From: "Linus Lüssing" <linus.luessing@web.de>
To: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n@lists.open-mesh.org>
Subject: Re: [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose
Date: Wed, 12 May 2010 23:02:50 +0200 (CEST)
Message-ID: <21142356.1006178.1273698170378.JavaMail.fmail@mwmweb072>
In-Reply-To: <20100510115755.GA2510@ritirata.org>

Hi Antonio,

>Then I tried to block any kind of packets from a known mac (say MACa).
>
># ebtables -A INPUT -s MACa -j DROP
>
>After this I checked with "batctl o" if I was still able to see the other host, and even waiting a few minutes, the host was still in the list.

I tried it on two routers with ebtables and iptables here, too. I fired away all (redundant and like the forwarding stuff usually even useless) commands that came to my mind that could possibly block ANY traffic at all:
---
ebtables -A INPUT -j DROP
ebtables -A OUTPUT -j DROP
ebtables -A FORWARD -j DROP
ebtables -t broute -A BROUTING -j DROP
ebtables -t nat -A PREROUTING -j DROP
iptables -I INPUT -m physdev --physdev-is-in -j DROP
iptables -I OUTPUT -m physdev --physdev-is-out -j DROP
iptables -I FORWARD -m physdev --physdev-is-bridged -j DROP
---
Of course, no ssh connection and stuff like that and basically no other communication got through... despite batman-adv's OGMs and batping packets, looking at that over a serial console! So it looks like batman-adv is getting hold of the OGMs before any filtering rules of the iptables/ebtables modules can get hold of them.

Additionally, the iptables/ebtables packet counts didn't seem to recognise any packets. 

So it looks like either this is intended and batman-adv is also a very stealthy super-trojan (but couldn't find any proof for this in the source code yet ;) ) or batman-adv is just mistakenly catching them (and maybe even dropping them although the skb-copy should prevent this?) before the kernel or any other (filtering) kernel modules could have a glance at them.

I'm sorry for having said that this should work on IRC before, but filtering (even bridged) ARP/IP packets over bat0 works like a charm - I hadn't tried filtering raw batman-adv ethernet frames yet.

Cheers, Linus
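
The check described in this message (a DROP rule whose counters never move while the peer stays visible), as an added example that is not part of the original mail: it parses `ebtables -L --Lc` output for source-MAC DROP rules with a zero frame count. The sample output, the MAC addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample of `ebtables -L INPUT --Lc` output (not from the original mail).
SAMPLE = """\
Bridge table: filter

Bridge chain: INPUT, entries: 3, policy: ACCEPT
-s 0:11:22:33:44:55 -j DROP , pcnt = 0 -- bcnt = 0
-p ARP -j DROP , pcnt = 37 -- bcnt = 1554
-s ! 0:aa:bb:cc:dd:ee -j DROP , pcnt = 0 -- bcnt = 0
"""

# A rule line followed by its frame (pcnt) and byte (bcnt) counters.
RULE_RE = re.compile(r"^(?P<rule>.+?)\s*,\s*pcnt = (?P<pcnt>\d+) -- bcnt = (?P<bcnt>\d+)\s*$")
# Source-MAC match, optionally negated with "!".
SRC_RE = re.compile(
    r"(?:^|\s)-s\s+(?P<neg>!\s*)?(?P<mac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})")


def norm_mac(mac):
    """Zero-pad and lowercase each octet so padded and unpadded forms compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_drop_rules(text):
    """Return (src_mac, frame_count, rule) for each non-negated '-s MAC ... -j DROP' rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m or not re.search(r"-j DROP\b", m["rule"]):
            continue
        src = SRC_RE.search(m["rule"])
        if src and not src["neg"]:
            rules.append((norm_mac(src["mac"]), int(m["pcnt"]), m["rule"]))
    return rules


def bypassed_rules(text, still_visible):
    """DROP rules that never matched a frame although the peer is still seen.

    still_visible: MACs the operator still observes, e.g. in the originator list.
    """
    visible = {norm_mac(mac) for mac in still_visible}
    return [r for r in parse_drop_rules(text) if r[0] in visible and r[1] == 0]


if __name__ == "__main__":
    for mac, _, rule in bypassed_rules(SAMPLE, ["00:11:22:33:44:55"]):
        print(f"rule never matched but {mac} is still visible: {rule}")
```

A zero counter alone only shows that no frame reached the rule; it indicates the filter is being bypassed only in combination with the peer still being listed.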
