In bug #84975, we made our firewall tool apply its rules to both the INPUT and FORWARD chains. The rationale was that if you enable /proc/sys/net/ipv4/ip_forward, then you should not have a default whereby all traffic is allowed to be forwarded. However, I don't think our input rules make a good default:

1) It may be a good default to allow e.g. SSH traffic to be forwarded from an "external" interface to an "internal" one, but it is not a good default to *only* allow SSH traffic to be forwarded from internal to external.

2) The default creates a confusing situation where some traffic is forwarded from internal to external and some isn't. It probably isn't obvious to people that this has anything to do with their firewall configuration.

I think a better default would be to make REJECT the default rule on the FORWARD chain. It makes it a lot more explicit to people setting up a gateway that they need to modify their iptables FORWARD configuration.
Created attachment 145049 [details] system-config-securitylevel-1.6.31-default-forward-rule.patch
Okay, I'm reworking some stuff in s-c-securitylevel right now that makes applying this patch impossible at the moment but I will apply it before the next release. Thanks.
Never mind, I've changed priorities and can commit this right now. Thanks for the patch.
So, if you set up a bridge (br0) with two members (eth0 and eth1) you want rules like:

-I FORWARD -m physdev --physdev-in eth0 -j ACCEPT
-I FORWARD -m physdev --physdev-in eth1 -j ACCEPT

We were talking about how e.g. initscripts and xen could make sure that these rules get added automatically even across iptables restarts or users configuring the firewall etc. I suggested having the iptables init script run scripts from /etc/sysconfig/iptables.d and have initscripts and xen install scripts there. An example Xen script might be:

----
#!/bin/sh
XEND_CONFIG=/etc/xen/xend-config.sxp

# Only act when the iptables init script is starting the firewall.
[ "$1" = "start" ] || exit 0

# Nothing to do unless xend is configured to use the network-bridge script.
if ! grep '^[^#]*(network-script .*network-bridge' $XEND_CONFIG > /dev/null 2>&1; then
    exit 0
fi

# Pick up an explicit bridge=... name from xend-config.sxp, else the default xenbr0.
bridge=$(awk '/^[^#]*\(network-script.*bridge=/ { print gensub(".*bridge=([^ '"'"']+).*", "\\1", "g") }' < $XEND_CONFIG)
[ "$bridge" ] || bridge="xenbr0"

# Walk the "brctl show" table (skipping its header line) and collect the
# interfaces enslaved to $bridge, then allow frames arriving on each of them.
for i in $(brctl show | awk -v bridge="$bridge" \
    'BEGIN {f=1;b="";} \
     /^[^[:space:]]/ { if (f==1) {f=0; next;} b=$1; } \
     { if (b==bridge) { if (NF==4||NF==1) { print $NF }}}'); do
    iptables -I FORWARD -m physdev --physdev-in $i -j ACCEPT
done
----

One reason this sucks is if you e.g. do service iptables save, then you get multiple copies of these rules.
What eventually occurred to me, though, was that although the default rule for IP forwarding (e.g. in a gateway) should be REJECT, the default rule for bridging should be ACCEPT. Who ever heard of a real ethernet bridge where you have to configure a firewall to allow frames from individual ports? If you add a bridge and enslave devices to that bridge, you expect all frames to be bridged between ports. So, can we change the default forward rule to:

-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
Created attachment 145980 [details] allow-bridging-by-default.patch Any thoughts on this?
Setting the default rule to REJECT in the FORWARD chain of the filter table this way is going to break NAT setups unless you also properly specify that NATted traffic is allowed through the FORWARD chain of the filter table. I suppose you could:

- Check if the incoming interface (lan-side) is trusted; if so, the traffic is accepted.
- Allow ESTABLISHED,RELATED to pass the FORWARD chain from any incoming interface towards the outgoing (trusted) interface.
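The two comments above pull in different directions: the proposal is a REJECT default on FORWARD that exempts bridged frames, and the objection is that a NAT gateway then needs an explicit ESTABLISHED,RELATED rule and a trusted-interface rule placed before the REJECT. The script below is an added example (not part of the bug report or of system-config-securitylevel) that emits one FORWARD ruleset, in iptables-restore format, combining both: bridged frames pass, conntrack replies pass, new forwarding is accepted only from a trusted LAN-side interface, and everything else is rejected with icmp-host-prohibited. The interface name is an assumption supplied by the caller; the physdev rule is only meaningful when bridge-netfilter is active (net.bridge.bridge-nf-call-iptables), since otherwise bridged frames never enter the FORWARD chain at all.

```shell
#!/bin/sh
# Added example, not from the bug report or the system-config-securitylevel patches.
# forward_rules TRUSTED_IF prints a filter-table FORWARD ruleset in
# iptables-restore format; it does not touch the running firewall.
# TRUSTED_IF is an assumption (e.g. eth1 for the LAN side of a gateway).

forward_rules() {
    lan_if="$1"
    cat <<EOF
*filter
:FORWARD ACCEPT [0:0]
# Frames switched between ports of one bridge are not IP forwarding: let them through
# (needs br_netfilter, otherwise this rule simply never matches).
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# Replies and related traffic of connections already in conntrack (keeps NAT working).
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections are accepted only when they arrive on the trusted interface.
-A FORWARD -i $lan_if -m state --state NEW -j ACCEPT
# Everything else: explicit reject, as proposed for the gateway case.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# rules_well_ordered TRUSTED_IF exits 0 when the ESTABLISHED,RELATED accept
# comes before the final REJECT, which is the ordering a NAT setup depends on.
rules_well_ordered() {
    forward_rules "$1" | awk '
        /ESTABLISHED,RELATED/ { est = NR }
        /-j REJECT/           { rej = NR }
        END { exit !(est && rej && est < rej) }'
}

# Usage (prints the ruleset; to load it, pipe into iptables-restore --noflush):
#   forward_rules eth1
```

Keeping the conntrack rule ahead of the REJECT is the whole point: reorder the two and every NATted reply coming back in on the untrusted side is rejected, which is exactly the breakage described above.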
system-config-firewall in devel provides the ability to load custom rules. Please have a look at "lokkit --help". You can add a file with your rules by using "lokkit --custom-rules=ipv4:filter:/etc/sysconfig/my_rules_file". lokkit also got a new option "--update" which regenerates the firewall rules for ipv4 and ipv6. Use this if you are updating custom rules and want the changes to be persistent. The enhancements in lokkit do not require a change in the firewall handling for iptables; it does not know anything about the includes. This solution is transparent in use, especially for updaters. Please have a look at this solution and report problems if you have any. Thanks
twoerner: the request is that the default for the forward chain should be that all IP level forwarding is rejected, but link level bridging should be accepted. See comment #7
Created attachment 290742 [details] system-config-firewall-allow-briding-by-default.patch
Adding FutureFeature keyword to RFE's.
Well, let's try to agree on this. Firstly, this is an lvm2 bugzilla. Any outstanding requests for changes to anaconda should move to a different bugzilla. For LVM I propose:

1. An lvm.conf setting that will provide a default value for --stripes in commands that create new LVs. Commands that *extend* existing LVs will ignore this and work as now, defaulting to continuing the striping of the last segment. This will be useful for people who have lots of disks and always have a decent amount of disk space unallocated.

2. An allocation option for 'maximum reasonable' striping. The details are still to be worked out, but the idea is to attempt always to stripe the data, adapting the number of stripes to the circumstances.

(I might split these across two bugzillas now.)