Thaler Aug. 13, 2015, 6:58 a.m. UTC
230ac490f7fba introduced a dependency on CONFIG_IPV6 which breaks bridging
of IPv6 packets on a bridge with CONFIG_IPV6=n.

Sysctl entry /proc/sys/net/bridge/bridge-nf-call-ip6tables defaults to 1;
for this reason packets are handled by br_nf_pre_routing_ipv6(). When compiled
with CONFIG_IPV6=n this function returns NF_DROP but should return NF_ACCEPT
to let packets through.

Change CONFIG_IPV6=n br_nf_pre_routing_ipv6() return value to NF_ACCEPT.

Tested with a simple bridge with two interfaces and IPv6 packets trying
to pass from host on left side to host on right side of the bridge.

Fixes: 230ac490f7fba ("netfilter: bridge: split ipv6 code into separated file")

Signed-off-by: Bernhard Thaler <bernhard.thaler@wvnet.at>
---
NOTE:
With CONFIG_IPV6=n /proc/sys/net/bridge/bridge-nf-call-ip6tables is ineffective,
as regardless of its value packets will not be available to ip6tables, which is not
available in this case anyway.
This patch is the easier solution to the original problem without introducing
new code (and complexity) for exposing ip6tables related sysfs and sysctl
entries only when CONFIG_IPV6=y.

Patch history

v4
* complete re-write to a simpler solution only changing NF_DROP
  to NF_ACCEPT in br_nf_pre_routing_ipv6() when CONFIG_IPV6=n

v3
* fix checkpatch error in separate patch
* changes to reduce #ifdef pollution

v2
* do not expose sysfs and sysctl if CONFIG_IP6_NF_IPTABLES=n
* change dependency to CONFIG_IP6_NF_IPTABLES as suggested by Florian Westphal
* removed changes to br_validate_ipv6() in br_netfilter.h as tests show it may
  not be needed

v1
* sysfs and sysctl entries were exposed but not writeable if CONFIG_IPV6=n

 include/net/netfilter/br_netfilter.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Pablo Neira Ayuso Aug. 19, 2015, 7:22 p.m. UTC | #1
On Thu, Aug 13, 2015 at 08:58:15AM +0200, Bernhard Thaler wrote:
> 230ac490f7fba introduced a dependency on CONFIG_IPV6 which breaks bridging
> of IPv6 packets on a bridge with CONFIG_IPV6=n.
> 
> Sysctl entry /proc/sys/net/bridge/bridge-nf-call-ip6tables defaults to 1;
> for this reason packets are handled by br_nf_pre_routing_ipv6(). When compiled
> with CONFIG_IPV6=n this function returns NF_DROP but should return NF_ACCEPT
> to let packets through.
> 
> Change CONFIG_IPV6=n br_nf_pre_routing_ipv6() return value to NF_ACCEPT.
> 
> Tested with a simple bridge with two interfaces and IPv6 packets trying
> to pass from host on left side to host on right side of the bridge.
> 
> Fixes: 230ac490f7fba ("netfilter: bridge: split ipv6 code into separated file")

Applied this oneliner to the nf tree, thanks.

Patch

diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h
index bab824b..d4c6b5f 100644
--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -59,7 +59,7 @@  static inline unsigned int
 br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops, struct sk_buff *skb,
 		       const struct nf_hook_state *state)
 {
-	return NF_DROP;
+	return NF_ACCEPT;
 }
 #endif
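Review bot: the new `return NF_ACCEPT;` in the CONFIG_IPV6=n stub should carry a short comment explaining why pass-through is correct here, because the hunk leaves a later reader with a bare return under `#endif` and no hint that the previous NF_DROP silently discarded every IPv6 frame crossing the bridge. Something like `/* No IPv6 support: no ip6tables to consult, let the frame through */` above the return would do. It is also worth recording in the commit text itself (not only in the note below the `---`) that on a CONFIG_IPV6=n kernel the bridge-nf-call-ip6tables sysctl is now a no-op for both values, so an operator who noticed IPv6 being dropped on such a bridge and assumed the sysctl was filtering it should know that bridged IPv6 now passes without any ip6tables inspection, which is the intended behaviour since ip6tables is absent, but a visible change.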