Select Git revision
gluon-ebtables-segment-mld.rst
-
Linus Lüssing authoredThis patch adds a new gluon-ebtables package to filter IGMP/MLD messages via ebtables. For one thing this reduces multicast overhead: About one third of all ICMPv6 multicast traffic in Lübeck or Hamburg is MLD. Furthermore it removes a potential Distributed Denial-of-Service vector (see Gluon ticket #553). Finally, it is a prerequisite for enabling bridge multicast snooping in a decentral and robust fashion. Note that IGMP/MLD are filtered for multicast traffic coming from the mesh, too (new MULTICAST_IN), as unfortunately there seem to be other queriers somewhere in the mesh at least for Freifunk Lübeck. Also adding these rules to be prepared to anyone intentionally or unintentionally disabling these filters on his/her node. Node operators not running Gluon (for instance gateway nodes) should make sure to either enable multicast_router towards bat0 or disable multicast snooping entirely if they have a bridge on top of bat0. Signed-off-by:
Linus Lüssing <linus.luessing@c0d3.blue>Linus Lüssing authoredThis patch adds a new gluon-ebtables package to filter IGMP/MLD messages via ebtables. For one thing this reduces multicast overhead: About one third of all ICMPv6 multicast traffic in Lübeck or Hamburg is MLD. Furthermore it removes a potential Distributed Denial-of-Service vector (see Gluon ticket #553). Finally, it is a prerequisite for enabling bridge multicast snooping in a decentral and robust fashion. Note that IGMP/MLD are filtered for multicast traffic coming from the mesh, too (new MULTICAST_IN), as unfortunately there seem to be other queriers somewhere in the mesh at least for Freifunk Lübeck. Also adding these rules to be prepared to anyone intentionally or unintentionally disabling these filters on his/her node. Node operators not running Gluon (for instance gateway nodes) should make sure to either enable multicast_router towards bat0 or disable multicast snooping entirely if they have a bridge on top of bat0. Signed-off-by:Linus Lüssing <linus.luessing@c0d3.blue>
gluon-ebtables-segment-mld.rst 752 B
gluon-ebtables-segment-mld
These filters drop IGMP/MLD packets before they enter the mesh and filter any IGMP/MLD packets coming from the mesh.
IGMP/MLD have the concept of a local, elected Querier. For more decentralization and increased robustness, the idea of this package is to split the IGMP/MLD domain a querier is responsible for, allowing to have a querier per node. The split IGMP/MLD domain will also reduce overhead for this packet type, increasing scalability.
Beware of the consequences of using this package though: You might need to explicitly, manually mark ports on snooping switches leading towards your mesh node as multicast router ports for now (Multicast Router Discovery, MRD, not implemented yet).