Skip to content
Snippets Groups Projects
Select Git revision
  • testbuild
  • v2020.2.x-ffbs-next
  • v2021.1.x-ffbs-next
  • v2019.1.x-ffbs
  • v2020.1.x-ffbs-next
  • v2019.1.x-ffbs-next
  • dnat
  • master default protected
  • v2018.2.x-ffbs
  • v2018.2.2.1-ffbs
  • topic/wireguard_respondd
  • v2018.1.x-ffbs
  • v2017.1.x
  • v2020.2.3.6-ffbs-next
  • v2020.2.3.5-ffbs-next
  • v2020.2.3.4-ffbs-next
  • v2020.2.3.3-ffbs-next
  • v2020.2.3.2-ffbs-next
  • v2020.2.3.1-ffbs-next
  • v2020.2.3.0-ffbs-next
  • v2020.2.3
  • v2020.2.2.2-ffbs-next
  • v2020.2.2.1-ffbs-next
  • v2020.2.2-ffbs-next
  • v2020.2.2
  • v2020.2.1.2-ffbs-next
  • v2019.1.3-ffbs
  • v2019.1.3
  • v2020.2.1.1-ffbs-next
  • v2020.2.1
  • v2020.1.4
  • v2019.1.2.1-ffbs
  • v2020.2
33 results
Search by author
  • Any Author
  • darkbit darkbit
1 author
  1. Jun 18, 2019
  3. Jun 09, 2019
  5. Apr 13, 2018
  7. Mar 08, 2018
  9. Mar 07, 2018
  11. Dec 27, 2017
  13. Jul 08, 2017
  15. Jul 10, 2016
  17. May 20, 2016
    • Linus Lüssing's avatar
      ebtables-segment-mld: Segment IGMP/MLD domain · 4199b216
      Linus Lüssing authored 
      
This patch adds a new gluon-ebtables package to filter IGMP/MLD messages
via ebtables.

For one thing this reduces multicast overhead: About one third of all
ICMPv6 multicast traffic in Lübeck or Hamburg is MLD.

Furthermore it removes a potential Distributed Denial-of-Service vector
(see Gluon ticket #553).

Finally, it is a prerequisite for enabling bridge multicast snooping in
a decentral and robust fashion.

Note that IGMP/MLD are filtered for multicast traffic coming from
the mesh, too (new MULTICAST_IN), as unfortunately there seem to
be other queriers somewhere in the mesh at least for Freifunk
Lübeck. Also adding these rules to be prepared to anyone intentionally
or unintentionally disabling these filters on his/her node.

Node operators not running Gluon (for instance gateway nodes) should
make sure to either enable multicast_router towards bat0 or disable
multicast snooping entirely if they have a bridge on top of bat0.

Signed-off-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      4199b216
    • Linus Lüssing's avatar
      ebtables-filter-mcast: Remove redundant allow-filter for hop-by-hop · 8e891b2c
      Linus Lüssing authored 
      
ebtables actually skips any IPv6 extension headers like the hop-by-hop
one. So this rule is actually void.

The intend back then was to allow passing MLD messages into the mesh.
Since extension headers are skipped, the general icmpv6 rule will
actually match MLD messages. So the hop-by-hop rule is unnecessary,
too.

Signed-off-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      8e891b2c
  19. Nov 12, 2015
    • Leo Krueger's avatar
      gluon-ebtables-filter-multicast: drop icmpv6 type 128 & 139, drop icmp · bc15b6c8
      Leo Krueger authored 
      in a layer 2 mesh network, multicast pings cause a lot of traffic in the
network, significantly increasing the 'backgroudn noise' (= Grundrauschen)
and stressing nodes in the network.

this commit blacklists all icmpv4 multicast traffic as well as multicast
icmpv6 echo-requests and node iformation queries. as no application
depending on these types of multicast traffic is known, blacklisting is safe.
      bc15b6c8
  21. Mar 16, 2015
  23. Feb 09, 2015
  25. Nov 13, 2014
  27. Oct 19, 2014
    • ohrensessel's avatar
      Fix ebtables dhcpv6 rules · 15adcae3
      ohrensessel authored 
      the ports were interchanged, see the following packet flow:

client:546 --> [ff02::1:2]:547
server:547 --> client:546

therefore we need to allow outgoing multicast packets with dst-port 547
and unicast packets from bat0 to clients with dst-port 546 and 547 in the other direction
      15adcae3
  29. May 14, 2014
  31. Jan 11, 2014
  33. Jan 10, 2014