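# Base bridge-filter ruleset tying the client bridge (br-client) to the
# batman-adv mesh interface (bat0).  The old ebtables form of each rule is
# kept as a comment above its nftables equivalent.
#
# Only the base chains INPUT/FORWARD/OUTPUT are hooked here.  IN_ONLY and
# OUT_ONLY are regular chains and nothing in this script jumps to them, so
# they are presumably referenced from other rule scripts — confirm.
#
# The heredoc delimiter is quoted so the shell does no parameter/command
# expansion on the nft script (the ruleset contains no "$", backticks or
# backslashes, so the output is unchanged).
#
# NOTE(review): "nft -f" with a table block adds to an already existing
# table, so re-running this script appends every rule a second time unless
# the table is flushed or deleted first — confirm how the callers handle it.
nft -f - <<'__EOF'
table bridge filter {
	# IN_ONLY is jumped to when this frame may only come in from the
	# gateway (i.e. from BATMAN): anything that enters br-client from an
	# interface other than bat0 is dropped.
	chain IN_ONLY {
		# -i ! bat0 --logical-in br-client -j DROP
		iifname != "bat0" ibrname "br-client" counter drop
		# counts the frames that passed the check above
		counter
	}

	# OUT_ONLY is jumped to when this frame may only be sent out towards
	# the gateway (i.e. into BATMAN): anything that leaves br-client on an
	# interface other than bat0 is dropped.
	chain OUT_ONLY {
		# --logical-out br-client -o ! bat0 -j DROP
		oifname != "bat0" obrname "br-client" counter drop
		# counts the frames that passed the check above
		counter
	}

	# MULTICAST_OUT filters/reduces multicast frames that are sent into BATMAN.
	# Empty in this script; presumably populated elsewhere — confirm.
	chain MULTICAST_OUT {
	}

	chain INPUT {
		type filter hook input priority filter; policy accept;

		# -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT
		# The group bit (lowest bit of the first destination octet) marks a
		# multicast/broadcast destination.  A plain "counter" is used for
		# consistency with OUTPUT; "counter packets 0 bytes 0" was a ruleset
		# dump artifact and initialises the counter to the same value.
		iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 ibrname "br-client" counter accept
	}

	chain FORWARD {
		type filter hook forward priority filter; policy accept;

		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
		oifname "bat0" obrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
	}

	chain OUTPUT {
		type filter hook output priority filter; policy accept;

		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
		oifname "bat0" obrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
	}
}
__EOF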