I have written a netfilter module to check packets coming into and going out of the Linux box for some specific patterns.
```c
#include <linux/module.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>    /* NF_IP_PRI_FIRST, NF_INET_* hook numbers */
#include <linux/netfilter_bridge.h>  /* PF_BRIDGE hooks */

/* Hook callbacks; their bodies are not part of the question. Declaring them
 * through the nf_hookfn typedef keeps the prototype right for this kernel. */
static nf_hookfn dhcp_hook_function;
static nf_hookfn data_hook_function;

static struct nf_hook_ops nfho1, nfho2;  /* one nf_hook_ops per registered hook */
static int use_bridge;                   /* module parameter (declaration assumed) */

/* Registration, as done in the module init path (function name assumed). */
static int __init pattern_hooks_init(void)
{
    int ret;

    /* Hook 1: outgoing packets, as late as possible in the path. */
    nfho1.owner = THIS_MODULE;
    nfho1.hook = dhcp_hook_function;
    nfho1.hooknum = NF_INET_POST_ROUTING;
    nfho1.priority = NF_IP_PRI_FIRST;
    if (use_bridge == 1)
        nfho1.pf = PF_BRIDGE; /* on bridge interface */
    else
        nfho1.pf = PF_INET;   /* not on bridge interface */

    /* Hook 2: incoming packets, before routing. */
    nfho2.owner = THIS_MODULE;
    nfho2.hook = data_hook_function;
    nfho2.hooknum = NF_INET_PRE_ROUTING;
    nfho2.priority = NF_IP_PRI_FIRST;
    if (use_bridge == 1)
        nfho2.pf = PF_BRIDGE; /* on bridge interface */
    else
        nfho2.pf = PF_INET;

    /* nf_register_hook() returns 0 on success; undo hook 1 if hook 2 fails. */
    ret = nf_register_hook(&nfho1);
    if (ret)
        return ret;
    ret = nf_register_hook(&nfho2);
    if (ret)
        nf_unregister_hook(&nfho1);
    return ret;
}
```
The use_bridge parameter decides which protocol family to use.
However, my question is: is PF_BRIDGE necessary?
Test cases:

Case 1: br0 is configured using brctl.
With PF_BRIDGE the post-routing hook gets called. Without PF_BRIDGE the post-routing hook does not get called.
Why doesn't the post-routing hook get called? AFAIK the post-routing hook cannot be bypassed.

Case 2: br0 is not configured but ip_forwarding is ON.
Without PF_BRIDGE both hooks get called. I do not configure PF_BRIDGE for this test case.

So why is PF_BRIDGE required for the POST_ROUTING hook to be called?
I figured out why this is happening, so I am sharing:
By default in Linux, iptables deals with IP-layer packets while ebtables deals with Layer 2 packets.
However, there is a configuration parameter to be set in:
/proc/sys/net/bridge/bridge-nf-call-iptables
If it is set to 1 then even the bridge-layer packets seem to be calling the iptables hooks.
I checked this in my setup and turned it on!!
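An added example, not part of the question or the answer: a small POSIX shell audit of the knob the answer describes, reporting whether bridged frames will reach PF_INET hooks at all (and so whether a module needs PF_BRIDGE). It assumes the /proc/sys/net/bridge layout and takes the directory as a parameter so it can be exercised against a constructed copy; the function names are the example's own.

```sh
#!/bin/sh
# Added example: report whether bridged frames on this host will traverse the
# IPv4 netfilter (PF_INET) hooks, which is what decides whether a PF_INET
# POST_ROUTING hook sees traffic crossing br0 or whether PF_BRIDGE is needed.
# DIR is a parameter so the functions can be run against a constructed copy
# of /proc/sys/net/bridge (function names are the example's own).

# bridge_nf_mode [DIR]  ->  prints absent | passthrough | iptables
#   absent      - DIR/bridge-nf-call-iptables is missing: the bridge netfilter
#                 glue (bridge module, or br_netfilter on 3.18+) is not loaded,
#                 so bridged frames never reach PF_INET hooks; only PF_BRIDGE
#                 hooks (the ebtables chains) see them.
#   passthrough - knob present but 0: same visibility as 'absent'.
#   iptables    - knob is 1: bridged IPv4 frames also traverse the PF_INET
#                 PRE_ROUTING/FORWARD/POST_ROUTING hooks, so a PF_INET hook
#                 sees them.
bridge_nf_mode() {
    dir=${1:-/proc/sys/net/bridge}
    knob="$dir/bridge-nf-call-iptables"
    if [ ! -r "$knob" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$knob")" in
        1) echo iptables ;;
        0) echo passthrough ;;
        *) echo "unexpected value in $knob" >&2; return 1 ;;
    esac
}

# needs_pf_bridge [DIR]  ->  exit 0 when a module that must inspect bridged
# traffic has to register a PF_BRIDGE hook, 1 when a PF_INET hook suffices.
needs_pf_bridge() {
    [ "$(bridge_nf_mode "$1")" != iptables ]
}

# Stand-alone use against the live system:  sh audit.sh --live
# (to expose bridged traffic to PF_INET hooks an administrator runs
#  sysctl -w net.bridge.bridge-nf-call-iptables=1 after loading br_netfilter)
if [ "${1:-}" = "--live" ]; then
    printf 'bridge-nf-call-iptables mode: %s\n' "$(bridge_nf_mode)"
fi
```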