OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete 100%
  • Task Type Bug Report
  • Category Packages
  • Assigned To Yousong Zhou
  • Operating System All
  • Severity Very Low
  • Priority Very Low
  • Reported Version All
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Config Absent - 30.05.2019
Last edited by Yousong Zhou - 21.06.2019

FS#2300 - kmod-br-netfilter: bundled sysctl exploits administrator inattention

A sysctl parameter

net.bridge.bridge-nf-call-iptables=1

is on by default on install.

This drop-in /etc/sysctl.d/11-br-netfilter.conf 
----
# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

will come into force only on restart.

A device administrator is likely to introduce a security breach by applying rules that will be silently skipped on reboot.

I cannot see why it is necessary to disable bridge firewalling by default. kmod-br-netfilter is absent on a clean install, therefore it cannot bother those who did not go to the trouble of installing the package. It goes without saying that an add-on firewall module should be left enabled.
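A check for the mismatch the report describes (the live sysctl state versus what the persisted drop-in will restore at boot), as an added example that is not part of this bug report or of OpenWrt; the function names `key_to_path`, `sysctl_drift` and `make_fixture`, and the constructed fixture directory they build, are my own assumptions:

```shell
#!/bin/sh
# Added example, not OpenWrt project code: detect the drift this report describes,
# a value set live with `sysctl -w` that a sysctl.d drop-in silently reverts at boot.

# Map a sysctl key to its /proc/sys path: dots become '/', dashes stay as they are
# (net.bridge.bridge-nf-call-iptables -> $root/net/bridge/bridge-nf-call-iptables).
key_to_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr . /)"
}

# Print one line per key whose persisted value differs from the live kernel value,
# or whose live file is absent (e.g. br_netfilter not loaded yet, so a postinst
# write would have failed). $1 = drop-in file, $2 = root of the live tree
# (default /proc/sys). Returns 0 when everything matches, 1 when anything drifted.
sysctl_drift() {
    dropin=$1; root=${2:-/proc/sys}
    out=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$dropin" |
        while IFS='=' read -r key want; do
            key=$(printf '%s' "$key" | tr -d '[:space:]')
            want=$(printf '%s' "$want" | tr -d '[:space:]')
            path=$(key_to_path "$key" "$root")
            if [ ! -r "$path" ]; then
                printf '%s persisted=%s live=ABSENT\n' "$key" "$want"
            elif [ "$(cat "$path")" != "$want" ]; then
                printf '%s persisted=%s live=%s\n' "$key" "$want" "$(cat "$path")"
            fi
        done)
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed fixture (not a real device): a drop-in that disables bridge
# firewalling, and a fake /proc/sys tree where an administrator has flipped
# bridge-nf-call-iptables on at runtime without persisting it. Prints the directory.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/live/net/bridge"
    printf '# disable bridge firewalling by default\n%s\n%s\n%s\n' \
        'net.bridge.bridge-nf-call-arptables = 0' \
        'net.bridge.bridge-nf-call-ip6tables=0' \
        'net.bridge.bridge-nf-call-iptables=0' > "$d/11-br-netfilter.conf"
    echo 0 > "$d/live/net/bridge/bridge-nf-call-arptables"
    echo 0 > "$d/live/net/bridge/bridge-nf-call-ip6tables"
    echo 1 > "$d/live/net/bridge/bridge-nf-call-iptables"
    printf '%s\n' "$d"
}

fx=$(make_fixture)
sysctl_drift "$fx/11-br-netfilter.conf" "$fx/live" || echo "drift detected; the live rule would be lost on reboot"
```

On a real device, `sysctl_drift /etc/sysctl.d/11-br-netfilter.conf` lists every key whose live value differs from what the drop-in will restore at the next boot, or that is ABSENT because br_netfilter is not loaded.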

Closed by  Yousong Zhou
21.06.2019 03:56
Reason for closing:  Fixed
Additional comments about closing:  

Fixed with http://git.openwrt.org/3dc4f59eabaed5135cd4eed8d1846248d5f1b37c

Admin
Petr Štetiar commented on 05.06.2019 08:36

I can confirm that net.bridge.bridge-nf-call-iptables=1 is set by default after the module install, but I don't agree with your proposed solution. I think that a more appropriate fix would be setting net.bridge.bridge-nf-call-iptables=0 in the module's post-install script.

I think it's being disabled by default for valid reasons; for example, leaving it on by default can cause other issues with some setups.

Config Absent commented on 12.06.2019 13:14

I ghosted a patch and a commit message for anyone willing to apply it for me, no strings attached. You claim the credit, I avoid all the red tape. I hate that a security issue received so little attention.

kmod-br-netfilter: disable bridge firewalling

Disable bridge firewalling after installation to stay consistent
with /etc/sysctl.d/11-br-netfilter.conf sysctl drop-in.

diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 53188eab..17e927d7 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -880,6 +880,12 @@ define KernelPackage/br-netfilter/install
 	$(INSTALL_DATA) ./files/sysctl-br-netfilter.conf $(1)/etc/sysctl.d/11-br-netfilter.conf
 endef
 
+define KernelPackage/br-netfilter/postinst
+#!/bin/sh
+sysctl -w net.bridge.bridge-nf-call-iptables=0
+exit 0
+endef
+
 $(eval $(call KernelPackage,br-netfilter))
 
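Review bot: the postinst added in this hunk runs before br_netfilter is loaded (the thread later notes that kmodloader is invoked after postinst), so `sysctl -w net.bridge.bridge-nf-call-iptables=0` addresses a /proc/sys key that does not exist yet and fails, and the unconditional `exit 0` hides that failure while the live value stays at the module default of 1 that the report complains about. Either move the write to where it runs after module load (default_postinst, as proposed below), or at least test for `/proc/sys/net/bridge/bridge-nf-call-iptables` before writing and return non-zero when it is missing so the installer reports the problem. Also, the commit message claims consistency with the drop-in, but the hunk writes only the iptables key; the arptables and ip6tables keys that the drop-in also sets are left untouched.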
 
Config Absent commented on 19.06.2019 07:06

Is it preferred to use shell built-ins rather than external tools in postinst scripts? If so, please apply this patch:

diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 53188eab..d7cf9f01 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -880,6 +880,12 @@ define KernelPackage/br-netfilter/install
 	$(INSTALL_DATA) ./files/sysctl-br-netfilter.conf $(1)/etc/sysctl.d/11-br-netfilter.conf
 endef
 
+define KernelPackage/br-netfilter/postinst
+#!/bin/sh
+echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
+exit 0
+endef
+
 $(eval $(call KernelPackage,br-netfilter))
 
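Review bot: swapping `sysctl -w` for a plain redirect does not change the ordering problem: `echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables` still fails with a missing-file error while the module is not loaded yet, and `exit 0` still masks it. If the write must stay in postinst, guard it, for example `[ -w /proc/sys/net/bridge/bridge-nf-call-iptables ] && echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables`, and return non-zero in the else branch so the failure is visible; the choice between a built-in and an external tool is secondary to where the write runs.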
 
Config Absent commented on 19.06.2019 07:15

Yousong Zhou, would you apply my patch? I see you subscribed to the task.

Admin
Petr Štetiar commented on 19.06.2019 09:16

Thanks for the patch, would you mind sending it through one of the official channels (mail or GitHub PR)? Or at least add your `Signed-off-by: Your Real Name your@email.com` in order to have proper authorship and give you credit for this contribution?

Config Absent commented on 20.06.2019 09:02

Why don't you want to take the credit yourself? I'd really prefer you to. But if it's a dealbreaker, amend the commit message like this:

kmod-br-netfilter: disable bridge firewalling

Disable bridge firewalling after installation to stay consistent
with /etc/sysctl.d/11-br-netfilter.conf sysctl drop-in.

Signed-off-by: Marco Sartorius <tidbits@ormoorgmen.info>

Project Manager
Yousong Zhou commented on 20.06.2019 11:00

Thanks, Marco.

I tried the patch and am afraid the change will have to be done in default_postinst().

The problem is that postinst happened before the kmod was actually loaded (by invoking kmodloader).

Project Manager
Yousong Zhou commented on 20.06.2019 12:22

Hi Marco,

I just sent a patch [1] to the mailing list for review. Please consider giving it a try.

Also, if you're not okay with me using that mail address in the commit message, please provide a new one ;)

[1] http://patchwork.ozlabs.org/patch/1119411/
