gluon-ebtables-filter-multicast: drop icmpv6 type 128 & 139, drop icmp

in a layer 2 mesh network, multicast pings cause a lot of traffic in the network, significantly increasing the 'backgroudn noise' (= Grundrauschen) and stressing nodes in the network. this commit blacklists all icmpv4 multicast traffic as well as multicast icmpv6 echo-requests and node iformation queries. as no application depending on these types of multicast traffic is known, blacklisting is safe.
2015-09-14 23:31:34 +02:00 · 2015-09-14 23:31:34 +02:00 · bc15b6c810
parent a6a281f545
commit bc15b6c810
2 changed files with 4 additions and 2 deletions
--- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN'
--- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
@ -1,2 +1,5 @@
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol 0 -j RETURN' -- hop-by-hop
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j DROP'
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j DROP'
 rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN'
+
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol 0 -j RETURN' -- hop-by-hop
				`@ -1 +0,0 @@`
				`rule 'MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN'`