What's bridge-netfilter?

The bridge-netfilter code enables the following functionality:

• {Ip,Ip6,Arp}tables can filter bridged IPv4/IPv6/ARP packets, even when encapsulated in an 802.1Q VLAN or PPPoE header. This enables the functionality of a stateful transparent firewall.
• All filtering, logging and NAT features of the 3 tools can therefore be used on bridged frames.
• Combined with ebtables, the bridge-nf code therefore makes Linux a very powerful transparent firewall.
• This enables, f.e., the creation of a transparent masquerading machine (i.e. all local hosts think they are directly connected to the Internet).
• Letting {ip,ip6,arp}tables see bridged traffic can be disabled or enabled using the appropriate proc entries, located in/proc/sys/net/bridge/:
  • bridge-nf-call-arptables
  • bridge-nf-call-iptables
  • bridge-nf-call-ip6tables
  Also, letting the aforementioned firewall tools see bridged 802.1Q VLAN and PPPoE encapsulated packets can be disabled or enabled with a proc entry in the same directory:
  • bridge-nf-filter-vlan-tagged
  • bridge-nf-filter-pppoe-tagged
These proc entries are just regular files. Writing '1' to the file (echo 1 > file) enables the specific functionality, while writing a '0' to the file disables it.