
When compiling a kernel prepared for all packages, then bridge
firewalling is enabled inside the kernel.
This leads to "unexpected" behaviour for newbies and normal users: they
cannot access other devices on the LAN.
Therefore disable bridge firewalling in sysctl.conf to avoid newbie
problems.
And people who want bridge firewalling from the kernel will know about
the settings to enable it.
Fixes #5640, was also tested with a minimum kernel build which only led
to info messages inside the system log.

Signed-off-by: Matthias Bücher <m...@maddes.net>

Index: package/base-files/files/etc/sysctl.conf
===================================================================
--- package/base-files/files/etc/sysctl.conf	(revision 17224)
+++ package/base-files/files/etc/sysctl.conf	(working copy)
@@ -4,7 +4,7 @@
 net.ipv4.ip_forward=1
 net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.icmp_ignore_bogus_error_responses=1
-net.ipv4.tcp_ecn=0 
+net.ipv4.tcp_ecn=0
 net.ipv4.tcp_fin_timeout=30
 net.ipv4.tcp_keepalive_time=120
 net.ipv4.tcp_syncookies=1
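Review bot: The net.ipv4.tcp_ecn=0 line changes only by dropping a trailing space, which is unrelated to bridge firewalling and is not mentioned in the commit message. Either note the whitespace cleanup in the message or send it as a separate patch so the functional change stays easy to audit.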
@@ -17,3 +17,7 @@
 net.ipv4.netfilter.ip_conntrack_udp_timeout=60
 net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180
 # net.ipv6.conf.all.forwarding=1
+# disable bridge firewalling to avoid newbie problems, experts will know how to enable and use it
+net.bridge.bridge-nf-call-arptables=0
+net.bridge.bridge-nf-call-ip6tables=0
+net.bridge.bridge-nf-call-iptables=0
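Review bot: The added comment above the three net.bridge.bridge-nf-call-* lines says only "avoid newbie problems" and does not state the security-relevant effect: with these set to 0, frames forwarded across a bridge are no longer passed to arptables, ip6tables or iptables, so existing rules silently stop applying to bridged traffic. Please reword the comment to describe that effect (for example "bridged traffic is not passed to arptables/ip6tables/iptables; set to 1 to filter it") so anyone relying on filtering between bridge ports knows what to re-enable. The commit message also says a minimum kernel build produced info messages in the system log; the comment could mention that these keys are absent on such builds so the messages are not mistaken for a fault.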