30 lines
1.1 KiB
ReStructuredText
30 lines
1.1 KiB
ReStructuredText
gluon-nftables-limit-arp
|
|
========================
|
|
|
|
The *gluon-nftables-limit-arp* package adds filters to limit the
|
|
amount of ARP requests client devices are allowed to send into the
|
|
mesh.
|
|
|
|
The limits per client device, identified by its MAC address, are
|
|
6 packets per minute and 1 per second per node in total.
|
|
A burst of up to 50 ARP requests is allowed until the rate-limiting
|
|
takes effect (see ``--limit-burst`` in ``nftables(8)``).
|
|
|
|
Furthermore, ARP requests for a target IP already present in the
|
|
batman-adv DAT cache are excluded from rate-limiting, in regard
|
|
to both counting and filtering, as batman-adv will be able
|
|
to respond locally without a burden for the mesh. Therefore, this
|
|
limiter should not affect popular target IP addresses, like those
|
|
of gateways or nameservers.
|
|
|
|
However it mitigates the impact on the mesh when a larger range of
|
|
its IPv4 subnet is being scanned, which would otherwise result in
|
|
a significant amount of ARP chatter, even for unused IP addresses.
|
|
|
|
This package is installed by default if the selected routing
|
|
feature is *mesh-batman-adv-15*.
|
|
It can be unselected via::
|
|
|
|
GLUON_SITE_PACKAGES := \
|
|
-gluon-nftables-limit-arp
|