mkresin:

Since Linux kernel 3.18-rc1, you have to install kmod-br-netfilter. Pleae report back if it fixed your issue.

pparent76:

Ok thanks a lot, it works!

If the module is not installed by default shouldn't the bridge related lines be removed by default from /etc/sysctl.conf?

mkresin:

Yes they should be and I have already a patch in my local git tree to remove them.

mkresin:

As it turned out, it isn't that easy to get rid of the sysctl parameters in /etc/sysctl.conf.

The reason behind disabling the net.bridge.bridge-nf-call-* is to prevent that a bridge hits the {ip,ip6,arp}tables overhead if kmod-br-netfilter is installed. kmod-br-netfilter is installed as a dependency of the physdev-match kernel module (via kmod-ipt-extra) for example. If someone only wants to filter based on the incoming or outgoing bridge port, the ip,ip6,arp}tables overhead penalty is something that should be prevented.

In theory it would be possible to add a file to /etc/sysctl.d/ which disables net.bridge.bridge-nf-call-* if kmod-ipt-extra gets installed. This way the full {ip,ip6,arp}tables power can be used if one only installs kmod-br-netfilter. As far as I can see, it isn't possible to bundle files with kmods at the moment. Hence, in theory.

Long story short, at the moment it isn't possible to drop the sysctl parameters from the default config.

pparent76:

How do you solve this problem in lede 17.01.2? I'm trying to compile the package kmod-br-netfilter, but it does not seem to work:

:/code/lede-mt7628$ scripts/feeds install kmod-br-netfilter
:/code/lede-mt7628$ make package/kmod-br-netfilter/install V=s
make[1]: Entering directory '/home/pparent/code/lede-mt7628'
make[1]: *** No rule to make target 'package/kmod-br-netfilter/install'. Stop.
make[1]: Leaving directory '/home/pparent/code/lede-mt7628'
/home/pparent/code/lede-mt7628/include/toplevel.mk:198: recipe for target 'package/kmod-br-netfilter/install' failed
make: *** [package/kmod-br-netfilter/install] Error 2