Message-ID: <aJ3Z1_-mm67LOID-@strlen.de>
Date: Thu, 14 Aug 2025 14:43:03 +0200
From: Florian Westphal <fw@...len.de>
To: gaoxingwang <gaoxingwang1@...wei.com>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
	davem@...emloft.net, bridge@...ts.linux.dev,
	netfilter-devel@...r.kernel.org, idosch@...dia.com,
	pablo@...filter.org, kadlec@...filter.org, yanan@...wei.com,
	xuchunxiao3@...wei.com, huyizhen2@...wei.com
Subject: Re: netfilter: br_netfilter:NS packet was incorrectly matched by the
 nftables rule

gaoxingwang <gaoxingwang1@...wei.com> wrote:
> Hello, everyone:
> In my test case, the container (with net.bridge.bridge-nf-call-ip6tables=1 set) attempts
> to ping the host's IPv6 address through a bridged network. Simultaneously, tcpdump is used to monitor
> the bridge, and it is observed that the ping fails.
> 
> The direct cause of the ping failure is that the NS packet matches the "ct state invalid drop"
> rule in nftables and is therefore discarded.
> 
> The commit 751de2012eafa4d46d80 introduced a modification to bridge traffic handling. When the bridge
> is in promiscuous mode, it resets the conntrack state of the packets. 
> >	if (promisc) {
> >		nf_reset_ct(skb);
> >		return NF_ACCEPT;
> >	}
> IPv6 NS packets are untracked by default. When an IPv6 NS packet passes through the bridge and the bridge
> is in promiscuous mode, the conntrack state of the packet is reset. If there is a firewall rule
> such as "ct state invalid drop," the IPv6 NS packet will be deemed invalid and dropped, leading to
> a ping failure issue.
> 
> Is this a bug, or is there an issue with my analysis? 

net.bridge.bridge-nf-call-ip6tables and bridge conntrack are
incompatible.

Either use ipv6 conntrack with net.bridge.bridge-nf-call-ip6tables or
disable net.bridge.bridge-nf-call-ip6tables.
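The reply boils down to a configuration rule: a host that does conntrack in the bridge family (a `ct` expression inside a `table bridge`) must not also have `net.bridge.bridge-nf-call-ip6tables=1`. The checker below is an added illustration written for this archive page, not code from the thread or from netfilter; it scans constructed sample text in the formats printed by `nft list ruleset` and `sysctl`, flags the incompatible combination, and lists the two remedies Florian names. The sample ruleset and sysctl lines are constructed for the demonstration.

```python
"""Flag the combination the reply calls incompatible: conntrack in an
nftables bridge-family table together with net.bridge.bridge-nf-call-ip6tables=1.
Added example; SAMPLE_RULESET and SAMPLE_SYSCTL are constructed inputs in the
shape of `nft list ruleset` and `sysctl net.bridge` output."""

import re

SAMPLE_RULESET = """\
table bridge filter {
	chain forward {
		type filter hook forward priority filter; policy accept;
		ct state invalid drop
		ct state established,related accept
	}
}
table ip6 filter {
	chain input {
		type filter hook input priority filter; policy accept;
		ct state invalid drop
	}
}
"""

SAMPLE_SYSCTL = """\
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-arptables = 0
"""


def parse_tables(ruleset):
    """Return {(family, table_name): [rule lines]} by tracking brace depth.
    Lines at depth >= 2 are chain bodies; the `type ... hook ...` line and
    closing braces are skipped so only rules remain."""
    tables = {}
    current = None
    depth = 0
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"table\s+(\w+)\s+(\S+)\s*\{", line)
        if m and depth == 0:
            current = (m.group(1), m.group(2))
            tables[current] = []
        elif current is not None and depth >= 2 and not line.startswith(("type ", "}")):
            tables[current].append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return tables


def bridge_ct_rules(tables):
    """List (table_name, rule) for every ct expression in a bridge-family table."""
    return [
        (name, rule)
        for (family, name), rules in tables.items() if family == "bridge"
        for rule in rules if re.search(r"\bct\s", rule)
    ]


def sysctl_value(text, key):
    """Read one integer key out of `sysctl` output; None if absent."""
    for line in text.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == key:
            return int(v.strip())
    return None


def check(ruleset, sysctl_text):
    """Combine the two observations and report whether the host is in the
    incompatible state, plus the two options given in the reply."""
    ct_rules = bridge_ct_rules(parse_tables(ruleset))
    call_ip6 = sysctl_value(sysctl_text, "net.bridge.bridge-nf-call-ip6tables")
    incompatible = bool(ct_rules) and call_ip6 == 1
    options = []
    if incompatible:
        options = [
            "disable it: sysctl -w net.bridge.bridge-nf-call-ip6tables=0",
            "keep it at 1 and move conntrack rules to an ip6-family table instead of table bridge",
        ]
    return {
        "incompatible": incompatible,
        "bridge_ct_rules": ct_rules,
        "call_ip6tables": call_ip6,
        "options": options,
    }


if __name__ == "__main__":
    result = check(SAMPLE_RULESET, SAMPLE_SYSCTL)
    print("incompatible:", result["incompatible"])
    for name, rule in result["bridge_ct_rules"]:
        print(f"  bridge table {name}: {rule}")
    for opt in result["options"]:
        print("  option:", opt)
```

On a real host the two inputs would come from `nft list ruleset` and `sysctl net.bridge`; the parser deliberately ignores chain headers and closing braces so that only rule lines are inspected, and any `ct` expression in a bridge-family table counts as bridge conntrack.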
