man: update sysctl example about netfilter

It turns out that since kernel 3.18 netfilter on bridged packets is off anyway, so the example should be reworded (and the module name updated).
2015-06-29 20:34:45 -04:00 · 2015-06-29 20:34:45 -04:00 · 9407bc2d03
parent ea539eb659
commit 9407bc2d03
1 changed files with 17 additions and 4 deletions
--- a/man/sysctl.d.xml
+++ b/man/sysctl.d.xml
@ -123,11 +123,12 @@
    </example>

    <example>
-      <title>Disable packet filter on bridged packets (method one)</title>
+      <title>Apply settings available only when a certain module is loaded (method one)</title>
      <para><filename>/etc/udev/rules.d/99-bridge.rules</filename>:
      </para>

-      <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
+      <programlisting>ACTION=="add", SUBSYSTEM=="module", KERNEL=="br_netfilter", \
+      RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/bridge"
 </programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
@ -137,14 +138,20 @@
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
 </programlisting>
+
+      <para>This method applies settings when the module is
+      loaded. Please note that unless the <filename>br_netfilter</filename>
+      module is loaded, bridged packets will not be filtered by
+      netfilter (starting with kernel 3.18), so simply not loading the
+      module is suffient to avoid filtering.</para>
    </example>

    <example>
-      <title>Disable packet filter on bridged packets (method two)</title>
+      <title>Apply settings available only when a certain module is loaded (method two)</title>
      <para><filename>/etc/modules-load.d/bridge.conf</filename>:
      </para>

-      <programlisting>bridge</programlisting>
+      <programlisting>br_netfilter</programlisting>

      <para><filename>/etc/sysctl.d/bridge.conf</filename>:
      </para>
@ -153,6 +160,12 @@ net.bridge.bridge-nf-call-arptables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0
 </programlisting>
+
+      <para>This method forces the module to be always loaded. Please
+      note that unless the <filename>br_netfilter</filename> module is
+      loaded, bridged packets will not be filtered with netfilter
+      (starting with kernel 3.18), so simply not loading the module is
+      suffient to avoid filtering.</para>
    </example>
  </refsect1>