From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Florian Westphal, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.4 062/168] netfilter: physdev: relax br_netfilter dependency
Date: Wed, 24 Apr 2019 19:08:26 +0200
Message-Id: <20190424170927.450633455@linuxfoundation.org>
In-Reply-To: <20190424170923.452349382@linuxfoundation.org>
References: <20190424170923.452349382@linuxfoundation.org>

[ Upstream commit 8e2f311a68494a6677c1724bdcb10bada21af37c ]

Following command:

  iptables -D FORWARD -m physdev ...

causes connectivity loss in some setups.

Reason is that iptables userspace will probe kernel for the module revision
of the physdev patch, and physdev has an artificial dependency on
br_netfilter (xt_physdev use makes no sense unless a br_netfilter module
is loaded).

This causes the "phydev" module to be loaded, which in turn enables the
"call-iptables" infrastructure.

Bridged packets might then get dropped by the iptables ruleset.

The better fix would be to change the "call-iptables" defaults to 0 and
enforce explicit setting to 1, but that breaks backwards compatibility.

This does the next best thing: add a request_module call to checkentry.
This way a stray '-D ... -m physdev' won't activate br_netfilter anymore.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
--- include/net/netfilter/br_netfilter.h | 1 - net/bridge/br_netfilter_hooks.c | 5 ----- net/netfilter/xt_physdev.c | 9 +++++++-- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h index e8d1448425a7..b1d0d46344e2 100644 --- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h @@ -42,7 +42,6 @@ static inline struct rtable *bridge_parent_rtable(const struct net_device *dev) } struct net_device *setup_pre_routing(struct sk_buff *skb); -void br_netfilter_enable(void); #if IS_ENABLED(CONFIG_IPV6) int br_validate_ipv6(struct net *net, struct sk_buff *skb); diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index 6def85d75b1d..93b5525bcccf 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -873,11 +873,6 @@ static const struct nf_br_ops br_ops = { .br_dev_xmit_hook = br_nf_dev_xmit, }; -void br_netfilter_enable(void) -{ -} -EXPORT_SYMBOL_GPL(br_netfilter_enable); - /* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because * br_dev_queue_push_xmit is called afterwards */ static struct nf_hook_ops br_nf_ops[] __read_mostly = { diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c index 1caaccbc306c..7e4063621960 100644 --- a/net/netfilter/xt_physdev.c +++ b/net/netfilter/xt_physdev.c @@ -96,8 +96,7 @@ match_outdev: static int physdev_mt_check(const struct xt_mtchk_param *par) { const struct xt_physdev_info *info = par->matchinfo; - - br_netfilter_enable(); + static bool brnf_probed __read_mostly; if (!(info->bitmask & XT_PHYSDEV_OP_MASK) || info->bitmask & ~XT_PHYSDEV_OP_MASK) @@ -113,6 +112,12 @@ static int physdev_mt_check(const struct xt_mtchk_param *par) if (par->hook_mask & (1 << NF_INET_LOCAL_OUT)) return -EINVAL; } + + if (!brnf_probed) { + brnf_probed = true; + request_module("br_netfilter"); + } + return 0; } -- 2.19.1
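Review bot: the net/bridge/br_netfilter_hooks.c hunk removes an EXPORT_SYMBOL_GPL'd function (br_netfilter_enable) from a 4.4 stable kernel, so any out-of-tree module still referencing that symbol will fail to load with an unresolved-symbol error; the only in-tree caller goes away in the xt_physdev.c hunk, so the tree stays consistent, but the stable backport note should state the exported-symbol removal explicitly rather than leaving it implied by the diffstat.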
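Review bot: in the first net/netfilter/xt_physdev.c hunk, `static bool brnf_probed __read_mostly;` is read and written inside physdev_mt_check with no synchronization, so if two rule checks run concurrently both can observe it false and each call request_module("br_netfilter"); that is harmless, since a second request for an already-loaded module is a no-op, but a one-line comment on the declaration saying the benign race is tolerated on purpose would keep a later reader from "fixing" it with a lock or an atomic.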
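Review bot: in the second net/netfilter/xt_physdev.c hunk the new `request_module("br_netfilter")` block sits after the bitmask and hook_mask validation, so a rule that is rejected with -EINVAL no longer pulls br_netfilter in, and the return value of request_module is ignored so the match still loads on kernels where the module is unavailable; both behaviours are the point of the change but neither is stated at the call site, so a short comment above `if (!brnf_probed)` documenting that the probe is deliberately deferred to rule insertion and best-effort would help.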