Skip to content

Commit 9407bc2

Browse files
keszybzkeszybz
committed
man: update sysctl example about netfilter
It turns out that since kernel 3.18 netfilter on bridged packets is off anyway, so the example should be reworded (and the module name updated).
1 parent ea539eb commit 9407bc2

File tree

1 file changed

+17
-4
lines changed

1 file changed

+17
-4
lines changed

man/sysctl.d.xml

Lines changed: 17 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -123,11 +123,12 @@
123123
</example>
124124

125125
<example>
126-
<title>Disable packet filter on bridged packets (method one)</title>
126+
<title>Apply settings available only when a certain module is loaded (method one)</title>
127127
<para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
128128
</para>
129129

130-
<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
130+
<programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
131+
RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
131132
</programlisting>
132133

133134
<para><filename>/etc/sysctl.d/bridge.conf</filename>:
@@ -137,14 +138,20 @@
137138
net.bridge.bridge-nf-call-iptables = 0
138139
net.bridge.bridge-nf-call-arptables = 0
139140
</programlisting>
141+
142+
<para>This method applies settings when the module is
143+
loaded. Please note that unless the <filename>br_netfilter</filename>
144+
module is loaded, bridged packets will not be filtered by
145+
netfilter (starting with kernel 3.18), so simply not loading the
146+
module is suffient to avoid filtering.</para>
140147
</example>
141148

142149
<example>
143-
<title>Disable packet filter on bridged packets (method two)</title>
150+
<title>Apply settings available only when a certain module is loaded (method two)</title>
144151
<para><filename>/etc/modules-load.d/bridge.conf</filename>:
145152
</para>
146153

147-
<programlisting>bridge</programlisting>
154+
<programlisting>br_netfilter</programlisting>
148155

149156
<para><filename>/etc/sysctl.d/bridge.conf</filename>:
150157
</para>
@@ -153,6 +160,12 @@ net.bridge.bridge-nf-call-arptables = 0
153160
net.bridge.bridge-nf-call-iptables = 0
154161
net.bridge.bridge-nf-call-arptables = 0
155162
</programlisting>
163+
164+
<para>This method forces the module to be always loaded. Please
165+
note that unless the <filename>br_netfilter</filename> module is
166+
loaded, bridged packets will not be filtered with netfilter
167+
(starting with kernel 3.18), so simply not loading the module is
168+
suffient to avoid filtering.</para>
156169
</example>
157170
</refsect1>
158171

0 commit comments

Comments
 (0)