build_patches/openwrt/0001-Disable-OpenWrt-config-migration-mechanisms.patch

@@ -6,10 +6,10 @@ This disables all OpenWrt config migration mechanisms except for
 files listed in /etc/sysupgrade.conf
 
 diff --git a/package/base-files/files/sbin/sysupgrade b/package/base-files/files/sbin/sysupgrade
-index 7e0a00e13b8ee4be7163936fd01a7beff0ce5c99..97f50dc83088e29fba651741fff28c70f7585b3f 100755
+index 9315091302..be8325463e 100755
 --- a/package/base-files/files/sbin/sysupgrade
 +++ b/package/base-files/files/sbin/sysupgrade
-@@ -135,14 +135,14 @@ list_static_conffiles() {
+@@ -139,14 +139,14 @@ list_static_conffiles() {
  	local filter=$1
  
  	find $(sed -ne '/^[[:space:]]*$/d; /^#/d; p' \

build_patches/openwrt/0002-set-root-password.patch

@@ -3,7 +3,7 @@ Date: Sat, 8 Jul 2017 10:47:28 +0200
 Subject: set root password
 
 diff --git a/package/base-files/files/etc/shadow b/package/base-files/files/etc/shadow
-index 4b4154f21f478cc025a350363b3e34319c6afacc..b8d180a95691ab09f9c4d759ffd97da34a022623 100644
+index 39bdb9c90a..b8d180a956 100644
 --- a/package/base-files/files/etc/shadow
 +++ b/package/base-files/files/etc/shadow
 @@ -1,4 +1,4 @@

build_patches/openwrt/0004-build-remove-libustream-and-certs-from-default-packa.patch

@@ -5,13 +5,12 @@ Subject: build: remove libustream and certs from default packages
 This effectively reverts upstream commit e79df3516d3e ("build: add
 libustream and certs to default pkgs").
 
-The libustream-wolfssl library conflicts with the libustream-mbedtls
-we are selecting in fff-web-ui and is probably much bigger.
-
 Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
+[fabian@blaese.de: Rebase onto OpenWrt 23.05]
+Signed-off-by: Fabian Bläse <fabian@blaese.de>
 
 diff --git a/include/target.mk b/include/target.mk
-index 7526224972e18148fec8a12318ca7f90a382475f..338e97f836759fc454986210e5818ad390ba6efb 100644
+index b5e3e7ff6f..2324b6cc11 100644
 --- a/include/target.mk
 +++ b/include/target.mk
 @@ -12,12 +12,10 @@ DEVICE_TYPE?=router
@@ -23,7 +22,7 @@ index 7526224972e18148fec8a12318ca7f90a382475f..338e97f836759fc454986210e5818ad3
  	fstools \
  	libc \
  	libgcc \
--	libustream-wolfssl \
+-	libustream-mbedtls \
  	logd \
  	mtd \
  	netifd \

