What's bridge-netfilter?

Since Linux kernel 3.18-rc1, bridge-netfilter lives in a separate module: you have to `modprobe br_netfilter` to enable it, and the proc entries listed below only exist while that module is loaded.

The bridge-netfilter code enables the following functionality:

  • {Ip,Ip6,Arp}tables can filter bridged IPv4/IPv6/ARP packets, even when encapsulated in an 802.1Q VLAN or PPPoE header. This enables the functionality of a stateful transparent firewall.
  • All filtering, logging and NAT features of the three tools can therefore be used on bridged frames.
  • Combined with ebtables, the bridge-nf code therefore makes Linux a very powerful transparent firewall.
  • This enables, e.g., the creation of a transparent masquerading machine (i.e. all local hosts think they are directly connected to the Internet).
  • Letting {ip,ip6,arp}tables see bridged traffic can be disabled or enabled using the appropriate proc entries, located in /proc/sys/net/bridge/:
    • bridge-nf-call-arptables
    • bridge-nf-call-iptables
    • bridge-nf-call-ip6tables
    Also, letting the aforementioned firewall tools see bridged 802.1Q VLAN and PPPoE encapsulated packets can be disabled or enabled with a proc entry in the same directory:
    • bridge-nf-filter-vlan-tagged
    • bridge-nf-filter-pppoe-tagged
  • These proc entries are just regular files. Writing '1' to the file (echo 1 > file) enables the specific functionality, while writing a '0' to the file disables it.
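As an added example (not part of the original bridge-nf documentation), the following POSIX shell functions inspect and toggle the proc entries listed above. The optional directory argument is an assumption introduced here so the functions can be exercised against a constructed directory; on a real host it defaults to /proc/sys/net/bridge, and writing there requires root.

```shell
#!/bin/sh
# Added example: read and set the bridge-netfilter proc entries.
# An entry that is absent almost always means br_netfilter is not loaded,
# i.e. {ip,ip6,arp}tables rules are silently NOT applied to bridged frames.

BRNF_ENTRIES="bridge-nf-call-arptables bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-filter-vlan-tagged bridge-nf-filter-pppoe-tagged"

# Print "<entry>=<value>" (or "<entry>=absent") for every bridge-nf entry.
brnf_status() {
    dir="${1:-/proc/sys/net/bridge}"
    for entry in $BRNF_ENTRIES; do
        if [ -r "$dir/$entry" ]; then
            printf '%s=%s\n' "$entry" "$(cat "$dir/$entry")"
        else
            printf '%s=absent\n' "$entry"
        fi
    done
}

# Succeed (return 0) only if iptables currently sees bridged IPv4 traffic,
# i.e. the entry exists and contains '1'.
brnf_iptables_active() {
    f="${1:-/proc/sys/net/bridge}/bridge-nf-call-iptables"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Write '0' or '1' to one entry. Refuses unknown entries and any other value,
# since the kernel accepts only those two settings.
brnf_set() {
    entry="$1"; value="$2"; dir="${3:-/proc/sys/net/bridge}"
    case " $BRNF_ENTRIES " in
        *" $entry "*) ;;
        *) echo "brnf_set: unknown entry '$entry'" >&2; return 2 ;;
    esac
    case "$value" in
        0|1) ;;
        *) echo "brnf_set: value must be 0 or 1" >&2; return 2 ;;
    esac
    if [ ! -w "$dir/$entry" ]; then
        echo "brnf_set: $dir/$entry not writable (is br_netfilter loaded?)" >&2
        return 1
    fi
    echo "$value" > "$dir/$entry"
}
```

A typical check on a bridging firewall host is `brnf_iptables_active || echo "bridged IPv4 traffic bypasses iptables"`.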