Commit 1b1a4c7e authored by Hangbin Liu's avatar Hangbin Liu Committed by Paolo Abeni

docs: bridge: add netfilter doc

Add netfilter part for bridge document.
Reviewed-by: default avatarFlorian Westphal <fw@strlen.de>
Reviewed-by: default avatarFlorian Fainelli <florian.fainelli@broadcom.com>
Acked-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parent 3c37f17d
...@@ -251,6 +251,42 @@ kernel. ...@@ -251,6 +251,42 @@ kernel.
Please see the :ref:`switchdev` document for more details. Please see the :ref:`switchdev` document for more details.
Netfilter
=========
The bridge netfilter module is a legacy feature that allows to filter bridged
packets with iptables and ip6tables. Its use is discouraged. Users should
consider using nftables for packet filtering.
The older ebtables tool is more feature-limited compared to nftables, but
just like nftables it doesn't need this module either to function.
The br_netfilter module intercepts packets entering the bridge, performs
minimal sanity tests on ipv4 and ipv6 packets and then pretends that
these packets are being routed, not bridged. br_netfilter then calls
the ip and ipv6 netfilter hooks from the bridge layer, i.e. ip(6)tables
rulesets will also see these packets.
br_netfilter is also the reason for the iptables *physdev* match:
This match is the only way to reliably tell routed and bridged packets
apart in an iptables ruleset.
Note that ebtables and nftables will work fine without the br_netfilter module.
iptables/ip6tables/arptables do not work for bridged traffic because they
plug in the routing stack. nftables rules in ip/ip6/inet/arp families won't
see traffic that is forwarded by a bridge either, but that's very much how it
should be.
Historically the feature set of ebtables was very limited (it still is),
this module was added to pretend packets are routed and invoke the ipv4/ipv6
netfilter hooks from the bridge so users had access to the more feature-rich
iptables matching capabilities (including conntrack). nftables doesn't have
this limitation, pretty much all features work regardless of the protocol family.
So, br_netfilter is only needed if users, for some reason, need to use
ip(6)tables to filter packets forwarded by the bridge, or NAT bridged
traffic. For pure link layer filtering, this module isn't needed.
FAQ FAQ
=== ===
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment