firmware/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains

nft -f - <<__EOF
table bridge filter {
	# IN_ONLY wird angesprungen, wenn dieses Paket nur
	# vom Gateway (also vom BATMAN) kommen darf.
	chain IN_ONLY {
		# -i ! bat0 --logical-in br-client -j DROP
		iifname != "bat0" counter drop
		counter
	}

	# OUT_ONLY wird angesprungen, wenn dieses Paket nur
	# in Richtung Gateway (also ins BATMAN) gesendet werden darf.
	chain OUT_ONLY {
		# --logical-out br-client -o ! bat0 -j DROP
		oifname != "bat0" counter drop
		counter
	}

	# MULTICAST_OUT filtert/reduziert Multicast-Frames, die ins BATMAN gesendet werden.
	chain MULTICAST_OUT {
	}

	chain INPUT {
		type filter hook input priority filter; policy accept;

		# -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT
		iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 accept
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;

		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
		oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;

		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
		oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
	}
}
__EOF