
kmod-br-netfilter: bundled sysctl exploits administrator inattention

Username: Config Absent

Origin: https://bugs.openwrt.org/index.php?do=details&task_id=2300

A sysctl parameter

net.bridge.bridge-nf-call-iptables=1

is on by default on install.

This drop-in /etc/sysctl.d/11-br-netfilter.conf

    # disable bridge firewalling by default
    net.bridge.bridge-nf-call-arptables=0
    net.bridge.bridge-nf-call-ip6tables=1
    net.bridge.bridge-nf-call-iptables=1

will come into force only on restart.

A device administrator is likely to introduce a security breach by applying rules that will be silently skipped on reboot.

I cannot see why it is necessary to disable bridge firewalling by default. kmod-br-netfilter is absent on a clean install, therefore it cannot bother those who did not go to the trouble of installing the package. It goes without saying that an add-on firewall module should be left enabled.
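The situation the report describes, a drop-in that is on disk but not yet applied, can be detected by comparing each key in /etc/sysctl.d with the value the running kernel actually holds. The script below is an added example, not code from the bug report or from OpenWrt. It parses sysctl.d drop-ins, reads the live value from a procfs tree, and lists every key whose value will change on the next reboot. The fixture it builds is constructed: the drop-in content quoted in the report beside a fake /proc/sys in which br_netfilter has just been loaded, where the kernel's own defaults for the three bridge-nf-call-* sysctls are 1. The function names and the directory layout are this example's own; on a real box you would pass /etc/sysctl.d and /proc/sys.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenWrt): find sysctl.d settings
# whose persisted value differs from the running kernel value, i.e. settings
# that "come into force only on restart" and may silently disable firewall
# rules that depend on them. Directories are parameters so the check runs
# against a constructed fixture offline or against /etc/sysctl.d and /proc/sys.

# Print "key=value" for every setting in DIR/*.conf, comments and blank lines
# dropped. When a key appears in several files the last one wins, which is
# how `sysctl -p` applies the files in order.
persisted_sysctls() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$f"
    done | awk -F= '{
        gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2); v[$1] = $2
    } END { for (k in v) print k "=" v[k] }' | sort
}

# Running value of KEY read from the procfs tree rooted at ROOT (normally
# /proc/sys): net.bridge.bridge-nf-call-iptables maps to
# ROOT/net/bridge/bridge-nf-call-iptables. Prints "absent" when the node does
# not exist, e.g. when br_netfilter is not loaded.
running_sysctl() {
    root=$1; key=$2
    node="$root/$(printf '%s' "$key" | tr . /)"
    if [ -r "$node" ]; then cat "$node"; else echo absent; fi
}

# Compare every persisted setting under CONFDIR with the running value under
# ROOT. Prints one "key persisted=X running=Y" line per mismatch and returns 1
# if any mismatch was found, 0 otherwise.
sysctl_drift() {
    confdir=$1; root=$2; rc=0
    for kv in $(persisted_sysctls "$confdir"); do
        key=${kv%%=*}; want=${kv#*=}
        have=$(running_sysctl "$root" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key persisted=$want running=$have"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture: the drop-in quoted in the report, plus a fake /proc/sys
# as it looks right after `modprobe br_netfilter`, where the kernel default
# for all three bridge-nf-call-* sysctls is 1.
make_fixture() {
    base=$1
    mkdir -p "$base/sysctl.d" "$base/proc/sys/net/bridge"
    cat > "$base/sysctl.d/11-br-netfilter.conf" <<'EOF'
# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
EOF
    for k in arptables ip6tables iptables; do
        echo 1 > "$base/proc/sys/net/bridge/bridge-nf-call-$k"
    done
}

# Number of drifting keys in the fixture (1: arptables is 1 now, 0 after reboot).
fixture_drift_count() {
    base=$(mktemp -d)
    make_fixture "$base"
    n=$(sysctl_drift "$base/sysctl.d" "$base/proc/sys" | wc -l)
    rm -rf "$base"
    echo "$n" | tr -d ' '
}

demo() {
    base=$(mktemp -d)
    make_fixture "$base"
    if sysctl_drift "$base/sysctl.d" "$base/proc/sys"; then
        echo "running state matches sysctl.d; a reboot changes nothing"
    else
        echo "WARNING: the settings above change on reboot; firewall rules relying on them may be skipped"
    fi
    rm -rf "$base"
}

demo
```

Run the check as `sysctl_drift /etc/sysctl.d /proc/sys` right after installing a package that ships a drop-in; a non-empty report means the box you are writing firewall rules against is not the box that will come up after the next reboot.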