Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)

Bonjour mmakassikis, merci pour votre réponse.

ce n'est pas lié au VPN

Pourriez-vous s'il vous plaît donner quelques éléments sur l'origine et la justification de ces requêtes ARP sur mon réseau ?

Tout d'abord merci d'avoir corrigé mon hypothèse d'un lien avec le serveur VPN, j'ai modifié mon titre initial en conséquence.

« il s'agit de tentatives de connexions de la box vers d'autres équipements free (player, backup 4g) »

OK, merci pour l'information. J'imagine qu'il serait vain d'espérer une modification du design.
En ce qui concerne le Player, j'ai en effet remarqué que les requêtes pour 192.168.27.1 cessent quand il est démarré.
Le "backup 4g" (probablement 192.168.27.98) pourrait cependant peut-être faire l'objet d'une option au choix de l'utilisateur.

La seule solution semble de passer en mode bridge, avec des conséquences qu'il me reste à examiner, et mettre en place une passerelle.

« le backup 4g est censé être plug-and-play pour l'abonné: la box passe automatiquement sur le backup si celui-ci est allumé et connecté au réseau local et le lien fibre/DSL est down. »

D'accord, je comprends. Mais puisque la fonctionnalité n'est utilisée que si la synchro est perdue, pourquoi ne pas lancer les requêtes uniquement dans ce cas ? Si c'est pour des raisons de diagnostic du boîtier backup, le technicien devrait pouvoir lancer les requêtes au besoin. Si c'est pour permettre à l'usager de tester la détection du boîtier, un élément de menu dans l'interface pourrait déclencher cette action. Pardonnez ma question, je suis bien sûr plus que loin d'avoir conscience de l'ensemble des impératifs.

« n'y a-t-il pas moyen de lui indiquer d'ignorer les requêtes ARP en question ? »

Oui,avec Wireshark c'est facile : clic droit sur la partie info du paquet (Who has 192…) → Appliquer comme un filtre → Non sélectionné. Le filtre automatiquement créé est
!(_ws.col.info == "Who has 192.168.27.98? Tell 192.168.27.99")
Mais en fait, j'ai surtout l'habitude de regarder ce qu'il se passe quand j'ai du trafic alors qu'il devrait être à zéro, et maintenant j'ai un trafic permanent. Je choisis les services et limite au strict nécessaire, ce qui me permettait de détecter une activité inhabituelle d'un coup d'œil ou de savoir si un programme communique. Bref, je viens de subir une petite disruption dans mes habitudes :) Vos explications ont cependant le mérite de rationaliser l'origine du problème et d'apporter des justifications recevables pour un service grand public destiné à des usages larges et variés.

Bonjour/Bonsoir mmakassikis. Je travaille sur une solution générale basée sur l'ID du VLAN suite à votre précieux indice. Je cherche à créer une règle nftables, mais ce n'est pas encore gagné :)
Je ferai, j'espère bientôt, une réponse complète à votre précédent message.

Échec :(

table arp filter {
   chain INPUT {
      type filter hook input priority 0; policy accept;
      meta protocol arp arp saddr ether $FbxServerMAC arp ptype vlan counter drop
      counter accept
   }
}

ne matche rien, le compteur drop reste à zéro, même si je supprime la condition saddr. Le compteur accept incrémente doucement (c'est à dire normalement).

table netdev filter {
        chain INGRESS {
                type filter hook ingress device enp3s0 priority 0; policy accept;
                vlan id { 100, 400 } vlan type arp counter drop
                counter accept
        }
}

matche très bien, le compteur drop incrémente au rythme des requêtes du vlan. Mais pour une raison qui me dépasse, les paquets ne sont pas réellement droppés, ils apparaissent toujours dans Wireshark ou tcpdump, et mon indicateur de charge réseau n'est toujours pas à zéro. C'est très mystérieux pour moi.

« le backup peut être connecté alors que le lien principal (fibre/dsl) est encore opérationel, auquel cas la box s'assure qu'il est en mode avion puisque non utilisé. Pour faire ceci, il faut bien s'y connecter. »
« un backup peut être envoyé suite à l'identification d'un problème sur la ligne d'un abonné, sans intervention de technicien. »

Je me doutais qu'il y avait de bonnes raisons. Merci pour les explications.

« dans wireshark, vous pouvez utiliser le filtre "not vlan 400" avant de lancer la capture. »

Votre indice m'a incité à chercher une solution nftables utilisant l'ID du VLAN. Même si j'ai échoué, c'est une recherche intéressante. Merci beaucoup.
Le filtre d'affichage de Wireshark qui fonctionne bien est

!(arp && vlan.id in {100,400})

Dommage que ça ne soit pas aussi simple avec nftables :)

C'est un plaisir et un privilège d'être guidé avec des informations de première main, un grand merci mmakassikis. Je ne manquerai pas de publier un message si je trouve une solution.

J'ai réfléchi (si, si). Pas de mystère. D'après nft(8) :

Table 3. Netdev address family hooks
[…]
ingress
All packets entering the system are processed by this hook. It is invoked after the network taps (ie. tcpdump), right after tc ingress and before layer 3 protocol handlers, it can be used for early filtering and policing.

C'est donc normal que, par exemple, tcpdump voie passer les paquets. Le trafic réel sur l'interface physique ne peut pas être ignoré.
La solution ne peut être qu'un switch manageable. Ou une passerelle intermédiaire (là la règle de drop serait efficiente pour le reste du réseau).

Bonjour

un peu violent mais:

sudo ethtool -K enp3s0 rxvlan off

et

table netdev filter {
    chain INGRESS {
        type filter hook ingress device enp3s0 priority 0; policy accept;
        vlan id { 100, 400 } arp counter drop
    }
}

Puis monitor si vous voyez toujours les vlan:

nft monitor trace
tcpdump -i enp3s0 -e vlan | grep 400

Cordialement
nbanba

Bonjour

Si vous ne voulez pas faire la solution violente proposée avec ethtool -K vous pouvez aussi faire des règles pour chaque vlan
quelque chose comme

Monter une interface vlan pour chaque vlan qui "atrape le trafic"

sudo ip link add link enp3s0 name enp3s0.100 type vlan id 100
sudo ip link set enp3s0.100 up
sudo ip link add link enp3s0 name enp3s0.400 type vlan id 100
sudo ip link set enp3s0.400 up

Puis créer un ingress hook sur chaque vlan interfaces:

table netdev filter {
    chain INGRESS_VLAN100 {
        type filter hook ingress device enp3s0.100 priority 0;
        counter drop
    }
    chain INGRESS_VLAN400 {
        type filter hook ingress device enp3s0.100 priority 0;
        counter drop
    }
}

et confirmer les drop avec

watch -n 0.5 'nft list ruleset | grep counter'

Dans l'idées ça peut marcher

Sinon autre idée, eh oui j'en ai plein (problème intéressant aux limite du L2 dans la stack net du kernel), traffic control:

tc qdisc add dev enp3s0 ingress
tc filter add dev enp3s0 ingress protocol 802.1Q flower vlan_id 100 action drop hw
tc filter add dev enp3s0 ingress protocol 802.1Q flower vlan_id 400 action drop hw

