I'm trying to get a clear understanding of what exactly the br_netfilter Linux kernel module does (I know it has something to do with networking).

My simple question I'm posing here is as follows:

What is an example of something I CAN do with this module enabled which I CANNOT do when it is disabled? I had thought it had something to do with iptables, but when disabling/enabling the module I was always able to run the same iptables commands.

Note: since I wasn't positive that I wouldn't kill my computer by disabling a kernel module, I created a test AWS EC2 instance to test this.

EDIT: To clarify, what I would like to see is a simple set of steps, i.e., run commands X, Y, Z, which, when the module is enabled, make the system act as expected, and when it is disabled, do not.

1 Answer

First, in order for that module to be of any use to you, you must first be bridging traffic between two or more network interfaces (physical or virtual).

For example, if you want to run QEMU/KVM virtual machines on your system and to be able to present the virtual machines to the network as separate IP addresses (= no port forwarding needed to set up services in VMs), you could run a bridge between the physical network interface of your host system and the virtual network interfaces of your VMs.

Or if you wish to run hostapd to make your own WiFi access point and don't want the wireless network to be a separate IP subnet, you would run a bridge between the wired and wireless network interfaces.

Basically, once the output of brctl show or ip link show type bridge is not an empty list, you'll be in a position to use ebtables to set up restrictions on the traffic passing through the bridge(s), based on MAC addresses.

If those two commands show no output, br_netfilter will be of no use to you, because you are not using the subsystem which br_netfilter would be filtering. And even if they do show output, if all you need is MAC-based filtering on your bridges, then you still don't need the br_netfilter module at all.

But what if you want to do filtering by IP addresses or TCP/UDP ports in your bridge? Then you could run echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables. This is what enables the br_netfilter module and allows you to apply iptables rules to bridged traffic too.

Untested example, assuming I've understood it correctly:

You are running a virtualization host, which runs a KVM virtual machine that has a virtual network interface named vifX as seen from the host. The virtual networking is implemented using a bridge br0, to which is attached both the physical interface eno1 and the virtual interface vifX. The VM has IP address/mask 10.6.6.6/24. Within the same network segment, directly reachable via eno1, there is another physical server with IP address/mask 10.6.6.100/24.

Initially, SSH connections can be established from 10.6.6.100 to 10.6.6.6 and vice versa. You would like to allow connections from 10.6.6.100 to 10.6.6.6, but block outgoing SSH connections from 10.6.6.6.

You'd make the standard connection-tracking iptables FORWARD rules, by network interface:

# With br_netfilter active, iptables sees bridged packets with -i/-o set to the bridge
# device (br0), so the bridge port is matched with the physdev module rather than -i:
iptables -A FORWARD -m physdev --physdev-in vifX -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in vifX -p tcp --dport 22 -j DROP

But initially it does not work, because you are not routing the traffic between the VM and the outside world; you are bridging. So, you enable br_netfilter to apply the iptables rules to bridged traffic too:

echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

Now the physical host 10.6.6.100 can SSH into the VM 10.6.6.6, but the VM cannot make outgoing SSH connections to port 22 anywhere. Not even to other hosts in the same network segment.

More info about ebtables here: https://ebtables.netfilter.org/index.html

Specifically about br_netfilter and how to enable it: https://ebtables.netfilter.org/documentation/bridge-nf.html
