Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp5586868img; Wed, 27 Mar 2019 11:11:55 -0700 (PDT) X-Google-Smtp-Source: APXvYqzgW80G2raxTTUkh68S+4/j9F0bDzJFHbo7bLmq0XgFyGso59Rl+kULpWDUBi9OqRbhwxr3 X-Received: by 2002:a63:4346:: with SMTP id q67mr35180979pga.92.1553710315851; Wed, 27 Mar 2019 11:11:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553710315; cv=none; d=google.com; s=arc-20160816; b=BJY4WXtAHsWlqlLUozv+j4eFR+j7FXw/L8l9ONoro1g8b+n7vHJ4WpE0b9zmWbxcYk oZDObAgemMERlHu7AQIBt1pkVFQboBfrKgB6Bcm0ANTUmBjFbqCuK8jso5SVHva3B9Ha PWVLvbaWAwZRCWn8RCGL+2n/wlrKaHqLtuT6L1E0do9VwaQ4fJf0iqb/ZC6II1zFl5iG 2/6XvOf+U4qEb0LshZfjS1J+p0hZ0KZVsGt8XLf79wtGuI7wvo9ecxsDJS8oORefLQXp 4o1hELipxXR4wHhX4IVXA0s6UOpxINLo4zPBogypUd97UQdscmN8jFaRtXhe1XMZ6XRL 5Zww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=kj4jQCQ3V8XnRWIGay91is50sGLcUBa8MtdhQ+boj9A=; b=RpmPnOZtR5Ci8pIeFW9ELkFz/BootLms5PnCiEyrUljat/FrmZ94F/ZvB8rEYgKdj8 qhuzh9tGPkXePkYM3mGT23lA9/+5bjbXz8L5CsvCB6xrXSUk9jcCkTBMW/rbvDgfgnjW YgY3z3YP9t9oJtU4cqa13PVEJwyCNw2L5zv/mlb+KSxHMZjxVsrsOMS2kPs9JGnJeSGo cg/ila5w+JXwydLTz5OWncQU1bBmMf/CIAsOmlUjwqtvw82NyXan6LRz2orBef/G1p3U WUPT3YuhyCgVPTogiXfLGkgXHLLihOX4XFsHnE/D9/yCra76zKrfsLMejKjAiVhGRQvj obHQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ZSWdVQRC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o90si1140451pfi.161.2019.03.27.11.11.40; Wed, 27 Mar 2019 11:11:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ZSWdVQRC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388574AbfC0SJf (ORCPT + 99 others); Wed, 27 Mar 2019 14:09:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:51350 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388580AbfC0SJc (ORCPT ); Wed, 27 Mar 2019 14:09:32 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4CD0D2063F; Wed, 27 Mar 2019 18:09:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1553710171; bh=w8JOCLULl7JTOFDUDC+FFkiBsazpMCqRDn6nVASIaZA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ZSWdVQRCTQb40wqcHByKeeAnE1qhzvm5BMSnsnPyd1f8bhs/a7ugnuZrR731lbcti LeFwYLh8Sn2CcmnouGhtgety97MiIEVwsKw9t9h2b94lh8t3Valt67znj6k+rQ/y0t /Cz1svxB0xqpYAJcu4GluPiETjsbxvN5/JscqPc8= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Florian Westphal , Pablo Neira Ayuso , Sasha Levin , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 5.0 233/262] netfilter: physdev: relax br_netfilter dependency Date: Wed, 27 Mar 2019 14:01:28 -0400 Message-Id: <20190327180158.10245-233-sashal@kernel.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20190327180158.10245-1-sashal@kernel.org> References: <20190327180158.10245-1-sashal@kernel.org> MIME-Version: 1.0 X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Florian Westphal [ Upstream commit 8e2f311a68494a6677c1724bdcb10bada21af37c ] Following command: iptables -D FORWARD -m physdev ... causes connectivity loss in some setups. Reason is that iptables userspace will probe kernel for the module revision of the physdev patch, and physdev has an artificial dependency on br_netfilter (xt_physdev use makes no sense unless a br_netfilter module is loaded). This causes the "phydev" module to be loaded, which in turn enables the "call-iptables" infrastructure. bridged packets might then get dropped by the iptables ruleset. The better fix would be to change the "call-iptables" defaults to 0 and enforce explicit setting to 1, but that breaks backwards compatibility. This does the next best thing: add a request_module call to checkentry. This was a stray '-D ... -m physdev' won't activate br_netfilter anymore. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- include/net/netfilter/br_netfilter.h | 1 - net/bridge/br_netfilter_hooks.c | 5 ----- net/netfilter/xt_physdev.c | 9 +++++++-- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h index 4cd56808ac4e..89808ce293c4 100644 --- a/include/net/netfilter/br_netfilter.h +++ b/include/net/netfilter/br_netfilter.h @@ -43,7 +43,6 @@ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev) } struct net_device *setup_pre_routing(struct sk_buff *skb); -void br_netfilter_enable(void); #if IS_ENABLED(CONFIG_IPV6) int br_validate_ipv6(struct net *net, struct sk_buff *skb); diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index c93c35bb73dd..40d058378b52 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -881,11 +881,6 @@ static const struct nf_br_ops br_ops = { .br_dev_xmit_hook = br_nf_dev_xmit, }; -void br_netfilter_enable(void) -{ -} -EXPORT_SYMBOL_GPL(br_netfilter_enable); - /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because * br_dev_queue_push_xmit is called afterwards */ static const struct nf_hook_ops br_nf_ops[] = { diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c index 4034d70bff39..b2e39cb6a590 100644 --- a/net/netfilter/xt_physdev.c +++ b/net/netfilter/xt_physdev.c @@ -96,8 +96,7 @@ physdev_mt(const struct sk_buff *skb, struct xt_action_param *par) static int physdev_mt_check(const struct xt_mtchk_param *par) { const struct xt_physdev_info *info = par->matchinfo; - - br_netfilter_enable(); + static bool brnf_probed __read_mostly; if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || info->bitmask & ~XT_PHYSDEV_OP_MASK) @@ -111,6 +110,12 @@ static int physdev_mt_check(const struct xt_mtchk_param *par) if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) return -EINVAL; } + + if (!brnf_probed) { + brnf_probed = true; + request_module("br_netfilter"); + } + return 0; } -- 2.19.1