** Description changed:

- Currently, the /proc/sys/net/bridge folder is only created in the initial
- network namespace. This patch ensures that the /proc/sys/net/bridge folder
- is available in each network namespace if the module is loaded and
- disappears from all network namespaces when the module is unloaded.
+ SRU Justification
+
+ Impact: Currently, the /proc/sys/net/bridge folder is only created in
+ the initial network namespace. This blocks use-cases where users would
+ like to e.g. not do bridge filtering for bridges in a specific network
+ namespace while doing so for bridges located in another network
+ namespace.
+
+ Fix: The patches linked below ensure that the /proc/sys/net/bridge
+ folder is available in each network namespace if the module is loaded
+ and disappears from all network namespaces when the module is unloaded.
  In doing so the patch makes the sysctls:
  
  bridge-nf-call-arptables
  bridge-nf-call-ip6tables
  bridge-nf-call-iptables
  bridge-nf-filter-pppoe-tagged
  bridge-nf-filter-vlan-tagged
  bridge-nf-pass-vlan-input-dev
  
- apply per network namespace. This unblocks some use-cases where users would
- like to e.g. not do bridge filtering for bridges in a specific network
- namespace while doing so for bridges located in another network namespace.
+ apply per network namespace.
  
- The netfilter rules are afaict already per network namespace so it should
- be safe for users to specify whether bridge devices inside a network
- namespace are supposed to go through iptables et al. or not. Also, this can
- already be done per-bridge by setting an option for each individual bridge
- via Netlink. It should also be possible to do this for all bridges in a
- network namespace via sysctls.
+ Regression Potential: None, since this didn't use to work before.
+ Otherwise limited to the br_netfilter module.
+
+ The netfilter rules are afaict already per network namespace so it
+ should be safe for users to specify whether bridge devices inside a
+ network namespace are supposed to go through iptables et al. or not.
+ Also, this can already be done per-bridge by setting an option for each
+ individual bridge via Netlink. It should also be possible to do this
+ for all bridges in a network namespace via sysctls.
  
- I've pushed a small series of patches upstream.
- Please backport them to our LTS kernels. :)
+ Test Case: Tested with LXD on a kernel with the patches applied and per-
+ network namespace iptables.
+
+ Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the
+ patchset upstream.
+
+ Patches:
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
+
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
+
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db
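A check for the per-namespace behaviour described in the SRU justification, added here as an example and not part of the bug report or the linked kernel patches: it lists the six br_netfilter sysctls under a sysctl root and compares two roots, so running it under `ip netns exec` in two namespaces (or against constructed directories) shows whether the directory exists there and whether the values are independent. The function names and the ROOT parameter are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report: inspect and compare the
# br_netfilter sysctls that the linked patches make per network namespace.
# ROOT defaults to /proc/sys; tests may pass a constructed directory instead.

BRIDGE_NF_KEYS="bridge-nf-call-arptables bridge-nf-call-ip6tables bridge-nf-call-iptables \
bridge-nf-filter-pppoe-tagged bridge-nf-filter-vlan-tagged bridge-nf-pass-vlan-input-dev"

# Print key=value for each sysctl under ROOT/net/bridge.
# Returns 1 when the directory is missing: either br_netfilter is not
# loaded, or this is a non-initial netns on a kernel without the patches.
bridge_nf_sysctls() {
  root="${1:-/proc/sys}"
  dir="$root/net/bridge"
  [ -d "$dir" ] || { echo "absent: $dir" >&2; return 1; }
  for k in $BRIDGE_NF_KEYS; do
    [ -r "$dir/$k" ] || continue
    printf '%s=%s\n' "$k" "$(cat "$dir/$k")"
  done
}

# Print "key: A vs B" for each sysctl whose value differs between two roots.
# Returns 0 if at least one differs (the two views really are independent),
# 1 if every visible value is identical, 2 if either root lacks the directory.
bridge_nf_diff() {
  a=$(bridge_nf_sysctls "$1") || return 2
  b=$(bridge_nf_sysctls "$2") || return 2
  differs=1
  for k in $BRIDGE_NF_KEYS; do
    va=$(printf '%s\n' "$a" | sed -n "s/^$k=//p")
    vb=$(printf '%s\n' "$b" | sed -n "s/^$k=//p")
    if [ "$va" != "$vb" ]; then
      echo "$k: $va vs $vb"
      differs=0
    fi
  done
  return $differs
}
```

On a patched kernel, `ip netns exec NS sh -c '. ./bridge_nf.sh; bridge_nf_sysctls'` prints that namespace's own values, while an unpatched kernel reports the directory as absent in every namespace but the initial one.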
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1836910

Title:
  br_netfilter: namespace sysctl operations

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1836910/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
