OpenWrt Forum Archive

Topic: patch to enable bridging firewall

The content of this topic has been archived on 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I wanted to use my router as a transparent bridging firewall, which is kind of weird so nobody seems to have done it.  Bridging works in the OpenWRT kernel, and firewalling works, but bridged packets are invisible to ipchains.  It turns out that to do this with kernel 2.4.20 you need a patch called bridge-nf which I dug out of the ebtables web site (ebtables is what bridge-nf evolved into).

The patch needed a little work before it would apply cleanly, since the OpenWRT kernel has already been patched so many times.  Here is a version that works for me.  I applied it by doing the following to my already-once-used buildroot tree:

cd build_mipsel/linux
bzcat ~/091-bridge-nf.bz2 | patch -p1
make zImage
cd ../..    # wd now: buildroot
make

This worked but is probably not the best way.  It seems reasonable to hope that dropping this patch in sources/kernel-patches before doing a make would be sufficient, but I haven't tried this.

With this kernel, bridged packets will pass through the FORWARD iptable.  You can use e.g. "-i eth0" to match packets that came in on physical interface eth0 (even though eth0 is part of br0).  I am using this to bridge together vlan0 and vlan1 (both wired interfaces), which I can now use as an invisible firewall between the DSL modem and the rest of the network.  (I'm not doing this with NAT because I have more than one static IP on my end.)

Note that it is much more common to be bridging the inside-wired and inside-wireless interfaces, and if you apply this patch in this configuration you will probably have to adjust your FORWARD chain to avoid weird side effects.
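A FORWARD ruleset for the two-port bridge described in this post, as an added example that is not from the original post. It assumes br0 is made of vlan0 (modem side) and vlan1 (inside), that "-i <port>" matches the physical port as stated above, and it only prints the iptables commands unless run with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal transparent-bridge
# ruleset for the bridge-nf kernel described above. Assumes br0 bridges
# vlan0 (DSL modem side) and vlan1 (inside LAN) as in the post, and that
# "-i <port>" matches the physical bridge port, as the post states.
OUTSIDE=vlan0                 # port facing the DSL modem
INSIDE=vlan1                  # port facing the inside network
IPT="${IPT:-echo iptables}"   # default only prints; set IPT=iptables to apply

# With only two ports on br0, "-i" alone fixes the direction: a frame that
# entered on vlan1 and is being forwarded can only leave on vlan0. (For a
# wired/wireless bridge this default-deny would also split the inside LAN.)
bridge_fw_rules() {
    # Default deny for everything that crosses the bridge
    $IPT -P FORWARD DROP
    # Let replies to already-accepted connections through in both directions
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything from the inside may go out to the modem
    $IPT -A FORWARD -i "$INSIDE" -j ACCEPT
    # From the modem side, only new TCP connections to the listed ports
    for port in "$@"; do
        $IPT -A FORWARD -i "$OUTSIDE" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Log (rate-limited) what the policy is about to drop from the outside
    $IPT -A FORWARD -i "$OUTSIDE" -m limit --limit 5/min \
        -j LOG --log-prefix "bridge-fw: "
}

# Number of "-A FORWARD" rules the generator emits for a given allow-list,
# computed from the printed commands so it can be checked without a kernel.
rule_count() {
    ( IPT="echo iptables"; bridge_fw_rules "$@" ) | grep -c -- '-A FORWARD'
}

bridge_fw_rules 22 80
```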

Interesting.

Don't get me wrong, I find this interesting, but it seems to me that would completely and entirely destroy the specifics of the OSI layer.  Bridging is a layer 3 protocol, which isn't supposed to pay attention to any aspect of protocols beneath it (in this case, layer 4 which includes TCP/UDP).

Just food for thought.  Otherwise, a neat patch.

Interesting.

Don't get me wrong, I find this interesting, but it seems to me that would completely and entirely destroy the specifics of the OSI layer.  Bridging is a layer 3 protocol, which isn't supposed to pay attention to any aspect of protocols beneath it (in this case, layer 4 which includes TCP/UDP).

...

Sorry for stepping in here. Of course it's not 100% OSI compatible, but it has interesting possibilities, like transparent filters. Btw: bridging, which uses MAC addresses (ethernet), works on layer 2. Layer 3 handles routing (and uses IP addresses).
