Ebtables - disable dhcp from a device

Hi All, I have looked through the help topics but it seems that something is missing to make the following work.

ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables -A FORWARD --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP

The result of any of these is:

Unable to update the kernel. Two possible causes:
1. Multiple ebtables programs were executing simultaneously. The ebtables
   userspace tool doesn't by default support multiple ebtables programs running
   concurrently. The ebtables option --concurrent or a tool like flock can be
   used to support concurrent scripts that update the ebtables kernel tables.
2. The kernel doesn't support a certain ebtables extension, consider
   recompiling your kernel or insmod the extension.

Some googling suggests that maybe ebt_ip is missing? I have the following:

root@OpenWrt:/etc/config# ls /lib/modules/5.10.134/ebt*
/lib/modules/5.10.134/ebt_802_3.ko       /lib/modules/5.10.134/ebt_stp.ko
/lib/modules/5.10.134/ebt_among.ko       /lib/modules/5.10.134/ebt_vlan.ko
/lib/modules/5.10.134/ebt_limit.ko       /lib/modules/5.10.134/ebtable_broute.ko
/lib/modules/5.10.134/ebt_mark.ko        /lib/modules/5.10.134/ebtable_filter.ko
/lib/modules/5.10.134/ebt_mark_m.ko      /lib/modules/5.10.134/ebtable_nat.ko
/lib/modules/5.10.134/ebt_pkttype.ko     /lib/modules/5.10.134/ebtables.ko
/lib/modules/5.10.134/ebt_redirect.ko

Or maybe I am too old and there is a better way to disable DHCP over a device that is part of an interface. Basically I don't want to get DHCP requests on my interface from my VPN device.

Using OpenWrt 22.03.0-rc6, r19590-042d558536

Thanks for any help

22.03 is using nftables, which should replace iptables and ebtables.

You need to specifically install ebtables-nft, not ebtables.

OK, thanks for the pointer. I seem to now be running into another problem:

root@OpenWrt:~# ebtables-nft -A INPUT --in-interface tap0 --protocol ipv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
ebtables v1.8.7 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain INPUT

Not the most useful error message, and nothing in dmesg.

I have done the following for the moment, which seems to work:

opkg install kmod-br-netfilter
opkg install iptables-mod-physdev

cat << EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
EOF
/etc/init.d/sysctl restart

root@OpenWrt:~# iptables -A INPUT -i br-lan -m physdev --physdev-in tap0 -p udp --dport 67:68 --sport 67:68 -j DROP
root@OpenWrt:~# iptables -A INPUT -i br-lan -m physdev --physdev-out tap0 -p udp --dport 67:68 --sport 67:68 -j DROP
root@OpenWrt:~# iptables -A FORWARD -i br-lan -m physdev --physdev-out tap0 -p udp --dport 67:68 --sport 67:68 -j DROP
root@OpenWrt:~# iptables -A FORWARD -i br-lan -m physdev --physdev-in tap0 -p udp --dport 67:68 --sport 67:68 -j DROP

I am guessing there is some overlap in the rules.
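As an added example (not from the thread, and not OpenWrt project code), here is a small POSIX sh script that installs the physdev-based DHCP block from the post above in an idempotent way: each rule is checked with `iptables -C` before it is appended with `-A`, so re-running the script (or a hotplug hook) does not stack duplicate rules. It only matches frames entering the bridge from the tap port (`--physdev-in`), which is the stated goal of keeping DHCP traffic from the VPN device off the LAN, and it first checks that `bridge-nf-call-iptables` is on, because without br_netfilter the physdev match never sees bridged frames. The interface names `br-lan` and `tap0` and the `IPTABLES` override are assumptions for this example; adjust them to your setup.

```shell
#!/bin/sh
# Added example: idempotent DHCP block for one bridge port via iptables physdev.
# Assumed names (override via environment): bridge br-lan, bridge port tap0.
IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be dry-run or tested
BRIDGE="${BRIDGE:-br-lan}"
PORT="${PORT:-tap0}"

# check_bridge_nf [path]: succeeds only when br_netfilter hooks bridged IPv4
# frames into iptables (net.bridge.bridge-nf-call-iptables=1).
check_bridge_nf() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# ensure_rule CHAIN RULE...: append the rule only if it is not already present.
ensure_rule() {
    chain=$1; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        return 0                       # already installed, nothing to do
    fi
    "$IPTABLES" -A "$chain" "$@"
}

# block_dhcp_from_port: drop DHCP (UDP 67/68 either way) entering the bridge
# from $PORT, both when it is addressed to the router itself (INPUT, e.g. the
# local dnsmasq) and when it would be bridged on to other LAN hosts (FORWARD).
block_dhcp_from_port() {
    for chain in INPUT FORWARD; do
        ensure_rule "$chain" -i "$BRIDGE" -m physdev --physdev-in "$PORT" \
            -p udp --sport 67:68 --dport 67:68 -j DROP
    done
}

# Only touch the live firewall when explicitly asked: ./dhcp-block.sh apply
case "${1:-}" in
    apply)
        if ! check_bridge_nf; then
            echo "bridge-nf-call-iptables is not 1; physdev rules would not match" >&2
            exit 1
        fi
        block_dhcp_from_port
        ;;
esac
```

Run it as `sh dhcp-block.sh apply` after the sysctl change; running it twice leaves exactly two rules in place. The `-C` probe is what makes the difference from the plain `-A` lines in the post: every reboot or script re-run would otherwise add another copy of each rule.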

Looking at the example here: Bridge Firewall

I am guessing I can get the same result with:

# Deny DHCP on lan from device TAP0 to OTHERS
uci -q delete firewall.lan_tap0
uci set firewall.lan_tap0="rule"
uci set firewall.lan_tap0.name="Deny-DHCP-TAP0"
uci set firewall.lan_tap0.src="lan"
uci set firewall.lan_tap0.dest="lan"
uci set firewall.lan_tap0.extra="-m physdev --physdev-in tap0 --physdev-out tap0"
uci set firewall.lan_tap0.proto="udp"
uci set firewall.lan_tap0.src_port="67 68"
uci set firewall.lan_tap0.dest_port="67 68"
uci set firewall.lan_tap0.target="DROP"
uci commit firewall
/etc/init.d/firewall restart