The bridge-netfilter code enables the following functionality:
- {Ip,Ip6,Arp}tables can filter bridged IPv4/IPv6/ARP packets, even when they are encapsulated in an 802.1Q VLAN or PPPoE header. This makes a stateful transparent firewall possible.
- All filtering, logging and NAT features of the three tools can therefore be used on bridged frames.
- Combined with ebtables, the bridge-nf code makes Linux a very powerful transparent firewall.
- This enables, e.g., the creation of a transparent masquerading machine (i.e. all local hosts think they are directly connected to the Internet).
- Letting {ip,ip6,arp}tables see bridged traffic can be disabled or enabled using the appropriate proc entries, located in /proc/sys/net/bridge/:
  bridge-nf-call-arptables
  bridge-nf-call-iptables
  bridge-nf-call-ip6tables
  bridge-nf-filter-vlan-tagged
  bridge-nf-filter-pppoe-tagged
These proc entries are just regular files. Writing '1' to the file (echo 1 > file) enables the specific functionality, while writing '0' to the file disables it.
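The following shell script is an added example (not part of this README or the bridge-nf code) showing how to read, set and verify the five proc entries listed above. It reads the entry back after every write, because a write to /proc/sys can fail silently for a non-root user, and it treats a missing entry as an error: on current kernels the /proc/sys/net/bridge/ directory only exists while the bridge-nf code (the br_netfilter module) is loaded, and if it is absent, iptables is not seeing bridged traffic no matter what your rules say. The BRIDGE_NF_DIR variable and all function names are assumptions of this example, chosen so the functions can be pointed at a scratch directory; on a real system the directory defaults to /proc/sys/net/bridge. Remember that once bridge-nf-call-iptables is 1, the iptables FORWARD chain applies to bridged frames as well, so a FORWARD policy of DROP will start dropping bridged traffic.

```shell
#!/bin/sh
# Added example: inspect and toggle the bridge-nf proc entries.
# BRIDGE_NF_DIR is an assumption of this script (not a kernel name) so the
# functions can be pointed at a scratch directory for testing; on a real
# system it defaults to /proc/sys/net/bridge.
BRIDGE_NF_DIR="${BRIDGE_NF_DIR:-/proc/sys/net/bridge}"

# The five entries documented in the README.
BRIDGE_NF_ENTRIES="bridge-nf-call-arptables bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-filter-vlan-tagged bridge-nf-filter-pppoe-tagged"

# Print 1 or 0 for one entry; fail if the entry is absent (typically because
# the bridge-nf code is not present or not loaded in the running kernel).
bridge_nf_get() {
    f="$BRIDGE_NF_DIR/$1"
    [ -r "$f" ] || { echo "bridge_nf_get: $f missing" >&2; return 1; }
    cat "$f"
}

# Write 1 or 0 to one entry and read it back, so a silent failure
# (no root, read-only /proc) is reported instead of assumed.
bridge_nf_set() {
    name="$1"; value="$2"
    case "$value" in
        0|1) ;;
        *) echo "bridge_nf_set: value must be 0 or 1" >&2; return 1 ;;
    esac
    f="$BRIDGE_NF_DIR/$name"
    [ -w "$f" ] || { echo "bridge_nf_set: $f not writable" >&2; return 1; }
    echo "$value" > "$f" || return 1
    [ "$(cat "$f")" = "$value" ] || { echo "bridge_nf_set: $f did not take $value" >&2; return 1; }
}

# Dump all entries as "name=value", one per line.
bridge_nf_status() {
    for e in $BRIDGE_NF_ENTRIES; do
        v="$(bridge_nf_get "$e")" || return 1
        echo "$e=$v"
    done
}

# Count how many of the three *-call-* entries are enabled, i.e. how many
# of {ip,ip6,arp}tables currently see bridged traffic.
bridge_nf_call_count() {
    n=0
    for e in bridge-nf-call-arptables bridge-nf-call-iptables bridge-nf-call-ip6tables; do
        [ "$(bridge_nf_get "$e")" = 1 ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage on a real system (as root, with the bridge-nf code loaded):
#   bridge_nf_status
#   bridge_nf_set bridge-nf-call-iptables 1
```

The same entries are reachable through sysctl (e.g. net.bridge.bridge-nf-call-iptables), which is the usual way to make a setting survive a reboot; the script above works on the files directly because that is what the README describes.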