summaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorLeonardo Bras <leonardo@linux.ibm.com>2019-08-31 06:40:33 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-09-02 23:19:27 +0200
commit48bd0d68cd4b849c0bb99dc1fb01b013ad4aa942 (patch)
treec17cf7f083d4a90cc4f921cb9daee0f4ade5fc51 /net
parentnet: stmmac: dwmac-sun8i: Variable "val" in function sun8i_dwmac_set_syscon()... (diff)
downloadlinux-48bd0d68cd4b849c0bb99dc1fb01b013ad4aa942.tar.xz
linux-48bd0d68cd4b849c0bb99dc1fb01b013ad4aa942.zip
netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded
A kernel panic can happen if a host has disabled IPv6 on boot and have to process guest packets (coming from a bridge) using it's ip6tables. IPv6 packets need to be dropped if the IPv6 module is not loaded, and the host ip6tables will be used. Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/bridge/br_netfilter_hooks.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index d3f9592f4ff8..af7800103e51 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -496,6 +496,10 @@ static unsigned int br_nf_pre_routing(void *priv,
if (!brnet->call_ip6tables &&
!br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
return NF_ACCEPT;
+ if (!ipv6_mod_enabled()) {
+ pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
+ return NF_DROP;
+ }
nf_bridge_pull_encap_header_rcsum(skb);
return br_nf_pre_routing_ipv6(priv, skb, state);