| author | Hangbin Liu <liuhangbin@gmail.com> | 2023-12-01 16:19:49 +0800 |
|---|---|---|
| committer | Paolo Abeni <pabeni@redhat.com> | 2023-12-05 10:48:01 +0100 |
| commit | 1b1a4c7e82aeebef6bd68c94b0531aa72531f60c (patch) | |
| tree | 5ab3ec911fcd4530aadd1dee3a3e26f5709bc8ad /Documentation | |
| parent | 3c37f17d6ca9a2153486e2893f996a9f1525c410 (diff) | |
docs: bridge: add netfilter doc
Add netfilter part for bridge document.
Reviewed-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/networking/bridge.rst | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/Documentation/networking/bridge.rst b/Documentation/networking/bridge.rst index e96af89cd061..39ff8d126a04 100644 --- a/Documentation/networking/bridge.rst +++ b/Documentation/networking/bridge.rst 
@@ -251,6 +251,42 @@ kernel. Please see the :ref:`switchdev` document for more details. +Netfilter +========= + +The bridge netfilter module is a legacy feature that allows to filter bridged +packets with iptables and ip6tables. Its use is discouraged. Users should +consider using nftables for packet filtering. + +The older ebtables tool is more feature-limited compared to nftables, but +just like nftables it doesn't need this module either to function. + +The br_netfilter module intercepts packets entering the bridge, performs +minimal sanity tests on ipv4 and ipv6 packets and then pretends that +these packets are being routed, not bridged. br_netfilter then calls +the ip and ipv6 netfilter hooks from the bridge layer, i.e. ip(6)tables +rulesets will also see these packets. + +br_netfilter is also the reason for the iptables *physdev* match: +This match is the only way to reliably tell routed and bridged packets +apart in an iptables ruleset. + +Note that ebtables and nftables will work fine without the br_netfilter module. +iptables/ip6tables/arptables do not work for bridged traffic because they +plug in the routing stack. nftables rules in ip/ip6/inet/arp families won't +see traffic that is forwarded by a bridge either, but that's very much how it +should be. + +Historically the feature set of ebtables was very limited (it still is), +this module was added to pretend packets are routed and invoke the ipv4/ipv6 +netfilter hooks from the bridge so users had access to the more feature-rich +iptables matching capabilities (including conntrack). nftables doesn't have +this limitation, pretty much all features work regardless of the protocol family. + +So, br_netfilter is only needed if users, for some reason, need to use +ip(6)tables to filter packets forwarded by the bridge, or NAT bridged +traffic. For pure link layer filtering, this module isn't needed. + FAQ === |
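Review bot: Two grammar problems in the new Netfilter section should be fixed before this lands: "allows to filter bridged packets" is not idiomatic (use "allows filtering bridged packets" or "makes it possible to filter bridged packets"), and "Historically the feature set of ebtables was very limited (it still is), this module was added to pretend packets are routed ..." is a comma splice that should be split into two sentences ("... (it still is). This module was added to ..."). Also "because they plug in the routing stack" should read "plug into the routing stack". Finally, the section says twice that nftables works without br_netfilter ("just like nftables it doesn't need this module either to function" and, later, "Note that ebtables and nftables will work fine without the br_netfilter module"); stating it once is enough, and dropping the duplicate makes the closing "So, br_netfilter is only needed if ..." paragraph the single place where the reader is told when the module is actually required.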