Hi,
I did some investigation, and I found this.
This is the module I need to install (at least): kmod-nft-bridge.
Once it is installed, you can do several configurations. If you don't, you will get some syntax errors. (Confusing for me.)
Once you install this module, you can configure this (you can also define it as a custom config in the proper nft folder):
# bridge-family table: rules here see frames as they cross the bridge, not just routed packets
nft add table bridge filter
# DHCPv4 (67/68) and DHCPv6 (546/547) entering the bridge on tap0, in both directions
# (sets are quoted so the shell never touches the braces)
nft add chain bridge filter input '{ type filter hook input priority 0; policy accept; }'
nft add rule bridge filter input iifname "tap0" udp sport '{ 67, 68 }' counter drop
nft add rule bridge filter input iifname "tap0" udp dport '{ 67, 68 }' counter drop
nft add rule bridge filter input iifname "tap0" udp sport '{ 546, 547 }' counter drop
nft add rule bridge filter input iifname "tap0" udp dport '{ 546, 547 }' counter drop
nft add chain bridge filter forward '{ type filter hook forward priority 0; policy accept; }'
nft add rule bridge filter forward iifname "tap0" udp sport '{ 67, 68 }' counter drop
nft add rule bridge filter forward iifname "tap0" udp dport '{ 67, 68 }' counter drop
nft add rule bridge filter forward iifname "tap0" udp sport '{ 546, 547 }' counter drop
nft add rule bridge filter forward iifname "tap0" udp dport '{ 546, 547 }' counter drop
nft add chain bridge filter output '{ type filter hook output priority 0; policy accept; }'
I found this, and it seems to be working (at least properly with IPv4):
table bridge filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "tap0" udp sport { 67, 68 } counter packets 59 bytes 21951 drop
        iifname "tap0" udp dport { 67, 68 } counter packets 0 bytes 0 drop
        iifname "tap0" udp sport { 546, 547 } counter packets 15 bytes 3092 drop
        iifname "tap0" udp dport { 546, 547 } counter packets 0 bytes 0 drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "tap0" udp sport { 67, 68 } counter packets 243 bytes 87501 drop
        iifname "tap0" udp dport { 67, 68 } counter packets 0 bytes 0 drop
        iifname "tap0" udp sport { 546, 547 } counter packets 130 bytes 22380 drop
        iifname "tap0" udp dport { 546, 547 } counter packets 0 bytes 0 drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
So I assume I can reduce the config to just the sport definition... (we will see). Anyway, there is still something I need to learn, since my secondary DHCP server is still serving DHCPv6 addresses... Does anyone know why?
Regards,
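As an added example (editor's code, not the original poster's configuration): a small POSIX shell script that builds the consolidated ruleset the post is heading towards, validates it with `nft -c` before loading it as one atomic batch, and parses `nft list table bridge filter` output so rules that never fire can be pruned on evidence rather than guesswork. Every DHCP packet in either direction has its source port in { 67, 68, 546, 547 } (server or client side), so one `udp sport` rule per hook is enough and the `dport` rules are redundant, which is exactly what the zero counters in the post show. The interface name `tap0`, the presence of `kmod-nft-bridge` and `nft` in PATH, and the `sample_listing` data (constructed from the counters shown in the post) are assumptions; the router-advertisement rule goes beyond the original rules and is there only because SLAAC can assign IPv6 addresses without any DHCPv6 exchange, which is worth ruling out when IPv6 addresses keep appearing.

```shell
#!/bin/sh
# Added example: consolidate, validate, atomically load and audit a bridge-family
# nftables ruleset that drops DHCPv4/DHCPv6 entering the bridge on tap0.
# Assumes kmod-nft-bridge is installed and `nft` is available (assumption).

IFACE="${IFACE:-tap0}"   # bridge port to isolate (assumption: tap0, as in the post)

# Emit the ruleset in nft native syntax.  Declaring the table empty and then
# deleting it inside the same batch makes reloads idempotent and atomic: the old
# rules are replaced by the new ones in a single netlink transaction.
build_ruleset() {
    cat <<EOF
table bridge filter {}
delete table bridge filter
table bridge filter {
    set dhcp_ports {
        type inet_service
        # DHCPv4 server/client, DHCPv6 client/server
        elements = { 67, 68, 546, 547 }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$IFACE" udp sport @dhcp_ports counter drop
        # optional, beyond the original rules: SLAAC assigns IPv6 addresses without DHCPv6
        iifname "$IFACE" icmpv6 type nd-router-advert counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$IFACE" udp sport @dhcp_ports counter drop
        iifname "$IFACE" icmpv6 type nd-router-advert counter drop
    }
}
EOF
}

# Syntax/semantic check first (-c commits nothing), then load as one batch.
apply_ruleset() {
    build_ruleset | nft -c -f - && build_ruleset | nft -f -
}

# Parse `nft list table bridge filter` output on stdin into
#   <chain>\t<packets>\t<match expression>
# one line per counted rule, so rules can be ranked by how often they fire.
rule_counters() {
    awk '
        /^[[:space:]]*chain[[:space:]]/ { chain = $2 }
        /counter packets/ {
            for (i = 1; i < NF; i++) if ($i == "packets") pk = $(i + 1)
            sub(/[[:space:]]*counter packets.*$/, "")   # keep only the match part
            sub(/^[[:space:]]+/, "")
            printf "%s\t%s\t%s\n", chain, pk, $0
        }'
}

# Rules whose packet counter is still zero: candidates for removal.
unused_rules() {
    rule_counters | awk -F '\t' '$2 == 0'
}

# Constructed sample: the listing from the post, embedded so the audit can be
# exercised offline (not live output from a router).
sample_listing() {
    cat <<'EOF'
table bridge filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "tap0" udp sport { 67, 68 } counter packets 59 bytes 21951 drop
        iifname "tap0" udp dport { 67, 68 } counter packets 0 bytes 0 drop
        iifname "tap0" udp sport { 546, 547 } counter packets 15 bytes 3092 drop
        iifname "tap0" udp dport { 546, 547 } counter packets 0 bytes 0 drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "tap0" udp sport { 67, 68 } counter packets 243 bytes 87501 drop
        iifname "tap0" udp dport { 67, 68 } counter packets 0 bytes 0 drop
        iifname "tap0" udp sport { 546, 547 } counter packets 130 bytes 22380 drop
        iifname "tap0" udp dport { 546, 547 } counter packets 0 bytes 0 drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

case "${1:-}" in
    apply)  apply_ruleset ;;                               # load on the router
    report) nft list table bridge filter | unused_rules ;; # audit live counters
    demo)   sample_listing | unused_rules ;;               # audit the embedded sample
esac
```

Run `sh dhcp-guard.sh demo` anywhere to see the four never-matching `dport` rules from the post fall out of the audit; on the router, `sh dhcp-guard.sh apply` loads the reduced ruleset and, after some traffic, `sh dhcp-guard.sh report` shows whether anything else can go. Leaving a `counter` on every rule costs nothing and is what makes this kind of pruning possible.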