diff options
author | Leonardo Bras <leonardo@linux.ibm.com> | 2019-08-31 06:40:33 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-09-02 23:19:27 +0200 |
commit | 48bd0d68cd4b849c0bb99dc1fb01b013ad4aa942 (patch) | |
tree | c17cf7f083d4a90cc4f921cb9daee0f4ade5fc51 /net | |
parent | net: stmmac: dwmac-sun8i: Variable "val" in function sun8i_dwmac_set_syscon()... (diff) | |
download | linux-48bd0d68cd4b849c0bb99dc1fb01b013ad4aa942.tar.xz linux-48bd0d68cd4b849c0bb99dc1fb01b013ad4aa942.zip |
netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded
A kernel panic can happen if a host has disabled IPv6 on boot and have to
process guest packets (coming from a bridge) using it's ip6tables.
IPv6 packets need to be dropped if the IPv6 module is not loaded, and the
host ip6tables will be used.
Signed-off-by: Leonardo Bras <leonardo@linux.ibm.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/bridge/br_netfilter_hooks.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index d3f9592f4ff8..af7800103e51 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -496,6 +496,10 @@ static unsigned int br_nf_pre_routing(void *priv, if (!brnet->call_ip6tables && !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) return NF_ACCEPT; + if (!ipv6_mod_enabled()) { + pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported."); + return NF_DROP; + } nf_bridge_pull_encap_header_rcsum(skb); return br_nf_pre_routing_ipv6(priv, skb, state); |