build_patches/openwrt/0050-Disable-ipq40xx-lan-wan-separation.patch

@@ -1,132 +0,0 @@
-From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= <fabian@blaese.de>
-Date: Sat, 7 Aug 2021 00:40:34 +0200
-Subject: [PATCH] Disable ipq40xx lan/wan separation
-
-While the ipq40xx only has a single MDIO connection to the switch chip,
-the ipq40xx essedma ethernet driver configures two gmac interfaces,
-which are seperated into WAN and LAN ports using vlan cid at driver
-level. Linux is not aware of these vlan tags.
-
-However, this configuration does interfere with the vlan ids we use in
-our firmware. Therefore, this feature is disabled by setting the default
-vlan id for all gmacs to 0, changing the port mask so all physical ports
-are connected to the first gmac, and reducing the amount of configured
-gmacs to one. The definition of the second gmac is kept, because it is
-referenced by some devices. The default configuration of the switch chip
-is removed accordingly.
-
-These changes are currently only done with the FritzBox 4040 in mind.
----
- .../linux/ipq40xx/base-files/etc/board.d/01_leds |  2 +-
- .../ipq40xx/base-files/etc/board.d/02_network    |  3 +--
- .../ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c |  2 ++
- .../drivers/net/ethernet/qualcomm/essedma/edma.h | 16 ++++++++--------
- ...1-dts-ipq4019-add-ethernet-essedma-node.patch |  6 +++---
- 5 files changed, 15 insertions(+), 14 deletions(-)
-
-diff --git a/target/linux/ipq40xx/base-files/etc/board.d/01_leds b/target/linux/ipq40xx/base-files/etc/board.d/01_leds
-index 884b265dcb..77b0754635 100644
---- a/target/linux/ipq40xx/base-files/etc/board.d/01_leds
-+++ b/target/linux/ipq40xx/base-files/etc/board.d/01_leds
-@@ -24,7 +24,7 @@ asus,rt-ac58u)
- 	;;
- avm,fritzbox-4040)
- 	ucidef_set_led_wlan "wlan" "WLAN" "green:wlan" "phy0tpt" "phy1tpt"
--	ucidef_set_led_netdev "wan" "WAN" "green:wan" "eth1"
-+	ucidef_set_led_switch "wan" "WAN" "green:wan" "switch0" "0x20"
- 	ucidef_set_led_switch "lan" "LAN" "green:lan" "switch0" "0x1e"
- 	;;
- avm,fritzbox-7530 |\
-diff --git a/target/linux/ipq40xx/base-files/etc/board.d/02_network b/target/linux/ipq40xx/base-files/etc/board.d/02_network
-index 2aa4886e6a..7390769661 100644
---- a/target/linux/ipq40xx/base-files/etc/board.d/02_network
-+++ b/target/linux/ipq40xx/base-files/etc/board.d/02_network
-@@ -68,9 +68,8 @@ ipq40xx_setup_interfaces()
- 	avm,fritzbox-4040|\
- 	linksys,ea6350v3|\
- 	linksys,ea8300)
--		ucidef_set_interfaces_lan_wan "eth0" "eth1"
- 		ucidef_add_switch "switch0" \
--			"0u@eth0" "1:lan" "2:lan" "3:lan" "4:lan"
-+			"0@eth0" "1:lan" "2:lan" "3:lan" "4:lan" "5:wan"
- 		;;
- 	linksys,mr8300)
- 		ucidef_set_interfaces_lan_wan "eth0" "eth1"
-diff --git a/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c b/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c
-index f7ce42b9ff..a8da7ac653 100644
---- a/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c
-+++ b/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c
-@@ -1481,6 +1481,7 @@ ar40xx_vlan_init(struct ar40xx_priv *priv)
- 	unsigned long bmp;
- 
- 	/* By default Enable VLAN */
-+	/*
- 	priv->vlan = 1;
- 	priv->vlan_table[AR40XX_LAN_VLAN] = priv->cpu_bmp | priv->lan_bmp;
- 	priv->vlan_table[AR40XX_WAN_VLAN] = priv->cpu_bmp | priv->wan_bmp;
-@@ -1492,6 +1493,7 @@ ar40xx_vlan_init(struct ar40xx_priv *priv)
- 	bmp = priv->wan_bmp;
- 	for_each_set_bit(port, &bmp, AR40XX_NUM_PORTS)
- 			priv->pvid[port] = AR40XX_WAN_VLAN;
-+	*/
- 
- 	return 0;
- }
-diff --git a/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h b/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h
-index 015e5f5026..daa60639d1 100644
---- a/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h
-+++ b/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h
-@@ -57,14 +57,14 @@
- #define EDMA_LAN 1
- 
- /* VLAN tag */
--#define EDMA_LAN_DEFAULT_VLAN 1
--#define EDMA_WAN_DEFAULT_VLAN 2
--
--#define EDMA_DEFAULT_GROUP1_VLAN 1
--#define EDMA_DEFAULT_GROUP2_VLAN 2
--#define EDMA_DEFAULT_GROUP3_VLAN 3
--#define EDMA_DEFAULT_GROUP4_VLAN 4
--#define EDMA_DEFAULT_GROUP5_VLAN 5
-+#define EDMA_LAN_DEFAULT_VLAN 0
-+#define EDMA_WAN_DEFAULT_VLAN 0
-+
-+#define EDMA_DEFAULT_GROUP1_VLAN 0
-+#define EDMA_DEFAULT_GROUP2_VLAN 0
-+#define EDMA_DEFAULT_GROUP3_VLAN 0
-+#define EDMA_DEFAULT_GROUP4_VLAN 0
-+#define EDMA_DEFAULT_GROUP5_VLAN 0
- 
- /* Queues exposed to linux kernel */
- #define EDMA_NETDEV_TX_QUEUE 4
-diff --git a/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch b/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch
-index 3567eb7810..b13b312a91 100644
---- a/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch
-+++ b/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch
-@@ -36,7 +36,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
- +			qcom,rx_head_buf_size = <1540>;
- +			qcom,mdio_supported;
- +			qcom,poll_required = <1>;
--+			qcom,num_gmac = <2>;
-++			qcom,num_gmac = <1>;
- +			interrupts = <0  65 IRQ_TYPE_EDGE_RISING
- +				      0  66 IRQ_TYPE_EDGE_RISING
- +				      0  67 IRQ_TYPE_EDGE_RISING
-@@ -74,7 +74,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
- +
- +			gmac0: gmac0 {
- +				local-mac-address = [00 00 00 00 00 00];
--+				vlan_tag = <1 0x1f>;
-++				vlan_tag = <0 0x3f>;
- +			};
- +
- +			gmac1: gmac1 {
-@@ -83,7 +83,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
- +				qcom,poll_required = <1>;
- +				qcom,forced_speed = <1000>;
- +				qcom,forced_duplex = <1>;
--+				vlan_tag = <2 0x20>;
-++				vlan_tag = <0 0x00>;
- +			};
- +		};
- +

