4199b216c6
This patch adds a new gluon-ebtables package to filter IGMP/MLD messages via ebtables. For one thing this reduces multicast overhead: About one third of all ICMPv6 multicast traffic in Lübeck or Hamburg is MLD. Furthermore it removes a potential Distributed Denial-of-Service vector (see Gluon ticket #553). Finally, it is a prerequisite for enabling bridge multicast snooping in a decentral and robust fashion. Note that IGMP/MLD are filtered for multicast traffic coming from the mesh, too (new MULTICAST_IN), as unfortunately there seem to be other queriers somewhere in the mesh at least for Freifunk Lübeck. Also adding these rules to be prepared for anyone intentionally or unintentionally disabling these filters on his/her node. Node operators not running Gluon (for instance gateway nodes) should make sure to either enable multicast_router towards bat0 or disable multicast snooping entirely if they have a bridge on top of bat0. Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
#!/bin/sh /etc/rc.common
|
|
# Copyright (C) 2013 Project Gluon
|
|
#
|
|
# Firewall script for inserting and removing ebtables rules.
|
|
#
|
|
# Example format, for filtering any IPv4 multicast packets to the SSDP UDP port:
|
|
# rule FORWARD --logical-out br-client -d Multicast -p IPv4 --ip-protocol udp --ip-destination-port 5355 -j DROP
|
|
#
|
|
# Removing all rules:
|
|
# $ ./firewall-ebtables stop
|
|
# Inserting all rules:
|
|
# $ ./firewall-ebtables start
|
|
# Inserting a specific rule file:
|
|
# $ ./firewall-ebtables start /lib/gluon/ebtables/100-mcast-chain
|
|
# Removing a specific rule file:
|
|
# $ ./firewall-ebtables stop /lib/gluon/ebtables/100-mcast-chain
|
|
|
|
|
|
START=19
|
|
STOP=91
|
|
|
|
|
|
exec_file() {
|
|
local file="$1"
|
|
|
|
/usr/bin/lua -e "
|
|
function rule(command, table)
|
|
table = table or 'filter'
|
|
os.execute($EBTABLES_RULE)
|
|
end
|
|
function chain(name, policy, table)
|
|
table = table or 'filter'
|
|
os.execute($EBTABLES_CHAIN)
|
|
end
|
|
|
|
" "$file"
|
|
}
|
|
|
|
exec_all() {
|
|
local sort_arg="$1"
|
|
|
|
local old_ifs="$IFS"
|
|
IFS='
|
|
'
|
|
for file in `find /lib/gluon/ebtables -type f | sort $sort_arg`; do
|
|
exec_file "$file"
|
|
done
|
|
IFS="$old_ifs"
|
|
}
|
|
|
|
|
|
start() {
|
|
(
|
|
export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command'
|
|
export EBTABLES_CHAIN='"ebtables -t " .. table .. " -N " .. name .. " -P " .. policy'
|
|
|
|
if [ -z "$1" ]; then
|
|
exec_all ''
|
|
else
|
|
exec_file "$1"
|
|
fi
|
|
)
|
|
}
|
|
|
|
stop() {
|
|
(
|
|
export EBTABLES_RULE='"ebtables -t " .. table .. " -D " .. command'
|
|
export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name'
|
|
|
|
if [ -z "$1" ]; then
|
|
exec_all '-r'
|
|
else
|
|
exec_file "$1"
|
|
fi
|
|
)
|
|
}
|
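Review bot: `rule()` and `chain()` in exec_file discard the status of `os.execute`, and neither exec_file nor exec_all ever returns non-zero, so `start` reports success even when an `ebtables -A` fails and the IGMP/MLD filter this commit relies on for its DoS mitigation is silently absent. A small fix is to have the helpers write the failing command to stderr and, in start mode only (stop must keep going past "rule does not exist" errors from `-D`/`-X`), leave the interpreter with `os.exit(1)`, using the same env-var injection the script already uses for EBTABLES_RULE: `start` exports `EBTABLES_ONFAIL='os.exit(1)'`, `stop` exports `EBTABLES_ONFAIL=''`, and exec_all collects the per-file status with `exec_file "$file" || rv=1` and returns it. Note that `os.execute` returns a numeric status under Lua 5.1 but `true`/`nil` under 5.2+, so the `~= 0` comparison below needs to be confirmed against the interpreter the target ships. Since the rule files are run as Lua code with this init script's privileges, a header comment above exec_file such as `# Rule files are executed as Lua with this script's privileges; only package-installed files belong in /lib/gluon/ebtables.` would also be worth adding.
```sh
exec_file() {
	local file="$1"

	/usr/bin/lua -e "
	function rule(command, table)
		table = table or 'filter'
		if os.execute($EBTABLES_RULE) ~= 0 then
			io.stderr:write('ebtables rule failed: ' .. command .. '\n')
			$EBTABLES_ONFAIL
		end
	end
	-- … unchanged: chain(), with the same check on its os.execute …
	" "$file"
}

exec_all() {
	local sort_arg="$1"
	local rv=0
	# … unchanged: IFS handling …
	for file in `find /lib/gluon/ebtables -type f | sort $sort_arg`; do
		exec_file "$file" || rv=1
	done
	# … unchanged: IFS restore …
	return $rv
}

start() {
	(
		export EBTABLES_ONFAIL='os.exit(1)'
		# … unchanged: EBTABLES_RULE/EBTABLES_CHAIN exports and file dispatch …
	)
}
```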