Talk: "Bridge filtering with nftables" (Florian Westphal)


The current Linux bridge/ebtables architecture has several shortcomings. In the past these were worked around by adding 'header stripping' features to the bridge netfilter core or by invoking the ip(6)tables hooks directly from the bridge layer.

Nftables, a framework intended to replace and unify the various packet filtering tools in the Linux kernel, offers an opportunity to provide a more flexible approach to bridge filtering needs.

After a brief summary of the ebtables and bridge filtering issues, this talk will show some of the advantages that nft bridge offers over ebtables and present some features that are currently being worked on. Two of these will be presented in detail:

  • Stateful filtering (connection tracking) on a bridge.
    We will examine the current state of netfilter conntrack in the Linux kernel and the problems we have, then see how these could be addressed in nftables bridge.
  • Nfqueue (userspace queuing) for the nft bridge family.
    Often requested for ebtables, but nothing ever materialized. Two possible implementation approaches and their respective pros and cons from a userspace usability and convenience point of view will be discussed. This also touches on the old topic of how VLAN headers should be presented to userspace.