jaroslav@xxxxxxxxxxx <jaroslav@xxxxxxxxxxx> wrote:
> Hello,
>
> I hope this is the correct list to post to (based on info on
> https://netfilter.org/mailinglists.html), I apologize for the noise if not.
>
> I am trying to replace these iptables rules:
>
> iptables -P FORWARD DROP
> iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

rmmod br_netfilter or set

net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-ip6tables=0

Then remove the "-m physdev" rule.

After this, nft ip, ip6, arp and inet tables will only see forwarded (routed)
packets. Dedicated bridge filtering can be done via the "bridge" family.