From patchwork Tue Jun 30 16:27:47 2009
X-Patchwork-Submitter: Mark McLoughlin
X-Patchwork-Id: 29319
X-Patchwork-Delegate: davem@davemloft.net
Subject: [PATCH] bridge: make bridge-nf-call-*tables default configurable
From: Mark McLoughlin
Reply-To: Mark McLoughlin
To: netdev
Cc: Herbert Xu
Date: Tue, 30 Jun 2009 17:27:47 +0100
Message-Id: <1246379267.3749.42.camel@blaa>
Mime-Version: 1.0
X-Scanned-By: MIMEDefang 2.58 on 172.16.27.26
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: netdev@vger.kernel.org

With BRIDGE_NETFILTER enabled, bridge traffic is passed through netfilter as it is forwarded across the bridge. This is a useful feature in specialized cases where the admin wishes to filter bridge traffic based on higher-level protocol headers.

However, in a lot of cases, it causes a large amount of confusion since it is so counter-intuitive - nobody expects their IP firewall rules to also apply to traffic on their bridges. This is especially true for virtualization, where users create a bridge and find that some types of traffic work and others don't, and it can take quite some time to identify iptables as the culprit.

Users are often recommended to configure their iptables rules to ACCEPT "physdev-is-bridged" in order to avoid this confusion. However, because nf_conntrack introduces an skb_orphan(), it is now recommended that bridge-nf-call-iptables be disabled completely so as to ensure features like TUNSETSNDBUF work as expected.

For these reasons, it makes sense to allow distributions to disable netfilter on the bridge by default and require those specialized users to enable it explicitly via sysctl.

Signed-off-by: Mark McLoughlin
---
 net/Kconfig               | 12 ++++++++++++
 net/bridge/br_netfilter.c |  6 ++++++
 2 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/net/Kconfig b/net/Kconfig
index 7051b97..b5f4379 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -153,6 +153,18 @@ config BRIDGE_NETFILTER If unsure, say N. +config BRIDGE_NETFILTER_DEFAULT_ON + def_bool y + prompt "Enable netfilter on the bridge by default" + depends on BRIDGE_NETFILTER && SYSCTL + ---help--- + Selecting this option will enable netfilter iptables + etc. rules on bridges by default. This means that netfilter + iptables rules will apply to frames forwarded across the + bridge. If this option is not selected, it can be enabled at + runtime using the net.bridge.bridge-nf-call-*tables sysctl + settings. + source "net/netfilter/Kconfig" source "net/ipv4/netfilter/Kconfig" source "net/ipv6/netfilter/Kconfig" diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index d22f611..ed53e21 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c @@ -55,9 +55,15 @@ #ifdef CONFIG_SYSCTL static struct ctl_table_header *brnf_sysctl_header; +#ifdef CONFIG_BRIDGE_NETFILTER_DEFAULT_ON static int brnf_call_iptables __read_mostly = 1; static int brnf_call_ip6tables __read_mostly = 1; static int brnf_call_arptables __read_mostly = 1; +#else +static int brnf_call_iptables __read_mostly = 0; +static int brnf_call_ip6tables __read_mostly = 0; +static int brnf_call_arptables __read_mostly = 0; +#endif static int brnf_filter_vlan_tagged __read_mostly = 0; static int brnf_filter_pppoe_tagged __read_mostly = 0; #else
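Review bot: the help text in the net/Kconfig hunk should spell out the filtering consequence of saying N, not only how to turn it back on. With BRIDGE_NETFILTER_DEFAULT_ON disabled, frames forwarded between bridge ports are no longer passed to iptables, ip6tables or arptables, so any host policy that relied on those rules to filter bridged (for example guest) traffic silently stops applying until net.bridge.bridge-nf-call-iptables, bridge-nf-call-ip6tables and bridge-nf-call-arptables are set to 1 at runtime, or ebtables rules are used instead. Listing the three exact sysctl names here instead of the "*tables" glob would also make the help text pasteable. Minor style point: `def_bool y` followed by a separate `prompt` is unusual for a user-visible option; `bool "Enable netfilter on the bridge by default"` with `default y` is the more common idiom and reads the same.

Review bot: the net/bridge/br_netfilter.c hunk duplicates the three `static int brnf_call_*tables __read_mostly` declarations across the `#ifdef CONFIG_BRIDGE_NETFILTER_DEFAULT_ON` / `#else` arms, differing only in the initializer. A single `BRNF_CALL_DEFAULT` macro (1 under the new option, 0 otherwise) used as the initializer for all three keeps one declaration per variable and makes a later addition of a fourth knob a one-line change rather than two. Also worth a sentence in the commit message: because these declarations sit inside the existing `#ifdef CONFIG_SYSCTL` block and the Kconfig option `depends on BRIDGE_NETFILTER && SYSCTL`, the `#else` branch for !SYSCTL visible at the end of the hunk is untouched, so kernels without sysctl keep the old always-on behaviour and the "default off" only ever takes effect where the sysctl exists to turn it back on. That is consistent with the depends clause, but readers of the diff should not have to infer it.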