** Also affects: linux (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Bionic)
Status: New => In Progress
** Changed in: linux (Ubuntu Disco)
Status: New => In Progress
** Changed in: linux (Ubuntu Bionic)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Disco)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Disco)
Assignee: (unassigned) => Connor Kuehl (connork)
** Changed in: linux (Ubuntu Bionic)
Assignee: (unassigned) => Connor Kuehl (connork)
** Changed in: linux (Ubuntu)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1836910
Title:
br_netfilter: namespace sysctl operations
Status in linux package in Ubuntu:
Invalid
Status in linux source package in Bionic:
In Progress
Status in linux source package in Disco:
In Progress
Bug description:
SRU Justification
Impact: Currently, the /proc/sys/net/bridge folder is only created in
the initial network namespace. This blocks use-cases where users would
like to e.g. not do bridge filtering for bridges in a specific network
namespace while doing so for bridges located in another network
namespace.
Fix: The patches linked below ensure that the /proc/sys/net/bridge
folder is available in each network namespace if the module is loaded
and disappears from all network namespaces when the module is
unloaded.
In doing so the patch makes the sysctls:
bridge-nf-call-arptables
bridge-nf-call-ip6tables
bridge-nf-call-iptables
bridge-nf-filter-pppoe-tagged
bridge-nf-filter-vlan-tagged
bridge-nf-pass-vlan-input-dev
apply per network namespace.
Regression Potential: None, since this didn't use to work before. Otherwise
limited to the br_netfilter module.
The netfilter rules are afaict already per network namespace so it should be
safe for users to specify whether bridge devices inside a network namespace are
supposed to go through iptables et al. or not. Also, this can already be done
per-bridge by setting an option for each individual bridge via Netlink. It
should also be possible to do this for all bridges in a network namespace via
sysctls.
Test Case: Tested with LXD on a kernel with the patches applied and
per-network namespace iptables.
Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the
patchset upstream.
Patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1836910/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
