From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jonatan Schlag
To: development@lists.ipfire.org
Subject: [PATCH] Disable netfilter on all bridges per default
Date: Sat, 11 Mar 2017 09:10:39 +0100
Message-ID: <1489219839-659-1-git-send-email-jonatan.schlag@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6900699146112418189=="
List-Id:

--===============6900699146112418189==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Fixes: #11301
Signed-off-by: Jonatan Schlag
---
 config/etc/sysctl.conf | 5 +++++
 config/rootfiles/core/110/filelists/files | 1 +
 2 files changed, 6 insertions(+)

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index e2e3d81..ad56240 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -34,3 +34,8 @@ net.ipv6.conf.default.disable_ipv6 =3D 1
=20
 # Enable netfilter accounting
 net.netfilter.nf_conntrack_acct=3D1
+
+# Disable netfilter on bridges.
+net.bridge.bridge-nf-call-ip6tables =3D 0
+net.bridge.bridge-nf-call-iptables =3D 0
+net.bridge.bridge-nf-call-arptables =3D 0
diff --git a/config/rootfiles/core/110/filelists/files b/config/rootfiles/cor= e/110/filelists/files
index b996e48..f06b6d5 100644
--- a/config/rootfiles/core/110/filelists/files
+++ b/config/rootfiles/core/110/filelists/files
@@ -2,6 +2,7 @@ etc/system-release
 etc/issue
 etc/httpd/conf/server-tuning.conf
 etc/rc.d/init.d/unbound
+etc/sysctl.conf
 srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/lib/libssp.so.0
--=20
2.1.4

--===============6900699146112418189==--
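Review bot: The three `net.bridge.bridge-nf-call-*` keys added at the end of config/etc/sysctl.conf only take effect if the kernel's bridge netfilter code is already loaded when sysctl.conf is applied; otherwise the keys do not exist yet, the write fails, and the kernel default of 1 applies once a bridge is created later. Nothing visible in this patch ensures that ordering, so it is worth confirming that the boot sequence loads the bridge module first or re-applies these keys after bridge setup. The new comment should also state the security consequence, for example `# Bridged frames are not passed to iptables/ip6tables/arptables; rules in those tables will not see traffic forwarded between bridge ports.`, so that nobody relies on the firewall to filter between bridged segments.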