firewall: add firewall bridge mode

add firewall bridge mode so it can be used as layer 2 inline bridge for either DDoS protection or firewall filter by iptable rules configured in netfilter filter table forward chain. Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2026-04-25 10:22:59 +02:00 · 2025-04-11 19:13:32 -07:00
parent cb5313ec87
commit 6eef7f8535
3 changed files with 28 additions and 1 deletions
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -55,6 +55,8 @@ SYNPROXY_OPTIONS=(
 	"--mss" "1460"
 )

+FWBRIDGE="fwbridge"
+
 function iptables() {
 	/sbin/iptables --wait "$@"
 }
@@ -432,6 +434,11 @@ iptables_init() {
 	iptables -N POLICYOUT
 	iptables -A OUTPUT -j POLICYOUT

+	# Enable bridge netfilter.
+	if [ "${BRIDGENETFILTER}" = "on" ]; then
+		modprobe br_netfilter
+		sysctl -w net.bridge.bridge-nf-call-iptables=1
+	fi
 	# Initialize firewall policies.
 	/usr/sbin/firewall-policy

@@ -443,6 +450,13 @@ iptables_init() {
 	if [ ! -e "/var/ipfire/red/active" ]; then
 		iptables_red_down
 	fi
+
+	if [ "${FWBRIDGEMODE}" = "on" ]; then
+		ip link add name $FWBRIDGE type bridge
+		ip link set $RED_DEV master $FWBRIDGE
+		ip link set $GREEN_DEV master $FWBRIDGE
+		ip link set $FWBRIDGE up
+	fi
 }

 iptables_red_up() {