gluon/package/gluon-ebtables-limit-arp/Makefile
Linus Lüssing 98c6bd245e gluon-mesh-batman-adv: unconditionally rate limit ARP
With a reasoning similar to "gluon-ebtables: unconditionally segment
IGMP/MLD" also make the ARP rate limiting mandatory.

It turned out to be very common that there is a client device with
an application scanning the IP subnet, causing congestion and high
load for any community which did not add the gluon-ebtables-limit-arp
package yet.

Therefore just always add gluon-ebtables-limit-arp via a dependency.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
2018-06-13 14:53:02 +02:00


include $(TOPDIR)/rules.mk

PKG_NAME:=gluon-ebtables-limit-arp
PKG_VERSION:=1
PKG_RELEASE:=1

include ../gluon.mk

define Package/gluon-ebtables-limit-arp
  TITLE:=Ebtables limiter for ARP packets
  DEPENDS:=+gluon-core +gluon-ebtables \
	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_LIMIT \
	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_MARK \
	+@GLUON_SPECIALIZE_KERNEL:KERNEL_BRIDGE_EBT_MARK_T
endef

define Package/gluon-ebtables-limit-arp/description
	Gluon community wifi mesh firmware framework: Ebtables rules to
	rate-limit ARP packets.

	This package adds filters to limit the amount of ARP Requests
	devices are allowed to send into the mesh. The limits are 6 packets
	per minute per client device, by MAC address, and 1 per second per
	node in total.

	A burst of up to 50 ARP Requests is allowed until the rate-limiting
	takes effect (see --limit-burst in the ebtables manpage).

	Furthermore, ARP Requests with a target IP already present in the
	batman-adv DAT Cache are excluded from the rate-limiting,
	both regarding counting and filtering, as batman-adv will respond
	locally with no burden for the mesh. Therefore, this limiter
	should not affect popular target IPs, like gateways.

	However it should mitigate the problem of curious people or
	smart devices scanning the whole IP range. Which could create
	a significant amount of overhead for all participants so far.
endef

define Package/gluon-ebtables-limit-arp/install
	$(Gluon/Build/Install)

	$(INSTALL_DIR) $(1)/usr/sbin/
	$(CP) $(PKG_BUILD_DIR)/gluon-arp-limiter $(1)/usr/sbin/gluon-arp-limiter
endef

$(eval $(call BuildPackageGluon,gluon-ebtables-limit-arp))
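
The limits stated in the package description, modelled as an added Python example (not Gluon's own code or its ebtables rules), show how far a subnet scan gets before it is throttled. Assumptions: the ebtables limit match is modelled as a credit bucket that starts full, the burst of 50 applies to both limits, the per-client limit is checked before the node-wide one, and all MAC and IP addresses are constructed.

```python
"""Model of the ARP limits in the package description (constructed example)."""


class LimitMatch:
    """Credit-based model of an ebtables --limit/--limit-burst match, in integer ms."""

    def __init__(self, interval_ms, burst):
        self.interval_ms = interval_ms          # time needed to earn one packet
        self.cap = interval_ms * burst          # a full bucket holds `burst` packets
        self.credit = self.cap
        self.last_ms = 0

    def allow(self, now_ms):
        # Earn credit for the elapsed time, never beyond the burst cap.
        self.credit = min(self.cap, self.credit + now_ms - self.last_ms)
        self.last_ms = now_ms
        if self.credit < self.interval_ms:
            return False
        self.credit -= self.interval_ms
        return True


class ArpLimiter:
    def __init__(self, dat_cache, burst=50):
        self.dat_cache = set(dat_cache)         # target IPs batman-adv answers locally
        self.burst = burst
        self.per_client = {}                    # source MAC -> LimitMatch (6 per minute)
        self.node_total = LimitMatch(1_000, burst)   # 1 per second for the whole node

    def forward(self, now_ms, src_mac, target_ip):
        """Return True if this ARP Request would be let into the mesh."""
        if target_ip in self.dat_cache:
            return True                         # neither counted nor filtered
        client = self.per_client.setdefault(src_mac, LimitMatch(10_000, self.burst))
        # Assumption: the per-client limit is evaluated before the node-wide one.
        return client.allow(now_ms) and self.node_total.allow(now_ms)


def simulate_scan(step_ms=100):
    """Constructed input: one client ARP-scans 10.0.0.1-254, one request per step_ms."""
    limiter = ArpLimiter(dat_cache={"10.0.0.1"})    # the gateway is in the DAT cache
    results = [limiter.forward(i * step_ms, "02:00:00:00:00:01", f"10.0.0.{i + 1}")
               for i in range(254)]
    return results.count(True), results.count(False)


if __name__ == "__main__":
    print("forwarded=%d dropped=%d" % simulate_scan())
```

In this model the scanner's first 50 requests pass on the burst allowance, after which only one request per 10 seconds reaches the mesh, while requests for the cached gateway address are never dropped.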