* [PATCH v4 0/2] Drop IPV6 packets if IPv6 is disabled on boot
From: Leonardo Bras @ 2019-08-30 18:13 UTC (permalink / raw)
To: netfilter-devel, coreteam, bridge, netdev, linux-kernel
Cc: Leonardo Bras, Pablo Neira Ayuso, Jozsef Kadlecsik,
Florian Westphal, Roopa Prabhu, Nikolay Aleksandrov,
David S. Miller
This patchset was previously a single patch named:
- netfilter: nf_tables: fib: Drop IPV6 packets if IPv6 is disabled on boot
It fixes a bug where a host, with IPv6 disabled on boot, has to deal with
guest IPv6 packets that come from a bridge interface.
When these packets reach the host ip6tables they cause a kernel panic.
---
Changes from v3:
- Move drop logic from nft_fib6_eval{,_type} to nft_fib_netdev_eval
- Add another patch to drop ipv6 packets from bridge when ipv6 disabled
Changes from v2:
- Replace verdict.code from NF_DROP to NFT_BREAK
- Updated commit message (s/package/packet)
Changes from v1:
- Move drop logic from nft_fib_inet_eval() to nft_fib6_eval{,_type}
so it can affect other usages of these functions.
Leonardo Bras (2):
netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is
disabled
net: br_netfiler_hooks: Drops IPv6 packets if IPv6 module is not
loaded
net/bridge/br_netfilter_hooks.c | 2 ++
net/netfilter/nft_fib_netdev.c | 3 +++
2 files changed, 5 insertions(+)
--
2.20.1
* [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Leonardo Bras @ 2019-08-30 18:13 UTC (permalink / raw)
To: netfilter-devel, coreteam, bridge, netdev, linux-kernel
Cc: Leonardo Bras, Pablo Neira Ayuso, Jozsef Kadlecsik,
Florian Westphal, Roopa Prabhu, Nikolay Aleksandrov,
David S. Miller
If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
dealing with an IPv6 packet, it causes a kernel panic in
fib6_node_lookup_1(), crashing in bad_page_fault.
The panic is caused by trying to dereference a very low address (0x38
in ppc64le), due to ipv6.fib6_main_tbl = NULL.
BUG: Kernel NULL pointer dereference at 0x00000038
The kernel panic was reproduced in a host that disabled IPv6 on boot and
has to process guest packets (coming from a bridge) using its ip6tables.
Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module
is not loaded.
Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
---
net/netfilter/nft_fib_netdev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nft_fib_netdev.c b/net/netfilter/nft_fib_netdev.c
index 2cf3f32fe6d2..a2e726ae7f07 100644
--- a/net/netfilter/nft_fib_netdev.c
+++ b/net/netfilter/nft_fib_netdev.c
@@ -14,6 +14,7 @@
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
+#include <net/ipv6.h>
#include <net/netfilter/nft_fib.h>
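Review bot: the new `#include <net/ipv6.h>` is placed between `<net/netfilter/nf_tables.h>` and `<net/netfilter/nft_fib.h>`, splitting the net/netfilter/ header group; move it up next to the other non-netfilter headers so the grouping stays intact. Since ipv6_mod_enabled() is the only symbol this file needs from it, a short comment saying so would spare the next reader the question of why a netdev-family expression pulls in net/ipv6.h.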
@@ -34,6 +35,8 @@ static void nft_fib_netdev_eval(const struct nft_expr *expr,
}
break;
case ETH_P_IPV6:
+ if (!ipv6_mod_enabled())
+ break;
switch (priv->result) {
case NFT_FIB_RESULT_OIF:
case NFT_FIB_RESULT_OIFNAME:
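Review bot: the commit message names nft_fib_inet as the code that hits the NULL ipv6.fib6_main_tbl, but the only guard added is in nft_fib_netdev_eval(); either the message should say why the netdev family is the right place (the cover letter's v3 change moved the check here from nft_fib6_eval{,_type}) or the inet path needs the same treatment. Also, the bare `break` only terminates the rule because of code after the outer switch that is outside this hunk's context; a one-line comment at the new check, e.g. `/* ipv6.disable=1: no fib6 tables, expression cannot match */`, would make the NFT_BREAK intent readable on its own.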
--
2.20.1
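The v3 changelog in the cover letter replaced the expression's NF_DROP verdict with NFT_BREAK, and this patch's subject says the rule is terminated rather than the packet dropped. The difference is easier to see in code. The following is an added example, not code from the series or from the kernel: a userspace model of an nf_tables chain in which the fib expression sets NFT_BREAK (as this patch does) or NF_DROP (as earlier revisions of the series did) when the packet is IPv6 and the IPv6 stack is non-functional. The verdict names mirror the kernel's; `struct pkt`, `struct rule`, the `ipv6_enabled` flag and the helper names are simplified stand-ins, not kernel API.

```c
/*
 * Added example, not code from the patch series or the kernel. A
 * userspace model of how an nf_tables chain reacts when an expression
 * sets NFT_BREAK versus NF_DROP for an IPv6 packet while the IPv6 stack
 * is non-functional (ipv6.disable=1). Verdict names mirror the kernel's;
 * struct pkt, struct rule, ipv6_enabled and the helpers are stand-ins.
 */
#include <stdbool.h>
#include <stdio.h>

enum verdict { V_CONTINUE, V_BREAK, V_ACCEPT, V_DROP };

struct pkt { unsigned short ethertype; };  /* 0x0800 = IPv4, 0x86DD = IPv6 */

/* stand-in for ipv6_mod_enabled(): false when booted with ipv6.disable=1 */
static bool ipv6_enabled;

/* an expression writes a verdict; V_CONTINUE means "go on with this rule" */
typedef enum verdict (*expr_fn)(const struct pkt *);

#define MAX_EXPRS 4
struct rule { expr_fn exprs[MAX_EXPRS]; int n; };

/* fib expression as in this patch: if the packet is IPv6 and there are no
 * fib6 tables, terminate this rule (NFT_BREAK). Otherwise the modelled
 * lookup reports "no route", so the rule keeps matching. */
static enum verdict fib_break(const struct pkt *p)
{
    if (p->ethertype == 0x86DD && !ipv6_enabled)
        return V_BREAK;
    return V_CONTINUE;
}

/* the same expression as in earlier revisions of the series: NF_DROP */
static enum verdict fib_drop(const struct pkt *p)
{
    if (p->ethertype == 0x86DD && !ipv6_enabled)
        return V_DROP;
    return V_CONTINUE;
}

static enum verdict drop_verdict(const struct pkt *p)   { (void)p; return V_DROP; }
static enum verdict accept_verdict(const struct pkt *p) { (void)p; return V_ACCEPT; }

/* Mirrors the shape of nft_do_chain(): a rule's expressions run until one
 * leaves something other than CONTINUE in the verdict register. BREAK ends
 * the current rule and moves on to the next one; ACCEPT or DROP ends the
 * chain. The chain policy applies when no rule decided. */
static enum verdict do_chain(const struct rule *rules, int nrules,
                             enum verdict policy, const struct pkt *p)
{
    for (int r = 0; r < nrules; r++) {
        enum verdict v = V_CONTINUE;

        for (int e = 0; e < rules[r].n; e++) {
            v = rules[r].exprs[e](p);
            if (v != V_CONTINUE)
                break;
        }
        if (v == V_BREAK || v == V_CONTINUE)
            continue;               /* next rule */
        return v;                   /* this rule decided the packet */
    }
    return policy;
}

/* Chain under test: rule 1 "fib ... missing drop", rule 2 "accept". */
static enum verdict run_chain(expr_fn fib, const struct pkt *p)
{
    struct rule rules[2] = {
        { { fib, drop_verdict }, 2 },
        { { accept_verdict }, 1 },
    };
    return do_chain(rules, 2, V_ACCEPT, p);
}

/* verdict for an IPv6 packet when the fib expression uses NFT_BREAK */
enum verdict verdict_with_break(bool ipv6_on)
{
    struct pkt p = { 0x86DD };
    ipv6_enabled = ipv6_on;
    return run_chain(fib_break, &p);
}

/* verdict for an IPv6 packet when the fib expression uses NF_DROP */
enum verdict verdict_with_drop(bool ipv6_on)
{
    struct pkt p = { 0x86DD };
    ipv6_enabled = ipv6_on;
    return run_chain(fib_drop, &p);
}

int main(void)
{
    printf("ipv6 disabled, fib sets NFT_BREAK: %s\n",
           verdict_with_break(false) == V_ACCEPT ? "accept (rule 2 ran)" : "drop");
    printf("ipv6 disabled, fib sets NF_DROP:   %s\n",
           verdict_with_drop(false) == V_DROP ? "drop (rule 1 never finished)" : "accept");
    printf("ipv6 enabled,  fib sets NFT_BREAK: %s\n",
           verdict_with_break(true) == V_DROP ? "drop (no route, rule 1 matched)" : "accept");
    return 0;
}
```

With NFT_BREAK the fib expression simply stops matching, so the later accept rule (or the chain policy) still decides the packet; with NF_DROP the expression itself discards every IPv6 frame on an ipv6.disable=1 host regardless of what the rest of the ruleset says, which is the blackhole behaviour the series moved away from.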
* [PATCH v4 2/2] net: br_netfiler_hooks: Drops IPv6 packets if IPv6 module is not loaded
From: Leonardo Bras @ 2019-08-30 18:13 UTC (permalink / raw)
To: netfilter-devel, coreteam, bridge, netdev, linux-kernel
Cc: Leonardo Bras, Pablo Neira Ayuso, Jozsef Kadlecsik,
Florian Westphal, Roopa Prabhu, Nikolay Aleksandrov,
David S. Miller
A kernel panic can happen if a host has disabled IPv6 on boot and has to
process guest packets (coming from a bridge) using its ip6tables.
IPv6 packets need to be dropped if the IPv6 module is not loaded.
Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
---
net/bridge/br_netfilter_hooks.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index d3f9592f4ff8..5e8693730df1 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -493,6 +493,8 @@ static unsigned int br_nf_pre_routing(void *priv,
brnet = net_generic(state->net, brnf_net_id);
if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
is_pppoe_ipv6(skb, state->net)) {
+ if (!ipv6_mod_enabled())
+ return NF_DROP;
if (!brnet->call_ip6tables &&
!br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
return NF_ACCEPT;
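Review bot: `return NF_DROP` is placed before the `call_ip6tables` / `BROPT_NF_CALL_IP6TABLES` test, so on an ipv6.disable=1 host every IPv6 frame crossing any bridge is dropped, including on bridges where ip6tables traversal is off and the existing code would have returned NF_ACCEPT. Move the check below that test so only the configuration that would actually enter the non-functional IPv6 stack is refused, and emit a pr_warn_once() naming the conflict so the operator can see why frames vanish instead of debugging a silent drop.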
--
2.20.1
* Re: [PATCH v4 2/2] net: br_netfiler_hooks: Drops IPv6 packets if IPv6 module is not loaded
From: Florian Westphal @ 2019-08-30 20:55 UTC (permalink / raw)
To: Leonardo Bras
Cc: netfilter-devel, coreteam, bridge, netdev, linux-kernel,
Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Roopa Prabhu, Nikolay Aleksandrov, David S. Miller
Leonardo Bras <leonardo@linux.ibm.com> wrote:
> A kernel panic can happen if a host has disabled IPv6 on boot and has to
> process guest packets (coming from a bridge) using its ip6tables.
>
> IPv6 packets need to be dropped if the IPv6 module is not loaded.
>
> Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
> ---
> net/bridge/br_netfilter_hooks.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
> index d3f9592f4ff8..5e8693730df1 100644
> --- a/net/bridge/br_netfilter_hooks.c
> +++ b/net/bridge/br_netfilter_hooks.c
> @@ -493,6 +493,8 @@ static unsigned int br_nf_pre_routing(void *priv,
> brnet = net_generic(state->net, brnf_net_id);
> if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
> is_pppoe_ipv6(skb, state->net)) {
> + if (!ipv6_mod_enabled())
> + return NF_DROP;
> if (!brnet->call_ip6tables &&
> !br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
> return NF_ACCEPT;
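Review bot: the hunk calls ipv6_mod_enabled() without adding an include, unlike the nft_fib_netdev.c patch in this series, which adds `<net/ipv6.h>` for the same call; confirm that br_netfilter_hooks.c already pulls that header in and that the declaration also resolves on a !CONFIG_IPV6 build, otherwise this branch will fail to compile in that configuration.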
No, that's too aggressive and turns the bridge into an ipv6 blackhole.
There are two solutions:
1. The above patch, but use NF_ACCEPT instead
2. keep the DROP, but move it below the call_ip6tables test,
so that users can tweak call-ip6tables to accept packets.
Perhaps it would be good to also add a pr_warn_once() that
tells that ipv6 was disabled on command line and
call-ip6tables isn't supported in this configuration.
I would go with option two.
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Florian Westphal @ 2019-08-30 20:58 UTC (permalink / raw)
To: Leonardo Bras
Cc: netfilter-devel, coreteam, bridge, netdev, linux-kernel,
Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Roopa Prabhu, Nikolay Aleksandrov, David S. Miller
Leonardo Bras <leonardo@linux.ibm.com> wrote:
> If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
> dealing with an IPv6 packet, it causes a kernel panic in
> fib6_node_lookup_1(), crashing in bad_page_fault.
>
> The panic is caused by trying to dereference a very low address (0x38
> in ppc64le), due to ipv6.fib6_main_tbl = NULL.
> BUG: Kernel NULL pointer dereference at 0x00000038
>
> The kernel panic was reproduced in a host that disabled IPv6 on boot and
> has to process guest packets (coming from a bridge) using its ip6tables.
>
> Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module
> is not loaded.
>
> Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
Acked-by: Florian Westphal <fw@strlen.de>
* Re: [PATCH v4 2/2] net: br_netfiler_hooks: Drops IPv6 packets if IPv6 module is not loaded
From: Leonardo Bras @ 2019-08-31 4:42 UTC (permalink / raw)
To: Florian Westphal
Cc: netfilter-devel, coreteam, bridge, netdev, linux-kernel,
Pablo Neira Ayuso, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
On Fri, 2019-08-30 at 22:55 +0200, Florian Westphal wrote:
> Leonardo Bras <leonardo@linux.ibm.com> wrote:
> > A kernel panic can happen if a host has disabled IPv6 on boot and has to
> > process guest packets (coming from a bridge) using its ip6tables.
> >
> > IPv6 packets need to be dropped if the IPv6 module is not loaded.
> >
> > Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
> > ---
> > net/bridge/br_netfilter_hooks.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
> > index d3f9592f4ff8..5e8693730df1 100644
> > --- a/net/bridge/br_netfilter_hooks.c
> > +++ b/net/bridge/br_netfilter_hooks.c
> > @@ -493,6 +493,8 @@ static unsigned int br_nf_pre_routing(void *priv,
> > brnet = net_generic(state->net, brnf_net_id);
> > if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) ||
> > is_pppoe_ipv6(skb, state->net)) {
> > + if (!ipv6_mod_enabled())
> > + return NF_DROP;
> > if (!brnet->call_ip6tables &&
> > !br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
> > return NF_ACCEPT;
>
> No, that's too aggressive and turns the bridge into an ipv6 blackhole.
>
> There are two solutions:
> 1. The above patch, but use NF_ACCEPT instead
> 2. keep the DROP, but move it below the call_ip6tables test,
> so that users can tweak call-ip6tables to accept packets.
Q: Does 2 mean that it will only be dropped if the bridge intends to use
the host's ip6tables? Else, it will be accepted by the previous if?
> Perhaps it would be good to also add a pr_warn_once() that
> tells that ipv6 was disabled on command line and
> call-ip6tables isn't supported in this configuration.
>
Good idea, added.
> I would go with option two.
I think it's better than 1 too.
I sent a v5 with these changes:
https://lkml.org/lkml/2019/8/31/4
Thanks!
Leonardo Bras
* Re: [PATCH v4 2/2] net: br_netfiler_hooks: Drops IPv6 packets if IPv6 module is not loaded
From: Florian Westphal @ 2019-08-31 8:43 UTC (permalink / raw)
To: Leonardo Bras
Cc: Florian Westphal, netfilter-devel, coreteam, bridge, netdev,
linux-kernel, Pablo Neira Ayuso, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
Leonardo Bras <leonardo@linux.ibm.com> wrote:
> > There are two solutions:
> > 1. The above patch, but use NF_ACCEPT instead
> > 2. keep the DROP, but move it below the call_ip6tables test,
> > so that users can tweak call-ip6tables to accept packets.
>
> Q: Does 2 mean that it will only be dropped if the bridge intends to use
> the host's ip6tables? Else, it will be accepted by the previous if?
Yes, that's the idea: Let users decide if ipv6.disable or call-ip6tables
is more important to them.
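The exchange above settles on testing call-ip6tables before ipv6_mod_enabled(), so that a bridge which never hands frames to the host's ip6tables keeps forwarding IPv6 on an ipv6.disable=1 host. The following is an added example, not code from the patch, its v5 follow-up or the kernel: a userspace model of the verdict br_nf_pre_routing() gives an IPv6 frame under both orderings, run over the four combinations of "IPv6 stack functional" and "call-ip6tables on". The NF_DROP/NF_ACCEPT/NF_STOLEN values match the kernel's; `struct cfg`, the function names, the one-shot warning text and the use of NF_STOLEN as a stand-in for handing the skb to ip6tables are assumptions of the model.

```c
/*
 * Added example, not code from the patch or the kernel. A userspace
 * model of the verdict br_nf_pre_routing() gives an IPv6 frame under
 * the two orderings discussed in the thread: "v4" checks
 * ipv6_mod_enabled() before the call-ip6tables test, "option 2" tests
 * call-ip6tables first and warns once. Verdict values match the
 * kernel's; struct cfg and the function names are stand-ins.
 */
#include <stdbool.h>
#include <stdio.h>

enum nf_verdict { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2 };

struct cfg {
    bool ipv6_mod_enabled;   /* ipv6_mod_enabled(): false with ipv6.disable=1 */
    bool call_ip6tables;     /* bridge-nf-call-ip6tables or BROPT_NF_CALL_IP6TABLES */
};

static int warn_prints;      /* how many times the one-shot warning printed */

/* models pr_warn_once(): emit the message the first time only */
static void warn_once(void)
{
    static bool done;

    if (done)
        return;
    done = true;
    warn_prints++;
    fprintf(stderr, "br_netfilter: ipv6 is disabled on the command line, "
                    "call-ip6tables is not supported in this configuration\n");
}

int warnings_emitted(void)
{
    return warn_prints;
}

/* v4 ordering: drop before consulting call-ip6tables */
static enum nf_verdict v4_pre_routing_ipv6(const struct cfg *c)
{
    if (!c->ipv6_mod_enabled)
        return NF_DROP;
    if (!c->call_ip6tables)
        return NF_ACCEPT;          /* bridge does not want ip6tables */
    return NF_STOLEN;              /* stand-in for handing the skb to ip6tables */
}

/* option 2 ordering: bridges that never call ip6tables are unaffected */
static enum nf_verdict opt2_pre_routing_ipv6(const struct cfg *c)
{
    if (!c->call_ip6tables)
        return NF_ACCEPT;
    if (!c->ipv6_mod_enabled) {
        warn_once();
        return NF_DROP;
    }
    return NF_STOLEN;
}

enum nf_verdict v4_verdict(bool ipv6_on, bool call_ip6tables)
{
    struct cfg c = { ipv6_on, call_ip6tables };
    return v4_pre_routing_ipv6(&c);
}

enum nf_verdict opt2_verdict(bool ipv6_on, bool call_ip6tables)
{
    struct cfg c = { ipv6_on, call_ip6tables };
    return opt2_pre_routing_ipv6(&c);
}

static const char *name(enum nf_verdict v)
{
    return v == NF_DROP ? "NF_DROP" : v == NF_ACCEPT ? "NF_ACCEPT" : "NF_STOLEN";
}

int main(void)
{
    printf("%-11s %-16s %-10s %s\n", "ipv6 stack", "call-ip6tables", "v4", "option 2");
    for (int v6 = 0; v6 < 2; v6++)
        for (int call = 0; call < 2; call++)
            printf("%-11s %-16s %-10s %s\n", v6 ? "on" : "off",
                   call ? "on" : "off",
                   name(v4_verdict(v6, call)), name(opt2_verdict(v6, call)));
    return 0;
}
```

The row that matters is "ipv6 stack off, call-ip6tables off": the v4 ordering returns NF_DROP there, which is the blackhole, while option 2 returns NF_ACCEPT and only drops (with a single warning) when the bridge is configured to call into the non-functional IPv6 stack.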
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Leonardo Bras @ 2019-09-03 16:46 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, coreteam, bridge, netdev, linux-kernel,
Florian Westphal, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
On Fri, 2019-08-30 at 22:58 +0200, Florian Westphal wrote:
> Leonardo Bras <leonardo@linux.ibm.com> wrote:
> > If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
> > dealing with an IPv6 packet, it causes a kernel panic in
> > fib6_node_lookup_1(), crashing in bad_page_fault.
> >
> > The panic is caused by trying to dereference a very low address (0x38
> > in ppc64le), due to ipv6.fib6_main_tbl = NULL.
> > BUG: Kernel NULL pointer dereference at 0x00000038
> >
> > The kernel panic was reproduced in a host that disabled IPv6 on boot and
> > has to process guest packets (coming from a bridge) using its ip6tables.
> >
> > Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module
> > is not loaded.
> >
> > Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
>
> Acked-by: Florian Westphal <fw@strlen.de>
>
Hello Pablo,
Any trouble with this patch?
I could see the other* one got applied, but not this one.
*(The other did not get acked, so I released it alone as v5)
Is there any fix I need to do in this one?
Best regards,
Leonardo Bras
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Pablo Neira Ayuso @ 2019-09-03 16:49 UTC (permalink / raw)
To: Leonardo Bras
Cc: netfilter-devel, coreteam, bridge, netdev, linux-kernel,
Florian Westphal, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
On Tue, Sep 03, 2019 at 01:46:50PM -0300, Leonardo Bras wrote:
> On Fri, 2019-08-30 at 22:58 +0200, Florian Westphal wrote:
> > Leonardo Bras <leonardo@linux.ibm.com> wrote:
> > > If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
> > > dealing with an IPv6 packet, it causes a kernel panic in
> > > fib6_node_lookup_1(), crashing in bad_page_fault.
> > >
> > > The panic is caused by trying to dereference a very low address (0x38
> > > in ppc64le), due to ipv6.fib6_main_tbl = NULL.
> > > BUG: Kernel NULL pointer dereference at 0x00000038
> > >
> > > The kernel panic was reproduced in a host that disabled IPv6 on boot and
> > > has to process guest packets (coming from a bridge) using its ip6tables.
> > >
> > > Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module
> > > is not loaded.
> > >
> > > Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
> >
> > Acked-by: Florian Westphal <fw@strlen.de>
> >
>
> Hello Pablo,
>
> Any trouble with this patch?
> I could see the other* one got applied, but not this one.
> *(The other did not get acked, so I released it alone as v5)
>
> Is there any fix I need to do in this one?
Hm, I see, so this one:
https://patchwork.ozlabs.org/patch/1156100/
is not enough?
I was expecting we could find a way to handle this from br_netfilter
alone itself.
Thanks.
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Leonardo Bras @ 2019-09-03 16:56 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, coreteam, bridge, netdev, linux-kernel,
Florian Westphal, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
On Tue, 2019-09-03 at 18:49 +0200, Pablo Neira Ayuso wrote:
> On Tue, Sep 03, 2019 at 01:46:50PM -0300, Leonardo Bras wrote:
> > On Fri, 2019-08-30 at 22:58 +0200, Florian Westphal wrote:
> > Hello Pablo,
> >
> > Any trouble with this patch?
> > I could see the other* one got applied, but not this one.
> > *(The other did not get acked, so I released it alone as v5)
> >
> > Is there any fix I need to do in this one?
>
> Hm, I see, so this one:
>
> https://patchwork.ozlabs.org/patch/1156100/
>
> is not enough?
By what I could understand of Florian's e-mail, we would need both:
>> So, given I don't want to plaster ipv6_mod_enabled() everywhere, I
>> would suggest this course of action:
>>
>> 1. add a patch to BREAK in nft_fib_netdev.c for !ipv6_mod_enabled()
>> 2. change net/bridge/br_netfilter_hooks.c, br_nf_pre_routing() to
>> make sure ipv6_mod_enabled() is true before doing the ipv6 stack
>> "emulation".
Is that ok?
>
> I was expecting we could find a way to handle this from br_netfilter
> alone itself.
>
> Thanks.
Thank you!
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Florian Westphal @ 2019-09-03 17:05 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Leonardo Bras, netfilter-devel, coreteam, bridge, netdev,
linux-kernel, Florian Westphal, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Tue, Sep 03, 2019 at 01:46:50PM -0300, Leonardo Bras wrote:
> > On Fri, 2019-08-30 at 22:58 +0200, Florian Westphal wrote:
> > > Leonardo Bras <leonardo@linux.ibm.com> wrote:
> > > > If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
> > > > dealing with an IPv6 packet, it causes a kernel panic in
> > > > fib6_node_lookup_1(), crashing in bad_page_fault.
> > > >
> > > > The panic is caused by trying to dereference a very low address (0x38
> > > > in ppc64le), due to ipv6.fib6_main_tbl = NULL.
> > > > BUG: Kernel NULL pointer dereference at 0x00000038
> > > >
> > > > The kernel panic was reproduced in a host that disabled IPv6 on boot and
> > > > has to process guest packets (coming from a bridge) using its ip6tables.
> > > >
> > > > Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module
> > > > is not loaded.
> > > >
> > > > Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
> > >
> > > Acked-by: Florian Westphal <fw@strlen.de>
> > >
> >
> > Hello Pablo,
> >
> > Any trouble with this patch?
> > I could see the other* one got applied, but not this one.
> > *(The other did not get acked, so I released it alone as v5)
> >
> > Is there any fix I need to do in this one?
>
> Hm, I see, so this one:
>
> https://patchwork.ozlabs.org/patch/1156100/
>
> is not enough?
No, it's not.
> I was expecting we could find a way to handle this from br_netfilter
> alone itself.
We can't because we support ipv6 fib lookups from the netdev family
as well.
Alternative is to auto-accept ipv6 packets from the nf_tables eval loop,
but I think it's worse.
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Pablo Neira Ayuso @ 2019-09-03 19:31 UTC (permalink / raw)
To: Florian Westphal
Cc: Leonardo Bras, netfilter-devel, coreteam, bridge, netdev,
linux-kernel, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
On Tue, Sep 03, 2019 at 07:05:50PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Tue, Sep 03, 2019 at 01:46:50PM -0300, Leonardo Bras wrote:
> > > On Fri, 2019-08-30 at 22:58 +0200, Florian Westphal wrote:
> > > > Leonardo Bras <leonardo@linux.ibm.com> wrote:
> > > > > If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
> > > > > dealing with an IPv6 packet, it causes a kernel panic in
> > > > > fib6_node_lookup_1(), crashing in bad_page_fault.
> > > > >
> > > > > The panic is caused by trying to dereference a very low address (0x38
> > > > > in ppc64le), due to ipv6.fib6_main_tbl = NULL.
> > > > > BUG: Kernel NULL pointer dereference at 0x00000038
> > > > >
> > > > > The kernel panic was reproduced in a host that disabled IPv6 on boot and
> > > > > has to process guest packets (coming from a bridge) using its ip6tables.
> > > > >
> > > > > Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module
> > > > > is not loaded.
> > > > >
> > > > > Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
> > > >
> > > > Acked-by: Florian Westphal <fw@strlen.de>
> > > >
> > >
> > > Hello Pablo,
> > >
> > > Any trouble with this patch?
> > > I could see the other* one got applied, but not this one.
> > > *(The other did not get acked, so I released it alone as v5)
> > >
> > > Is there any fix I need to do in this one?
> >
> > Hm, I see, so this one:
> >
> > https://patchwork.ozlabs.org/patch/1156100/
> >
> > is not enough?
>
> No, its not.
>
> > I was expecting we could find a way to handle this from br_netfilter
> > alone itself.
>
> We can't because we support ipv6 fib lookups from the netdev family
> as well.
>
> Alternative is to auto-accept ipv6 packets from the nf_tables eval loop,
> but I think it's worse.
Could we add a restriction for nf_tables + br_netfilter + !ipv6. I
mean, if this is an IPv6 packet, nf_tables is on and IPv6 module is
off, then drop this packet?
By dropping the packet, the user could diagnose that its setup is
incomplete. I mean, if nf_tables fib ipv6 is used, then this setup is
really wrong and the user forgets to load the ipv6 module.
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Florian Westphal @ 2019-09-03 19:48 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Florian Westphal, Leonardo Bras, netfilter-devel, coreteam,
bridge, netdev, linux-kernel, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > I was expecting we could find a way to handle this from br_netfilter
> > > alone itself.
> >
> > We can't because we support ipv6 fib lookups from the netdev family
> > as well.
> >
> > Alternative is to auto-accept ipv6 packets from the nf_tables eval loop,
> > but I think it's worse.
>
> Could we add a restriction for nf_tables + br_netfilter + !ipv6. I
> mean, if this is an IPv6 packet, nf_tables is on and IPv6 module is
> off, then drop this packet?
We could do that from nft_do_chain_netdev().
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Pablo Neira Ayuso @ 2019-09-03 20:19 UTC (permalink / raw)
To: Florian Westphal
Cc: Leonardo Bras, netfilter-devel, coreteam, bridge, netdev,
linux-kernel, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
On Tue, Sep 03, 2019 at 09:48:09PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > > I was expecting we could find a way to handle this from br_netfilter
> > > > alone itself.
> > >
> > > We can't because we support ipv6 fib lookups from the netdev family
> > > as well.
> > >
> > > Alternative is to auto-accept ipv6 packets from the nf_tables eval loop,
> > > but I think it's worse.
> >
> > Could we add a restriction for nf_tables + br_netfilter + !ipv6. I
> > mean, if this is an IPv6 packet, nf_tables is on and IPv6 module is
> > off, then drop this packet?
>
> We could do that from nft_do_chain_netdev().
Indeed, this is all about the netdev case.
Probably add something similar to nf_ip6_route() to deal with
ip6_route_lookup() case? This is the one triggering the problem, right?
BTW, how does the nft_fib_ipv6 module kick in if the ipv6 module is not
loaded? The symbol dependency would pull in the IPv6 module anyway.
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Florian Westphal @ 2019-09-03 20:35 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Florian Westphal, Leonardo Bras, netfilter-devel, coreteam,
bridge, netdev, linux-kernel, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Tue, Sep 03, 2019 at 09:48:09PM +0200, Florian Westphal wrote:
> > We could do that from nft_do_chain_netdev().
>
> Indeed, this is all about the netdev case.
>
> Probably add something similar to nf_ip6_route() to deal with
> ip6_route_lookup() case? This is the one triggering the problem, right?
Yes, this particular problem is caused by ipv6 fib not being
initialized due to ipv6.disable=1. I don't know if there are cases
other than FIB.
> BTW, how does the nft_fib_ipv6 module kick in if the ipv6 module is not
> loaded? The symbol dependency would pull in the IPv6 module anyway.
ipv6.disabled=1 does load the ipv6 module, but it's non-functional.
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Pablo Neira Ayuso @ 2019-09-03 20:55 UTC (permalink / raw)
To: Florian Westphal
Cc: Leonardo Bras, netfilter-devel, coreteam, bridge, netdev,
linux-kernel, Jozsef Kadlecsik, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
On Tue, Sep 03, 2019 at 10:35:31PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Tue, Sep 03, 2019 at 09:48:09PM +0200, Florian Westphal wrote:
> > > We could do that from nft_do_chain_netdev().
> >
> > Indeed, this is all about the netdev case.
> >
> > Probably add something similar to nf_ip6_route() to deal with
> > ip6_route_lookup() case? This is the one triggering the problem, right?
>
> Yes, this particular problem is caused by ipv6 fib not being
> initialized due to ipv6.disable=1. I don't know if there are cases
> other than FIB.
>
> > BTW, how does the nft_fib_ipv6 module kick in if the ipv6 module is not
> > loaded? The symbol dependency would pull in the IPv6 module anyway.
>
> ipv6.disabled=1 does load the ipv6 module, but it's non-functional.
I see, thanks for explaining.
* Re: [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled
From: Pablo Neira Ayuso @ 2019-09-03 20:55 UTC (permalink / raw)
To: Leonardo Bras
Cc: netfilter-devel, coreteam, bridge, netdev, linux-kernel,
Jozsef Kadlecsik, Florian Westphal, Roopa Prabhu,
Nikolay Aleksandrov, David S. Miller
On Fri, Aug 30, 2019 at 03:13:53PM -0300, Leonardo Bras wrote:
> If IPv6 is disabled on boot (ipv6.disable=1), but nft_fib_inet ends up
> dealing with an IPv6 packet, it causes a kernel panic in
> fib6_node_lookup_1(), crashing in bad_page_fault.
>
> The panic is caused by trying to dereference a very low address (0x38
> in ppc64le), due to ipv6.fib6_main_tbl = NULL.
> BUG: Kernel NULL pointer dereference at 0x00000038
>
> The kernel panic was reproduced in a host that disabled IPv6 on boot and
> has to process guest packets (coming from a bridge) using its ip6tables.
>
> Terminate rule evaluation when packet protocol is IPv6 but the ipv6 module
> is not loaded.
Patch is applied, thanks.
Thread overview:
2019-08-30 18:13 [PATCH v4 0/2] Drop IPV6 packets if IPv6 is disabled on boot Leonardo Bras
2019-08-30 18:13 ` [PATCH v4 1/2] netfilter: Terminate rule eval if protocol=IPv6 and ipv6 module is disabled Leonardo Bras
2019-08-30 20:58 ` Florian Westphal
2019-09-03 16:46 ` Leonardo Bras
2019-09-03 16:49 ` Pablo Neira Ayuso
2019-09-03 16:56 ` Leonardo Bras
2019-09-03 17:05 ` Florian Westphal
2019-09-03 19:31 ` Pablo Neira Ayuso
2019-09-03 19:48 ` Florian Westphal
2019-09-03 20:19 ` Pablo Neira Ayuso
2019-09-03 20:35 ` Florian Westphal
2019-09-03 20:55 ` Pablo Neira Ayuso
2019-09-03 20:55 ` Pablo Neira Ayuso
2019-08-30 18:13 ` [PATCH v4 2/2] net: br_netfiler_hooks: Drops IPv6 packets if IPv6 module is not loaded Leonardo Bras
2019-08-30 20:55 ` Florian Westphal
2019-08-31 4:42 ` Leonardo Bras
2019-08-31 8:43 ` Florian Westphal