From 429f4314d0d1be69f7500cf7f97671595804fdd0 Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Sun, 19 Jun 2011 19:01:34 +0100
Subject: [PATCH] bookends, classify, local: Fixes for IP multicasting.

  * Allow reception of multicast packets.

  * Ensure that link-local multicasts aren't forwarded. (Though currently no multicasts are forwarded, this isn't necessarily always going to be the case).

  * Turn /off/ iptables filtering of bridged packets. I'm currently taking the view that the bridges are a hack introduced because I can't just plug all of the guests into a physical switch. If I need to do better filtering, I'll either use ebtables or do something more complicated later.
---
 bookends.m4 | 19 +++++++++++++++++++
 classify.m4 | 9 ++++++---
 local.m4 | 7 +++++++
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/bookends.m4 b/bookends.m4
index 8543f05..6ba2827 100644
--- a/bookends.m4
+++ b/bookends.m4
@@ -52,6 +52,13 @@ setopt ip_local_port_range $open_port_min $open_port_max
 ## Deploy SYN-cookies if necessary.
 setopt tcp_syncookies 1
 
+## Turn off iptables filtering for bridges. We'll use ebtables if we need
+## to; but right now the model is that we do filtering at the borders, and
+## are tolerant of things which are local.
+for filter in arptables iptables ip6tables; do
+  run sysctl -q net/bridge/bridge-nf-call-$filter=0
+done
+
 ## Turn on the reverse-path filter, and log weird things.
 setdevopt rp_filter 1
 setdevopt log_martians 1
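Review bot: `run sysctl -q net/bridge/bridge-nf-call-$filter=0` only has an effect if the `net/bridge/*` keys exist when this script runs, i.e. while the kernel's bridge-netfilter code is loaded; `-q` suppresses the missing-key message, but the non-zero exit status still reaches `run`, whose handling of failures is defined outside this hunk. If that code is loaded later, its own default re-enables the hooks, so the "no iptables filtering for bridged frames" state this hunk intends is not guaranteed, and a later loader can silently restore filtering. The comment should state the dependency, e.g. `## NB: these keys exist only while bridge netfilter is loaded; loading it afterwards resets them to 1.` It is also worth noting here that once these are 0 the FORWARD-chain rules later in this file apply to routed traffic only, not to frames crossing a bridge.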
@@ -111,6 +118,18 @@ run ip6tables -A FORWARD -g bad-source-address \
 run ip6tables -A FORWARD -g bad-destination-address \
 	-d fe80::/10
 
+## Also, don't forward link-local broadcast or multicast.
+run iptables -A FORWARD -g bad-destination-address \
+	-d 255.255.255.255
+run iptables -A FORWARD -g bad-destination-address \
+	-m addrtype --dst-type BROADCAST
+run iptables -A FORWARD -g bad-destination-address \
+	-d 224.0.0.0/24
+for x in 0 1 2 3 4 5 6 7 8 9 a b c d e f; do
+  run ip6tables -A FORWARD -g bad-destination-address \
+	-d fe${x}2::/16
+done
+
 m4_divert(90)m4_dnl
 ###--------------------------------------------------------------------------
 ### Finishing touches.
diff --git a/classify.m4 b/classify.m4
index fcb008d..25b1693 100644
--- a/classify.m4
+++ b/classify.m4
@@ -69,11 +69,14 @@ clearchain mangle:local-source
 ## of weird stuff happens on lo, and it's best not to second-guess it.
 run ip46tables -t mangle -A in-classify -i lo -j ACCEPT
 
-## Local bootp packets have bizarre addresses. Don't block them just because
-## of this.
+## Local broadcast and link-local multicast packets sometimes have bizarre
+## addresses. Don't block them just because of this.
 run iptables -t mangle -A in-classify -j RETURN \
 	-s 0.0.0.0 -d 255.255.255.255 \
-	-p udp --source-port $port_bootpc --destination-port $port_bootps
+	-p udp
+run iptables -t mangle -A in-classify -j RETURN \
+	-s 0.0.0.0 -d 224.0.0.0/24 \
+	-p udp
 
 ## Since packets with source and destination addresses both local will go
 ## over the loopback interface, I shouldn't see a packet from me over any
diff --git a/local.m4 b/local.m4
index 0d67a97..4123a77 100644
--- a/local.m4
+++ b/local.m4
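Review bot: The ip6tables loop matches `-d fe${x}2::/16`, which expands to fe02::/16 … fef2::/16 — unicast/reserved space — rather than the link-local multicast prefixes; IPv6 multicast is ff00::/8, with the second nibble holding the flag bits and the third the scope, so link-local multicast is ff02::/16, ff12::/16, … fff2::/16. As written the loop blocks none of the multicast traffic the commit message says it prevents forwarding, and the iterations fe82/fe92/fea2/feb2 merely duplicate the `-d fe80::/10` rule two lines above. The one-character fix is `-d ff${x}2::/16`. The IPv4 rules are fine for link-local scope; the comment might say `## (224.0.0.0/24 and ffx2::/16 are the link-local multicast ranges.)` so the next reader does not have to rederive it.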
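Review bot: Dropping `--source-port $port_bootpc --destination-port $port_bootps` widens the in-classify RETURN from BOOTP/DHCP to every UDP datagram sent from 0.0.0.0 to the limited broadcast, and the new 224.0.0.0/24 rule carries the same unrestricted `-p udp`; the rewritten comment only says such packets "sometimes have bizarre addresses" without naming the traffic that is being exempted. If DHCP is still the only reason for the broadcast exemption, keeping `--destination-port $port_bootps` on the first rule preserves the previous tightness; if other discovery protocols are meant, the comment should list them. What in-classify does to packets that are not RETURNed is outside the hunk, so how much this loosening matters cannot be judged from here.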
@@ -128,6 +128,13 @@ run iptables -A inbound -j ACCEPT \
 	-s 172.29.198.0/23 \
 	-p udp --source-port $port_bootpc --destination-port $port_bootps
 
+## Incoming broadcast multicast on a network interface associated with the
+## trusted network is OK, since it must have originated there (or been
+## forwarded, but we don't do that yet).
+run iptables -A inbound -j ACCEPT \
+	-s 0.0.0.0 -d 224.0.0.0/24 \
+	-i $if_trusted
+
 ## Allow incoming ping. This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp
 
-- 
2.11.0
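Review bot: The new ACCEPT rule has no `-p` match, so it admits any IP protocol from 0.0.0.0 to 224.0.0.0/24 arriving on `$if_trusted`, whereas the neighbouring BOOTP rule in the context above is restricted to UDP and a port pair. If the traffic in mind is UDP discovery (and IGMP, which is not UDP), two narrower rules — `-p udp` and `-p igmp` — state that intent and keep the rest of the protocol space closed. The comment's "broadcast multicast" is also ambiguous; `## link-local multicast (224.0.0.0/24) with an unspecified source` describes what the rule matches. Note that because of `-s 0.0.0.0` this does not admit multicast from hosts that already have an address; whether an earlier rule in `inbound` covers that is not visible in this hunk.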