Disable netfilter on all bridges per default
Message ID | 1489219839-659-1-git-send-email-jonatan.schlag@ipfire.org |
---|---|
State | Accepted |
Commit | 0f1cda211c441d17e212ee7c881e0d0014238155 |
Message
Jonatan Schlag
March 11, 2017, 7:10 p.m. UTC
Fixes: #11301
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
---
config/etc/sysctl.conf | 5 +++++
config/rootfiles/core/110/filelists/files | 1 +
2 files changed, 6 insertions(+)
Comments
Thanks for submitting this patch. This is the default in IPFire 3, so it makes sense to backport that behaviour to IPFire 2 as well. Best, -Michael On Sat, 2017-03-11 at 09:10 +0100, Jonatan Schlag wrote: > Fixes: #11301 > > Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> > --- > config/etc/sysctl.conf | 5 +++++ > config/rootfiles/core/110/filelists/files | 1 + > 2 files changed, 6 insertions(+) > > diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf > index e2e3d81..ad56240 100644 > --- a/config/etc/sysctl.conf > +++ b/config/etc/sysctl.conf > @@ -34,3 +34,8 @@ net.ipv6.conf.default.disable_ipv6 = 1 > > # Enable netfilter accounting > net.netfilter.nf_conntrack_acct=1 > + > +# Disable netfilter on bridges. > +net.bridge.bridge-nf-call-ip6tables = 0 > +net.bridge.bridge-nf-call-iptables = 0 > +net.bridge.bridge-nf-call-arptables = 0 > diff --git a/config/rootfiles/core/110/filelists/files > b/config/rootfiles/core/110/filelists/files > index b996e48..f06b6d5 100644 > --- a/config/rootfiles/core/110/filelists/files > +++ b/config/rootfiles/core/110/filelists/files > @@ -2,6 +2,7 @@ etc/system-release > etc/issue > etc/httpd/conf/server-tuning.conf > etc/rc.d/init.d/unbound > +etc/sysctl.conf > srv/web/ipfire/cgi-bin/index.cgi > srv/web/ipfire/cgi-bin/vpnmain.cgi > usr/lib/libssp.so.0
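Review bot: In the config/etc/sysctl.conf hunk, the added comment "# Disable netfilter on bridges." does not state the consequence. With the three net.bridge.bridge-nf-call-* keys at 0, frames forwarded between ports of the same bridge no longer traverse the iptables, ip6tables or arptables chains, so any rule that relied on seeing bridged traffic stops matching and filtering between bridge ports has to happen at the bridge layer (ebtables). Suggest spelling that out in the comment and in the commit message, which carries only "Fixes: #11301". These keys also exist only once the kernel's bridge netfilter code is loaded, so it is worth confirming that sysctl.conf is applied after that point; if it is applied earlier, the kernel default of 1 stays in effect.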
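Review bot: In the config/rootfiles/core/110/filelists/files hunk, the added "+etc/sysctl.conf" line ships the whole file with the update, and nothing in this diff re-applies it afterwards. As far as the patch shows, an updated system would pick up the three new values only at the next reboot unless the update step also reloads them (for example with sysctl -p). Shipping the full file also replaces any local edits to etc/sysctl.conf on existing installations, so please confirm that is intended and mention it in the commit message.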