From 5182eb9924a0e8d21f6fb8748af95eac8bbe767e Mon Sep 17 00:00:00 2001
From: David Ahern
Date: Tue, 23 Jul 2019 21:05:02 +0800
Subject: [PATCH] netfilter: bridge: Don't sabotage nf_hook calls for an l3mdev slave

mainline inclusion
from mainline-v5.1-rc1
commit cd6428988bf4fcc41d1deb7dae0e92e62c075c57
category: bugfix
bugzilla: 18682
CVE: NA

-------------------------------------------------

Followup to a173f066c7cf ("netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev"). Some packets (e.g., ndisc) do not have the skb device flipped to the l3mdev (e.g., VRF) device. Update ip_sabotage_in to not drop packets for slave devices too. Currently, neighbor solicitation packets for 'dev -> bridge (addr) -> vrf' setups are getting dropped. This patch enables IPv6 communications for bridges with an address that are enslaved to a VRF.

Fixes: 73e20b761acf ("net: vrf: Add support for PREROUTING rules on vrf device")
Signed-off-by: David Ahern
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: YueHaibing
Conflicts: net/bridge/br_netfilter_hooks.c
Reviewed-by: Wenan Mao
Signed-off-by: Yang Yingliang
---
 net/bridge/br_netfilter_hooks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 212c184c1eee..ec12b068ab13 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -837,7 +837,8 @@ static unsigned int ip_sabotage_in(void *priv,
 				   const struct nf_hook_state *state)
 {
 	if (skb->nf_bridge && !skb->nf_bridge->in_prerouting &&
-	    !netif_is_l3_master(skb->dev)) {
+	    !netif_is_l3_master(skb->dev) &&
+	    !netif_is_l3_slave(skb->dev)) {
 		state->okfn(state->net, state->sk, skb);
 		return NF_STOLEN;
 	}
-- 
GitLab
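Review bot: The added `!netif_is_l3_slave(skb->dev)` term widens the set of bridged packets that are no longer stolen and instead continue down the IPv4/IPv6 PREROUTING chain, and the hunk leaves that trade-off undocumented at the condition. Given that the steal exists (as the function name and the `in_prerouting` check suggest) to stop a packet the bridge already hooked from traversing PREROUTING a second time, packets whose skb->dev is an l3mdev slave will presumably now be evaluated by those hooks twice, so stateful or counting PREROUTING rules on such a slave (NAT, rate limits, byte counters) should be checked for double evaluation before this is backported. I would annotate the condition: `/* Let l3mdev master/slave (e.g. VRF) packets run the IP hooks again so VRF-scoped PREROUTING rules see them; other bridged skbs already traversed PREROUTING. */`. ip_sabotage_in's signature begins in the hunk header and its remaining body (the accept path) lies past the hunk.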