3、 Problem details :Reminder displayed on screen (not SSH tool)
bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
tun: Universal TUN/TAP device driver, 1.6
Regardless if you see or don’t see the message on RHEL, Alma, CentOS Stream, the warning is valid. That warning has existed since RHEL 7 and is harmless and typically occurs when you have the bridge module loaded.
Highly unlikely. Our sources match what Red Hat and CentOS Stream provides. We do not make changes to the sources nor the kernel configurations nor do we do any manual changes. Again, it occurs when the bridge module is loaded.
CentOS Stream 8, which is the upstream for RHEL 8, will also have the message. You can verify this in dmesg if you are not seeing it on the console.
[jlehtone@alma9 ~]$ cat /etc/almalinux-release
AlmaLinux release 9.3 (Shamrock Pampas Cat)
[jlehtone@alma9 ~]$ lsmod | grep bridge
[jlehtone@alma9 ~]$ dmesg | grep br_
[jlehtone@alma9 ~]$ sudo modprobe bridge
[jlehtone@alma9 ~]$ lsmod | grep bridge
bridge 405504 0
stp 16384 1 bridge
llc 16384 2 bridge,stp
[jlehtone@alma9 ~]$ dmesg | grep br_
[36547.794219] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
The above demonstrates what was already said:
In the old times bridged traffic did not visit netfilter at all. Then, about two decades ago, a kernel module did appear that when loaded did allow filtering of bridged traffic. Eventually, the feature was included in the (RHEL) kernel, but Red Hat did add a (sysctl) config to disable the filtering in order to maintain the old “bridged traffic is not filtered” default behaviour. Majority of bridges might be created by libvirt/KVM and host may not want to filter guest traffic. Performance, etc. One could enable filtering via sysctl.
The sysctl config entries are created by loading the module, so one had to load the module before calling sysctl to set the config. That made boot process less trivial, so tasks were refactored. We are now back to kernel not supporting filtering of bridged traffic unless additional kernel module (br_netfilter) is loaded. The main bridge module simply reminds us of the change; if you used to filter bridged traffic, then you have to update your procedures.
PS. Starting with el8 the kernel has nf-tables that takes over most tasks of (arp/eb/iptables) netfilter. I have not checked whom does the br_netfilter actually serve.
