freifunk-franken/firmware
9
7
Fork 14
Code Issues 48 Pull Requests 7 Releases 17 Wiki Activity
9bf2f0a681
firmware/src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp
Fabian Bläse 157fa4eac5 fff-firewall: Switch from ip/ebtables to nftables 
Include nftables and appropriate modules. Translate ip- and ebtables
rules to their nftables counterparts. Remove ip/ebtables and modules.

This change intentionally tries to keep structural changes at a minimum
to keep the rule translation comprehensible.

kmod-nft-bridge is not required for fff-node, because it was merged into
a single kernel module since Linux 4.17:
[1] 02c7b25e5f
[2] fbaf48387e

Fixes: #252

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Co-authored-by: Johannes Kimmel <fff@bareminimum.eu>
2023-12-26 18:51:35 +01:00

20 lines
524 B
Plaintext
Raw Blame History

nft -f - <<__EOF
table bridge filter {
chain MULTICAST_OUT {
# Erlaube DHCP Requests
# -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
ether type ip udp dport 67 counter return
}
chain FORWARD {
# Erlaube nur DHCP Request von CLIENT -> BATMAN
# -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
ether type ip udp dport 67 counter jump OUT_ONLY
# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
# -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
ether type ip udp dport 68 counter jump IN_ONLY
}
}
__EOF
Reference in New Issue View Git Blame Copy Permalink