Bug 512206

Summary: Disable net.bridge.bridge-nf-call-*tables by default
Product: [Fedora] Fedora Reporter: Mark McLoughlin <markmc>
Component: initscriptsAssignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: brunojcm, herbert.xu, ian.springer, iarlyy, jcm, jpazdziora, klaus, mishu, notting, overholt, rvokal, virt-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-07-31 09:42:36 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 498969    

Description Mark McLoughlin 2009-07-16 13:01:17 EDT
netfilter is currently enabled on bridges by default. This means, for example, that IP packets that are forwarded across the bridge are filtered by the iptables FORWARD rules.

In practice, this can lead to serious confusion where someone creates a bridge and finds that some traffic isn't being forwarded across the bridge. Because it's so unexpected that IP firewall rules apply to frames on a bridge, it can take quite some time to figure out what's going on.

The libvirt wiki has this advice:

  http://wiki.libvirt.org/page/Networking#Fedora.2FRHEL_Bridging

  The final step is to configure iptables to allow all traffic to be forwarded 
  across the bridge

  # echo "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" > \
       /etc/sysconfig/iptables-forward-bridged
  # lokkit --custom-rules=ipv4:filter:/etc/sysconfig/iptables-forward-bridged
  # service libvirtd reload

  Alternatively, you can prevent bridged traffic getting pushed through the 
  host's iptables rules. In /etc/sysctl.conf add

  # cat >> /etc/sysctl.conf <<EOF
  net.bridge.bridge-nf-call-ip6tables = 0
  net.bridge.bridge-nf-call-iptables = 0
  net.bridge.bridge-nf-call-arptables = 0
  EOF
  # sysctl -p /etc/sysctl.conf

It sucks that people have to do this, especially since it's a very rare user who would be using iptables on a bridge for something useful.

I posted a patch to netdev which would have allowed us to disable it by default in our kernel builds:

  http://patchwork.ozlabs.org/patch/29319/

The conclusion seems to be an agreement that distros should disable this, but using sysctl.conf instead

In the thread Herbert describes a security issue with the current default:

  I still think the risk with bridging is higher, especially
  in the presence of virtualisation.  Consider the scenario where you
  have to VMs on the one host, each with a dedicated bridge with the
  intention that neither should know anything about the other's
  traffic.

  With conntrack running as part of bridging, the traffic can now
  cross over which is a serious security hole.

and goes on to say:

  FWIW I don't really care what we have as the default for bridge
  netfilter.  I just want to make sure that people who do have
  bridge netfilter (and in particular, conntrack + bridge) active
  on their machines are aware of the security implications.  Otherwise
  we'd be negligent.

  As you said distros can change the default regardless of what
  the kernel does.



In summary, I think we should add the following to sysctl.conf:

  net.bridge.bridge-nf-call-ip6tables = 0
  net.bridge.bridge-nf-call-iptables = 0
  net.bridge.bridge-nf-call-arptables = 0
Comment 1 iarly selbir 2009-07-16 13:26:49 EDT
Thanks for your report.

Bugzapper Team Member.
Comment 2 Bill Nottingham 2009-07-17 11:22:35 EDT
Blah. I disagree; if we're changing the defaults for *everyone*, we should just change the kernel, rather than a configuration file that is %config(noreplace).
Comment 3 Mark McLoughlin 2009-07-17 11:37:10 EDT
Granted. But given that point was made and rejected on the thread, I don't see another way to proceed
Comment 4 Mark McLoughlin 2009-07-31 09:02:50 EDT
Came up again on qemu-devel recently:

  http://lists.gnu.org/archive/html/qemu-devel/2009-07/msg01592.html

Any chance we get this change in?
Comment 5 Bill Nottingham 2009-07-31 09:42:36 EDT
http://git.fedorahosted.org/git/?p=initscripts.git;a=commitdiff;h=af3d40e8a4293f83abe9efaf8995f28f3287c758

Will get built before Tuesday one way or another.
Comment 6 Andrew Overholt 2009-10-29 14:18:51 EDT
I installed a clean x86_64 system from the F-12 beta yesterday and this was set to 1 for me.
Comment 7 Bill Nottingham 2009-10-29 19:21:10 EDT
Do you have a kernel with the bridge driver modular?
Comment 8 Andrew Overholt 2009-10-29 21:18:26 EDT
I'm not actually at the machine ATM and it's powered off, but it's just stock F-12 x86_64 kernel.
Comment 9 Andrew Overholt 2009-10-30 08:12:16 EDT
$ lsmod | grep bridge
bridge                 54112  0 
stp                     2724  1 bridge
llc                     6400  2 bridge,stp

2.6.31.5-96.fc12.x86_64
Comment 10 Jan Pazdziora 2009-11-27 05:36:45 EST
Hello,

I have a fresh F12 x86_64 install, running under vmware.

When I run sysctl -p without touching /etc/sysctl.conf, I get

# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
# echo $?
255
# rpm -qf /etc/sysctl.conf 
initscripts-9.02-1.x86_64
# rpm -Vf /etc/sysctl.conf 
.......T.  c /etc/inittab
# lsmod | grep bridge
# 

So the problem here is that the keys generate errors, not warnings, which leads to sysctl -p returning error, which has bad impact on any script which assumes that sysctl -p does not fail. I've encountered it when oracle-xe-univ installation failed on Fedora 12 because of failed pre-installation scriptlet.

Should I open new bugzilla for this issue, or reopen this one? Is it even related?
Comment 11 Bill Nottingham 2009-11-30 16:44:48 EST
No, I suspect that you may just want to pass '-e'.
Comment 12 Jan Pazdziora 2009-11-30 17:03:51 EST
(In reply to comment #11)
> No, I suspect that you may just want to pass '-e'.  

Unfortunately, it's not me who packs oracle-xe-univ rpm, it's Oracle.

The net effect is that the first installation attempts of Oracle XE on Fedora 12 fails, the second one passes.
Comment 13 Klaus Heinrich Kiwi 2010-03-23 11:33:13 EDT
I'm trying to disable Netfilter processing in bridges using the sysctl.conf method (RHEL5.4), but those keys only become valid after 'bridge.ko' is insmod'ed.

My set-up does not have any bridges coming up at boot time (libvirt creates them on demand), so having them disabled at boot simply doesn't work.

I was thinking in forcibly insmod bridge before any network initialization so the keys will be there when init.d/network calls "sysctl -e -p /etc/sysctl.conf", but I'd like to hear how are you working around this in RAWHIDE first.

Also, please take note that removing and reinserting the bridge module will always reset those keys to their default value.
Comment 14 Bruno Medeiros 2014-10-06 14:29:31 EDT
Please, mark https://bugzilla.redhat.com/show_bug.cgi?id=634736 as related to this bug.
This one pops up more often on web search results, and doesn't point to the "current" status about this issue.