[PATCH 0/5] netfilter: nf_flow_table_path: L2 bridge offload

Florian Westphal fw at strlen.de
Mon Jun 29 05:56:16 PDT 2026


Daniel Pawlik <pawlik.dan at gmail.com> wrote:
> -----------------------------
> 1. Load kmod-br-netfilter so that bridged IP traffic traverses the
>    netfilter forward chain.

Ouch.  br_netfilter should die.  Really.  It's a gross hack, never
use this thing...

> 2. Enable netfilter hooks on the bridge:
>      echo 1 > /sys/class/net/<br>/bridge/nf_call_iptables
>      echo 1 > /sys/class/net/<br>/bridge/nf_call_ip6tables
>
> 3. Register bridge member interfaces in the nft flowtable:
>      table inet filter {
>          flowtable f {
>              hook ingress priority filter
>              devices = { eth0, wlan0 }
>          }

I think that bridge flowtable should use 'table bridge ...', not
use the br_netfilter compat hacks.

Sorry.

Are you aware of Eric Woudstra's bridge flowtable patches?
https://lore.kernel.org/netfilter-devel/20250408142802.96101-5-ericwouds@gmail.com/