Ou violemment désactiver les vlan sur le hardware (très violent !):

# mellanox
mlxconfig -d <pci> set LINK_TYPE_P1=2
# intel E810 - incompatible sur X710 / XL710
devlink port function set pci/<addr>/1 trust off

Sinon on peut également travailler directement à la couche OSI-L2 (Ethernet) avec ethernet bridge:

ebtables -A INPUT -i enp3s0 -p arp --arp-op Request -vlan-id 100 -j DROP
ebtables -A INPUT -i enp3s0 -p arp --arp-op Request -vlan-id 400 -j DROP

Dites moi si une des solution fonctionne svp

Cordialement
nbanba

Bonjour nbanba, merci beaucoup pour vos propositions de tests. Dans l'ordre:

proposition 1

#> ethtool -K enp3s0 rxvlan off
#> ethtool --show-offload enp3s0 | grep "rx-\?vlan"
rx-vlan-offload: off
rx-vlan-filter: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]

table netdev filter {
   chain INGRESS {
      type filter hook ingress device enp3s0 priority 0; policy accept;
      meta nftrace set 1
      vlan id { 100, 400 } vlan type arp counter drop
      counter accept
   }
}

#> nft monitor trace
trace id 98d04b60 netdev filter INGRESS packet: iif "enp3s0" ether saddr 34:27:92:4f:36:d3 ether daddr ff:ff:ff:ff:ff:ff vlan pcp 0 vlan dei 0 vlan id 400 arp operation request
trace id 98d04b60 netdev filter INGRESS rule meta nftrace set 1 (verdict continue)
trace id 98d04b60 netdev filter INGRESS rule vlan id { 100, 400 } vlan type arp counter packets 2956 bytes 124152 drop (verdict drop)
trace id c97e425f netdev filter INGRESS packet: iif "enp3s0" ether saddr 34:27:92:4f:36:d3 ether daddr ff:ff:ff:ff:ff:ff vlan pcp 5 vlan dei 0 vlan id 100 arp operation request
trace id c97e425f netdev filter INGRESS rule meta nftrace set 1 (verdict continue)
trace id c97e425f netdev filter INGRESS rule vlan id { 100, 400 } vlan type arp counter packets 2956 bytes 124152 drop (verdict drop)
[...]
!>#> tcpdump -i enp3s0 -e vlan | grep 400
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
17:34:07.828698 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:08.839236 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:09.879216 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:12.828873 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:13.879128 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:14.919118 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:17.829050 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:18.839029 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:19.879034 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:22.829241 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:23.878977 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
17:34:24.918933 34:27:92:4f:36:d3 (oui Unknown) > Broadcast, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
^C21 packets captured
21 packets received by filter
0 packets dropped by kernel
#> tcpdump -nnei enp3s0 -vvt 'ether proto 0x8100 and ether[14:2] & 0xfff == 100 or ether proto 0x0800 or ether proto 0x0806'
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

proposition 2

#> ip link add link enp3s0 name enp3s0.100 type vlan id 100
#> ip link set enp3s0.100 up
#> ip link add link enp3s0 name enp3s0.400 type vlan id 400
#> ip link set enp3s0.400 up

table netdev filter {
    chain INGRESS_VLAN100 {
        type filter hook ingress device enp3s0.100 priority 0;
        meta nftrace set 1
        counter drop
    }
    chain INGRESS_VLAN400 {
        type filter hook ingress device enp3s0.400 priority 0;
        meta nftrace set 1
        counter drop
    }
}

#> nft monitor trace
trace id 1397141f netdev filter INGRESS_VLAN100 packet: iif "enp3s0.100" ether saddr 34:27:92:4f:36:d3 ether daddr ff:ff:ff:ff:ff:ff arp operation request
trace id 1397141f netdev filter INGRESS_VLAN100 rule meta nftrace set 1 (verdict continue)
trace id 1397141f netdev filter INGRESS_VLAN100 rule counter packets 26 bytes 1092 drop (verdict drop)
trace id 5389d103 netdev filter INGRESS_VLAN400 packet: iif "enp3s0.400" ether saddr 34:27:92:4f:36:d3 ether daddr ff:ff:ff:ff:ff:ff arp operation request
trace id 5389d103 netdev filter INGRESS_VLAN400 rule meta nftrace set 1 (verdict continue)
trace id 5389d103 netdev filter INGRESS_VLAN400 rule counter packets 24 bytes 1008 drop (verdict drop)
[...]
#> tcpdump -nnei enp3s0 -vvt 'ether proto 0x8100 and ether[14:2] & 0xfff == 100 or ether proto 0x0800 or ether proto 0x0806'
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

Je pense qu'on est peu ou prou dans le même cas que ce à quoi j'étais arrivé, c'est à dire que les paquets sont droppés trop tard.

proposition 3

#> tc qdisc add dev enp3s0 ingress
#> tc qdisc show 
qdisc noqueue 0: dev lo root refcnt 2
qdisc fq_codel 0: dev enp3s0 root refcnt 2 limit 10240p flows 1024 quantum 1514 target 5ms interval 100ms memory_limit 32Mb ecn drop_batch 64
qdisc ingress ffff: dev enp3s0 parent ffff:fff1 ----------------
#> tc filter add dev enp3s0 ingress protocol 802.1Q flower vlan_id 100 action drop hw
Command line is not complete. Try option "help"

J'ai tenté de compléter la ligne de commande après quelques recherches dans le manuel de tc et ses manuels affiliés.

#> tc filter add dev enp3s0 ingress protocol 802.1Q prio 1 flower vlan_id 100 flowid ffff:1 action drop hw
Command line is not complete. Try option "help"

Je me suis arrêté là car tc n'est pas une commande qu'on maîtrise en cinq minutes.
Une idée ?

proposition 4

« Ou violemment désactiver les vlan sur le hardware (très violent !): »

# mellanox
mlxconfig -d <pci> set LINK_TYPE_P1=2
# intel E810 - incompatible sur X710 / XL710
devlink port function set pci/<addr>/1 trust off

$> lspci | grep -i "eth"
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8211/8411 PCI Express Gigabit Ethernet Controller (rev 09)

proposition 5

#> ebtables -L
Bridge table: filter
 
Bridge chain: INPUT, entries: 0, policy: ACCEPT
 
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
 
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
#> ebtables -A INPUT -i enp3s0 -p arp --arp-op Request --vlan-id 100 -j DROP
ebtables v1.8.11 (nf_tables):  RULE_APPEND failed (Invalid argument): rule in chain INPUT
#> ### le protocole doit être spécifié comme 802_1Q pour pouvoir utiliser --vlan-id
#> ### --protocol ne peut pas être spécifié plusieurs fois
#> ebtables -A INPUT -i enp3s0 -p 802_1Q --vlan-id 400 -j DROP
#> tcpdump -nnei enp3s0 -vvt 'ether proto 0x8100 and ether[14:2] & 0xfff == 100 or ether proto 0x0800 or ether proto 0x0806'
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
#> ebtables --delete INPUT -p 802_1Q -i enp3s0 --vlan-id 400 -j DROP
#> ip link add link enp3s0 name enp3s0.4 type vlan id 400
#> ip link set enp3s0.4 up
#> ebtables -A INPUT -i enp3s0.4@enp3s0 -p 802_1Q --vlan-id 400 -j DROP
#> tcpdump -nnei enp3s0 -vvt 'ether proto 0x8100 and ether[14:2] & 0xfff == 100 or ether proto 0x0800 or ether proto 0x0806'
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 400, p 0, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.98 tell 192.168.27.99, length 42
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel

Peut-être tc s'il est possible de corriger la commande ?

