Unverified Commit 090bcda7 authored by Matthias Schiffer

gluon-ebtables-filter-multicast: block packets with Gluon VXLAN multicast destination

An incorrectly connected node may send wired-mesh packets to another
node's client port. For raw batman-adv, such frames are filtered by
batman-adv, but this does not work with VXLAN encapsulation.

While such packets are not flooded through the mesh because of the
batman-adv noflood flag, they may still reach another node that is
connected in the same incorrect way, which could result in loops and
other connectivity issues.

Filter out packets sent to our VXLAN multicast group address to avoid
such problems.

Fixes #3025
parent 373e2b8e
rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::1/128 -j DROP') rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::1/128 -j DROP')
rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::15c/128 -j DROP') -- Gluon VXLAN multicast group
rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff00::/8 -j mark --set-mark 0x4 --mark-target RETURN') rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff00::/8 -j mark --set-mark 0x4 --mark-target RETURN')
rule ('MULTICAST_OUT -j DROP') rule ('MULTICAST_OUT -j DROP')
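Review bot: the added MULTICAST_OUT rule hard-codes ff02::15c and matches on the destination address alone, while its trailing comment names the group without saying why it is dropped. Because the match is not restricted to VXLAN UDP traffic, every IPv6 packet to that group that traverses MULTICAST_OUT is discarded; if that is intended, state it in the comment, for example `-- Gluon VXLAN multicast group: drop wired-mesh frames arriving on a client port (#3025)`. The rule also only takes effect because it sits before the `ff00::/8 ... --mark-target RETURN` rule, which would otherwise match ff02::15c first, so a short note on the ordering would keep a later reorder from silently disabling the filter.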
  • Nico @nrb mentioned in commit 7303e846