EBTables VS BR_Netfilter

DD-WRT Forum Index -> Advanced Networking
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Mon Aug 01, 2022 11:08    Post subject: EBTables VS BR_Netfilter
Help me understand whether BR_Netfilter (enforced by net.bridge.bridge-nf-call-iptables=1 sysctl parameter) actually replaces EBTables. BR_Netfilter is supposed to apply IPTables rules to bridge interfaces, but IPTables apply to Layer 3 packets while EBTables apply to Layer 2 frames.

EBTables can filter EtherTypes that IPTables can't. For example, there are no IPTables filters that can specifically drop X25 or NetBEUI or IPX frames. At the same time, an IPTables rule can specify to drop all packets, except IPv4. In such a case, IPTables drops all packets other than IPv4 packets, but I don't understand whether the same IPTables rule drops all frames and/or all packets on bridge interface when "net.bridge.bridge-nf-call-iptables parameter" is set to "1".

When does BR_Netfilter apply itself? Before BROUTING or PREROUTING?

FYI: BR_Netfilter often requires "modprobe br_netfilter" to be activated.


Last edited by OpenSource Ghost on Mon Aug 01, 2022 12:25; edited 1 time in total
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Mon Aug 01, 2022 12:15    Post subject:
FYI, the performance hit from EBTables can be significant, but the performance hit from enabling BR_Netfilter is negligible. In my previous posts about EBTables, someone mentions that EBTables can reduce performance due to switches using their own (slow) CPUs instead of using the router CPUs. Perhaps BR_Netfilter uses the router CPUs to accomplish bridge filtering and that is why there is a negligible performance hit from its use.

It definitely forces the bridge to use IPTables. Accessing the router on port 80 via port 8080 works fine when "net.bridge.bridge-nf-call-iptables" is set to "0" and the following set of rules is in place:
Code:
iptables -t nat -I PREROUTING -i br50 -p tcp --dport 8080 -j REDIRECT --to-port 80
iptables -t nat -I PREROUTING -i br50 -p tcp --dport 80 -j DNAT --to-destination 0.0.0.0
ebtables -I INPUT -i br50 -p IPv4 --ip-src X.X.X.X --ip-proto 6 --ip-dport 80 -j DROP


If "net.bridge.bridge-nf-call-iptables" is set to "1", then the same rule combination prevents users from accessing the router on port 80 via port 8080.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..

PostPosted: Tue Aug 02, 2022 10:48    Post subject:
On what router, which firmware build?

AFAIK br rules have always been there...
and those are used/addressed as interface -i br0

and yes, ebtables take a big toll on performance
etc.

but it would be interesting to see more comments here..

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Tue Aug 02, 2022 14:03    Post subject:
This isn't necessarily a router-specific question or topic; however, I do not see this sysctl option on my TL-WR1043NDv2, but the output of cat /proc/sys/net/bridge/bridge-nf-call-iptables is 0. I would have to check one of the higher-end devices to see if this setting on the Administration -> Sysctl page exists or not. "Inconsistencies in DD-WRT"
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Tue Aug 02, 2022 14:56    Post subject:
kernel-panic69 wrote:
This isn't necessarily a router-specific question or topic; however, I do not see this sysctl option on my TL-WR1043NDv2, but the output of cat /proc/sys/net/bridge/bridge-nf-call-iptables is 0. I would have to check one of the higher-end devices to see if this setting on the Administration -> Sysctl page exists or not. "Inconsistencies in DD-WRT"


The directory wasn't there and the sysctl option wasn't working for me either until I ran "modprobe br_netfilter", which created the needed directory, loaded the module and its dependencies, and made the following sysctl parameters functional:
Code:
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-filter-vlan-tagged=1
net.bridge.bridge-nf-filter-pppoe-tagged=1
net.bridge.bridge-nf-pass-vlan-input-dev=1


I think the following page summarizes it nicely - https://ebtables.netfilter.org/documentation/bridge-nf.html .
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Tue Aug 02, 2022 15:37    Post subject:
I didn't quite look that far, thanks for the clarifying information. The directory is present, and all of those files are present for me; it's just not on the page in question using the kromo routerstyle theme, which may be the culprit, but shouldn't be.
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Wed Aug 24, 2022 15:51    Post subject:
Has anyone looked further into this? I can't get EBTables to show counters. I am using trial and error to test what works and what doesn't. Not having counters makes it very difficult.
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Sat Aug 27, 2022 23:42    Post subject:
There is also the "ip -d link" tool that shows a bunch of bridge details, two of which are "nf_call_iptables" and "nf_call_ip6tables". Those 2 parameters are also supposed to enable/disable bridge filtering, but both are set to "0" by default even when "br_netfilter" is enabled along with the "net.bridge.bridge-nf-call-iptables" and "net.bridge.bridge-nf-call-ip6tables" kernel parameters set to "1".

To enable bridge calling for iptables filtering with "ip link" tool, use the following commands:
Code:
ip link set br0 type bridge nf_call_iptables 1
ip link set br0 type bridge nf_call_ip6tables 1
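Added example, not from this thread or from DD-WRT: a POSIX shell check that combines the global net.bridge sysctl knobs with the per-bridge nf_call_* flags from "ip -d link show" and reports whether a given bridge's traffic is actually handed to iptables, ip6tables or arptables. In the br_netfilter hooks a bridge is exempt only when both the sysctl and its own flag are 0; either one set to 1 enables the call. The ip/sysctl outputs below are constructed samples shaped like the real tools' output.

```shell
#!/bin/sh
# Report the effective br_netfilter state of a bridge. The kernel hook runs when
# EITHER the global sysctl OR the bridge's own nf_call_* flag is 1, so a bridge
# is only exempt from iptables/ip6tables/arptables when both are 0.

# Constructed sample of `ip -d link show` (not captured from a real router).
SAMPLE_IP_D_LINK='4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0
    bridge forward_delay 1500 hello_time 200 max_age 2000 stp_state 0 vlan_filtering 0 nf_call_iptables 0 nf_call_ip6tables 1 nf_call_arptables 0
5: br50: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 0
    bridge forward_delay 1500 hello_time 200 max_age 2000 stp_state 0 vlan_filtering 0 nf_call_iptables 1 nf_call_ip6tables 0 nf_call_arptables 0'

# Constructed sample of `sysctl net.bridge` with all global calls switched off.
SAMPLE_SYSCTL='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0'

# bridge_flag IP_OUTPUT BRIDGE FLAG -> value of FLAG on BRIDGE ("" if absent).
# The "N: name:" header line selects the bridge; its indented detail lines
# carry the "nf_call_iptables 0 ..." key/value pairs.
bridge_flag() {
    printf '%s\n' "$1" | awk -v br="$2:" -v flag="$3" '
        /^[0-9]+: / { inbr = ($2 == br); next }
        inbr { for (i = 1; i < NF; i++) if ($i == flag) { print $(i + 1); exit } }'
}

# sysctl_flag SYSCTL_OUTPUT KEY -> value of net.bridge.KEY ("" if absent).
sysctl_flag() {
    printf '%s\n' "$1" | awk -v key="net.bridge.$2" '$1 == key { print $3; exit }'
}

# effective_call IP_OUTPUT SYSCTL_OUTPUT BRIDGE TABLE -> "on" or "off"
# TABLE is one of iptables, ip6tables, arptables. A missing value counts as 0.
effective_call() {
    g=$(sysctl_flag "$2" "bridge-nf-call-$4")
    b=$(bridge_flag "$1" "$3" "nf_call_$4")
    if [ "${g:-0}" = 1 ] || [ "${b:-0}" = 1 ]; then echo on; else echo off; fi
}

# Stand-alone report over the constructed samples.
for br in br0 br50; do
    for t in iptables ip6tables arptables; do
        printf '%-5s %-10s %s\n' "$br" "$t" \
            "$(effective_call "$SAMPLE_IP_D_LINK" "$SAMPLE_SYSCTL" "$br" "$t")"
    done
done
```

On a live box, pass "$(ip -d link show)" and "$(sysctl net.bridge)" in place of the two samples.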
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sun Aug 28, 2022 1:08    Post subject:
This gives me an idea of something to implement regarding blocking ssh/telnet access via wifi to the router using br_netfilter vs. ebtables, even though I have not seen a huge impact on performance using ebtables; but anything to do a comparison with in a full proof-of-concept environment would be good.
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Sun Aug 28, 2022 15:55    Post subject:
I also stopped having issues with performance from EBTables, but I corrected my rules to not drop packets from a ton of source ports. There were no logs or counters displayed for EBTables, and that made it difficult to understand. I had to use trial and error to figure things out...

If it is of any help, here's how Ubiquiti uses EBTables to isolate Guest Network clients for WiFi and untagged VLANs (where 3 bridges, brA, brB, and brC, enslave the corresponding switchA, switchB, switchC, and wlan interfaces):
Code:
ebtables -t nat -A PREROUTING -i wlanX -j GUESTIN
ebtables -t nat -A PREROUTING -i wlanY -j GUESTIN
ebtables -t nat -A PREROUTING -i wlanZ -j GUESTIN
ebtables -t nat -A PREROUTING -i switchA -j GUESTIN
ebtables -t nat -A PREROUTING -i switchB -j GUESTIN
ebtables -t nat -A PREROUTING -i switchC -j GUESTIN
ebtables -t nat -A POSTROUTING -i wlanX -j GUESTOUT
ebtables -t nat -A POSTROUTING -i wlanY -j GUESTOUT
ebtables -t nat -A POSTROUTING -i wlanZ -j GUESTOUT
ebtables -t nat -A POSTROUTING -i switchA -j GUESTOUT
ebtables -t nat -A POSTROUTING -i switchB -j GUESTOUT
ebtables -t nat -A POSTROUTING -i switchC -j GUESTOUT

Code:
ebtables -t nat -N GUESTIN -P ACCEPT
ebtables -t nat -N GUESTOUT -P ACCEPT
ebtables -t nat -A PREROUTING --in-interface switchA -j GUESTIN
ebtables -t nat -A POSTROUTING --out-interface switchA -j GUESTOUT
ebtables -t nat -A PREROUTING --in-interface switchB -j GUESTIN
ebtables -t nat -A POSTROUTING --out-interface switchB -j GUESTOUT
ebtables -t nat -A PREROUTING --in-interface switchC -j GUESTIN
ebtables -t nat -A POSTROUTING --out-interface switchC -j GUESTOUT
ebtables -t nat -A GUESTIN -p 0x800 --pkttype-type broadcast --ip-proto 17 --ip-sport 68 --ip-dport 67 -j ACCEPT
ebtables -t nat -A GUESTIN -p arp --arp-opcode Request -j ACCEPT
ebtables -t nat -N GUEST_DNS -P ACCEPT
ebtables -t nat -A GUESTIN -p 0x800 --ip-proto 17 --ip-dport 53 -j GUEST_DNS
ebtables -t nat -A GUESTIN -p 0x800 --ip-proto 6 --ip-dport 53 -j GUEST_DNS
ebtables -t nat -A GUESTIN -p 0x800 --set UBIOS_guest_pre_allow --set-flags dst --set-family inet -j ACCEPT
ebtables -t nat -A GUESTIN -p 0x86dd -j DROP
ebtables -t nat -A GUESTIN --pkttype-type broadcast -j DROP
ebtables -t nat -A GUESTOUT -p 0x800 --pkttype-type broadcast --ip-proto 17 --ip-sport 67 --ip-dport 68 -j ACCEPT
ebtables -t nat -A GUESTOUT -p arp --arp-opcode Request -j ACCEPT
ebtables -t nat -A GUESTOUT -p 0x86dd -j DROP
ebtables -t nat -A GUESTOUT --pkttype-type broadcast -j DROP
ebtables -t nat -N CAPTIVE_PORTAL -P RETURN
ebtables -t nat -A GUESTIN -p 0x800 --ip-proto 6 --ip-dport 443 -j CAPTIVE_PORTAL
ebtables -t nat -A GUESTOUT -p 0x800 --set UBIOS_guest_pre_allow --set-flags dst --set-family inet -j ACCEPT
ebtables -t nat -A GUESTIN -p 0x800 --set UBIOS_guest_restricted --set-flags dst --set-family inet -j DROP


Brouting drops VLAN-tagged frames for WiFi clients and for untagged native (per-ethernet-port) VLANs:
Code:
ebtables -t broute -A BROUTING -p 802_1Q -i wlanX -j DROP
ebtables -t broute -A BROUTING -p 802_1Q -i wlanY -j DROP
ebtables -t broute -A BROUTING -p 802_1Q -i wlanZ -j DROP
ebtables -t broute -A BROUTING --vlan-id A -p 802_1Q -j DROP
ebtables -t broute -A BROUTING --vlan-id B -p 802_1Q -j DROP
ebtables -t broute -A BROUTING --vlan-id C -p 802_1Q -j DROP


The Ubiquiti API doesn't create any rules for the EBTables INPUT, FORWARD, and OUTPUT filtering chains, and does not create rules for the EBTables NAT OUTPUT chain. The API also uses other tools to configure the Guest Network, but the above is what it does with EBTables.