[arch-general] What's the holdup on Linux 3.18?

Leonid Isaev lisaev at umail.iu.edu
Thu Jan 8 20:17:00 UTC 2015


On Thu, Jan 08, 2015 at 07:18:25PM +0000, Mauro Santos wrote:
> On 08-01-2015 18:57, Leonid Isaev wrote:
> > 
> > BTW, to those updating, one notable (at least from my perspective) change with
> > 3.18.y is the new module br_netfilter responsible for filtering traffic coming
> > through a bridge. This module is not loaded automatically, so no firewall is
> > enabled by default in bridges. Here is a dmesg snippet:
> > ---
> > kernel: [   23.690774] bridge: automatic filtering via arp/ip/ip6tables has
> > been deprecated. Update your scripts to load br_netfilter if you need this.
> > ---
> 
> I'm not sure I'm reading it right and a quick google search doesn't turn
> up much besides this[1]. Does this apply to filtering via iptables
> (traffic from/to localhost to/from machines on the bridge) or more
> specifically to ebtables (filter traffic between machines on the bridge)?
> 
> [1] http://ebtables.netfilter.org/documentation/bridge-nf.html

The former. It applies to filtering traffic passing through the bridge. If the
module is loaded and /proc/sys/net/bridge/bridge-nf-* == 1 then you should be
able to manipulate traffic _inside_ the bridge using iptables FORWARD chain. If
the module is not loaded, or the above files contain 0, then the bridge acts as
a "dumb" switch. So, you can use the FORWARD chain to forward packets _between_
the bridge and some other interface.

The warning is because with linux < 3.18, bridge-netfilter was enabled by
default, so you'd need a service that nullifies bridge-nf-*. Now, the module is
not loaded by default, so the files are not there, and the existing service
will fail. Basically there is no need to do what is suggested in [1] and [2].
(Note, that the sysctl was never the right approach to begin with, no idea who
put it in thw wiki).

[1] https://wiki.archlinux.org/index.php/QEMU#Creating_bridge_manually
[2] https://bugzilla.redhat.com/show_bug.cgi?id=512206

Cheers,
-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6  20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20150108/1ebedb56/attachment.bin>


More information about the arch-general mailing list