linux/net/bridge
Florian Westphal 7d8dc1c7be netfilter: nf_queue: drop packets with cloned unconfirmed conntracks
Conntrack assumes an unconfirmed entry (not yet committed to global hash
table) has a refcount of 1 and is not visible to other cores.

With multicast forwarding this assumption breaks down because such
skbs get cloned after being picked up, i.e.  ct->use refcount is > 1.

Likewise, bridge netfilter will clone broad/mutlicast frames and
all frames in case they need to be flood-forwarded during learning
phase.

For ip multicast forwarding or plain bridge flood-forward this will
"work" because packets don't leave softirq and are implicitly
serialized.

With nfqueue this no longer holds true, the packets get queued
and can be reinjected in arbitrary ways.

Disable this feature, I see no other solution.

After this patch, nfqueue cannot queue packets except the last
multicast/broadcast packet.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2024-08-14 23:37:23 +02:00
..
netfilter net: Rename mono_delivery_time to tstamp_type for scalabilty 2024-05-23 14:14:23 -07:00
br_arp_nd_proxy.c bridge: Add per-{Port, VLAN} neighbor suppression data path support 2023-04-21 08:25:50 +01:00
br_cfm_netlink.c bridge: cfm: fix enum typo in br_cc_ccm_tx_parse 2023-12-26 22:38:13 +00:00
br_cfm.c
br_device.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2024-05-15 07:30:49 -07:00
br_fdb.c net: bridge: Use KMEM_CACHE instead of kmem_cache_create 2024-01-31 16:39:46 -08:00
br_forward.c net: bridge: mst: Check vlan state for egress decision 2024-07-15 13:40:28 +01:00
br_if.c net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode 2023-07-03 09:11:34 +01:00
br_input.c netfilter: br_netfilter: skip conntrack input hook for promisc packets 2024-04-11 12:09:33 +02:00
br_ioctl.c
br_mdb.c bridge: mdb: Add MDB bulk deletion support 2023-12-20 11:27:20 +00:00
br_mrp_netlink.c
br_mrp_switchdev.c
br_mrp.c
br_mst.c net: bridge: mst: fix suspicious rcu usage in br_mst_set_state 2024-06-12 18:24:24 -07:00
br_multicast_eht.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
br_multicast.c net: bridge: mcast: wait for previous gc cycles when removing port 2024-08-05 16:33:56 -07:00
br_netfilter_hooks.c netfilter: nf_queue: drop packets with cloned unconfirmed conntracks 2024-08-14 23:37:23 +02:00
br_netfilter_ipv6.c netfilter: bridge: replace physindev with physinif in nf_bridge_info 2024-01-17 12:02:49 +01:00
br_netlink_tunnel.c net: bridge: fix an inconsistent indentation 2024-06-05 10:04:47 +01:00
br_netlink.c bridge/br_netlink.c: no need to return void function 2024-04-22 11:57:14 +01:00
br_nf_core.c net: dst: Switch to rcuref_t reference counting 2023-03-28 18:52:28 -07:00
br_private_cfm.h
br_private_mcast_eht.h
br_private_mrp.h
br_private_stp.h
br_private_tunnel.h bridge: always declare tunnel functions 2023-05-17 21:28:58 -07:00
br_private.h netfilter: br_netfilter: skip conntrack input hook for promisc packets 2024-04-11 12:09:33 +02:00
br_stp_bpdu.c
br_stp_if.c
br_stp_timer.c
br_stp.c
br_switchdev.c net: bridge: switchdev: Ensure deferred event delivery on unoffload 2024-02-16 09:36:37 +00:00
br_sysfs_br.c bridge: Fix flushing of dynamic FDB entries 2022-11-02 20:47:09 -07:00
br_sysfs_if.c bridge: move from strlcpy with unused retval to strscpy 2022-08-22 17:57:30 -07:00
br_vlan_options.c bridge: vlan: Allow setting VLAN neighbor suppression state 2023-04-21 08:25:50 +01:00
br_vlan_tunnel.c ip_tunnel: convert __be16 tunnel flags to bitmaps 2024-04-01 10:49:28 +01:00
br_vlan.c bridge: vlan: use synchronize_net() when holding RTNL 2024-02-12 12:17:02 +00:00
br.c bridge: use exit_batch_rtnl() method 2024-02-07 18:55:12 -08:00
Kconfig
Makefile