--- zzzz-none-000/linux-5.15.111/net/bridge/br_netfilter_hooks.c 2023-05-11 14:00:40.000000000 +0000
+++ puma7-atom-6670-761/linux-5.15.111/net/bridge/br_netfilter_hooks.c 2024-02-07 10:23:29.000000000 +0000
@@ -495,8 +495,10 @@
 brnet = net_generic(state->net, brnf_net_id);
 if (IS_IPV6(skb) || is_vlan_ipv6(skb, state->net) || is_pppoe_ipv6(skb, state->net)) {
- if (!brnet->call_ip6tables &&
- !br_opt_get(br, BROPT_NF_CALL_IP6TABLES))
+ /* If the flag is set for this bridge to disable bridge-netfilter hooks,
+ that will override the global flag which enables / disables the hooks */
+ if (br->nf_disable_ip6tables || (!brnet->call_ip6tables &&
+ !br_opt_get(br, BROPT_NF_CALL_IP6TABLES)))
 return NF_ACCEPT;
 if (!ipv6_mod_enabled()) {
 pr_warn_once("Module ipv6 is disabled, so call_ip6tables is not supported.");
@@ -507,7 +509,9 @@
 return br_nf_pre_routing_ipv6(priv, skb, state);
 }
- if (!brnet->call_iptables && !br_opt_get(br, BROPT_NF_CALL_IPTABLES))
+ if (br->nf_disable_iptables || (!brnet->call_iptables && !br_opt_get(br, BROPT_NF_CALL_IPTABLES)))
+ /* If the flag is set for this bridge to disable bridge-netfilter hooks,
+ that will override the global flag which enables / disables the hooks */
 return NF_ACCEPT;
 if (!IS_IP(skb) && !is_vlan_ip(skb, state->net) &&
@@ -655,7 +659,9 @@
 br = p->br;
 brnet = net_generic(state->net, brnf_net_id);
- if (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES))
+ if (br->nf_disable_arptables || (!brnet->call_arptables && !br_opt_get(br, BROPT_NF_CALL_ARPTABLES)))
+ /* If the flag is set for this bridge to disable bridge-netfilter hooks,
+ that will override the global flag which enables / disables the hooks */
 return NF_ACCEPT;
 if (!IS_ARP(skb)) {
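Review bot: `br->nf_disable_ip6tables` is read as a plain struct field in the packet path, while the neighbouring per-bridge setting goes through `br_opt_get(br, BROPT_NF_CALL_IP6TABLES)`; the field's declaration and its writer are not in this diff, so it is not visible whether updates are safe against a concurrently running hook or who is allowed to set it. Because a set flag makes the hook return `NF_ACCEPT` and skip ip6tables evaluation for the whole bridge regardless of the global and per-bridge enables, I would carry it as a bridge option bit tested with `br_opt_get()`, or at least read it with `READ_ONCE(br->nf_disable_ip6tables)`, and confirm the setter is limited to CAP_NET_ADMIN. The same applies to `nf_disable_iptables` in the second hunk and `nf_disable_arptables` in the third. The enclosing function starts and ends outside the hunk.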
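Review bot: The comment added in the second hunk sits between the `if (...)` condition and its unbraced `return NF_ACCEPT;`, so the return reads as detached from the test and a statement later inserted under the comment would silently become the `if` body; the third hunk has the same layout. Put the comment above the `if`, as the first hunk does, and wrap the long condition the same way: `if (br->nf_disable_iptables || (!brnet->call_iptables &&` followed by `!br_opt_get(br, BROPT_NF_CALL_IPTABLES)))`. The comment would also be more consistent in the kernel's multi-line form, with ` * ` leading each line. The enclosing function continues outside the hunk.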