From: "Linus Lüssing" <linus.luessing@web.de>
To: The list for a Better Approach To Mobile Ad-hoc Networking <b.a.t.m.a.n@lists.open-mesh.org>
Subject: Re: [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose
Date: Wed, 12 May 2010 23:02:50 +0200 (CEST)
Message-ID: <21142356.1006178.1273698170378.JavaMail.fmail@mwmweb072>
In-Reply-To: <20100510115755.GA2510@ritirata.org>
Hi Antonio,
>Then I tried to block any kind of packets from a known mac (say MACa).
>
># ebtables -A INPUT -s MACa -j DROP
>
>After this I checked with "battctl o" if I was still able to see the other host, and even waiting a few minutes, the host was still in the list.
I tried it on two routers with ebtables and iptables here, too. I fired away all the (redundant, and like the forwarding stuff usually even useless) commands that came to my mind that could possibly block ANY traffic at all:
---
ebtables -A INPUT -j DROP
ebtables -A OUTPUT -j DROP
ebtables -A FORWARD -j DROP
ebtables -t broute -A BROUTING -j DROP
ebtables -t nat -A PREROUTING -j DROP
iptables -I INPUT -m physdev --physdev-is-in -j DROP
iptables -I OUTPUT -m physdev --physdev-is-out -j DROP
iptables -I FORWARD -m physdev --physdev-is-bridged -j DROP
---
Of course, no ssh connection and stuff like that and basically no other communication got through... except for batman-adv's OGMs and batping packets, as seen over a serial console! So it looks like batman-adv is getting hold of the OGMs before any filtering rules of the iptables/ebtables modules can get hold of them.
Additionally, the iptables/ebtables packet counts didn't seem to recognise any packets.
So it looks like either this is intended and batman-adv is also a very stealthy super-trojan (but couldn't find any proof for this in the source code yet ;) ) or batman-adv is just mistakenly catching them (and maybe even dropping them although the skb-copy should prevent this?) before the kernel or any other (filtering) kernel modules could have a glance at them.
I'm sorry for having said on IRC before that this should work, but filtering (even bridged) ARP/IP packets over bat0 works like a charm - I hadn't tried filtering raw batman-adv ethernet frames yet.
Cheers, Linus
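The test described in this thread (drop a neighbour's frames, then watch `batctl o` to see whether its OGMs still arrive) is easy to get wrong by eye, because an originator stays listed for a long purge timeout even after its OGMs stop. The following script is an added example, not part of the thread or of batman-adv/batctl; it parses the originator table and decides from the last-seen column whether OGMs from a given MAC are still being received. The sample output is constructed here, and the column layout it assumes (MAC, last-seen in seconds, TQ in parentheses) is an assumption about the `batctl o` format of that era, so adjust the regex to your batctl version.

```python
import re

# Constructed sample of `batctl o` output (not copied from the thread; the
# column layout is an assumption, check it against your batctl version).
SAMPLE_BATCTL_O = """\
[B.A.T.M.A.N. adv 2010.0.0, MainIF/MAC: eth0/02:ba:de:af:fe:00 (bat0)]
  Originator      last-seen (#/255)           Nexthop [outgoingIF]:   Potential nexthops ...
02:ba:de:af:fe:01    0.270s   (255) 02:ba:de:af:fe:01 [      eth0]: 02:ba:de:af:fe:01 (255)
02:ba:de:af:fe:02  184.530s   ( 12) 02:ba:de:af:fe:01 [      eth0]: 02:ba:de:af:fe:01 ( 12)
"""

# One originator row: MAC, last-seen seconds, TQ value in parentheses.
ORIG_ROW = re.compile(
    r'^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+\.\d+)s\s+\(\s*(\d+)\)', re.I)


def parse_originators(text):
    """Map lowercase originator MAC -> (last_seen_seconds, tq)."""
    table = {}
    for line in text.splitlines():
        m = ORIG_ROW.match(line.strip())
        if m:
            table[m.group(1).lower()] = (float(m.group(2)), int(m.group(3)))
    return table


def classify(text, mac, ogm_interval_s=1.0, tolerance=5):
    """Decide whether OGMs from `mac` are still getting through.

    batman-adv emits an OGM roughly every ogm_interval_s (1s default).  If the
    originator was last seen within a few intervals, the filter is not
    effective.  If it is still listed but last-seen has grown well beyond that,
    OGMs have stopped and the entry is merely waiting for the purge timeout.
    """
    table = parse_originators(text)
    entry = table.get(mac.lower())
    if entry is None:
        return "absent"          # already purged (or never seen)
    last_seen, _tq = entry
    if last_seen < ogm_interval_s * tolerance:
        return "still receiving"  # filter rule is not catching the OGMs
    return "blocked"              # stale entry, no fresh OGMs


if __name__ == "__main__":
    for mac in ("02:ba:de:af:fe:01", "02:ba:de:af:fe:02", "02:ba:de:af:fe:99"):
        print(mac, classify(SAMPLE_BATCTL_O, mac))
```

In practice you would feed it the live output (`batctl o`) once a minute or so after inserting the ebtables rule; a verdict that stays at "still receiving" for longer than a few OGM intervals confirms the observation above that the rule never sees the frames, which is also what the zero packet counters on the ebtables/iptables rules indicate.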
Thread overview: 15+ messages
2010-05-08 17:07 [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose Antonio Quartulli
2010-05-09 17:47 ` Marek Lindner
2010-05-10 11:57 ` Antonio Quartulli
2010-05-12 21:02 ` Linus Lüssing [this message]
2010-05-13 16:38 ` Antonio Quartulli
2010-05-16 19:37 ` Marek Lindner
2010-05-16 21:27 ` Antonio Quartulli
2010-05-16 22:53 ` Marek Lindner
2010-05-17 7:20 ` Antonio Quartulli
2010-05-19 1:25 ` [B.A.T.M.A.N.] [PATCH] batman-adv: Adding netfilter-bridge hooks Linus Lüssing
2010-05-21 8:21 ` Antonio Quartulli
2010-05-21 10:17 ` Linus Lüssing
2010-05-21 18:45 ` Antonio Quartulli
2010-05-22 10:51 ` Marek Lindner
2010-05-25 23:56 ` Linus Lüssing