* [PATCHv4 nf-next] netfilter: bridge: fix IPv6 packets not being bridged with CONFIG_IPV6=n
@ 2015-08-13  6:58 Bernhard Thaler
From: Bernhard Thaler @ 2015-08-13  6:58 UTC
  To: pablo, kadlec; +Cc: netfilter-devel, Bernhard Thaler

230ac490f7fba introduced a dependency on CONFIG_IPV6 which breaks bridging
of IPv6 packets on a bridge with CONFIG_IPV6=n.

Sysctl entry /proc/sys/net/bridge/bridge-nf-call-ip6tables defaults to 1;
for this reason packets are handled by br_nf_pre_routing_ipv6(). When compiled
with CONFIG_IPV6=n this function returns NF_DROP but should return NF_ACCEPT
to let packets through.

Change CONFIG_IPV6=n br_nf_pre_routing_ipv6() return value to NF_ACCEPT.

Tested with a simple bridge with two interfaces and IPv6 packets trying
to pass from host on left side to host on right side of the bridge.

Fixes: 230ac490f7fba ("netfilter: bridge: split ipv6 code into separated file")

Signed-off-by: Bernhard Thaler <bernhard.thaler@wvnet.at>
---
NOTE:
With CONFIG_IPV6=n, /proc/sys/net/bridge/bridge-nf-call-ip6tables is ineffective,
as regardless of its value packets will not be available to ip6tables, which is
not available in this case anyway.
This patch is the easier solution to the original problem without introducing
new code (and complexity) for exposing ip6tables related sysfs and sysctl
entries only when CONFIG_IPV6=y.

Patch history

v4
* complete re-write to a simpler solution only changing NF_DROP
  to NF_ACCEPT in br_nf_pre_routing_ipv6() when CONFIG_IPV6=n

v3
* fix checkpatch error in separate patch
* changes to reduce #ifdef pollution

v2
* do not expose sysfs and sysctl if CONFIG_IP6_NF_IPTABLES=n
* change dependency to CONFIG_IP6_NF_IPTABLES as suggested by Florian Westphal
* removed changes to br_validate_ipv6() in br_netfilter.h as tests show it may
  not be needed

v1
* sysfs and sysctl entry were exposed but not writeable if CONFIG_IPV6=n

 include/net/netfilter/br_netfilter.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h
index bab824b..d4c6b5f 100644
--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -59,7 +59,7 @@ static inline unsigned int
 br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops, struct sk_buff *skb,
 		       const struct nf_hook_state *state)
 {
-	return NF_DROP;
+	return NF_ACCEPT;
 }
 #endif
 
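Review bot: the stub br_nf_pre_routing_ipv6() now returns NF_ACCEPT with no comment at the changed return line saying why a hook that cannot inspect the packet lets it through, so a later reader could reasonably "harden" it back to NF_DROP and reintroduce the regression. A one-line comment above the return would document the intent, for example: /* CONFIG_IPV6=n: no ip6tables to call, let the frame be bridged */. It is also worth stating in the commit message proper, not only in the NOTE below the "---" (which is dropped when the patch is applied), that bridge-nf-call-ip6tables stays visible and defaults to 1 on such builds while having no filtering effect, since an operator reading that sysctl may assume bridged IPv6 frames are being passed to ip6tables.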
-- 
1.7.10.4



* Re: [PATCHv4 nf-next] netfilter: bridge: fix IPv6 packets not being bridged with CONFIG_IPV6=n
@ 2015-08-19 19:22 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2015-08-19 19:22 UTC
  To: Bernhard Thaler; +Cc: kadlec, netfilter-devel

On Thu, Aug 13, 2015 at 08:58:15AM +0200, Bernhard Thaler wrote:
> 230ac490f7fba introduced a dependency on CONFIG_IPV6 which breaks bridging
> of IPv6 packets on a bridge with CONFIG_IPV6=n.
> 
> Sysctl entry /proc/sys/net/bridge/bridge-nf-call-ip6tables defaults to 1;
> for this reason packets are handled by br_nf_pre_routing_ipv6(). When compiled
> with CONFIG_IPV6=n this function returns NF_DROP but should return NF_ACCEPT
> to let packets through.
> 
> Change CONFIG_IPV6=n br_nf_pre_routing_ipv6() return value to NF_ACCEPT.
> 
> Tested with a simple bridge with two interfaces and IPv6 packets trying
> to pass from host on left side to host on right side of the bridge.
> 
> Fixes: 230ac490f7fba ("netfilter: bridge: split ipv6 code into separated file")

Applied this oneliner to the nf tree, thanks.

