FS#2300 - kmod-br-netfilter: bundled sysctl exploits administrator inattention #6086
Comments
ynezz: I can confirm that net.bridge.bridge-nf-call-iptables=1 is set by default after the module install, but I don't agree with your proposed solution. I think that a more appropriate fix would be setting net.bridge.bridge-nf-call-iptables=0 in the module's post install script. I think it's being disabled by default for valid reasons, as for example leaving it on by default can cause other issues with some setups.
config_absent: I ghosted a patch and a commit message for anyone willing to apply it for me, no strings attached. You claim the credit, I avoid all the red tape. I hate that a security issue received so little attention.
config_absent: Is it preferred to use shell built-ins over external tools in postinst scripts? If so, please apply this patch:
config_absent: Yousong Zhou, would you apply my patch? I see you subscribed to the task.
ynezz: Thanks for the patch, would you mind sending it through one of the official channels (mail or GitHub PR)? Or at least add your
config_absent: Why don't you want to take the credit yourself? I'd really prefer you to. But if it's a dealbreaker, amend the commit message like this:
yousong: Thanks, Marco. I tried the patch and am afraid the change will have to be done in default_postinst(). The problem is that postinst happened before the kmod was actually loaded (invoking kmodloader).
yousong: Hi, Marco. I just sent a patch [1] to the mailing list for review. Please consider giving it a try. Also, if you're not okay with me using that mail address in the commit message, please provide a new one ;)
config_absent:
A sysctl parameter net.bridge.bridge-nf-call-iptables=1 is on by default on install. This drop-in, /etc/sysctl.d/11-br-netfilter.conf,
    disable bridge firewalling by default
    net.bridge.bridge-nf-call-arptables=0
    net.bridge.bridge-nf-call-ip6tables=1
    net.bridge.bridge-nf-call-iptables=1
will come into force only on restart.
A device administrator is likely to introduce a security breach by applying rules that will be silently skipped on reboot.
I cannot see why it is necessary to disable bridge firewalling by default. kmod-br-netfilter is absent on a clean install, therefore it cannot bother those who did not go to the trouble of installing the package. It goes without saying that an add-on firewall module should be left enabled.
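A check an administrator can run to catch the hazard this report describes: drift between what the sysctl.d drop-ins will apply at the next boot (later files and later lines win, as sysctl(8) applies them) and what the kernel currently has. This is an added example, not code from the report or from OpenWrt; the directory parameters, the demo function, the 99-local.conf file and the live values it fakes are constructed for an offline demonstration.

```shell
#!/bin/sh
# Report sysctl keys whose persisted value (what the next boot will apply)
# differs from the live kernel value. sysctl(8) reads /etc/sysctl.d/*.conf in
# lexical order and the last assignment to a key wins; this reproduces that
# before comparing against /proc/sys. Both paths are parameters so the check
# can run against a constructed tree; the defaults are the real locations.

sysctl_drift() {
    sysctl_d=${1:-/etc/sysctl.d}
    proc_sys=${2:-/proc/sys}
    for f in "$sysctl_d"/*.conf; do
        [ -f "$f" ] && cat "$f"
    done | awk -F= '{
        sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next   # drop comments and blank lines
        gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
        if (!($1 in val)) order[++n] = $1           # keep first-seen key order
        val[$1] = $2                                # a later assignment wins
    } END { for (i = 1; i <= n; i++) print order[i] "=" val[order[i]] }' |
    while IFS='=' read -r key want; do
        node="$proc_sys/$(printf '%s' "$key" | tr . /)"
        if [ -r "$node" ]; then
            read -r have < "$node"
        else
            have='<absent>'   # module not loaded: the key does not exist yet
        fi
        [ "$have" = "$want" ] || echo "$key: persisted=$want live=$have"
    done
}

# Constructed demo of the situation in this report: the module's drop-in
# turns bridge firewalling off, a local drop-in turns the iptables hook back
# on, and the live values are still what the freshly loaded module set (all 1).
sysctl_drift_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sysctl.d" "$tmp/proc/net/bridge"
    cat > "$tmp/sysctl.d/11-br-netfilter.conf" <<'EOF'
# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
EOF
    echo 'net.bridge.bridge-nf-call-iptables = 1' > "$tmp/sysctl.d/99-local.conf"
    for k in arptables ip6tables iptables; do
        echo 1 > "$tmp/proc/net/bridge/bridge-nf-call-$k"
    done
    sysctl_drift "$tmp/sysctl.d" "$tmp/proc"
    rm -rf "$tmp"
}
```

Running `sysctl_drift` with no arguments on a live system reports every key whose live value will silently change at the next reboot; an empty result means the persisted and live state agree.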