Merci beaucoup nbanba.

note: si un admin en a la possibilité, serait-il possible de corriger mon subjonctif dans mon message précédent ? que […] tcpdump voit passer les paquets → que […] tcpdump voie passer les paquets.

Bonjour

J'ai joué les commandes tc sur une VM avec une NIC VirtIO ⇒ no hardware offload.
Donc dans mes tests, seul les options "softwares" fonctionnent et l'interface est enp0s5 (à modifier par enp3s0):

$ sudo tc filter add dev enp0s5 ingress protocol 802.1Q flower vlan_id 100 skip_hw action drop
$ sudo tc -s filter show dev enp0s5 ingress
filter protocol 802.1Q pref 49152 flower chain 0 
filter protocol 802.1Q pref 49152 flower chain 0 handle 0x1 
  vlan_id 100
  skip_hw
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 1 ref 1 bind 1 installed 305 sec used 305 sec
	Action statistics:
	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
	backlog 0b 0p requeues 0

On voit clairement le "skip hardware offload" (skip_hw) du à la typologie de NIC que j'utilise pour ce test (redhat virtIO virtual nic)

Chez moi les options sont limités

Mais chez vous sur votre NIC physique 'hw' devrait fonctionner

Vous pouvez également essayer de bloquer l'ARP

sudo tc filter add dev enp0s5 ingress protocol 802.1Q flower vlan_id 100 vlan_ethtype arp action drop skip_hw
sudo tc -s filter show dev enp0s5 ingress
filter protocol 802.1Q pref 49150 flower chain 0 
filter protocol 802.1Q pref 49150 flower chain 0 handle 0x1 
  vlan_id 100
  vlan_ethtype arp
  eth_type arp
  not_in_hw
	action order 1: gact action drop
	 random type none pass val 0
	 index 3 ref 1 bind 1 installed 5 sec used 5 sec
	Action statistics:
	Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) 
	backlog 0b 0p requeues 0

Toujours en essayant les options du tableau ci dessus.

PS: sinon je vois que vous maniez plutôt bien bash donc j'en profite pour faire un peu de pub: Je maintien une library BASH pour gérer les freebox depuis l'API FreeboxOS permettant d'utiliser les fonctionnalités de l'API comme de simples commandes shell dans votre terminal, exemple pour lister les fichiers sur le disque de la freebox (chez moi /FBX24T mais souvent /disque\040dur avec le nopm par défaut) :

$ . loginfbx
$ ls_fs /FBX24T/box-vm-bck/
idx: 0    hidden  dir	20251123-21:17:54	size: 4 KB	name: .
idx: 1    hidden  dir	20251123-17:47:34	size: 4 KB	name: ..
idx: 2  	  dir	20241123-17:29:25	size: 4 KB	name: 20241222_vm
idx: 3  	  dir	20250202-18:50:44	size: 4 KB	name: 20250202_vm
idx: 4  	  dir	20250208-11:59:05	size: 4 KB	name: 20250208_vm
idx: 5  	  dir	20250225-08:28:53	size: 4 KB	name: 20250225_vm
idx: 6  	  dir	20250319-08:36:25	size: 4 KB	name: 20250319_vm
idx: 7  	  dir	20250410-16:28:07	size: 4 KB	name: 20250410_vm
idx: 8  	  dir	20250731-09:55:10	size: 4 KB	name: 20250731_vm
idx: 9  	  dir	20251116-20:04:02	size: 4 KB	name: 20251116_vm
idx: 10  	  dir	20251123-21:17:00	size: 4 KB	name: 20251123_vm
idx: 11  	  dir	20251123-17:58:46	size: 4 KB	name: _bad_20251123_vm
idx: 12  	  file	20250728-09:13:20	size: 10 GB	name: vm-franck-00.qcow2
idx: 13  	  file	20250728-09:13:20	size: 1 MB	name: vm-franck-00.qcow2.efivars
$
$ list_wifi-ap 
---------------------------------------------------------------------------------------------------------
						WIFI GLOBAL STATE
---------------------------------------------------------------------------------------------------------
WIFI STATUS: enabled
POWER SAVE:  supported
RADIO COUNT: 3
---------------------------------------------------------------------------------------------------------
			AP ID, NAME, BAND, STATE, WIDTH, PRIMARY CHANNEL, SECONDARY CHANNEL
---------------------------------------------------------------------------------------------------------
AP-0 id: 0  name: 2.4G 	 band: 2d4g 	width: 20  	chan: 9,0 	state: active
AP-10 id: 10  name: 5G 	 band: 5g 	width: 80  	chan: 36,40 	state: active
AP-30 id: 30  name: 5G1 	 band: 5g 	width: null  	chan: null 	state: disabled_power_saving
$...

Le projet est ici:
https://github.com/nbanb/fbx-delta-nba_bash_api.sh
Il y a la doc en ligne sur la page du projet github et aussi un wiki résumant les actions / configurations :
https://github.com/nbanb/fbx-delta-nba_bash_api.sh/wiki

Et ce wiki contient également 1 page 'quick start' en français ici:
https://github.com/nbanb/fbx-delta-nba_bash_api.sh/wiki#access-quick-start-documentation-in-french
(désolé des users peu à l'aise avec l'anglais me l'ont demandé)

Ça peut vous intéresser !

Cordialement
nbanba

Bonjour

Désolé pour ce second post mais à la relecture de votre réponse, je pensais à:

sudo bash -c 'echo "options r8169 rx_vlan=0 tx_vlan=0" >>/etc/modprobe.d/r8169.conf'
sudo modprobe -r r8169
sudo modprobe r8169

ethtool -k ne devrait pas pouvoir réactiver le support de vlan en faisant ça

ethtool --show-offload enp3s0 | grep "rx-\?vlan"

Vous devriez voir toutes les options flag avec

[fixed]

Cordialement
nbanba

Bonjour nbanba, merci d'avoir creusé le sujet. Pas d'action sur le problème, ça ne semble pas possible, en tout cas avec mon interface Realtek.

