[lxc-devel] [lxd/master] NIC Bridged: Don't load br_netfilter

tomponline on Github lxc-bot at linuxcontainers.org
Fri Apr 17 16:15:23 UTC 2020


From a6177995499dde2e27e52d610ed64547d2797164 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Fri, 17 Apr 2020 17:13:57 +0100
Subject: [PATCH] lxd/device/nic/bridged: Don't load br_netfilter

This can cause unwanted traffic blocks in its default mode so don't try to load it.

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/device/nic_bridged.go | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go
index 5807c82274..5ab6c41df0 100644
--- a/lxd/device/nic_bridged.go
+++ b/lxd/device/nic_bridged.go
@@ -537,22 +537,16 @@ func (d *nicBridged) setFilters() (err error) {
 	}
 
 	if shared.IsTrue(d.config["security.ipv6_filtering"]) {
-		// Ensure the correct br_netfilter kernel module is loaded before checking for bridge filtering
-		// support in iptables.
-		err := util.LoadModule("br_netfilter")
-		if err != nil {
-			return errors.Wrapf(err, "Error loading %q module", "br_netfilter")
-		}
-
-		// Check br_netfilter is loaded and enabled for IPv6.
+		// Check br_netfilter kernel module is loaded and enabled for IPv6. We won't try to load it as its
+		// default mode can cause unwanted traffic blocking.
 		sysctlPath := "net/bridge/bridge-nf-call-ip6tables"
 		sysctlVal, err := util.SysctlGet(sysctlPath)
 		if err != nil {
-			return fmt.Errorf("Error reading net sysctl %s: %v", sysctlPath, err)
+			return errors.Wrapf(err, "security.ipv6_filtering requires br_netfilter be loaded")
 		}
 
 		if sysctlVal != "1\n" {
-			return fmt.Errorf("security.ipv6_filtering requires br_netfilter and sysctl net.bridge.bridge-nf-call-ip6tables=1")
+			return fmt.Errorf("security.ipv6_filtering requires br_netfilter sysctl net.bridge.bridge-nf-call-ip6tables=1")
 		}
 	}
 
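Review bot: the new read-error path `errors.Wrapf(err, "security.ipv6_filtering requires br_netfilter be loaded")` passes no format arguments, so `errors.Wrap` is the right call, and the message it replaces (`"Error reading net sysctl %s: %v"`) carried the sysctl path, which the new text drops; since `util.SysctlGet` can fail for reasons other than the module being absent, reporting "requires br_netfilter be loaded" for every read error can send an administrator looking in the wrong place. Suggest keeping the path, e.g. `errors.Wrapf(err, "security.ipv6_filtering requires br_netfilter to be loaded (failed reading sysctl %s)", sysctlPath)`. Minor: the other new string, "requires br_netfilter sysctl net.bridge.bridge-nf-call-ip6tables=1", lost the "and" the previous wording had; "requires br_netfilter and sysctl net.bridge.bridge-nf-call-ip6tables=1" reads correctly. It would also help to state in the commit message that this is fail-closed: with `security.ipv6_filtering` enabled and the module not loaded, `setFilters` now returns an error instead of LXD loading the module itself, so the device does not start without the filtering being enforceable, which is the safe outcome.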

