netfilter 03/09: bridge: Disable PPPOE/VLAN processing by default

From: Linux Kernel Mailing List
Date: Thursday, January 15, 2009 - 7:02 pm

Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=47e0e1...
Commit:     47e0e1ca13d64eeeb687995fbe4e239e743d7544
Parent:     a2bd40ad3151d4d346fd167e01fb84b06f7247fc
Author:     Herbert Xu <herbert@gondor.apana.org.au>
AuthorDate: Mon Jan 12 00:06:03 2009 +0000
Committer:  David S. Miller <davem@davemloft.net>
CommitDate: Mon Jan 12 21:18:34 2009 -0800

    netfilter 03/09: bridge: Disable PPPOE/VLAN processing by default
    
    The PPPOE/VLAN processing code in the bridge netfilter is broken
    by design.  The VLAN tag and the PPPOE session ID are an integral
    part of the packet flow information, yet they're completely
    ignored by the bridge netfilter.  This is potentially a security
    hole as it treats all VLANs and PPPOE sessions as the same.
    
    What's more, it's actually broken for PPPOE as the bridge netfilter
    tries to trim the packets to the IP length without adjusting the
    PPPOE header (and adjusting the PPPOE header isn't much better
    since the PPPOE peer may require the padding to be present).
    
    Therefore we should disable this by default.
    
    It does mean that people relying on this feature may lose networking
    depending on how their bridge netfilter rules are configured.
    However, IMHO the problems this code causes are serious enough to
    warrant this.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/bridge/br_netfilter.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 9a1cd75..cf754ac 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -58,11 +58,11 @@ static struct ctl_table_header *brnf_sysctl_header;
 static int brnf_call_iptables __read_mostly = 1;
 static int brnf_call_ip6tables __read_mostly = 1;
 static int brnf_call_arptables __read_mostly = 1;
-static int brnf_filter_vlan_tagged __read_mostly = 1;
-static int brnf_filter_pppoe_tagged __read_mostly = 1;
+static int brnf_filter_vlan_tagged __read_mostly = 0;
+static int brnf_filter_pppoe_tagged __read_mostly = 0;
 #else
-#define brnf_filter_vlan_tagged 1
-#define brnf_filter_pppoe_tagged 1
+#define brnf_filter_vlan_tagged 0
+#define brnf_filter_pppoe_tagged 0
 #endif
 
 static inline __be16 vlan_proto(const struct sk_buff *skb)
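Review bot: the `#else` branch of this hunk turns both flags into compile-time constants of 0, so on a kernel built without the sysctl interface (the `#ifdef` that the `brnf_sysctl_header` context line belongs to) there is no longer any way to turn VLAN or PPPoE filtering back on, whereas with sysctl support the two `static int` variables only change their default and remain runtime-tunable. The commit message should say so explicitly, since it currently only warns that users "may lose networking depending on how their bridge netfilter rules are configured", which reads as if a configuration change could always restore the old behaviour. A user-facing note next to the sysctl documentation would also help administrators who discover the change only when bridged VLAN traffic stops matching their rules.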
--