* bridge-nf-call-iptables: checking bridge vs. IP context?
@ 2021-03-29 18:08 Linus Lüssing
2021-03-29 19:02 ` Florian Westphal
0 siblings, 1 reply; 4+ messages in thread
From: Linus Lüssing @ 2021-03-29 18:08 UTC (permalink / raw)
To: netfilter
Hi,
I'm wondering whether I'm currently overlooking a simple solution
for the following:
When setting bridge-nf-call-iptables = 1, is there a simple way to
check within one iptables rule whether it matched from a bridge
netfilter hook or from an IP netfilter hook?
"--physdev-is-bridged" seemingly is not quite what I'm looking
for, as it will only match after a bridging decision, in the
FORWARD or POSTROUTING chains.
If that does not exist yet, what would be the preferred,
upstreamable format: Adding a flag to "struct nf_bridge_info" or
are there some other, already existing fields I could use to
verify the context?
Regards, Linus
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: bridge-nf-call-iptables: checking bridge vs. IP context?
2021-03-29 18:08 bridge-nf-call-iptables: checking bridge vs. IP context? Linus Lüssing
@ 2021-03-29 19:02 ` Florian Westphal
2021-03-29 23:24 ` Linus Lüssing
0 siblings, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2021-03-29 19:02 UTC (permalink / raw)
To: Linus Lüssing; +Cc: netfilter
Linus Lüssing <linus.luessing@c0d3.blue> wrote:
> I'm wondering whether I'm currently overlooking a simple solution
> for the following:
>
> When setting bridge-nf-call-iptables = 1, is there a simple way to
> check within one iptables rule whether it matched from a bridge
> netfilter hook or from an IP netfilter hook?
What is the use case? I would try to not use nf-call-iptables if possible.
If its a bridge netfiler hook, its only visible in ebtables.
If its a "native" IP netfilter hook, the skb has no bridge netfilter
extension, --physdev-is-in/out will never match.
> "--physdev-is-bridged" seemingly is not quite what I'm looking
> for, as it will only match after a bridging decision, in the
> FORWARD or POSTROUTING chains.
Yes, for some reason it was tied to output interface.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: bridge-nf-call-iptables: checking bridge vs. IP context?
2021-03-29 19:02 ` Florian Westphal
@ 2021-03-29 23:24 ` Linus Lüssing
2021-03-30 17:33 ` Florian Westphal
0 siblings, 1 reply; 4+ messages in thread
From: Linus Lüssing @ 2021-03-29 23:24 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter
On Mon, Mar 29, 2021 at 09:02:55PM +0200, Florian Westphal wrote:
> Linus Lüssing <linus.luessing@c0d3.blue> wrote:
> > I'm wondering whether I'm currently overlooking a simple solution
> > for the following:
> >
> > When setting bridge-nf-call-iptables = 1, is there a simple way to
> > check within one iptables rule whether it matched from a bridge
> > netfilter hook or from an IP netfilter hook?
>
> What is the use case? I would try to not use nf-call-iptables if possible.
The use case is the following: I would like to use openNDS
(captive portal) between bridge ports. As is it comes with a set
of iptables rules. And I have the OpenWrt firewall with another
set of iptables rules.
Ideally I would want to avoid major modifications to either of
them.
For instance it would be great if I could avoid porting the
iptables rules of openNDS to ebtables, to avoid the maintenance
burden of keeping the iptables and ebtables version in sync. And
actually conditionally, when bridge-nf-call-iptables is set, replacing
any "-i" and "-o" on br-lan with --physdev-{in,out} on the bridge ports
in openNDS already works quite well.
Now I'm wondering if it would be possible to conditionally, when
bridge-nf-call-iptables is set, add something like a
"! --physdev-in-bridge-context" to all OpenWrt firewall rules. So
that any rule in the OpenWrt firewall would behave as if I
had bridge-nf-call-iptables=0. Again with the goal to avoid having
to maintain a heavilly modified OpenWrt firewall rule set.
>
> If its a bridge netfiler hook, its only visible in ebtables.
> If its a "native" IP netfilter hook, the skb has no bridge netfilter
> extension, --physdev-is-in/out will never match.
Ah! Okay, so adding something like
"-m physdev ! --physdev-is-in" to all OpenWrt firewall rules should work?
So from a bridge netfilter hook "--physdev-in" will always either
point to a bridge port or the bridge interface itself?
And "--physdev-is-in" will always be true?
And in "native" IP netfilter hooks "--physdev-in" will never match
and "--physdev-is-in" will always be false?
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: bridge-nf-call-iptables: checking bridge vs. IP context?
2021-03-29 23:24 ` Linus Lüssing
@ 2021-03-30 17:33 ` Florian Westphal
0 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2021-03-30 17:33 UTC (permalink / raw)
To: Linus Lüssing; +Cc: Florian Westphal, netfilter
Linus Lüssing <linus.luessing@c0d3.blue> wrote:
> Ah! Okay, so adding something like
> "-m physdev ! --physdev-is-in" to all OpenWrt firewall rules should work?
Yes.
> So from a bridge netfilter hook "--physdev-in" will always either
> point to a bridge port or the bridge interface itself?
> And "--physdev-is-in" will always be true?
--physdev-is-in is true when call-iptables infra is 1 and packet
came in via a bridge port.
> And in "native" IP netfilter hooks "--physdev-in" will never match
It won't match if packet came in via a normal (not bridged)
interface.
> and "--physdev-is-in" will always be false?
Yes.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-03-30 17:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-03-29 18:08 bridge-nf-call-iptables: checking bridge vs. IP context? Linus Lüssing
2021-03-29 19:02 ` Florian Westphal
2021-03-29 23:24 ` Linus Lüssing
2021-03-30 17:33 ` Florian Westphal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox