bookends.m4: Only disable filtering on bridges if we have bridges.

Actually, we're too early in the boot process to tell whether there are
bridges; but we can try to load the applicable module and only do the
hacking if it's available.  This probably bloats some kernels a bit, but
it's not too bad.

diff --git a/bookends.m4 b/bookends.m4
index 495e95a..02f7859 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -58,9 +58,14 @@ setopt icmp_echo_ignore_broadcasts 0
 ## Turn off iptables filtering for bridges.  We'll use ebtables if we need
 ## to; but right now the model is that we do filtering at the borders, and
 ## are tolerant of things which are local.
-for filter in arptables iptables ip6tables; do
-  run sysctl -q net/bridge/bridge-nf-call-$filter=0
-done
+if [ -x /sbin/brctl ]; then
+  modprobe bridge || :
+  if [ -d /proc/sys/net/bridge ]; then
+    for filter in arptables iptables ip6tables; do
+      run sysctl -q net.bridge.bridge-nf-call-$filter=0
+    done
+  fi
+fi
 
 ## Turn on the reverse-path filter, and log weird things.
 setdevopt rp_filter 1