[OpenWrt-Devel] MT7621 and bridge firewalling
Etienne Champetier
champetier.etienne at gmail.com
Sun Apr 12 17:48:05 EDT 2020
On Sat, Apr 11, 2020 at 12:48, Etienne Champetier
<champetier.etienne at gmail.com> wrote:
>
> Hello OpenWrt hackers,
>
> I'm playing around with OpenWrt master on a MikroTik RB750Gr3 and
> would like to do hardware accelerated stateful bridge firewalling. My
> end goal is to learn and make PhanTap
> (https://github.com/nccgroup/phantap) work at line rate.
>
> MT7621 supports flow offload, so the high level idea would be to:
> - create a linux bridge with 2 ports (say lan4/lan5)
> - disable normal switch offload (do not forward just based on mac
> dest) and have the packets go through netfilter
> - have netfilter create/install flow offload rules for most
> connections like we do for the routing case.
> - enjoy
>
> My questions are:
> - will the hardware let me do that (any restrictions on the flow
> offload rules or ...) ?
> - is it already possible with OpenWrt master (I was not able to have a
> bridge without offload yet) ?
> - any pointer to ongoing work in that area (while writing this email I
> just found NF_CONNTRACK_BRIDGE)
I spent part of the day randomly patching out some parts of the kernel, for example:
--- a/drivers/net/dsa/mt7530.c
+++ b/drivers/net/dsa/mt7530.c
@@ -1658,15 +1658,15 @@ static const struct dsa_switch_ops mt753
.port_enable = mt7530_port_enable,
.port_disable = mt7530_port_disable,
.port_stp_state_set = mt7530_stp_state_set,
- .port_bridge_join = mt7530_port_bridge_join,
- .port_bridge_leave = mt7530_port_bridge_leave,
- .port_fdb_add = mt7530_port_fdb_add,
- .port_fdb_del = mt7530_port_fdb_del,
+ //.port_bridge_join = mt7530_port_bridge_join,
+ //.port_bridge_leave = mt7530_port_bridge_leave,
+ //.port_fdb_add = mt7530_port_fdb_add,
+ //.port_fdb_del = mt7530_port_fdb_del,
.port_fdb_dump = mt7530_port_fdb_dump,
- .port_vlan_filtering = mt7530_port_vlan_filtering,
- .port_vlan_prepare = mt7530_port_vlan_prepare,
- .port_vlan_add = mt7530_port_vlan_add,
- .port_vlan_del = mt7530_port_vlan_del,
+ //.port_vlan_filtering = mt7530_port_vlan_filtering,
+ //.port_vlan_prepare = mt7530_port_vlan_prepare,
+ //.port_vlan_add = mt7530_port_vlan_add,
+ //.port_vlan_del = mt7530_port_vlan_del,
.port_mirror_add = mt7530_port_mirror_add,
.port_mirror_del = mt7530_port_mirror_del,
.phylink_validate = mt7530_phylink_validate,
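Review bot: commenting out `.port_bridge_join`/`.port_bridge_leave` and `.port_fdb_add`/`.port_fdb_del` only removes the callbacks through which the bridge layer notifies the driver about port membership and FDB changes; it does not by itself change what the switch does with frames whose addresses it has learned on its own, so it is not expected to force all lanX traffic through the CPU port, which is consistent with the symptom reported below (broadcast still seen, learned unicast not). The `.port_vlan_filtering`/`.port_vlan_prepare`/`.port_vlan_add`/`.port_vlan_del` removals have no bearing on that goal and should be dropped from the experiment so only one variable changes at a time. Style point: `//`-commented struct initialisers are a debugging artefact; if this is ever posted as a patch, remove the entries outright or gate them with `#if 0`/`#endif` and say in the description why they are disabled.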
I was only able to break unicast traffic :(
L2 broadcast works fine, but I don't see unicast responses if the dst
MAC is not the one of the switch.
As a first step I just want all traffic of lanX to go to the software
bridge, but no luck so far.
>
> Thanks
> Etienne
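As an added illustration of the stateful part of the plan above (not code from the thread or from PhanTap), this is what a minimal nftables ruleset looks like once NF_CONNTRACK_BRIDGE is available: conntrack runs in the bridge family, so `ct state` can be matched on frames forwarded between two bridged ports. It assumes an OpenWrt bridge over lan4 and lan5 (names taken from the thread), a kernel built with CONFIG_NF_CONNTRACK_BRIDGE and the nft userspace tool; the hardware offload half of the plan is exactly what the thread has not solved, so this runs purely in software.

```nft
#!/usr/sbin/nft -f
# Added example: stateful L2 filtering between two ports of one bridge.
# Assumptions: bridge members lan4 and lan5, kernel with
# CONFIG_NF_CONNTRACK_BRIDGE, nftables userspace. Not from the thread.
flush ruleset

table bridge filter {
    chain forward {
        # forward hook: frames going from one bridge port to another
        type filter hook forward priority 0; policy drop;

        # ARP must pass or neither side can resolve the other.
        ether type arp accept

        # A ct expression in a bridge-family chain is what makes
        # nf_conntrack_bridge register its hooks; without one no
        # connection state exists for bridged frames.
        ct state established,related accept
        ct state invalid counter drop

        # Only the lan4 side may open new IPv4 connections towards lan5;
        # replies come back through the established,related rule above.
        iifname "lan4" oifname "lan5" ether type ip ct state new accept

        # Everything else (new flows from lan5, other ethertypes) is
        # counted and dropped by the chain policy.
        counter
    }
}
```

Load it with `nft -f <file>` and watch the counters with `nft list ruleset`; if `ct state` is rejected when loading, the kernel lacks NF_CONNTRACK_BRIDGE.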
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel