Bridge Firewall on fw4

Hi all,

I have OpenWRT 23.05.5 on a Netgear GS108T v3.
I will use the switch as a LAN switch, without a WAN interface and/or Internet connection.

My goal is to bridge all ports,
but drop UDP packets destined to a particular port (e.g. 3000) for the host plugged into a physical port (e.g. lan6),
and drop all UDP packets for a host plugged into a physical port (e.g. lan7) except for packets destined to a particular port (e.g. 4000).
Particular performance in terms of speed is not required.

What I've managed up to now (thanks to PSherman and Pavel for help and understanding) is to bridge all ports in a 'br-lan' bridge device with 'Bridge VLAN filtering', create 3 VLAN devices whose base device is 'br-lan', and create 3 firewall zones to forward packets between zones.

That is working: I can transmit UDP packets destined to port 3000 and all VLANs receive them.
Now it's time to DROP these packets for the VLAN where I don't want to forward them.

And here comes the difficulty (and my incompetence...).
What I've understood is that the configuration up to now works at L2, so if I set a firewall rule between zones (L3) it will NOT be handled. As per PSherman's suggestion I have to deal with 'Bridge Firewall': https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge?s[]=firewall

I followed the instructions but with no success: I've set up an nft bridge table, chain and rule to drop packets destined to port 3000, but they still get through.
Is there someone who can tell:

  1. if fw4 can handle Bridge Firewall settings
  2. and how to achieve my goal

Following are my settings:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd93:4551:c672::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'lan5:u*'
        list ports 'lan6:u*'
        list ports 'lan7:u*'
        list ports 'lan8:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'

config interface 'rhib'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'

config interface 'simpulse'
        option device 'br-lan.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.2'

config interface 'radio'
        option device 'br-lan.3'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.0.3'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'rhibzone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'rhib'
        option log '1'

config zone
        option name 'simpulsezone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'simpulse'

config zone
        option name 'radiozone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'radio'

config forwarding
        option src 'rhibzone'
        option dest 'simpulsezone'

config forwarding
        option src 'simpulsezone'
        option dest 'rhibzone'

config forwarding
        option src 'rhibzone'
        option dest 'radiozone'

config forwarding
        option src 'radiozone'
        option dest 'rhibzone'

config include 'bridge'
        option path '/etc/nftables.d/bridge.sh'

/etc/nftables.d/bridge.sh

nft add table bridge filter
nft flush table bridge filter
nft add chain bridge filter forward '{type filter hook forward priority -200; }'

nft add rule bridge filter forward iifname "br-lan.1" oifname "br-lan.2" ip daddr 255.255.255.255 udp dport 3000 counter drop

Any help is appreciated!

You can add nft format segments eg

fw4 manages only the table inet fw4 section.

I don't understand your setup. VLANs 2 and 3 have no assigned physical ports and the configured IP addresses are on the same subnet. Why are you using bridge VLAN filtering at all?

If you need multiple IP addresses, you can use the list statement or aliases (if you need to create several interfaces using the same device).

Try to keep things as simple as possible during testing to find out what works and what doesn't.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd93:4551:c672::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'

config interface 'rhib'
        option device 'br-lan'
        option proto 'static'
        list ipaddr '192.168.0.1/24'

nft add rule bridge filter forward oifname "lan6" udp dport 3000 counter drop
nft add rule bridge filter forward oifname "lan7" udp dport 4000 counter accept
nft add rule bridge filter forward oifname "lan7" ip protocol udp counter drop

While technically possible, this is an L3 feature, which is not offloaded on rtl838x and will therefore be abysmally slow.


@pavelgl:
keep it simple... OK, I restart from:

My goal is to bridge all ports but drop UDP packets destined to a particular port (e.g. 3000) for the host plugged into a physical port (e.g. lan8).

In the picture above there is the layout, to better understand:
Host 1 transmits a UDP packet destined to port 3000; I want Host 2 to receive it but Host 3 not to receive it.
If possible, hosts 1, 2 and 3 are in the same subnet (e.g. 192.168.0.0/24); if not, no problem.
Any solution is fine, with or without VLANs, with or without forwardings.

Up to now I have set up one 'Bridge device' that includes lan1..lan8 (named br-lan) and 2 VLANs whose base device is br-lan; by enabling 'Bridge VLAN filtering' and playing with tagging/untagging of the ports I enable/disable forwarding of messages between VLANs.
No firewall zones or rules are in place.
The config files:

# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd93:4551:c672::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        list ports 'lan6'
        list ports 'lan7'
        list ports 'lan8'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'lan5:u*'
        list ports 'lan6:u*'
        list ports 'lan7:u*'
        list ports 'lan8:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'

config interface 'vlan1'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'

config interface 'vlan2'
        option device 'br-lan.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

@slh:
If possible I will work at L2 switching only. As for the picture above, my only requirement is to drop UDP packets destined to port 3000. No IPs to handle...

@brada4:
Not the same as Pavel: you suggest using something like:
nft add rule bridge fw4
while Pavel:
nft add rule bridge filter

Finally: what do I have to do?
Is Bridge VLAN filtering the only way to go?
Or maybe I only have to handle Bridge Firewall stuff?
I'm confused now.

The names don't matter, it is a tree-like structure.
prerouting iif lan8 tcp dport 3000 drop

@brada4 excuse me for the 'geek' point on the names of tables and chains. I've read a little bit on nftables now.

@pavelgl I restarted once again on the switch: the initial default configuration of the Netgear GS108T v3 OpenWRT installation is in place:

  • One bridge device named 'switch' with all ports 1..8 handled by Bridge VLAN filtering, all untagged.
  • One network device named 'switch.1'
  • One interface named 'lan' whose device is 'switch.1'

The only changes I made are:

nft add table bridge t1
nft flush table bridge t1
nft add chain bridge t1 c1 '{type filter hook input priority 0; }'
nft add rule bridge t1 c1 udp dport 3000 counter drop

Now:
if I call 'nft list ruleset' I can see the inet fw4 table and, at the bottom, my 't1' bridge table.
If I set the chain hook to 'prerouting' or 'input' I see the counter increase after transmitting matching packets; if I set 'forward' or 'output' the counter does not increase.

Anyway the packets are received by a listening host and not dropped.
Can you explain why?

Anyway a little step is done:
I know nft bridge is handled by OpenWRT and I can set custom rules.
I know fw4 handles its inet table and I don't have to deal with it.

https://wiki.nftables.org/wiki-nftables/index.php/Bridge_filtering
I told prerouting :wink:

@brada4
no success until now... GRRR.

Having said that, I'm tweaking the initial default OpenWRT configuration: cleaned the firewall rules, added the nftables bridge firewall package and added a bridge table, chain and rule:

nft add table bridge t1
nft flush table bridge t1
nft add chain bridge t1 c1 '{type filter hook prerouting priority -200; }'
nft add rule bridge t1 c1 udp dport 3000 counter drop

This makes the rule counter increase but the packet passes to the destination. Is that because of bridge VLAN filtering? I suppose so but, as per the documentation, these packets should be processed by nftables before entering the FDB.

If I add iif, oif, iifname or oifname syntax to the rule, specifying "lanX" and/or "switch.1" and so on, packets pass and the counter does not increase.

Now, is VLAN bridging done at L2?
Nftables bridge filtering too?
Again: why does the added nftables bridge rule count but not work as expected?

Thanks

I cannot help since you did not follow a single piece of advice.
You may ask your AI assistant to help with your -300 priorities in the command line.

I apologize if I gave this impression; my effort is to get things working and I lack knowledge on this. I proceed by trial and error and by reading, and when @pavelgl suggested I keep things simple I reset the configuration to simpler settings. And NO, I have never used AI assistants and I don't intend to.

Anyway thanks for your help until now. I will continue my way.

You create a file
3k.nft

table bridge t1
flush table bridge t1
table bridge t1 {
    chain c1 {
        type filter hook prerouting priority filter; policy accept;
        udp dport 3000 log drop
    }
}

then check with nft -c -f file.nft
If it works right, copy it to a permanent place?
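As an added example that is not part of the thread (my script, not code from pavelgl, brada4 or the OpenWrt project): a small POSIX shell script that joins the two pieces of advice above into one workflow. It writes pavelgl's three forward-hook rules for the original lan6/lan7 goal in nft file syntax, generalised so that the "drop every other UDP datagram" rule matches UDP over IPv6 as well as IPv4 (`meta l4proto udp` instead of `ip protocol udp`), syntax-checks the file with `nft -c -f` as the last reply suggests, and prints the `config include` stanza that makes fw4 load it on every reload. The port names lan6/lan7, the file path, the table and chain names and the fw4 include options (`type 'nftables'`, `position 'ruleset-post'`) are assumptions taken from firewall4's include mechanism as I know it, not from the thread; verify them against the fw4 version on the switch.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the bridge ruleset for
# the original two-port goal, syntax-checks it (nft -c -f) and prints the fw4
# include stanza that keeps it across 'fw4 reload'. Assumptions (not from the
# thread): bridge ports are lan1..lan8, the file lives under /etc/nftables.d/,
# and fw4 supports 'config include' of type 'nftables' at 'ruleset-post'.

# Emit the ruleset. The bridge forward hook sees frames the software bridge
# moves between member ports, and iifname/oifname there name those members
# (lan1..lan8). "br-lan.N" is a VLAN sub-interface of the bridge, not a port,
# so a rule keyed on it never matches in the bridge family.
# 'udp dport' carries an implicit 'meta l4proto udp' dependency in this
# family, so these rules cover UDP over IPv4 and IPv6 alike.
gen_bridge_ruleset() {
    cat <<'EOF'
table bridge filter
flush table bridge filter
table bridge filter {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # host on lan6: drop only UDP to port 3000
        oifname "lan6" udp dport 3000 counter drop

        # host on lan7: allow only UDP to port 4000, drop every other UDP datagram
        oifname "lan7" udp dport 4000 counter accept
        oifname "lan7" meta l4proto udp counter drop
    }
}
EOF
}

# Syntax-check a ruleset file without loading it. Returns nft's exit status,
# or 0 with a warning when nft is not installed (e.g. when run off the switch).
check_bridge_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not found, skipping syntax check of $1" >&2
        return 0
    fi
}

# Emit the /etc/config/firewall stanza that loads the file on every fw4 reload.
# 'ruleset-post' includes it at top level, so it may define its own table.
# A file merely dropped into /etc/nftables.d/*.nft is (assumed fw4 behaviour)
# included inside 'table inet fw4', where a bridge table cannot be declared,
# which is one reason a custom table can silently never appear.
gen_fw4_include() {
    cat <<EOF
config include 'bridge_filter'
        option type 'nftables'
        option path '$1'
        option position 'ruleset-post'
EOF
}

# Number of port rules in the generated chain, for a quick self-check.
count_bridge_rules() {
    gen_bridge_ruleset | grep -c '^ *oifname'
}

main() {
    # On the switch use /etc/nftables.d/bridge-filter.nft as the argument.
    out="${1:-/tmp/bridge-filter.nft}"
    gen_bridge_ruleset > "$out"
    check_bridge_ruleset "$out" || exit 1
    echo "wrote $out ($(count_bridge_rules) rules); add this to /etc/config/firewall, then run: fw4 reload"
    gen_fw4_include "$out"
}

main "$@"
```

On the switch, run it as `sh bridge-filter.sh /etc/nftables.d/bridge-filter.nft`, append the printed stanza to /etc/config/firewall, run `fw4 reload`, and confirm the table exists with `nft list table bridge filter` while sending test datagrams, watching the `counter` values in the forward chain. One caveat, which is my reading of the symptom reported above and not a statement from the thread: if only a prerouting or input counter moves while forward stays at zero, the kernel is seeing the CPU's own copy of a broadcast, and on a Realtek DSA switch the ASIC may already have forwarded the frame between ports in hardware, which no bridge-family rule can undo. Check that port-to-port traffic actually traverses the software bridge before relying on these rules, and keep slh's warning in mind that forcing that path costs throughput on rtl838x.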