[PATCH] bridge: Support nf_call_{ip,ip6,arp}tables attributes

Maximilian Riemensberger riemensberger at cadami.net
Tue Sep 13 23:50:50 PDT 2022


Hi Etienne,

On 9/14/22 02:24, Etienne Champetier wrote:
>> The bridge driver allows passing bridged frames to netfilter.  Add
>> bridge config options nf_call_iptables, nf_call_ip6tables,
>> nf_call_arptables to opt in.
> 
> You should have a look at using nftables instead,
> no need for those coarse grain options and way more flexible / powerful.
> https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering
> 
> Here is an example switching from iptables + br_netfilter to nftables +
> table bridge:
> https://github.com/nccgroup/phantap/commit/b066ce2c2bb21038958a117b3b67413e9a0ea0a3
> https://github.com/openwrt/packages/commit/66b7c19992688b924d2ecbbbc20781b32a82452f

Thanks for the hints. Unfortunately, we use openNDS for splash portals, which is relying heavily on legacy iptables etc.  So we are well served by those bridge settings.  Exposing them as config parameters makes it much easier to configure them correctly per bridge within the lifecycle of an interface.  We used to just globally enable the corresponding sysctls, but that's even cruder and has performance downsides if not all bridges need the filtering.

Side note: How can I ensure with nftables that the cost of going to the firewall (ebtables/iptables replacement) is only incurred on some bridges? Or does nftables figure that out on its own?  With nf_call_iptables, I can set it on a per bridge basis.

Best
Max

> 
> Etienne

-- 
Dr.-Ing. Maximilian Riemensberger

Cadami GmbH

Metzstraße 14b, 81667 Munich, Germany

+49 151 10325807 | riemensberger at cadami.net | www.cadami.net

Geschäftsführer: Andreas Dotzler, Michael Heindlmaier, Maximilian Riemensberger
Sitz der Gesellschaft: München, HRB 219979 Amtsgericht München
USt-IdNr.: DE301293803
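The per-bridge behaviour Max describes (filtering only on the bridges that need it, rather than flipping the global br_netfilter sysctls) can be exercised directly through the kernel's per-bridge sysfs attributes. The script below is an added example written for this thread; it is not part of the patch under discussion, not netifd code, and not anything Max or Etienne posted. It assumes the standard Linux attribute paths /sys/class/net/BR/bridge/nf_call_{ip,ip6,arp}tables and a POSIX sh; the SYSFS_NET override and the make_fake_sysfs helper exist only so the script can be run offline against a constructed tree instead of a live system.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): enable the netfilter
# hooks per bridge through the kernel's per-bridge sysfs attributes instead
# of the global br_netfilter sysctls. SYSFS_NET defaults to the real sysfs
# location; it can be pointed at a constructed tree for offline use.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# set_bridge_nf_call BR FAMILY VALUE
#   FAMILY is ip, ip6 or arp (matching nf_call_iptables etc.), VALUE is 0 or 1.
set_bridge_nf_call() {
    br="$1"; family="$2"; value="$3"
    attr="$SYSFS_NET/$br/bridge/nf_call_${family}tables"
    case "$value" in
        0|1) ;;
        *) echo "value must be 0 or 1, got '$value'" >&2; return 1 ;;
    esac
    # Refuse silently-missing bridges rather than creating a stray file.
    [ -w "$attr" ] || { echo "no writable attribute: $attr" >&2; return 1; }
    printf '%s\n' "$value" > "$attr"
}

# get_bridge_nf_call BR FAMILY
#   Prints the current 0/1 value of the attribute.
get_bridge_nf_call() {
    cat "$SYSFS_NET/$1/bridge/nf_call_$2tables"
}

# list_filtering_bridges FAMILY
#   Prints the name of every bridge whose frames are handed to that table,
#   so an operator can audit which bridges pay the netfilter cost.
list_filtering_bridges() {
    family="$1"
    for attr in "$SYSFS_NET"/*/bridge/nf_call_${family}tables; do
        [ -r "$attr" ] || continue
        if [ "$(cat "$attr")" = 1 ]; then
            basename "$(dirname "$(dirname "$attr")")"
        fi
    done
}

# make_fake_sysfs ROOT
#   Constructed stand-in for /sys/class/net with two bridges, all hooks off.
#   Only for offline demonstration; on a real system use the kernel's tree.
make_fake_sysfs() {
    root="$1"
    for br in br-lan br-guest; do
        mkdir -p "$root/$br/bridge"
        for f in ip ip6 arp; do
            echo 0 > "$root/$br/bridge/nf_call_${f}tables"
        done
    done
}

# Usage on a live system (needs root):
#   set_bridge_nf_call br-guest ip 1      # only the captive-portal bridge
#   list_filtering_bridges ip             # -> br-guest
```

Two caveats for anyone relying on this for the selectivity Max wants. First, the kernel ORs the per-bridge flag with the global net.bridge.bridge-nf-call-iptables sysctl (which defaults to 1 once br_netfilter is loaded), so the global sysctl has to be set to 0 or every bridge is filtered regardless of its own attribute. Second, iproute2 exposes the same attributes via `ip link set dev BR type bridge nf_call_iptables 1`, which is the netlink path a netifd integration would use rather than sysfs writes.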
