WIP: fff-firewall: Switch from ip/ebtables to nftables

Include nftables and appropriate modules. Translate ip- and ebtables
rules to their nftables counterparts. Remove ip/ebtables and modules.

This change intentionally tries to keep structural changes at a minimum
to keep the rule translation comprehensible.

kmod-nft-bridge is not required for fff-node, because it was merged into
a single kernel module since Linux 4.17:
[1] 02c7b25e5f
[2] fbaf48387e

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Co-authored-by: Johannes Kimmel <fff@bareminimum.eu>

README.md

@@ -56,6 +56,10 @@ Dieses Kommando arbeitet folgendermaßen:
 ### `./buildscript updatefeeds`
 Aktualisiert die OpenWrt Feeds für zusätzliche Pakete, die in die Firmware eingebaut werden. Dabei werden die Referenzen im build/ Verzeichnis aktualisiert. Dieser Schritt wird bereits von `./buildscript prepare` übernommen, daher ist dies nur bei manuellen Änderungen der Feeds nötig.
 
+### `./buildscript clean`
+Entfernt den Inhalt der bin/ und build/ Verzeichnisse und die Feeds in src/packages/. Damit werden beim nächsten `./buildscript prepare` alle Dateien die für das Bauen der Firmware nötig sind neu heruntergeladen. Dies kann nötig sein wenn z.B. seit dem letzen build ein größerer Versionssprung in OpenWRT gemacht wurde. Wenn es Fehler beim bauen gibt, wie fehlende Dependencies o.Ä., ist ein clean mal einen Versuch wert.
+* Nach einem clean muss daher erst noch einmal `./buildscript prepare` ausgeführt werden, bevor man mit `./buildscipt build` bauen kann!
+
 ### `./buildscript build`
 Sollte man am besten mit Hilfe des Tools 'screen' oder ähnlichem laufen lassen um einen Abbruch des Builds bei Verbindungsproblemen oder ähnlichem zu verhindern.
 * prebuild
@@ -132,9 +136,14 @@ scp root@[ipv6ll%scope]:/etc/network.tl-wr1043nd-v2 /path/to/git/firmware/bsp/wr
 ```
 
 ### BSP commiten und Patch erzeugen
-Nun kann man mit `git status` die Änderungen sehen. Mit `git add` staged man diese und mit `git commit` checkt man sie ein. `git format-patch origin/HEAD` erzeugt dann aus deinen Commits ein (oder mehr) Patches. Diese schickst du dann mit `git send-email --to franken-dev@freifunk.net *.patch` an unsere Liste. Dort nimmt sich jemand die Zeit und schaut kurz drüber und wenn alles passt finden deine Änderungen in den Hauptentwicklungszweig und sind ab dann Teil der Freifunk-Franken-Firmware.
+Nun kann man mit `git status` die Änderungen sehen.
+
+Damit man an mehreren Änderungen gleichzeitig arbeiten kann, sollte zunächst mit `git checkout -b mein-neues-feature` ein neuer Branch erzeugt werden. Dann können die Änderungen mit `git add` gestaged und danach mit `git commit` eingecheckt werden.
+
+Die so erzeugten Änderungen können dann mit einem Pull Request im [Gitea](https://git.freifunk-franken.de/freifunk-franken/firmware) submitted werden. Dafür ist ein [Account](https://docs.freifunk-franken.de/services/git.freifunk-franken/#anmeldung) nötig. Dazu muss das Firmware-Repository zunächst geforkt werden. Die SSH-Adresse des Forks (steht oben rechts) kann dann mit `git remote set-url origin gitea@git.freifunk-franken.de:meinname/firmware.git` in das lokale Repository eingetragen werden. Danach kann der weiter oben erstellte Branch mit `git push origin mein-neues-feature` in den Fork hochgeladen werden. Nun kann der Pull Request im Freifunk Franken Repository [angelegt](https://git.freifunk-franken.de/freifunk-franken/firmware/pulls) werden.
+
+Soll der Pull Request später geändert werden, dann müssen zunächst die nötigen Änderungen gemacht und danach mit `git commit --amend` in den bereits bestehenden Commit eingefügt werden. Dies kann dann mit `git push --force origin mein-neues-feature` in den Fork hochgeladen werden. Force ist hierbei nötig, da bereits bestehende Commits geändert werden. Der Pull Request wird dann automatisch aktualisiert. Um Reviews zu erleichtern sollten die Änderungen im Pull Request als Kommentar beschrieben werden.
 
-### Patch schicken
 Auf der Mailingliste franken-dev@freifunk.net kannst du natürlich jederzeit Fragen stellen, falls etwas nicht klar sein sollte.
 
 ## Hinzufügen von Paketen zum Image

bsp/ath79-generic.bsp

@@ -5,6 +5,7 @@ images=("openwrt-${chipset}-${subtarget}-glinet_gl-ar150-squashfs-*"
         "openwrt-${chipset}-${subtarget}-tplink_archer-c60-v1-squashfs-*"
         "openwrt-${chipset}-${subtarget}-tplink_archer-c60-v2-squashfs-*"
         "openwrt-${chipset}-${subtarget}-tplink_archer-c7-v2-squashfs-*"
+        "openwrt-${chipset}-${subtarget}-tplink_archer-c7-v4-squashfs-*"
         "openwrt-${chipset}-${subtarget}-tplink_archer-c7-v5-squashfs-*"
         "openwrt-${chipset}-${subtarget}-tplink_cpe210-v1-squashfs-*"
         "openwrt-${chipset}-${subtarget}-tplink_cpe210-v2-squashfs-*"

bsp/ath79-generic/.config

@@ -14,6 +14,8 @@ CONFIG_TARGET_DEVICE_ath79_generic_DEVICE_tplink_archer-c60-v2=y
 CONFIG_TARGET_DEVICE_PACKAGES_ath79_generic_DEVICE_tplink_archer-c60-v2="-kmod-ath10k-ct-smallbuffers kmod-ath10k-smallbuffers -ath10k-firmware-qca9888-ct ath10k-firmware-qca9888"
 CONFIG_TARGET_DEVICE_ath79_generic_DEVICE_tplink_archer-c7-v2=y
