Help with fw3 for Bridged Firewall

Hi, I'm trying to set up a bridged firewall, with all the firewall abilities of the standard configuration.
For that, I have to use the iptables physdev packet-matching module in order to use the physical bridged interface names in rules.
Unfortunately, fw3 doesn't seem to support this.

In the standard configuration, I have the following references to interfaces in the generated rules:

root@OpenWrt:~# fw3 print|grep -- \ -i
Warning: Unable to locate ipset utility, disabling ipset support
iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
iptables -t filter -D FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -D zone_wan_src_ACCEPT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_src_ACCEPT -i eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
iptables -t filter -D FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t nat -D PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
iptables -t nat -D PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
iptables -t nat -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
root@OpenWrt:~# fw3 print|grep -- \ -o
Warning: Unable to locate ipset utility, disabling ipset support
iptables -t filter -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t filter -D zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -D OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t filter -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
iptables -t nat -D POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
iptables -t nat -D POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting

Now I would like to bridge my LAN and WAN interfaces (eth0, eth1) together, and as I understand it, the rules above should then be transformed as follows:

  • every -i br-lan replaced with -m physdev --physdev-in eth0
  • every -i eth1 replaced with -m physdev --physdev-in eth1, as it is bridged now.
    Analogously,
  • every -o br-lan replaced with -m physdev --physdev-out eth0
  • every -o eth1 replaced with -m physdev --physdev-out eth1

The problem is that I don't know how best to achieve that.
Is it possible with fw3, or do I have to redo the rules from scratch?

Please help, I'm new to this stuff. Thanks.
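The rewrite described in the post above, as an added shell example; it is not from the original post and not fw3 code. It assumes (my assumptions, not the page's) that eth0 and eth1 are both ports of a single bridge named br0, that the old LAN bridge br-lan had eth0 as its only port, and that the old WAN interface eth1 keeps its name as a bridge port. One caveat the mapping in the post does not cover: the kernel's physdev match refuses --physdev-out for rules in the OUTPUT chain (iptables reports "Invalid argument"), because locally generated packets have no input port and their output port is not known at that hook. The example therefore keeps matching locally generated traffic on the bridge device itself in OUTPUT. The function names physdev_rewrite and bridge_nf_state, and the variables BRIDGE, PORT_MAP and SAMPLE_RULES, are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from fw3: rewrite fw3-style
# iptables rules so that interface matches refer to bridge ports via the
# physdev module instead of to the bridge device or the former bare interface.
#
# Assumptions (mine, not the page's): eth0 and eth1 are enslaved to one
# bridge named br0; before bridging, the LAN zone was br-lan (whose only
# port was eth0) and the WAN zone was the bare interface eth1.
BRIDGE=br0

# "old interface name in the fw3 rule" -> "bridge port it becomes"
PORT_MAP='br-lan eth0
eth1 eth1'

# Read iptables rules on stdin, write the rewritten rules on stdout.
#  - "-i X" becomes "-m physdev --physdev-in PORT"
#  - "-o X" becomes "-m physdev --physdev-out PORT", except in the OUTPUT
#    chain, where the kernel refuses --physdev-out: locally generated
#    packets are matched on the bridge device ($BRIDGE) instead.
#  - anything not in PORT_MAP (for example "-i lo") is left untouched.
physdev_rewrite() {
    # Build one sed program from PORT_MAP so the mapping lives in one place.
    # The OUTPUT substitution comes first for each name, so the generic
    # "-o" rewrite no longer matches those lines.
    prog=$(printf '%s\n' "$PORT_MAP" | while read -r old port; do
        [ -n "$old" ] || continue
        printf '/ OUTPUT /s/ -o %s / -o %s /\n' "$old" "$BRIDGE"
        printf 's/ -i %s / -m physdev --physdev-in %s /\n' "$old" "$port"
        printf 's/ -o %s / -m physdev --physdev-out %s /\n' "$old" "$port"
    done)
    sed -e "$prog"
}

# Report whether iptables will see bridged frames at all. This needs
# br_netfilter (kmod-br-netfilter on OpenWrt) and the sysctl
# net.bridge.bridge-nf-call-iptables=1. Prints "1", "0" or "absent"
# (absent means br_netfilter is not loaded, so no bridged frame reaches
# iptables and none of the physdev rules would ever match).
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Constructed sample input: a few of the rules fw3 printed in the post.
SAMPLE_RULES='iptables -t filter -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
iptables -t filter -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
iptables -t filter -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
iptables -t filter -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
iptables -t nat -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting'

# Dry run: print the rewritten rules instead of applying them.
echo "bridge-nf-call-iptables: $(bridge_nf_state)"
printf '%s\n' "$SAMPLE_RULES" | physdev_rewrite
```

To apply for real, pipe the output of `fw3 print` through physdev_rewrite and execute the result in a shell; note that fw3 regenerates its own rules on the next reload, so a textual rewrite is a one-off, not a configuration. The same OUTPUT restriction applies, as I understand it, to user-defined chains that iptables can reach from OUTPUT, which includes fw3's zone_*_dest_* chains (they are jumped to from both the forward and the output zone chains), so those rules need either --physdev-is-bridged or separate forward/output variants rather than a plain substitution.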

Eventually, I ended up with Shorewall-lite: Bridged Firewalls

https://openwrt.org/packages/pkgdata/kmod-br-netfilter
https://openwrt.org/packages/pkgdata/kmod-ipt-physdev

I know about the modules; the question was about an fw3 setup which makes use of them.
Unfortunately, I didn't find a way of doing so with fw3.

PS: it seems fw3 doesn't handle physdevs in zones properly, but Shorewall has specific support for this.