Hi,

My problem was this: Some guy installed some lame wifi bridges. They have a strange behavior of sending a burst of udp broadcasts every 10 seconds. The payload of the broadcasted UDP packets is always the same, source port is 1024, destination port is 5899, they send it to the broadcast address of their local subnet. With 4 of these devices in our network they can generate 95 packets per second in average. So i wanted to filter out this useless broadcast but wanted to keep other broadcast traffic like samba untouched. OpenWRT is ideal for a task like this.

Make note the device i was using was an Asus WL-500gP so there can be differences if you try this on other devices. I was using X-Wrt firmware whiterussian 0.9 milestone 3rc2 pptp-extra.

The first thing to do was to split the LAN switch ports and bridge them together with the linux bridge so i can use ebtables. I used the web interface for this:http://bud.hok.sk/openwrt-splitlan.png
The resulting nvram settings:

$ nvram show 2>- | grep 'vlan.[hp]' | sort
vlan0hwname=et0
vlan0ports=1 5*
vlan1hwname=et0
vlan1ports=0 5
vlan2hwname=et0
vlan2ports=2 5
vlan3hwname=et0
vlan3ports=3 5
vlan4hwname=et0
vlan4ports=4 5

Additionally i had to manually set lan_ifnames, this way the bridge is set up correctly after boot:

$ nvram set lan_ifnames="vlan0 eth2 vlan2 vlan3 vlan4"

So vlan0 is lan port 1, vlan2 is lan2, vlan3 is lan3 and vlan4 is lan4.
I have also disabled stp, because i did read it can cause strange things with ebtables and i didnt need it anyway:

$ nvram set lan_stp=0

We are halfway now.

Second thing was to install the ebtables package:

ipkg install ebtables

And finally to create an ebtables rule which matches the unwanted traffic, and put it somewhere so it gets executed at boot (i did put it into /etc/init.d/S95custom-user-startup):

insmod ebtables &&
  insmod ebtable_filter &&
  insmod ebt_ip &&
  ebtables --append FORWARD --proto IPv4 --dst Broadcast --ip-proto udp --ip-sport 1024 --ip-dport 5899 -j DROP

You can test it with hping for example:

hping2 --count 1 --udp --keep --baseport 1024 --destport 5899 --sign testing 192.168.4.255

And on the other side listen for it with netcat (be careful here, netcat displays only the first packet for reasons unknown to me, so restart netcat after every packet):

nc -l -p 5899 -u -b

Have a nice day, hope this helps somebody.

Peace, Bud

(Last edited by budee on 28 Sep 2007, 22:54)