From bc15b6c8101edec5dca358c597cd2f3fbe2399d3 Mon Sep 17 00:00:00 2001
From: Leo Krueger
Date: Mon, 14 Sep 2015 23:31:34 +0200
Subject: [PATCH] gluon-ebtables-filter-multicast: drop icmpv6 type 128 & 139, drop icmp in a layer 2 mesh network, multicast pings cause a lot of traffic in the network, significantly increasing the 'backgroudn noise' (= Grundrauschen) and stressing nodes in the network. this commit blacklists all icmpv4 multicast traffic as well as multicast icmpv6 echo-requests and node iformation queries. as no application depending on these types of multicast traffic is known, blacklisting is safe.
---
 .../files/lib/gluon/ebtables/110-mcast-allow-icmp | 1 -
 .../files/lib/gluon/ebtables/110-mcast-allow-icmpv6 | 5 ++++-
 2 files changed, 4 insertions(+), 2 deletions(-)
 delete mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
deleted file mode 100644
index 25a95f39..00000000
--- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
index a7b67414..8d3b7ec2 100644
--- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
@@ -1,2 +1,5 @@
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol 0 -j RETURN' -- hop-by-hop
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j DROP'
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j DROP'
 rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN'
+
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol 0 -j RETURN' -- hop-by-hop
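Review bot: The two new DROP rules only take effect because they are placed before the generic `--ip6-protocol ipv6-icmp -j RETURN` line, and nothing in the file records that ordering dependency; a later reorder (the hop-by-hop RETURN is moved within this very hunk) would silently re-allow the multicast pings this commit suppresses. A comment above the first DROP such as `-- order matters: these DROPs must precede the generic ipv6-icmp RETURN below` would make the dependency explicit. The bare `139` next to the symbolic `echo-request` also deserves a trailing comment, e.g. `-- 139: ICMPv6 Node Information Query (RFC 4620)`, so the type is recognisable without a lookup. Remaining ICMPv6 multicast traffic, including MLD, is still accepted by the unchanged RETURN line, which is consistent with the commit description.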