| 2019-07-17 13:53:18 |
Christian Brauner |
bug |
|
|
added bug |
| 2019-07-17 13:54:41 |
Christian Brauner |
bug |
|
|
added subscriber Ubuntu Containers Team |
| 2019-07-17 13:54:49 |
Christian Brauner |
bug |
|
|
added subscriber Seth Forshee |
| 2019-07-17 14:00:06 |
Ubuntu Kernel Bot |
linux (Ubuntu): status |
New |
Incomplete |
|
| 2019-07-17 14:00:18 |
Christian Brauner |
linux (Ubuntu): status |
Incomplete |
Confirmed |
|
| 2019-07-17 16:25:58 |
Christian Brauner |
description |
Currently, the /proc/sys/net/bridge folder is only created in the initial
network namespace. This patch ensures that the /proc/sys/net/bridge folder
is available in each network namespace if the module is loaded and
disappears from all network namespaces when the module is unloaded.
In doing so the patch makes the sysctls:
bridge-nf-call-arptables
bridge-nf-call-ip6tables
bridge-nf-call-iptables
bridge-nf-filter-pppoe-tagged
bridge-nf-filter-vlan-tagged
bridge-nf-pass-vlan-input-dev
apply per network namespace. This unblocks some use-cases where users would
like to e.g. not do bridge filtering for bridges in a specific network
namespace while doing so for bridges located in another network namespace.
The netfilter rules are afaict already per network namespace so it should
be safe for users to specify whether bridge devices inside a network
namespace are supposed to go through iptables et al. or not. Also, this can
already be done per-bridge by setting an option for each individual bridge
via Netlink. It should also be possible to do this for all bridges in a
network namespace via sysctls.
I've pushed a small series of patches upstream.
Please backport them to our LTS kernels. :) |
SRU Justification
Impact: Currently, the /proc/sys/net/bridge folder is only created in the initial network namespace. This blocks use-cases where users would like to e.g. not do bridge filtering for bridges in a specific network namespace while doing so for bridges located in another network namespace.
Fix: The patches linked below ensure that the /proc/sys/net/bridge folder is available in each network namespace if the module is loaded and disappears from all network namespaces when the module is unloaded.
In doing so the patch makes the sysctls:
bridge-nf-call-arptables
bridge-nf-call-ip6tables
bridge-nf-call-iptables
bridge-nf-filter-pppoe-tagged
bridge-nf-filter-vlan-tagged
bridge-nf-pass-vlan-input-dev
apply per network namespace.
Regression Potential: None, since this didn't use to work before. Otherwise limited to the br_netfilter module.
The netfilter rules are afaict already per network namespace so it should be safe for users to specify whether bridge devices inside a network namespace are supposed to go through iptables et al. or not. Also, this can already be done per-bridge by setting an option for each individual bridge via Netlink. It should also be possible to do this for all bridges in a network namespace via sysctls.
Test Case: Tested with LXD on a kernel with the patches applied and per-network namespace iptables.
Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the patchset upstream.
Patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db |
|
| 2019-07-19 23:54:59 |
Terry Rudd |
bug |
|
|
added subscriber Terry Rudd |
| 2019-07-22 20:22:54 |
Connor Kuehl |
nominated for series |
|
Ubuntu Disco |
|
| 2019-07-22 20:22:54 |
Connor Kuehl |
bug task added |
|
linux (Ubuntu Disco) |
|
| 2019-07-22 20:22:54 |
Connor Kuehl |
nominated for series |
|
Ubuntu Bionic |
|
| 2019-07-22 20:22:54 |
Connor Kuehl |
bug task added |
|
linux (Ubuntu Bionic) |
|
| 2019-07-22 20:22:59 |
Connor Kuehl |
linux (Ubuntu Bionic): status |
New |
In Progress |
|
| 2019-07-22 20:23:01 |
Connor Kuehl |
linux (Ubuntu Disco): status |
New |
In Progress |
|
| 2019-07-22 20:23:03 |
Connor Kuehl |
linux (Ubuntu Bionic): importance |
Undecided |
Medium |
|
| 2019-07-22 20:23:05 |
Connor Kuehl |
linux (Ubuntu Disco): importance |
Undecided |
Medium |
|
| 2019-07-22 20:23:06 |
Connor Kuehl |
linux (Ubuntu Disco): assignee |
|
Connor Kuehl (connork) |
|
| 2019-07-22 20:23:08 |
Connor Kuehl |
linux (Ubuntu Bionic): assignee |
|
Connor Kuehl (connork) |
|
| 2019-07-22 20:23:17 |
Connor Kuehl |
linux (Ubuntu): status |
Confirmed |
Invalid |
|
| 2019-07-30 15:57:30 |
Seth Forshee |
linux (Ubuntu): status |
Invalid |
Fix Committed |
|
| 2019-07-30 16:24:28 |
Christian Brauner |
description |
SRU Justification
Impact: Currently, the /proc/sys/net/bridge folder is only created in the initial network namespace. This blocks use-cases where users would like to e.g. not do bridge filtering for bridges in a specific network namespace while doing so for bridges located in another network namespace.
