From 090bcda76ec02c23e4fa847d11556d09eccc4d99 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Thu, 10 Apr 2025 19:52:30 +0200
Subject: [PATCH] gluon-ebtables-filter-multicast: block packets with Gluon
 VXLAN multicast destination

An incorrectly connected node may send wired-mesh packets to another
node's client port. For raw batman-adv, such frames are filtered by
batman-adv, but this does not work with VXLAN encapsulation.

While such packets are not flooded through the mesh because of the
batman-adv noflood flag, they may still reach another node that is
connected in the same incorrect way, which could result in loops and
other connectivity issues.

Filter out packets sent to our VXLAN multicast group address to avoid
such problems.

Fixes #3025
---
 .../luasrc/lib/gluon/ebtables/355-mcast-drop                     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
index a47dda7eb..32f011b6e 100644
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
+++ b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
@@ -1,3 +1,4 @@
 rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::1/128 -j DROP')
+rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::15c/128 -j DROP') -- Gluon VXLAN multicast group
 rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff00::/8 -j mark --set-mark 0x4 --mark-target RETURN')
 rule ('MULTICAST_OUT -j DROP')
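Review bot: The added `ff02::15c/128` rule hard-codes the VXLAN group address, and its trailing comment does not say that the literal must stay in sync with the group the wired-mesh VXLAN interface is configured with. If that address (presumably defined elsewhere in the tree, not visible in this hunk) ever changes, the filter stops matching without any error and the loop protection is silently lost. I would expand the comment to something like `-- must equal the wired-mesh VXLAN group; drops mis-cabled mesh frames arriving on client ports (#3025)`. The match is on destination address alone, with no UDP or port qualifier, which looks intentional for a group reserved to Gluon but is worth stating in the same comment. VXLAN frames sent unicast to an already-learned peer address would not match this rule; that is probably harmless if peers are only ever learned through the multicast group, but the assumption should be confirmed.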
-- 
GitLab