mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-27 12:57:53 +00:00
docs: bridge: add netfilter doc
Add netfilter part for bridge document.

Reviewed-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
This commit is contained in:
parent 3c37f17d6c
commit 1b1a4c7e82
1 changed files with 36 additions and 0 deletions
@ -251,6 +251,42 @@ kernel.
Please see the :ref:`switchdev` document for more details.
Netfilter
=========
The bridge netfilter module is a legacy feature that allows to filter bridged
packets with iptables and ip6tables. Its use is discouraged. Users should
consider using nftables for packet filtering.
The older ebtables tool is more feature-limited compared to nftables, but
just like nftables it doesn't need this module either to function.
The br_netfilter module intercepts packets entering the bridge, performs
minimal sanity tests on ipv4 and ipv6 packets and then pretends that
these packets are being routed, not bridged. br_netfilter then calls
the ip and ipv6 netfilter hooks from the bridge layer, i.e. ip(6)tables
rulesets will also see these packets.
br_netfilter is also the reason for the iptables *physdev* match:
This match is the only way to reliably tell routed and bridged packets
apart in an iptables ruleset.
Note that ebtables and nftables will work fine without the br_netfilter module.
iptables/ip6tables/arptables do not work for bridged traffic because they
plug in the routing stack. nftables rules in ip/ip6/inet/arp families won't
see traffic that is forwarded by a bridge either, but that's very much how it
should be.
Historically the feature set of ebtables was very limited (it still is),
this module was added to pretend packets are routed and invoke the ipv4/ipv6
netfilter hooks from the bridge so users had access to the more feature-rich
iptables matching capabilities (including conntrack). nftables doesn't have
this limitation, pretty much all features work regardless of the protocol family.
So, br_netfilter is only needed if users, for some reason, need to use
ip(6)tables to filter packets forwarded by the bridge, or NAT bridged
traffic. For pure link layer filtering, this module isn't needed.
FAQ
===
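Review bot: the sentence "Historically the feature set of ebtables was very limited (it still is), this module was added to pretend packets are routed ..." is a comma splice; split it ("... was very limited (it still is). This module was added to pretend ..."), and "allows to filter bridged packets" in the first paragraph should read "allows filtering of bridged packets". Since the text already states that br_netfilter "pretends that these packets are being routed" and that "ip(6)tables rulesets will also see these packets", one sentence on the operational consequence would help administrators: once the module is loaded, an existing iptables/ip6tables FORWARD ruleset applies to frames the bridge forwards, so a restrictive policy can silently drop bridged traffic and a permissive one can expose it; the net.bridge.bridge-nf-call-iptables, bridge-nf-call-ip6tables and bridge-nf-call-arptables sysctls that switch this per protocol family are worth naming here too. "Note that ebtables and nftables will work fine without the br_netfilter module." repeats the second paragraph's "just like nftables it doesn't need this module either to function"; one of the two can go. Minor: "ipv4 and ipv6" would normally be written IPv4 and IPv6.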