Add filtering of IGMP packets

When a user application registers itself in a multicast group
(IP_ADD_MEMBERSHIP), the underlying kernel mechanism sends appropriate
IGMP packets out. These packets don't contain any information about
credentials, as they are not associated with any socket. This additional
netfilter rule causes this kind of packets to be accepted before they reach
the Nether service. Prior to this change, IGMP packets were accepted by
Nether's default back-end, so this change is only for optimization purposes.
It is worth to mention that an application is not able to send IGMP packets
on its own, because the CAP_NET_RAW capability is required to do that.

Change-Id: Id2b6756f0e5737bed606742d87c5d09f04b6866a

diff --git a/conf/nether.rules b/conf/nether.rules
index 4ef668fe8909841e5ea0f297b8a00672bdf5a392..6207174f6bcdef98b217ef601e9d9d07ebdc1491 100644 (file)
--- a/conf/nether.rules
+++ b/conf/nether.rules
@@ -26,6 +26,7 @@
 :CHECK-LOCALHOST -
 -A INPUT ! -i lo -j SECMARK --selctx System
 -A OUTPUT -o lo -j CHECK-LOCALHOST
+-A OUTPUT -p igmp -j ACCEPT
 -A OUTPUT -m conntrack --ctstate NEW ! --ctstatus CONFIRMED -j NFQUEUE --queue-num 0 --queue-bypass
 -A OUTPUT -p udplite -j NFQUEUE --queue-num 0 --queue-bypass
 -A CHECK-LOCALHOST -p udp --dport 53 -j RETURN