This doesn't work:
Code:
$ cat make-bridge
#! /bin/bash

nmcli connection add ifname br0         type bridge                  con-name br0
nmcli connection add ifname eno1        type bridge-slave master br0 con-name eno1-bridge-slave
nmcli connection add ifname wlp0s29u1u2 type bridge-slave master br0 con-name wifi-bridge-slave

nmcli connection modify br0 ipv4.method manual ipv4.addr "192.168.0.254/24"
# The reason DNS points back to the same host is that it's running Pi-hole.
nmcli connection modify br0 ipv4.dns "192.168.0.254 8.8.8.8"
Well it partially works, the bridge slave wlp0s29u1u2 never connects because the bridge has to be up before hostapd runs.

Of note, just using brctl addif shows this issue too:
Code:
$ sudo strace brctl addif br0 wlp0s29u1u2
execve("/sbin/brctl", ["brctl", "addif", "br0", "wlp0s29u1u2"], 0x7fffcb636a48 /* 20 vars */) = 0
brk(NULL)                               = 0x55ce165bd000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6aa92c2000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=206069, ...}) = 0
mmap(NULL, 206069, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6aa928f000
close(3)                                = 0
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\21\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2254296, ...}) = 0
mmap(NULL, 4082272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6aa8cb8000
mprotect(0x7f6aa8e93000, 2097152, PROT_NONE) = 0
mmap(0x7f6aa9093000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1db000) = 0x7f6aa9093000
mmap(0x7f6aa9099000, 14944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6aa9099000
close(3)                                = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6aa928c000
arch_prctl(ARCH_SET_FS, 0x7f6aa928c740) = 0
mprotect(0x7f6aa9093000, 16384, PROT_READ) = 0
mprotect(0x55ce1635d000, 4096, PROT_READ) = 0
mprotect(0x7f6aa92c4000, 4096, PROT_READ) = 0
munmap(0x7f6aa928f000, 206069)          = 0
socket(AF_UNIX, SOCK_STREAM, 0)         = 3
access("/proc/net", R_OK)               = 0
access("/proc/net/unix", R_OK)          = 0
socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
ioctl(4, SIOCGIFINDEX, {ifr_name="wlp0s29u1u2", }) = 0
close(4)                                = 0
ioctl(3, SIOCBRADDIF)                   = -1 EOPNOTSUPP (Operation not supported)
ioctl(3, SIOCDEVPRIVATE, 0x7ffd90054450) = -1 EOPNOTSUPP (Operation not supported)
write(2, "can't add wlp0s29u1u2 to bridge "..., 61can't add wlp0s29u1u2 to bridge br0: Operation not supported
) = 61
exit_group(1)                           = ?
+++ exited with 1 +++
With hostapd you don't run "nmcli" or "brctl", you just put "bridge=br0" in hostapd.conf and something automagically takes care of things.

Code:
$ sudo cat /etc/hostapd/hostapd.conf
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel

# Some usable default settings...
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0

wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=fat-chance

interface=wlp0s29u1u2
bridge=br0
hw_mode=g
ieee80211n=1
wmm_enabled=1
channel=10
ssid=honeypot
country_code=US
ieee80211d=1
If each time after the system reboots, I run
Code:
$ cat bin/make-bridge2
#! /bin/bash

if [ -e /usr/sbin/wpa_supplicant ]; then
    killall wpa_supplicant
    mv /usr/sbin/wpa_supplicant /usr/sbin/wpa_supplicant-
fi

nmcli connection del $(nmcli connection | awk '/^br0/  {print $2}')
nmcli connection del $(nmcli connection | awk '/^eno1/ {print $2}')

nmcli connection add ifname br0         type bridge                  con-name br0
nmcli connection add ifname eno1        type bridge-slave master br0 con-name eno1-bridge-slave
# nmcli connection add ifname wlp0s29u1u2 type bridge-slave master br0 con-name wifi-bridge-slave

nmcli connection modify br0 ipv4.method manual ipv4.addr "192.168.0.6/24"
nmcli connection modify br0 ipv4.dns "192.168.0.6 75.75.75.75"

systemctl stop hostapd
ifup br0
systemctl start hostapd
Everything is running and Wifi clients are bridged on the the LAN. Just like with LEDE but with Pi-hole.

Any suggestions about how to do this the right way?