-
Linus Lüssing authoredThis patch adds a new gluon-ebtables package to filter IGMP/MLD messages via ebtables. For one thing this reduces multicast overhead: About one third of all ICMPv6 multicast traffic in Lübeck or Hamburg is MLD. Furthermore it removes a potential Distributed Denial-of-Service vector (see Gluon ticket #553). Finally, it is a prerequisite for enabling bridge multicast snooping in a decentral and robust fashion. Note that IGMP/MLD are filtered for multicast traffic coming from the mesh, too (new MULTICAST_IN), as unfortunately there seem to be other queriers somewhere in the mesh at least for Freifunk Lübeck. Also adding these rules to be prepared to anyone intentionally or unintentionally disabling these filters on his/her node. Node operators not running Gluon (for instance gateway nodes) should make sure to either enable multicast_router towards bat0 or disable multicast snooping entirely if they have a bridge on top of bat0. Signed-off-by:
Linus Lüssing <linus.luessing@c0d3.blue>Linus Lüssing authoredThis patch adds a new gluon-ebtables package to filter IGMP/MLD messages via ebtables. For one thing this reduces multicast overhead: About one third of all ICMPv6 multicast traffic in Lübeck or Hamburg is MLD. Furthermore it removes a potential Distributed Denial-of-Service vector (see Gluon ticket #553). Finally, it is a prerequisite for enabling bridge multicast snooping in a decentral and robust fashion. Note that IGMP/MLD are filtered for multicast traffic coming from the mesh, too (new MULTICAST_IN), as unfortunately there seem to be other queriers somewhere in the mesh at least for Freifunk Lübeck. Also adding these rules to be prepared to anyone intentionally or unintentionally disabling these filters on his/her node. Node operators not running Gluon (for instance gateway nodes) should make sure to either enable multicast_router towards bat0 or disable multicast snooping entirely if they have a bridge on top of bat0. Signed-off-by:Linus Lüssing <linus.luessing@c0d3.blue>
Loading