 CONFIG_TARGET_DEVICE_PACKAGES_ath79_generic_DEVICE_tplink_archer-c7-v2="-kmod-ath10k-ct kmod-ath10k -ath10k-firmware-qca988x-ct ath10k-firmware-qca988x"
+CONFIG_TARGET_DEVICE_ath79_generic_DEVICE_tplink_archer-c7-v4=y
+CONFIG_TARGET_DEVICE_PACKAGES_ath79_generic_DEVICE_tplink_archer-c7-v4="-kmod-ath10k-ct kmod-ath10k -ath10k-firmware-qca988x-ct ath10k-firmware-qca988x"
 CONFIG_TARGET_DEVICE_ath79_generic_DEVICE_tplink_archer-c7-v5=y
 CONFIG_TARGET_DEVICE_PACKAGES_ath79_generic_DEVICE_tplink_archer-c7-v5="-kmod-ath10k-ct kmod-ath10k -ath10k-firmware-qca988x-ct ath10k-firmware-qca988x"
 CONFIG_TARGET_DEVICE_ath79_generic_DEVICE_tplink_cpe210-v1=y
@@ -83,7 +85,10 @@ CONFIG_KERNEL_SQUASHFS_FRAGMENT_CACHE_SIZE=1
 CONFIG_PACKAGE_hostapd-mini=y
 CONFIG_PACKAGE_iwinfo=m
 CONFIG_PACKAGE_libiwinfo=m
+CONFIG_PACKAGE_libwolfssl=m
 CONFIG_PACKAGE_opkg=m
+CONFIG_PACKAGE_wpad-basic=y
+CONFIG_PACKAGE_wpad-basic-wolfssl=m
 CONFIG_PACKAGE_wpad-mini=m
 CONFIG_PACKAGE_ath10k-firmware-qca9887=m
 CONFIG_PACKAGE_ath10k-firmware-qca9888=m

bsp/ipq40xx-generic/.config

@@ -20,6 +20,9 @@ CONFIG_PACKAGE_ath10k-firmware-qca4019=m
 CONFIG_PACKAGE_ath10k-firmware-qca4019-ct=m
 CONFIG_PACKAGE_kmod-ath10k=m
 CONFIG_PACKAGE_kmod-ath10k-ct=m
+CONFIG_PACKAGE_libwolfssl=m
 CONFIG_PACKAGE_opkg=m
+CONFIG_PACKAGE_wpad-basic=y
+CONFIG_PACKAGE_wpad-basic-wolfssl=m
 CONFIG_STRIP_KERNEL_EXPORTS=y
 CONFIG_PACKAGE_kmod-hwmon-core=y

bsp/ipq806x-generic/.config

@@ -23,7 +23,10 @@ CONFIG_CLEAN_IPKG=y
 # CONFIG_FASTD_ENABLE_METHOD_GENERIC_GMAC is not set
 # CONFIG_FASTD_ENABLE_METHOD_GENERIC_UMAC is not set
 # CONFIG_PACKAGE_ALFRED_VIS is not set
+CONFIG_PACKAGE_libwolfssl=m
 CONFIG_PACKAGE_opkg=m
+CONFIG_PACKAGE_wpad-basic=y
+CONFIG_PACKAGE_wpad-basic-wolfssl=m
 CONFIG_PACKAGE_ath10k-firmware-qca99x0=m
 CONFIG_PACKAGE_kmod-ath10k=y
 CONFIG_PACKAGE_ath10k-firmware-qca99x0-ct=m

bsp/mpc85xx-p1010/.config

@@ -23,6 +23,9 @@ CONFIG_CLEAN_IPKG=y
 # CONFIG_FASTD_ENABLE_METHOD_GENERIC_GMAC is not set
 # CONFIG_FASTD_ENABLE_METHOD_GENERIC_UMAC is not set
 # CONFIG_PACKAGE_ALFRED_VIS is not set
+CONFIG_PACKAGE_libwolfssl=m
 CONFIG_PACKAGE_opkg=m
+CONFIG_PACKAGE_wpad-basic=y
+CONFIG_PACKAGE_wpad-basic-wolfssl=m
 CONFIG_STRIP_KERNEL_EXPORTS=y
 CONFIG_TARGET_SQUASHFS_BLOCK_SIZE=512

bsp/octeon.bsp

@@ -2,5 +2,5 @@ chipset=octeon
 subtarget=generic
 
 images=(
-        "openwrt-${chipset}-ubnt_edgerouter-4-*"
+        "openwrt-${chipset}-${subtarget}-ubnt_edgerouter-4-*"
        )

bsp/octeon/.config

@@ -2,10 +2,10 @@
 # Do no edit manually
 #
 CONFIG_TARGET_octeon=y
+CONFIG_TARGET_octeon_generic=y
 CONFIG_TARGET_MULTI_PROFILE=y
-CONFIG_TARGET_PER_DEVICE_ROOTFS=y
-CONFIG_TARGET_DEVICE_octeon_DEVICE_ubnt_edgerouter-4=y
-CONFIG_TARGET_DEVICE_PACKAGES_octeon_DEVICE_ubnt_edgerouter-4=""
+CONFIG_TARGET_DEVICE_octeon_generic_DEVICE_ubnt_edgerouter-4=y
+CONFIG_TARGET_DEVICE_PACKAGES_octeon_generic_DEVICE_ubnt_edgerouter-4=""
 CONFIG_BUSYBOX_CUSTOM=y
 CONFIG_TARGET_PER_DEVICE_ROOTFS=y
 # CONFIG_BUSYBOX_CONFIG_BRCTL is not set
@@ -16,6 +16,9 @@ CONFIG_TARGET_PER_DEVICE_ROOTFS=y
 CONFIG_CLEAN_IPKG=y
 # CONFIG_DROPBEAR_CURVE25519 is not set
 # CONFIG_PACKAGE_ALFRED_VIS is not set
+CONFIG_PACKAGE_libwolfssl=m
 CONFIG_PACKAGE_opkg=m
+CONFIG_PACKAGE_wpad-basic=y
+CONFIG_PACKAGE_wpad-basic-wolfssl=m
 CONFIG_STRIP_KERNEL_EXPORTS=y
 CONFIG_TARGET_SQUASHFS_BLOCK_SIZE=512

bsp/ramips-mt7621/.config

@@ -29,6 +29,9 @@ CONFIG_CLEAN_IPKG=y
 # CONFIG_FASTD_ENABLE_METHOD_GENERIC_GMAC is not set
 # CONFIG_FASTD_ENABLE_METHOD_GENERIC_UMAC is not set
 # CONFIG_PACKAGE_ALFRED_VIS is not set
+CONFIG_PACKAGE_libwolfssl=m
 CONFIG_PACKAGE_opkg=m
+CONFIG_PACKAGE_wpad-basic=y
+CONFIG_PACKAGE_wpad-basic-wolfssl=m
 CONFIG_STRIP_KERNEL_EXPORTS=y
 CONFIG_TARGET_SQUASHFS_BLOCK_SIZE=512

bsp/ramips-mt76x8/.config

@@ -29,5 +29,8 @@ CONFIG_CLEAN_IPKG=y
 # CONFIG_FASTD_ENABLE_METHOD_GENERIC_GMAC is not set
 # CONFIG_FASTD_ENABLE_METHOD_GENERIC_UMAC is not set
 # CONFIG_PACKAGE_ALFRED_VIS is not set
+CONFIG_PACKAGE_libwolfssl=m
 CONFIG_PACKAGE_opkg=m
+CONFIG_PACKAGE_wpad-basic=y
+CONFIG_PACKAGE_wpad-basic-wolfssl=m
 CONFIG_STRIP_KERNEL_EXPORTS=y

bsp/x86-64/.config

@@ -15,5 +15,8 @@ CONFIG_TARGET_PER_DEVICE_ROOTFS=y
 CONFIG_CLEAN_IPKG=y
 # CONFIG_PACKAGE_ALFRED_VIS is not set
 CONFIG_PACKAGE_kmod-vmxnet3=y
+CONFIG_PACKAGE_libwolfssl=m
 CONFIG_PACKAGE_opkg=m
+CONFIG_PACKAGE_wpad-basic=y
+CONFIG_PACKAGE_wpad-basic-wolfssl=m
 CONFIG_STRIP_KERNEL_EXPORTS=y

build_patches/openwrt/0002-set-root-password.patch

@@ -7,7 +7,7 @@ index 4b4154f21f478cc025a350363b3e34319c6afacc..b8d180a95691ab09f9c4d759ffd97da3
 --- a/package/base-files/files/etc/shadow
 +++ b/package/base-files/files/etc/shadow
 @@ -1,4 +1,4 @@
--root::0:0:99999:7:::
+-root:::0:99999:7:::
 +root:$1$OmvoKpjK$e.lPVnBxsrAbNV4EoH3xb1:0:0:99999:7:::
  daemon:*:0:0:99999:7:::
  ftp:*:0:0:99999:7:::

build_patches/openwrt/0010-ramips-add-missing-label-mac-device-mi-router-4a.patch

@@ -1,25 +0,0 @@
-From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= <fabian@blaese.de>
-Date: Mon, 19 Jul 2021 21:54:29 +0200
-Subject: [PATCH] ramips: add missing label-mac-device for Xiaomi Mi Router 4A
- (100M)
-
-As both the Mi Router 4A (100M) and the Mi Router 4C use the same
-label-mac-device, the alias can be moved to the shared dtsi.
-
-Signed-off-by: Fabian Bläse <fabian@blaese.de>
----
- target/linux/ramips/dts/mt7628an_xiaomi_mi-router-4.dtsi | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/target/linux/ramips/dts/mt7628an_xiaomi_mi-router-4.dtsi b/target/linux/ramips/dts/mt7628an_xiaomi_mi-router-4.dtsi
-index 0f5897f5c593..d3f5e33be732 100644
---- a/target/linux/ramips/dts/mt7628an_xiaomi_mi-router-4.dtsi
-+++ b/target/linux/ramips/dts/mt7628an_xiaomi_mi-router-4.dtsi
-@@ -11,6 +11,7 @@
- 		led-failsafe = &led_power_yellow;
- 		led-running = &led_power_blue;
- 		led-upgrade = &led_power_yellow;
-+		label-mac-device = &ethernet;
- 	};
- 
- 	chosen {

build_patches/openwrt/0011-generic-add-support-for-EON-EN25QX128A-spi-nor-flash.patch

@@ -1,106 +0,0 @@
-From 3b63209f03007e755c4a076d0a81a60fdf15dcd0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= <fabian@blaese.de>
-Date: Wed, 16 Nov 2022 11:41:32 +0100
-Subject: [PATCH] generic: add support for EON EN25QX128A spi nor flash
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add support for EON EN25QX128A spi nor flash with no flags as it does
-support SFDP parsing.
-
-Fixes: #9442
-Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
-Tested-by: Szabolcs Hubai <szab.hu@gmail.com> [ramips/mt7621: xiaomi_mi-router-4a-gigabit]
-[fabian@blaese.de: Backport to Kernel 5.4]
-Signed-off-by: Fabian Bläse <fabian@blaese.de>
----
- .../477-mtd-spi-nor-add-eon-en25qx128a.patch  | 21 +++++++++++++++++++
- .../477-mtd-spi-nor-add-eon-en25qx128a.patch  | 21 +++++++++++++++++++
- .../477-mtd-spi-nor-add-eon-en25qx128a.patch  | 21 +++++++++++++++++++
- 3 files changed, 63 insertions(+)
- create mode 100644 target/linux/generic/pending-5.10/477-mtd-spi-nor-add-eon-en25qx128a.patch
- create mode 100644 target/linux/generic/pending-5.15/477-mtd-spi-nor-add-eon-en25qx128a.patch
- create mode 100644 target/linux/generic/pending-5.4/477-mtd-spi-nor-add-eon-en25qx128a.patch
-
-diff --git a/target/linux/generic/pending-5.10/477-mtd-spi-nor-add-eon-en25qx128a.patch b/target/linux/generic/pending-5.10/477-mtd-spi-nor-add-eon-en25qx128a.patch
-new file mode 100644
-index 0000000000..0a681d6753
---- /dev/null
-+++ b/target/linux/generic/pending-5.10/477-mtd-spi-nor-add-eon-en25qx128a.patch
-@@ -0,0 +1,21 @@
-+From: Christian Marangi <ansuelsmth@gmail.com>
-+Subject: kernel/mtd: add support for EON EN25QX128A
-+
-+Add support for EON EN25QX128A with no flags as it does
-+support SFDP parsing.
-+
-+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
-+---
-+ drivers/mtd/spi-nor/spi-nor.c | 1 +
-+ 1 file changed, 1 insertion(+)
-+
-+--- a/drivers/mtd/spi-nor/eon.c
-++++ b/drivers/mtd/spi-nor/eon.c
-+@@ -15,6 +15,7 @@ static const struct flash_info eon_parts
-+ 	{ "en25q64",    INFO(0x1c3017, 0, 64 * 1024,  128, SECT_4K) },
-+ 	{ "en25q128",   INFO(0x1c3018, 0, 64 * 1024,  256,
-+ 			     SECT_4K | SPI_NOR_DUAL_READ) },
-++	{ "en25qx128a", INFO(0x1c7118, 0, 64 * 1024, 256, 0) },
-+ 	{ "en25q80a",   INFO(0x1c3014, 0, 64 * 1024,   16,
-+ 			     SECT_4K | SPI_NOR_DUAL_READ) },
-+ 	{ "en25qh16",   INFO(0x1c7015, 0, 64 * 1024,   32,
-diff --git a/target/linux/generic/pending-5.15/477-mtd-spi-nor-add-eon-en25qx128a.patch b/target/linux/generic/pending-5.15/477-mtd-spi-nor-add-eon-en25qx128a.patch
-new file mode 100644
-index 0000000000..0a681d6753
---- /dev/null
-+++ b/target/linux/generic/pending-5.15/477-mtd-spi-nor-add-eon-en25qx128a.patch
-@@ -0,0 +1,21 @@
-+From: Christian Marangi <ansuelsmth@gmail.com>
-+Subject: kernel/mtd: add support for EON EN25QX128A
-+
-+Add support for EON EN25QX128A with no flags as it does
-+support SFDP parsing.
-+
-+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
-+---
-+ drivers/mtd/spi-nor/spi-nor.c | 1 +
-+ 1 file changed, 1 insertion(+)
-+
-+--- a/drivers/mtd/spi-nor/eon.c
-++++ b/drivers/mtd/spi-nor/eon.c
-+@@ -15,6 +15,7 @@ static const struct flash_info eon_parts
-+ 	{ "en25q64",    INFO(0x1c3017, 0, 64 * 1024,  128, SECT_4K) },
-+ 	{ "en25q128",   INFO(0x1c3018, 0, 64 * 1024,  256,
-+ 			     SECT_4K | SPI_NOR_DUAL_READ) },
-++	{ "en25qx128a", INFO(0x1c7118, 0, 64 * 1024, 256, 0) },
-+ 	{ "en25q80a",   INFO(0x1c3014, 0, 64 * 1024,   16,
-+ 			     SECT_4K | SPI_NOR_DUAL_READ) },
-+ 	{ "en25qh16",   INFO(0x1c7015, 0, 64 * 1024,   32,
-diff --git a/target/linux/generic/pending-5.4/477-mtd-spi-nor-add-eon-en25qx128a.patch b/target/linux/generic/pending-5.4/477-mtd-spi-nor-add-eon-en25qx128a.patch
-new file mode 100644
-index 0000000000..0a681d6753
---- /dev/null
-+++ b/target/linux/generic/pending-5.4/477-mtd-spi-nor-add-eon-en25qx128a.patch
-@@ -0,0 +1,18 @@
-+From: Fabian Bläse <fabian@blaese.de>
-+Subject: kernel/mtd: add support for EON EN25QX128A
-+
-+Signed-off-by: Fabian Bläse <fabian@blaese.de>
-+---
-+ drivers/mtd/spi-nor/spi-nor.c | 1 +
-+ 1 file changed, 1 insertion(+)
-+
-+--- a/drivers/mtd/spi-nor/spi-nor.c
-++++ b/drivers/mtd/spi-nor/spi-nor.c
-+@@ -2240,8 +2240,9 @@ static const struct flash_info spi_nor_i
-+ 	{ "en25p64",    INFO(0x1c2017, 0, 64 * 1024,  128, 0) },
-+ 	{ "en25q64",    INFO(0x1c3017, 0, 64 * 1024,  128, SECT_4K) },
-+ 	{ "en25q128",   INFO(0x1c3018, 0, 64 * 1024,  256, SECT_4K) },
-++	{ "en25qx128a", INFO(0x1c7118, 0, 64 * 1024,  256, 0) },
-+ 	{ "en25q80a",   INFO(0x1c3014, 0, 64 * 1024,   16,
-+ 			SECT_4K | SPI_NOR_DUAL_READ) },
-+ 	{ "en25qh32",   INFO(0x1c7016, 0, 64 * 1024,   64, 0) },
--- 
-2.38.1
-

build_patches/openwrt/0050-Disable-ipq40xx-lan-wan-separation.patch

@@ -19,16 +19,16 @@ These changes are currently only done with the FritzBox 4040 in mind.
 ---
  .../linux/ipq40xx/base-files/etc/board.d/01_leds |  2 +-
  .../ipq40xx/base-files/etc/board.d/02_network    |  3 +--
+ .../ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c |  2 ++
  .../drivers/net/ethernet/qualcomm/essedma/edma.h | 16 ++++++++--------
- .../linux/ipq40xx/files/drivers/net/phy/ar40xx.c |  2 ++
  ...1-dts-ipq4019-add-ethernet-essedma-node.patch |  6 +++---
  5 files changed, 15 insertions(+), 14 deletions(-)
 
 diff --git a/target/linux/ipq40xx/base-files/etc/board.d/01_leds b/target/linux/ipq40xx/base-files/etc/board.d/01_leds
-index ac11655904..147e159ea1 100755
+index 884b265dcb..77b0754635 100644
 --- a/target/linux/ipq40xx/base-files/etc/board.d/01_leds
 +++ b/target/linux/ipq40xx/base-files/etc/board.d/01_leds
-@@ -19,7 +19,7 @@ asus,rt-ac58u)
+@@ -24,7 +24,7 @@ asus,rt-ac58u)
  	;;
  avm,fritzbox-4040)
  	ucidef_set_led_wlan "wlan" "WLAN" "green:wlan" "phy0tpt" "phy1tpt"
@@ -38,10 +38,10 @@ index ac11655904..147e159ea1 100755
  	;;
  avm,fritzbox-7530 |\
 diff --git a/target/linux/ipq40xx/base-files/etc/board.d/02_network b/target/linux/ipq40xx/base-files/etc/board.d/02_network
-index 87c79db5e1..666be0d145 100755
+index 2aa4886e6a..7390769661 100644
 --- a/target/linux/ipq40xx/base-files/etc/board.d/02_network
 +++ b/target/linux/ipq40xx/base-files/etc/board.d/02_network
-@@ -58,9 +58,8 @@ ipq40xx_setup_interfaces()
+@@ -68,9 +68,8 @@ ipq40xx_setup_interfaces()
  	avm,fritzbox-4040|\
  	linksys,ea6350v3|\
  	linksys,ea8300)
@@ -52,6 +52,26 @@ index 87c79db5e1..666be0d145 100755
  		;;
  	linksys,mr8300)
  		ucidef_set_interfaces_lan_wan "eth0" "eth1"
+diff --git a/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c b/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c
+index f7ce42b9ff..a8da7ac653 100644
+--- a/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c
++++ b/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c
+@@ -1481,6 +1481,7 @@ ar40xx_vlan_init(struct ar40xx_priv *priv)
+ 	unsigned long bmp;
+ 
+ 	/* By default Enable VLAN */
++	/*
+ 	priv->vlan = 1;
+ 	priv->vlan_table[AR40XX_LAN_VLAN] = priv->cpu_bmp | priv->lan_bmp;
+ 	priv->vlan_table[AR40XX_WAN_VLAN] = priv->cpu_bmp | priv->wan_bmp;
+@@ -1492,6 +1493,7 @@ ar40xx_vlan_init(struct ar40xx_priv *priv)
+ 	bmp = priv->wan_bmp;
+ 	for_each_set_bit(port, &bmp, AR40XX_NUM_PORTS)
+ 			priv->pvid[port] = AR40XX_WAN_VLAN;
++	*/
+ 
+ 	return 0;
+ }
 diff --git a/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h b/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h
 index 015e5f5026..daa60639d1 100644
 --- a/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h
@@ -79,30 +99,10 @@ index 015e5f5026..daa60639d1 100644
  
  /* Queues exposed to linux kernel */
  #define EDMA_NETDEV_TX_QUEUE 4
-diff --git a/target/linux/ipq40xx/files/drivers/net/phy/ar40xx.c b/target/linux/ipq40xx/files/drivers/net/phy/ar40xx.c
-index 545e3985ae..28453c2363 100644
---- a/target/linux/ipq40xx/files/drivers/net/phy/ar40xx.c
-+++ b/target/linux/ipq40xx/files/drivers/net/phy/ar40xx.c
-@@ -1483,6 +1483,7 @@ ar40xx_vlan_init(struct ar40xx_priv *priv)
- 	unsigned long bmp;
- 
- 	/* By default Enable VLAN */
-+	/*
- 	priv->vlan = 1;
- 	priv->vlan_table[AR40XX_LAN_VLAN] = priv->cpu_bmp | priv->lan_bmp;
- 	priv->vlan_table[AR40XX_WAN_VLAN] = priv->cpu_bmp | priv->wan_bmp;
-@@ -1494,6 +1495,7 @@ ar40xx_vlan_init(struct ar40xx_priv *priv)
- 	bmp = priv->wan_bmp;
- 	for_each_set_bit(port, &bmp, AR40XX_NUM_PORTS)
- 			priv->pvid[port] = AR40XX_WAN_VLAN;
-+	*/
- 
- 	return 0;
- }
-diff --git a/target/linux/ipq40xx/patches-5.4/711-dts-ipq4019-add-ethernet-essedma-node.patch b/target/linux/ipq40xx/patches-5.4/711-dts-ipq4019-add-ethernet-essedma-node.patch
+diff --git a/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch b/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch
 index 3567eb7810..b13b312a91 100644
---- a/target/linux/ipq40xx/patches-5.4/711-dts-ipq4019-add-ethernet-essedma-node.patch
-+++ b/target/linux/ipq40xx/patches-5.4/711-dts-ipq4019-add-ethernet-essedma-node.patch
+--- a/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch
++++ b/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch
 @@ -36,7 +36,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
  +			qcom,rx_head_buf_size = <1540>;
  +			qcom,mdio_supported;

build_patches/openwrt/0100-Add-hack-which-fixes-forwarding-on-a-stacked-bridge-.patch

@@ -1,19 +1,18 @@
-From f53b71d2907eeb0d80e79d99fa7b756b5e5bf32b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= <fabian@blaese.de>
 Date: Thu, 24 Feb 2022 00:04:47 +0100
 Subject: [PATCH] Add hack which fixes forwarding on a stacked bridge
  configuration using DSA
 
 ---
- .../hack-5.4/999-fix-stacked-bridge-forwarding.patch | 12 ++++++++++++
+ .../999-fix-stacked-bridge-forwarding.patch          | 12 ++++++++++++
  1 file changed, 12 insertions(+)
- create mode 100644 target/linux/generic/hack-5.4/999-fix-stacked-bridge-forwarding.patch
+ create mode 100644 target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch
 
-diff --git a/target/linux/generic/hack-5.4/999-fix-stacked-bridge-forwarding.patch b/target/linux/generic/hack-5.4/999-fix-stacked-bridge-forwarding.patch
+diff --git a/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch b/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch
 new file mode 100644
 index 0000000000..e1d4cb9cd5
 --- /dev/null
-+++ b/target/linux/generic/hack-5.4/999-fix-stacked-bridge-forwarding.patch
++++ b/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch
 @@ -0,0 +1,12 @@
 +--- a/net/bridge/br_input.c
 ++++ b/net/bridge/br_input.c
@@ -27,6 +26,4 @@ index 0000000000..e1d4cb9cd5
 + 	indev = skb->dev;
 + 	skb->dev = brdev;
 + 	skb = br_handle_vlan(br, NULL, vg, skb);
--- 
-2.35.1
 

build_patches/openwrt/0200-mpc85xx-Drop-pci-aliases-to-avoid-domain-changes.patch

@@ -1,158 +0,0 @@
-From 7f4b4c29f3489697dca7495216460d0ed5023e02 Mon Sep 17 00:00:00 2001
-From: Martin Kennedy <hurricos@gmail.com>
-Date: Mon, 29 Aug 2022 20:47:24 -0400
-Subject: [PATCH] mpc85xx: Drop pci aliases to avoid domain changes
-
-As of upstream Linux commit 0fe1e96fef0a ("powerpc/pci: Prefer PCI
-domain assignment via DT 'linux,pci-domain' and alias"), the PCIe
-domain address is no longer numbered by the lowest 16 bits of the PCI
-register address after a fallthrough. Instead of the fallthrough, the
-enumeration process accepts the alias ID (as determined by
-`of_alias_scan()`). This causes e.g.:
-
-9000:00:00.0 PCI bridge: Freescale Semiconductor Inc P1020E (rev 11)
-9000:01:00.0 Network controller: Qualcomm Atheros AR958x 802.11abgn ...
-
-to become
-
-0000:00:00.0 PCI bridge: Freescale Semiconductor Inc P1020E (rev 11)
-0000:01:00.0 Network controller: Qualcomm Atheros AR958x 802.11abgn ...
-
-... which then causes the sysfs path of the netdev to change,
-invalidating the `wifi_device.path`s enumerated in
-`/etc/config/wireless`.
-
-One other solution might be to migrate the uci configuration, as was
-done for mvebu in commit 0bd5aa89fcf2 ("mvebu: Migrate uci config to
-new PCIe path"). However, there are concerns that the sysfs path will
-change once again once some upstream patches[^2][^3] are merged and
-backported (and `CONFIG_PPC_PCI_BUS_NUM_DOMAIN_DEPENDENT` is enabled).
-
-Instead, remove the aliases and allow the fallthrough to continue for
-now. We will provide a migration in a later release.
-
-This was first reported as a Github issue[^1].
-
-[^1]: https://github.com/openwrt/openwrt/issues/10530
-[^2]: https://lore.kernel.org/linuxppc-dev/20220706104308.5390-1-pali@kernel.org/t/#u
-[^3]: https://lore.kernel.org/linuxppc-dev/20220706101043.4867-1-pali@kernel.org/
-
-Fixes: #10530
-Tested-by: Martin Kennedy <hurricos@gmail.com>
-[Tested on the Aerohive HiveAP 330 and Extreme Networks WS-AP3825i]
-Signed-off-by: Martin Kennedy <hurricos@gmail.com>
----
- .../files/arch/powerpc/boot/dts/hiveap-330.dts     | 13 +++++++++++++
- .../mpc85xx/files/arch/powerpc/boot/dts/panda.dts  | 14 ++++++++++++++
- .../files/arch/powerpc/boot/dts/red-15w-rev1.dts   | 14 ++++++++++++++
- .../files/arch/powerpc/boot/dts/tl-wdr4900-v1.dts  | 13 +++++++++++++
- .../files/arch/powerpc/boot/dts/ws-ap3710i.dts     | 13 +++++++++++++
- 6 files changed, 80 insertions(+)
-
-diff --git a/target/linux/mpc85xx/files/arch/powerpc/boot/dts/hiveap-330.dts b/target/linux/mpc85xx/files/arch/powerpc/boot/dts/hiveap-330.dts
-index ccf60eaeed0e1..d6a8da84ef66d 100644
---- a/target/linux/mpc85xx/files/arch/powerpc/boot/dts/hiveap-330.dts
-+++ b/target/linux/mpc85xx/files/arch/powerpc/boot/dts/hiveap-330.dts
-@@ -300,3 +300,16 @@
- 	};
- };
- /include/ "fsl/p1020si-post.dtsi"
-+
-+/*
-+ * For the OpenWrt 22.03 release, since Linux 5.10.138 now uses
-+ * aliases to determine PCI domain numbers, drop aliases so as not to
-+ * change the sysfs path of our wireless netdevs.
-+ */
-+
-+/ {
-+	aliases {
-+		/delete-property/ pci0;
-+		/delete-property/ pci1;
-+	};
-+};
-diff --git a/target/linux/mpc85xx/files/arch/powerpc/boot/dts/panda.dts b/target/linux/mpc85xx/files/arch/powerpc/boot/dts/panda.dts
-index baaa4a43fd559..9be822f7bb8ac 100644
---- a/target/linux/mpc85xx/files/arch/powerpc/boot/dts/panda.dts
-+++ b/target/linux/mpc85xx/files/arch/powerpc/boot/dts/panda.dts
-@@ -265,3 +265,17 @@
- 	};
- };
- /include/ "fsl/p1020si-post.dtsi"
-+
-+/*
-+ * For the OpenWrt 22.03 release, since Linux 5.10.138 now uses
-+ * aliases to determine PCI domain numbers, drop aliases so as not to
-+ * change the sysfs path of our wireless netdevs.
-+ */
-+
-+/ {
-+	aliases {
-+		/delete-property/ pci0;
-+		/delete-property/ pci1;
-+	};
-+};
-+
-diff --git a/target/linux/mpc85xx/files/arch/powerpc/boot/dts/red-15w-rev1.dts b/target/linux/mpc85xx/files/arch/powerpc/boot/dts/red-15w-rev1.dts
-index 1fd6a4aa49713..db35602b94b5b 100644
---- a/target/linux/mpc85xx/files/arch/powerpc/boot/dts/red-15w-rev1.dts
-+++ b/target/linux/mpc85xx/files/arch/powerpc/boot/dts/red-15w-rev1.dts
-@@ -214,3 +214,17 @@
- };
- 
- /include/ "fsl/p1010si-post.dtsi"
-+
-+/*
-+ * For the OpenWrt 22.03 release, since Linux 5.10.138 now uses
-+ * aliases to determine PCI domain numbers, drop aliases so as not to
-+ * change the sysfs path of our wireless netdevs.
-+ */
-+
-+/ {
-+	aliases {
-+		/delete-property/ pci0;
-+		/delete-property/ pci1;
-+	};
-+};
-+
-diff --git a/target/linux/mpc85xx/files/arch/powerpc/boot/dts/tl-wdr4900-v1.dts b/target/linux/mpc85xx/files/arch/powerpc/boot/dts/tl-wdr4900-v1.dts
-index fbe1c0ee705d2..12281808aa5b6 100644
---- a/target/linux/mpc85xx/files/arch/powerpc/boot/dts/tl-wdr4900-v1.dts
-+++ b/target/linux/mpc85xx/files/arch/powerpc/boot/dts/tl-wdr4900-v1.dts
-@@ -302,3 +302,16 @@
- 		/delete-node/ crypto@30000; /* Pulled in by p1010si-post */
- 	};
- };
-+
-+/*
-+ * For the OpenWrt 22.03 release, since Linux 5.10.138 now uses
-+ * aliases to determine PCI domain numbers, drop aliases so as not to
-+ * change the sysfs path of our wireless netdevs.
-+ */
-+
-+/ {
-+	aliases {
-+		/delete-property/ pci0;
-+		/delete-property/ pci1;
-+	};
-+};
-diff --git a/target/linux/mpc85xx/files/arch/powerpc/boot/dts/ws-ap3710i.dts b/target/linux/mpc85xx/files/arch/powerpc/boot/dts/ws-ap3710i.dts
-index c5588d80275e2..5d81da4686413 100644
---- a/target/linux/mpc85xx/files/arch/powerpc/boot/dts/ws-ap3710i.dts
-+++ b/target/linux/mpc85xx/files/arch/powerpc/boot/dts/ws-ap3710i.dts
-@@ -173,3 +173,16 @@
- 
- };
- /include/ "fsl/p1020si-post.dtsi"
-+
-+/*
-+ * For the OpenWrt 22.03 release, since Linux 5.10.138 now uses
-+ * aliases to determine PCI domain numbers, drop aliases so as not to
-+ * change the sysfs path of our wireless netdevs.
-+ */
-+
-+/ {
-+	aliases {
-+		/delete-property/ pci0;
-+		/delete-property/ pci1;
-+	};
-+};

buildscript

@@ -7,9 +7,9 @@ set -o pipefail
 builddir=./build
 
 # OpenWrt: package hashes correspond to core repo version
-OPENWRTREV="v21.02.5"
-PACKAGEREV="0b16e3f359fe9d015861596d63c5bde4c56daa2e"
-ROUTINGREV="25e76489c83cfcee61e36a491896e1e9bfc3ec13"
+OPENWRTREV="v22.03.3"
+PACKAGEREV="2048c5bbf6c482e45b080eef4c1c531936f7f41b"
+ROUTINGREV="1a87333f268bcf0a11e3a665a357cb0d4ec2d680"
 
 # Gluon packages: master from 2020-02-04
 GLUONREV="12e41d0ff07ec54bbd67a31ab50d12ca04f2238c"

src/packages/fff/fff-babel-bird2/files/lib/functions/fff/babeldaemon/bird2

@@ -68,5 +68,5 @@ babel_reload_implementation() {
 }
 
 babel_revert() {
-	rm -r /tmp/bird/fff
+	rm -rf /tmp/bird/fff
 }

src/packages/fff/fff-base/Makefile

@@ -12,8 +12,6 @@ define Package/fff-base
 	URL:=https://www.freifunk-franken.de
 	DEFAULT:=y
 	DEPENDS:= \
-		+iptables \
-		+ip6tables \
 		+micrond \
 		+odhcp6c \
 		+fff-config \

src/packages/fff/fff-firewall/Makefile

@@ -10,11 +10,7 @@ define Package/$(PKG_NAME)
 	CATEGORY:=Freifunk
 	TITLE:=Freifunk-Franken firewall
 	URL:=https://www.freifunk-franken.de
-	DEPENDS:=+arptables \
-			 +ebtables +ebtables-utils \
-			 +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
-			 +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra \
-			 +kmod-nf-conntrack6
+	DEPENDS:=+nftables
 endef
 
 define Package/$(PKG_NAME)/description

src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare

@@ -1,6 +1,3 @@
-######## CLEAN UP ############
-ebtables -F
-ebtables -X
-
-iptables-save  | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }  /COMMIT/ { print $0; }' | iptables-restore
-ip6tables-save | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }  /COMMIT/ { print $0; }' | ip6tables-restore
+nft -f - <<__EOF
+flush ruleset
+__EOF

src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801

@@ -1,5 +1,15 @@
-# Erlaube nur fe80::1 von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-source fe80::1 -j IN_ONLY
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# Erlaube nur fe80::1 von BATMAN -> CLIENT
+		# -p IPv6 --ip6-src fe80::1 -j IN_ONLY
+		ether type ip6 ip6 saddr fe80::1 counter jump IN_ONLY
+	}
 
-# Erlaube nur fe80::1 von KNOTEN -> CLIENT
-ebtables -A INPUT -p IPv6 --ip6-source fe80::1 -j IN_ONLY
+	chain FORWARD {
+		# Erlaube nur fe80::1 von KNOTEN -> CLIENT
+		# -p IPv6 --ip6-src fe80::1 -j IN_ONLY
+		ether type ip6 ip6 saddr fe80::1 counter jump IN_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-layer3-snat/Makefile

@@ -13,7 +13,7 @@ define Package/fff-layer3-snat
 	DEPENDS:= \
 		+fff-firewall \
 		+fff-layer3-config \
-		+kmod-ipt-nat
+		+kmod-nft-nat
 endef
 
 define Package/fff-layer3-snat/description

src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat

@@ -1,4 +1,10 @@
 if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then
-	iptables -t mangle -A PREROUTING -i br-client -j MARK --set-mark 0x736e6174
-	iptables -t nat -A POSTROUTING -m mark --mark 0x736e6174 -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip)
+	nft add table ip mangle
+	nft add chain ip mangle PREROUTING '{ type filter hook prerouting priority mangle; policy accept; }'
+
+	nft add table ip nat
+	nft add chain ip nat POSTROUTING '{ type nat hook postrouting priority srcnat; policy accept; }'
+
+	nft add rule ip mangle PREROUTING iifname "br-client" counter mark set 0x736e6174
+	nft add rule ip nat POSTROUTING meta mark 0x736e6174 counter snat ip to $(uci -q get network.client.fff_snat_sourceip)
 fi

src/packages/fff/fff-layer3/Makefile

@@ -23,22 +23,15 @@ define Package/fff-layer3
 	         +fff-ra \
 	         +fff-web-mqtt \
 	         +fff-wireguard \
-	         +arptables \
 	         +bmon \
-	         +ebtables \
-	         +ebtables-utils \
-	         +kmod-ebtables-ipv4 \
-	         +kmod-ebtables-ipv6 \
 	         +kmod-sched-cake \
 	         +gre \
 	         +@PACKAGE_grev4 \
 	         +@PACKAGE_grev6 \
 	         +iperf3 \
 	         +ip-full \
-	         +iptables-mod-filter \
-	         +iptables-mod-ipopt \
-	         +iptables-mod-conntrack-extra \
 	         +mtr \
+	         +nftables \
 	         +snmp-utils \
 	         +tc \
 	         +tcpdump \

src/packages/fff/fff-layer3/files/usr/lib/firewall.d/10-no-forward-wan

@@ -1,5 +1,10 @@
 # Ensure nothing is forwarded onto WAN interface
 if [ -n "$IF_WAN" ]; then
-	iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
-	ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
+	nft add table ip filter
+	nft add chain ip filter FORWARD '{ type filter hook forward priority filter; policy accept; }'
+	nft add table ip6 filter
+	nft add chain ip6 filter FORWARD '{ type filter hook forward priority filter; policy accept; }'
+
+	nft add rule ip filter FORWARD oifname "$IF_WAN" counter reject with icmp net-unreachable
+	nft add rule ip6 filter FORWARD oifname "$IF_WAN" counter reject with icmpv6 no-route
 fi

src/packages/fff/fff-macnock/Makefile

@@ -11,7 +11,7 @@ PKG_SOURCE_VERSION:=d0bdfdba569934442e9d8bfc01bcc6c3712b6011
 include $(INCLUDE_DIR)/package.mk
 include $(INCLUDE_DIR)/cmake.mk
 
-CMAKE_OPTIONS:=-DMACNOCK_DEBUG=ON
+CMAKE_OPTIONS+=-DMACNOCK_DEBUG=ON
 
 define Package/$(PKG_NAME)
 	SECTION:=base

src/packages/fff/fff-network/mips/network.tplink,archer-c7-v4

@@ -0,0 +1,12 @@
+. /lib/functions/fff/network
+
+WANDEV=eth0
+SWITCHDEV=eth0
+CLIENT_PORTS="4 5 0t"
+WAN_PORTS="1 0t"
+BATMAN_PORTS="2 3 0t"
+
+# use mac address from phy1 with 'locally administered' bit set to '1'
+# only possible, because wXmesh is created first and therefore gets the 'universally administered address'
+
+ETHMESHMAC=$(macFlipLocalBit "$(cat /sys/class/ieee80211/phy1/macaddress)")

src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains

@@ -1,34 +1,44 @@
-######## IN_ONLY ############
-ebtables -N IN_ONLY -P RETURN
+nft -f - <<__EOF
+table bridge filter {
+	# IN_ONLY wird angesprungen, wenn dieses Paket nur
+	# vom Gateway (also vom BATMAN) kommen darf.
+	chain IN_ONLY {
+		# -i ! bat0 --logical-in br-client -j DROP
+		iifname != "bat0" counter drop
+		counter
+	}
 
-# Daten aus dem BATMAN werden erlaubt
-# Alles ausser Daten von BATMAN werden DROP'ed
-ebtables -A IN_ONLY -i ! bat0 --logical-in br-client -j DROP
+	# OUT_ONLY wird angesprungen, wenn dieses Paket nur
+	# in Richtung Gateway (also ins BATMAN) gesendet werden darf.
+	chain OUT_ONLY {
+		# --logical-out br-client -o ! bat0 -j DROP
+		oifname != "bat0" counter drop
+		counter
+	}
 
-######## OUT_ONLY ############
-ebtables -N OUT_ONLY -P RETURN
+	# MULTICAST_OUT filtert/reduziert Multicast-Frames, die ins BATMAN gesendet werden.
+	chain MULTICAST_OUT {
+	}
 
-# Daten ins BATMAN werden erlaubt
-# Alles ausser Daten ins BATMAN werden DROP'ed
-ebtables -A OUT_ONLY --logical-out br-client -o ! bat0 -j DROP
+	chain INPUT {
+		type filter hook input priority filter; policy accept;
 
-######## MULTICAST_OUT ############
-ebtables -N MULTICAST_OUT -P DROP
+		# -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT
+		iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 accept
+	}
 
-######## INPUT ############
-ebtables -P INPUT ACCEPT
+	chain FORWARD {
+		type filter hook forward priority filter; policy accept;
 
-# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
-ebtables -A INPUT -d Multicast --logical-in br-client -i ! bat0 -j ACCEPT
+		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
+		oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
+	}
 
-######## FORWARD ############
-ebtables -P FORWARD ACCEPT
+	chain OUTPUT {
+		type filter hook output priority filter; policy accept;
 
-# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
-ebtables -A FORWARD -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
-
-######## OUTPUT ############
-ebtables -P OUTPUT ACCEPT
-
-# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
-ebtables -A OUTPUT -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
+		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
+		oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/06-disable-forwarding

@@ -1,2 +1,12 @@
-/usr/sbin/iptables -P FORWARD DROP
-/usr/sbin/ip6tables -P FORWARD DROP
+nft -f - <<__EOF
+table ip filter {
+	chain FORWARD {
+		type filter hook forward priority filter; policy drop;
+	}
+}
+table ip6 filter {
+	chain FORWARD {
+		type filter hook forward priority filter; policy drop;
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcp

@@ -1,8 +1,19 @@
-# Erlaube DHCP Requests
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# Erlaube DHCP Requests
+		# -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
+		ether type ip udp dport 67 counter return
+	}
 
-# Erlaube nur DHCP Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+	chain FORWARD {
+		# Erlaube nur DHCP Request von CLIENT -> BATMAN
+		# -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+		ether type ip udp dport 67 counter jump OUT_ONLY
 
-# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+		# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
+		# -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+		ether type ip udp dport 68 counter jump IN_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-dhcpv6

@@ -1,8 +1,19 @@
-# Erlaube DHCPv6 Requests
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# Erlaube DHCPv6 Requests
+		# -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
+		ether type ip6 udp dport 547 counter return
+	}
 
-# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+	chain FORWARD {
+		# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
+		# -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+		ether type ip6 udp dport 547 counter jump OUT_ONLY
 
-# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+		# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
+		# -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+		ether type ip6 udp dport 546 counter jump IN_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/30-client-ra

@@ -1,5 +1,13 @@
-# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+nft -f - <<__EOF
+table bridge filter {
+	chain FORWARD {
+		# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
+		# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+		ether type ip6 icmpv6 type nd-router-solicit counter jump OUT_ONLY
 
-# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
-ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+		# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
+		# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+		ether type ip6 icmpv6 type nd-router-advert counter jump IN_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcp

@@ -1,5 +1,15 @@
-# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
+		# -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
+		ether type ip udp dport 68 counter jump IN_ONLY
+	}
 
-# Erlaube nur DHCP Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+	chain OUTPUT {
+		# Erlaube nur DHCP Request von KNOTEN -> BATMAN
+		# -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
+		ether type ip udp dport 67 counter jump OUT_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-dhcpv6

@@ -1,5 +1,15 @@
-# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
+		# -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
+		ether type ip6 udp dport 546 counter jump IN_ONLY
+	}
 
-# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+	chain OUTPUT {
+		# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
+		# -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
+		ether type ip6 udp dport 547 counter jump OUT_ONLY
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/31-node-ra

@@ -1,11 +1,23 @@
-# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
+		# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+		ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-advert counter jump IN_ONLY
 
-# Verbiete Router-Solicitation von BATMAN -> KNOTEN
-ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
+		# Verbiete Router-Solicitation von BATMAN -> KNOTEN
+		# -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
+		iifname "bat0" ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter drop
+	}
 
-# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+	chain OUTPUT {
+		# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
