Author | SHA1 | Date |
---|---|---|
Fabian Bläse | 7efaa780f8 |
|
@ -10,7 +10,8 @@ define Package/$(PKG_NAME)
|
||||||
CATEGORY:=Freifunk
|
CATEGORY:=Freifunk
|
||||||
TITLE:=Freifunk-Franken firewall
|
TITLE:=Freifunk-Franken firewall
|
||||||
URL:=https://www.freifunk-franken.de
|
URL:=https://www.freifunk-franken.de
|
||||||
DEPENDS:=+nftables
|
DEPENDS:=+kmod-nft-bridge \
|
||||||
|
+nftables
|
||||||
endef
|
endef
|
||||||
|
|
||||||
define Package/$(PKG_NAME)/description
|
define Package/$(PKG_NAME)/description
|
||||||
|
|
|
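Review bot: The new `+kmod-nft-bridge` dependency on the line `DEPENDS:=+kmod-nft-bridge \` is undocumented, so a reader of the Makefile cannot tell which rule needs it. Presumably it pulls in the kernel-side `nft_meta_bridge` match that the `ibrname`/`obrname` expressions added to the rule files in this commit require; a comment such as `# kmod-nft-bridge: nft_meta_bridge, needed for the ibrname/obrname matches in the bridge rulesets` would record that. The userspace side is not pinned: `+nftables` carries no minimum version, so an nft build that does not know these keywords would reject the ruleset at load time rather than at package build time; if the feed floor is known to be recent enough, a comment stating that is sufficient.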
@ -4,7 +4,7 @@ table bridge filter {
|
||||||
# vom Gateway (also vom BATMAN) kommen darf.
|
# vom Gateway (also vom BATMAN) kommen darf.
|
||||||
chain IN_ONLY {
|
chain IN_ONLY {
|
||||||
# -i ! bat0 --logical-in br-client -j DROP
|
# -i ! bat0 --logical-in br-client -j DROP
|
||||||
iifname != "bat0" counter drop
|
iifname != "bat0" ibrname "br-client" counter drop
|
||||||
counter
|
counter
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -12,7 +12,7 @@ table bridge filter {
|
||||||
# in Richtung Gateway (also ins BATMAN) gesendet werden darf.
|
# in Richtung Gateway (also ins BATMAN) gesendet werden darf.
|
||||||
chain OUT_ONLY {
|
chain OUT_ONLY {
|
||||||
# --logical-out br-client -o ! bat0 -j DROP
|
# --logical-out br-client -o ! bat0 -j DROP
|
||||||
oifname != "bat0" counter drop
|
oifname != "bat0" obrname "br-client" counter drop
|
||||||
counter
|
counter
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -24,21 +24,21 @@ table bridge filter {
|
||||||
type filter hook input priority filter; policy accept;
|
type filter hook input priority filter; policy accept;
|
||||||
|
|
||||||
# -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT
|
# -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT
|
||||||
iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 accept
|
iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 ibrname "br-client" counter packets 0 bytes 0 accept
|
||||||
}
|
}
|
||||||
|
|
||||||
chain FORWARD {
|
chain FORWARD {
|
||||||
type filter hook forward priority filter; policy accept;
|
type filter hook forward priority filter; policy accept;
|
||||||
|
|
||||||
# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
|
# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
|
||||||
oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
|
oifname "bat0" obrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
|
||||||
}
|
}
|
||||||
|
|
||||||
chain OUTPUT {
|
chain OUTPUT {
|
||||||
type filter hook output priority filter; policy accept;
|
type filter hook output priority filter; policy accept;
|
||||||
|
|
||||||
# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
|
# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
|
||||||
oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
|
oifname "bat0" obrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
__EOF
|
__EOF
|
||||||
|
|
|
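Review bot: The `ibrname "br-client"` / `obrname "br-client"` qualifiers added to the drop rules in IN_ONLY (`iifname != "bat0" ibrname "br-client" counter drop`) and OUT_ONLY narrow those chains to frames bridged via br-client; a frame on any other bridge that reaches these chains now falls through to the trailing `counter` and returns to the calling chain instead of being dropped. Whether that is a policy change depends on the base chains that jump here, which are outside the hunks; if they already filter on br-client the qualifier is redundant, otherwise the narrowing should be stated as intent with a comment above each chain, e.g. `# Only frames bridged via br-client are checked here; other bridges are left alone`. Separately, the INPUT multicast rule places `ibrname "br-client"` after the `ether daddr` mask while the FORWARD and OUTPUT rules put `obrname` directly after `oifname`; keeping the interface qualifiers together, `iifname != "bat0" ibrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter accept`, reads consistently with the rest of the file. The `counter packets 0 bytes 0` form on the INPUT and FORWARD multicast rules is an `nft list` artefact and could be plain `counter`, as the OUTPUT rule already uses.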
@ -4,27 +4,27 @@ table bridge filter {
|
||||||
# No input from/to local node ip from batman
|
# No input from/to local node ip from batman
|
||||||
|
|
||||||
# -p IPv6 -i bat0 --logical-in br-client --ip6-src fdff::1 -j DROP
|
# -p IPv6 -i bat0 --logical-in br-client --ip6-src fdff::1 -j DROP
|
||||||
iifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
|
iifname "bat0" ibrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
|
||||||
# -p IPv6 -i bat0 --logical-in br-client --ip6-dst fdff::1 -j DROP
|
# -p IPv6 -i bat0 --logical-in br-client --ip6-dst fdff::1 -j DROP
|
||||||
iifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
|
iifname "bat0" ibrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain FORWARD {
|
chain FORWARD {
|
||||||
# Do not forward local node ip
|
# Do not forward local node ip
|
||||||
|
|
||||||
# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
|
# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
|
||||||
oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
|
oifname "bat0" obrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
|
||||||
# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
|
# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
|
||||||
oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
|
oifname "bat0" obrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
|
||||||
}
|
}
|
||||||
|
|
||||||
chain OUTPUT {
|
chain OUTPUT {
|
||||||
# Do not output local node ip to batman
|
# Do not output local node ip to batman
|
||||||
|
|
||||||
# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
|
# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
|
||||||
oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
|
oifname "bat0" obrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
|
||||||
# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
|
# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
|
||||||
oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
|
oifname "bat0" obrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
__EOF
|
__EOF
|
||||||
|
|
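Review bot: Nothing in this ruleset says why the `ibrname "br-client"` / `obrname "br-client"` qualifiers were added to the fdff::1 rules (`iifname "bat0" ibrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop` and its five siblings), so a later cleanup could drop them as redundant; a one-line comment near the top of the file, e.g. `# ibrname/obrname restore the --logical-in/--logical-out br-client scoping of the original ebtables rules quoted in the comments`, would protect the intent. The two INPUT rules at the start of the hunk sit in a chain whose header is above the hunk, so the hook and priority they run under cannot be checked here. The four `obrname` rules are also duplicated verbatim between FORWARD and OUTPUT; a single regular chain reached by `jump` from both hook chains, as MULTICAST_OUT is used in the other ruleset, is worth considering so that future edits land in one place.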