Hello, I'm trying to wrap my mind around how mDNS, multicast and netfilter work together. While I've been able to get mDNS (Avahi) working fine across the machines in my home lab, an aspect of firewalling through nftables isn't entirely clear to me.
To accept incoming mDNS requests onto individual machines I have a rule on the input hook chain of my fw config.
udp dport {5353} ip saddr {$lan} meta pkttype {multicast} accept;
Through this rule I'm only accepting udp 5353 traffic if it originates on my local network & if the meta packet type is multicast. If I swap out the packet type for "unicast" I lose mDNS functionality, which I consider expected behavior. The part I struggle to understand is how outbound traffic is handled in the case of mDNS and multicast.
If I were to on purpose attempt to drop outbound traffic with the following rule:
udp dport {5353} meta pkttype {multicast} drop;
mDNS would still function correctly, however swapping pkttype to "unicast" prevents mDNS from working. Is outbound traffic still considered as "unicast" at this stage?
Performing packet capture with tcpdump produces the following entry when I attempt to ping a .local address. Clearly the packet is directed at "224.0.0.251", is traffic directed at the range between 224.0.0.0 to 239.255.255.255 not automatically considered multicast or is traffic only considered "multicast" when you're on the receiving end of it?
192.168.8.33.5353 > 224.0.0.251.5353: [udp sum ok] 0 A (QM)? test.local.
I apologize if this post isn't r/networking material and thank you.
EDIT: I had also just attempted to place the outbound traffic rule into the "postrouting" hook chain to see if routing operations have to be performed on the packet. The result was the same as before with the "output" hook chain.
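The following nftables ruleset is an added example illustrating the behaviour described in the post above; it is not the poster's own configuration. It assumes a LAN prefix of 192.168.8.0/24 (taken from the tcpdump line) and a link-local IPv6 range for the IPv6 mDNS case; both are placeholders to adjust. The input rule keeps the `meta pkttype multicast` match, because the link-layer packet type is assigned when a frame is received and is derived from its destination MAC. On the output (and postrouting) hooks a locally generated packet has not been through that receive step and still carries the default host/unicast type, which is why `meta pkttype multicast` never fires there; the output chain therefore matches the mDNS destination group address instead.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original post).
# Assumed values: LAN prefix and the IPv6 link-local range; change as needed.

define lan = 192.168.8.0/24

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif lo accept

        # Inbound mDNS: the frame's destination MAC (01:00:5e:00:00:fb /
        # 33:33:00:00:00:fb) sets the link-layer packet type on receive,
        # so "meta pkttype multicast" matches here as expected.
        udp dport 5353 ip saddr $lan meta pkttype multicast accept
        udp dport 5353 ip6 saddr fe80::/10 meta pkttype multicast accept
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # Outbound mDNS: locally generated packets have not passed through
        # link-layer receive processing, so they still carry the default
        # host (aka "unicast") packet type in this hook. Match the mDNS
        # group address instead of "meta pkttype" when you need to see,
        # count or restrict them.
        udp dport 5353 ip daddr 224.0.0.251 counter accept
        udp dport 5353 ip6 daddr ff02::fb counter accept

        # For contrast, this is the rule from the post that does NOT match
        # outbound mDNS on a physical interface (left disabled):
        # udp dport 5353 meta pkttype multicast drop

        # A general form covering any IPv4 multicast group:
        # ip daddr 224.0.0.0/4 counter
    }
}
```

Loading this with `nft -f` and then resolving a `.local` name lets the `counter` expressions on the output rules confirm that the destination-address match is the one that sees the outbound queries; the `meta pkttype` variant, if re-enabled, would count nothing on a non-loopback interface.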