diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2009-01-11 19:06:03 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-01-13 00:18:34 -0500 |
commit | 47e0e1ca13d64eeeb687995fbe4e239e743d7544 (patch) | |
tree | ea069732dc87dca81fc2c5a405320c0fc518096e | |
parent | a2bd40ad3151d4d346fd167e01fb84b06f7247fc (diff) |
netfilter 03/09: bridge: Disable PPPOE/VLAN processing by default
The PPPOE/VLAN processing code in the bridge netfilter is broken
by design. The VLAN tag and the PPPOE session ID are an integral
part of the packet flow information, yet they're completely
ignored by the bridge netfilter. This is potentially a security
hole as it treats all VLANs and PPPOE sessions as the same.
What's more, it's actually broken for PPPOE as the bridge netfilter
tries to trim the packets to the IP length without adjusting the
PPPOE header (and adjusting the PPPOE header isn't much better
since the PPPOE peer may require the padding to be present).
Therefore we should disable this by default.
It does mean that people relying on this feature may lose networking
depending on how their bridge netfilter rules are configured.
However, IMHO the problems this code causes are serious enough to
warrant this.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/bridge/br_netfilter.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index 9a1cd757ec4e..cf754ace0b75 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c | |||
@@ -58,11 +58,11 @@ static struct ctl_table_header *brnf_sysctl_header; | |||
58 | static int brnf_call_iptables __read_mostly = 1; | 58 | static int brnf_call_iptables __read_mostly = 1; |
59 | static int brnf_call_ip6tables __read_mostly = 1; | 59 | static int brnf_call_ip6tables __read_mostly = 1; |
60 | static int brnf_call_arptables __read_mostly = 1; | 60 | static int brnf_call_arptables __read_mostly = 1; |
61 | static int brnf_filter_vlan_tagged __read_mostly = 1; | 61 | static int brnf_filter_vlan_tagged __read_mostly = 0; |
62 | static int brnf_filter_pppoe_tagged __read_mostly = 1; | 62 | static int brnf_filter_pppoe_tagged __read_mostly = 0; |
63 | #else | 63 | #else |
64 | #define brnf_filter_vlan_tagged 1 | 64 | #define brnf_filter_vlan_tagged 0 |
65 | #define brnf_filter_pppoe_tagged 1 | 65 | #define brnf_filter_pppoe_tagged 0 |
66 | #endif | 66 | #endif |
67 | 67 | ||
68 | static inline __be16 vlan_proto(const struct sk_buff *skb) | 68 | static inline __be16 vlan_proto(const struct sk_buff *skb) |