Drop egress multicast on clat interface Multicast packets on the clat interface are not supported, so drop them in both clatd and its associated bpf offload. This is required because NsdManager will start sending mDNS packets on the clat interface as the check for IFF_POINTOPOINT was removed. Ingress multicast packets are already dropped elsewhere. Test: TH Change-Id: Icd22ca7f263ea5ff5244c17276ebb1002f72e842

commit: bb08d8083e7ccd9a71de6ca2592a4fb355e0c602 [log] [tgz]
author: Patrick Rohr <prohr@google.com> Thu Feb 27 12:45:26 2025 -0800
committer: Patrick Rohr <prohr@google.com> Thu Feb 27 12:45:26 2025 -0800
tree: b10efa10a49b680c7cea6441a328169ed3384d51
parent: cd99e8c839dae6986d96d949f0f7eabba4218ee9 [diff] [blame]
diff --git a/bpf/progs/clatd.c b/bpf/progs/clatd.c
index 2d4551e..2bb9d6f 100644
--- a/bpf/progs/clatd.c
+++ b/bpf/progs/clatd.c

@@ -288,6 +288,9 @@
     // We cannot handle IP options, just standard 20 byte == 5 dword minimal IPv4 header
     if (ip4->ihl != 5) return TC_ACT_PIPE;
 
+    // Packet must not be multicast
+    if ((ip4->daddr & 0xf0000000) == 0xe0000000) return TC_ACT_PIPE;
+
     // Calculate the IPv4 one's complement checksum of the IPv4 header.
     __wsum sum4 = 0;
     for (unsigned i = 0; i < sizeof(*ip4) / sizeof(__u16); ++i) {
commit	bb08d8083e7ccd9a71de6ca2592a4fb355e0c602	[log] [tgz]
author	Patrick Rohr <prohr@google.com>	Thu Feb 27 12:45:26 2025 -0800
committer	Patrick Rohr <prohr@google.com>	Thu Feb 27 12:45:26 2025 -0800
tree	b10efa10a49b680c7cea6441a328169ed3384d51
parent	cd99e8c839dae6986d96d949f0f7eabba4218ee9 [diff] [blame]