From 7303e846c10ccb9edced56a971ac5e3c930420bf Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Thu, 10 Apr 2025 19:52:30 +0200
Subject: [PATCH] gluon-ebtables-filter-multicast: block packets with Gluon
 VXLAN multicast destination

An incorrectly connected node may send wired-mesh packets to another
node's client port. For raw batman-adv, such frames are filtered by
batman-adv, but this does not work with VXLAN encapsulation.

While such packets are not flooded through the mesh because of the
batman-adv noflood flag, they may still reach another node that is
connected in the same incorrect way, which could result in loops and
other connectivity issues.

Filter out packets sent to our VXLAN multicast group address to avoid
such problems.

Fixes #3025

(cherry picked from commit 090bcda76ec02c23e4fa847d11556d09eccc4d99)
---
 .../luasrc/lib/gluon/ebtables/355-mcast-drop                     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
index a47dda7eb..32f011b6e 100644
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
+++ b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
@@ -1,3 +1,4 @@
 rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::1/128 -j DROP')
+rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::15c/128 -j DROP') -- Gluon VXLAN multicast group
 rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff00::/8 -j mark --set-mark 0x4 --mark-target RETURN')
 rule ('MULTICAST_OUT -j DROP')
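Review bot: The new rule on the second line of the hunk hard-codes the VXLAN group address `ff02::15c`, which must stay in sync with whatever value the VXLAN interface setup uses elsewhere in the tree (not visible here); if that address is ever derived from a shared constant or site configuration, consider referencing it from there instead of duplicating the literal, or at least state the coupling in the comment, e.g. `-- Gluon VXLAN multicast group; must match the group used by the VXLAN mesh interface setup`. The drop lives in `MULTICAST_OUT` only, so it presumably stops this node from emitting frames for the group toward client ports, while frames arriving on a client port addressed to `ff02::15c` would still reach the local VXLAN endpoint unless another chain handles them — worth confirming that the ingress side is covered, since the commit message describes the incorrectly connected node as the sender. Rule order matters here because the following `ff00::/8` rule would otherwise mark and return the same packets; placing the drop before it is correct, and a short note saying so would help future edits keep it that way.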