From b9f86e1d83216a604e78f98fa5ee484ab84def4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?=
Date: Mon, 1 May 2023 19:34:51 +0200
Subject: [PATCH] gluon-radv-filterd: migrate to nftables
---
 package/gluon-radv-filterd/Makefile | 2 +-
 .../luasrc/lib/gluon/ebtables/400-radv-filterd | 3 ---
 .../lib/gluon/nftables/400-radv-filterd.lua | 15 +++++++++++++++
 3 files changed, 16 insertions(+), 4 deletions(-)
 delete mode 100644 package/gluon-radv-filterd/luasrc/lib/gluon/ebtables/400-radv-filterd
 create mode 100644 package/gluon-radv-filterd/luasrc/lib/gluon/nftables/400-radv-filterd.lua
diff --git a/package/gluon-radv-filterd/Makefile b/package/gluon-radv-filterd/Makefile
index 4cab8960..0015d5ee 100644
--- a/package/gluon-radv-filterd/Makefile
+++ b/package/gluon-radv-filterd/Makefile
@@ -6,7 +6,7 @@ include ../gluon.mk
 define Package/gluon-radv-filterd
 TITLE:=Filter IPv6 router advertisements
- DEPENDS:=+gluon-ebtables +libgluonutil +libbatadv +libnl-tiny
+ DEPENDS:=+gluon-nftables +libgluonutil +libbatadv +libnl-tiny
 endef
 MAKE_VARS += \
diff --git a/package/gluon-radv-filterd/luasrc/lib/gluon/ebtables/400-radv-filterd b/package/gluon-radv-filterd/luasrc/lib/gluon/ebtables/400-radv-filterd
deleted file mode 100644
index 178084d4..00000000
--- a/package/gluon-radv-filterd/luasrc/lib/gluon/ebtables/400-radv-filterd
+++ /dev/null
@@ -1,3 +0,0 @@
-chain('RADV_FILTER', 'DROP')
-rule 'FORWARD -p IPv6 -i bat0 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j RADV_FILTER'
-rule 'RADV_FILTER -j ACCEPT'
diff --git a/package/gluon-radv-filterd/luasrc/lib/gluon/nftables/400-radv-filterd.lua b/package/gluon-radv-filterd/luasrc/lib/gluon/nftables/400-radv-filterd.lua
new file mode 100644
index 00000000..0e516b36
--- /dev/null
+++ b/package/gluon-radv-filterd/luasrc/lib/gluon/nftables/400-radv-filterd.lua
@@ -0,0 +1,15 @@
+bridge_table('pre', [[set radv_allow {
+ type ether_addr
+}
+
+set radv_filter {
+ type ether_addr
+}
+]])
+
+-- This rule starts filtering once the address is in radv_filter
+
+-- Daemon adds 00:00:../ff:ff:.. to radv_filter (todo) so everything gets picked up,
+-- effectivly turning radv_filter into a bool
+
+bridge_rule('FORWARD', 'ether saddr @radv_filter iifname "bat0" icmpv6 type nd-router-advert ether saddr != @radv_allow drop')
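Review bot: The new `bridge_rule` never matches while `radv_filter` is empty, and the hunk marks the daemon change that would populate it as "(todo)", so after this commit every router advertisement from bat0 is forwarded and nothing in the file says that this fail-open state is the intended "no router chosen yet" behaviour (the removed `RADV_FILTER -j ACCEPT` default had the same effect, but there the chain policy was `DROP` once the daemon replaced that rule). The comment above the rule should state the contract explicitly, e.g. `-- Filtering is disabled while radv_filter is empty (all RAs from bat0 are forwarded); the daemon enables it by inserting a catch-all element and, presumably, keeps the selected router's MAC in radv_allow so only its RAs pass.` The shorthand `00:00:../ff:ff:..` is ambiguous — spell out the exact element the daemon will insert and confirm that a plain `type ether_addr` set accepts a masked element at all; if it does not, the set needs `flags interval` or the gating should be a separate switch, and that matters because a rejected insert leaves the filter silently disabled. Minor: `effectivly` → `effectively`, and the rule reads more naturally with the cheap `iifname "bat0"` match first, before the set lookups.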