From 6d47692a3e4e8e1da37a09019b5c8361e0004bd4 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Sun, 10 Jul 2011 21:47:27 +0100
Subject: [PATCH] bookends.m4: Only disable filtering on bridges if we have bridges.

Actually, we're too early in the boot process to tell whether there are bridges; but we can try to load the applicable module and only do the hacking if it's available. This probably bloats some kernels a bit, but it's not too bad.
---
 bookends.m4 | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/bookends.m4 b/bookends.m4
index 495e95a..02f7859 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -58,9 +58,14 @@ setopt icmp_echo_ignore_broadcasts 0
 ## Turn off iptables filtering for bridges. We'll use ebtables if we need
 ## to; but right now the model is that we do filtering at the borders, and
 ## are tolerant of things which are local.
-for filter in arptables iptables ip6tables; do
- run sysctl -q net/bridge/bridge-nf-call-$filter=0
-done
+if [ -x /sbin/brctl ]; then
+ modprobe bridge || :
+ if [ -d /proc/sys/net/bridge ]; then
+ for filter in arptables iptables ip6tables; do
+ run sysctl -q net.bridge.bridge-nf-call-$filter=0
+ done
+ fi
+fi
 
 ## Turn on the reverse-path filter, and log weird things.
 setdevopt rp_filter 1
-- 
2.11.0
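Review bot: The `[ -d /proc/sys/net/bridge ]` guard turns the whole sysctl loop into a silent no-op whenever loading `bridge` does not create that directory, so on such a kernel bridge-nf-call-* stays at its kernel default and bridged frames keep passing through iptables, which contradicts the model stated in the comment above the loop; on kernels where bridge netfilter lives in a separate `br_netfilter` module (later than this patch, so this is inferred rather than visible here) that is exactly what would happen. If the guard is kept, either load that module as well, `modprobe bridge || :` followed by `modprobe br_netfilter 2>/dev/null || :`, or mark the fail-closed skip as deliberate with a comment such as `## No bridge sysctls present: leave bridge-nf-call-* at the kernel default (filtering on).` Separately, the sysctl calls are wrapped in `run` but the new `modprobe` is not; if `run` is a logging or dry-run wrapper (it is defined outside this hunk), `run modprobe bridge || :` would keep the two consistent and make the module load visible in the same place as the sysctl changes.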