Linus Lüssing <linus.luessing@xxxxxxxxx> wrote:
> Ah! Okay, so adding something like
> "-m physdev ! --physdev-is-in" to all OpenWrt firewall rules should work?

Yes.

> So from a bridge netfilter hook "--physdev-in" will always either
> point to a bridge port or the bridge interface itself?
> And "--physdev-is-in" will always be true?

--physdev-is-in is true when call-iptables infra is 1 and packet came in via a bridge port.

> And in "native" IP netfilter hooks "--physdev-in" will never match

It won't match if packet came in via a normal (not bridged) interface.

> and "--physdev-is-in" will always be false?

Yes.
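
As an added example (not part of the original message or of OpenWrt's firewall code), the following audit lists the rules in an `iptables-save` dump that lack the `! --physdev-is-in` match discussed above and therefore also apply to packets that came in via a bridge port. The function names, the sample dump and the idea of passing the sysctl file as a path argument are assumptions made for this illustration; on a live system the path would be `/proc/sys/net/bridge/bridge-nf-call-iptables`.

```shell
#!/bin/sh
# Added illustration: find iptables rules that bridged packets can still hit.

# Constructed sample in iptables-save format (not taken from a real router).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i br-lan -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m physdev ! --physdev-is-in -i br-lan -o eth1 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j DROP
COMMIT'

# Succeeds only if bridged frames are handed to iptables (value is 1).
# A missing file (bridge netfilter not loaded) counts as "not handed over".
bridge_calls_iptables() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Reads an iptables-save dump on stdin and prints every appended rule
# that does not carry the negated --physdev-is-in match.
rules_without_physdev_exclusion() {
    awk '/^-A / && index($0, "! --physdev-is-in") == 0 { print }'
}

# $1: path to the bridge-nf-call-iptables file; stdin: iptables-save dump.
# Prints the rules that packets arriving via a bridge port can match.
audit_rules() {
    if bridge_calls_iptables "$1"; then
        rules_without_physdev_exclusion
    else
        # --physdev-is-in is never true in this case, so nothing to report.
        cat >/dev/null
    fi
}

# Demo on the constructed dump with a temporary stand-in for the sysctl file.
demo_file=$(mktemp)
echo 1 > "$demo_file"
printf '%s\n' "$SAMPLE_DUMP" | audit_rules "$demo_file"
rm -f "$demo_file"
```
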