Commit 48bd0d68 authored by Leonardo Bras's avatar Leonardo Bras Committed by Pablo Neira Ayuso

netfilter: bridge: Drops IPv6 packets if IPv6 module is not loaded

A kernel panic can happen if a host has disabled IPv6 on boot and have to
process guest packets (coming from a bridge) using it's ip6tables.

IPv6 packets need to be dropped if the IPv6 module is not loaded, and the
host ip6tables will be used.
Signed-off-by: default avatarLeonardo Bras <leonardo@linux.ibm.com>
Acked-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent e33b4325
...@@ -496,6 +496,10 @@ static unsigned int br_nf_pre_routing(void *priv, ...@@ -496,6 +496,10 @@ static unsigned int br_nf_pre_routing(void *priv,
if (!brnet->call_ip6tables && if (!brnet->call_ip6tables &&
!br_opt_get(br, BROPT_NF_CALL_IP6TABLES)) !br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
return NF_ACCEPT; return NF_ACCEPT;
if (!ipv6_mod_enabled()) {
pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
return NF_DROP;
}
nf_bridge_pull_encap_header_rcsum(skb); nf_bridge_pull_encap_header_rcsum(skb);
return br_nf_pre_routing_ipv6(priv, skb, state); return br_nf_pre_routing_ipv6(priv, skb, state);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment