Fabian Bläse
157fa4eac5
Include nftables and appropriate modules. Translate ip- and ebtables rules to their nftables counterparts. Remove ip/ebtables and modules.

This change intentionally tries to keep structural changes at a minimum to keep the rule translation comprehensible.

kmod-nft-bridge is not required for fff-node, because it was merged into a single kernel module since Linux 4.17:
[1] 02c7b25e5f
[2] fbaf48387e

Fixes: #252
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Co-authored-by: Johannes Kimmel <fff@bareminimum.eu>
18 lines
484 B
Plaintext
nft -f - <<__EOF
table bridge filter {
	chain MULTICAST_OUT {
		# Drop ARP replies addressed to everyone
		# ebtables original: -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
		# Note: the ebtables rule above matches the ARP sender IP (--arp-ip-src);
		# this nft rule matches the ARP target IP (arp daddr ip).
		ether type arp arp operation reply arp daddr ip 0.0.0.0 counter drop

		# Drop ARP requests addressed to everyone
		# ebtables original: -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
		ether type arp arp operation request arp daddr ip 0.0.0.0 counter drop

		# Allow all other ARP packets
		# ebtables original: -p ARP -j RETURN
		ether type arp counter return
	}
}
__EOF
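The ebtables-to-nftables translation this commit performs by hand, as an added example that is not part of the fff firmware or the commit itself: a small POSIX sh helper that maps the three ebtables ARP rule forms shown in the file above to nft syntax, wraps them in the same `table bridge filter` / `chain MULTICAST_OUT`, and syntax-checks the result with `nft -c -f -` (check mode, nothing is loaded into the kernel) when nft is installed. The function names `ebt_to_nft`, `build_ruleset` and `check_ruleset` are my own, and only the ebtables options that appear on the page are handled. The helper maps `--arp-ip-src` to `arp saddr ip` and `--arp-ip-dst` to `arp daddr ip`, so for the first rule it produces `arp saddr ip 0.0.0.0`, which is worth comparing against the `arp daddr ip 0.0.0.0` in the committed file.

```shell
#!/bin/sh
# Hypothetical helper (not fff firmware code): translate the ebtables ARP rule
# forms used on this page into nftables bridge-family rule syntax.

ebt_to_nft() {
    # $1: one ebtables rule, e.g. "-p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP"
    # Prints the equivalent nft rule on stdout; returns 1 for unsupported input.
    set -- $1
    proto=""; match=""; verdict=""
    while [ $# -gt 0 ]; do
        opt=$1; arg=${2:-}
        # every option handled here takes exactly one argument
        [ -n "$arg" ] || { echo "missing argument for $opt" >&2; return 1; }
        case "$opt" in
            -p)
                [ "$arg" = "ARP" ] || { echo "unsupported protocol: $arg" >&2; return 1; }
                proto="ether type arp" ;;
            --arp-op)
                # ebtables spells the opcode Reply/Request; nft wants lowercase
                match="$match arp operation $(printf '%s' "$arg" | tr 'A-Z' 'a-z')" ;;
            --arp-ip-src)
                match="$match arp saddr ip $arg" ;;
            --arp-ip-dst)
                match="$match arp daddr ip $arg" ;;
            -j)
                verdict=$(printf '%s' "$arg" | tr 'A-Z' 'a-z') ;;
            *)
                echo "unsupported option: $opt" >&2; return 1 ;;
        esac
        shift 2
    done
    [ -n "$proto" ] && [ -n "$verdict" ] || { echo "rule needs -p ARP and -j" >&2; return 1; }
    # "counter" keeps per-rule hit counts, as the firmware's rules do
    printf '%s%s counter %s\n' "$proto" "$match" "$verdict"
}

build_ruleset() {
    # $@: ebtables rules, one per argument; emits a complete nft ruleset using
    # the same table and chain names as the firmware file.
    printf 'table bridge filter {\n\tchain MULTICAST_OUT {\n'
    for rule in "$@"; do
        nft_rule=$(ebt_to_nft "$rule") || return 1
        printf '\t\t%s\n' "$nft_rule"
    done
    printf '\t}\n}\n'
}

check_ruleset() {
    # Parse-only check of the generated ruleset; skipped when nft is absent.
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check" >&2; return 0; }
    build_ruleset "$@" | nft -c -f -
}

# Usage with the three rules from the page (constructed input):
if [ "${1:-}" = "--demo" ]; then
    build_ruleset \
        '-p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP' \
        '-p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP' \
        '-p ARP -j RETURN'
fi
```

Run with `--demo` to print the generated ruleset; call `check_ruleset` with the same arguments on a host that has nft to confirm it parses before wiring it into a heredoc like the one above.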