+		# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+		ether type ip6 icmpv6 type nd-router-solicit counter jump OUT_ONLY
 
-# Verbiete Router-Advertisment von KNOTEN -> BATMAN
-ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
+		# Verbiete Router-Advertisment von KNOTEN -> BATMAN
+		# -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
+		oifname "bat0" ether type ip6 icmpv6 type nd-router-advert counter drop
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc

@@ -1,6 +1,13 @@
-# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
-
-# Erlaube Organisation der Multicast Gruppen
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
+		# -p IPv6 --ip6-proto ip -j RETURN
+		ether type ip6 ip6 nexthdr 0 counter return
 
+		# Erlaube Organisation der Multicast Gruppen
+		# -p IPv4 --ip-proto igmp -j RETURN
+		ether type ip meta l4proto igmp counter return
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-arp

@@ -1,8 +1,17 @@
-# Verbiete ARP Antworten an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# Verbiete ARP Antworten an alle
+		# -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
+		ether type arp arp operation reply arp daddr ip 0.0.0.0 counter drop
 
-# Verbiete ARP Requests an alle
-ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
+		# Verbiete ARP Requests an alle
+		# -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
+		ether type arp arp operation request arp daddr ip 0.0.0.0 counter drop
 
-# Erlaube alle anderen ARP's
-ebtables -A MULTICAST_OUT -p ARP -j RETURN
+		# Erlaube alle anderen ARP's
+		# -p ARP -j RETURN
+		ether type arp counter return
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/35-mc-ping

@@ -1,6 +1,13 @@
-# Erlaube PING
-ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
-
-# Erlaube PINGv6
-ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# Erlaube PING
+		# -p IPv4 --ip-proto icmp -j RETURN
+		ether type ip meta l4proto icmp counter return
 
+		# Erlaube PINGv6
+		# -p IPv6 --ip6-proto ipv6-icmp -j RETURN
+		ether type ip6 meta l4proto icmpv6 counter return
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/36-mc-policy

@@ -0,0 +1,8 @@
+nft -f - <<__EOF
+table bridge filter {
+	chain MULTICAST_OUT {
+		# policy: DROP
+		counter drop
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node

@@ -1,11 +1,30 @@
-# No input from/to local node ip from batman
-ebtables -A INPUT --logical-in br-client -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
-ebtables -A INPUT --logical-in br-client -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# No input from/to local node ip from batman
 
-# Do not forward local node ip
-ebtables -A FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+		# -p IPv6 -i bat0 --logical-in br-client --ip6-src fdff::1 -j DROP
+		iifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+		# -p IPv6 -i bat0 --logical-in br-client --ip6-dst fdff::1 -j DROP
+		iifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+	}
 
-# Do not output local node ip to batman
-ebtables -A OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
-ebtables -A OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+	chain FORWARD {
+		# Do not forward local node ip
+
+		# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
+		oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+		# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
+		oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+	}
+
+	chain OUTPUT {
+		# Do not output local node ip to batman
+
+		# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
+		oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+		# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
+		oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+	}
+}
+__EOF

src/packages/fff/fff-node/files/usr/lib/firewall.d/40-nft-counter

@@ -0,0 +1,15 @@
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		counter
+	}
+
+	chain FORWARD {
+		counter
+	}
+
+	chain OUTPUT {
+		counter
+	}
+}
+__EOF

src/packages/fff/fff-uradvd/files/usr/lib/firewall.d/32-local-ra

@@ -1,5 +1,15 @@
-# Erlaube router solicitation von client zu knoten
-ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+nft -f - <<__EOF
+table bridge filter {
+	chain INPUT {
+		# Erlaube router solicitation von client zu knoten
+		# -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+		iifname != "bat0" ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter accept
+	}
 
-# Erlaube router advertisment von knoten zu client
-ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
+	chain OUTPUT {
+		# Erlaube router advertisment von knoten zu client
+		# -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
+		oifname != "bat0" ether type ip6 icmpv6 type nd-router-advert counter accept
+	}
+}
+__EOF

src/packages/fff/fff-wireless/files/etc/layer3.d/28-wifi

@@ -5,6 +5,22 @@ configure() {
 	essid=$(uci -q get gateway.@client[0].essid)
 	chan2ghz=$(uci -q get gateway.@client[0].chan2ghz)
 	chan5ghz=$(uci -q get gateway.@client[0].chan5ghz)
+	width2ghz=$(uci -q get gateway.@client[0].width2ghz || echo 20)
+	width5ghz=$(uci -q get gateway.@client[0].width5ghz || echo 20)
+
+	if [ "$width2ghz" != 20 ] && [ "$width2ghz" != 40 ]; then
+		echo "ERROR: Invalid 2.4 GHz channel width: $width2ghz. Only 20 and 40 MHz are possible."
+		return 1
+	fi
+
+	if [ "$width5ghz" != 20 ] && [ "$width5ghz" != 40 ] && [ "$width5ghz" != 80 ]; then
+		echo "ERROR: Invalid 5 GHz channel width: $width5ghz. Only 20, 40 and 80 MHz are possible."
+		return 1
+	fi
+
+	if [ "$width2ghz" == 40 ]; then
+		echo "WARNING: Using 40 MHz channel width on 2.4 GHz is highly discouraged and will probably result in worse throughput"
+	fi
 
 	if [ -z "$essid" ]; then
 		echo "WARNING: No ESSID set! WiFi AP is disabled"
@@ -18,23 +34,33 @@ configure() {
 		uci -q del wireless.w${freq}mesh
 		uci -q del wireless.w${freq}configap
 
+		# Get htmode
+		ht=$(uci -q get wireless.${radio}.htmode)
+
 		if [ -n "$essid" ]; then
-			# set channel for 5ghz
+			# set channel and bandwidth for 5ghz
 			if [ "$freq" = "5" ]; then
+				if ! echo "$ht" | grep -q VHT && [ "$width5ghz" == 80 ]; then
+					echo "ERROR: 5 GHz radio does not support 80 MHz channel width"
+					return 1
+				fi
+
 				if [ -z "$chan5ghz" ]; then
 					echo "WARNING: No 5 GHz channel set! Disabling AP on $radio"
 				else
 					uci set wireless.${radio}.channel="$chan5ghz"
+					uci set wireless.${radio}.htmode="${ht%%HT*}HT${width5ghz}"
 					disabled=0
 				fi
 			fi
 
-			# set channel for 2.4ghz
+			# set channel and bandwidth for 2.4ghz
 			if [ "$freq" = "2" ]; then
 				if [ -z "$chan2ghz" ]; then
 					echo "WARNING: No 2.4 GHz channel set! Disabling AP on $radio"
 				else
 					uci set wireless.${radio}.channel="$chan2ghz"
+					uci set wireless.${radio}.htmode="${ht%%HT*}HT${width2ghz}"
 					disabled=0
 				fi
 			fi