How to bridge only IPv6 while forwarding IPv4?

Thor-x86 · 2022-04-20 04:15:53

I would like to put IPv4 of Linux Containers behind NAT but still allow them to use IPv6 from ISP. Previously, I attempted to configure broute with ebtables like this

sudo ebtables -t broute -A BROUTING -i enp1s0 -p ! ipv6 -j DROP && sudo brctl addif lxdbr0 enp1s0

However, it outputs errors as below

ebtables: No chain/target/match by that name

Turns out that ebtables support is now dropped from ArchLinux and now I have no idea how to do the BROUTING on ArchLinux these days. Anyone know how to workaround this? Or perhaps there's already permanent solution? Thanks!

-thc · 2022-04-20 06:50:18

nftables has an equivalent: the bridge family.

Thor-x86 · 2022-04-20 11:46:14

-thc wrote:

nftables has an equivalent: the bridge family.

Wow thanks! Anyway, any recommended command for that case? I'm trying to digest the documentation as it has kinda different configuration structure

-thc · 2022-04-20 12:25:33

If I understand your ebtables command correctly, you want to enable bridge forwarding coming in from enp1s0 for IPv6 only:

% nft add table bridge filter
% nft add chain bridge filter forward '{type filter hook forward priority 0; }'
% nft add rule bridge filter forward iifname "enp1s0" meta nfproto != ipv6 drop

progandy · 2022-04-20 15:22:22

The iptables-nft package has also tools that take old style commands and apply them to nftables. Then you can dump the nftable rules to see the result.
Sometimes that works, but other times it uses some compatibility modules in the kernel, so I would suggest not to rely too much on these tools.

Last edited by progandy (2022-04-20 15:33:34)

Thor-x86 · 2022-04-21 21:05:26

-thc wrote:

If I understand your ebtables command correctly, you want to enable bridge forwarding coming in from enp1s0 for IPv6 only:
% nft add table bridge filter
% nft add chain bridge filter forward '{type filter hook forward priority 0; }'
% nft add rule bridge filter forward iifname "enp1s0" meta nfproto != ipv6 drop

I get this error

Error: meta nfproto is only useful in the inet family
add rule bridge filter forward iifname enp1s0 meta nfproto != ipv6 drop
                                              ^^^^^^^^^^^^

Wonder if I missed something

Thor-x86 · 2022-04-21 21:06:58

progandy wrote:

The iptables-nft package has also tools that take old style commands and apply them to nftables.

Which tool? Is it supports broute?

progandy · 2022-04-21 21:08:49

Thor-x86 wrote:

progandy wrote:
The iptables-nft package has also tools that take old style commands and apply them to nftables.
Which tool? Is it supports broute?

ebtables-nft. And I just found a note in the manpage that broute tables are unsupported.

Last edited by progandy (2022-04-21 21:08:59)

-thc · 2022-04-22 06:27:32

Thor-x86 wrote:

Error: meta nfproto is only useful in the inet family
add rule bridge filter forward iifname enp1s0 meta nfproto != ipv6 drop
                                              ^^^^^^^^^^^^

Wonder if I missed something

No - my mistake. I wrongly assumed that meta matches can be used in bridge tables.

This should work:

nft add rule bridge filter forward iifname "enp1s0" ether type != ip6 drop

Arch Linux

#1 2022-04-20 04:15:53

How to bridge only IPv6 while forwarding IPv4?

#2 2022-04-20 06:50:18

Re: How to bridge only IPv6 while forwarding IPv4?

#3 2022-04-20 11:46:14

Re: How to bridge only IPv6 while forwarding IPv4?

#4 2022-04-20 12:25:33

Re: How to bridge only IPv6 while forwarding IPv4?

#5 2022-04-20 15:22:22

Re: How to bridge only IPv6 while forwarding IPv4?

#6 2022-04-21 21:05:26

Re: How to bridge only IPv6 while forwarding IPv4?

#7 2022-04-21 21:06:58

Re: How to bridge only IPv6 while forwarding IPv4?

#8 2022-04-21 21:08:49

Re: How to bridge only IPv6 while forwarding IPv4?

#9 2022-04-22 06:27:32

Re: How to bridge only IPv6 while forwarding IPv4?

Board footer