#> tc -s filter show dev enp3s0 ingress
#> tc filter add dev enp3s0 ingress protocol 802.1Q flower vlan_id 100 action drop
#> tc -s filter show dev enp3s0 ingress
filter protocol 802.1Q pref 49152 flower chain 0
filter protocol 802.1Q pref 49152 flower chain 0 handle 0x1
  vlan_id 100
  not_in_hw
   action order 1: gact action drop
    random type none pass val 0
    index 1 ref 1 bind 1 installed 11 sec used 0 sec firstused 10 sec
   Action statistics:
   Sent 252 bytes 6 pkt (dropped 6, overlimits 0 requeues 0)
   backlog 0b 0p requeues 0
#> tcpdump -nnei enp3s0 -vvt 'ether proto 0x8100 and ether[14:2] & 0xfff == 100 or ether proto 0x0806' | grep "vlan 100"
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
^C22 packets captured
23 packets received by filter
0 packets dropped by kernel
#> tc filter delete dev enp3s0 ingress prio 49152
#> tc -s filter show dev enp3s0 ingress
#> tc filter add dev enp3s0 ingress protocol 802.1Q flower vlan_id 100 skip_sw action drop
RTNETLINK answers: Operation not supported
We have an error talking to the kernel
#> tc filter add dev enp3s0 ingress protocol 802.1Q flower vlan_id 100 skip_hw action drop
#> tc -s filter show dev enp3s0 ingress
filter protocol 802.1Q pref 49152 flower chain 0
filter protocol 802.1Q pref 49152 flower chain 0 handle 0x1
  vlan_id 100
  skip_hw
  not_in_hw
   action order 1: gact action drop
    random type none pass val 0
    index 1 ref 1 bind 1 installed 2 sec used 0 sec firstused 1 sec
   Action statistics:
   Sent 84 bytes 2 pkt (dropped 2, overlimits 0 requeues 0)
   backlog 0b 0p requeues 0
#> tcpdump -nnei enp3s0 -vvt 'ether proto 0x8100 and ether[14:2] & 0xfff == 100 or ether proto 0x0806' | grep "vlan 100"
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
^C22 packets captured
23 packets received by filter
0 packets dropped by kernel

#> tc -s filter show dev enp3s0 ingress
#> tc filter add dev enp3s0 ingress protocol 802.1Q flower vlan_id 100 vlan_ethtype arp action drop
#> tc -s filter show dev enp3s0 ingress
filter protocol 802.1Q pref 49152 flower chain 0
filter protocol 802.1Q pref 49152 flower chain 0 handle 0x1
  vlan_id 100
  vlan_ethtype arp
  eth_type arp
  not_in_hw
   action order 1: gact action drop
    random type none pass val 0
    index 1 ref 1 bind 1 installed 2 sec used 0 sec firstused 0 sec
   Action statistics:
   Sent 42 bytes 1 pkt (dropped 1, overlimits 0 requeues 0)
   backlog 0b 0p requeues 0
#> tcpdump -nnei enp3s0 -vvt 'ether proto 0x8100 and ether[14:2] & 0xfff == 100 or ether proto 0x0806' | grep "vlan 100"
 
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
^C24 packets captured
24 packets received by filter
0 packets dropped by kernel
#> tc filter delete dev enp3s0 ingress prio 49152
#> tc -s filter show dev enp3s0 ingress
#> tc filter add dev enp3s0 ingress protocol 802.1Q flower vlan_id 100 vlan_ethtype arp action drop skip_sw
Error: Mismatch between action and filter offload flags.
We have an error talking to the kernel
#> tc filter add dev enp3s0 ingress protocol 802.1Q flower vlan_id 100 vlan_ethtype arp skip_sw action drop
RTNETLINK answers: Operation not supported
We have an error talking to the kernel
#> tc filter add dev enp3s0 ingress protocol 802.1Q flower vlan_id 100 vlan_ethtype arp skip_hw action drop
#> tc -s filter show dev enp3s0 ingress
filter protocol 802.1Q pref 49152 flower chain 0
filter protocol 802.1Q pref 49152 flower chain 0 handle 0x1
  vlan_id 100
  vlan_ethtype arp
  eth_type arp
  skip_hw
  not_in_hw
   action order 1: gact action drop
    random type none pass val 0
    index 1 ref 1 bind 1 installed 8 sec used 0 sec firstused 2 sec
   Action statistics:
   Sent 126 bytes 3 pkt (dropped 3, overlimits 0 requeues 0)
   backlog 0b 0p requeues 0
#> tcpdump -nnei enp3s0 -vvt 'ether proto 0x8100 and ether[14:2] & 0xfff == 100 or ether proto 0x0806' | grep "vlan 100"
tcpdump: listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
34:27:92:4f:36:d3 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 60: vlan 100, p 5, ethertype ARP (0x0806), Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.27.1 tell 192.168.27.14, length 42
^C22 packets captured
22 packets received by filter
0 packets dropped by kernel

#> cat /etc/modprobe.d/r8169.conf
options r8169 rx_vlan=0 tx_vlan=0
#> modprobe -r r8169
#> modprobe r8169

#> tail -f /var/log/syslog
[...]
[...] kernel: r8169: unknown parameter 'rx_vlan' ignored
[...] kernel: r8169: unknown parameter 'tx_vlan' ignored

« j'en profite pour faire un peu de pub: Je maintien une library BASH pour gérer les freebox depuis l'API FreeboxOS »

Vous faites bien de faire un peu de pub, on ne travaille pas pour rien :) Merci pour le lien. Vous trouverez certains de mes scripts ici https://forums.debian.net/viewtopic.php?t=151887 (apt-fly, schow-pkg, why-pkg). Actuellement il faut créer un compte pour y accéder en raison du comportement déraisonnable des bots AI qui saturent le site. Si vous n'utilisez pas Debian vous pourriez néanmoins trouver des choses qui pourraient vous intéresser dans les scripts. Si vous avez des questions ou des remarques, il y a un e-mail de contact en début des scripts.

Encore merci et bonne journée nbanba !

Bonjour

Merci pour votre retour !
La difficultée est d'attraper les trames arp en tout premier.
Si traffic control "queuing disciplines" n'y arrive pas malgré sa place d'action dans la stack netfilter:
https://fr.wikipedia.org/wiki/Netfilter#/media/Fichier%3ANetfilter-packet-flow.svg

Il ne reste plus qu'à écrire un petit hoock en C pour eBPF, et tester !

Sinon merci pour les scripts, en fait Debian et moi c'est une longue histoire, j'utilise Debian à titre personnel depuis potaeto et j'ai mon ordi pro sous Debian depuis2que je travaille…
Merci encore

PS: la lib bash contient plus de 115 fonctions dont plusieurs dizaines dites "frontend" utilisables comme de simples commandes dans un terminal. Dans certains cas comme l'upload de fichiers par websocket API (utilisant des pipes bidirectionnels), on arrive aux limites de bash. J'assure le support, n'hésitez pas à me solliciter si besoin.

