firewall: add firewall bridge mode

add firewall bridge mode so it can be used as layer 2 inline bridge for either DDoS protection or firewall filter by iptable rules configured in netfilter filter table forward chain. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2026-04-21 16:32:59 +02:00 · 2025-04-11 19:13:32 -07:00
parent cb5313ec87
commit 6eef7f8535
3 changed files with 28 additions and 1 deletions
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -122,6 +122,9 @@ case "${POLICY}" in
 				fi
 				iptables -A POLICYFWD -j REJECT --reject-with icmp-host-unreachable -m comment --comment "DROP_FORWARD"
 				;;
+			ACCEPT) # ACCEPT for firewall bridge mode
+				iptables -A POLICYFWD -j ACCEPT -m comment --comment "ACCEPT_FORWARD"
+				;;
 			*) # DROP
 				if [ "${DROPFORWARD}" = "on" ]; then
 					iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
@@ -162,7 +165,15 @@ case "${POLICY}" in
 		if [ "${DROPFORWARD}" = "on" ]; then
 			iptables -A POLICYFWD -m limit --limit 10/second -j LOG --log-prefix "DROP_FORWARD "
 		fi
-		iptables -A POLICYFWD -m comment --comment "DROP_FORWARD" -j DROP
+
+		case "${FWPOLICY}" in
+                        ACCEPT) # ACCEPT for firewall bridge mode
+                                iptables -A POLICYFWD -j ACCEPT -m comment --comment "ACCEPT_FORWARD"
+                                ;;
+                        *) # DROP
+                                iptables -A POLICYFWD -j DROP -m comment --comment "DROP_FORWARD"
+                                ;;
+                esac
 		;;
 esac

--- a/lfs/configroot
+++ b/lfs/configroot
@@ -119,6 +119,8 @@ $(TARGET) :
 	echo  "ENABLED=off"		> $(CONFIG_ROOT)/vpn/settings
 	echo  "01"			> $(CONFIG_ROOT)/certs/serial
 	echo  "nameserver    1.2.3.4"	> $(CONFIG_ROOT)/ppp/fake-resolv.conf
+	echo  "FWBRIDGEMODE=off"	>> $(CONFIG_ROOT)/optionsfw/settings
+	echo  "BRIDGENETFILTER=off"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPNEWNOTSYN=on"	>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPINPUT=on"		>> $(CONFIG_ROOT)/optionsfw/settings
 	echo  "DROPFORWARD=on"		>> $(CONFIG_ROOT)/optionsfw/settings
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -55,6 +55,8 @@ SYNPROXY_OPTIONS=(
 	"--mss" "1460"
 )

+FWBRIDGE="fwbridge"
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
@@ -432,6 +434,11 @@ iptables_init() {
 	iptables -N POLICYOUT
 	iptables -A OUTPUT -j POLICYOUT

+	# Enable bridge netfilter.
+	if [ "${BRIDGENETFILTER}" = "on" ]; then
+		modprobe br_netfilter
+		sysctl -w net.bridge.bridge-nf-call-iptables=1
+	fi
 	# Initialize firewall policies.
 	/usr/sbin/firewall-policy

@@ -443,6 +450,13 @@ iptables_init() {
 	if [ ! -e "/var/ipfire/red/active" ]; then
 		iptables_red_down
 	fi
+
+	if [ "${FWBRIDGEMODE}" = "on" ]; then
+		ip link add name $FWBRIDGE type bridge
+		ip link set $RED_DEV master $FWBRIDGE
+		ip link set $GREEN_DEV master $FWBRIDGE
+		ip link set $FWBRIDGE up
+	fi
 }

 iptables_red_up() {