Similarly to #1235, having br_netfilter loaded automatically puts all would-be bridge-forwarded frames through netfilter to be filtered in the same way routed packets would be.
However, just as firewalld documentation describes (1), rule evaluation does not stop at an accept, but must go through all the tables hooking the same filter without hitting a drop or reject.
The problem now is that it is currently impossible to add an iifname "br0" oifname "br0" accept sort of rule in forward without encountering reject with icmpx type admin-prohibited or ct state { invalid } drop.
There's no rich language way to specify input/output interface. The direct interface goes through iptables so the iifname "br0" oifname "br0" accept translation goes into the ip filter or ip6 filter tables instead of the inet firewalld table.
At this moment, it is necessary to set FirewallBackend=iptables in /etc/firewalld/firewalld.conf AND use direct rules like below to allow bridge forwarding when br_netfilter is loaded, or else all new connections are dropped:
This is blocked by support in nftables. But I don't expect that to ever be supported because nftables has a true bridge family to support transparent firewalls.
erig0 added the blocked label (Blocked in some way. e.g. waiting on the user that opened the issue or pull request) on Nov 7, 2023
Well... it could work with the current state of nftables if firewalld allowed a direct/rich rule utilizing iifname/oifname to be added to the inet firewalld filter_FORWARD chain prior to the final drop/rejects.
But... I see what you mean. Transparent bridge firewalling without interference from the inet/ip/ip6 type filter hook forward hooks is possible by ensuring that both the system-wide /proc/sys/net/bridge/bridge-nf-call-*tables and interface-specific /sys/devices/virtual/net/${interface_name}/bridge/nf_call_*tables are set to 0, but then I'd have to utilize something besides firewalld, and sacrifice its convenient zoning logic, for this purpose.
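A defender-side check for the two sets of knobs named in the comment above, added here as an example and not code from the issue or from firewalld: for a named bridge it reports whether br_netfilter will push that bridge's forwarded frames into the iptables/ip6tables/arptables forward hooks (either the system-wide or the per-interface knob being non-zero is enough for the hook to fire), whether both knobs are zeroed so the frames stay in the bridge family, or whether br_netfilter is not loaded at all. The optional root-directory argument is an assumption of this script so it can be exercised against a constructed tree.

```sh
#!/bin/sh
# Report how bridged frames on bridge $1 relate to the IP-family forward hooks.
# $2 is an optional root directory (default "/") so the logic can be run
# against a constructed /proc and /sys tree instead of the live system.
# Prints one of:
#   not-loaded            br_netfilter is not loaded (no /proc/sys/net/bridge)
#   hooked: <families>    frames will traverse these families' forward hooks
#   bypassed              both knobs are 0 for every family; bridge family only
bridge_nf_status() {
  br="$1"
  root="${2:-/}"
  sysctl_dir="$root/proc/sys/net/bridge"
  # Per-interface knobs live under the bridge device's sysfs directory.
  dev_dir="$root/sys/devices/virtual/net/$br/bridge"

  # The bridge-nf-call-* sysctls only exist while br_netfilter is loaded.
  if [ ! -d "$sysctl_dir" ]; then
    echo "not-loaded"
    return 0
  fi

  hooked=""
  for fam in iptables ip6tables arptables; do
    global=$(cat "$sysctl_dir/bridge-nf-call-$fam" 2>/dev/null || echo 0)
    local_=$(cat "$dev_dir/nf_call_$fam" 2>/dev/null || echo 0)
    # The hook fires if EITHER knob is non-zero; both must be 0 to bypass it.
    if [ "$global" != "0" ] || [ "$local_" != "0" ]; then
      hooked="$hooked $fam"
    fi
  done

  if [ -n "$hooked" ]; then
    echo "hooked:$hooked"
  else
    echo "bypassed"
  fi
  return 0
}

# Usage: ./bridge_nf_status.sh br0   (inspects the live system)
[ -n "${1:-}" ] && bridge_nf_status "$@"
```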
Specifically, this is what I'm looking at:
vs: