Disable netfilter on all bridges per default

Message ID 1489219839-659-1-git-send-email-jonatan.schlag@ipfire.org
State Accepted
Commit 0f1cda211c441d17e212ee7c881e0d0014238155
Message

Jonatan Schlag March 11, 2017, 7:10 p.m. UTC

Fixes: #11301

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
---
 config/etc/sysctl.conf                    | 5 +++++
 config/rootfiles/core/110/filelists/files | 1 +
 2 files changed, 6 insertions(+)

Comments

Michael Tremer March 13, 2017, 1:56 a.m. UTC | #1
Thanks for submitting this patch.

This is the default in IPFire 3, so it makes sense to backport that behaviour to
IPFire 2 as well.

Best,
-Michael

On Sat, 2017-03-11 at 09:10 +0100, Jonatan Schlag wrote:
> Fixes: #11301
> 
> Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
> ---
>  config/etc/sysctl.conf                    | 5 +++++
>  config/rootfiles/core/110/filelists/files | 1 +
>  2 files changed, 6 insertions(+)
> 
> diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
> index e2e3d81..ad56240 100644
> --- a/config/etc/sysctl.conf
> +++ b/config/etc/sysctl.conf
> @@ -34,3 +34,8 @@ net.ipv6.conf.default.disable_ipv6 = 1
>  
>  # Enable netfilter accounting
>  net.netfilter.nf_conntrack_acct=1
> +
> +# Disable netfilter on bridges.
> +net.bridge.bridge-nf-call-ip6tables = 0
> +net.bridge.bridge-nf-call-iptables = 0
> +net.bridge.bridge-nf-call-arptables = 0
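Review bot: The three `net.bridge.bridge-nf-call-*` keys added at the end of this hunk only exist in `/proc/sys/net/bridge/` once the bridge netfilter code is loaded (the `br_netfilter` module on kernels that split it out, or the `bridge` module on older ones); if `sysctl.conf` is applied before that happens, `sysctl -p` reports "cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory" and the settings are silently not in effect, while a later module load resets them to the kernel default of 1. Worth either ensuring the module is loaded before sysctl runs at boot or applying these keys again after bridge setup. Since setting them to 0 means frames forwarded across a bridge are no longer passed through iptables/ip6tables/arptables at all, the commit message ("Fixes: #11301") should also state that rationale explicitly, so anyone relying on bridge traffic being filtered can see the behaviour change. Minor style point: the new lines use `key = value` while the existing `net.netfilter.nf_conntrack_acct=1` directly above does not; pick one form for the file.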
> diff --git a/config/rootfiles/core/110/filelists/files
> b/config/rootfiles/core/110/filelists/files
> index b996e48..f06b6d5 100644
> --- a/config/rootfiles/core/110/filelists/files
> +++ b/config/rootfiles/core/110/filelists/files
> @@ -2,6 +2,7 @@ etc/system-release
>  etc/issue
>  etc/httpd/conf/server-tuning.conf
>  etc/rc.d/init.d/unbound
> +etc/sysctl.conf
>  srv/web/ipfire/cgi-bin/index.cgi
>  srv/web/ipfire/cgi-bin/vpnmain.cgi
>  usr/lib/libssp.so.0
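Review bot: Adding `etc/sysctl.conf` to the core 110 filelist ships the updated file, but nothing in this patch applies the new values on a system that is upgraded in place; until `sysctl -p` runs or the box reboots, the running kernel keeps the previous bridge-nf-call settings. If the core update does not already force a reboot, the update script should run `sysctl -p /etc/sysctl.conf` (after the bridge module is loaded) so the on-disk configuration and the live state agree, and the update notes should say that bridge traffic stops being filtered by netfilter after this update.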