Fix: The patches linked below ensure that the /proc/sys/net/bridge folder is available in each network namespace if the module is loaded and disappears from all network namespaces when the module is unloaded.
In doing so the patch makes the sysctls:
bridge-nf-call-arptables
bridge-nf-call-ip6tables
bridge-nf-call-iptables
bridge-nf-filter-pppoe-tagged
bridge-nf-filter-vlan-tagged
bridge-nf-pass-vlan-input-dev
apply per network namespace.
Regression Potential: None, since this didn't use to work before. Otherwise limited to the br_netfilter module.
The netfilter rules are afaict already per network namespace so it should be safe for users to specify whether bridge devices inside a network namespace are supposed to go through iptables et al. or not. Also, this can already be done per-bridge by setting an option for each individual bridge via Netlink. It should also be possible to do this for all bridges in a network namespace via sysctls.
Test Case: Tested with LXD on a kernel with the patches applied and per-network namespace iptables.
Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the patchset upstream.
Patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db |
SRU Justification
Impact: Currently, the /proc/sys/net/bridge folder is only created in the initial network namespace. This blocks use-cases where users would like to e.g. not do bridge filtering for bridges in a specific network namespace while doing so for bridges located in another network namespace.
Fix: The patches linked below ensure that the /proc/sys/net/bridge folder is available in each network namespace if the module is loaded and disappears from all network namespaces when the module is unloaded.
In doing so the patch makes the sysctls:
bridge-nf-call-arptables
bridge-nf-call-ip6tables
bridge-nf-call-iptables
bridge-nf-filter-pppoe-tagged
bridge-nf-filter-vlan-tagged
bridge-nf-pass-vlan-input-dev
apply per network namespace.
Regression Potential: Low since it is limited to the br_netfilter module.
I verified that this does not lead to any regressions by compiling a kernel with those patches. I loaded and unloaded the module and verified that it works correctly for the container usecase and does not crash.
The netfilter rules are afaict already per network namespace so it should be safe for users to specify whether bridge devices inside a network namespace are supposed to go through iptables et al. or not. Also, this can already be done per-bridge by setting an option for each individual bridge via Netlink. It should also be possible to do this for all bridges in a network namespace via sysctls.
Test Case: Tested with LXD on a kernel with the patches applied and per-network namespace iptables.
Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the patchset upstream.
Patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db |
|
| 2019-07-31 18:12:56 |
Christian Brauner |
description |
SRU Justification
Impact: Currently, the /proc/sys/net/bridge folder is only created in the initial network namespace. This blocks use-cases where users would like to e.g. not do bridge filtering for bridges in a specific network namespace while doing so for bridges located in another network namespace.
Fix: The patches linked below ensure that the /proc/sys/net/bridge folder is available in each network namespace if the module is loaded and disappears from all network namespaces when the module is unloaded.
In doing so the patch makes the sysctls:
bridge-nf-call-arptables
bridge-nf-call-ip6tables
bridge-nf-call-iptables
bridge-nf-filter-pppoe-tagged
bridge-nf-filter-vlan-tagged
bridge-nf-pass-vlan-input-dev
apply per network namespace.
Regression Potential: Low since it is limited to the br_netfilter module.
I verified that this does not lead to any regressions by compiling a kernel with those patches. I loaded and unloaded the module and verified that it works correctly for the container usecase and does not crash.
