Posted: Mon Aug 01, 2022 11:08 Post subject: EBTables VS BR_Netfilter
Help me understand whether BR_Netfilter (enforced by net.bridge.bridge-nf-call-iptables=1 sysctl parameter) actually replaces EBTables. BR_Netfilter is supposed to apply IPTables rules to bridge interfaces, but IPTables apply to Layer 3 packets while EBTables apply to Layer 2 frames.
EBTables can filter EtherTypes that IPTables can't. For example, there are no IPTables filters that can specifically drop X25 or NetBEUI or IPX frames. At the same time, an IPTables rule can specify to drop all packets, except IPv4. In such a case, IPTables drops all packets other than IPv4 packets, but I don't understand whether the same IPTables rule drops all frames and/or all packets on bridge interface when "net.bridge.bridge-nf-call-iptables parameter" is set to "1".
When does BR_Netfilter apply itself? Before BROUTING or PREROUTING?
FYI: BR_Netfilter often requires "modprobe br_netfilter" to be activated.
Last edited by OpenSource Ghost on Mon Aug 01, 2022 12:25; edited 1 time in total
FYI, the performance hit from EBTables can be significant, but the performance hit from enabling BR_Netfilter is negligible. In my previous posts about EBTables, someone mentioned that EBTables can reduce performance due to switches using their own (slow) CPUs instead of using router CPUs. Perhaps BR_Netfilter uses router CPUs to accomplish bridge filtering and that is why there is a negligible performance hit from its use.
It definitely forces the bridge to use IPTables. Accessing the router on port 80 via port 8080 works fine when "net.bridge.bridge-nf-call-iptables" is set to "0" and the following set of rules:
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Tue Aug 02, 2022 14:03 Post subject:
This isn't necessarily a router-specific question or topic, however, I do not see this sysctl option on my TL-WR1043NDv2, but the output of cat /proc/sys/net/bridge/bridge-nf-call-iptables is 0. I would have to check one of the higher-end devices to see if this setting on the Administration -> Sysctl page exists or not. "Inconsistencies in DD-WRT" _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
This isn't necessarily a router-specific question or topic, however, I do not see this sysctl option on my TL-WR1043NDv2, but the output of cat /proc/sys/net/bridge/bridge-nf-call-iptables is 0. I would have to check one of the higher-end devices to see if this setting on the Administration -> Sysctl page exists or not. "Inconsistencies in DD-WRT"
The directory wasn't there and the sysctl option wasn't working for me either until I input "modprobe br_netfilter", which created the needed directory, loaded the module + dependencies, and made the following sysctl parameters functional:
Posted: Tue Aug 02, 2022 15:37 Post subject:
I didn't quite look that far, thanks for the clarifying information. The directory is present, and all of those files are present for me, it's just not on the page in question using the kromo routerstyle theme, which may be the culprit, but shouldn't be.
Has anyone looked further into this? I can't get EBTables to show counters. I am using trial and error to test what works and what doesn't. Not having counters makes it very difficult.
There is also the "ip -d link" tool that shows a bunch of bridge details, two of which are "nf_call_iptables" and "nf_call_ip6tables". Those 2 parameters are also supposed to enable/disable bridge filtering, but both are set to "0" by default even when "br_netfilter" is enabled along with the "net.bridge.bridge-nf-call-iptables" and "net.bridge.bridge-nf-call-ip6tables" kernel parameters set to "1".
To enable bridge calling for iptables filtering with "ip link" tool, use the following commands:
Code:
ip link set br0 type bridge nf_call_iptables 1
ip link set br0 type bridge nf_call_ip6tables 1
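As an added example (not from the thread, and not DD-WRT or kernel code), the following POSIX shell script models the decision br_netfilter makes in its bridge PRE_ROUTING hook, the kernel's br_nf_pre_routing(). It addresses both the opening questions and the "ip -d link" observation above: br_netfilter registers at priority NF_BR_PRI_BRNF (0), so it runs after ebtables BROUTING (NF_BR_PRI_FIRST) and after the ebtables nat PREROUTING chain (NF_BR_PRI_NAT_DST_BRIDGED, -300); it hands only IPv4 and IPv6 frames (including 802.1Q-tagged ones) to iptables/ip6tables, so an iptables policy of "drop everything except IPv4" never touches IPX, X.25 or any other non-IP frame, which remain ebtables-only; and the handoff happens when either the global sysctl or the per-bridge nf_call_iptables flag is 1, so the per-bridge flag showing 0 does not switch it off once the sysctl is 1 (the per-bridge flag is what lets you enable it for a single bridge while the sysctl stays 0). ARP handoff to arptables lives on the FORWARD hook and is not modelled. The EtherTypes and flag values in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Models the decision br_netfilter makes
# on the bridge PRE_ROUTING hook (kernel br_nf_pre_routing()):
#  - only IPv4/IPv6 frames (also when 802.1Q-tagged) are handed to
#    iptables / ip6tables; every other EtherType is accepted untouched by
#    br_netfilter and can only be filtered with ebtables;
#  - the handoff is made when EITHER the global sysctl
#    net.bridge.bridge-nf-call-iptables (-ip6tables) OR the per-bridge flag
#    shown by "ip -d link" (nf_call_iptables / nf_call_ip6tables) is 1.
# ARP -> arptables is handled on the FORWARD hook and is not modelled here.

# brnf_dispatch ETHERTYPE SYSCTL_V4 BRIDGE_V4 [SYSCTL_V6 BRIDGE_V6]
#   ETHERTYPE is hex, e.g. 0x0800; write a VLAN-tagged frame as 0x8100:0x0800.
#   The IPv6 flags default to the IPv4 ones when omitted.
#   Prints exactly one of: iptables | ip6tables | ebtables-only
brnf_dispatch() {
    ethertype=$1; sysctl_v4=$2; bridge_v4=$3
    sysctl_v6=${4:-$2}; bridge_v6=${5:-$3}
    # For 802.1Q-tagged frames br_netfilter looks at the encapsulated type
    case "$ethertype" in 0x8100:*) ethertype=${ethertype#0x8100:} ;; esac
    # normalise hex digit case so 0x86DD and 0x86dd compare equal
    ethertype=$(printf '%s' "$ethertype" | tr 'A-F' 'a-f')
    case "$ethertype" in
        0x0800)
            if [ "$sysctl_v4" = 1 ] || [ "$bridge_v4" = 1 ]; then echo iptables
            else echo ebtables-only; fi ;;
        0x86dd)
            if [ "$sysctl_v6" = 1 ] || [ "$bridge_v6" = 1 ]; then echo ip6tables
            else echo ebtables-only; fi ;;
        *)
            # IPX (0x8137), X.25 (0x0805), anything else: never reaches iptables
            echo ebtables-only ;;
    esac
}

# Demo: what an iptables "drop everything except IPv4" policy can reach on a
# bridge with sysctl=1 and the per-bridge flag left at its default 0.
# EtherType list is constructed; run as:  sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    for et in 0x0800 0x86DD 0x8100:0x0800 0x8137 0x0805; do
        printf '%-14s -> %s\n' "$et" "$(brnf_dispatch "$et" 1 0)"
    done
fi
```

The practical consequence is the one the opening post is asking about: with the sysctl at 1, an iptables rule set can drop IPv4 and ip6tables can drop IPv6 on the bridge, but IPX, X.25 and other non-IP frames pass br_netfilter untouched and still need an ebtables -p rule.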
Posted: Sun Aug 28, 2022 1:08 Post subject:
This gives me an idea of something to implement regarding blocking ssh/telnet access via wifi to the router using br_netfilter vs. ebtables, even though I have not seen a huge impact on performance using ebtables, but anything to do a comparison with in a full proof-of-concept environment would be good.
I also stopped having issues with performance from EBTables, but I corrected my rules to not drop packets from a ton of source ports. There were no logs or counters displayed for EBTables and that made it difficult to understand. I had to use trial and error to figure things out...
If it is of any help, here's how Ubiquiti uses EBTables to isolate Guest Network clients for WiFi and untagged VLANs (where 3 bridges - brA, brB, and brC - enslave the corresponding switchA, switchB, switchC, and wlan interfaces):
Code:
ebtables -t nat -A PREROUTING -i wlanX -j GUESTIN
ebtables -t nat -A PREROUTING -i wlanY -j GUESTIN
ebtables -t nat -A PREROUTING -i wlanZ -j GUESTIN
ebtables -t nat -A PREROUTING -i switchA -j GUESTIN
ebtables -t nat -A PREROUTING -i switchB -j GUESTIN
ebtables -t nat -A PREROUTING -i switchC -j GUESTIN
ebtables -t nat -A POSTROUTING -i wlanX -j GUESTOUT
ebtables -t nat -A POSTROUTING -i wlanY -j GUESTOUT
ebtables -t nat -A POSTROUTING -i wlanZ -j GUESTOUT
ebtables -t nat -A POSTROUTING -i switchA -j GUESTOUT
ebtables -t nat -A POSTROUTING -i switchB -j GUESTOUT
ebtables -t nat -A POSTROUTING -i switchC -j GUESTOUT
Brouting drops VLAN-tagged frames for WiFi clients and for untagged native (per-ethernet-port) VLANs:
Code:
ebtables -t broute -A BROUTING -p 802_1Q -i wlanX -j DROP
ebtables -t broute -A BROUTING -p 802_1Q -i wlanY -j DROP
ebtables -t broute -A BROUTING -p 802_1Q -i wlanZ -j DROP
ebtables -t broute -A BROUTING --vlan-id A -p 802_1Q -j DROP
ebtables -t broute -A BROUTING --vlan-id B -p 802_1Q -j DROP
ebtables -t broute -A BROUTING --vlan-id C -p 802_1Q -j DROP
The Ubiquiti API doesn't create any rules for the EBTables INPUT, FORWARD, OUTPUT filtering chains, and does not create rules for the EBTables NAT OUTPUT chain. The API also uses other tools to configure the Guest Network, but the above is what it does with EBTables.
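Two posts above complain that EBTables shows no counters, which makes rule sets like the Ubiquiti one hard to test. ebtables does keep per-rule packet and byte counters; they are only printed when you list with the --Lc option (for example, ebtables -t broute -L --Lc, which appends ", pcnt = N -- bcnt = N" to every rule). The script below is an added example, not from the thread or from Ubiquiti: it parses such a listing and reports the rules that have never matched, so a BROUTING or GUESTIN rule that is not doing anything shows up immediately. The listing embedded in the script is constructed (placeholder interface names, made-up counters) so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Parses "ebtables -t TABLE -L --Lc"
# output and reports rules whose packet counter is still zero.

# Constructed sample in the --Lc listing format: interface names and VLAN
# ids are placeholders, counters are made up.
SAMPLE_LISTING='Bridge table: broute

Bridge chain: BROUTING, entries: 4, policy: ACCEPT
-p 802_1Q -i wlanX -j DROP , pcnt = 42 -- bcnt = 5376
-p 802_1Q -i wlanY -j DROP , pcnt = 0 -- bcnt = 0
-p 802_1Q --vlan-id 10 -j DROP , pcnt = 7 -- bcnt = 896
-p 802_1Q --vlan-id 20 -j DROP , pcnt = 0 -- bcnt = 0'

# unmatched_rules LISTING
#   Prints one "CHAIN<TAB>RULE" line for every rule with pcnt = 0.
unmatched_rules() {
    printf '%s\n' "$1" | awk '
        # "Bridge chain: BROUTING, entries: 4, policy: ACCEPT" -> remember chain
        /^Bridge chain:/ { chain = $3; sub(/,$/, "", chain); next }
        # rule lines carry the counters after " , pcnt = "
        / , pcnt = / {
            rule = $0
            sub(/ , pcnt = .*/, "", rule)          # strip the counter suffix
            pcnt = $0
            sub(/.* pcnt = /, "", pcnt)             # keep "N -- bcnt = M"
            sub(/ -- bcnt.*/, "", pcnt)             # keep "N"
            if (pcnt + 0 == 0) printf "%s\t%s\n", chain, rule
        }'
}

# count_unmatched LISTING -> number of zero-hit rules, handy as a test result
count_unmatched() {
    unmatched_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample
if [ "${1:-}" = demo ]; then
    echo "rules with no hits:"
    unmatched_rules "$SAMPLE_LISTING"
    echo "total: $(count_unmatched "$SAMPLE_LISTING")"
fi
```

On the router itself, feed the live listing in instead of the sample: unmatched_rules "$(ebtables -t broute -L --Lc)" for the BROUTING rules, or ebtables -t nat -L --Lc for the GUESTIN/GUESTOUT jumps. A rule that stays at zero while you generate the traffic it is meant to catch is either never reached (wrong chain or interface) or ordered after a rule that already consumed the frame.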