From patchwork Tue Jun 30 16:27:47 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: bridge: make bridge-nf-call-*tables default configurable
Date: Tue, 30 Jun 2009 06:27:47 -0000
From: Mark McLoughlin
X-Patchwork-Id: 29319
Message-Id: <1246379267.3749.42.camel@blaa>
To: netdev
Cc: Herbert Xu

With BRIDGE_NETFILTER enabled, bridge traffic is passed through netfilter as it is forwarded across the bridge. This is a useful feature in specialized cases where the admin wishes to filter bridge traffic based on higher-level protocol headers.

However, in a lot of cases, it causes a large amount of confusion since it is so counter-intuitive - nobody expects their IP firewall rules to also apply to traffic on their bridges. This is especially true for virtualization, where users create a bridge and find that some types of traffic work and others don't, and it can take quite some time to identify iptables as the culprit.

Users are often recommended to configure their iptables rules to ACCEPT "physdev-is-bridged" in order to avoid this confusion. However, because nf_conntrack introduces an skb_orphan(), it is now recommended that bridge-nf-call-iptables be disabled completely so as to ensure features like TUNSETSNDBUF work as expected.

For these reasons, it makes sense to allow distributions to disable netfilter on the bridge by default and require those specialized users to enable it explicitly via sysctl.

Signed-off-by: Mark McLoughlin

--- net/Kconfig | 12 ++++++++++++ net/bridge/br_netfilter.c | 6 ++++++ 2 files changed, 18 insertions(+), 0 deletions(-) diff --git a/net/Kconfig b/net/Kconfig index 7051b97..b5f4379 100644 --- a/net/Kconfig +++ b/net/Kconfig
@@ -153,6 +153,18 @@ config BRIDGE_NETFILTER If unsure, say N. +config BRIDGE_NETFILTER_DEFAULT_ON + def_bool y + prompt "Enable netfilter on the bridge by default" + depends on BRIDGE_NETFILTER && SYSCTL + ---help--- + Selecting this option will enable netfilter iptables + etc. rules on bridges by default. This means that netfilter + iptables rules will apply to frames forwarded across the + bridge. If this option is not selected, it can be enabled at + runtime using the net.bridge.bridge-nf-call-*tables sysctl + settings. + source "net/netfilter/Kconfig" source "net/ipv4/netfilter/Kconfig" source "net/ipv6/netfilter/Kconfig" diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index d22f611..ed53e21 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c @@ -55,9 +55,15 @@ #ifdef CONFIG_SYSCTL static struct ctl_table_header *brnf_sysctl_header; +#ifdef CONFIG_BRIDGE_NETFILTER_DEFAULT_ON static int brnf_call_iptables __read_mostly = 1; static int brnf_call_ip6tables __read_mostly = 1; static int brnf_call_arptables __read_mostly = 1; +#else +static int brnf_call_iptables __read_mostly = 0; +static int brnf_call_ip6tables __read_mostly = 0; +static int brnf_call_arptables __read_mostly = 0; +#endif static int brnf_filter_vlan_tagged __read_mostly = 0; static int brnf_filter_pppoe_tagged __read_mostly = 0; #else
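Review bot: In the net/Kconfig hunk, the help text for BRIDGE_NETFILTER_DEFAULT_ON should state the security consequence of saying N, not only the convenience one: with the option off, frames forwarded across a bridge are no longer seen by iptables, ip6tables or arptables rules until an administrator sets net.bridge.bridge-nf-call-iptables (and the ip6tables/arptables counterparts) to 1, so any deployment that relies on the host firewall to filter bridged guest or container traffic silently loses that filtering after a kernel or distribution upgrade that flips the default. Suggest naming all three sysctls explicitly and replacing the vague "netfilter iptables etc. rules" wording, e.g. "iptables, ip6tables and arptables rules will apply to frames forwarded across the bridge". As a style point, `def_bool y` followed by a separate `prompt` line is the less common spelling of `bool "Enable netfilter on the bridge by default"` plus `default y`; the latter form matches the surrounding BRIDGE_NETFILTER entry and is easier to read.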
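Review bot: In the net/bridge/br_netfilter.c hunk, the three `brnf_call_*` definitions are duplicated in full under `#ifdef CONFIG_BRIDGE_NETFILTER_DEFAULT_ON` / `#else`, which invites the two branches drifting apart when a fourth knob is added; define the default once instead, e.g. `#define BRNF_CALL_DEFAULT 1` under the ifdef and `0` under the else, then keep a single `static int brnf_call_iptables __read_mostly = BRNF_CALL_DEFAULT;` line per variable. Note also that only the `brnf_call_iptables`, `brnf_call_ip6tables` and `brnf_call_arptables` defaults change here; `brnf_filter_vlan_tagged` and `brnf_filter_pppoe_tagged` keep their existing 0 default, and the non-CONFIG_SYSCTL `#else` branch visible at the end of the hunk is untouched, which is consistent with the Kconfig option depending on SYSCTL but worth a sentence in the commit message so readers know the no-sysctl build is unaffected.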