Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp2852966ybl;
        Thu, 29 Aug 2019 14:00:07 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxYHBcGl6IKRkjTg9kKctqf01DqEzkec9mcVsZ+N7/0G0NcNmaakhiMHQ5grVaNHN7ztGS0
X-Received: by 2002:a65:448a:: with SMTP id l10mr9868367pgq.327.1567112407372;
        Thu, 29 Aug 2019 14:00:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1567112407; cv=none;
        d=google.com; s=arc-20160816;
        b=Gb5DNVSnXwMuKR/i23vbgm6YSWBPoz24W+rOQkwwFYhJkKujKo8FLmYz7nfewrZok4
         VTPvVXlsSTFQ2WfxQAtn1XDKF8++e25/OU+umPJGWzr1eDEHHUqc5j7v6viObbJpCeFq
         njyY7QcecKumyJyVIdg8eXW23Fk4NGT8vG3Gng70UNF20/CYdk3XiOh5WKGzcXeVamGP
         8ToxI4CmlwszwEC4GMEqBVO1AnqlhTqEjHBafugqpI/yw+OZPnvVccN0+zzMAevzGaQc
         NAjUlhkClpD2NNW6V5yyI5vtaBExPTeA+IYuADiL5hcC7eElvNmzZYE6DaEAZjQdexJa
         4w2g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=+RzjwqquKSge4D+puNeFP845JxkkHjT8vD1ZrIV0+lM=;
        b=Xs8Dxfvgzt0KfkFXr11NBGyVrNZwIGq/x02ZW1FraOjePAKaySEDPMfP+eJBEIyfsS
         aFRDeOIvpLA1sRQlQeEiuDW5Fv2a0bFN3iG/ag5hnO5aODZkQHXgZXcEJXtq7YU8EQ89
         gXExnQZOSks0Je9qpld6kG1+wTn4z63U5IloW7lM7TlaBZ5jrVgXbqeAP4OnutQv4GAL
         3IpHVGLNP9Nc7kBXTM0+4sTlL+GPgbn/h+3oCKD8CA7DuK10SVMPLJLu2CxziQRCoOvx
         nngjnVoRKFlfriqeaIyFUTmuzEFrvXzMlrsZ2XgElNalcQlTsGzXd/ENBY/36PJ/ssSp
         M02A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m190si2887552pga.322.2019.08.29.13.59.52;
        Thu, 29 Aug 2019 14:00:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728300AbfH2U6h (ORCPT <rfc822;zffurovfq63@gmail.com>
        + 99 others); Thu, 29 Aug 2019 16:58:37 -0400
Received: from Chamillionaire.breakpoint.cc ([193.142.43.52]:53624 "EHLO
        Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726935AbfH2U6h (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 29 Aug 2019 16:58:37 -0400
Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92)
        (envelope-from <fw@strlen.de>)
        id 1i3RV2-0007J3-97; Thu, 29 Aug 2019 22:58:32 +0200
Date:   Thu, 29 Aug 2019 22:58:32 +0200
From:   Florian Westphal <fw@strlen.de>
To:     Leonardo Bras <leonardo@linux.ibm.com>
Cc:     Pablo Neira Ayuso <pablo@netfilter.org>,
        Florian Westphal <fw@strlen.de>,
        "David S. Miller" <davem@davemloft.net>,
        netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        Jozsef Kadlecsik <kadlec@netfilter.org>,
        Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Subject: Re: [PATCH v2 1/1] netfilter: nf_tables: fib: Drop IPV6 packages if
 IPv6 is disabled on boot
Message-ID: <20190829205832.GM20113@breakpoint.cc>
References: <20190821141505.2394-1-leonardo@linux.ibm.com>
 <db0f02c5b1a995fde174f036540a3d11008cf116.camel@linux.ibm.com>
 <b6585989069fd832a65b73d1c4f4319a10714165.camel@linux.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <b6585989069fd832a65b73d1c4f4319a10714165.camel@linux.ibm.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Leonardo Bras <leonardo@linux.ibm.com> wrote:
> On Thu, 2019-08-29 at 17:04 -0300, Leonardo Bras wrote:
> > > Thats a good point -- Leonardo, is the
> > > "net.bridge.bridge-nf-call-ip6tables" sysctl on?
> > 
> > Running
> > # sudo sysctl -a
> > I can see:
> > net.bridge.bridge-nf-call-ip6tables = 1
> 
> Also, doing
> # echo 0 >  /proc/sys/net/bridge/bridge-nf-call-ip6tables 
> And then trying to boot the guest will not crash the host.
> 
> Which would make sense, since host iptables is not dealing with guest
> IPv6 packets.

Yes.

> So, the real cause of this bug is the bridge making host ip6tables deal
> with guest IPv6 packets ? 
> If so, would it be ok if write a patch testing ipv6_mod_enabled()
> before passing guest ipv6 packets to host ip6tables? 

I'm not sure.  This switch is very old, it was added 10 years ago
in v2.6.31-rc1.

Even if we disable call-ip6tables in br_netfilter we will at least
in addition need a patch for nft_fib_netdev.c.

From a "avoid calls to ipv6 stack when its disabled" standpoint,
the safest fix is to disable call-ip6tables functionality if ipv6
module is off *and* fix nft_fib_netdev.c to BREAK in ipv6 is off case.

I started to place a list of suspicous modules here, but that got out
of hand quickly.

So, given I don't want to plaster ipv6_mod_enabled() everywhere, I
would suggest this course of action:

1. add a patch to BREAK in nft_fib_netdev.c for !ipv6_mod_enabled()
2. change net/bridge/br_netfilter_hooks.c, br_nf_pre_routing() to
   make sure ipv6_mod_enabled() is true before doing the ipv6 stack
   "emulation".

Makes sense?

Thanks,
Florian