From: "Linus Lüssing" <linus.luessing@c0d3.blue>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter@vger.kernel.org
Subject: Re: bridge-nf-call-iptables: checking bridge vs. IP context?
Date: Tue, 30 Mar 2021 01:24:23 +0200
Message-ID: <20210329232423.GF2742@otheros>
In-Reply-To: <20210329190255.GE8998@breakpoint.cc>
On Mon, Mar 29, 2021 at 09:02:55PM +0200, Florian Westphal wrote:
> Linus Lüssing <linus.luessing@c0d3.blue> wrote:
> > I'm wondering whether I'm currently overlooking a simple solution
> > for the following:
> >
> > When setting bridge-nf-call-iptables = 1, is there a simple way to
> > check within one iptables rule whether it matched from a bridge
> > netfilter hook or from an IP netfilter hook?
>
> What is the use case? I would try to not use nf-call-iptables if possible.
The use case is the following: I would like to use openNDS
(captive portal) between bridge ports. As is, it comes with a set
of iptables rules. And I have the OpenWrt firewall with another
set of iptables rules.
Ideally I would want to avoid major modifications to either of
them.
For instance it would be great if I could avoid porting the
iptables rules of openNDS to ebtables, to avoid the maintenance
burden of keeping the iptables and ebtables version in sync. And
actually conditionally, when bridge-nf-call-iptables is set, replacing
any "-i" and "-o" on br-lan with --physdev-{in,out} on the bridge ports
in openNDS already works quite well.
Now I'm wondering if it would be possible to conditionally, when
bridge-nf-call-iptables is set, add something like a
"! --physdev-in-bridge-context" to all OpenWrt firewall rules. So
that any rule in the OpenWrt firewall would behave as if I
had bridge-nf-call-iptables=0. Again with the goal to avoid having
to maintain a heavily modified OpenWrt firewall rule set.
>
> If it's a bridge netfilter hook, it's only visible in ebtables.
> If its a "native" IP netfilter hook, the skb has no bridge netfilter
> extension, --physdev-is-in/out will never match.
Ah! Okay, so adding something like
"-m physdev ! --physdev-is-in" to all OpenWrt firewall rules should work?
So from a bridge netfilter hook "--physdev-in" will always either
point to a bridge port or the bridge interface itself?
And "--physdev-is-in" will always be true?
And in "native" IP netfilter hooks "--physdev-in" will never match
and "--physdev-is-in" will always be false?
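The two rewrites proposed in the message above, as an added example (not code from the thread, openNDS or OpenWrt): openNDS rules written against the bridge become per-port physdev rules, and OpenWrt rules get a `! --physdev-is-in` guard when bridge-nf-call-iptables is 1. The bridge name br-lan comes from the mail; the port name eth0 and the sample rules are constructed.

```sh
#!/bin/sh
# Added example; rewrites iptables rule arguments as proposed in the mail.
# Bridge br-lan is from the thread, port eth0 and the rules are constructed.

# bridge_to_physdev NF_CALL BRIDGE PORT RULE-ARGS...
# With NF_CALL=1, replace "-i BRIDGE" / "-o BRIDGE" by
# "-m physdev --physdev-in PORT" / "--physdev-out PORT" (openNDS side).
bridge_to_physdev() {
    nf_call=$1 br=$2 port=$3
    shift 3
    out='' prev=''
    for tok in "$@"; do
        if [ "$nf_call" = 1 ] && [ "$tok" = "$br" ] && [ "$prev" = -i ]; then
            out="${out% -i} -m physdev --physdev-in $port"
        elif [ "$nf_call" = 1 ] && [ "$tok" = "$br" ] && [ "$prev" = -o ]; then
            out="${out% -o} -m physdev --physdev-out $port"
        else
            out="$out $tok"
        fi
        prev=$tok
    done
    printf '%s\n' "${out# }"
}

# ip_only_rule NF_CALL RULE-ARGS...
# With NF_CALL=1, insert "-m physdev ! --physdev-is-in" before the target
# (or at the end when there is no -j), so the rule only matches in the
# native IP hooks, where the skb has no bridge netfilter extension and
# --physdev-is-in can never be true (OpenWrt firewall side).
ip_only_rule() {
    nf_call=$1
    shift
    out='' guard='-m physdev ! --physdev-is-in' done=''
    for tok in "$@"; do
        if [ "$nf_call" = 1 ] && [ -z "$done" ] && [ "$tok" = -j ]; then
            out="$out $guard" done=1
        fi
        out="$out $tok"
    done
    if [ "$nf_call" = 1 ] && [ -z "$done" ]; then
        out="$out $guard"
    fi
    printf '%s\n' "${out# }"
}

# Demonstration: use the host's sysctl when br_netfilter is loaded, else 0.
nf=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || echo 0)
bridge_to_physdev "$nf" br-lan eth0 -A FORWARD -i br-lan -p tcp --dport 80 -j ACCEPT
ip_only_rule "$nf" -A FORWARD -i br-lan -j ACCEPT
```

Both functions only print the rewritten arguments; feed the output to iptables yourself once the rule set looks right.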