+function init_ebtables {
+
+ ebtables -N $FROM
+ ebtables -A FORWARD -i $TAP -j $FROM
+ ebtables -N $TO
+ ebtables -A FORWARD -o $TAP -j $TO
+
+}
+
+
+function setup_ebtables {
+
+ # do not allow changes in ip-mac pair
+ if [ -n "$IP"]; then
+ ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
+ fi
+ ebtables -A $FROM -s \! $MAC -j DROP
+ #accept dhcp responses from host (nfdhcpd)
+ ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
+ # allow only packets from the same mac prefix
+ ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
+}
+
+function setup_masq {
+
+ # allow packets from/to router (for masquerading)
+ # ebtables -A $TO -s $PUBLIC_MAC -j ACCEPT
+ # ebtables -A INPUT -i $TAP -j $FROM
+ # ebtables -A OUTPUT -o $TAP -j $TO
+ return
+
+}
+
+function setup_nfdhcpd {