netfilter: bridge: Don't sabotage nf_hook calls for an l3mdev slave

mainline inclusion from mainline-v5.1-rc1 commit cd6428988bf4fcc41d1deb7dae0e92e62c075c57 category: bugfix bugzilla: 18682 CVE: NA ------------------------------------------------- Followup to a173f066 ("netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev"). Some packets (e.g., ndisc) do not have the skb device flipped to the l3mdev (e.g., VRF) device. Update ip_sabotage_in to not drop packets for slave devices too. Currently, neighbor solicitation packets for 'dev -> bridge (addr) -> vrf' setups are getting dropped. This patch enables IPv6 communications for bridges with an address that are enslaved to a VRF. Fixes: 73e20b76 ("net: vrf: Add support for PREROUTING rules on vrf device") Signed-off-by: N David Ahern <dsahern@gmail.com> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N YueHaibing <yuehaibing@huawei.com> Conflicts: net/bridge/br_netfilter_hooks.c Reviewed-by: N Wenan Mao <maowenan@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

netfilter: bridge: Don't sabotage nf_hook calls for an l3mdev slave
mainline inclusion from mainline-v5.1-rc1 commit cd6428988bf4fcc41d1deb7dae0e92e62c075c57 category: bugfix bugzilla: 18682 CVE: NA ------------------------------------------------- Followup to a173f066 ("netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev"). Some packets (e.g., ndisc) do not have the skb device flipped to the l3mdev (e.g., VRF) device. Update ip_sabotage_in to not drop packets for slave devices too. Currently, neighbor solicitation packets for 'dev -> bridge (addr) -> vrf' setups are getting dropped. This patch enables IPv6 communications for bridges with an address that are enslaved to a VRF. Fixes: 73e20b76 ("net: vrf: Add support for PREROUTING rules on vrf device") Signed-off-by: N David Ahern <dsahern@gmail.com> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: N YueHaibing <yuehaibing@huawei.com> Conflicts: net/bridge/br_netfilter_hooks.c Reviewed-by: N Wenan Mao <maowenan@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
5182eb99 · David Ahern · Xie XiuQi · 711933a7 · 5182eb99
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

net/bridge/br_netfilter_hooks.c net/bridge/br_netfilter_hooks.c +2 -1

未找到文件。
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -837,7 +837,8 @@ static unsigned int ip_sabotage_in(void *priv,
 				   const struct nf_hook_state *state)
 {
 	if (skb->nf_bridge && !skb->nf_bridge->in_prerouting &&
-	    !netif_is_l3_master(skb->dev)) {
+	    !netif_is_l3_master(skb->dev) &&
+	    !netif_is_l3_slave(skb->dev)) {
 		state->okfn(state->net, state->sk, skb);
 		return NF_STOLEN;
 	}