build_patches/openwrt/0050-ipq40xx-restore-label-mac-alias.patch

@@ -0,0 +1,27 @@
+From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= <fabian@blaese.de>
+Date: Sun, 6 Aug 2023 19:57:16 +0200
+Subject: [PATCH 1/2] ipq40xx: re-add label MAC address for FritzBox 4040
+
+The MAC address of the GMAC is contained inside the CWMP-Account
+number on the label.
+
+The label MAC address alias was defined previously, but it has been
+removed with the switch to IPQESS / DSA.
+
+Restore the label MAC address alias.
+
+Fixes: 27b441cbaf42 ("ipq40xx: drop ESSEDMA + AR40xx DTS nodes")
+Signed-off-by: Fabian Bläse <fabian@blaese.de>
+
+diff --git a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts
+index e448206c36..ec1112ee2b 100644
+--- a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts
++++ b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts
+@@ -14,6 +14,7 @@
+ 		led-failsafe = &flash;
+ 		led-running = &power;
+ 		led-upgrade = &flash;
++		label-mac-device = &gmac;
+ 	};
+ 
+ 	soc {

build_patches/openwrt/0051-ipq40xx-retain-old-compat_version.patch

@@ -0,0 +1,17 @@
+From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= <fabian@blaese.de>
+Date: Tue, 8 Aug 2023 20:59:16 +0200
+Subject: [PATCH] ipq40xx: retain old compat_version
+
+diff --git a/target/linux/ipq40xx/image/Makefile b/target/linux/ipq40xx/image/Makefile
+index 2ba4c779a0..5851b29875 100644
+--- a/target/linux/ipq40xx/image/Makefile
++++ b/target/linux/ipq40xx/image/Makefile
+@@ -10,8 +10,6 @@ define Device/Default
+ 	IMAGES := sysupgrade.bin
+ 	IMAGE/sysupgrade.bin = sysupgrade-tar | append-metadata
+ 	IMAGE/sysupgrade.bin/squashfs :=
+-	DEVICE_COMPAT_VERSION := 1.1
+-	DEVICE_COMPAT_MESSAGE := Config cannot be migrated from swconfig to DSA
+ endef
+ 
+ include $(SUBTARGET).mk

build_patches/openwrt/0100-Add-hack-which-fixes-forwarding-on-a-stacked-bridge-.patch

