diff options
| author | Reuben Dowle <reuben.dowle@4rf.com> | 2021-03-09 13:52:23 +1300 |
|---|---|---|
| committer | Reuben Dowle <reuben.dowle@4rf.com> | 2021-04-06 09:23:42 +1200 |
| commit | ab9ad933d087676b4fb78f558ffa4469e5df1b03 (patch) | |
| tree | e01e0d99ca5f77d53dd1ae05c575eccf5458e57a | |
| parent | ca317495b8aa18bfacf8b9ac83479cf14d8651db (diff) | |
nhrpd: Document how to block redirected multicast packets
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
| -rw-r--r-- | doc/user/nhrpd.rst | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/doc/user/nhrpd.rst b/doc/user/nhrpd.rst index c7c4975aee..cbbc2dc10a 100644 --- a/doc/user/nhrpd.rst +++ b/doc/user/nhrpd.rst @@ -189,11 +189,14 @@ nhrpd can be configured to forward multicast packets, allowing routing protocols that use multicast (such as OSPF) to be supported in the DMVPN network. -This support requires an NFLOG redirection rule to work: +This support requires an iptables NFLOG rule to allow nhrpd to intercept +multicast packets. A second iptables rule is also usually used to drop the +original multicast packet. .. code-block:: shell - iptables -I OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2 + iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j NFLOG --nflog-group 2 + iptables -A OUTPUT -d 224.0.0.0/24 -o gre1 -j DROP .. index:: nhrp multicast-nflog-group (1-65535) .. clicmd:: nhrp multicast-nflog-group (1-65535) |