[SRU][B/D] Ensure /proc/sys/net/bridge folders (dis)appear appropriately

Connor Kuehl connor.kuehl at canonical.com
Wed Aug 28 23:28:12 UTC 2019


On 7/25/19 5:20 PM, Connor Kuehl wrote:
> Note: Bionic required two additional patches in order for these to apply cleanly, one
> of which required minor backporting to use the updated wrappers/symbols.
> 
> BugLink: https://bugs.launchpad.net/bugs/1836910
> 
> Justification taken from the link above ^
> 
> SRU Justification
> 
> Impact: Currently, the /proc/sys/net/bridge folder is only created in the initial network namespace.
> This blocks use-cases where users would like to e.g. not do bridge filtering for bridges in a specific
> network namespace while doing so for bridges located in another network namespace.
> 
> Fix: The patches linked below ensure that the /proc/sys/net/bridge folder is available in each network
> namespace if the module is loaded and disappears from all network namespaces when the module is unloaded.
> 
> In doing so the patch makes the sysctls:
> 
> bridge-nf-call-arptables
> bridge-nf-call-ip6tables
> bridge-nf-call-iptables
> bridge-nf-filter-pppoe-tagged
> bridge-nf-filter-vlan-tagged
> bridge-nf-pass-vlan-input-dev
> 
> apply per network namespace.
> 
> Regression Potential: None, since this didn't use to work before. Otherwise limited to the br_netfilter module.
> The netfilter rules are afaict already per network namespace so it should be safe for users to specify whether
> bridge devices inside a network namespace are supposed to go through iptables et al. or not. Also, this can
> already be done per-bridge by setting an option for each individual bridge via Netlink. It should also be
> possible to do this for all bridges in a network namespace via sysctls.
> 
> Test Case: Tested with LXD on a kernel with the patches applied and per-network namespace iptables.
> 

Ping for SRU consideration into Bionic. Updated regression potential 
from the bug report below:

"Regression Potential: Low since it is limited to the br_netfilter 
module. I tested the patchset extensively by compiling a kernel with the 
patches applied. I loaded and unloaded the module and verified that it 
works correctly for the container usecase and does not crash. The Google 
ChromeOS team has also backported this patchset to their kernel and has 
not seen any issues so far: 
https://bugs.chromium.org/p/chromium/issues/detail?id=878034
Security considerations around netfilter rules are also low. The 
netfilter rules are already per network namespace so it should be safe 
for users to specify whether bridge devices inside a network namespace 
are supposed to go through iptables et al. or not. Also, this can 
already be done per-bridge by setting an option for each individual 
bridge via Netlink. It should also be possible to do this for all 
bridges in a network namespace via sysctls."
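As an added illustration (not code from this mail, the Launchpad bug, or the patch set itself), the following shell script exercises the three behaviours the justification lists on a kernel carrying the patches: /proc/sys/net/bridge is populated inside a freshly created network namespace, a write to bridge-nf-call-iptables there leaves the initial namespace's value alone, and unloading br_netfilter removes the directory from both namespaces. It needs root, iproute2 and the br_netfilter module; the namespace name sru-test and the script file name are arbitrary choices. On an unpatched Bionic kernel the first check fails inside the namespace, which is exactly the Impact described above.

```shell
#!/bin/sh
# Added example, not code from the mail or the Launchpad bug: exercise the
# behaviour the SRU justification describes on a patched kernel. Needs root,
# iproute2 and the br_netfilter module; the namespace name is an arbitrary
# choice (override with NS=...). Run it as:  sudo sh bridge-nf-netns.sh run
set -eu

NS="${NS:-sru-test}"

# The six sysctls the justification says become per-network-namespace.
BRIDGE_SYSCTLS="bridge-nf-call-arptables bridge-nf-call-ip6tables \
bridge-nf-call-iptables bridge-nf-filter-pppoe-tagged \
bridge-nf-filter-vlan-tagged bridge-nf-pass-vlan-input-dev"

# Run a command inside the test namespace. /proc/sys/net is rendered for
# the reading task's netns, so plain cat/echo on the files is enough.
in_ns() { ip netns exec "$NS" "$@"; }

# Succeed only if every expected sysctl exists under the given directory;
# the directory is a parameter so the same check works on any tree.
check_sysctls() {
    dir="$1"; missing=0
    for s in $BRIDGE_SYSCTLS; do
        [ -e "$dir/$s" ] || { echo "missing: $dir/$s" >&2; missing=1; }
    done
    return $missing
}

# Per-namespace isolation holds when a write of 0 in the child leaves the
# initial namespace at 1: arguments are the init value and the child value.
isolated() { [ "$1" = 1 ] && [ "$2" = 0 ]; }

cleanup() { ip netns del "$NS" 2>/dev/null || true; }

main() {
    modprobe br_netfilter
    trap cleanup EXIT
    ip netns add "$NS"

    # 1. The directory and all six files exist in init and in the new netns.
    check_sysctls /proc/sys/net/bridge
    in_ns sh -ec 'for s in '"$BRIDGE_SYSCTLS"'; do [ -e "/proc/sys/net/bridge/$s" ]; done'
    echo "ok: /proc/sys/net/bridge populated in init and in $NS"

    # 2. Toggling bridge-nf-call-iptables in the child must not leak to init.
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
    in_ns sh -c 'echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables'
    init_val=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables)
    ns_val=$(in_ns cat /proc/sys/net/bridge/bridge-nf-call-iptables)
    isolated "$init_val" "$ns_val" || { echo "FAIL: init=$init_val ns=$ns_val" >&2; exit 1; }
    echo "ok: bridge-nf-call-iptables is per-netns (init=$init_val, $NS=$ns_val)"

    # 3. Unloading the module removes the directory from every namespace.
    #    modprobe -r fails if the module is built in or still in use; skip then.
    if modprobe -r br_netfilter 2>/dev/null; then
        [ ! -d /proc/sys/net/bridge ] || { echo "FAIL: dir survived unload in init" >&2; exit 1; }
        in_ns sh -c '[ ! -d /proc/sys/net/bridge ]' || { echo "FAIL: dir survived unload in $NS" >&2; exit 1; }
        echo "ok: /proc/sys/net/bridge gone from init and $NS after unload"
    fi
}

# Only run the privileged checks when explicitly asked.
if [ "${1:-}" = run ]; then main "$@"; fi
```

Step 3 is the one most likely to be skipped in practice, since modprobe -r refuses while a bridge still holds the module; run it on a host with no bridges (or with LXD stopped) to see the directory disappear. The per-bridge alternative the justification mentions is the bridge netlink option, which iproute2 exposes as `ip link set br0 type bridge nf_call_iptables 0`; the per-namespace sysctl sets the default for every bridge in that namespace rather than replacing that knob.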
