diff --git a/gluon/gluon-ebtables-filter-multicast/Makefile b/gluon/gluon-ebtables-filter-multicast/Makefile
new file mode 100644
index 0000000..93b7f9a
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/Makefile
@@ -0,0 +1,40 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-filter-multicast
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-ebtables-filter-multicast
+ SECTION:=gluon
+ CATEGORY:=Gluon
+ TITLE:=Ebtables filters for multicast packets
+ DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-filter-multicast/description
+ Gluon community wifi mesh firmware framework: Ebtables filters for multicast packets
+
+ These filters drop non-essential multicast traffic before it enters the mesh.
+
+ Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
+endef
+
+define Build/Prepare
+ mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-filter-multicast/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-filter-multicast))
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain
new file mode 100644
index 0000000..93382f3
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain
@@ -0,0 +1 @@
+chain MULTICAST_OUT DROP
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp
new file mode 100644
index 0000000..fdb20b1
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p ARP -j RETURN
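Review bot: The package description's protocol list in the Makefile hunk omits IGMP, even though this same commit installs 110-mcast-allow-igmp, which RETURNs IGMP from the MULTICAST_OUT chain; the description is the only place an operator sees what the filter permits onto the mesh, so it should match the installed rule files. Suggested wording: `Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, IGMP, BitTorrent local peer discovery, BABEL and OSPF`. Adding a sentence that everything else destined to a multicast MAC on bat0 is dropped by the chain's DROP policy (100-mcast-chain) would make the filter's effect explicit.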
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-babel b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-babel
new file mode 100644
index 0000000..096ae50
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-babel
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-btlpd b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-btlpd
new file mode 100644
index 0000000..9776157
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-btlpd
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv4 b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv4
new file mode 100644
index 0000000..440107a
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv4
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv6 b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv6
new file mode 100644
index 0000000..1b523ec
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv6
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j RETURN
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
new file mode 100644
index 0000000..e52e5c7
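Review bot: The DHCPv6 allow rule in 110-mcast-allow-dhcpv6 matches destination port 546, but client Solicit/Request messages are sent to ff02::1:2 on UDP 547 (546 is the client-side port, used for unicast Advertise/Reply from servers and relays), so client multicast requests leaving for the mesh would fall through to the chain's DROP policy; the IPv4 counterpart in 110-mcast-allow-dhcpv4 correctly uses the server port 67, which suggests the two DHCPv6 ports were swapped. The line should read `rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j RETURN`. The same swap appears in 200-dir-dhcpv6 of gluon-ebtables-filter-ra-dhcp, where port 546 is sent to OUT_ONLY and 547 to IN_ONLY, the inverse of the IPv4 file (67 → OUT_ONLY, 68 → IN_ONLY); as written, replies from a DHCPv6 server on the client network (dst 546) would be permitted out onto the mesh, which is what that package's description says it prevents, while legitimate solicitations would be dropped. If the port choice is deliberate, a short comment in both files explaining why would prevent a later "fix" in the wrong direction.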
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
new file mode 100644
index 0000000..7c50ff5
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp
new file mode 100644
index 0000000..521af56
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-ospf b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-ospf
new file mode 100644
index 0000000..6e54075
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-ospf
@@ -0,0 +1,2 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN
+rule MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN
diff --git a/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast
new file mode 100644
index 0000000..00ff642
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast
@@ -0,0 +1,2 @@
+rule FORWARD --logical-out br-freifunk -o bat0 -d Multicast -j MULTICAST_OUT
+rule OUTPUT --logical-out br-freifunk -o bat0 -d Multicast -j MULTICAST_OUT
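Review bot: The two jump rules in 300-mcast match `--logical-out br-freifunk`, while the directional rules in gluon-ebtables (101-dir-rules, which this package depends on) use `br-client`; if the client bridge is in fact br-client, neither rule ever matches and the MULTICAST_OUT chain is installed but unreachable, so multicast leaves for bat0 unfiltered with no error to indicate the filter is inactive. Presumably one of the two bridge names is stale — assuming br-client is the current one, the lines should read `rule FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT` and `rule OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT`. A one-line comment at the top of the file naming which bridge the rules are expected to match would make a future rename easier to catch.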
diff --git a/gluon/gluon-ebtables-filter-ra-dhcp/Makefile b/gluon/gluon-ebtables-filter-ra-dhcp/Makefile
new file mode 100644
index 0000000..ea6a737
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-ra-dhcp/Makefile
@@ -0,0 +1,39 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-filter-ra-dhcp
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-ebtables-filter-ra-dhcp
+ SECTION:=gluon
+ CATEGORY:=Gluon
+ TITLE:=Ebtables filters for Router Advertisement and DHCP packets
+ DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-filter-ra-dhcp/description
+ Gluon community wifi mesh firmware framework: Ebtables filters for Router Advertisement and DHCP packets
+
+ These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
+ client network, and not vice-versa.
+endef
+
+define Build/Prepare
+ mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-filter-ra-dhcp/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-filter-ra-dhcp))
diff --git a/gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4 b/gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4
new file mode 100644
index 0000000..8771ee1
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4
@@ -0,0 +1,5 @@
+rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
+rule OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
+
+rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
+rule INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
diff --git a/gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv6 b/gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv6
new file mode 100644
index 0000000..234e54e
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv6
@@ -0,0 +1,5 @@
+rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
+rule OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
+
+rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
+rule INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
diff --git a/gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-radv b/gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-radv
new file mode 100644
index 0000000..c725703
--- /dev/null
+++ b/gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-radv
@@ -0,0 +1,5 @@
+rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+rule OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+rule INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
diff --git a/gluon/gluon-ebtables/files/lib/gluon/ebtables/.keep b/gluon/gluon-ebtables/files/lib/gluon/ebtables/.keep
deleted file mode 100644
index e69de29..0000000
diff --git a/gluon/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain b/gluon/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain
new file mode 100644
index 0000000..99908dc
--- /dev/null
+++ b/gluon/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain
@@ -0,0 +1,2 @@
+chain IN_ONLY RETURN
+chain OUT_ONLY RETURN
diff --git a/gluon/gluon-ebtables/files/lib/gluon/ebtables/101-dir-rules b/gluon/gluon-ebtables/files/lib/gluon/ebtables/101-dir-rules
new file mode 100644
index 0000000..6c8f44c
--- /dev/null
+++ b/gluon/gluon-ebtables/files/lib/gluon/ebtables/101-dir-rules
@@ -0,0 +1,2 @@
+rule IN_ONLY --logical-in br-client -i ! bat0 -j DROP
+rule OUT_ONLY --logical-out br-client -o ! bat0 -j DROP