@@ -6,13 +6,13 @@ Subject: [PATCH] Add hack which fixes forwarding on a stacked bridge
 ---
  .../999-fix-stacked-bridge-forwarding.patch          | 12 ++++++++++++
  1 file changed, 12 insertions(+)
- create mode 100644 target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch
+ create mode 100644 target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch
 
-diff --git a/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch b/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch
+diff --git a/target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch b/target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch
 new file mode 100644
 index 0000000000..e1d4cb9cd5
 --- /dev/null
-+++ b/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch
++++ b/target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch
 @@ -0,0 +1,12 @@
 +--- a/net/bridge/br_input.c
 ++++ b/net/bridge/br_input.c

buildscript

@@ -7,9 +7,9 @@ set -o pipefail
 builddir=./build
 
 # OpenWrt: package hashes correspond to core repo version
-OPENWRTREV="v22.03.3"
-PACKAGEREV="2048c5bbf6c482e45b080eef4c1c531936f7f41b"
-ROUTINGREV="1a87333f268bcf0a11e3a665a357cb0d4ec2d680"
+OPENWRTREV="v23.05.0"
+PACKAGEREV="0da9f622975aa1e4efe452da4acbae15479bee63"
+ROUTINGREV="2272106e0839ee06957e88e3596489e1b510d3c2"
 
 # Gluon packages: master from 2020-02-04
 GLUONREV="12e41d0ff07ec54bbd67a31ab50d12ca04f2238c"

src/packages/fff/fff-base/Makefile

@@ -12,8 +12,6 @@ define Package/fff-base
 	URL:=https://www.freifunk-franken.de
 	DEFAULT:=y
 	DEPENDS:= \
-		+iptables-legacy \
-		+ip6tables-legacy \
 		+micrond \
 		+odhcp6c \
 		+fff-config \

src/packages/fff/fff-firewall/Makefile

@@ -10,11 +10,7 @@ define Package/$(PKG_NAME)
 	CATEGORY:=Freifunk
 	TITLE:=Freifunk-Franken firewall
 	URL:=https://www.freifunk-franken.de
-	DEPENDS:=+arptables-legacy \
-			 +ebtables-legacy +ebtables-legacy-utils \
-			 +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
-			 +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra \
-			 +kmod-nf-conntrack6
+	DEPENDS:=+nftables
 endef
 
 define Package/$(PKG_NAME)/description

src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare

@@ -1,6 +1,3 @@
-######## CLEAN UP ############
-ebtables -F
-ebtables -X
-
-iptables-save  | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }  /COMMIT/ { print $0; }' | iptables-restore
-ip6tables-save | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }  /COMMIT/ { print $0; }' | ip6tables-restore
+nft -f - <<__EOF
+flush ruleset
+__EOF

src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801

@@ -1,5 +1,15 @@
-# Erlaube nur fe80::1 von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-source fe80::1 -j IN_ONLY
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# Erlaube nur fe80::1 von BATMAN -> CLIENT
+		# -p IPv6 --ip6-src fe80::1 -j IN_ONLY
+		ether type ip6 ip6 saddr fe80::1 counter jump IN_ONLY
+	}
 
-# Erlaube nur fe80::1 von KNOTEN -> CLIENT
-ebtables -A INPUT -p IPv6 --ip6-source fe80::1 -j IN_ONLY
+	chain FORWARD {
+		# Erlaube nur fe80::1 von KNOTEN -> CLIENT
+		# -p IPv6 --ip6-src fe80::1 -j IN_ONLY
+		ether type ip6 ip6 saddr fe80::1 counter jump IN_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-layer3-snat/Makefile

