[OpenWrt-Devel] MT7621 and bridge firewalling

Etienne Champetier champetier.etienne at gmail.com
Sun Apr 26 10:57:56 EDT 2020


Hi All,

On Sat, Apr 11, 2020 at 12:48, Etienne Champetier
<champetier.etienne at gmail.com> wrote:
>
> Hello OpenWrt hackers,
>
> I'm playing around with OpenWrt master on a MikroTik RB750Gr3 and
> would like to do hardware accelerated stateful bridge firewalling. My
> end goal is to learn and make PhanTap
> (https://github.com/nccgroup/phantap) work at line rate.
>
> MT7621 supports flow offload, so the high level idea would be to:
> - create a linux bridge with 2 ports (say lan4/lan5)
> - disable normal switch offload (do not forward just based on mac
> dest) and have the packets go through netfilter

Big thanks to Qingfang for the tip; for this part I just disabled MAC learning:

--- a/drivers/net/dsa/mt7530.c
+++ b/drivers/net/dsa/mt7530.c
@@ -1319,6 +1319,9 @@ mt7530_setup(struct dsa_switch *ds)
         /* Enable consistent egress tag */
         mt7530_rmw(priv, MT7530_PVC_P(i), PVC_EG_TAG_MASK,
                PVC_EG_TAG(MT7530_VLAN_EG_CONSISTENT));
+
+        /* hack */
+        mt7530_set(priv, MT7530_PSC_P(i), SA_DIS);
     }

     /* Setup port 5 */
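
Review bot: SA_DIS is set unconditionally on MT7530_PSC_P(i) for every port index i that reaches this point in mt7530_setup(), so the change, which the mail describes as disabling MAC learning, applies to all of those ports and not only to the two bridge ports (lan4/lan5) the mail is about. Consider making it conditional per port, or runtime-configurable, so that ports outside the firewalled bridge keep their current behaviour. The `/* hack */` comment should also be replaced with one that states what SA_DIS does here and why it is needed (having bridged packets go through netfilter instead of being forwarded by the switch on destination MAC alone).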

> - have netfilter create/install flow offload rules for most
> connections like we do for the routing case.
> - enjoy
>
> My questions are:
> - will the hardware let me do that (any restrictions on the flow
> offload rules or ...) ?
> - is it already possible with OpenWrt master (I was not able to have a
> bridge without offload yet) ?
> - any pointer to ongoing work in that area (while writing this email I
> just found NF_CONNTRACK_BRIDGE)
>
> Thanks
> Etienne
