diff mbox

net/bridge: Fix dropping packets that moving through bridge interface

Message ID 947bdfc8-07f1-f909-2328-85af084de741@gmail.com
State Accepted
Delegated to: Pablo Neira
Headers show

Commit Message

Artur Molchanov Dec. 30, 2016, 4:46 p.m. UTC 
From: Artur Molchanov <artur.molchanov@synesis.ru>

Fixes: c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")

Problem:
br_nf_pre_routing_finish() calls itself instead of
br_nf_pre_routing_finish_bridge().
Due to this bug reverse path filter drops packets that moving through
bridge interface.

User impact:
Local docker containers with bridge network can not communicate with
each other.

Signed-off-by: Artur Molchanov <artur.molchanov@synesis.ru>
---
  net/bridge/br_netfilter_hooks.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

              ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);

Comments

Florian Westphal Dec. 30, 2016, 4:58 p.m. UTC | #1 
Artur Molchanov <arturmolchanov@gmail.com> wrote:
> From: Artur Molchanov <artur.molchanov@synesis.ru>
> 
> Fixes: c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
> 
> Problem:
> br_nf_pre_routing_finish() calls itself instead of
> br_nf_pre_routing_finish_bridge().
> Due to this bug reverse path filter drops packets that moving through
> bridge interface.

Indeed, thanks for fixing this!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso Dec. 30, 2016, 5:22 p.m. UTC | #2 
On Fri, Dec 30, 2016 at 05:58:11PM +0100, Florian Westphal wrote:
> Artur Molchanov <arturmolchanov@gmail.com> wrote:
> > From: Artur Molchanov <artur.molchanov@synesis.ru>
> > 
> > Fixes: c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
> > 
> > Problem:
> > br_nf_pre_routing_finish() calls itself instead of
> > br_nf_pre_routing_finish_bridge().
> > Due to this bug reverse path filter drops packets that moving through
> > bridge interface.
> 
> Indeed, thanks for fixing this!

Applied, thanks everyone.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Artur Molchanov Jan. 5, 2017, 7:11 a.m. UTC | #3 
30.12.2016 20:22, Pablo Neira Ayuso wrote:

> On Fri, Dec 30, 2016 at 05:58:11PM +0100, Florian Westphal wrote:
>> Artur Molchanov <arturmolchanov@gmail.com> wrote:
>>> From: Artur Molchanov <artur.molchanov@synesis.ru>
>>>
>>> Fixes: c5136b15ea36 ("netfilter: bridge: add and use br_nf_hook_thresh")
>>>
>>> Problem:
>>> br_nf_pre_routing_finish() calls itself instead of
>>> br_nf_pre_routing_finish_bridge().
>>> Due to this bug reverse path filter drops packets that moving through
>>> bridge interface.
>> Indeed, thanks for fixing this!
> Applied, thanks everyone.

When the fix will be available in upstream?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/bridge/br_netfilter_hooks.c 
b/net/bridge/br_netfilter_hooks.c
index 8ca6a92..95087e6 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -399,7 +399,7 @@  static int br_nf_pre_routing_finish(struct net *net, 
struct sock *sk, struct sk_
                  br_nf_hook_thresh(NF_BR_PRE_ROUTING,
                            net, sk, skb, skb->dev,
                            NULL,
-                          br_nf_pre_routing_finish);
+                          br_nf_pre_routing_finish_bridge);
                  return 0;
              }