[PATCH] bridge: Support nf_call_{ip,ip6,arp}tables attributes
Maximilian Riemensberger
riemensberger at cadami.net
Tue Sep 13 14:16:01 PDT 2022
The bridge driver allows passing bridged frames to netfilter. Add
bridge config options nf_call_iptables, nf_call_ip6tables,
nf_call_arptables to opt in.
Signed-off-by: Maximilian Riemensberger <riemensberger at cadami.net>
---
bridge.c | 15 +++++++++++++++
system-dummy.c | 6 ++++--
system-linux.c | 3 +++
system.h | 4 ++++
4 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/bridge.c b/bridge.c
index 7e61b9d..153e41f 100644
--- a/bridge.c
+++ b/bridge.c
@@ -43,6 +43,9 @@ enum {
BRIDGE_ATTR_HAS_VLANS,
BRIDGE_ATTR_STP_KERNEL,
BRIDGE_ATTR_STP_PROTO,
+ BRIDGE_ATTR_NF_CALL_IPTABLES,
+ BRIDGE_ATTR_NF_CALL_IP6TABLES,
+ BRIDGE_ATTR_NF_CALL_ARPTABLES,
__BRIDGE_ATTR_MAX
};
@@ -66,6 +69,9 @@ static const struct blobmsg_policy bridge_attrs[__BRIDGE_ATTR_MAX] = {
[BRIDGE_ATTR_HAS_VLANS] = { "__has_vlans", BLOBMSG_TYPE_BOOL }, /* internal */
[BRIDGE_ATTR_STP_KERNEL] = { "stp_kernel", BLOBMSG_TYPE_BOOL },
[BRIDGE_ATTR_STP_PROTO] = { "stp_proto", BLOBMSG_TYPE_STRING },
+ [BRIDGE_ATTR_NF_CALL_IPTABLES] = { "nf_call_iptables", BLOBMSG_TYPE_BOOL },
+ [BRIDGE_ATTR_NF_CALL_IP6TABLES] = { "nf_call_ip6tables", BLOBMSG_TYPE_BOOL },
+ [BRIDGE_ATTR_NF_CALL_ARPTABLES] = { "nf_call_arptables", BLOBMSG_TYPE_BOOL },
};
static const struct uci_blob_param_info bridge_attr_info[__BRIDGE_ATTR_MAX] = {
@@ -1114,6 +1120,15 @@ bridge_apply_settings(struct bridge_state *bst, struct blob_attr **tb)
if ((cur = tb[BRIDGE_ATTR_VLAN_FILTERING]))
cfg->vlan_filtering = blobmsg_get_bool(cur);
+
+ if ((cur = tb[BRIDGE_ATTR_NF_CALL_IPTABLES]))
+ cfg->nf_call_iptables = blobmsg_get_bool(cur);
+
+ if ((cur = tb[BRIDGE_ATTR_NF_CALL_IP6TABLES]))
+ cfg->nf_call_ip6tables = blobmsg_get_bool(cur);
+
+ if ((cur = tb[BRIDGE_ATTR_NF_CALL_ARPTABLES]))
+ cfg->nf_call_arptables = blobmsg_get_bool(cur);
}
static enum dev_change_type
diff --git a/system-dummy.c b/system-dummy.c
index b13bc87..811404d 100644
--- a/system-dummy.c
+++ b/system-dummy.c
@@ -32,8 +32,10 @@ int system_init(void)
int system_bridge_addbr(struct device *bridge, struct bridge_config *cfg)
{
- D(SYSTEM, "brctl addbr %s vlan_filtering=%d\n",
- bridge->ifname, cfg->vlan_filtering);
+ D(SYSTEM,
+ "brctl addbr %s vlan_filtering=%d nf_call_iptables=%d nf_call_ip6tables=%d nf_call_arptables=%d\n",
+ bridge->ifname, cfg->vlan_filtering, cfg->nf_call_iptables,
+ cfg->nf_call_ip6tables, cfg->nf_call_arptables);
return 0;
}
diff --git a/system-linux.c b/system-linux.c
index 0f13a99..71e9ec6 100644
--- a/system-linux.c
+++ b/system-linux.c
@@ -1342,6 +1342,9 @@ int system_bridge_addbr(struct device *bridge, struct bridge_config *cfg)
}
nla_put_u8(msg, IFLA_BR_VLAN_FILTERING, !!cfg->vlan_filtering);
+ nla_put_u8(msg, IFLA_BR_NF_CALL_IPTABLES, !!cfg->nf_call_iptables);
+ nla_put_u8(msg, IFLA_BR_NF_CALL_IP6TABLES, !!cfg->nf_call_ip6tables);
+ nla_put_u8(msg, IFLA_BR_NF_CALL_ARPTABLES, !!cfg->nf_call_arptables);
nla_put_u16(msg, IFLA_BR_PRIORITY, cfg->priority);
nla_put_u32(msg, IFLA_BR_HELLO_TIME, sec_to_jiffies(cfg->hello_time));
nla_put_u32(msg, IFLA_BR_MAX_AGE, sec_to_jiffies(cfg->max_age));
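Review bot: The three new nla_put_u8() calls are unconditional, so a bridge with none of the nf_call_* options configured still sends an explicit 0 for each flag; that mirrors the existing IFLA_BR_VLAN_FILTERING line and, as far as I know, matches the kernel's per-bridge default, but the case of a kernel built without bridge netfilter support deserves a look — I believe the attributes are then accepted and silently ignored rather than rejected, so an operator who sets nf_call_iptables expecting bridged traffic to reach the filter tables gets no error from netifd. A short comment on the first added line would make that explicit, e.g. `/* per-bridge netfilter opt-in; kernels without bridge netfilter support ignore these rather than failing the request */`. The enclosing system_bridge_addbr() starts and ends outside the hunk, so I cannot see how msg is sized; if it is allocated with a fixed length the extra attributes would also need the ignored nla_put_u8() results checked.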
diff --git a/system.h b/system.h
index 0f08c26..c551b13 100644
--- a/system.h
+++ b/system.h
@@ -208,6 +208,10 @@ struct bridge_config {
int hash_max;
bool vlan_filtering;
+
+ bool nf_call_iptables;
+ bool nf_call_ip6tables;
+ bool nf_call_arptables;
};
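Review bot: The three new bridge_config fields carry no comment, so a reader of system.h cannot tell that they drive the kernel's per-bridge IFLA_BR_NF_CALL_* flags, that they are opt-in (unset leaves the flag at 0 when the bridge is created), or that the global bridge-nf-call-* sysctls, as far as I recall, can still route bridged frames to netfilter independently of them. I would document them in place: `/* opt in to passing bridged IPv4/IPv6/ARP frames through netfilter (IFLA_BR_NF_CALL_{IP,IP6,ARP}TABLES); default false, global bridge-nf-call-* sysctls may still apply */`. struct bridge_config starts outside the hunk.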
enum macvlan_opt {
--
2.25.1