Actually, we're too early in the boot process to tell whether there are
bridges; but we can try to load the applicable module and only do the
hacking if it's available. This probably bloats some kernels a bit, but
it's not too bad.
## Turn off iptables filtering for bridges. We'll use ebtables if we need
## to; but right now the model is that we do filtering at the borders, and
## are tolerant of things which are local.
-for filter in arptables iptables ip6tables; do
- run sysctl -q net/bridge/bridge-nf-call-$filter=0
-done
+if [ -x /sbin/brctl ]; then
+ modprobe bridge || :
+ if [ -d /proc/sys/net/bridge ]; then
+ for filter in arptables iptables ip6tables; do
+ run sysctl -q net.bridge.bridge-nf-call-$filter=0
+ done
+ fi
+fi
## Turn on the reverse-path filter, and log weird things.
setdevopt rp_filter 1