From patchwork Fri Jan 9 12:04:55 2009
X-Patchwork-Submitter: Herbert Xu
X-Patchwork-Id: 17502
X-Patchwork-Delegate: davem@davemloft.net
Date: Fri, 9 Jan 2009 23:04:55 +1100
From: Herbert Xu
To: John Dykstra
Cc: Ilpo Järvinen, Netdev, bugme-daemon@bugzilla.kernel.org, Andrew Morton, Speedster, Patrick McHardy, Stephen Hemminger, "David S. Miller"
Subject: Re: [Bugme-new] [Bug 12327] New: Intermittent TCP issues with => 2.6.27
Message-ID: <20090109120455.GB12486@gondor.apana.org.au>
References: <20090109031408.GB11336@gondor.apana.org.au> <20090109115515.GA12486@gondor.apana.org.au>
In-Reply-To: <20090109115515.GA12486@gondor.apana.org.au>
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: netdev-owner@vger.kernel.org
X-Mailing-List: netdev@vger.kernel.org

On Fri, Jan 09, 2009 at 10:55:15PM +1100, Herbert Xu wrote:
>
> It turns out that even though we have sysctls that are supposed
> to control pppoe/vlan processing, they don't actually work.
>
> This patch should make them work.

With that we can actually turn them off.

bridge: Disable PPPOE/VLAN processing by default

The PPPOE/VLAN processing code in the bridge netfilter is broken by design. The VLAN tag and the PPPOE session ID are an integral part of the packet flow information, yet they're completely ignored by the bridge netfilter. This is potentially a security hole as it treats all VLANs and PPPOE sessions as the same.

What's more, it's actually broken for PPPOE as the bridge netfilter tries to trim the packets to the IP length without adjusting the PPPOE header (and adjusting the PPPOE header isn't much better since the PPPOE peer may require the padding to be present).

Therefore we should disable this by default. It does mean that people relying on this feature may lose networking depending on how their bridge netfilter rules are configured. However, IMHO the problems this code causes are serious enough to warrant this.

Signed-off-by: Herbert Xu

Cheers,

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 9a1cd75..cf754ac 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c @@ -58,11 +58,11 @@ static struct ctl_table_header *brnf_sysctl_header; static int brnf_call_iptables __read_mostly = 1; static int brnf_call_ip6tables __read_mostly = 1; static int brnf_call_arptables __read_mostly = 1; -static int brnf_filter_vlan_tagged __read_mostly = 1; -static int brnf_filter_pppoe_tagged __read_mostly = 1; +static int brnf_filter_vlan_tagged __read_mostly = 0; +static int brnf_filter_pppoe_tagged __read_mostly = 0; #else -#define brnf_filter_vlan_tagged 1 -#define brnf_filter_pppoe_tagged 1 +#define brnf_filter_vlan_tagged 0 +#define brnf_filter_pppoe_tagged 0 #endif static inline __be16 vlan_proto(const struct sk_buff *skb)
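Review bot: The #else branch now hard-codes both brnf_filter_vlan_tagged and brnf_filter_pppoe_tagged to 0, so on a kernel built without the sysctl interface this processing can no longer be enabled at all, not merely defaulted off; the commit message only says users "may lose networking depending on how their bridge netfilter rules are configured" and should state that consequence explicitly. The quoted text also says the sysctls "don't actually work" and that "this patch should make them work", but this hunk only flips the initial values of the two variables; if the change that makes the sysctls take effect lives elsewhere, reference it in the message, and update the documentation of the corresponding sysctls to reflect the new default of 0.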