From 12332fbd95be46e7d6ca5dc584ea8be270a01324 Mon Sep 17 00:00:00 2001
From: Aurelien Jarno
Date: Thu, 20 Apr 2017 17:59:53 +0200
Subject: [PATCH] Drop outgoing IPv4 multicast traffic at AQL

Some packages like gst-rtsp-server1.0 generate multicast traffic in their testsuite. This triggers protections at AQL. Avoid this by dropping all the outgoing IPv4 multicast traffic.

Signed-off-by: Aurelien Jarno
---
 modules/ferm/manifests/aql.pp | 10 ++++++++++
 modules/ferm/manifests/per_host.pp | 4 ++++
 2 files changed, 14 insertions(+)
 create mode 100644 modules/ferm/manifests/aql.pp

diff --git a/modules/ferm/manifests/aql.pp b/modules/ferm/manifests/aql.pp
new file mode 100644
index 000000000..b5578e2de
--- /dev/null
+++ b/modules/ferm/manifests/aql.pp
@@ -0,0 +1,10 @@
+class ferm::aql {
+ @ferm::rule { 'dsa-drop-multicast':
+ domain => 'ip',
+ description => 'drop multicast traffic to avoid triggering protection',
+ table => 'filter',
+ chain => 'OUTPUT',
+ rule => 'destination 224.0.0.0/24 jump log_or_drop'
+ }
+}
+
diff --git a/modules/ferm/manifests/per_host.pp b/modules/ferm/manifests/per_host.pp
index f7362135a..d6c4343f6 100644
--- a/modules/ferm/manifests/per_host.pp
+++ b/modules/ferm/manifests/per_host.pp
@@ -3,6 +3,10 @@ class ferm::per_host {
 include ferm::zivit
 }
 
+ if (scope.lookupvar('site::nodeinfo')['hoster']['name'] == "aql") {
+ include ferm::aq
+ }
+
 case $::hostname {
 czerny,clementi: {
 @ferm::rule { 'dsa-upsmon':
-- 
2.20.1
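Review bot: `destination 224.0.0.0/24` on the `rule =>` line matches only the link-local multicast block (224.0.0.0–224.0.0.255), not "all the outgoing IPv4 multicast traffic" the commit message promises; the whole IPv4 multicast range is 224.0.0.0/4, so a test suite sending to any other group would still leave the host and trip the hoster's protection. Change the line to `rule => 'destination 224.0.0.0/4 jump log_or_drop'` and add a comment above it such as `# 224.0.0.0/4 is the entire IPv4 multicast range`. Note the trade-off: 224.0.0.0/4 also covers link-local control groups (VRRP 224.0.0.18, OSPF 224.0.0.5, mDNS 224.0.0.251), so if any AQL host depends on one of those an exemption rule is needed — I can't tell from this hunk. The `log_or_drop` target presumably logs each matched packet; since a test suite can emit many, it is worth confirming that chain rate-limits its logging.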
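Review bot: `include ferm::aq` on the added include line refers to a class that does not exist — the class created in aql.pp is `ferm::aql` — so catalog compilation will fail on every host where the hoster condition is true, which is exactly the set of hosts this change is meant to protect; change it to `include ferm::aql`. The condition uses `scope.lookupvar('site::nodeinfo')`, which is the Ruby/template-side API rather than Puppet DSL; unless the surrounding manifest already resolves it that way, the DSL form is `if $site::nodeinfo['hoster']['name'] == 'aql' {` — confirm against how other hoster checks in this file are written. The enclosing class `ferm::per_host` begins before and ends after this hunk.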