The netfilter rules are afaict already per network namespace so it should be safe for users to specify whether bridge devices inside a network namespace are supposed to go through iptables et al. or not. Also, this can already be done per-bridge by setting an option for each individual bridge via Netlink. It should also be possible to do this for all bridges in a network namespace via sysctls.
Test Case: Tested with LXD on a kernel with the patches applied and per-network namespace iptables.
Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the patchset upstream.
Patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db |
SRU Justification
Impact: Currently, the /proc/sys/net/bridge folder is only created in the initial network namespace. This blocks use-cases where users would like to e.g. not do bridge filtering for bridges in a specific network namespace while doing so for bridges located in another network namespace.
Fix: The patches linked below ensure that the /proc/sys/net/bridge folder is available in each network namespace if the module is loaded and disappears from all network namespaces when the module is unloaded.
In doing so the patch makes the sysctls:
bridge-nf-call-arptables
bridge-nf-call-ip6tables
bridge-nf-call-iptables
bridge-nf-filter-pppoe-tagged
bridge-nf-filter-vlan-tagged
bridge-nf-pass-vlan-input-dev
apply per network namespace.
Regression Potential: Low since it is limited to the br_netfilter module. I tested the patchset extensively by compiling a kernel with the patches applied. I loaded and unloaded the module and verified that it works correctly for the container usecase and does not crash. The Google ChromeOS team has also backported this patchset to their kernel and has not seen any issues so far: https://bugs.chromium.org/p/chromium/issues/detail?id=878034
Security considerations around netfilter rules are also low. The netfilter rules are already per network namespace so it should be safe for users to specify whether bridge devices inside a network namespace are supposed to go through iptables et al. or not. Also, this can already be done per-bridge by setting an option for each individual bridge via Netlink. It should also be possible to do this for all bridges in a network namespace via sysctls.
Test Case: Tested with LXD on a kernel with the patches applied and per-network namespace iptables.
Target Kernels: All LTS kernels starting from 4.15. Kernel 5.3 has the patchset upstream.
Patches:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ff6d090d0db41425aef0cfe5dc58bb3cc12514a2
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=22567590b2e634247931b3d2351384ba45720ebe
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e6daf50e1f4ea0ecd56406beb64ffc66e1e94db |
|
| 2019-08-09 11:38:28 |
Launchpad Janitor |
linux (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2019-08-09 11:38:28 |
Launchpad Janitor |
cve linked |
|
2019-12614 |
|
| 2019-08-09 11:38:28 |
Launchpad Janitor |
cve linked |
|
2019-13648 |
|
| 2019-08-13 05:30:05 |
Khaled El Mously |
linux (Ubuntu Disco): status |
In Progress |
Fix Committed |
|
| 2019-08-15 10:51:43 |
Ubuntu Kernel Bot |
tags |
|
verification-needed-disco |
|
| 2019-08-20 15:19:26 |
Ubuntu Kernel Bot |
tags |
verification-needed-disco |
verification-needed-bionic verification-needed-disco |
|
| 2019-08-20 18:05:49 |
Christian Brauner |
tags |
verification-needed-bionic verification-needed-disco |
verification-done-bionic verification-done-disco |
|
| 2019-09-02 11:11:09 |
Launchpad Janitor |
linux (Ubuntu Disco): status |
Fix Committed |
Fix Released |
|
| 2019-09-02 11:11:09 |
Launchpad Janitor |
cve linked |
|
2019-14283 |
|
| 2019-09-02 11:11:09 |
Launchpad Janitor |
cve linked |
|
2019-14284 |
|
| 2019-09-02 11:11:09 |
Launchpad Janitor |
cve linked |
|
2019-3900 |
|
| 2019-09-03 17:20:01 |
Kleber Sacilotto de Souza |
tags |
verification-done-bionic verification-done-disco |
verification-done-disco |
|
| 2019-09-03 17:29:02 |
Kleber Sacilotto de Souza |
linux (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
| 2019-09-11 15:12:38 |
Ubuntu Kernel Bot |
tags |
verification-done-disco |
verification-done-disco verification-needed-bionic |
|
| 2019-09-16 07:21:46 |
Christian Brauner |
tags |
verification-done-disco verification-needed-bionic |
verification-done-bionic verification-done-disco |
|
| 2019-09-30 21:48:23 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2019-09-30 21:48:23 |
Launchpad Janitor |
cve linked |
|
2018-20976 |
|
