From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Florian Westphal, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 5.0 218/246] netfilter: physdev: relax br_netfilter dependency
Date: Thu, 4 Apr 2019 10:48:38 +0200
Message-Id: <20190404084626.831232056@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190404084619.236418459@linuxfoundation.org>
References: <20190404084619.236418459@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

5.0-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit 8e2f311a68494a6677c1724bdcb10bada21af37c ]

Following command:

iptables -D FORWARD -m physdev ...

causes connectivity loss in some setups.

Reason is that iptables userspace will probe kernel for the module revision of the physdev patch, and physdev has an artificial dependency on br_netfilter (xt_physdev use makes no sense unless a br_netfilter module is loaded).

This causes the "phydev" module to be loaded, which in turn enables the "call-iptables" infrastructure.

bridged packets might then get dropped by the iptables ruleset.

The better fix would be to change the "call-iptables" defaults to 0 and enforce explicit setting to 1, but that breaks backwards compatibility.

This does the next best thing: add a request_module call to checkentry. This way a stray '-D ... -m physdev' won't activate br_netfilter anymore.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
---
 include/net/netfilter/br_netfilter.h | 1 -
 net/bridge/br_netfilter_hooks.c      | 5 -----
 net/netfilter/xt_physdev.c           | 9 +++++++--
 3 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h index 4cd56808ac4e..89808ce293c4 100644 --- a/include/net/netfilter/br_netfilter.h +++ b/include/net/netfilter/br_netfilter.h @@ -43,7 +43,6 @@ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev) } struct net_device *setup_pre_routing(struct sk_buff *skb); -void br_netfilter_enable(void); #if IS_ENABLED(CONFIG_IPV6) int br_validate_ipv6(struct net *net, struct sk_buff *skb); diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index c93c35bb73dd..40d058378b52 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -881,11 +881,6 @@ static const struct nf_br_ops br_ops = { .br_dev_xmit_hook = br_nf_dev_xmit, }; -void br_netfilter_enable(void) -{ -} -EXPORT_SYMBOL_GPL(br_netfilter_enable); - /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because * br_dev_queue_push_xmit is called afterwards */ static const struct nf_hook_ops br_nf_ops[] = { diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c index 4034d70bff39..b2e39cb6a590 100644 --- a/net/netfilter/xt_physdev.c +++ b/net/netfilter/xt_physdev.c @@ -96,8 +96,7 @@ match_outdev: static int physdev_mt_check(const struct xt_mtchk_param *par) { const struct xt_physdev_info *info = par->matchinfo; - - br_netfilter_enable(); + static bool brnf_probed __read_mostly; if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || info->bitmask & ~XT_PHYSDEV_OP_MASK) @@ -111,6 +110,12 @@ static int physdev_mt_check(const struct xt_mtchk_param *par) if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) return -EINVAL; } + + if (!brnf_probed) { + brnf_probed = true; + request_module("br_netfilter"); + } + return 0; } -- 2.19.1
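Review bot: the empty br_netfilter_enable() stub removed from net/bridge/br_netfilter_hooks.c existed only to create a symbol dependency that forced br_netfilter to be loaded whenever xt_physdev was; dropping the EXPORT_SYMBOL_GPL together with the declaration in include/net/netfilter/br_netfilter.h is consistent (any leftover caller would now fail to link, so none can be silently missed), but the commit message should say explicitly that the no-op exported function was the dependency mechanism being retired, otherwise a later reader will wonder why an empty function was ever exported.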
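Review bot: in the first net/netfilter/xt_physdev.c hunk, `static bool brnf_probed __read_mostly;` is a function-scope static, so the flag is global across all network namespaces and all tables and is never cleared, which differs from the per-netns state most netfilter code keeps; that is acceptable for a one-shot "have we asked for the module yet" marker, but a one-line comment above the declaration stating that it is intentionally global and write-once would stop someone from "fixing" it into per-netns state later.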
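Review bot: the `if (!brnf_probed) { brnf_probed = true; request_module("br_netfilter"); }` block in the second net/netfilter/xt_physdev.c hunk is an unlocked check-then-set, so two concurrent checkentry calls can both issue request_module(); that is harmless because module loading is idempotent, but a comment saying the race is tolerated would help. More importantly, the flag is set before the request and the return value of request_module() is discarded, so if the module is unavailable (not built, modprobe missing or denied) the load is never retried and the rule is still accepted via `return 0` with physdev matching silently ineffective; if that is the intended "best effort" behaviour, document it in the commit message, otherwise consider setting brnf_probed only when request_module() succeeds.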
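The commit message traces the connectivity loss to br_netfilter being pulled in and its "call-iptables" hooks becoming active. The following diagnostic is an added example, not part of the patch or of the kernel tree: it reports whether br_netfilter is loaded and what the bridge-nf-call-* sysctls are set to, which is the first thing to check on a bridge host that lost connectivity after an iptables run. It reads the standard /proc/sys/net/bridge interface; the optional directory argument, the function names and the constructed demo tree are assumptions made here so the check can be exercised without root or a bridge.

```shell
#!/bin/sh
# Added diagnostic (not from the patch): report whether br_netfilter is
# loaded and whether its "call-iptables" sysctls hand bridged traffic to
# the iptables ruleset, the condition the commit message blames for
# dropped packets.

# Prints "absent" when br_netfilter is not loaded (the sysctl directory
# only exists while the module is present), otherwise
# "loaded ipt=<v> ip6t=<v> arpt=<v>" with each sysctl's current value.
# The directory argument is an assumption of this example; it defaults to
# the real kernel path and can point at a constructed tree for testing.
brnf_status() {
    dir="${1:-/proc/sys/net/bridge}"
    if [ ! -d "$dir" ]; then
        echo "absent"
        return 0
    fi
    ipt=$(cat "$dir/bridge-nf-call-iptables" 2>/dev/null || echo "?")
    ip6t=$(cat "$dir/bridge-nf-call-ip6tables" 2>/dev/null || echo "?")
    arpt=$(cat "$dir/bridge-nf-call-arptables" 2>/dev/null || echo "?")
    echo "loaded ipt=$ipt ip6t=$ip6t arpt=$arpt"
}

# Succeeds (exit 0) when the status line shows bridged IPv4 frames being
# passed to iptables, i.e. br_netfilter is loaded and call-iptables is 1.
brnf_ipv4_hooked() {
    case "$1" in
        loaded*ipt=1*) return 0 ;;
        *) return 1 ;;
    esac
}

# On a real host, run: brnf_status
# Below: a constructed sysctl tree standing in for a host where the module
# was just loaded with the default call-iptables=1.
demo_dir=$(mktemp -d)
printf '1\n' > "$demo_dir/bridge-nf-call-iptables"
printf '0\n' > "$demo_dir/bridge-nf-call-ip6tables"
printf '0\n' > "$demo_dir/bridge-nf-call-arptables"
status=$(brnf_status "$demo_dir")
echo "$status"
if brnf_ipv4_hooked "$status"; then
    echo "bridged IPv4 traffic is subject to the iptables ruleset"
fi
rm -rf "$demo_dir"
```

If the script reports the module loaded with call-iptables=1 on a host that never asked for it, the commit message's explanation applies: something (such as an iptables revision probe) pulled br_netfilter in, and the FORWARD chain is now filtering bridged frames.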