--- /dev/null
+From dce766af541f6605fa9889892c0280bab31c66ab Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fwestphal@astaro.com>
+Date: Fri, 8 Jan 2010 17:31:24 +0100
+Subject: netfilter: ebtables: enforce CAP_NET_ADMIN
+
+From: Florian Westphal <fwestphal@astaro.com>
+
+commit dce766af541f6605fa9889892c0280bab31c66ab upstream.
+
+normal users are currently allowed to set/modify ebtables rules.
+Restrict it to processes with CAP_NET_ADMIN.
+
+Note that this cannot be reproduced with unmodified ebtables binary
+because it uses SOCK_RAW.
+
+Signed-off-by: Florian Westphal <fwestphal@astaro.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/bridge/netfilter/ebtables.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1405,6 +1405,9 @@ static int do_ebt_set_ctl(struct sock *s
+ {
+ int ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ switch(cmd) {
+ case EBT_SO_SET_ENTRIES:
+ ret = do_replace(sock_net(sk), user, len);
+@@ -1424,6 +1427,9 @@ static int do_ebt_get_ctl(struct sock *s
+ struct ebt_replace tmp;
+ struct ebt_table *t;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (copy_from_user(&tmp, user, sizeof(tmp)))
+ return -EFAULT;
+