From: Jonatan Schlag <jonatan.schlag@ipfire.org>
Date: Sat, 11 Mar 2017 08:10:39 +0000 (+0100)
Subject: Disable netfilter on all bridges per default
X-Git-Tag: v2.19-core110^2~26
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0f1cda211c441d17e212ee7c881e0d0014238155;p=ipfire-2.x.git

Disable netfilter on all bridges per default

Fixes: #11301

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf
index e2e3d81b03..ad562404fb 100644
--- a/config/etc/sysctl.conf
+++ b/config/etc/sysctl.conf
@@ -34,3 +34,8 @@ net.ipv6.conf.default.disable_ipv6 = 1
 
 # Enable netfilter accounting
 net.netfilter.nf_conntrack_acct=1
+
+# Disable netfilter on bridges.
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
diff --git a/config/rootfiles/core/110/filelists/files b/config/rootfiles/core/110/filelists/files
index b996e48aa4..f06b6d5de5 100644
--- a/config/rootfiles/core/110/filelists/files
+++ b/config/rootfiles/core/110/filelists/files
@@ -2,6 +2,7 @@ etc/system-release
 etc/issue
 etc/httpd/conf/server-tuning.conf
 etc/rc.d/init.d/unbound
+etc/sysctl.conf
 srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/lib/libssp.so.0