Installing OpenVPN-as, there are two reminders and precautions (RHEL does not have reminders)

1、After installing vmware workstation Pro 17.5

2、The installation method is
yum install -y openvpn-as-bundled-clients-28.rpm openvpn-as-2.13.0_c7623b5a-1.el8.x86_64.rpm

3、 Problem details :Reminder displayed on screen (not SSH tool)
bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
tun: Universal TUN/TAP device driver, 1.6

4、Rhel8.9 and Alma8.9 are normal。Both Rocky8 and Rocky9 have these precautions

Regardless if you see or don’t see the message on RHEL, Alma, CentOS Stream, the warning is valid. That warning has existed since RHEL 7 and is harmless and typically occurs when you have the bridge module loaded.

But RHEL and almal don’t have these reminders. Did they update certain configurations while Rocky didn’t do so

Highly unlikely. Our sources match what Red Hat and CentOS Stream provides. We do not make changes to the sources nor the kernel configurations nor do we do any manual changes. Again, it occurs when the bridge module is loaded.

CentOS Stream 8, which is the upstream for RHEL 8, will also have the message. You can verify this in dmesg if you are not seeing it on the console.

Thank you, I have learned some more knowledge

Same with Alma:

[jlehtone@alma9 ~]$ cat /etc/almalinux-release 
AlmaLinux release 9.3 (Shamrock Pampas Cat)
[jlehtone@alma9 ~]$ lsmod | grep bridge
[jlehtone@alma9 ~]$ dmesg | grep br_
[jlehtone@alma9 ~]$ sudo modprobe bridge
[jlehtone@alma9 ~]$ lsmod | grep bridge
bridge                405504  0
stp                    16384  1 bridge
llc                    16384  2 bridge,stp
[jlehtone@alma9 ~]$ dmesg | grep br_
[36547.794219] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.

The above demonstrates what was already said:

In the old times bridged traffic did not visit netfilter at all. Then, about two decades ago, a kernel module did appear that when loaded did allow filtering of bridged traffic. Eventually, the feature was included in the (RHEL) kernel, but Red Hat did add a (sysctl) config to disable the filtering in order to maintain the old “bridged traffic is not filtered” default behaviour. Majority of bridges might be created by libvirt/KVM and host may not want to filter guest traffic. Performance, etc. One could enable filtering via sysctl.

The sysctl config entries are created by loading the module, so one had to load the module before calling sysctl to set the config. That made boot process less trivial, so tasks were refactored. We are now back to kernel not supporting filtering of bridged traffic unless additional kernel module (br_netfilter) is loaded. The main bridge module simply reminds us of the change; if you used to filter bridged traffic, then you have to update your procedures.

PS. Starting with el8 the kernel has nf-tables that takes over most tasks of (arp/eb/iptables) netfilter. I have not checked whom does the br_netfilter actually serve.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.