Cordialement
nbanba

Bonjour

Alors désolé je n'ai que mon téléphone donc je n'ai pas pu build ni tester mais dans l'esprit pour drop l'ARP avant la queuing disciplines dans netfilter, j'essayerai un truc comme ça :

// file: drop_arp_vlan.c
#include <linux/bpf.h>
#include <linux/pkt_cls.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
#include "bpf_helpers.h"
 
SEC("tc")
int drop_arp_vlan(struct __sk_buff *skb)
{
    void *data = (void *)(long)skb->data;
    void *data_end = (void *)(long)skb->data_end;
 
    struct ethhdr *eth = data;
    if ((void*)(eth + 1) > data_end)
        return TC_ACT_OK;
 
    __u16 h_proto = bpf_ntohs(eth->h_proto);
 
    /* Single VLAN tag? */
    if (h_proto == ETH_P_8021Q || h_proto == ETH_P_8021AD) {
        struct vlan_hdr *vh = (void *)(eth + 1);
        if ((void*)(vh + 1) > data_end)
            return TC_ACT_OK;
 
        __u16 vlan_tci = bpf_ntohs(vh->h_vlan_TCI);
        __u16 vlan_id = vlan_tci & 0x0fff;
        __u16 inner_proto = bpf_ntohs(vh->h_vlan_encapsulated_proto);
 
        /* Drop ARP on VLAN 100 or 400 */
        if ((vlan_id == 100 || vlan_id == 400) && inner_proto == ETH_P_ARP)
            return TC_ACT_SHOT;
    }
 
    return TC_ACT_OK;
}
 
char _license[] SEC("license") = "GPL";

Puis pour build :

clang -O2 -target bpf -c drop_arp_vlan.c -o drop_arp_vlan.o

Puis attacher le filtre a l'interface avec traffic control

# Create clsact qdisc
tc qdisc add dev enp3s0 clsact
 
# Attach program
tc filter add dev enp3s0 ingress bpf obj drop_arp_vlan.o sec tc

Vérification

tc filter show dev enp3s0 ingress

Voilà dans l'esprit ce que j'essayerai de faire.
Je tenterai de build + run quand j'aurais un pc sous la main.

Cordialement
nbanba

Bonjour nbanba, pardonnez mon retard, je suis désolé de ne pas avoir pu vous apporter une réponse plus tôt.
Je vois que vous ne lâchez rien :)

Dans une VM, j'ai installé clang. Comme je rencontrais des erreurs, j'ai également successivement installé libbpf-dev et gcc-multilib ; ce qui en bref donne (j'épargne la liste des dépendances) :

#> apt install clang libbpf-dev gcc-multilib

J'ai modifié les includes, ce qui pour l'instant donne :

#include <stdio.h>
#include "/usr/include/bpf/bpf_helpers.h"
 
SEC("tc")
int drop_arp_vlan(struct __sk_buff *skb)
{
void *data = (void *)(long)skb->data;
void *data_end = (void *)(long)skb->data_end;
 
struct ethhdr *eth = data;
if ((void*)(eth + 1) > data_end)
return TC_ACT_OK;
 
__u16 h_proto = bpf_ntohs(eth->h_proto);
 
/* Single VLAN tag? */
if (h_proto == ETH_P_8021Q || h_proto == ETH_P_8021AD) {
struct vlan_hdr *vh = (void *)(eth + 1);
if ((void*)(vh + 1) > data_end)
return TC_ACT_OK;
 
__u16 vlan_tci = bpf_ntohs(vh->h_vlan_TCI);
__u16 vlan_id = vlan_tci & 0x0fff;
__u16 inner_proto = bpf_ntohs(vh->h_vlan_encapsulated_proto);
 
/* Drop ARP on VLAN 100 or 400 */
if ((vlan_id == 100 || vlan_id == 400) && inner_proto == ETH_P_ARP)
return TC_ACT_SHOT;
}
 
return TC_ACT_OK;
}
 
char _license[] SEC("license") = "GPL";

Ça ne compile toujours pas :

$> clang -O2 -target bpf -c drop_arp_vlan.c -o drop_arp_vlan.o
In file included from drop_arp_vlan.c:1:
In file included from /usr/include/stdio.h:437:
/usr/include/bits/floatn.h:83:52: error: unsupported machine mode '__TC__'
   83 | typedef _Complex float __cfloat128 __attribute__ ((__mode__ (__TC__)));
      |                                                    ^
/usr/include/bits/floatn.h:97:9: error: __float128 is not supported on this target
   97 | typedef __float128 _Float128;
      |         ^
In file included from drop_arp_vlan.c:2:
In file included from /usr/include/bpf/bpf_helpers.h:11:
/usr/include/bpf/bpf_helper_defs.h:86:90: error: unknown type name '__u64'
   86 | static long (* const bpf_map_update_elem)(void *map, const void *key, const void *value, __u64 flags) = (void *) 2;
      |                                                                                          ^
/usr/include/bpf/bpf_helper_defs.h:110:49: error: unknown type name '__u32'
  110 | static long (* const bpf_probe_read)(void *dst, __u32 size, const void *unsafe_ptr) = (void *) 4;
      |                                                 ^
/usr/include/bpf/bpf_helper_defs.h:122:23: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
  122 | static __u64 (* const bpf_ktime_get_ns)(void) = (void *) 5;
      |                       ^
      |               int
/usr/include/bpf/bpf_helper_defs.h:122:8: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
  122 | static __u64 (* const bpf_ktime_get_ns)(void) = (void *) 5;
      | ~~~~~~ ^
      | int
/usr/include/bpf/bpf_helper_defs.h:122:14: error: function cannot return function type 'int (void)'
  122 | static __u64 (* const bpf_ktime_get_ns)(void) = (void *) 5;
      |              ^
/usr/include/bpf/bpf_helper_defs.h:122:8: error: illegal initializer (only variables can be initialized)
  122 | static __u64 (* const bpf_ktime_get_ns)(void) = (void *) 5;
      |        ^
/usr/include/bpf/bpf_helper_defs.h:185:57: error: unknown type name '__u32'
  185 | static long (* const bpf_trace_printk)(const char *fmt, __u32 fmt_size, ...) = (void *) 6;
      |                                                         ^
/usr/include/bpf/bpf_helper_defs.h:201:23: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
  201 | static __u32 (* const bpf_get_prandom_u32)(void) = (void *) 7;
      |                       ^
      |               int
/usr/include/bpf/bpf_helper_defs.h:201:8: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
  201 | static __u32 (* const bpf_get_prandom_u32)(void) = (void *) 7;
      | ~~~~~~ ^
      | int
/usr/include/bpf/bpf_helper_defs.h:201:14: error: function cannot return function type 'int (void)'
  201 | static __u32 (* const bpf_get_prandom_u32)(void) = (void *) 7;
      |              ^
/usr/include/bpf/bpf_helper_defs.h:201:8: error: illegal initializer (only variables can be initialized)
  201 | static __u32 (* const bpf_get_prandom_u32)(void) = (void *) 7;
      |        ^
/usr/include/bpf/bpf_helper_defs.h:214:38: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
  214 | static __bpf_fastcall __u32 (* const bpf_get_smp_processor_id)(void) = (void *) 8;
      |                                      ^
      |                              int
/usr/include/bpf/bpf_helper_defs.h:214:23: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
  214 | static __bpf_fastcall __u32 (* const bpf_get_smp_processor_id)(void) = (void *) 8;
      | ~~~~~~                ^
      | int
/usr/include/bpf/bpf_helper_defs.h:214:29: error: function cannot return function type 'int (void)'
  214 | static __bpf_fastcall __u32 (* const bpf_get_smp_processor_id)(void) = (void *) 8;
      |                             ^
/usr/include/bpf/bpf_helper_defs.h:214:23: error: illegal initializer (only variables can be initialized)
  214 | static __bpf_fastcall __u32 (* const bpf_get_smp_processor_id)(void) = (void *) 8;
      |                       ^
/usr/include/bpf/bpf_helper_defs.h:235:66: error: unknown type name '__u32'
  235 | static long (* const bpf_skb_store_bytes)(struct __sk_buff *skb, __u32 offset, const void *from, __u32 len, __u64 flags) = (void *) 9;
      |                                                                  ^
/usr/include/bpf/bpf_helper_defs.h:235:98: error: unknown type name '__u32'
  235 | static long (* const bpf_skb_store_bytes)(struct __sk_buff *skb, __u32 offset, const void *from, __u32 len, __u64 flags) = (void *) 9;
      |                                                                                                  ^
fatal error: too many errors emitted, stopping now [-ferror-limit=]
20 errors generated.

