From: Reuben Dowle Date: Tue, 9 Mar 2021 00:52:23 +0000 (+1300) Subject: nhrpd: Document how to block redirected multicast packets X-Git-Tag: base_8.0~145^2~9 X-Git-Url: https://git.puffer.fish/?a=commitdiff_plain;h=ab9ad933d087676b4fb78f558ffa4469e5df1b03;p=matthieu%2Ffrr.git nhrpd: Document how to block redirected multicast packets Signed-off-by: Reuben Dowle --- diff --git a/doc/user/nhrpd.rst b/doc/user/nhrpd.rst index c7c4975aee..cbbc2dc10a 100644 --- a/doc/user/nhrpd.rst +++ b/doc/user/nhrpd.rst @@ -189,11 +189,14 @@ nhrpd can be configured to forward multicast packets, allowing routing protocols that use multicast (such as OSPF) to be supported in the DMVPN network. -This support requires an NFLOG redirection rule to work: +This support requires an iptables NFLOG rule to allow nhrpd to intercept +multicast packets. A second iptables rule is also usually used to drop the +original multicast packet. .. code-block:: shell - iptables -I OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2 + iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2 + iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j DROP .. index:: nhrp multicast-nflog-group (1-65535) .. clicmd:: nhrp multicast-nflog-group (1-65535)
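Review bot: In the nhrpd.rst hunk at line 189, the example changes the NFLOG rule from `-I OUTPUT` to `-A OUTPUT`, and the text does not say that the two rules are now order-sensitive. With `-A`, both rules land at the end of the OUTPUT chain, so any earlier terminating rule that matches 224.0.0.0/24 on gre1 means the packet never reaches NFLOG and nhrpd sees nothing. The pair also only works because NFLOG is a non-terminating target and is listed before DROP; a reader who reverses them, or inserts the DROP with `-I`, silently breaks multicast forwarding. Suggest adding one sentence stating that the NFLOG rule must be evaluated before the DROP rule and before any other rule that accepts or drops this traffic. "Usually used" is also vague: say what happens to the original packet if the DROP rule is omitted, so operators can decide whether they need it.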