git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 11 Jan 2019 13:46:15 +0000 (14:46 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sat, 27 Apr 2019 07:33:53 +0000 (09:33 +0200)
commit	421d2aae103cc215cc8167c00e842441d2b06fce
tree	f079fd9ec5b1a2cd91e85b2e1fa018fdf5313f8c	tree \| snapshot
parent	10fc10c3270d7d60108b071ebc37058be5dbf028	commit \| diff

netfilter: physdev: relax br_netfilter dependency

[ Upstream commit 8e2f311a68494a6677c1724bdcb10bada21af37c ]

Following command:
iptables -D FORWARD -m physdev ...
causes connectivity loss in some setups.

Reason is that iptables userspace will probe kernel for the module revision
of the physdev patch, and physdev has an artificial dependency on
br_netfilter (xt_physdev use makes no sense unless a br_netfilter module
is loaded).

This causes the "phydev" module to be loaded, which in turn enables the
"call-iptables" infrastructure.

bridged packets might then get dropped by the iptables ruleset.

The better fix would be to change the "call-iptables" defaults to 0 and
enforce explicit setting to 1, but that breaks backwards compatibility.

This does the next best thing: add a request_module call to checkentry.
This was a stray '-D ... -m physdev' won't activate br_netfilter
anymore.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

include/net/netfilter/br_netfilter.h		diff \| blob \| blame \| history
net/bridge/br_netfilter_hooks.c		diff \| blob \| blame \| history
net/netfilter/xt_physdev.c		diff \| blob \| blame \| history