netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded
A kernel panic can happen if a host has disabled IPv6 on boot and has to
process guest packets (coming from a bridge) using its ip6tables.

IPv6 packets need to be dropped if the IPv6 module is not loaded, and the
host ip6tables will be used.

Signed-off-by: Leonardo Bras <[email protected]>
Acked-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
LeoBras authored and ummakynes committed Sep 2, 2019
1 parent e33b432 commit 48bd0d6
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions net/bridge/br_netfilter_hooks.c
Expand Up @@ -496,6 +496,10 @@ static unsigned int br_nf_pre_routing(void *priv,
if (!brnet->call_ip6tables &&
!br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
return NF_ACCEPT;
if (!ipv6_mod_enabled()) {
pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
return NF_DROP;
}

nf_bridge_pull_encap_header_rcsum(skb);
return br_nf_pre_routing_ipv6(priv, skb, state);
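
Review bot: The pr_warn_once() string in the new !ipv6_mod_enabled() branch has no trailing "\n" and does not say that the packet is being dropped, so the only log line an administrator gets reads as a feature notice rather than as the reason bridged IPv6 traffic has stopped. Suggest ending the message with a newline and stating the action, for example "Module ipv6 is disabled, so call_ip6tables is not supported; dropping bridged IPv6 packets\n". Because the check sits after the call_ip6tables / BROPT_NF_CALL_IP6TABLES test, the drop only applies when ip6tables processing was requested for the bridge; a short comment above the new branch saying so, and that NF_DROP is chosen over NF_ACCEPT so packets do not bypass the requested filtering, would document the intent for later readers.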