linux_dsm_epyc7002/net
David Ahern a173f066c7 netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev
For starters, the bridge netfilter code registers operations that
are invoked any time nf_hook is called. Specifically, ip_sabotage_in
watches for nested calls for NF_INET_PRE_ROUTING when a bridge is in
the stack.

Packet wise, the bridge netfilter hook runs first. br_nf_pre_routing
allocates nf_bridge, sets in_prerouting to 1 and calls NF_HOOK for
NF_INET_PRE_ROUTING. Its finish function, br_nf_pre_routing_finish,
then resets in_prerouting flag to 0 and the packet continues up the
stack. The packet eventually makes it to the VRF driver and it invokes
nf_hook for NF_INET_PRE_ROUTING in case any rules have been added against
the vrf device.

Because of the registered operations the call to nf_hook causes
ip_sabotage_in to be invoked. That function sees the nf_bridge on the
skb and that in_prerouting is not set. Thinking it is an invalid nested
call it steals (drops) the packet.

Update ip_sabotage_in to recognize that the bridge or one of its upper
devices (e.g., vlan) can be enslaved to a VRF (L3 master device) and
allow the packet to go through the nf_hook a second time.

Fixes: 73e20b761a ("net: vrf: Add support for PREROUTING rules on vrf device")
Reported-by: D'Souza, Nelson <ndsouza@ciena.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-09-20 18:24:14 +02:00
6lowpan
9p Pull request for inclusion in 4.19, take two 2018-08-17 17:27:58 -07:00
802
8021q
appletalk
atm
ax25
batman-adv batman-adv: Increase version number to 2018.3 2018-09-14 17:59:20 +02:00
bluetooth Bluetooth: Use correct tfm to generate OOB data 2018-09-11 13:33:57 +02:00
bpf
bpfilter
bridge netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev 2018-09-20 18:24:14 +02:00
caif
can
ceph
core Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 2018-09-16 17:47:03 -07:00
dcb
dccp
decnet
dns_resolver
dsa net: dsa: Drop GPIO includes 2018-08-27 15:24:33 -07:00
ethernet
hsr
ieee802154
ife
ipv4 udp4: fix IP_CMSG_CHECKSUM for connected sockets 2018-09-16 15:27:44 -07:00
ipv6 ip6_tunnel: be careful when accessing the inner header 2018-09-19 21:24:28 -07:00
iucv net/iucv: declare iucv_path_table_empty() as static 2018-09-05 22:32:22 -07:00
kcm Revert "kcm: remove any offset before parsing messages" 2018-09-17 18:43:42 -07:00
key
l2tp
l3mdev
lapb
llc
mac80211 Here are quite a large number of fixes, notably: 2018-09-03 22:12:02 -07:00
mac802154
mpls
ncsi net/ncsi: Fixup .dumpit message flags and ID check in Netlink handler 2018-08-22 21:39:08 -07:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2018-09-11 21:17:30 -07:00
netlabel
netlink
netrom
nfc NFC: Fix possible memory corruption when handling SHDLC I-Frame commands 2018-09-18 19:55:01 -07:00
nsh
openvswitch
packet Revert "packet: switch kvzalloc to allocate memory" 2018-08-31 23:00:28 -07:00
phonet
psample
qrtr
rds rds: fix two RCU related problems 2018-09-12 00:09:19 -07:00
rfkill Here are quite a large number of fixes, notably: 2018-09-03 22:12:02 -07:00
rose
rxrpc
sched net/sched: act_sample: fix NULL dereference in the data path 2018-09-14 08:46:28 -07:00
sctp sctp: not traverse asoc trans list if non-ipv6 trans exists for ipv6_flowlabel 2018-09-03 21:57:54 -07:00
smc smc: generic netlink family should be __ro_after_init 2018-09-20 07:49:55 -07:00
strparser
sunrpc NFS client updates for Linux 4.19 2018-08-23 16:03:58 -07:00
switchdev
tipc tipc: check return value of __tipc_dump_start() 2018-09-12 13:15:04 -07:00
tls tls: fix currently broken MSG_PEEK behavior 2018-09-17 08:03:09 -07:00
unix
vmw_vsock
wimax
wireless Here are quite a large number of fixes, notably: 2018-09-03 22:12:02 -07:00
x25
xdp xsk: fix return value of xdp_umem_assign_dev() 2018-08-21 22:06:53 +02:00
xfrm
compat.c
Kconfig
Makefile
socket.c socket: fix struct ifreq size in compat ioctl 2018-09-13 16:01:06 -07:00
sysctl_net.c