nhrpd: Document how to block redirected multicast packets

author Reuben Dowle <reuben.dowle@4rf.com>

Tue, 9 Mar 2021 00:52:23 +0000 (13:52 +1300)

committer Reuben Dowle <reuben.dowle@4rf.com>

Mon, 5 Apr 2021 21:23:42 +0000 (09:23 +1200)
author Reuben Dowle <reuben.dowle@4rf.com>
Tue, 9 Mar 2021 00:52:23 +0000 (13:52 +1300)
committer Reuben Dowle <reuben.dowle@4rf.com>
Mon, 5 Apr 2021 21:23:42 +0000 (09:23 +1200)
diff --git a/doc/user/nhrpd.rst b/doc/user/nhrpd.rst

index c7c4975aee5f3340d9851c68753a0707ad5839a4..cbbc2dc10a5d56ecf5c724cd552bcfd11928bd51 100644 (file)
--- a/doc/user/nhrpd.rst
+++ b/doc/user/nhrpd.rst
@@ -189,11 +189,14 @@ nhrpd can be configured to forward multicast packets, allowing routing
  protocols that use multicast (such as OSPF) to be supported in the DMVPN
  network.
  
-This support requires an NFLOG redirection rule to work:
+This support requires an iptables NFLOG rule to allow nhrpd to intercept
+multicast packets. A second iptables rule is also usually used to drop the
+original multicast packet.
  
   .. code-block:: shell
  
-   iptables -I OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2
+   iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2
+   iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j DROP
  
  .. index::  nhrp multicast-nflog-group (1-65535)
  .. clicmd:: nhrp multicast-nflog-group (1-65535)
author	Reuben Dowle <reuben.dowle@4rf.com>
	Tue, 9 Mar 2021 00:52:23 +0000 (13:52 +1300)
committer	Reuben Dowle <reuben.dowle@4rf.com>
	Mon, 5 Apr 2021 21:23:42 +0000 (09:23 +1200)