@@ -13,7 +13,7 @@ define Package/fff-layer3-snat
 	DEPENDS:= \
 		+fff-firewall \
 		+fff-layer3-config \
-		+kmod-ipt-nat
+		+kmod-nft-nat
 endef
 
 define Package/fff-layer3-snat/description

src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat

@@ -1,4 +1,10 @@
 if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then
-	iptables -t mangle -A PREROUTING -i br-client -j MARK --set-mark 0x736e6174
-	iptables -t nat -A POSTROUTING -m mark --mark 0x736e6174 -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip)
+	nft add table ip mangle
+	nft add chain ip mangle PREROUTING '{ type filter hook prerouting priority mangle; policy accept; }'
+
+	nft add table ip nat
+	nft add chain ip nat POSTROUTING '{ type nat hook postrouting priority srcnat; policy accept; }'
+
+	nft add rule ip mangle PREROUTING iifname "br-client" counter mark set 0x736e6174
+	nft add rule ip nat POSTROUTING meta mark 0x736e6174 counter snat ip to $(uci -q get network.client.fff_snat_sourceip)
 fi

src/packages/fff/fff-layer3/Makefile

@@ -23,21 +23,13 @@ define Package/fff-layer3
 	         +fff-ra \
 	         +fff-web-mqtt \
 	         +fff-wireguard \
-	         +arptables-legacy \
 	         +bmon \
-	         +ebtables-legacy \
-	         +ebtables-legacy-utils \
-	         +kmod-ebtables-ipv4 \
-	         +kmod-ebtables-ipv6 \
 	         +kmod-sched-cake \
 	         +gre \
 	         +@PACKAGE_grev4 \
 	         +@PACKAGE_grev6 \
 	         +iperf3 \
 	         +ip-full \
-	         +iptables-mod-filter \
-	         +iptables-mod-ipopt \
-	         +iptables-mod-conntrack-extra \
 	         +mtr \
 	         +nftables \
 	         +snmp-utils \

src/packages/fff/fff-layer3/files/usr/lib/firewall.d/10-no-forward-wan

@@ -1,5 +1,10 @@
 # Ensure nothing is forwarded onto WAN interface
 if [ -n "$IF_WAN" ]; then
-	iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
-	ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
+	nft add table ip filter
+	nft add chain ip filter FORWARD '{ type filter hook forward priority filter; policy accept; }'
+	nft add table ip6 filter
+	nft add chain ip6 filter FORWARD '{ type filter hook forward priority filter; policy accept; }'
+
+	nft add rule ip filter FORWARD oifname "$IF_WAN" counter reject with icmp net-unreachable
+	nft add rule ip6 filter FORWARD oifname "$IF_WAN" counter reject with icmpv6 no-route
 fi

src/packages/fff/fff-network/arm/network.avm,fritzbox-4040

@@ -1,5 +1,6 @@
-WANDEV=eth0
-SWITCHDEV=eth0
-CLIENT_PORTS="0t 3 4"
-WAN_PORTS="0t 5"
-BATMAN_PORTS="0t 1 2"
+WANDEV=switch0
+SWITCHDEV=switch0
+CLIENT_PORTS="lan3 lan4"
+WAN_PORTS="wan"
+BATMAN_PORTS="lan1 lan2"
+DSA=1

src/packages/fff/fff-network/files/lib/functions/fff/portorder

@@ -7,9 +7,6 @@ get_port_order() {
 	local PORTORDER
 
 	case "$BOARD" in
-		avm,fritzbox-4040)
-			PORTORDER="5 1 2 3 4"
-			;;
 		glinet,gl-ar150)
 			PORTORDER="1"
 			;;

src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains

@@ -1,34 +1,44 @@
-######## IN_ONLY ############
-ebtables -N IN_ONLY -P RETURN
+nft -f - <<__EOF
+table bridge filter {
+	# IN_ONLY wird angesprungen, wenn dieses Paket nur
+	# vom Gateway (also vom BATMAN) kommen darf.
+	chain IN_ONLY {
+		# -i ! bat0 --logical-in br-client -j DROP
+		iifname != "bat0" counter drop
+		counter
+	}
 
