src/packages/fff/fff-firewall/Makefile

@@ -10,7 +10,8 @@ define Package/$(PKG_NAME)
 	CATEGORY:=Freifunk
 	TITLE:=Freifunk-Franken firewall
 	URL:=https://www.freifunk-franken.de
-	DEPENDS:=+nftables
+	DEPENDS:=+kmod-nft-bridge \
+	         +nftables
 endef
 
 define Package/$(PKG_NAME)/description

src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains

@@ -4,7 +4,7 @@ table bridge filter {
 	# vom Gateway (also vom BATMAN) kommen darf.
 	chain IN_ONLY {
 		# -i ! bat0 --logical-in br-client -j DROP
-		iifname != "bat0" counter drop
+		iifname != "bat0" ibrname "br-client" counter drop
 		counter
 	}
 
@@ -12,7 +12,7 @@ table bridge filter {
 	# in Richtung Gateway (also ins BATMAN) gesendet werden darf.
 	chain OUT_ONLY {
 		# --logical-out br-client -o ! bat0 -j DROP
-		oifname != "bat0" counter drop
+		oifname != "bat0" obrname "br-client" counter drop
 		counter
 	}
 
@@ -24,21 +24,21 @@ table bridge filter {
 		type filter hook input priority filter; policy accept;
 
 		# -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT
-		iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 accept
+		iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 ibrname "br-client" counter packets 0 bytes 0 accept
 	}
 
 	chain FORWARD {
 		type filter hook forward priority filter; policy accept;
 
 		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
-		oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
+		oifname "bat0" obrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
 	}
 
 	chain OUTPUT {
 		type filter hook output priority filter; policy accept;
 
 		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
-		oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
+		oifname "bat0" obrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
 	}
 }
 __EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node

@@ -4,27 +4,27 @@ table bridge filter {
 		# No input from/to local node ip from batman
 
 		# -p IPv6 -i bat0 --logical-in br-client --ip6-src fdff::1 -j DROP
-		iifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+		iifname "bat0" ibrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
 		# -p IPv6 -i bat0 --logical-in br-client --ip6-dst fdff::1 -j DROP
-		iifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+		iifname "bat0" ibrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
 	}
 
 	chain FORWARD {
 		# Do not forward local node ip
 
 		# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
-		oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+		oifname "bat0" obrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
 		# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
-		oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+		oifname "bat0" obrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
 	}
 
 	chain OUTPUT {
 		# Do not output local node ip to batman
 
 		# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
-		oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+		oifname "bat0" obrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
 		# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
-		oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+		oifname "bat0" obrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
 	}
 }
 __EOF