From 38958671c3d456e4b16f31ef237aa53c49c04734 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Linus=20L=C3=BCssing?=
Date: Tue, 26 Mar 2024 21:07:15 +0100
Subject: [PATCH] gluon-ebtables: don't filter incoming MLD Reports with brmldproxy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If there is no multicast router behind a bridge port then the Linux bridge multicast snooping code itself will refrain from forwarding a report, as recommended/required by RFC4541 ("Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches). So these rules are in most cases redundant. On the other hand, removing them allows to actually run an IPv6 multicast router behind a Gluon node. Since OpenWrt 23.05 it will allow detecting multicast routers via Multicast Router Discovery (RFC4286). And removing these ebtables rules will allow a layer 3 multicast router to then receive MLD reports from the mesh properly and by that to learn about others listeners in the mesh. These incoming MLD report filtering rules are only removed when gluon-mesh-batman-adv-brmldproxy is installed, to avoid any other functional changes otherwise.

Signed-off-by: Linus Lüssing
---
 .../lib/gluon/ebtables/105-mcast-drop-igmp-mld | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld
index 3b1ecab3b4..dbd93c00b2 100644
--- a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld
+++ b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld
@@ -1,5 +1,14 @@
 local site = require 'gluon.site'
 
+local function file_exists(file)
+ local f = io.open(file)
+ if not f then
+ return false
+ end
+ f:close()
+ return true
+end
+
 rule('MULTICAST_IN -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP', 'nat')
 rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP')
 
@@ -14,7 +23,10 @@ if site.mesh.filter_membership_reports(true) then
 rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP') -- MLDv1 Done
 rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP') -- MLDv2 Report
 
- rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report
- rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP', 'nat') -- MLDv1 Done
- rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 Report
+ # only install if gluon-mesh-batman-adv-brmldproxy is not
+ if not file_exists("/lib/gluon/upgrade/400-brmldproxy") then
+ rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report
+ rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP', 'nat') -- MLDv1 Done
+ rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 Report
+ end
 end
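Review bot: The new `file_exists` helper in the first hunk carries no comment, and its result decides whether filter rules are installed, so its contract should be written down. `io.open` only shows that the path can be opened for reading, which is weaker than "a regular file from the expected package is present". A header such as `-- true if the path can be opened for reading; used to detect an optional package by a file it ships` would make that explicit. If the tree already provides an access- or stat-style check, using it would be more consistent than a hand-rolled open/close, though that cannot be confirmed from this hunk.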
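Review bot: The added line `# only install if gluon-mesh-batman-adv-brmldproxy is not` in the second hunk is not a Lua comment: `#` is the length operator, so Lua will reject the file when it is loaded, and depending on how the loader handles a broken rule file none of the IGMP/MLD drop rules in it may be installed. It should read `-- only install if gluon-mesh-batman-adv-brmldproxy is not installed`, which also completes the truncated sentence. Separately, keying a filtering decision on the presence of `/lib/gluon/upgrade/400-brmldproxy` ties the rule set to another package's file layout, so a rename there would silently bring the ingress drops back and any stray file at that path would remove them; the coupling deserves a comment in both packages. With the three `MULTICAST_IN_ICMPV6` drops gone the node relies on bridge multicast snooping to hold reports back, as the commit message says, so it is worth stating what is expected when snooping is disabled. The enclosing `if site.mesh.filter_membership_reports(true) then` block starts outside the hunk.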