[lxc-devel] [lxd/master] Bridged NIC: Load br_netfilter kernel module when using IPv6 filtering

tomponline on Github lxc-bot at linuxcontainers.org
Tue Feb 4 08:52:11 UTC 2020


From 21a2b5bc869ffe785a5f0d10bd3727fa679695c4 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Tue, 4 Feb 2020 08:51:05 +0000
Subject: [PATCH] lxd/device/nic/bridged: Load br_netfilter kernel module when
 using IPv6 filtering

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/device/nic_bridged.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lxd/device/nic_bridged.go b/lxd/device/nic_bridged.go
index b30248fe33..18fb417076 100644
--- a/lxd/device/nic_bridged.go
+++ b/lxd/device/nic_bridged.go
@@ -17,6 +17,7 @@ import (
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/mdlayher/eui64"
+	"github.com/pkg/errors"
 
 	"github.com/lxc/lxd/lxd/db"
 	deviceConfig "github.com/lxc/lxd/lxd/device/config"
@@ -479,6 +480,13 @@ func (d *nicBridged) setFilters() (err error) {
 	}
 
 	if shared.IsTrue(d.config["security.ipv6_filtering"]) {
+		// Ensure the correct br_netfilter kernel module is loaded before establishing checking for
+		// bridge filtering support in iptables.
+		err := util.LoadModule("br_netfilter")
+		if err != nil {
+			return errors.Wrapf(err, "Error loading %q module", "br_netfilter")
+		}
+
 		// Check br_netfilter is loaded and enabled for IPv6.
 		sysctlPath := "net/bridge/bridge-nf-call-ip6tables"
 		sysctlVal, err := util.SysctlGet(sysctlPath)
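Review bot: The comment added above the `util.LoadModule("br_netfilter")` call is garbled ("before establishing checking for") and names iptables, while the check that follows reads the `net/bridge/bridge-nf-call-ip6tables` sysctl. It also omits that loading br_netfilter is a host-wide change: once the module is present, traffic on other bridges may start traversing the netfilter hooks, depending on the bridge-nf-call-* sysctl values. I would reword it to `// Load br_netfilter so the bridge-nf-call-ip6tables sysctl checked below is available.` followed by `// Loading the module is host-wide and may change filtering on other bridges.` Returning the wrapped error when the load fails keeps the path fail-closed, so the NIC is not left without the requested IPv6 filtering. The rest of setFilters lies outside this hunk.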

