| Message ID | 20190830181354.26279-3-leonardo@linux.ibm.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | Drop IPV6 packets if IPv6 is disabled on boot | expand |
Leonardo Bras <leonardo@linux.ibm.com> wrote: > A kernel panic can happen if a host has disabled IPv6 on boot and have to > process guest packets (coming from a bridge) using it's ip6tables. > > IPv6 packets need to be dropped if the IPv6 module is not loaded. > > Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com> > --- > net/bridge/br_netfilter_hooks.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c > index d3f9592f4ff8..5e8693730df1 100644 > --- a/net/bridge/br_netfilter_hooks.c > +++ b/net/bridge/br_netfilter_hooks.c > @@ -493,6 +493,8 @@ static unsigned int br_nf_pre_routing(void *priv, > brnet = net_generic(state->net, brnf_net_id); > if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || > is_pppoe_ipv6(skb, state->net)) { > + if (!ipv6_mod_enabled()) > + return NF_DROP; > if (!brnet->call_ip6tables && > !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) > return NF_ACCEPT; No, thats too aggressive and turns the bridge into an ipv6 blackhole. There are two solutions: 1. The above patch, but use NF_ACCEPT instead 2. keep the DROP, but move it below the call_ip6tables test, so that users can tweak call-ip6tables to accept packets. Perhaps it would be good to also add a pr_warn_once() that tells that ipv6 was disabled on command line and call-ip6tables isn't supported in this configuration. I would go with option two.
On Fri, 2019-08-30 at 22:55 +0200, Florian Westphal wrote: > Leonardo Bras <leonardo@linux.ibm.com> wrote: > > A kernel panic can happen if a host has disabled IPv6 on boot and have to > > process guest packets (coming from a bridge) using it's ip6tables. > > > > IPv6 packets need to be dropped if the IPv6 module is not loaded. > > > > Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com> > > --- > > net/bridge/br_netfilter_hooks.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c > > index d3f9592f4ff8..5e8693730df1 100644 > > --- a/net/bridge/br_netfilter_hooks.c > > +++ b/net/bridge/br_netfilter_hooks.c > > @@ -493,6 +493,8 @@ static unsigned int br_nf_pre_routing(void *priv, > > brnet = net_generic(state->net, brnf_net_id); > > if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || > > is_pppoe_ipv6(skb, state->net)) { > > + if (!ipv6_mod_enabled()) > > + return NF_DROP; > > if (!brnet->call_ip6tables && > > !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) > > return NF_ACCEPT; > > No, thats too aggressive and turns the bridge into an ipv6 blackhole. > > There are two solutions: > 1. The above patch, but use NF_ACCEPT instead > 2. keep the DROP, but move it below the call_ip6tables test, > so that users can tweak call-ip6tables to accept packets. Q: Does 2 mean that it will only be dropped if bridge intents to use host's ip6tables? Else, it will be accepted by previous if? > Perhaps it would be good to also add a pr_warn_once() that > tells that ipv6 was disabled on command line and > call-ip6tables isn't supported in this configuration. > Good idea, added. > I would go with option two. I think it's better than 1 too. I sent a v5 with these changes: https://lkml.org/lkml/2019/8/31/4 Thanks! Leonardo Bras
Leonardo Bras <leonardo@linux.ibm.com> wrote: > > There are two solutions: > > 1. The above patch, but use NF_ACCEPT instead > > 2. keep the DROP, but move it below the call_ip6tables test, > > so that users can tweak call-ip6tables to accept packets. > > Q: Does 2 mean that it will only be dropped if bridge intents to use > host's ip6tables? Else, it will be accepted by previous if? Yes, thats the idea: Let users decide if ipv6.disable or call-ip6tables is more important to them.
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index d3f9592f4ff8..5e8693730df1 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -493,6 +493,8 @@ static unsigned int br_nf_pre_routing(void *priv, brnet = net_generic(state->net, brnf_net_id); if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || is_pppoe_ipv6(skb, state->net)) { + if (!ipv6_mod_enabled()) + return NF_DROP; if (!brnet->call_ip6tables && !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) return NF_ACCEPT;
A kernel panic can happen if a host has disabled IPv6 on boot and have to process guest packets (coming from a bridge) using it's ip6tables. IPv6 packets need to be dropped if the IPv6 module is not loaded. Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com> --- net/bridge/br_netfilter_hooks.c | 2 ++ 1 file changed, 2 insertions(+)