Add filtering of IGMP packets
When a user application registers itself in a multicast group
(IP_ADD_MEMBERSHIP), the underlying kernel mechanism sends appropriate
IGMP packets out. These packets don't contain any information about
credentials, as they are not associated with any socket. This additional
netfilter rule causes this kind of packets to be accepted before they reach
the Nether service. Prior to this change, IGMP packets were accepted by
Nether's default back-end, so this change is only for optimization purposes.
It is worth to mention that an application is not able to send IGMP packets
on its own, because the CAP_NET_RAW capability is required to do that.
Change-Id: Id2b6756f0e5737bed606742d87c5d09f04b6866a
projects / platform / core / security / nether.git / commit