From: Florian Westphal <fw@strlen.de>
To: Hangbin Liu <liuhangbin@gmail.com>
Cc: netdev@vger.kernel.org, "David S . Miller" <davem@davemloft.net>,
David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Ido Schimmel <idosch@idosch.org>,
Nikolay Aleksandrov <razor@blackwall.org>,
Roopa Prabhu <roopa@nvidia.com>,
Stephen Hemminger <stephen@networkplumber.org>,
netfilter-devel@vger.kernel.org
Subject: Re: [RFC Draft PATCHv2 net-next] Doc: update bridge doc
Date: Fri, 27 Oct 2023 14:31:30 +0200 [thread overview]
Message-ID: <ZTutokxEXya0rqYs@strlen.de> (raw)
In-Reply-To: <20231027071842.2705262-1-liuhangbin@gmail.com>
Hangbin Liu <liuhangbin@gmail.com> wrote:
[ cc nf-devel ]
> The current bridge kernel doc is too old. It only pointed to the
> linuxfoundation wiki page which lacks of the new features.
Indeed, thanks for taking time to improve the documention.
> +Netfilter
> +=========
> +
> +The bridge netfilter module allows packet filtering and firewall functionality
> +on bridge interfaces. As the Linux bridge, which traditionally operates at
> +Layer 2 and connects multiple network interfaces or segments, doesn't have
> +built-in packet filtering capabilities.
No, this is not what this module does. br_netfilter module should NEVER
be used. I'd love to remove it, but its very popular unfortunately.
Suggestion:
The bridge netfilter module is a legacy feature that allows to filter bridged
packets with iptables and ip6tables. Its use is discouraged. Users
should consider using nftables for packet filtering.
The older ebtables tool is more feature-limited compared to nftables, but
just like nftables it doesn't need this module either to function.
The br_netfilter module intercepts packets entering the bridge, performs
minimal sanity tests on ipv4 and ipv6 packets and then pretends that
these packets are being routed, not bridged. br_netfilter then calls
the ip and ipv6 netfilter hooks from the bridge layer, i.e. ip(6)tables
rulesets will also see these packets.
br_netfilter is also the reason for the iptables 'physdev' match:
This match is the only way to reliably tell routed and bridged packets
apart in an iptables ruleset.
Side note:
You might want to somehow massage the bits below, perhaps it would be
good to have the historical context as to why br_netfilter exists in the
first place.
> +With bridge netfilter, you can define rules to filter or manipulate Ethernet
> +frames as they traverse the bridge. These rules are typically based on
> +Ethernet frame attributes such as MAC addresses, VLAN tags, and more.
> +You can use the *ebtables* or *nftables* tools to create and manage these
> +rules. *ebtables* is a tool specifically designed for managing Ethernet frame
> +filtering rules, while *nftables* is a more versatile framework for managing
> +rules that can also be used for bridge filtering.
ebtables and nftables will work fine without the br_netfilter module.
iptables/ip6tables/arptables do not work for bridged traffic because they
plug in the routing stack.
nftables rules in ip/ip6/inet/arp families won't see traffic that is
forwarded by a bridge either, but thats very much how it should be.
br_netfilter is only needed if users, for some reason, need to use
ip(6)tables to filter packets forwarded by the bridge, or NAT bridged
traffic.
Historically the feature set of ebtables was very limited (it still is),
so this module was added to pretend packets are routed and invoke the
ipv4/ipv6 netfilter hooks from the bridge so users had access to the
more feature-rich iptables matching capabilities (including conntrack).
nftables doesn't have this limitation, pretty much all features work
regardless of the protocol family.
> +The bridge netfilter is commonly used in scenarios where you want to apply
> +security policies to the traffic at the data link layer. This can be useful
> +for segmenting and securing networks, enforcing access control policies,
> +and isolating different parts of a network.
See above, for pure link layer filtering, this module isn't needed.
next prev parent reply other threads:[~2023-10-27 12:32 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-27 7:18 [RFC Draft PATCHv2 net-next] Doc: update bridge doc Hangbin Liu
2023-10-27 12:31 ` Florian Westphal [this message]
2023-10-30 8:38 ` Hangbin Liu
2023-10-30 13:12 ` Nikolay Aleksandrov
2023-11-01 11:29 ` Nikolay Aleksandrov
2023-11-02 4:09 ` Hangbin Liu
2023-11-09 13:04 ` Hangbin Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZTutokxEXya0rqYs@strlen.de \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=idosch@idosch.org \
--cc=kuba@kernel.org \
--cc=liuhangbin@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=razor@blackwall.org \
--cc=roopa@nvidia.com \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).