diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 89275474..9bd89ae1 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -10,7 +10,8 @@ define Package/$(PKG_NAME)
 CATEGORY:=Freifunk
 TITLE:=Freifunk-Franken firewall
 URL:=https://www.freifunk-franken.de
- DEPENDS:=+nftables
+ DEPENDS:=+kmod-nft-bridge \
+ +nftables
 endef
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains b/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains
index 68867341..d2b983a0 100644
--- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains
+++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains
@@ -4,7 +4,7 @@ table bridge filter {
 # vom Gateway (also vom BATMAN) kommen darf.
 chain IN_ONLY {
 # -i ! bat0 --logical-in br-client -j DROP
- iifname != "bat0" counter drop
+ iifname != "bat0" ibrname "br-client" counter drop
 counter
 }
@@ -12,7 +12,7 @@ table bridge filter {
 # in Richtung Gateway (also ins BATMAN) gesendet werden darf.
 chain OUT_ONLY {
 # --logical-out br-client -o ! bat0 -j DROP
- oifname != "bat0" counter drop
+ oifname != "bat0" obrname "br-client" counter drop
 counter
 }
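Review bot: The `+kmod-nft-bridge` dependency lands in the fff-firewall package, but the rules that actually need `nft_meta_bridge` (the new `ibrname`/`obrname` matches in the firewall.d scripts of this same commit) are shipped by fff-node; if fff-node does not itself depend on fff-firewall, an image built with fff-node alone would load a ruleset the kernel rejects, and with the hook chains at `policy accept` that failure is silent. I cannot see fff-node's Makefile in this diff, so this may already be covered; if it is not, add `+fff-firewall` (or `+kmod-nft-bridge`) to fff-node's `DEPENDS` as well. It is also worth confirming that `kmod-nft-bridge` on the targeted OpenWrt release includes `nft_meta_bridge` and not only the bridge hook module, since `ibrname`/`obrname` are provided by that module.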
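Review bot: With `ibrname "br-client"` added to the drop rule, IN_ONLY no longer drops a packet that reaches the chain on any other bridge: the chain ends after the trailing `counter` with no default verdict, so such a packet returns to the caller and falls through to the hook chain's `policy accept` (the mirrored `obrname` rule in OUT_ONLY below behaves the same way). This matches the ebtables `--logical-in br-client` semantics quoted in the comment, but it is only safe if every jump into IN_ONLY/OUT_ONLY is itself limited to br-client traffic, and the rules that jump here are outside this hunk. If the chains are meant to be a hard barrier independent of the caller, move the bridge condition onto the jump rules instead; if the caller-side restriction is the intended contract, record it above the rule with `# callers must only jump here for br-client frames; anything else falls through to the hook chain policy`.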
@@ -24,21 +24,21 @@ table bridge filter {
 type filter hook input priority filter; policy accept;
 # -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT
- iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 accept
+ iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 ibrname "br-client" counter packets 0 bytes 0 accept
 }
 chain FORWARD {
 type filter hook forward priority filter; policy accept;
 # -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
- oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
+ oifname "bat0" obrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
 }
 chain OUTPUT {
 type filter hook output priority filter; policy accept;
 # -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
- oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
+ oifname "bat0" obrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
 }
 }
 __EOF
diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
index b5e733fc..efc42104 100644
--- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
+++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
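Review bot: Every rule in the INPUT, FORWARD and OUTPUT hook chains is now keyed on the literal bridge name `br-client` while all three chains declare `policy accept`, so a typo in the name or a later rename of the client bridge does not fail loading but silently turns the whole ruleset into a no-op; that fail-open coupling deserves a line at the table head such as `# all rules are scoped to br-client; the hook chains are policy accept, so a non-matching bridge name disables them silently`. As a style point, the new INPUT and FORWARD rules carry `counter packets 0 bytes 0` while the OUTPUT rule uses bare `counter`; the explicit zero state reads like a paste from `nft list ruleset` and should be trimmed to `counter` on both lines. The closing `}` of the table and the `__EOF` heredoc terminator are inside this hunk, so the file ends here.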
@@ -4,27 +4,27 @@ table bridge filter {
 # No input from/to local node ip from batman
 # -p IPv6 -i bat0 --logical-in br-client --ip6-src fdff::1 -j DROP
- iifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+ iifname "bat0" ibrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
 # -p IPv6 -i bat0 --logical-in br-client --ip6-dst fdff::1 -j DROP
- iifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+ iifname "bat0" ibrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
 }
 chain FORWARD {
 # Do not forward local node ip
 # -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
- oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+ oifname "bat0" obrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
 # -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
- oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+ oifname "bat0" obrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
 }
 chain OUTPUT {
 # Do not output local node ip to batman
 # -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
- oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+ oifname "bat0" obrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
 # -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
- oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+ oifname "bat0" obrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
 }
 }
 __EOF
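Review bot: The four `oifname "bat0" obrname "br-client" ether type ip6 ip6 …addr fdff::1 counter drop` rules in FORWARD and OUTPUT are the same pair written twice, so the address, the port match and the new bridge match now have to be kept in sync in four places; the sibling 05-setup-batman-chains file already avoids this for multicast by jumping to a shared MULTICAST_OUT chain, and the same shape here would leave one place to edit. The FORWARD and OUTPUT blocks carry no `type … hook …` line, so they append to base chains created elsewhere (presumably the 05 file, loaded first); a comment such as `# appends to the base chains created by 05-setup-batman-chains` would make that load-order dependency visible. The INPUT chain whose rules open this hunk starts before line 4 and its header is outside the hunk.

```nftables
	# … unchanged: INPUT chain rules …
	# Shared by FORWARD and OUTPUT: the local-node address never crosses into batman
	chain LOCAL_NODE_OUT {
		ip6 daddr fdff::1 counter drop
		ip6 saddr fdff::1 counter drop
	}
	chain FORWARD {
		# Do not forward local node ip
		oifname "bat0" obrname "br-client" ether type ip6 counter jump LOCAL_NODE_OUT
	}
	chain OUTPUT {
		# Do not output local node ip to batman
		oifname "bat0" obrname "br-client" ether type ip6 counter jump LOCAL_NODE_OUT
	}
```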