How can I block DHCP traffic inside a bridge interface?

Hi,

In previous OpenWrt versions, I used fw3. So I had to install ebtables (with kmod-ebtables, both ipv4 and ipv6) and configure the following commands at router start:

ebtables -I FORWARD -i tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -I FORWARD -o tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -I INPUT -i tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv4 --ip-proto udp --ip-dport 67:68 -j DROP

ebtables -I FORWARD -i tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
ebtables -I FORWARD -o tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
ebtables -I INPUT -i tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP
ebtables -I OUTPUT -o tap0 -p IPv6 --ip6-proto udp --ip6-dport 546:547 -j DROP

Since I upgraded, I use fw4, which means nftables can also handle bridge traffic. So:

1.- Which extra modules must I install to block this traffic (if needed)?
2.- Which commands/rules must I configure in order to translate the ebtables commands I pasted?

Regards,

Help, pls!

Hi,

I did some investigating, and I found this.

This is the module I need to install (at least): kmod-nft-bridge.

Once it is installed, you can do several configurations. If you don't, you will get some syntax errors (confusing for me).

Once you install this module, you can configure this (you can also define it as a custom config in the proper nft folder):

nft add table bridge filter

nft add chain bridge filter input '{type filter hook input priority 0; policy accept; }'
nft add rule bridge filter input iifname "tap0" udp sport {67, 68} counter drop
nft add rule bridge filter input iifname "tap0" udp dport {67, 68} counter drop
nft add rule bridge filter input iifname "tap0" udp sport {546, 547} counter drop
nft add rule bridge filter input iifname "tap0" udp dport {546, 547} counter drop

nft add chain bridge filter forward '{type filter hook forward priority 0; policy accept; }'
nft add rule bridge filter forward iifname "tap0" udp sport {67, 68} counter drop
nft add rule bridge filter forward iifname "tap0" udp dport {67, 68} counter drop
nft add rule bridge filter forward iifname "tap0" udp sport {546, 547} counter drop
nft add rule bridge filter forward iifname "tap0" udp dport {546, 547} counter drop

nft add chain bridge filter output  '{type filter hook output priority 0; policy accept; }'

I found this, and it seems to be working (at least properly with IPv4):

table bridge filter {
	chain input {
		type filter hook input priority 0; policy accept;
		iifname "tap0" udp sport { 67, 68 } counter packets 59 bytes 21951 drop
		iifname "tap0" udp dport { 67, 68 } counter packets 0 bytes 0 drop
		iifname "tap0" udp sport { 546, 547 } counter packets 15 bytes 3092 drop
		iifname "tap0" udp dport { 546, 547 } counter packets 0 bytes 0 drop
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
		iifname "tap0" udp sport { 67, 68 } counter packets 243 bytes 87501 drop
		iifname "tap0" udp dport { 67, 68 } counter packets 0 bytes 0 drop
		iifname "tap0" udp sport { 546, 547 } counter packets 130 bytes 22380 drop
		iifname "tap0" udp dport { 546, 547 } counter packets 0 bytes 0 drop
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}

So I assume I can reduce the config to just the sport definition... (we will see). Anyway, there is still something I need to learn, since my secondary DHCP server is still serving DHCPv6 addresses... Does anyone know why?

Regards,

I found the solution.

I misunderstood the chains with respect to the traffic flow. I must also consider the traffic, inside the forward chain, that is going out of the bridge, so in this case the proper parameter is oifname (in addition to iifname).

So the final configuration is:

1.- You must install the kmod-nft-bridge module.
2.- I must also do this configuration:

nft add table bridge filter

nft add chain bridge filter input '{type filter hook input priority 0; policy accept; }'
nft add rule bridge filter input iifname "tap0" udp sport {67, 68} counter drop
nft add rule bridge filter input iifname "tap0" udp sport {546, 547} counter drop

nft add chain bridge filter forward '{type filter hook forward priority 0; policy accept; }'
nft add rule bridge filter forward iifname "tap0" udp sport {67, 68} counter drop
nft add rule bridge filter forward iifname "tap0" udp sport {546, 547} counter drop
nft add rule bridge filter forward oifname "tap0" udp sport {67, 68} counter drop
nft add rule bridge filter forward oifname "tap0" udp sport {546, 547} counter drop

I will review whether I prefer to use these commands or the custom config file, but it won't make any functional change in the end; I think it is just a preference (I guess).

I found no help here, but i hope my findings will help someone someday.

Regards,

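As an added example (not code from the thread), a small POSIX shell script that generates the final ruleset above for one or more bridge ports and loads it with nft -f; the function names, the set name and the /tmp path are my own choices, and it assumes fw4 with kmod-nft-bridge installed as found above. One caveat worth knowing: fw4 includes /etc/nftables.d/*.nft inside its own "table inet fw4", so a bridge-family table cannot be dropped in that folder and has to be loaded separately (for example from /etc/rc.local).

```shell
#!/bin/sh
# Added example, not from the thread: build the final bridge-family ruleset
# for one or more bridge ports and load it with "nft -f". Requires fw4 and
# kmod-nft-bridge (as found above). Function/set names and the file path
# are my own choices.
# Caveat: fw4 includes /etc/nftables.d/*.nft inside "table inet fw4", so a
# "table bridge" cannot be placed there; load this script separately
# (for example from /etc/rc.local) instead.

RULESET_FILE="${RULESET_FILE:-/tmp/block-dhcp-bridge.nft}"

# Print a complete ruleset for the given port names (e.g. tap0 tap1).
# Source ports 67/68 cover DHCPv4, 546/547 cover DHCPv6, matching the
# thread's final rules; the oifname rules stop replies leaving via the port.
dhcp_block_ruleset() {
    # Declare, then delete, so a reload replaces the old table atomically.
    printf 'table bridge filter\n'
    printf 'delete table bridge filter\n'
    printf 'table bridge filter {\n'
    printf '\tset dhcp_ports { type inet_service; elements = { 67, 68, 546, 547 } }\n'
    printf '\tchain input {\n'
    printf '\t\ttype filter hook input priority 0; policy accept;\n'
    for port in "$@"; do
        printf '\t\tiifname "%s" udp sport @dhcp_ports counter drop\n' "$port"
    done
    printf '\t}\n'
    printf '\tchain forward {\n'
    printf '\t\ttype filter hook forward priority 0; policy accept;\n'
    for port in "$@"; do
        printf '\t\tiifname "%s" udp sport @dhcp_ports counter drop\n' "$port"
        printf '\t\toifname "%s" udp sport @dhcp_ports counter drop\n' "$port"
    done
    printf '\t}\n'
    printf '}\n'
}

# Write the ruleset, syntax-check it, then load it; show the result.
load_dhcp_block() {
    dhcp_block_ruleset "$@" > "$RULESET_FILE"
    nft -c -f "$RULESET_FILE" && nft -f "$RULESET_FILE" || return 1
    nft list table bridge filter
}

# Usage: sh block-dhcp-bridge.sh tap0 [tap1 ...]
if [ "$#" -gt 0 ]; then
    load_dhcp_block "$@"
fi
```

After loading, the counters in "nft list table bridge filter" show whether the iifname or the oifname rules are the ones catching the stray server replies.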