Il y a bien longtemps (bien bien longtemps) que je n'ai pas eu l'occasion de compiler quoi que ce soit et il ne reste plus que de la rouille de mes capacités en la matière, je me suis donc arrêté là. Une idée ? (mais n'en faites pas une priorité.)

Note : merci beaucoup à l'admin qui a corrigé ma faute de conjugaison dans l'un de mes messages précédents.

Bonjour

Désolé moi-même n'ai pas build depuis mon derniers message, pourtant je build tous les jours (pour ajout de features à openssh + wireshark 4.5) …

Je termine juste le boulot et c'est le week-end ⇒ je prendrai le temps de build dans 1 vm vierge ce week-end.

Si erreur dans mon code je corrigerai et vous transmettrai ce que j'ai fait pour build (patch, install des libs, debug, etc…)

Encore désolé

Cordialement
nbanba

Bonjour

Désolé j'avais oublié 1 header et de déclarer la structure 'vlan_hdr'
Pour build, vous avez installé ce qu'il faut, mais vérifiez que vous avez le paquet 'linux-libc-dev'
Je recommande également (pas indispensable mais peut servir) d'installer linux-headers-$(uname -r)

$ sudo apt install linux-libc-dev linux-headers-$(uname -r) clang libbpf1 libbpf-dev

Puis (mon user courrant est 'nba'):

$ echo $USER
nba
$ sudo adduser nba src
$ sudo mkdir /usr/src/eBPF/
$ sudo chown -R nba: /usr/src/eBPF/
$ mv drop_arp_vlan.c /usr/src/eBPF/
$ cd /usr/src/eBPF/

Donc le code donne
(tous les #include sont important ! et pas besoin de STDIO (stdio.h) )

// file: drop_arp_vlan.c
#include <linux/bpf.h>
#include <linux/pkt_cls.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
 
struct vlan_hdr {
    __be16 h_vlan_TCI;
    __be16 h_vlan_encapsulated_proto;
};
 
 
SEC("tc")
int drop_arp_vlan(struct __sk_buff *skb)
{
    void *data = (void *)(long)skb->data;
    void *data_end = (void *)(long)skb->data_end;
 
    struct ethhdr *eth = data;
    if ((void*)(eth + 1) > data_end)
        return TC_ACT_OK;
 
    __u16 h_proto = bpf_ntohs(eth->h_proto);
 
    /* Single VLAN tag? */
    if (h_proto == ETH_P_8021Q || h_proto == ETH_P_8021AD) {
        struct vlan_hdr *vh = (void *)(eth + 1);
        if ((void*)(vh + 1) > data_end)
            return TC_ACT_OK;
 
        __u16 vlan_tci = bpf_ntohs(vh->h_vlan_TCI);
        __u16 vlan_id = vlan_tci & 0x0fff;
        __u16 inner_proto = bpf_ntohs(vh->h_vlan_encapsulated_proto);
 
        /* Drop ARP on VLAN 100 or 400 */
        if ((vlan_id == 100 || vlan_id == 400) && inner_proto == ETH_P_ARP)
            return TC_ACT_SHOT;
    }
 
    return TC_ACT_OK;
}
 
char _license[] SEC("license") = "GPL";

Pour build:
/!\ attention je suis sur ARM64 ⇒ pour x86_64 : -I/usr/include/x86_64-linux-gnu

$ clang -O2 -g -target bpf -I/usr/include/aarch64-linux-gnu -c drop_arp_vlan.c -o drop_arp_vlan.o

ou plutôt chez vous:

$ clang -O2 -g -target bpf -I/usr/include/x86_64-linux-gnu -c drop_arp_vlan.c -o drop_arp_vlan.o

Chez moi 0 (zéro) erreurs, donc j'attache avec tc (chez vous changez enp0s5 par enp3s0):

$ tc qdisc add dev enp0s5 clsact
$ tc filter add dev enp0s5 ingress bpf obj /usr/src/eBPF/drop_arp_vlan.o sec tc
# vérification
$ tc filter show dev enp0s5 ingress
filter protocol all pref 49152 bpf chain 0 
filter protocol all pref 49152 bpf chain 0 handle 0x1 drop_arp_vlan.o:[tc] not_in_hw id 73 name drop_arp tag 991544dbfd60aaf2 jited

NB: pour remove le filter:

# query 'prio' (= pref)
$ tc filter show dev enp0s5 ingress
filter protocol all pref 49152 bpf chain 0 
filter protocol all pref 49152 bpf chain 0 handle 0x1 drop_arp_vlan.o:[tc] not_in_hw id 73 name drop_arp tag 991544dbfd60aaf2 jited  
# remove 'prio'
$ tc filter del dev enp0s5 ingress prio 49152
$ tc filter show dev enp0s5 ingress

END OF PART 1

Bon alors on pourrait s'arrêter là mais comme vous n'avez pas compilé depuis longtemps, je suppose que vous n'avez pas non plus développé en C depuis longtemps.

J'ai donc fait une version plus avancée du filtre que j'ai intégralement commentée et qui :
- drop ARP vlan100
- drop ARP vlan400
- drop ARP from GATEWAY (ici 192.168.100.254) on vlan100 + vlan400
- drop ARP from GATEWAY (ici 192.168.100.254) on untagged frames

la voici:
désolé pour les commentaires en anglais, je ne code qu'en anglais

// file: drop_arp_vlan_from_gw.c
/* --------------------------- Core eBPF headers --------------------------- */
#include <linux/bpf.h>           // Core eBPF types, structs, and helper macros
#include <linux/if_ether.h>      // Ethernet header (struct ethhdr, ETH_P_*)
#include <linux/pkt_cls.h>       // TC action codes (TC_ACT_OK, TC_ACT_SHOT)
#include <linux/if_arp.h>        // ARP header (struct arphdr, ARPHRD_*)
#include <bpf/bpf_helpers.h>     // libbpf helpers (SEC(), maps, etc.)
#include <bpf/bpf_endian.h>      // Endianness helpers (bpf_ntohs(), bpf_htonl(), etc.)
 
