Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

docs: bridge: add netfilter doc

Add netfilter part for bridge document.

Reviewed-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Authored by Hangbin Liu and committed by Paolo Abeni
1b1a4c7e 3c37f17d

+36
Documentation/networking/bridge.rst
··· 251 251 252 252 Please see the :ref:`switchdev` document for more details. 253 253 254 + Netfilter 255 + ========= 256 + 257 + The bridge netfilter module is a legacy feature that allows to filter bridged 258 + packets with iptables and ip6tables. Its use is discouraged. Users should 259 + consider using nftables for packet filtering. 260 + 261 + The older ebtables tool is more feature-limited compared to nftables, but 262 + just like nftables it doesn't need this module either to function. 263 + 264 + The br_netfilter module intercepts packets entering the bridge, performs 265 + minimal sanity tests on ipv4 and ipv6 packets and then pretends that 266 + these packets are being routed, not bridged. br_netfilter then calls 267 + the ip and ipv6 netfilter hooks from the bridge layer, i.e. ip(6)tables 268 + rulesets will also see these packets. 269 + 270 + br_netfilter is also the reason for the iptables *physdev* match: 271 + This match is the only way to reliably tell routed and bridged packets 272 + apart in an iptables ruleset. 273 + 274 + Note that ebtables and nftables will work fine without the br_netfilter module. 275 + iptables/ip6tables/arptables do not work for bridged traffic because they 276 + plug in the routing stack. nftables rules in ip/ip6/inet/arp families won't 277 + see traffic that is forwarded by a bridge either, but that's very much how it 278 + should be. 279 + 280 + Historically the feature set of ebtables was very limited (it still is), 281 + this module was added to pretend packets are routed and invoke the ipv4/ipv6 282 + netfilter hooks from the bridge so users had access to the more feature-rich 283 + iptables matching capabilities (including conntrack). nftables doesn't have 284 + this limitation, pretty much all features work regardless of the protocol family. 285 + 286 + So, br_netfilter is only needed if users, for some reason, need to use 287 + ip(6)tables to filter packets forwarded by the bridge, or NAT bridged 288 + traffic. 
For pure link layer filtering, this module isn't needed. 289 + 254 290 FAQ 255 291 === 256 292
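Review bot: the first sentence of the new section, "allows to filter bridged packets", is not grammatical; "allows filtering of bridged packets with iptables and ip6tables" reads better. The paragraph beginning "Historically the feature set of ebtables was very limited (it still is), this module was added" is a comma splice; split it after "(it still is)" or join the clauses with "so". Capitalisation is also inconsistent within the hunk ("ipv4 and ipv6 packets" vs. the usual IPv4/IPv6). On substance, the sentence "ip(6)tables rulesets will also see these packets" would be clearer if it stated plainly that, once br_netfilter is loaded, this applies to all bridged IPv4/IPv6 traffic: a ruleset written with only routed traffic in mind can then silently start matching (and dropping or NATing) bridged frames, which is the practical reason the physdev match described two paragraphs later exists.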