-# Daten aus dem BATMAN werden erlaubt
-# Alles ausser Daten von BATMAN werden DROP'ed
-ebtables -A IN_ONLY -i ! bat0 --logical-in br-client -j DROP
+	# OUT_ONLY wird angesprungen, wenn dieses Paket nur
+	# in Richtung Gateway (also ins BATMAN) gesendet werden darf.
+	chain OUT_ONLY {
+		# --logical-out br-client -o ! bat0 -j DROP
+		oifname != "bat0" counter drop
+		counter
+	}
 
-######## OUT_ONLY ############
-ebtables -N OUT_ONLY -P RETURN
+	# MULTICAST_OUT filtert/reduziert Multicast-Frames, die ins BATMAN gesendet werden.
+	chain MULTICAST_OUT {
+	}
 
-# Daten ins BATMAN werden erlaubt
-# Alles ausser Daten ins BATMAN werden DROP'ed
-ebtables -A OUT_ONLY --logical-out br-client -o ! bat0 -j DROP
+	chain INPUT {
+		type filter hook input priority filter; policy accept;
 
-######## MULTICAST_OUT ############
-ebtables -N MULTICAST_OUT -P DROP
+		# -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT
+		iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 accept
+	}
 
-######## INPUT ############
-ebtables -P INPUT ACCEPT
+	chain FORWARD {
+		type filter hook forward priority filter; policy accept;
 
-# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
-ebtables -A INPUT -d Multicast --logical-in br-client -i ! bat0 -j ACCEPT
+		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
+		oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
+	}
 
-######## FORWARD ############
-ebtables -P FORWARD ACCEPT
+	chain OUTPUT {
+		type filter hook output priority filter; policy accept;
 
-# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
-ebtables -A FORWARD -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
-
-######## OUTPUT ############
-ebtables -P OUTPUT ACCEPT
-
-# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
-ebtables -A OUTPUT -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
+		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
+		oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding

@@ -1,2 +1,12 @@
-/usr/sbin/iptables -P FORWARD DROP
-/usr/sbin/ip6tables -P FORWARD DROP
+nft -f - <<__EOF
+table ip filter {
+	chain FORWARD {
+		type filter hook forward priority filter; policy drop;
+	}
+}
+table ip6 filter {
+	chain FORWARD {
+		type filter hook forward priority filter; policy drop;
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp

@@ -1,8 +1,19 @@
-# Erlaube DHCP Requests
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# Erlaube DHCP Requests
+		# -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
+		ether type ip udp dport 67 counter return
+	}
 
-# Erlaube nur DHCP Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+	chain FORWARD {
+		# Erlaube nur DHCP Request von CLIENT -> BATMAN
+		# -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+		ether type ip udp dport 67 counter jump OUT_ONLY
 
-# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+		# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
+		# -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+		ether type ip udp dport 68 counter jump IN_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6

@@ -1,8 +1,19 @@
-# Erlaube DHCPv6 Requests
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# Erlaube DHCPv6 Requests
+		# -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
+		ether type ip6 udp dport 547 counter return
+	}
 
-# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+	chain FORWARD {
+		# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
+		# -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+		ether type ip6 udp dport 547 counter jump OUT_ONLY
 
-# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+		# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
+		# -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+		ether type ip6 udp dport 546 counter jump IN_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra

@@ -1,5 +1,13 @@
-# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+nft -f - <<__EOF
+table bridge filter {
+	chain FORWARD {
+		# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
+		# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+		ether type ip6 icmpv6 type nd-router-solicit counter jump OUT_ONLY
 
-# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+		# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
+		# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+		ether type ip6 icmpv6 type nd-router-advert counter jump IN_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp

@@ -1,5 +1,15 @@
-# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
+		# -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+		ether type ip udp dport 68 counter jump IN_ONLY
+	}
 
-# Erlaube nur DHCP Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+	chain OUTPUT {
+		# Erlaube nur DHCP Request von KNOTEN -> BATMAN
+		# -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+		ether type ip udp dport 67 counter jump OUT_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6

@@ -1,5 +1,15 @@
-# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
+		# -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+		ether type ip6 udp dport 546 counter jump IN_ONLY
+	}
 
-# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+	chain OUTPUT {
+		# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
+		# -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+		ether type ip6 udp dport 547 counter jump OUT_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra

@@ -1,11 +1,23 @@
-# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
+		# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+		ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-advert counter jump IN_ONLY
 
-# Verbiete Router-Solicitation von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
+		# Verbiete Router-Solicitation von BATMAN -> KNOTEN
+		# -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
+		iifname "bat0" ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter drop
+	}
 
-# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+	chain OUTPUT {
+		# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
+		# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+		ether type ip6 icmpv6 type nd-router-solicit counter jump OUT_ONLY
 
-# Verbiete Router-Advertisment von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
+		# Verbiete Router-Advertisment von KNOTEN -> BATMAN
+		# -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
+		oifname "bat0" ether type ip6 icmpv6 type nd-router-advert counter drop
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc

@@ -1,6 +1,13 @@
-# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
-
-# Erlaube Organisation der Multicast Gruppen
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
+		# -p IPv6 --ip6-proto ip -j RETURN
+		ether type ip6 ip6 nexthdr 0 counter return
 
+		# Erlaube Organisation der Multicast Gruppen
+		# -p IPv4 --ip-proto igmp -j RETURN
+		ether type ip meta l4proto igmp counter return
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp

@@ -1,8 +1,17 @@
-# Verbiete ARP Antworten an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# Verbiete ARP Antworten an alle
+		# -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
+		ether type arp arp operation reply arp daddr ip 0.0.0.0 counter drop
 
-# Verbiete ARP Requests an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
+		# Verbiete ARP Requests an alle
+		# -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
+		ether type arp arp operation request arp daddr ip 0.0.0.0 counter drop
 
-# Erlaube alle anderen ARP's
-ebtables -A MULTICAST_OUT -p ARP -j RETURN
+		# Erlaube alle anderen ARP's
+		# -p ARP -j RETURN
+		ether type arp counter return
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping

@@ -1,6 +1,13 @@
-# Erlaube PING
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
-
-# Erlaube PINGv6
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# Erlaube PING
+		# -p IPv4 --ip-proto icmp -j RETURN
+		ether type ip meta l4proto icmp counter return
 
+		# Erlaube PINGv6
+		# -p IPv6 --ip6-proto ipv6-icmp -j RETURN
+		ether type ip6 meta l4proto icmpv6 counter return
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/36-mc-policy

@@ -0,0 +1,8 @@
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# policy: DROP
+		counter drop
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node

@@ -1,11 +1,30 @@
-# No input from/to local node ip from batman
-ebtables -A INPUT --logical-in br-client -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-ebtables -A INPUT --logical-in br-client -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# No input from/to local node ip from batman
 
-# Do not forward local node ip
-ebtables -A FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+		# -p IPv6 -i bat0 --logical-in br-client --ip6-src fdff::1 -j DROP
+		iifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+		# -p IPv6 -i bat0 --logical-in br-client --ip6-dst fdff::1 -j DROP
+		iifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+	}
 
-# Do not output local node ip to batman
-ebtables -A OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+	chain FORWARD {
+		# Do not forward local node ip
+
+		# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
+		oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+		# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
+		oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+	}
+
+	chain OUTPUT {
+		# Do not output local node ip to batman
+
+		# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
+		oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+		# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
+		oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/40-nft-counter

@@ -0,0 +1,15 @@
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		counter
+	}
+
+	chain FORWARD {
+		counter
+	}
+
+	chain OUTPUT {
+		counter
+	}
+}
+__EOF

src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra

@@ -1,5 +1,15 @@
-# Erlaube router solicitation von client zu knoten
-ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# Erlaube router solicitation von client zu knoten
+		# -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+		iifname != "bat0" ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter accept
+	}
 
-# Erlaube router advertisment von knoten zu client
-ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
+	chain OUTPUT {
+		# Erlaube router advertisment von knoten zu client
+		# -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
+		oifname != "bat0" ether type ip6 icmpv6 type nd-router-advert counter accept
+	}
+}
+__EOF