/* --------------------------- VLAN header --------------------------- */
/* Minimal VLAN header structure for eBPF parsing.
 * Avoids kernel header issues and incomplete types.
 */
struct vlan_hdr {
    __be16 h_vlan_TCI;                 // VLAN Tag Control Information: PCP + DEI + VLAN ID
    __be16 h_vlan_encapsulated_proto;  // Inner encapsulated protocol (e.g., ETH_P_ARP)
};
 
/* --------------------------- TC ingress hook --------------------------- */
/* This function is executed for every packet arriving on the interface
 * when attached to clsact ingress.
 */
SEC("tc")
int drop_arp(struct __sk_buff *skb)
{
    /* --------------------------- Packet pointers --------------------------- */
    /* skb->data     : pointer to the start of the packet
     * skb->data_end : pointer to the end of the packet
     *
     * The eBPF verifier requires bounds checks before any memory access.
     */
    void *data     = (void *)(long)skb->data;
    void *data_end = (void *)(long)skb->data_end;
 
    /* --------------------------- Ethernet header --------------------------- */
    struct ethhdr *eth = data;
 
    /* Verify Ethernet header is fully inside the packet */
    if ((void *)(eth + 1) > data_end)
        return TC_ACT_OK;
 
    /* Ethernet type field in host byte order */
    __u16 h_proto = bpf_ntohs(eth->h_proto);
 
    /* --------------------------- Case 1: Plain ARP (no VLAN) --------------------------- */
    if (h_proto == ETH_P_ARP) {
        struct arphdr *arp = (void *)(eth + 1);
 
        /* Bounds check for ARP header */
        if ((void *)(arp + 1) > data_end)
            return TC_ACT_OK;
 
        /* Only handle Ethernet + IPv4 ARP packets.
         * This ensures predictable payload layout.
         */
        if (arp->ar_hrd != bpf_htons(ARPHRD_ETHER) ||
            arp->ar_pro != bpf_htons(ETH_P_IP)   ||
            arp->ar_hln != ETH_ALEN               ||
            arp->ar_pln != 4)
            return TC_ACT_OK;
 
        /* Sender IP address is located after struct arphdr + sender MAC (6 bytes) */
            /*
             * ARP payload layout (after struct arphdr):
             *
             *   sender MAC  (6 bytes)
             *   sender IP   (4 bytes)  <-- we want this
             *   target MAC  (6 bytes)
             *   target IP   (4 bytes)
             */
 
        __u8 *sender_ip = (void *)(arp + 1) + ETH_ALEN;
 
        /* Bounds check for sender IP */
        if (sender_ip + 4 > (unsigned char *)data_end)
            return TC_ACT_OK;
 
        /* Read sender IPv4 address safely */
        __be32 spa;
        __builtin_memcpy(&spa, sender_ip, sizeof(spa));
 
        /* Drop ARP if sender IP is 192.168.100.254 */
        if (spa == bpf_htonl(0xC0A8645F))
            return TC_ACT_SHOT;
    }
 
    /* --------------------------- Case 2: Single VLAN tag --------------------------- */
    if (h_proto == ETH_P_8021Q || h_proto == ETH_P_8021AD) {
        struct vlan_hdr *vh = (void *)(eth + 1);
 
        /* Bounds check for VLAN header */
        if ((void *)(vh + 1) > data_end)
            return TC_ACT_OK;
 
        /* Extract VLAN ID (lowest 12 bits of TCI) */
        __u16 vlan_id    = bpf_ntohs(vh->h_vlan_TCI) & 0x0fff;
 
        /* Inner protocol after VLAN tag */
        __u16 inner_proto = bpf_ntohs(vh->h_vlan_encapsulated_proto);
 
        /* --------------------------- ARP inside VLAN --------------------------- */
        if (inner_proto == ETH_P_ARP) {
            struct arphdr *arp = (void *)(vh + 1);
 
            /* Bounds check for ARP header */
            if ((void *)(arp + 1) > data_end)
                return TC_ACT_OK;
 
            /* Only handle Ethernet + IPv4 ARP */
            if (arp->ar_hrd != bpf_htons(ARPHRD_ETHER) ||
                arp->ar_pro != bpf_htons(ETH_P_IP)   ||
                arp->ar_hln != ETH_ALEN               ||
                arp->ar_pln != 4)
                return TC_ACT_OK;
 
            /* Sender IP address is after struct arphdr + sender MAC (6 bytes) */
            /*
             * ARP payload layout (after struct arphdr):
             *
             *   sender MAC  (6 bytes)
             *   sender IP   (4 bytes)  <-- we want this
             *   target MAC  (6 bytes)
             *   target IP   (4 bytes)
             */
 
            __u8 *sender_ip = (void *)(arp + 1) + ETH_ALEN;
 
            /* Bounds check for sender IP */
            if (sender_ip + 4 > (unsigned char *)data_end)
                return TC_ACT_OK;
 
            /* Read sender IPv4 address */
            __be32 spa;
            __builtin_memcpy(&spa, sender_ip, sizeof(spa));
 
            /* --------------------------- Drop conditions --------------------------- */
            /* Drop if VLAN is 100 or 400 */
            if (vlan_id == 100 || vlan_id == 400)
                return TC_ACT_SHOT;
 
            /* Drop if sender IP is 192.168.100.254 */
            if (spa == bpf_htonl(0xC0A864FE))
                return TC_ACT_SHOT;
        }
    }
 
    /* --------------------------- Allow all other packets --------------------------- */
    return TC_ACT_OK;
}
 
/* --------------------------- eBPF license --------------------------- */
/* GPL is required for TC eBPF programs to use most helper functions */
char _license[] SEC("license") = "GPL";

Pour build and attach, toujours pareil chez vous ça donnerait:

$ clang -O2 -g -target bpf -I/usr/include/x86_64-linux-gnu -c drop_arp_vlan_from_gw.c -o drop_arp_vlan_from_gw.o

$ tc qdisc add dev enp3s0 clsact
$ tc filter add dev enp3s0 ingress bpf obj /usr/src/eBPF/drop_arp_vlan_from_gw.o sec tc
# vérification
$ tc filter show dev enp3s0 ingress    
filter protocol all pref 49152 bpf chain 0 
filter protocol all pref 49152 bpf chain 0 handle 0x1 drop_arp_vlan_from_gw.o:[tc] not_in_hw id 73 name drop_arp tag 991544dbfd60aaf2 jited

Bon ici je bloque la gateway commé désigné dans les commentaires par :

            /*
             * ARP payload layout (after struct arphdr):
             *
             *   sender MAC  (6 bytes)
             *   sender IP   (4 bytes)  <-- we want this
             *   target MAC  (6 bytes)
             *   target IP   (4 bytes)
             */

Mais ça peut certaine fois avoir des effets de bord… (la GW quand même !)

Pour éviter des effets de bords délicats et comme eBPF est souple (on peut coder ce qu'on veut), on peut imaginer bloquer les paquets à destination d'une certaine IP (car on a accès à la structure arphdr)

            /*
             * ARP payload layout (after struct arphdr):
             *
             *   sender MAC  (6 bytes)
             *   sender IP   (4 bytes)
             *   target MAC  (6 bytes)
             *   target IP   (4 bytes)  <-- we want this
             */

Dites moi si besoin d'un filtre pour bloquer l'ARP vers certaines destination, je pourrais écrire le filtre.

