git.baikalelectronics.ru Git - kernel.git/commit

author	Herbert Xu <herbert@gondor.apana.org.au>
	Mon, 12 Jan 2009 00:06:03 +0000 (00:06 +0000)
committer	David S. Miller <davem@davemloft.net>
	Tue, 13 Jan 2009 05:18:34 +0000 (21:18 -0800)
commit	4ed3db79f3c1238281fd00ee21c0eabcae212956
tree	ea069732dc87dca81fc2c5a405320c0fc518096e	tree \| snapshot
parent	e2ebc7dd541590a55aa47b652d26a4b8337620e8	commit \| diff

netfilter 03/09: bridge: Disable PPPOE/VLAN processing by default

The PPPOE/VLAN processing code in the bridge netfilter is broken
by design. The VLAN tag and the PPPOE session ID are an integral
part of the packet flow information, yet they're completely
ignored by the bridge netfilter. This is potentially a security
hole as it treats all VLANs and PPPOE sessions as the same.

What's more, it's actually broken for PPPOE as the bridge netfilter
tries to trim the packets to the IP length without adjusting the
PPPOE header (and adjusting the PPPOE header isn't much better
since the PPPOE peer may require the padding to be present).

Therefore we should disable this by default.

It does mean that people relying on this feature may lose networking
depending on how their bridge netfilter rules are configured.
However, IMHO the problems this code causes are serious enough to
warrant this.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>