From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH] Disable netfilter on all bridges per default Date: Sun, 12 Mar 2017 14:56:50 +0000 Message-ID: <1489330610.10391.53.camel@ipfire.org> In-Reply-To: <1489219839-659-1-git-send-email-jonatan.schlag@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7468087719934666800==" List-Id: --===============7468087719934666800== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Thanks for submitting this patch. This is the default in IPFire 3, so it makes sense to backport that behaviour= to IPFire 2 as well. Best, -Michael On Sat, 2017-03-11 at 09:10 +0100, Jonatan Schlag wrote: > Fixes: #11301 >=20 > Signed-off-by: Jonatan Schlag > --- > =C2=A0config/etc/sysctl.conf=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0| = 5 +++++ > =C2=A0config/rootfiles/core/110/filelists/files | 1 + > =C2=A02 files changed, 6 insertions(+) >=20 > diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf > index e2e3d81..ad56240 100644 > --- a/config/etc/sysctl.conf > +++ b/config/etc/sysctl.conf > @@ -34,3 +34,8 @@ net.ipv6.conf.default.disable_ipv6 =3D 1 > =C2=A0 > =C2=A0# Enable netfilter accounting > =C2=A0net.netfilter.nf_conntrack_acct=3D1 > + > +# Disable netfilter on bridges. > +net.bridge.bridge-nf-call-ip6tables =3D 0 > +net.bridge.bridge-nf-call-iptables =3D 0 > +net.bridge.bridge-nf-call-arptables =3D 0 > diff --git a/config/rootfiles/core/110/filelists/files > b/config/rootfiles/core/110/filelists/files > index b996e48..f06b6d5 100644 > --- a/config/rootfiles/core/110/filelists/files > +++ b/config/rootfiles/core/110/filelists/files > @@ -2,6 +2,7 @@ etc/system-release > =C2=A0etc/issue > =C2=A0etc/httpd/conf/server-tuning.conf > =C2=A0etc/rc.d/init.d/unbound > +etc/sysctl.conf > =C2=A0srv/web/ipfire/cgi-bin/index.cgi > =C2=A0srv/web/ipfire/cgi-bin/vpnmain.cgi > =C2=A0usr/lib/libssp.so.0 --===============7468087719934666800== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjIKCmlRSWNCQUFC Q2dBR0JRSll4V0d5QUFvSkVJQjU4UDl2a0FrSG9KZ1AvUmN1Y3duY0syOU1XUWpnZ2pKOUZKWVAK UjRYdHBxaVZZRVp3bDE0eGljT29ZUGlHQ0FrRjNjYWh5cURwWEs5TlhHU1BPOExEN3QzRHI2OFdV eUFoR21MeQpaYjJOMFNkbFl2RDJEa2lCSjdsY3Ezd3l6bGE3YkYwaXhsMndVSFZXNDNsVXN5L2VM YXZhd3o1SFkxNkMyYmE4ClIrR3pnSnlXZXZoMUlhU0VTZnhab3RFNm9SLzlRWlI4Ym1iT3RMVHdY a29UT0RSOThnVExnR1ovMHhibHFKcHQKaU9yamQ1OEEyV3lIRWNkL1JzZWFBWVdjb1l6Q3VUS0p2 QjhoWkN2YUQwM1VEYngrZFA3YUFmZ3VNTHB5cFJ0TAp1Y0pUNHJ3emVodENhUWVkVUFVUVQ3RHpq SXVwY3BSWWJxNzBPMVJZQkp2bzE3SlpkYXVpR040TWFxcVZkTE9xCmFLdVdtVnRZUHNKMlJuc2FP WW5pazJnSU1OekhXVlhEWk16M2Nqek1ubUl3TU51aWN0ZGUvdWZkaDVUSVJxL2QKb2dCUEdpUnNa ejFEUmRteGJxMHRxS0NTc1c3SXQ1N1hiZDFEMGl6VlBiZ1lpbE1NdTV2MVU0WStzQVRoMGhuMApN TU9JRjJFNHovNVFnWVNEc3JUZW14TENJV3VLN01PTjNTWURKcDhLb05sVHJFeGtvYkllUDh3TnFm RFFSRjVKCllsUVROTjhuT0ZQTnZtMDNnQkZZQXBqQW40S1Q4TkJWSmI3R3lRdFh5N2tBTXVOWWlY amdEV0xIUDFUWFo0bE4Kc2sxN1htQVdaVU9FU0MwNGk4emlxTFk0RXVuMnlwWVZQSU05Yi9QUU1C bC8wMFBNQlVFTVl6Y0V3bHVLeWgrRgpiWEVUZkMzSjBOWlpMNTZFQlhDRwo9MGczcgotLS0tLUVO RCBQR1AgU0lHTkFUVVJFLS0tLS0K --===============7468087719934666800==--