[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-09-30 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-65.74

---
linux (4.15.0-65.74) bionic; urgency=medium

  * bionic/linux: 4.15.0-65.74 -proposed tracker (LP: #1844403)

  * arm64: large modules fail to load (LP: #1841109)
- arm64/kernel: kaslr: reduce module randomization range to 4 GB
- arm64/kernel: don't ban ADRP to work around Cortex-A53 erratum #843419
- arm64: fix undefined reference to 'printk'
- arm64/kernel: rename module_emit_adrp_veneer->module_emit_veneer_for_adrp
- [config] Remove CONFIG_ARM64_MODULE_CMODEL_LARGE

  * CVE-2018-20976
- xfs: clear sb->s_fs_info on mount failure

  * br_netfilter: namespace sysctl operations (LP: #1836910)
- net: bridge: add bitfield for options and convert vlan opts
- net: bridge: convert nf call options to bits
- netfilter: bridge: port sysctls to use brnf_net
- netfilter: bridge: namespace bridge netfilter sysctls
- netfilter: bridge: prevent UAF in brnf_exit_net()

  * tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (LP: #1830756)
- tuntap: correctly set SOCKWQ_ASYNC_NOSPACE

  * Bionic update: upstream stable patchset 2019-08-30 (LP: #1842114)
- HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
- MIPS: kernel: only use i8253 clocksource with periodic clockevent
- mips: fix cacheinfo
- netfilter: ebtables: fix a memory leak bug in compat
- ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks
- bonding: Force slave speed check after link state recovery for 802.3ad
- can: dev: call netif_carrier_off() in register_candev()
- ASoC: Fail card instantiation if DAI format setup fails
- st21nfca_connectivity_event_received: null check the allocation
- st_nci_hci_connectivity_event_received: null check the allocation
- ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
- net: usb: qmi_wwan: Add the BroadMobi BM818 card
- qed: RDMA - Fix the hw_ver returned in device attributes
- isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in
  start_isoc_chain()
- netfilter: ipset: Fix rename concurrency with listing
- isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
- perf bench numa: Fix cpu0 binding
- can: sja1000: force the string buffer NULL-terminated
- can: peak_usb: force the string buffer NULL-terminated
- net/ethernet/qlogic/qed: force the string buffer NULL-terminated
- NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
- HID: input: fix a4tech horizontal wheel custom usage
- SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL
- net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
- net: hisilicon: make hip04_tx_reclaim non-reentrant
- net: hisilicon: fix hip04-xmit never return TX_BUSY
- net: hisilicon: Fix dma_map_single failed on arm64
- libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
- libata: add SG safety checks in SFF pio transfers
- x86/lib/cpu: Address missing prototypes warning
- drm/vmwgfx: fix memory leak when too many retries have occurred
- perf ftrace: Fix failure to set cpumask when only one cpu is present
- perf cpumap: Fix writing to illegal memory in handling cpumap mask
- perf pmu-events: Fix missing "cpu_clk_unhalted.core" event
- selftests: kvm: Adding config fragments
- HID: wacom: correct misreported EKR ring values
- HID: wacom: Correct distance scale for 2nd-gen Intuos devices
- Revert "dm bufio: fix deadlock with loop device"
- ceph: don't try fill file_lock on unsuccessful GETFILELOCK reply
- libceph: fix PG split vs OSD (re)connect race
- drm/nouveau: Don't retry infinitely when receiving no data on i2c over AUX
- gpiolib: never report open-drain/source lines as 'input' to user-space
- userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx
- x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
- x86/apic: Handle missing global clockevent gracefully
- x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h
- x86/boot: Save fields explicitly, zero out everything else
- x86/boot: Fix boot regression caused by bootparam sanitizing
- dm kcopyd: always complete failed jobs
- dm btree: fix order of block initialization in btree_split_beneath
- dm space map metadata: fix missing store of apply_bops() return value
- dm table: fix invalid memory accesses with too high sector number
- dm zoned: improve error handling in reclaim
- dm zoned: improve error handling in i/o map code
- dm zoned: properly handle backing device failure
- genirq: Properly pair kobject_del() with kobject_add()
- mm, page_owner: handle THP splits correctly
- mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely
- mm/zsmalloc.c: fix race condition in zs_destroy_pool
- xfs: fix missing ILOCK unlock when 

[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-09-16 Thread Christian Brauner
** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1836910

Title:
  br_netfilter: namespace sysctl operations

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Disco:
  Fix Released

Bug description:
  SRU Justification

  Impact: Currently, the /proc/sys/net/bridge folder is only created in
  the initial network namespace. This blocks use-cases where users would
  like to e.g. not do bridge filtering for bridges in a specific network
  namespace while doing so for bridges located in another network
  namespace.

  Fix: The patches linked below ensure that the /proc/sys/net/bridge
  folder is available in each network namespace if the module is loaded
  and disappears from all network namespaces when the module is
  unloaded.

  In doing so the patch makes the sysctls:

  bridge-nf-call-arptables
  bridge-nf-call-ip6tables
  bridge-nf-call-iptables
  bridge-nf-filter-pppoe-tagged
  bridge-nf-filter-vlan-tagged
  bridge-nf-pass-vlan-input-dev

  apply per network namespace.

  Regression Potential: Low since it is limited to the br_netfilter module. I
  tested the patchset extensively by compiling a kernel with the patches
  applied. I loaded and unloaded the module and verified that it works
  correctly for the container use case and does not crash. The Google
  ChromeOS team has also backported this patchset to their kernel and has not
  seen any issues so far:
  https://bugs.chromium.org/p/chromium/issues/detail?id=878034

  Security considerations around netfilter rules are also low. The netfilter
  rules are already per network namespace, so it should be safe for users to
  specify whether bridge devices inside a network namespace are supposed to go
  through iptables et al. or not. Also, this can already be done per-bridge by
  setting an option for each individual bridge via Netlink. It should also be
  possible to do this for all bridges in a network namespace via sysctls.

  Test Case: Tested with LXD on a kernel with the patches applied and
  per-network namespace iptables.

  Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the
  patchset upstream.

  Patches:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1836910/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
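A per-network-namespace audit of the six bridge-nf knobs named in the bug description, added here as an example (it is not code from the bug report or from the kernel patches). It assumes iproute2's `ip netns` and root for the live audit; the `check` mode exercises exactly the isolation the test case above depends on, and reports "absent" inside a namespace on an unpatched kernel.

```shell
#!/bin/sh
# Audit of the bridge-netfilter sysctls per network namespace.
# Added example (not part of the bug report or the kernel patches); assumes
# iproute2's `ip netns` and root for the live audit. With the LP: #1836910
# patchset, /proc/sys/net/bridge exists in every netns while br_netfilter is
# loaded, so each namespace decides on its own whether bridged traffic is run
# through its iptables/ip6tables/arptables rules.
set -u

BRNF_CALL_KEYS="bridge-nf-call-arptables bridge-nf-call-ip6tables bridge-nf-call-iptables"
BRNF_ALL_KEYS="$BRNF_CALL_KEYS bridge-nf-filter-pppoe-tagged bridge-nf-filter-vlan-tagged bridge-nf-pass-vlan-input-dev"

# classify_brnf READER
#   READER is a command prefix that prints a /proc file: "cat" for the
#   current namespace, "ip netns exec blue cat" for namespace "blue".
#   Prints one word:
#     absent   - /proc/sys/net/bridge is missing: br_netfilter not loaded, or
#                an unpatched kernel seen from a non-initial namespace
#     bypass   - some bridge-nf-call-* knob is 0, so that address family
#                crosses bridges in this namespace without traversing *tables
#     filtered - all three call knobs are 1
classify_brnf() {
    reader="$1"
    if ! $reader /proc/sys/net/bridge/bridge-nf-call-iptables >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    for k in $BRNF_CALL_KEYS; do
        v=$($reader "/proc/sys/net/bridge/$k" 2>/dev/null | tr -d '[:space:]')
        if [ "$v" = "0" ]; then
            echo bypass
            return 0
        fi
    done
    echo filtered
}

# dump_brnf READER: one "key=value" line per knob, "?" when unreadable.
dump_brnf() {
    reader="$1"
    for k in $BRNF_ALL_KEYS; do
        v=$($reader "/proc/sys/net/bridge/$k" 2>/dev/null | tr -d '[:space:]')
        printf '%s=%s\n' "$k" "${v:-?}"
    done
}

# audit_all_netns: classify the initial namespace and every named namespace.
# On a patched kernel a namespace may legitimately read "bypass" while init
# reads "filtered"; on an unpatched kernel every named namespace reads "absent".
audit_all_netns() {
    printf '%-20s %s\n' "init" "$(classify_brnf cat)"
    for ns in $(ip netns list 2>/dev/null | awk '{print $1}'); do
        printf '%-20s %s\n' "$ns" "$(classify_brnf "ip netns exec $ns cat")"
    done
}

# check_isolation: the behaviour the bug report's test case relies on. Flip the
# iptables knob inside a throwaway namespace and confirm the initial namespace
# keeps its value. Needs root. Returns 0 on PASS, 1 on FAIL, 2 if no netns
# could be created.
check_isolation() {
    ns="brnf-check-$$"
    ip netns add "$ns" 2>/dev/null || return 2
    before=$(classify_brnf cat)
    ip netns exec "$ns" sh -c \
        'echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables' 2>/dev/null || true
    inside=$(classify_brnf "ip netns exec $ns cat")
    after=$(classify_brnf cat)
    ip netns delete "$ns"
    if [ "$inside" = "bypass" ] && [ "$after" = "$before" ]; then
        echo "PASS: change stayed inside $ns (init: $before -> $after)"
        return 0
    fi
    echo "FAIL: inside=$inside init-before=$before init-after=$after"
    return 1
}

case "${1:-}" in
    audit) audit_all_netns ;;
    check) check_isolation ;;
esac
```

Run with `audit` to list the state of every named namespace, or with `check` (as root) to confirm that a change inside a fresh namespace does not leak into the initial one.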


[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-09-11 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-bionic' to 'verification-done-bionic'. If the
problem still exists, change the tag 'verification-needed-bionic' to
'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-bionic



[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-09-03 Thread Kleber Sacilotto de Souza
** Changed in: linux (Ubuntu Bionic)
   Status: In Progress => Fix Committed



[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-09-03 Thread Kleber Sacilotto de Souza
The tag verification-needed-bionic has been wrongly added by the bot;
the fixes for this bug haven't been merged yet. I'm removing the tag.

** Tags removed: verification-done-bionic



[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-09-02 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.0.0-27.28

---
linux (5.0.0-27.28) disco; urgency=medium

  * disco/linux: 5.0.0-27.28 -proposed tracker (LP: #1840816)

  * [Potential Regression] System crashes when running ftrace test in
ubuntu_kernel_selftests (LP: #1840750)
- x86/kprobes: Set instruction page as executable

linux (5.0.0-26.27) disco; urgency=medium

  * disco/linux: 5.0.0-26.27 -proposed tracker (LP: #1839972)

  * Packaging resync (LP: #1786013)
- [Packaging] update helper scripts

  * alsa/hdmi: add icelake hdmi audio support for a Dell machine (LP: #1836916)
- ALSA: hda: hdmi - add Icelake support
- ALSA: hda/hdmi - Remove duplicated define
- ALSA: hda/hdmi - Fix i915 reverse port/pin mapping

  * input/mouse: alps trackpoint-only device doesn't work (LP: #1836752)
- Input: alps - don't handle ALPS cs19 trackpoint-only device
- Input: alps - fix a mismatch between a condition check and its comment

  * [18.04 FEAT] Enhanced hardware support (LP: #1836857)
- s390: report new CPU capabilities
- s390: add alignment hints to vector load and store

  * System does not auto detect disconnection of external monitor (LP: #1835001)
- drm/i915: Add support for retrying hotplug
- drm/i915: Enable hotplug retry

  * [18.04 FEAT] Enhanced CPU-MF hardware counters - kernel part (LP: #1836860)
- s390/cpum_cf: Add support for CPU-MF SVN 6
- s390/cpumf: Add extended counter set definitions for model 8561 and 8562

  * EeePC 1005px laptop backlight is off after system boot up (LP: #1837117)
- platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from
  asus_nb_wmi

  * br_netfilter: namespace sysctl operations (LP: #1836910)
- netfilter: bridge: port sysctls to use brnf_net
- netfilter: bridge: namespace bridge netfilter sysctls
- netfilter: bridge: prevent UAF in brnf_exit_net()

  * ideapad_laptop disables WiFi/BT radios on Lenovo Y540 (LP: #1837136)
- platform/x86: ideapad-laptop: Remove no_hw_rfkill_list

  * shiftfs: allow overlayfs (LP: #1838677)
- SAUCE: shiftfs: enable overlayfs on shiftfs

  * bcache: bch_allocator_thread(): hung task timeout (LP: #1784665)
- bcache: never writeback a discard operation
- bcache: improve bcache_reboot()
- SAUCE: bcache: fix deadlock in bcache_allocator

  * Regressions in CMA allocation rework (LP: #1839395)
- dma-contiguous: do not overwrite align in dma_alloc_contiguous()
- dma-contiguous: page-align the size in dma_free_contiguous()

  * CVE-2019-3900
- vhost: introduce vhost_exceeds_weight()
- vhost_net: fix possible infinite loop
- vhost: vsock: add weight support
- vhost: scsi: add weight support

  * Disco update: 5.0.21 upstream stable release (LP: #1837518)
- bonding/802.3ad: fix slave link initialization transition states
- cxgb4: offload VLAN flows regardless of VLAN ethtype
- inet: switch IP ID generator to siphash
- ipv4/igmp: fix another memory leak in igmpv3_del_delrec()
- ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST
- ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
- ipv6: Fix redirect with VRF
- llc: fix skb leak in llc_build_and_send_ui_pkt()
- mlxsw: spectrum_acl: Avoid warning after identical rules insertion
- net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT
- net: fec: fix the clk mismatch in failed_reset path
- net-gro: fix use-after-free read in napi_gro_frags()
- net: mvneta: Fix err code path of probe
- net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
- net: phy: marvell10g: report if the PHY fails to boot firmware
- net: sched: don't use tc_action->order during action dump
- net: stmmac: fix reset gpio free missing
- r8169: fix MAC address being lost in PCI D3
- usbnet: fix kernel crash after disconnect
- net/mlx5: Avoid double free in fs init error unwinding path
- tipc: Avoid copying bytes beyond the supplied data
- net/mlx5: Allocate root ns memory using kzalloc to match kfree
- net/mlx5e: Disable rxhash when CQE compress is enabled
- net: stmmac: fix ethtool flow control not able to get/set
- net: stmmac: dma channel control register need to be init first
- bnxt_en: Fix aggregation buffer leak under OOM condition.
- bnxt_en: Fix possible BUG() condition when calling pci_disable_msix().
- bnxt_en: Reduce memory usage when running in kdump kernel.
- net/tls: fix state removal with feature flags off
- net/tls: don't ignore netdev notifications if no TLS features
- cxgb4: Revert "cxgb4: Remove SGE_HOST_PAGE_SIZE dependency on page size"
- net: correct zerocopy refcnt with udp MSG_MORE
- crypto: vmx - ghash: do nosimd fallback manually
- xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
- Revert "tipc: fix modprobe tipc failed after switch order of device
  registration"
- 

[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-08-20 Thread Christian Brauner
** Tags removed: verification-needed-bionic verification-needed-disco
** Tags added: verification-done-bionic verification-done-disco

Title:
  br_netfilter: namespace sysctl operations

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Disco:
  Fix Committed


[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-08-20 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-bionic' to 'verification-done-bionic'. If the
problem still exists, change the tag 'verification-needed-bionic' to
'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-bionic



[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-08-15 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-disco' to 'verification-done-disco'. If the
problem still exists, change the tag 'verification-needed-disco' to
'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-disco

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1836910

Title:
  br_netfilter: namespace sysctl operations

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Disco:
  Fix Committed

Bug description:
  SRU Justification

  Impact: Currently, the /proc/sys/net/bridge folder is only created in
  the initial network namespace. This blocks use-cases where users would
  like to e.g. not do bridge filtering for bridges in a specific network
  namespace while doing so for bridges located in another network
  namespace.

  Fix: The patches linked below ensure that the /proc/sys/net/bridge
  folder is available in each network namespace if the module is loaded
  and disappears from all network namespaces when the module is
  unloaded.

  In doing so the patch makes the sysctls:

  bridge-nf-call-arptables
  bridge-nf-call-ip6tables
  bridge-nf-call-iptables
  bridge-nf-filter-pppoe-tagged
  bridge-nf-filter-vlan-tagged
  bridge-nf-pass-vlan-input-dev

  apply per network namespace.

  Regression Potential: Low since it is limited to the br_netfilter module.
  I tested the patchset extensively by compiling a kernel with the patches
  applied. I loaded and unloaded the module and verified that it works
  correctly for the container use case and does not crash. The Google
  ChromeOS team has also backported this patchset to their kernel and has
  not seen any issues so far:
  https://bugs.chromium.org/p/chromium/issues/detail?id=878034

  Security considerations around netfilter rules are also low. The
  netfilter rules are already per network namespace so it should be safe
  for users to specify whether bridge devices inside a network namespace
  are supposed to go through iptables et al. or not. Also, this can already
  be done per-bridge by setting an option for each individual bridge via
  Netlink. It should also be possible to do this for all bridges in a
  network namespace via sysctls.

  Test Case: Tested with LXD on a kernel with the patches applied and
  per-network namespace iptables.

  Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the
  patchset upstream.

  Patches:
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2

  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe

  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1836910/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
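
The per-namespace sysctls listed in the bug description above, as an added audit script that is not part of the bug report or the Ubuntu kernel tree: it reads the six br_netfilter sysctls from a given proc root and works out, for one bridge, whether its traffic is handed to iptables. It assumes (from the br_netfilter source, not from this page) that the kernel calls iptables when either the namespace sysctl bridge-nf-call-iptables or the bridge's own nf_call_iptables sysfs attribute is 1; the proc and sysfs roots are parameters so the functions can be run against the live system or a constructed tree.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Ubuntu kernel tree.
# Audits the br_netfilter settings that decide whether bridged traffic is
# passed to iptables, per network namespace and per bridge.
#
# Paths are parameterised (proc root, sysfs root) so the same logic can run
# against the live /proc and /sys, or against a constructed tree for testing.

# The six sysctls that the patchset makes per network namespace.
BRNF_SYSCTLS="bridge-nf-call-arptables bridge-nf-call-ip6tables \
bridge-nf-call-iptables bridge-nf-filter-pppoe-tagged \
bridge-nf-filter-vlan-tagged bridge-nf-pass-vlan-input-dev"

# Print name=value for every br_netfilter sysctl under $1/sys/net/bridge.
# Prints "absent" and returns 1 when the directory does not exist, which is
# what a non-initial namespace shows on an unpatched kernel, or what any
# namespace shows while the module is not loaded.
brnf_dump() {
    dir="$1/sys/net/bridge"
    [ -d "$dir" ] || { echo "absent"; return 1; }
    for name in $BRNF_SYSCTLS; do
        val=$(cat "$dir/$name" 2>/dev/null) || val=missing
        printf '%s=%s\n' "$name" "$val"
    done
}

# Effective decision for one bridge (assumption from the br_netfilter source):
# traffic on bridge $3 is passed to iptables when EITHER the namespace sysctl
# bridge-nf-call-iptables (proc root $1) OR the per-bridge nf_call_iptables
# attribute (sysfs root $2, the per-bridge option the report mentions) is 1.
# Prints "filtered" (returns 0) or "bypassed" (returns 1).
brnf_bridge_iptables() {
    ns_val=$(cat "$1/sys/net/bridge/bridge-nf-call-iptables" 2>/dev/null) || ns_val=0
    br_val=$(cat "$2/class/net/$3/bridge/nf_call_iptables" 2>/dev/null) || br_val=0
    if [ "$ns_val" = "1" ] || [ "$br_val" = "1" ]; then
        echo "filtered"
        return 0
    fi
    echo "bypassed"
    return 1
}

# Live use, as root, inside the namespace of interest, e.g.
#   ip netns exec NS sh brnf_audit.sh br0
# /proc/sys/net resolves against the caller's network namespace, so this
# shows what that namespace's bridges actually get.
if [ -n "${1:-}" ]; then
    brnf_dump /proc
    brnf_bridge_iptables /proc /sys "$1"
fi
```

On an unpatched kernel the dump prints "absent" inside every namespace except the initial one, which is the behaviour the bug describes.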


[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-08-12 Thread Khaled El Mously
** Changed in: linux (Ubuntu Disco)
   Status: In Progress => Fix Committed



[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-08-09 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.2.0-10.11

---
linux (5.2.0-10.11) eoan; urgency=medium

  * eoan/linux: 5.2.0-10.11 -proposed tracker (LP: #1838113)

  * Packaging resync (LP: #1786013)
- [Packaging] resync git-ubuntu-log

  * Eoan update: v5.2.4 upstream stable release (LP: #1838428)
- bnx2x: Prevent load reordering in tx completion processing
- caif-hsi: fix possible deadlock in cfhsi_exit_module()
- hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback()
- igmp: fix memory leak in igmpv3_del_delrec()
- ipv4: don't set IPv6 only flags to IPv4 addresses
- ipv6: rt6_check should return NULL if 'from' is NULL
- ipv6: Unlink sibling route in case of failure
- net: bcmgenet: use promisc for unsupported filters
- net: dsa: mv88e6xxx: wait after reset deactivation
- net: make skb_dst_force return true when dst is refcounted
- net: neigh: fix multiple neigh timer scheduling
- net: openvswitch: fix csum updates for MPLS actions
- net: phy: sfp: hwmon: Fix scaling of RX power
- net_sched: unset TCQ_F_CAN_BYPASS when adding filters
- net: stmmac: Re-work the queue selection for TSO packets
- net/tls: make sure offload also gets the keys wiped
- nfc: fix potential illegal memory access
- r8169: fix issue with confused RX unit after PHY power-down on RTL8411b
- rxrpc: Fix send on a connected, but unbound socket
- sctp: fix error handling on stream scheduler initialization
- sctp: not bind the socket in sctp_connect
- sky2: Disable MSI on ASUS P6T
- tcp: be more careful in tcp_fragment()
- tcp: fix tcp_set_congestion_control() use from bpf hook
- tcp: Reset bytes_acked and bytes_received when disconnecting
- vrf: make sure skb->data contains ip header to make routing
- net/mlx5e: IPoIB, Add error path in mlx5_rdma_setup_rn
- net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
- net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
- net: bridge: don't cache ether dest pointer on input
- net: bridge: stp: don't cache eth dest pointer before skb pull
- macsec: fix use-after-free of skb during RX
- macsec: fix checksumming after decryption
- netrom: fix a memory leak in nr_rx_frame()
- netrom: hold sock when setting skb->destructor
- selftests: txring_overwrite: fix incorrect test of mmap() return value
- net/tls: fix poll ignoring partially copied records
- net/tls: reject offload of TLS 1.3
- net/mlx5e: Fix port tunnel GRE entropy control
- net/mlx5e: Rx, Fix checksum calculation for new hardware
- net/mlx5e: Fix return value from timeout recover function
- net/mlx5e: Fix error flow in tx reporter diagnose
- bnxt_en: Fix VNIC accounting when enabling aRFS on 57500 chips.
- mlxsw: spectrum_dcb: Configure DSCP map as the last rule is removed
- net/mlx5: E-Switch, Fix default encap mode
- mlxsw: spectrum: Do not process learned records with a dummy FID
- dma-buf: balance refcount inbalance
- dma-buf: Discard old fence_excl on retrying get_fences_rcu for realloc
- Revert "gpio/spi: Fix spi-gpio regression on active high CS"
- gpiolib: of: fix a memory leak in of_gpio_flags_quirks()
- gpio: davinci: silence error prints in case of EPROBE_DEFER
- MIPS: lb60: Fix pin mappings
- perf script: Assume native_arch for pipe mode
- perf/core: Fix exclusive events' grouping
- perf/core: Fix race between close() and fork()
- ext4: don't allow any modifications to an immutable file
- ext4: enforce the immutable flag on open files
- mm: add filemap_fdatawait_range_keep_errors()
- jbd2: introduce jbd2_inode dirty range scoping
- ext4: use jbd2_inode dirty range scoping
- ext4: allow directory holes
- KVM: nVMX: do not use dangling shadow VMCS after guest reset
- KVM: nVMX: Clear pending KVM_REQ_GET_VMCS12_PAGES when leaving nested
- Revert "kvm: x86: Use task structs fpu field for user"
- sd_zbc: Fix report zones buffer allocation
- block: Limit zone array allocation size
- net: sched: verify that q!=NULL before setting q->flags
- Linux 5.2.4

  * linux hwe i386 kernel 5.0.0-21.22~18.04.1 crashes on Lenovo x220
(LP: #1838115)
- x86/mm: Check for pfn instead of page in vmalloc_sync_one()
- x86/mm: Sync also unmappings in vmalloc_sync_all()
- mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()

  * br_netfilter: namespace sysctl operations (LP: #1836910)
- netfilter: bridge: port sysctls to use brnf_net
- netfilter: bridge: namespace bridge netfilter sysctls
- netfilter: bridge: prevent UAF in brnf_exit_net()

  * Eoan update: v5.2.3 upstream stable release (LP: #1838089)
- ath10k: Check tx_stats before use it
- ath10k: htt: don't use txdone_fifo with SDIO
- ath10k: fix incorrect multicast/broadcast rate setting
- ath9k: Don't trust TX status TID 

[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-07-31 Thread Christian Brauner
** Description changed:

  SRU Justification
  
  Impact: Currently, the /proc/sys/net/bridge folder is only created in
  the initial network namespace. This blocks use-cases where users would
  like to e.g. not do bridge filtering for bridges in a specific network
  namespace while doing so for bridges located in another network
  namespace.
  
  Fix: The patches linked below ensure that the /proc/sys/net/bridge
  folder is available in each network namespace if the module is loaded
  and disappears from all network namespaces when the module is unloaded.
  
  In doing so the patch makes the sysctls:
  
  bridge-nf-call-arptables
  bridge-nf-call-ip6tables
  bridge-nf-call-iptables
  bridge-nf-filter-pppoe-tagged
  bridge-nf-filter-vlan-tagged
  bridge-nf-pass-vlan-input-dev
  
  apply per network namespace.
  
- Regression Potential: Low since it is limited to the br_netfilter module.
- I verified that this does not lead to any regressions by compiling a kernel 
with those patches. I loaded and unloaded the module and verified that it works 
correctly for the container usecase and does not crash.
- The netfilter rules are afaict already per network namespace so it should be 
safe for users to specify whether bridge devices inside a network namespace are 
supposed to go through iptables et al. or not. Also, this can already be done 
per-bridge by setting an option for each individual bridge via Netlink. It 
should also be possible to do this for all bridges in a network namespace via 
sysctls.
+ Regression Potential: Low since it is limited to the br_netfilter module. I 
tested the patchset extensively by compiling a kernel with the patches applied. 
I loaded and unloaded the module and verified that it works correctly for the 
container usecase and does not crash. The Google ChromeOS team has also 
backported this patchset to their kernel and has not seen any issues so far: 
https://bugs.chromium.org/p/chromium/issues/detail?id=878034
+ Security considerations around netfilter rules are also low. The netfilter 
rules are already per network namespace so it should be safe for users to 
specify whether bridge devices inside a network namespace are supposed to go 
through iptables et al. or not. Also, this can already be done per-bridge by 
setting an option for each individual bridge via Netlink. It should also be 
possible to do this for all bridges in a network namespace via sysctls.
  
  Test Case: Tested with LXD on a kernel with the patches applied and per-
  network namespace iptables.
  
  Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the
  patchset upstream.
  
  Patches:
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
  
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
  
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db


[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-07-30 Thread Christian Brauner
** Description changed:

  SRU Justification
  
  Impact: Currently, the /proc/sys/net/bridge folder is only created in
  the initial network namespace. This blocks use-cases where users would
  like to e.g. not do bridge filtering for bridges in a specific network
  namespace while doing so for bridges located in another network
  namespace.
  
  Fix: The patches linked below ensure that the /proc/sys/net/bridge
  folder is available in each network namespace if the module is loaded
  and disappears from all network namespaces when the module is unloaded.
  
  In doing so the patch makes the sysctls:
  
  bridge-nf-call-arptables
  bridge-nf-call-ip6tables
  bridge-nf-call-iptables
  bridge-nf-filter-pppoe-tagged
  bridge-nf-filter-vlan-tagged
  bridge-nf-pass-vlan-input-dev
  
  apply per network namespace.
  
- Regression Potential: None, since this didn't use to work before. Otherwise 
limited to the br_netfilter module.
+ Regression Potential: Low since it is limited to the br_netfilter module.
+ I verified that this does not lead to any regressions by compiling a kernel 
with those patches. I loaded and unloaded the module and verified that it works 
correctly for the container usecase and does not crash.
  The netfilter rules are afaict already per network namespace so it should be 
safe for users to specify whether bridge devices inside a network namespace are 
supposed to go through iptables et al. or not. Also, this can already be done 
per-bridge by setting an option for each individual bridge via Netlink. It 
should also be possible to do this for all bridges in a network namespace via 
sysctls.
  
  Test Case: Tested with LXD on a kernel with the patches applied and per-
  network namespace iptables.
  
  Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the
  patchset upstream.
  
  Patches:
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
  
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
  
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db


[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-07-30 Thread Seth Forshee
** Changed in: linux (Ubuntu)
   Status: Invalid => Fix Committed



[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-07-25 Thread Connor Kuehl
https://lists.ubuntu.com/archives/kernel-team/2019-July/102594.html



[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-07-22 Thread Connor Kuehl
** Also affects: linux (Ubuntu Disco)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: linux (Ubuntu Disco)
   Status: New => In Progress

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Disco)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Disco)
 Assignee: (unassigned) => Connor Kuehl (connork)

** Changed in: linux (Ubuntu Bionic)
 Assignee: (unassigned) => Connor Kuehl (connork)

** Changed in: linux (Ubuntu)
   Status: Confirmed => Invalid



[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-07-17 Thread Christian Brauner
** Description changed:

- Currently, the /proc/sys/net/bridge folder is only created in the initial
- network namespace. This patch ensures that the /proc/sys/net/bridge folder
- is available in each network namespace if the module is loaded and
- disappears from all network namespaces when the module is unloaded.
+ SRU Justification
+ 
+ Impact: Currently, the /proc/sys/net/bridge folder is only created in
+ the initial network namespace. This blocks use-cases where users would
+ like to e.g. not do bridge filtering for bridges in a specific network
+ namespace while doing so for bridges located in another network
+ namespace.
+ 
+ Fix: The patches linked below ensure that the /proc/sys/net/bridge
+ folder is available in each network namespace if the module is loaded
+ and disappears from all network namespaces when the module is unloaded.
  
  In doing so the patch makes the sysctls:
  
  bridge-nf-call-arptables
  bridge-nf-call-ip6tables
  bridge-nf-call-iptables
  bridge-nf-filter-pppoe-tagged
  bridge-nf-filter-vlan-tagged
  bridge-nf-pass-vlan-input-dev
  
- apply per network namespace. This unblocks some use-cases where users would
- like to e.g. not do bridge filtering for bridges in a specific network
- namespace while doing so for bridges located in another network namespace.
+ apply per network namespace.
  
- The netfilter rules are afaict already per network namespace so it should
- be safe for users to specify whether bridge devices inside a network
- namespace are supposed to go through iptables et al. or not. Also, this can
- already be done per-bridge by setting an option for each individual bridge
- via Netlink. It should also be possible to do this for all bridges in a
- network namespace via sysctls.
+ Regression Potential: None, since this didn't use to work before. Otherwise 
limited to the br_netfilter module.
+ The netfilter rules are afaict already per network namespace so it should be 
safe for users to specify whether bridge devices inside a network namespace are 
supposed to go through iptables et al. or not. Also, this can already be done 
per-bridge by setting an option for each individual bridge via Netlink. It 
should also be possible to do this for all bridges in a network namespace via 
sysctls.
  
- I've pushed a small series of patches upstream.
- Please backport them to our LTS kernels. :)
+ Test Case: Tested with LXD on a kernel with the patches applied and per-
+ network namespace iptables.
+ 
+ Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the
+ patchset upstream.
+ 
+ Patches:
+ 
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
+ 
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
+ 
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1836910

Title:
  br_netfilter: namespace sysctl operations

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  SRU Justification

  Impact: Currently, the /proc/sys/net/bridge folder is only created in
  the initial network namespace. This blocks use-cases where users would
  like to e.g. not do bridge filtering for bridges in a specific network
  namespace while doing so for bridges located in another network
  namespace.

  Fix: The patches linked below ensure that the /proc/sys/net/bridge
  folder is available in each network namespace if the module is loaded
  and disappears from all network namespaces when the module is
  unloaded.

  In doing so the patch makes the sysctls:

  bridge-nf-call-arptables
  bridge-nf-call-ip6tables
  bridge-nf-call-iptables
  bridge-nf-filter-pppoe-tagged
  bridge-nf-filter-vlan-tagged
  bridge-nf-pass-vlan-input-dev

  apply per network namespace.

  Regression Potential: None, since this didn't use to work before. Otherwise
  limited to the br_netfilter module.
  The netfilter rules are afaict already per network namespace so it should be
  safe for users to specify whether bridge devices inside a network namespace are
  supposed to go through iptables et al. or not. Also, this can already be done
  per-bridge by setting an option for each individual bridge via Netlink. It
  should also be possible to do this for all bridges in a network namespace via
  sysctls.

  Test Case: Tested with LXD on a kernel with the patches applied and
  per-network namespace iptables.

  Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the
  patchset upstream.

  Patches:
  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2

  

[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-07-17 Thread Christian Brauner
Relevant upstream commits are:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db


Title:
  br_netfilter: namespace sysctl operations

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Currently, the /proc/sys/net/bridge folder is only created in the initial
  network namespace. This patch ensures that the /proc/sys/net/bridge folder
  is available in each network namespace if the module is loaded and
  disappears from all network namespaces when the module is unloaded.

  In doing so the patch makes the sysctls:

  bridge-nf-call-arptables
  bridge-nf-call-ip6tables
  bridge-nf-call-iptables
  bridge-nf-filter-pppoe-tagged
  bridge-nf-filter-vlan-tagged
  bridge-nf-pass-vlan-input-dev

  apply per network namespace. This unblocks some use-cases where users would
  like to e.g. not do bridge filtering for bridges in a specific network
  namespace while doing so for bridges located in another network namespace.

  The netfilter rules are afaict already per network namespace so it should
  be safe for users to specify whether bridge devices inside a network
  namespace are supposed to go through iptables et al. or not. Also, this can
  already be done per-bridge by setting an option for each individual bridge
  via Netlink. It should also be possible to do this for all bridges in a
  network namespace via sysctls.

  I've pushed a small series of patches upstream.
  Please backport them to our LTS kernels. :)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1836910/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
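The behaviour the bug description above describes (no /proc/sys/net/bridge in a child network namespace before the patches; a per-namespace copy of the bridge-nf-* knobs after them) can be checked directly on a running kernel. The script below is an added example and is not part of the bug report or of the kernel patches. It assumes root, iproute2's `ip netns`, and a loadable br_netfilter module; the scratch namespace name `brnf-test` and the helper names `brnf_scope` and `brnf_probe` are this script's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the kernel patches): probe whether the
# br_netfilter sysctls under /proc/sys/net/bridge apply per network namespace.
# Assumes: root, iproute2 (`ip netns`), a loadable br_netfilter module.
# The namespace name and the function names are this script's own choices.

SYSCTL_DIR=/proc/sys/net/bridge
KNOB=bridge-nf-call-iptables
NS=brnf-test   # assumed, arbitrary scratch namespace name

# Decision logic, kept free of side effects so it can be exercised without root.
#   $1  "present" or "absent": whether $SYSCTL_DIR exists inside the child netns
#   $2  value of $KNOB in the init netns before the child was modified
#   $3  value of $KNOB in the init netns after the child was set to the opposite
# Prints one of:
#   unpatched  - child netns has no /proc/sys/net/bridge at all (pre-patch kernel)
#   namespaced - the write inside the child left the init netns value untouched
#   shared     - the write inside the child changed the init netns value
brnf_scope() {
    if [ "$1" = absent ]; then
        echo unpatched
    elif [ "$2" = "$3" ]; then
        echo namespaced
    else
        echo shared
    fi
}

# Side-effecting probe: needs root. Creates a scratch netns, flips the knob
# from inside it, and reports whether the init netns saw the change.
brnf_probe() {
    modprobe br_netfilter || return 1
    ip netns add "$NS" || return 1
    trap 'ip netns del "$NS"' EXIT

    init_before=$(cat "$SYSCTL_DIR/$KNOB")
    if ip netns exec "$NS" test -d "$SYSCTL_DIR"; then
        child_dir=present
        # Write the opposite value from inside the child namespace only.
        ip netns exec "$NS" sh -c "echo $((1 - init_before)) > $SYSCTL_DIR/$KNOB"
    else
        child_dir=absent
    fi
    init_after=$(cat "$SYSCTL_DIR/$KNOB")

    brnf_scope "$child_dir" "$init_before" "$init_after"
}

# Only touch the system when explicitly asked: `sh brnf-probe.sh probe`
case "${1:-}" in
    probe) brnf_probe ;;
esac
```

Run it as root with `sh brnf-probe.sh probe`. On a kernel without the series the child namespace has no /proc/sys/net/bridge directory and the script reports `unpatched`; with the series applied, the write inside the child leaves the init namespace's bridge-nf-call-iptables untouched and it reports `namespaced`. The `shared` outcome is the failure mode to watch for on a backport: the directory shows up in the child but still drives one global knob.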


[Kernel-packages] [Bug 1836910] Re: br_netfilter: namespace sysctl operations

2019-07-17 Thread Christian Brauner
** Changed in: linux (Ubuntu)
   Status: Incomplete => Confirmed
