Bridge interface packet filtering: Accessing input interface metadata with nftables

Hey guys, I’m having trouble with my bridge setup. I want to filter packets based on which physical interface they came from. I thought I could use ‘meta iifname’ in nftables rules, but it’s not working as expected.

Here’s what I tried:

nft add table bridge filter
nft add chain bridge filter input '{ type filter hook input priority 0; policy accept; }'
nft add rule bridge filter input meta iifname "eth0" counter accept
nft add rule bridge filter input meta iifname "eth1" counter drop
nft add rule bridge filter input counter log

But all packets end up in the last rule, even those from eth0 or eth1. I’ve disabled STP on the bridge, but that doesn’t seem to be the issue.

Can anyone help me figure out how to:

  1. See the actual ‘meta iifname’ value for incoming packets?
  2. Correctly filter bridge traffic based on the original input interface?
  3. Apply rules to both forwarded and local-destined packets?

Any tips or tricks would be super helpful. Thanks!
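A complete bridge-family ruleset that addresses the three questions above, added here as an example rather than taken from the thread. It assumes a bridge br0 whose ports are eth0 and eth1 (the names from the post), root privileges, and a kernel and nft recent enough to support nftrace; everything else is plain nftables syntax.

```nft
# Added example: a bridge-family ruleset for a bridge br0 with ports eth0 and eth1
# (interface names are assumed from the post). Load with: nft -f bridge.nft
table bridge filter {
    # Mark every frame entering the bridge for tracing. With `nft monitor trace`
    # running, the kernel reports each rule it evaluates for the frame, including
    # the iifname value it actually sees, so question 1 can be answered directly.
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        meta nftrace set 1
    }

    # Frames delivered to the host itself (IP traffic to br0's address, ARP for it, ...)
    chain input {
        type filter hook input priority 0; policy accept;
        jump port_policy
        log prefix "bridge-input-fallthrough: " counter
    }

    # Frames switched between ports; local delivery never goes through here,
    # which is why the per-port policy has to be attached to both base chains.
    chain forward {
        type filter hook forward priority 0; policy accept;
        jump port_policy
        log prefix "bridge-forward-fallthrough: " counter
    }

    # Shared per-port policy. In the bridge family iifname is the bridge port the
    # frame arrived on (eth0 or eth1), not the bridge device br0. accept and drop
    # are final verdicts, so only frames from other ports return to the base chain
    # and reach the log rule above.
    chain port_policy {
        iifname "eth0" counter accept
        iifname "eth1" counter drop
    }
}
```

Load it with `nft -f bridge.nft`, start `nft monitor trace` in a second terminal, and send a frame in on each port: the trace output shows every rule evaluated and the iifname the kernel matched against, and `nft list ruleset` afterwards shows which counters moved. Two caveats: `meta nftrace set 1` is noisy, so remove the prerouting chain once the policy is confirmed, and locally delivered IP traffic additionally traverses the ip/inet input hook, where iifname is br0 rather than the port, so rules in those families cannot distinguish eth0 from eth1 this way.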

Hey leapingfox, sounds tricky! Have you tried using ebtables instead? It’s designed for bridge filtering and might work better for what you’re trying to do. Also, check if your bridge is in promisc mode - that can mess with interface detection. Good luck troubleshooting!

I’ve faced similar issues when dealing with bridge filtering. One workaround was to use iptables with the physdev module rather than relying on nftables. The physdev module lets you match packets based on their originating interface, which can be crucial for proper filtering on a bridge.

For example, you can try:

# physdev matching needs the br_netfilter module and net.bridge.bridge-nf-call-iptables=1
iptables -A FORWARD -m physdev --physdev-in eth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in eth1 -j DROP

This configuration directs packets from eth0 to be accepted and those from eth1 to be dropped. Make sure that your kernel supports and has loaded the physdev module. Additionally, using tools like tcpdump can help in verifying that the packets are handled as expected.