Hi Etienne,

On 9/14/22 02:24, Etienne Champetier wrote:
>> The bridge driver allows passing bridged frames to netfilter.  Add
>> bridge config options nf_call_iptables, nf_call_ip6tables,
>> nf_call_arptables to opt in.
>
> You should have a look at using nftables instead,
> no need for those coarse-grained options and way more flexible / powerful.
> https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering
>
> Here is an example switching from iptables + br_netfilter to nftables +
> table bridge:
> https://github.com/nccgroup/phantap/commit/b066ce2c2bb21038958a117b3b67413e9a0ea0a3
> https://github.com/openwrt/packages/commit/66b7c19992688b924d2ecbbbc20781b32a82452f

Thanks for the hints. Unfortunately, we use openNDS for splash portals, which 
is relying heavily on legacy iptables etc.  So we are well served by those 
bridge settings.  Exposing them as config parameters makes it much easier to 
configure them correctly per bridge within the lifecycle of an interface.  We 
used to just globally enable the corresponding sysctls, but that's even cruder 
and has performance downsides if not all bridges need the filtering.

Side note: How can I ensure with nftables that the cost of going to the 
firewall (ebtables/iptables replacement) is only incurred on some bridges? Or 
does nftables figure that out on its own?  With nf_call_iptables, I can set it 
on a per bridge basis.

Best
Max


> Etienne

--
Dr.-Ing. Maximilian Riemensberger

Cadami GmbH

Metzstraße 14b, 81667 Munich, Germany

+49 151 10325807 | riemensber...@cadami.net | www.cadami.net

Geschäftsführer: Andreas Dotzler, Michael Heindlmaier, Maximilian Riemensberger
Sitz der Gesellschaft: München, HRB 219979 Amtsgericht München
USt-IdNr.: DE301293803
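Added example (not from either poster, nor from the phantap/openwrt commits linked above) of what the nftables side of the side note looks like: a bridge-family table whose base chain hooks every bridge, with the first rule returning early so the per-packet cost stays confined to the portal bridge, which is the nftables counterpart of setting nf_call_iptables on one bridge only. Bridge names br-lan and br-guest, the port list and the allowed ports are assumptions for illustration, and only IPv4 is handled.

```nftables
# Constructed example: confine bridge-family filtering to br-guest only.
# Assumed topology: br-lan (trusted) and br-guest (splash-portal clients).
table bridge portal {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # A bridge-family base chain is invoked for frames on every bridge
        # device, so short-circuit anything that is not on the portal bridge.
        # Frames on br-lan pay only this single compare.
        meta ibrname != "br-guest" accept

        # Everything below runs only for frames bridged by br-guest.
        ether type arp accept
        ether type ip ip protocol udp udp dport { 67, 68 } accept   # DHCP
        ether type ip ip protocol udp udp dport 53 accept           # DNS
        ether type ip ip protocol tcp tcp dport { 80, 443 } accept  # portal / web
        counter drop   # client-to-client traffic and anything else on br-guest
    }
}
```

Load with `nft -f` on a system where the bridge family is available; the `counter` on the final rule lets you verify from `nft list ruleset` that only br-guest traffic is reaching the drop.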

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
