bookends, classify, local: Fixes for IP multicasting.

  * Allow reception of multicast packets.

  * Ensure that link-local multicasts aren't forwarded.  (Though
    currently no multicasts are forwarded, this isn't necessarily always
    going to be the case).

  * Turn /off/ iptables filtering of bridged packets.  I'm currently
    taking the view that the bridges are a hack introduced because I
    can't just plug all of the guests into a physical switch.  If I need
    to do better filtering, I'll either use ebtables or do something
    more complicated later.

diff --git a/bookends.m4 b/bookends.m4
index 8543f05..6ba2827 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -52,6 +52,13 @@ setopt ip_local_port_range $open_port_min $open_port_max
 ## Deploy SYN-cookies if necessary.
 setopt tcp_syncookies 1
 
+## Turn off iptables filtering for bridges.  We'll use ebtables if we need
+## to; but right now the model is that we do filtering at the borders, and
+## are tolerant of things which are local.
+for filter in arptables iptables ip6tables; do
+  run sysctl -q net/bridge/bridge-nf-call-$filter=0
+done
+
 ## Turn on the reverse-path filter, and log weird things.
 setdevopt rp_filter 1
 setdevopt log_martians 1
@@ -111,6 +118,18 @@ run ip6tables -A FORWARD -g bad-source-address \
 run ip6tables -A FORWARD -g bad-destination-address \
        -d fe80::/10
 
+## Also, don't forward link-local broadcast or multicast.
+run iptables -A FORWARD -g bad-destination-address \
+       -d 255.255.255.255
+run iptables -A FORWARD -g bad-destination-address \
+       -m addrtype --dst-type BROADCAST
+run iptables -A FORWARD -g bad-destination-address \
+       -d 224.0.0.0/24
+for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
+  run ip6tables -A FORWARD -g bad-destination-address \
+       -d fe${x}2::/16
+done
+
 m4_divert(90)m4_dnl
 ###--------------------------------------------------------------------------
 ### Finishing touches.

diff --git a/classify.m4 b/classify.m4
index fcb008d..25b1693 100644 (file)
--- a/classify.m4
+++ b/classify.m4
@@ -69,11 +69,14 @@ clearchain mangle:local-source
 ## of weird stuff happens on lo, and it's best not to second-guess it.
 run ip46tables -t mangle -A in-classify -i lo -j ACCEPT
 
-## Local bootp packets have bizarre addresses.  Don't block them just because
-## of this.
+## Local broadcast and link-local multicast packets sometimes have bizarre
+## addresses.  Don't block them just because of this.
 run iptables -t mangle -A in-classify -j RETURN \
        -s 0.0.0.0 -d 255.255.255.255 \
-       -p udp --source-port $port_bootpc --destination-port $port_bootps
+       -p udp
+run iptables -t mangle -A in-classify -j RETURN \
+       -s 0.0.0.0 -d 224.0.0.0/24 \
+       -p udp
 
 ## Since packets with source and destination addresses both local will go
 ## over the loopback interface, I shouldn't see a packet from me over any

diff --git a/local.m4 b/local.m4
index 0d67a97..4123a77 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -128,6 +128,13 @@ run iptables -A inbound -j ACCEPT \
        -s 172.29.198.0/23 \
        -p udp --source-port $port_bootpc --destination-port $port_bootps
 
+## Incoming broadcast multicast on a network interface associated with the
+## trusted network is OK, since it must have originated there (or been
+## forwarded, but we don't do that yet).
+run iptables -A inbound -j ACCEPT \
+       -s 0.0.0.0 -d 224.0.0.0/24 \
+       -i $if_trusted
+
 ## Allow incoming ping.  This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp