diff --git a/build_patches/openwrt/0001-Disable-OpenWrt-config-migration-mechanisms.patch b/build_patches/openwrt/0001-Disable-OpenWrt-config-migration-mechanisms.patch index f6e86e1a..84a74ccf 100644 --- a/build_patches/openwrt/0001-Disable-OpenWrt-config-migration-mechanisms.patch +++ b/build_patches/openwrt/0001-Disable-OpenWrt-config-migration-mechanisms.patch @@ -6,10 +6,10 @@ This disables all OpenWrt config migration mechanisms except for files listed in /etc/sysupgrade.conf diff --git a/package/base-files/files/sbin/sysupgrade b/package/base-files/files/sbin/sysupgrade -index 7e0a00e13b8ee4be7163936fd01a7beff0ce5c99..97f50dc83088e29fba651741fff28c70f7585b3f 100755 +index 9315091302..be8325463e 100755 --- a/package/base-files/files/sbin/sysupgrade +++ b/package/base-files/files/sbin/sysupgrade -@@ -135,14 +135,14 @@ list_static_conffiles() { +@@ -139,14 +139,14 @@ list_static_conffiles() { local filter=$1 find $(sed -ne '/^[[:space:]]*$/d; /^#/d; p' \ diff --git a/build_patches/openwrt/0002-set-root-password.patch b/build_patches/openwrt/0002-set-root-password.patch index 9655010d..571ae771 100644 --- a/build_patches/openwrt/0002-set-root-password.patch +++ b/build_patches/openwrt/0002-set-root-password.patch @@ -3,7 +3,7 @@ Date: Sat, 8 Jul 2017 10:47:28 +0200 Subject: set root password diff --git a/package/base-files/files/etc/shadow b/package/base-files/files/etc/shadow -index 4b4154f21f478cc025a350363b3e34319c6afacc..b8d180a95691ab09f9c4d759ffd97da34a022623 100644 +index 39bdb9c90a..b8d180a956 100644 --- a/package/base-files/files/etc/shadow +++ b/package/base-files/files/etc/shadow @@ -1,4 +1,4 @@ diff --git a/build_patches/openwrt/0004-build-remove-libustream-and-certs-from-default-packa.patch b/build_patches/openwrt/0004-build-remove-libustream-and-certs-from-default-packa.patch index 3c1369f4..b45398ee 100644 --- a/build_patches/openwrt/0004-build-remove-libustream-and-certs-from-default-packa.patch 
+++ b/build_patches/openwrt/0004-build-remove-libustream-and-certs-from-default-packa.patch @@ -5,13 +5,12 @@ Subject: build: remove libustream and certs from default packages This effectively reverts upstream commit e79df3516d3e ("build: add libustream and certs to default pkgs"). -The libustream-wolfssl library conflicts with the libustream-mbedtls -we are selecting in fff-web-ui and is probably much bigger. - Signed-off-by: Adrian Schmutzler +[fabian@blaese.de: Rebase onto OpenWrt 23.05] +Signed-off-by: Fabian Bläse diff --git a/include/target.mk b/include/target.mk -index 7526224972e18148fec8a12318ca7f90a382475f..338e97f836759fc454986210e5818ad390ba6efb 100644 +index b5e3e7ff6f..2324b6cc11 100644 --- a/include/target.mk +++ b/include/target.mk @@ -12,12 +12,10 @@ DEVICE_TYPE?=router @@ -23,7 +22,7 @@ index 7526224972e18148fec8a12318ca7f90a382475f..338e97f836759fc454986210e5818ad3 fstools \ libc \ libgcc \ -- libustream-wolfssl \ +- libustream-mbedtls \ logd \ mtd \ netifd \ diff --git a/build_patches/openwrt/0050-Disable-ipq40xx-lan-wan-separation.patch b/build_patches/openwrt/0050-Disable-ipq40xx-lan-wan-separation.patch deleted file mode 100644 index f318485c..00000000 --- a/build_patches/openwrt/0050-Disable-ipq40xx-lan-wan-separation.patch +++ /dev/null 
@@ -1,132 +0,0 @@ -From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= -Date: Sat, 7 Aug 2021 00:40:34 +0200 -Subject: [PATCH] Disable ipq40xx lan/wan separation - -While the ipq40xx only has a single MDIO connection to the switch chip, -the ipq40xx essedma ethernet driver configures two gmac interfaces, -which are seperated into WAN and LAN ports using vlan cid at driver -level. Linux is not aware of these vlan tags. - -However, this configuration does interfere with the vlan ids we use in -our firmware. Therefore, this feature is disabled by setting the default -vlan id for all gmacs to 0, changing the port mask so all physical ports -are connected to the first gmac, and reducing the amount of configured -gmacs to one. The definition of the second gmac is kept, because it is -referenced by some devices. The default configuration of the switch chip -is removed accordingly. - -These changes are currently only done with the FritzBox 4040 in mind. ---- - .../linux/ipq40xx/base-files/etc/board.d/01_leds | 2 +- - .../ipq40xx/base-files/etc/board.d/02_network | 3 +-- - .../ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c | 2 ++ - .../drivers/net/ethernet/qualcomm/essedma/edma.h | 16 ++++++++-------- - ...1-dts-ipq4019-add-ethernet-essedma-node.patch | 6 +++--- - 5 files changed, 15 insertions(+), 14 deletions(-) - -diff --git a/target/linux/ipq40xx/base-files/etc/board.d/01_leds b/target/linux/ipq40xx/base-files/etc/board.d/01_leds -index 884b265dcb..77b0754635 100644 ---- a/target/linux/ipq40xx/base-files/etc/board.d/01_leds -+++ b/target/linux/ipq40xx/base-files/etc/board.d/01_leds -@@ -24,7 +24,7 @@ asus,rt-ac58u) - ;; - avm,fritzbox-4040) - ucidef_set_led_wlan "wlan" "WLAN" "green:wlan" "phy0tpt" "phy1tpt" -- ucidef_set_led_netdev "wan" "WAN" "green:wan" "eth1" -+ ucidef_set_led_switch "wan" "WAN" "green:wan" "switch0" "0x20" - ucidef_set_led_switch "lan" "LAN" "green:lan" "switch0" "0x1e" - ;; - avm,fritzbox-7530 |\ -diff --git 
a/target/linux/ipq40xx/base-files/etc/board.d/02_network b/target/linux/ipq40xx/base-files/etc/board.d/02_network -index 2aa4886e6a..7390769661 100644 ---- a/target/linux/ipq40xx/base-files/etc/board.d/02_network -+++ b/target/linux/ipq40xx/base-files/etc/board.d/02_network -@@ -68,9 +68,8 @@ ipq40xx_setup_interfaces() - avm,fritzbox-4040|\ - linksys,ea6350v3|\ - linksys,ea8300) -- ucidef_set_interfaces_lan_wan "eth0" "eth1" - ucidef_add_switch "switch0" \ -- "0u@eth0" "1:lan" "2:lan" "3:lan" "4:lan" -+ "0@eth0" "1:lan" "2:lan" "3:lan" "4:lan" "5:wan" - ;; - linksys,mr8300) - ucidef_set_interfaces_lan_wan "eth0" "eth1" -diff --git a/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c b/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c -index f7ce42b9ff..a8da7ac653 100644 ---- a/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c -+++ b/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c -@@ -1481,6 +1481,7 @@ ar40xx_vlan_init(struct ar40xx_priv *priv) - unsigned long bmp; - - /* By default Enable VLAN */ -+ /* - priv->vlan = 1; - priv->vlan_table[AR40XX_LAN_VLAN] = priv->cpu_bmp | priv->lan_bmp; - priv->vlan_table[AR40XX_WAN_VLAN] = priv->cpu_bmp | priv->wan_bmp; -@@ -1492,6 +1493,7 @@ ar40xx_vlan_init(struct ar40xx_priv *priv) - bmp = priv->wan_bmp; - for_each_set_bit(port, &bmp, AR40XX_NUM_PORTS) - priv->pvid[port] = AR40XX_WAN_VLAN; -+ */ - - return 0; - } -diff --git a/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h b/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h -index 015e5f5026..daa60639d1 100644 ---- a/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h -+++ b/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h -@@ -57,14 +57,14 @@ - #define EDMA_LAN 1 - - /* VLAN tag */ --#define EDMA_LAN_DEFAULT_VLAN 1 --#define EDMA_WAN_DEFAULT_VLAN 2 -- --#define EDMA_DEFAULT_GROUP1_VLAN 1 --#define EDMA_DEFAULT_GROUP2_VLAN 2 --#define 
EDMA_DEFAULT_GROUP3_VLAN 3 --#define EDMA_DEFAULT_GROUP4_VLAN 4 --#define EDMA_DEFAULT_GROUP5_VLAN 5 -+#define EDMA_LAN_DEFAULT_VLAN 0 -+#define EDMA_WAN_DEFAULT_VLAN 0 -+ -+#define EDMA_DEFAULT_GROUP1_VLAN 0 -+#define EDMA_DEFAULT_GROUP2_VLAN 0 -+#define EDMA_DEFAULT_GROUP3_VLAN 0 -+#define EDMA_DEFAULT_GROUP4_VLAN 0 -+#define EDMA_DEFAULT_GROUP5_VLAN 0 - - /* Queues exposed to linux kernel */ - #define EDMA_NETDEV_TX_QUEUE 4 -diff --git a/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch b/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch -index 3567eb7810..b13b312a91 100644 ---- a/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch -+++ b/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch -@@ -36,7 +36,7 @@ Signed-off-by: Christian Lamparter - + qcom,rx_head_buf_size = <1540>; - + qcom,mdio_supported; - + qcom,poll_required = <1>; --+ qcom,num_gmac = <2>; -++ qcom,num_gmac = <1>; - + interrupts = <0 65 IRQ_TYPE_EDGE_RISING - + 0 66 IRQ_TYPE_EDGE_RISING - + 0 67 IRQ_TYPE_EDGE_RISING -@@ -74,7 +74,7 @@ Signed-off-by: Christian Lamparter - + - + gmac0: gmac0 { - + local-mac-address = [00 00 00 00 00 00]; --+ vlan_tag = <1 0x1f>; -++ vlan_tag = <0 0x3f>; - + }; - + - + gmac1: gmac1 { -@@ -83,7 +83,7 @@ Signed-off-by: Christian Lamparter - + qcom,poll_required = <1>; - + qcom,forced_speed = <1000>; - + qcom,forced_duplex = <1>; --+ vlan_tag = <2 0x20>; -++ vlan_tag = <0 0x00>; - + }; - + }; - + diff --git a/build_patches/openwrt/0050-ipq40xx-restore-label-mac-alias.patch b/build_patches/openwrt/0050-ipq40xx-restore-label-mac-alias.patch new file mode 100644 index 00000000..93c7b5a6 --- /dev/null +++ b/build_patches/openwrt/0050-ipq40xx-restore-label-mac-alias.patch 
@@ -0,0 +1,27 @@ +From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= +Date: Sun, 6 Aug 2023 19:57:16 +0200 +Subject: [PATCH 1/2] ipq40xx: re-add label MAC address for FritzBox 4040 + +The MAC address of the GMAC is contained inside the CWMP-Account +number on the label. + +The label MAC address alias was defined previously, but it has been +removed with the switch to IPQESS / DSA. + +Restore the label MAC address alias. + +Fixes: 27b441cbaf42 ("ipq40xx: drop ESSEDMA + AR40xx DTS nodes") +Signed-off-by: Fabian Bläse + +diff --git a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts +index e448206c36..ec1112ee2b 100644 +--- a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts ++++ b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts +@@ -14,6 +14,7 @@ + led-failsafe = &flash; + led-running = &power; + led-upgrade = &flash; ++ label-mac-device = &gmac; + }; + + soc { diff --git a/build_patches/openwrt/0051-ipq40xx-retain-old-compat_version.patch b/build_patches/openwrt/0051-ipq40xx-retain-old-compat_version.patch new file mode 100644 index 00000000..a0237b90 --- /dev/null +++ b/build_patches/openwrt/0051-ipq40xx-retain-old-compat_version.patch @@ -0,0 +1,17 @@ +From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= +Date: Tue, 8 Aug 2023 20:59:16 +0200 +Subject: [PATCH] ipq40xx: retain old compat_version + +diff --git a/target/linux/ipq40xx/image/Makefile b/target/linux/ipq40xx/image/Makefile +index 2ba4c779a0..5851b29875 100644 +--- a/target/linux/ipq40xx/image/Makefile ++++ b/target/linux/ipq40xx/image/Makefile +@@ -10,8 +10,6 @@ define Device/Default + IMAGES := sysupgrade.bin + IMAGE/sysupgrade.bin = sysupgrade-tar | append-metadata + IMAGE/sysupgrade.bin/squashfs := +- DEVICE_COMPAT_VERSION := 1.1 +- DEVICE_COMPAT_MESSAGE := Config cannot be migrated from swconfig to DSA + endef + + include $(SUBTARGET).mk 
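Review bot: The new 0051 patch drops the `DEVICE_COMPAT_VERSION := 1.1` bump together with its swconfig-to-DSA message, but its body gives no reason why the sysupgrade compatibility guard can be removed for this target. That bump is what makes sysupgrade refuse to carry a pre-DSA configuration onto a DSA image, so the justification (presumably that this firmware regenerates its own network configuration, which the 0001 patch disabling OpenWrt's config migration suggests) belongs in the patch description rather than only in the reviewer's head. A sentence below the Subject line along the lines of `Network config is regenerated by fff-network on every upgrade, so the swconfig->DSA compat bump is not needed.` would do; adjust it to the actual reason.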
diff --git a/build_patches/openwrt/0100-Add-hack-which-fixes-forwarding-on-a-stacked-bridge-.patch b/build_patches/openwrt/0100-Add-hack-which-fixes-forwarding-on-a-stacked-bridge-.patch index 1be06519..f20c0929 100644 --- a/build_patches/openwrt/0100-Add-hack-which-fixes-forwarding-on-a-stacked-bridge-.patch +++ b/build_patches/openwrt/0100-Add-hack-which-fixes-forwarding-on-a-stacked-bridge-.patch @@ -6,13 +6,13 @@ Subject: [PATCH] Add hack which fixes forwarding on a stacked bridge --- .../999-fix-stacked-bridge-forwarding.patch | 12 ++++++++++++ 1 file changed, 12 insertions(+) - create mode 100644 target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch + create mode 100644 target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch -diff --git a/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch b/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch +diff --git a/target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch b/target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch new file mode 100644 index 0000000000..e1d4cb9cd5 --- /dev/null -+++ b/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch ++++ b/target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch @@ -0,0 +1,12 @@ +--- a/net/bridge/br_input.c ++++ b/net/bridge/br_input.c diff --git a/buildscript b/buildscript index ce95bd1e..d7e81d37 100755 --- a/buildscript +++ b/buildscript @@ -7,9 +7,9 @@ set -o pipefail builddir=./build # OpenWrt: package hashes correspond to core repo version -OPENWRTREV="v22.03.3" -PACKAGEREV="2048c5bbf6c482e45b080eef4c1c531936f7f41b" -ROUTINGREV="1a87333f268bcf0a11e3a665a357cb0d4ec2d680" +OPENWRTREV="v23.05.0" +PACKAGEREV="0da9f622975aa1e4efe452da4acbae15479bee63" +ROUTINGREV="2272106e0839ee06957e88e3596489e1b510d3c2" # Gluon packages: master from 2020-02-04 GLUONREV="12e41d0ff07ec54bbd67a31ab50d12ca04f2238c" 
diff --git a/src/packages/fff/fff-base/Makefile b/src/packages/fff/fff-base/Makefile index ff7e810e..29f06746 100644 --- a/src/packages/fff/fff-base/Makefile +++ b/src/packages/fff/fff-base/Makefile @@ -12,8 +12,6 @@ define Package/fff-base URL:=https://www.freifunk-franken.de DEFAULT:=y DEPENDS:= \ - +iptables-legacy \ - +ip6tables-legacy \ +micrond \ +odhcp6c \ +fff-config \ diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile index 1bb42d57..89275474 100644 --- a/src/packages/fff/fff-firewall/Makefile +++ b/src/packages/fff/fff-firewall/Makefile @@ -10,11 +10,7 @@ define Package/$(PKG_NAME) CATEGORY:=Freifunk TITLE:=Freifunk-Franken firewall URL:=https://www.freifunk-franken.de - DEPENDS:=+arptables-legacy \ - +ebtables-legacy +ebtables-legacy-utils \ - +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \ - +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra \ - +kmod-nf-conntrack6 + DEPENDS:=+nftables endef define Package/$(PKG_NAME)/description diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare index c2175f62..38578cc1 100644 --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare @@ -1,6 +1,3 @@ -######## CLEAN UP ############ -ebtables -F -ebtables -X - -iptables-save | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; } /COMMIT/ { print $0; }' | iptables-restore -ip6tables-save | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; } /COMMIT/ { print $0; }' | ip6tables-restore +nft -f - <<__EOF +flush ruleset +__EOF diff --git a/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801 b/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801 index 0be1e6cb..15621305 100644 --- a/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801 
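Review bot: `flush ruleset` in the new 00-prepare removes every table in every address family, not only the bridge/ip/ip6 state that the old ebtables flush and iptables reset touched, so any nftables table another package creates on the node (in the inet or netdev families, for instance) is wiped on each firewall run. If fff-firewall is the only nftables user on the device this is the intended clean slate, and it deserves a one-line comment saying so, e.g. `# fff-firewall owns the whole ruleset; every table is rebuilt by the firewall.d scripts that follow`. Otherwise flush only the tables these scripts own (`flush table bridge filter`, `flush table ip filter`, ...) so foreign tables survive.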
+++ b/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801 @@ -1,5 +1,15 @@ -# Erlaube nur fe80::1 von BATMAN -> CLIENT -ebtables -A FORWARD -p IPv6 --ip6-source fe80::1 -j IN_ONLY +nft -f - <<__EOF +table bridge filter { + chain INPUT { + # Erlaube nur fe80::1 von BATMAN -> CLIENT + # -p IPv6 --ip6-src fe80::1 -j IN_ONLY + ether type ip6 ip6 saddr fe80::1 counter jump IN_ONLY + } -# Erlaube nur fe80::1 von KNOTEN -> CLIENT -ebtables -A INPUT -p IPv6 --ip6-source fe80::1 -j IN_ONLY + chain FORWARD { + # Erlaube nur fe80::1 von KNOTEN -> CLIENT + # -p IPv6 --ip6-src fe80::1 -j IN_ONLY + ether type ip6 ip6 saddr fe80::1 counter jump IN_ONLY + } +} +__EOF diff --git a/src/packages/fff/fff-layer3-snat/Makefile b/src/packages/fff/fff-layer3-snat/Makefile index b1f27570..4340568d 100644 --- a/src/packages/fff/fff-layer3-snat/Makefile +++ b/src/packages/fff/fff-layer3-snat/Makefile @@ -13,7 +13,7 @@ define Package/fff-layer3-snat DEPENDS:= \ +fff-firewall \ +fff-layer3-config \ - +kmod-ipt-nat + +kmod-nft-nat endef define Package/fff-layer3-snat/description diff --git a/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat index b4ec9799..23c765e9 100644 --- a/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat +++ b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat 
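Review bot: The two comments in the new 30-gateway-fe801 are attached to the wrong chains: in the removed file `BATMAN -> CLIENT` belonged to the FORWARD rule and `KNOTEN -> CLIENT` to the INPUT rule, whereas the nft version puts `BATMAN -> CLIENT` under `chain INPUT` and `KNOTEN -> CLIENT` under `chain FORWARD`. Swap the two comment lines so each chain keeps the description of the rule it now holds (the old INPUT wording was arguably imprecise already, since INPUT carries traffic towards the node, but that is a separate cleanup). The quoted legacy option is also `--ip6-src`, while the removed rules actually used `--ip6-source`; quote the flag as it was used.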
@@ -1,4 +1,10 @@ if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then - iptables -t mangle -A PREROUTING -i br-client -j MARK --set-mark 0x736e6174 - iptables -t nat -A POSTROUTING -m mark --mark 0x736e6174 -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip) + nft add table ip mangle + nft add chain ip mangle PREROUTING '{ type filter hook prerouting priority mangle; policy accept; }' + + nft add table ip nat + nft add chain ip nat POSTROUTING '{ type nat hook postrouting priority srcnat; policy accept; }' + + nft add rule ip mangle PREROUTING iifname "br-client" counter mark set 0x736e6174 + nft add rule ip nat POSTROUTING meta mark 0x736e6174 counter snat ip to $(uci -q get network.client.fff_snat_sourceip) fi diff --git a/src/packages/fff/fff-layer3/Makefile b/src/packages/fff/fff-layer3/Makefile index e01ed84f..ad74804e 100644 --- a/src/packages/fff/fff-layer3/Makefile +++ b/src/packages/fff/fff-layer3/Makefile @@ -23,21 +23,13 @@ define Package/fff-layer3 +fff-ra \ +fff-web-mqtt \ +fff-wireguard \ - +arptables-legacy \ +bmon \ - +ebtables-legacy \ - +ebtables-legacy-utils \ - +kmod-ebtables-ipv4 \ - +kmod-ebtables-ipv6 \ +kmod-sched-cake \ +gre \ +@PACKAGE_grev4 \ +@PACKAGE_grev6 \ +iperf3 \ +ip-full \ - +iptables-mod-filter \ - +iptables-mod-ipopt \ - +iptables-mod-conntrack-extra \ +mtr \ +nftables \ +snmp-utils \ diff --git a/src/packages/fff/fff-layer3/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-layer3/files/usr/lib/firewall.d/10-no-forward-wan index 2d4ee926..55a43d00 100644 --- a/src/packages/fff/fff-layer3/files/usr/lib/firewall.d/10-no-forward-wan +++ b/src/packages/fff/fff-layer3/files/usr/lib/firewall.d/10-no-forward-wan 
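Review bot: The SNAT rule on the last added line interpolates `$(uci -q get network.client.fff_snat_sourceip)` unquoted into the nft command, so an unset or empty option yields `snat ip to` with no address, nft rejects that rule, and the mangle mark rule added just above stays in place with no SNAT behind it. The old iptables line had the same shape, but the rewrite is the place to read the value once and guard on it: `snat_ip="$(uci -q get network.client.fff_snat_sourceip)"` before the table setup, then nest the nft commands in `if [ -n "$snat_ip" ]; then ... fi` inside the existing `fff_snat` check and pass `"$snat_ip"` to `snat ip to`. An empty value is then skipped deliberately instead of leaving a half-applied rule set.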
@@ -1,5 +1,10 @@ # Ensure nothing is forwarded onto WAN interface if [ -n "$IF_WAN" ]; then - iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable - ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route + nft add table ip filter + nft add chain ip filter FORWARD '{ type filter hook forward priority filter; policy accept; }' + nft add table ip6 filter + nft add chain ip6 filter FORWARD '{ type filter hook forward priority filter; policy accept; }' + + nft add rule ip filter FORWARD oifname "$IF_WAN" counter reject with icmp net-unreachable + nft add rule ip6 filter FORWARD oifname "$IF_WAN" counter reject with icmpv6 no-route fi diff --git a/src/packages/fff/fff-network/arm/network.avm,fritzbox-4040 b/src/packages/fff/fff-network/arm/network.avm,fritzbox-4040 index 6586ff24..2aff959c 100644 --- a/src/packages/fff/fff-network/arm/network.avm,fritzbox-4040 +++ b/src/packages/fff/fff-network/arm/network.avm,fritzbox-4040 @@ -1,5 +1,6 @@ -WANDEV=eth0 -SWITCHDEV=eth0 -CLIENT_PORTS="0t 3 4" -WAN_PORTS="0t 5" -BATMAN_PORTS="0t 1 2" +WANDEV=switch0 +SWITCHDEV=switch0 +CLIENT_PORTS="lan3 lan4" +WAN_PORTS="wan" +BATMAN_PORTS="lan1 lan2" +DSA=1 diff --git a/src/packages/fff/fff-network/files/lib/functions/fff/portorder b/src/packages/fff/fff-network/files/lib/functions/fff/portorder index 6736438d..98dfc038 100644 --- a/src/packages/fff/fff-network/files/lib/functions/fff/portorder +++ b/src/packages/fff/fff-network/files/lib/functions/fff/portorder @@ -7,9 +7,6 @@ get_port_order() { local PORTORDER case "$BOARD" in - avm,fritzbox-4040) - PORTORDER="5 1 2 3 4" - ;; glinet,gl-ar150) PORTORDER="1" ;; diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains b/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains index 5db92968..68867341 100644 --- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains 
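Review bot: The two `nft add chain ... policy accept;` lines re-specify the base chain including its policy, and as far as I can tell nft applies that policy to an already existing chain too, so if `ip filter FORWARD` / `ip6 filter FORWARD` were created earlier with `policy drop` (which is exactly what fff-node's 06-disable-forwarding does) this script would reset them to accept before appending its reject rules. If fff-layer3 and fff-node never share a device this cannot happen today, but the coupling is silent and nothing documents it. Dropping `policy accept;` from both `add chain` specs keeps the default accept when the chain is created and leaves an existing chain's policy untouched: `nft add chain ip filter FORWARD '{ type filter hook forward priority filter; }'` and the same for ip6.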
+++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains 
@@ -1,34 +1,44 @@ -######## IN_ONLY ############ -ebtables -N IN_ONLY -P RETURN +nft -f - <<__EOF +table bridge filter { + # IN_ONLY wird angesprungen, wenn dieses Paket nur + # vom Gateway (also vom BATMAN) kommen darf. + chain IN_ONLY { + # -i ! bat0 --logical-in br-client -j DROP + iifname != "bat0" counter drop + counter + } -# Daten aus dem BATMAN werden erlaubt -# Alles ausser Daten von BATMAN werden DROP'ed -ebtables -A IN_ONLY -i ! bat0 --logical-in br-client -j DROP + # OUT_ONLY wird angesprungen, wenn dieses Paket nur + # in Richtung Gateway (also ins BATMAN) gesendet werden darf. + chain OUT_ONLY { + # --logical-out br-client -o ! bat0 -j DROP + oifname != "bat0" counter drop + counter + } -######## OUT_ONLY ############ -ebtables -N OUT_ONLY -P RETURN + # MULTICAST_OUT filtert/reduziert Multicast-Frames, die ins BATMAN gesendet werden. + chain MULTICAST_OUT { + } -# Daten ins BATMAN werden erlaubt -# Alles ausser Daten ins BATMAN werden DROP'ed -ebtables -A OUT_ONLY --logical-out br-client -o ! bat0 -j DROP + chain INPUT { + type filter hook input priority filter; policy accept; -######## MULTICAST_OUT ############ -ebtables -N MULTICAST_OUT -P DROP + # -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT + iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 accept + } -######## INPUT ############ -ebtables -P INPUT ACCEPT + chain FORWARD { + type filter hook forward priority filter; policy accept; -# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT -ebtables -A INPUT -d Multicast --logical-in br-client -i ! 
bat0 -j ACCEPT + # -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT + oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT + } -######## FORWARD ############ -ebtables -P FORWARD ACCEPT + chain OUTPUT { + type filter hook output priority filter; policy accept; -# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT -ebtables -A FORWARD -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT - -######## OUTPUT ############ -ebtables -P OUTPUT ACCEPT - -# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT -ebtables -A OUTPUT -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT + # -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT + oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT + } +} +__EOF diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding index 083db822..26aacc0a 100644 --- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding +++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding @@ -1,2 +1,12 @@ -/usr/sbin/iptables -P FORWARD DROP -/usr/sbin/ip6tables -P FORWARD DROP +nft -f - <<__EOF +table ip filter { + chain FORWARD { + type filter hook forward priority filter; policy drop; + } +} +table ip6 filter { + chain FORWARD { + type filter hook forward priority filter; policy drop; + } +} +__EOF diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp index a50c799f..68f1387b 100644 --- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp +++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp 
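Review bot: The translated rules in IN_ONLY, OUT_ONLY, INPUT, FORWARD and OUTPUT of 05-setup-batman-chains drop the `--logical-in br-client` / `--logical-out br-client` half of every legacy match, so `iifname != "bat0" counter drop` now applies to frames on any bridge rather than only br-client, while the comment above each rule still quotes the bridge condition. If bat0 is only ever a port of br-client the effect is identical, but that assumption should either be stated in the file or restored with `meta ibrname "br-client"` / `meta obrname "br-client"` (which needs the nft_meta_bridge module, kmod-nft-bridge on OpenWrt, so the package DEPENDS would need checking if you go that way). Separately, the INPUT and FORWARD rules carry `counter packets 0 bytes 0`, which is `nft list` output rather than syntax you want in a source file; plain `counter`, as the OUTPUT rule uses, is the intended form. The empty `chain MULTICAST_OUT { }` would also benefit from a note that its terminal drop lives in 36-mc-policy, since the old `-P DROP` is no longer visible here.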
@@ -1,8 +1,19 @@ -# Erlaube DHCP Requests -ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN +nft -f - <<__EOF +table bridge filter { + chain MULTICAST_OUT { + # Erlaube DHCP Requests + # -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN + ether type ip udp dport 67 counter return + } -# Erlaube nur DHCP Request von CLIENT -> BATMAN -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY + chain FORWARD { + # Erlaube nur DHCP Request von CLIENT -> BATMAN + # -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY + ether type ip udp dport 67 counter jump OUT_ONLY -# Erlaube nur DHCP Antworten von BATMAN -> CLIENT -ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY + # Erlaube nur DHCP Antworten von BATMAN -> CLIENT + # -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY + ether type ip udp dport 68 counter jump IN_ONLY + } +} +__EOF diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6 b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6 index 068ef06e..cb4ac9b1 100644 --- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6 +++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6 
@@ -1,8 +1,19 @@ -# Erlaube DHCPv6 Requests -ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN +nft -f - <<__EOF +table bridge filter { + chain MULTICAST_OUT { + # Erlaube DHCPv6 Requests + # -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN + ether type ip6 udp dport 547 counter return + } -# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY + chain FORWARD { + # Erlaube nur DHCPv6 Request von CLIENT -> BATMAN + # -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY + ether type ip6 udp dport 547 counter jump OUT_ONLY -# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT -ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY + # Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT + # -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY + ether type ip6 udp dport 546 counter jump IN_ONLY + } +} +__EOF diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra index 29562ded..8ea5aef2 100644 --- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra +++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra 
@@ -1,5 +1,13 @@ -# Erlaube nur Router-Solicitation von CLIENT -> BATMAN -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY +nft -f - <<__EOF +table bridge filter { + chain FORWARD { + # Erlaube nur Router-Solicitation von CLIENT -> BATMAN + # -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY + ether type ip6 icmpv6 type nd-router-solicit counter jump OUT_ONLY -# Erlaube nur Router-Advertisment von BATMAN -> CLIENT -ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY + # Erlaube nur Router-Advertisment von BATMAN -> CLIENT + # -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY + ether type ip6 icmpv6 type nd-router-advert counter jump IN_ONLY + } +} +__EOF diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp index 9280a918..045fdc39 100644 --- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp +++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp @@ -1,5 +1,15 @@ -# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN -ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY +nft -f - <<__EOF +table bridge filter { + chain INPUT { + # Erlaube nur DHCP Antworten von BATMAN -> KNOTEN + # -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY + ether type ip udp dport 68 counter jump IN_ONLY + } -# Erlaube nur DHCP Request von KNOTEN -> BATMAN -ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY + chain OUTPUT { + # Erlaube nur DHCP Request von KNOTEN -> BATMAN + # -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY + ether type ip udp dport 67 counter jump OUT_ONLY + } +} +__EOF diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6 b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6 index 97c3df35..05913de4 100644 
--- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6 +++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6 @@ -1,5 +1,15 @@ -# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN -ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY +nft -f - <<__EOF +table bridge filter { + chain INPUT { + # Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN + # -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY + ether type ip6 udp dport 546 counter jump IN_ONLY + } -# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN -ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY + chain OUTPUT { + # Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN + # -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY + ether type ip6 udp dport 547 counter jump OUT_ONLY + } +} +__EOF diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra index e619201c..86e4266c 100644 --- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra +++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra 
@@ -1,11 +1,23 @@ -# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN -ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY +nft -f - <<__EOF +table bridge filter { + chain INPUT { + # Erlaube nur Router-Advertisment von BATMAN -> KNOTEN + # -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY + ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-advert counter jump IN_ONLY -# Verbiete Router-Solicitation von BATMAN -> KNOTEN -ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP + # Verbiete Router-Solicitation von BATMAN -> KNOTEN + # -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP + iifname "bat0" ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter drop + } -# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN -ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY + chain OUTPUT { + # Erlaube nur Router-Solicitation von KNOTEN -> BATMAN + # -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY + ether type ip6 icmpv6 type nd-router-solicit counter jump OUT_ONLY -# Verbiete Router-Advertisment von KNOTEN -> BATMAN -ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP + # Verbiete Router-Advertisment von KNOTEN -> BATMAN + # -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP + oifname "bat0" ether type ip6 icmpv6 type nd-router-advert counter drop + } +} +__EOF diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc index 50cc31f8..6bd68d37 100644 --- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc +++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc 
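Review bot: The INPUT rules in the new 31-node-ra match with `ether type ip6 ip6 nexthdr icmpv6 icmpv6 type ...`, while the OUTPUT rules in the same file and both rules in 30-client-ra use `ether type ip6 icmpv6 type ...`. The two forms are not quite equivalent: `ip6 nexthdr` looks only at the first next-header field, whereas the dependency nft generates for a bare `icmpv6 type` (`meta l4proto ipv6-icmp`, as I understand it) also matches when extension headers precede the ICMPv6 header. Either is defensible for RA/RS filtering, but pick one and use it throughout the series; the shorter `ether type ip6 icmpv6 type nd-router-advert counter jump IN_ONLY` matches the other files.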
@@ -1,6 +1,13 @@
-# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
-
-# Erlaube Organisation der Multicast Gruppen
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
+nft -f - <<__EOF
+table bridge filter {
+ chain MULTICAST_OUT {
+ # Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
+ # -p IPv6 --ip6-proto ip -j RETURN
+ ether type ip6 ip6 nexthdr 0 counter return
+ # Erlaube Organisation der Multicast Gruppen
+ # -p IPv4 --ip-proto igmp -j RETURN
+ ether type ip meta l4proto igmp counter return
+ }
+}
+__EOF
diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
index 50e0191e..84b01faf 100644
--- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
+++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp
@@ -1,8 +1,17 @@
-# Verbiete ARP Antworten an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
+nft -f - <<__EOF
+table bridge filter {
+ chain MULTICAST_OUT {
+ # Verbiete ARP Antworten an alle
+ # -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
+ ether type arp arp operation reply arp daddr ip 0.0.0.0 counter drop
-# Verbiete ARP Requests an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
+ # Verbiete ARP Requests an alle
+ # -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
+ ether type arp arp operation request arp daddr ip 0.0.0.0 counter drop
-# Erlaube alle anderen ARP's
-ebtables -A MULTICAST_OUT -p ARP -j RETURN
+ # Erlaube alle anderen ARP's
+ # -p ARP -j RETURN
+ ether type arp counter return
+ }
+}
+__EOF
diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
index 877b0276..c45baf6a 100644
--- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
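Review bot: `ether type ip6 ip6 nexthdr 0 counter return` whitelists every IPv6 packet whose first extension header is hop-by-hop, whatever the transport payload, so a client can get arbitrary IPv6 multicast past the terminal drop of MULTICAST_OUT simply by prepending a hop-by-hop options header; the "??" in the copied comment shows the intent was never pinned down. The only legitimate traffic that needs this is MLD (Router Alert option), and MLD is ICMPv6, which 35-mc-ping already returns for via `meta l4proto icmpv6`, so the rule is either redundant or a bypass. The old ebtables `--ip6-proto 0` compared, as far as I can tell, the protocol after skipping extension headers and therefore never matched, so this is a behaviour change rather than a straight translation. Suggest restricting it to `ether type ip6 ip6 nexthdr 0 meta l4proto icmpv6 counter return` with the comment `# MLD carries a hop-by-hop Router Alert option; only let ICMPv6 through here`, or dropping the rule altogether.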
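Review bot: The first rule matches `arp daddr ip 0.0.0.0` although the ebtables rule it replaces, and the pseudo-ebtables comment kept right above it, say `--arp-ip-src 0.0.0.0`, so ARP replies claiming source 0.0.0.0 are no longer dropped and the rule has become a near-duplicate of the request rule below it, differing only in `arp operation`. The nft equivalent of `--arp-ip-src` is `arp saddr ip`. Suggest `ether type arp arp operation reply arp saddr ip 0.0.0.0 counter drop`; if matching the destination address was intended, the comment above it needs to say so.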
+++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping
@@ -1,6 +1,13 @@
-# Erlaube PING
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
-
-# Erlaube PINGv6
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
+nft -f - <<__EOF
+table bridge filter {
+ chain MULTICAST_OUT {
+ # Erlaube PING
+ # -p IPv4 --ip-proto icmp -j RETURN
+ ether type ip meta l4proto icmp counter return
+ # Erlaube PINGv6
+ # -p IPv6 --ip6-proto ipv6-icmp -j RETURN
+ ether type ip6 meta l4proto icmpv6 counter return
+ }
+}
+__EOF
diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/36-mc-policy b/src/packages/fff/fff-node/files/usr/lib/firewall.d/36-mc-policy
new file mode 100644
index 00000000..dc3e24f0
--- /dev/null
+++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/36-mc-policy
@@ -0,0 +1,8 @@
+nft -f - <<__EOF
+table bridge filter {
+ chain MULTICAST_OUT {
+ # policy: DROP
+ counter drop
+ }
+}
+__EOF
diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
index 33c4a6d9..b5e733fc 100644
--- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
+++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
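Review bot: The comments `# Erlaube PING` / `# Erlaube PINGv6` undersell what the rules do: `meta l4proto icmp` and `meta l4proto icmpv6` return for every ICMP and ICMPv6 type, not only echo, and because MULTICAST_OUT ends in an unconditional drop (36-mc-policy) this is the rule that actually lets IPv6 neighbour discovery and MLD multicast through. That is unchanged from the ebtables version, but once the file is being rewritten anyway the real purpose should be stated so nobody later "tightens" it to echo-request only. Suggest `# Allow all ICMP / ICMPv6 (ping, but also ND and MLD, which the multicast drop below would otherwise catch)` in place of the two PING comments.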
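Review bot: The unconditional `counter drop` stands in for the old chain policy, but the comment `# policy: DROP` does not say why a rule is used instead of a policy or what that implies for ordering. MULTICAST_OUT is, by the look of it, a regular chain that is jumped to, and regular chains cannot carry a policy in nftables, so a terminal rule is the only option; the consequence is that any firewall.d file sorting after `36-*` that appends to MULTICAST_OUT adds dead rules behind this drop. Suggest `# MULTICAST_OUT is a regular (non-base) chain and cannot have a policy; this terminal drop must stay the last rule, so no later firewall.d file may append to this chain`.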
@@ -1,11 +1,30 @@
-# No input from/to local node ip from batman
-ebtables -A INPUT --logical-in br-client -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-ebtables -A INPUT --logical-in br-client -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+nft -f - <<__EOF
+table bridge filter {
+ chain INPUT {
+ # No input from/to local node ip from batman
-# Do not forward local node ip
-ebtables -A FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+ # -p IPv6 -i bat0 --logical-in br-client --ip6-src fdff::1 -j DROP
+ iifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+ # -p IPv6 -i bat0 --logical-in br-client --ip6-dst fdff::1 -j DROP
+ iifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+ }
-# Do not output local node ip to batman
-ebtables -A OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+ chain FORWARD {
+ # Do not forward local node ip
+
+ # -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
+ oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+ # -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
+ oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+ }
+
+ chain OUTPUT {
+ # Do not output local node ip to batman
+
+ # -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
+ oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+ # -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
+ oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+ }
+}
+__EOF
diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-nft-counter b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-nft-counter
new file mode 100644
index 00000000..b08bfb1d
--- /dev/null
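Review bot: Each of the six rules silently drops the `--logical-in br-client` / `--logical-out br-client` qualifier the ebtables rules had, while the pseudo-ebtables comments above them still list it; in the bridge family the equivalent is `meta ibrname "br-client"` for input and `meta obrname "br-client"` for forward/output. Without it the rules apply to any bridge that has bat0 as a port, which is probably harmless on a node where bat0 belongs only to br-client, but a comment and the rule below it should not disagree about what is matched. Suggest either `iifname "bat0" meta ibrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop` (and `oifname "bat0" meta obrname "br-client" ...` for the FORWARD/OUTPUT rules), or removing `--logical-in/--logical-out br-client` from the comments with a note that the bridge restriction was dropped on purpose.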
+++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-nft-counter
@@ -0,0 +1,15 @@
+nft -f - <<__EOF
+table bridge filter {
+ chain INPUT {
+ counter
+ }
+
+ chain FORWARD {
+ counter
+ }
+
+ chain OUTPUT {
+ counter
+ }
+}
+__EOF
diff --git a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
index ae2dba25..37b230ba 100644
--- a/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
+++ b/src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra
@@ -1,5 +1,15 @@
-# Erlaube router solicitation von client zu knoten
-ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+nft -f - <<__EOF
+table bridge filter {
+ chain INPUT {
+ # Erlaube router solicitation von client zu knoten
+ # -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+ iifname != "bat0" ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter accept
+ }
-# Erlaube router advertisment von knoten zu client
-ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
+ chain OUTPUT {
+ # Erlaube router advertisment von knoten zu client
+ # -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
+ oifname != "bat0" ether type ip6 icmpv6 type nd-router-advert counter accept
+ }
+}
+__EOF
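Review bot: The INPUT accept uses `ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit` while the OUTPUT accept uses plain `icmpv6 type nd-router-advert`, so the two rules disagree on packets with IPv6 extension headers: `ip6 nexthdr` matches only when ICMPv6 immediately follows the base header, whereas `icmpv6 type` on its own gets a `meta l4proto` dependency from recent nft that the bridge hook resolves past extension headers. Here the stricter form sits on an accept rule, so an RS from a client that carries an extension header is not accepted by this file and falls through to the rest of INPUT, which is probably not what the ebtables original (whose `--ip6-proto` skipped extension headers, as far as I recall) did. Suggest `iifname != "bat0" ether type ip6 icmpv6 type nd-router-solicit counter accept` so both directions use the same match form; if rejecting RS with extension headers is intended, say so in the comment instead.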