Message-Id: <1246379267.3749.42.camel@blaa>
Date:	Tue, 30 Jun 2009 17:27:47 +0100
From:	Mark McLoughlin <markmc@...hat.com>
To:	netdev <netdev@...r.kernel.org>
Cc:	Herbert Xu <herbert@...dor.apana.org.au>
Subject: [PATCH] bridge: make bridge-nf-call-*tables default configurable

With BRIDGE_NETFILTER enabled, bridge traffic is passed through
netfilter as it is forwarded across the bridge. This is a useful
feature in specialized cases where the admin wishes to filter bridge
traffic based on higher-level protocol headers.

However, in a lot of cases, it causes a large amount of confusion
since it is so counter-intuitive - nobody expects their IP firewall
rules to also apply to traffic on their bridges.

This is especially true for virtualization, where users create a
bridge and find that some types of traffic work and others don't, and
it can take quite some time to identify iptables as the culprit. Users
are often recommended to configure their iptables rules to ACCEPT
"physdev-is-bridged" in order to avoid this confusion.

However, because nf_conntrack introduces an skb_orphan(), it is now
recommended that bridge-nf-call-iptables be disabled completely so as
to ensure features like TUNSETSNDBUF work as expected.

For these reasons, it makes sense to allow distributions to disable
netfilter on the bridge by default and require those specialized users
to enable it explicitly via sysctl.

Signed-off-by: Mark McLoughlin <markmc@...hat.com>
---
 net/Kconfig               |   12 ++++++++++++
 net/bridge/br_netfilter.c |    6 ++++++
 2 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/net/Kconfig b/net/Kconfig
index 7051b97..b5f4379 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -153,6 +153,18 @@ config BRIDGE_NETFILTER
 
 	  If unsure, say N.
 
+config BRIDGE_NETFILTER_DEFAULT_ON
+	def_bool y
+	prompt "Enable netfilter on the bridge by default"
+	depends on BRIDGE_NETFILTER && SYSCTL
+	---help---
+	  Selecting this option will enable netfilter iptables
+	  etc. rules on bridges by default. This means that netfilter
+	  iptables rules will apply to frames forwarded across the
+	  bridge. If this option is not selected, it can be enabled at
+	  runtime using the net.bridge.bridge-nf-call-*tables sysctl
+	  settings.
+
 source "net/netfilter/Kconfig"
 source "net/ipv4/netfilter/Kconfig"
 source "net/ipv6/netfilter/Kconfig"
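Review bot: the help text for BRIDGE_NETFILTER_DEFAULT_ON does not say which answer preserves today's behaviour, and it refers to the sysctls by a glob (`net.bridge.bridge-nf-call-*tables`) rather than by name. Suggest naming them (`net.bridge.bridge-nf-call-iptables`, `-ip6tables` and `-arptables`) and closing with `If unsure, say Y.`, matching the `If unsure, say N.` hint the preceding BRIDGE_NETFILTER entry ends with. Minor: `def_bool y` followed by `prompt "..."` is an unusual spelling of a visible option; the common idiom is `bool "Enable netfilter on the bridge by default"` with a separate `default y`.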
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index d22f611..ed53e21 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -55,9 +55,15 @@
 
 #ifdef CONFIG_SYSCTL
 static struct ctl_table_header *brnf_sysctl_header;
+#ifdef CONFIG_BRIDGE_NETFILTER_DEFAULT_ON
 static int brnf_call_iptables __read_mostly = 1;
 static int brnf_call_ip6tables __read_mostly = 1;
 static int brnf_call_arptables __read_mostly = 1;
+#else
+static int brnf_call_iptables __read_mostly = 0;
+static int brnf_call_ip6tables __read_mostly = 0;
+static int brnf_call_arptables __read_mostly = 0;
+#endif
 static int brnf_filter_vlan_tagged __read_mostly = 0;
 static int brnf_filter_pppoe_tagged __read_mostly = 0;
 #else
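Review bot: the new `#ifdef CONFIG_BRIDGE_NETFILTER_DEFAULT_ON` duplicates the three declarations in both branches, so a toggle added to one branch later can silently miss the other. Consider defining the default once, e.g. `#ifdef CONFIG_BRIDGE_NETFILTER_DEFAULT_ON` / `#define BRNF_CALL_DEFAULT 1` / `#else` / `#define BRNF_CALL_DEFAULT 0`, and initialising `brnf_call_iptables`, `brnf_call_ip6tables` and `brnf_call_arptables` from it. That also drops the explicit `= 0` initialisers in the `#else` branch, which checkpatch warns about for statics (the two existing `brnf_filter_*_tagged` lines already do this, so it is a pre-existing style point). The `#else` of the enclosing `#ifdef CONFIG_SYSCTL` lies outside the hunk; since the Kconfig option depends on SYSCTL, please confirm the non-sysctl build still hard-codes the old value of 1 for all three so behaviour there is unchanged.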
-- 
1.6.2.2

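The runtime side of what the commit message describes, as an added example that is not part of the patch or of the kernel tree: check whether bridged frames are currently being passed through iptables/ip6tables/arptables, emit the sysctl.d fragment that turns that off, and print the physdev-is-bridged rule the message mentions as the other workaround. It assumes the three toggles live under /proc/sys/net/bridge, which is only the case once the bridge netfilter code is loaded; the optional directory argument is an assumption added so the functions can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example (not from the patch or the kernel tree): inspect and change
# the bridge-nf-call-*tables toggles. The directory argument is an assumption
# for testing; it defaults to the real sysctl location.

# Print "bridge-nf-call-<table>=<value>" for each toggle found under $1.
# Returns 1 if the directory is absent, i.e. bridge netfilter is not loaded.
brnf_status() {
    root="${1:-/proc/sys/net/bridge}"
    [ -d "$root" ] || { echo "no bridge sysctls under $root (bridge netfilter not loaded?)" >&2; return 1; }
    for t in iptables ip6tables arptables; do
        f="$root/bridge-nf-call-$t"
        [ -r "$f" ] && printf 'bridge-nf-call-%s=%s\n' "$t" "$(cat "$f")"
    done
}

# Return 0 if any toggle is 1, meaning bridged frames traverse that table.
brnf_enabled() {
    brnf_status "$1" 2>/dev/null | grep -q '=1$'
}

# Emit a sysctl.d fragment that disables all three (what the commit message
# says is now recommended); apply with: brnf_disable_fragment > /etc/sysctl.d/99-brnf.conf
brnf_disable_fragment() {
    for t in iptables ip6tables arptables; do
        printf 'net.bridge.bridge-nf-call-%s = 0\n' "$t"
    done
}

# The older workaround: keep netfilter on the bridge, but accept bridged
# frames in FORWARD before any other rule can drop them.
brnf_physdev_rule() {
    echo "iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT"
}

# Stand-alone use: report the live state of this host.
if brnf_enabled; then
    echo "bridge traffic IS being filtered by netfilter:"
    brnf_status
else
    echo "bridge traffic is not being passed through netfilter"
fi
```

Note that a sysctl.d fragment only takes effect if the toggles exist when it is applied; on hosts where the bridge code is loaded later, re-run `sysctl --system` or set the values from the same place the bridge is created.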