I wanted to use my router as a transparent bridging firewall, which is kind of weird so nobody seems to have done it. Bridging works in the OpenWRT kernel, and firewalling works, but bridged packets are invisible to ipchains. It turns out that to do this with kernel 2.4.20 you need a patch called bridge-nf which I dug out of the ebtables web site (ebtables is what bridge-nf evolved into).
The patch needed a little work before it would apply cleanly, since the OpenWRT kernel has already been patched so many times. Here is a version that works for me. I applied it by doing the following to my already-once-used buildroot tree:
cd build_mipsel/linux
bzcat ~/091-bridge-nf.bz2 | patch -p1
make zImage
cd ../.. (wd now: buildroot)
makeThis worked but is probably not the best way. It seems reasonable to hope that dropping this patch in sources/kernel-patches before doing a make would be sufficient, but I haven't tried this.
With this kernel, bridged packets will pass through the FORWARD iptable. You can use e.g. "-i eth0" to match packets that came in on physical interface eth0 (even though eth0 is part of br0). I am using this to bridge together vlan0 and vlan1 (both wired interfaces), which I can now use as an invisible firewall between the DSL modem and the rest of the network. (I'm not doing this with NAT because I have more than one static IP on my end.)
Note that it is much more common to be bridging the inside-wired and inside-wireless interfaces, and if you apply this patch in this configuration you will probably have to adjust your FORWARD chain to avoid weird side effects.