How to use bridge-nf-call in nftables

I use OpenWrt as a transparent bridge. It requires adding the following 3 lines to /etc/sysctl.conf

net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

My OpenWrt uses nftables, but I don't know how to modify them.

Simply add them to the file?


Yes. On OpenWrt using iptables, you only need to install kmod-br-netfilter and add these 3 lines to /etc/sysctl.conf. I have bridged two LAN interfaces this way before.


Isn't it possible to simply add the 3 lines, as on OpenWrt using iptables?

nftables doesn't need any sysctl parameters.
You need to add nftables rules to the bridge table.


I can't filter traffic between two bridged interfaces from my DSA switch. I don't understand the Wiki article. I've been searching for days in vain.

I've read the Linux Kernel Documentation about DSA switch and the nftables article about bridge firewall.

Moreover, there seems to be contradictory information.

The bridge family supports connection tracking since Linux kernel 5.3.

You only have to match on conntrack state information from your ruleset to enable it.

For those that are familiar with iptables: this provides a replacement for br_netfilter and the -m physdev match for iptables.

Source: Stateful firewall (nftables wiki)

Tables of this family see traffic/packets traversing bridges (i.e. switching). No assumptions are made about L3 protocols.

The ebtables tool is the legacy x_tables equivalent. Some old x_tables modules such as physdev will also eventually be served from the nftables bridge family.

Note that there is no nf_conntrack integration for the nftables bridge family.

Source: Nftables families (nftables wiki)

See Also:

Can iptables distinguish between the interfaces of a bridge? (unix.stackexchange.com)

How to use nft on linux bridge to block access to certain ip addr? (serverfault.com)
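As an added example (it is not from any post in this thread) of what "add nftables rules to the bridge table" and "match on conntrack state information" from the quotes above look like in practice: a bridge-family table with a stateful forward chain. Assumed names: a software bridge br-lan whose member ports are lan1 (trusted side) and lan2 (guest side), and a kernel of 5.3 or newer so that ct state is available in the bridge family. This only applies to frames that actually pass through the software bridge; as the replies further down point out, frames switched in DSA hardware between switch ports never reach these hooks.

```nft
# Added example, not from this thread. Assumed: bridge br-lan with ports
# lan1 (trusted side) and lan2 (guest side); Linux >= 5.3 for ct state here.
# Loaded stand-alone (nft -f <file>); it is a separate table, not part of
# the inet table that OpenWrt's firewall4 generates.
table bridge filter {
    chain forward {
        # In the bridge forward hook, iifname/oifname are the bridge *ports*,
        # which is what the iptables physdev match used to provide.
        type filter hook forward priority 0; policy accept;

        # Referencing ct state in a bridge-family rule is what enables
        # connection tracking for this family (no sysctl needed).
        ct state established,related accept
        ct state invalid counter drop

        # Trusted side may open new connections toward the guest side ...
        iifname "lan1" oifname "lan2" ct state new accept

        # ... but the guest side may not initiate anything toward the trusted side.
        iifname "lan2" oifname "lan1" ct state new counter log prefix "br-guest-drop: " drop

        # Frames conntrack does not track (ARP, non-IP) match no ct state
        # and fall through to the chain policy above.
    }
}
```

Check the syntax without loading it with `nft -c -f <file>`, then load it with `nft -f <file>`; `nft list table bridge filter` shows the counters, which is the quickest way to confirm the hook actually sees the traffic on a given box.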

You cannot; DSA quickpaths are not visible to nftables.

I strongly suggest you stop posting irrelevant links to the issue.

That's easy to say, but I don't claim to be a rocket scientist. I provide references to clarify and develop my point. I'm not satisfied with simple statements that don't get me very far.

Frankly, it's not nice. All I do is look around and get nothing, and all I get in return are disparaging remarks.

Maybe LLM answers there sound halucinat^H^H^H^H^H^Hconvincing that everything works, but in reality DSA quickpaths skip CPU port totally, firewall and route included.

Just found this topic while trying to understand why my nftables ip/ip6 family (not bridge family!) rules don't work when I'm trying to use the connbytes matcher for routing (not switching), when the routing occurs inside the bridge.

chain zapret_lan_hook {
  type filter hook forward priority mangle;

  ip daddr != {0.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 100.64.0.0/10, 169.254.0.0/16, 224.0.0.0/3, 255.255.255.255/32} \
  tcp dport {80, 443} ct original packets lt 8 counter queue flags bypass to 200 comment "zapret IPv4 443 tcp"
}

Turns out nftables skips conntrack after the NEW state even for routing, when it doesn't leave the logical bridge. Had to install the iptables bridging module and enable iptables bridge filtering. Solution:

opkg install kmod-br-netfilter
sysctl net.bridge.bridge-nf-call-iptables=1

It fixed the issue, now I can use connbytes inside nftables rules for the routed traffic inside br-lan.

P.S. I have all offloading disabled. OpenWrt 23.05.4. Honestly, this sounds like an nftables bug/deficiency.
