kmod-br-netfilter: bundled sysctl exploits administrator inattention
Username: Config Absent
Origin: https://bugs.openwrt.org/index.php?do=details&task_id=2300
A sysctl parameter
net.bridge.bridge-nf-call-iptables=1
is on by default on install.
This drop-in /etc/sysctl.d/11-br-netfilter.conf disables bridge firewalling by default:
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
It will come into force only on restart.
A device administrator is likely to introduce a security breach by applying rules that will be silently skipped on reboot.
I cannot see why it is necessary to disable bridge firewalling by default. kmod-br-netfilter is absent on a clean install, therefore it cannot bother those who did not go to the trouble of installing the package. It goes without saying that an add-on firewall module should be left enabled.
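The failure mode the report describes is state drift: the value an administrator set at runtime with sysctl -w differs from the value the sysctl.d drop-in will apply at the next boot, so firewall rules that only match because bridged traffic is handed to iptables stop matching after a reboot without any error. The script below is an added example, not code from the bug report or from the OpenWrt project. It parses a sysctl.d drop-in, compares each key against a snapshot of the running values (the key = value format that sysctl -a prints), and reports any key whose boot-time value differs from the running one. The two input files are constructed for the demonstration: the drop-in is assumed to set all three bridge-nf keys to 0 (which is what "disable bridge firewalling" means), and the running snapshot assumes the administrator has since set net.bridge.bridge-nf-call-iptables to 1.

```shell
#!/bin/sh
# Added example (not from the OpenWrt bug report or project): detect sysctl
# keys whose running value differs from what a sysctl.d drop-in applies at boot.

# sysctl_drift BOOT_FILE RUNNING_FILE
# Prints one line per key in BOOT_FILE whose running value differs:
#   KEY boot=X running=Y
# Comment lines, blank lines and "key = value" spacing are tolerated in both files.
sysctl_drift() {
    boot_file=$1
    running_file=$2
    # Strip comments and whitespace so "key = value" becomes "key=value".
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$boot_file" | grep '=' |
    while IFS='=' read -r key boot_val; do
        # Escape dots so the key is matched literally by sed.
        esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')
        run_val=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$running_file" |
                  sed -n "s/^${esc}=//p" | head -n 1)
        if [ -z "$run_val" ]; then
            printf '%s boot=%s running=<unset>\n' "$key" "$boot_val"
        elif [ "$run_val" != "$boot_val" ]; then
            printf '%s boot=%s running=%s\n' "$key" "$boot_val" "$run_val"
        fi
    done
}

# check_sysctl_drift BOOT_FILE RUNNING_FILE
# Returns 0 when boot-time and running values agree, 1 (and prints the
# drifting keys) when a reboot would silently change something.
check_sysctl_drift() {
    drift=$(sysctl_drift "$1" "$2")
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# --- Constructed sample inputs (assumed scenario, not captured from a device) ---
BOOT_CONF=$(mktemp)
RUNNING_SNAPSHOT=$(mktemp)
trap 'rm -f "$BOOT_CONF" "$RUNNING_SNAPSHOT"' EXIT

# Assumed content of the drop-in: all three keys set to 0 (bridge firewalling off).
cat > "$BOOT_CONF" <<'EOF'
# disable bridge firewalling by default
net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
EOF

# Assumed running state after the administrator ran
#   sysctl -w net.bridge.bridge-nf-call-iptables=1
# and wrote iptables rules that rely on it. Format mirrors `sysctl -a` output.
cat > "$RUNNING_SNAPSHOT" <<'EOF'
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 1
EOF

if check_sysctl_drift "$BOOT_CONF" "$RUNNING_SNAPSHOT"; then
    echo "no drift: a reboot keeps the current bridge-nf settings"
else
    echo "WARNING: the values above will change on reboot; rules depending on them will stop matching"
fi
```

On a real device the running snapshot is simply the output of sysctl -a saved to a file, and the boot file is the drop-in itself, e.g. check_sysctl_drift /etc/sysctl.d/11-br-netfilter.conf /tmp/running.txt. Because a sysctl.d directory can contain several files and later ones override earlier ones, run the check against each file in lexical order or concatenate them in that order; the last assignment for a key is the one that wins at boot.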