NB:
Si besoin d'adapter les IP dans le filtre:

            /* 
             * (192.168.100.254 => 0xC0A864FE in hex, network byte order)
             * 192.168.1.1 = 0xC0A80101
             * 192.168.27.1 = 0xC0A81B01
             * 192.168.27.98 = 0xC0A81B62
             */

Dites moi si vous vous en sortez ou si vous avez besoin d'aide

Cordialement
nbanba

Bonjour

Pour info si vous utilisez STDIO:

#include <stdio.h>

vous obtiendrez l'erreur:

$ clang -O2 -g -target bpf -I/usr/include/x86_64-linux-gnu -c drop_arp_vlan.c -o drop_arp_vlan.o
In file included from drop_arp_vlan.c:6:
In file included from /usr/include/stdio.h:437:
/usr/include/x86_64-linux-gnu/bits/floatn.h:83:52: error: unsupported machine mode '__TC__'
   83 | typedef _Complex float __cfloat128 __attribute__ ((__mode__ (__TC__)));
      |                                                    ^
/usr/include/x86_64-linux-gnu/bits/floatn.h:97:9: error: __float128 is not supported on this target
   97 | typedef __float128 _Float128;
      |         ^
2 errors generated.

mais aucune erreur de build avec les headers (<bpf/bpf_endian.h> est important):

#include <linux/bpf.h>
#include <linux/pkt_cls.h>
#include <linux/if_ether.h>
#include <linux/if_vlan.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>

J'ai compilé sur une machine x86_64 et ça build…

Si vous n'arrivez pas à build, je poste ici les binaires en base64:

base64 drop_arp_vlan.o (x86_64):

f0VMRgIBAQAAAAAAAAAAAAEA9wABAAAAAAAAAAAAAAAAAAAAAAAAAFggAAAAAAAAAAAAAEAAAAAAAEAAGQABALcAAAAAAAAAYRJQAAAAAABhEUwAAAAAAL8TAAAAAAAABwMAAA4AAAAtIxgAAAAAAHEUDAAAAAAAcRMNAAAAAABnAwAACAAAAE9DAAAAAAAAFQMBAIEAAABVAxEAiKgAAL8TAAAAAAAABwMAABIAAAAtIw8AAAAAAGkTDgAAAAAAVwMAAA//AAC3AgAAAQAAALcEAAABAAAAVQMBAAGQAAC3BAAAAAAAAFUDAQAAZAAAtwIAAAAAAABfQgAAAAAAAFcCAAABAAAAVQIDAAAAAAC3AAAAAgAAAGkREAAAAAAAFQEBAAgGAAC3AAAAAAAAAJUAAAAAAAAAR1BMACgAAAAFAAgAAwAAAAwAAAASAAAAGQAAAAQAGAFRAAQY4AEBUQAEGJABAVIAAREBJSUTBQMlchcQFxslERsSBnMXjAEXAAACNAADJUkTPxk6CzsLAhgAAAMBAUkTAAAEIQBJEzcLAAAFJAADJT4LCwsAAAYkAAMlCws+CwAABw8AAAAIFgBJEwMlOgs7CwAACS4BERsSBkAYehkDJToLOwsnGUkTPxkAAAoFAAIiAyU6CzsLSRMAAAs0AAIiAyU6CzsLSRMAAAw0AAMlOgs7C0kTAAANCwERGxIGAAAONAACGAMlOgs7C0kTAAAPDwBJEwAAEBMBAyULCzoLOwUAABENAAMlSRM6CzsFOAsAABINAEkTOgs7BYgBDzgLAAATFwELCzoLOwWIAQ8AABQNAEkTOgs7BTgLAAAVFwELCzoLOwUAABYTAQsLOgs7BQAAFxMBAyULCzoLOwsAABgNAAMlSRM6CzsLOAsAAABUBAAABQABCAAAAAABAB0AAQgAAAAAAAAAAgH4AAAACAAAAAwAAAACAzIAAAAATQKhAAM+AAAABEIAAAAEAAUEBgEGBQgHBwUGBQgIUwAAAAgBGAUHBwIJAfgAAAABWgkAML0AAAAKAAsAMMEAAAALAVQANQgEAAALAh4AM0YAAAAMHQAyRgAAAAxXADlLAAAADQJwAAAADgNxDp9ZAD06BAAADBQAQUsAAAAMXQBCSwAAAAxeAENLAAAAAAAFCgUED8YAAAAQU8ACWRgRDEMCAAACWhgAEQ9DAgAAAlsYBBEQQwIAAAJcGAgREUMCAAACXRgMERJDAgAAAl4YEBETQwIAAAJfGBQRFEMCAAACYBgYERVDAgAAAmEYHBEWQwIAAAJiGCARF0MCAAACYxgkERhDAgAAAmQYKBEZQwIAAAJlGCwRGk8CAAACZhgwERtDAgAAAmcYRBEcQwIAAAJoGEgRHUMCAAACaRhMER5DAgAAAmoYUBEfQwIAAAJrGFQRIEMCAAACbhhYESFDAgAAAm8YXBEiQwIAAAJwGGARI1sCAAACcRhkESRbAgAAAnIYdBElQwIAAAJzGIQRJkMCAAACdBiIESdDAgAAAncYjBLaAQAAAngYCJATCAJ4GAgRKGcCAAACeBgAABE+XAMAAAJ5GJgRQUMCAAACehigEUJDAgAAAnsYpBITAgAAAnwYCKgTCAJ8GAgRQ2gDAAACfBgAABFQQwIAAAJ9GLARUUADAAACfhi0EVJcAwAAAoAYuAAISwIAAA4BGwUNBwQDQwIAAARCAAAABQADQwIAAARCAAAABAAPbAIAABA9OAJsHBEpSwAAAAJtHAARKksAAAACbhwCEStLAAAAAm8cBBEsQAMAAAJwHAYRL0ADAAACcRwHETBAAwAAAnIcCBExQAMAAAJzHAkRMkwDAAACdBwKETRMAwAAAnUcDBE1TAMAAAJ2HA4U3wIAAAJ3HBAVIAJ3HBTtAgAAAngcABYIAngcETZUAwAAAnkcABE4VAMAAAJ6HAQAFBADAAACfBwAFiACfBwROVsCAAACfRwAETpbAgAAAn4cEAAAETtDAgAAAoEcMBE8VAMAAAKCHDQACEgDAAAuARUFLQgBCEsAAAAzAyAIQwIAADcDIghkAwAAQAEfBT8HCA9tAwAAEE9QAsEYEURDAgAAAsIYABEgQwIAAALDGAQRRUMCAAACxBgIERJDAgAAAsUYDBEQQwIAAALGGBARFkMCAAACxxgUEUZDAgAAAskYGBFHWwIAAALKGBwRSEMCAAACyxgsEUlMAwAAAswYMBFKQwIAAALOGDQRS1sCAAACzxg4EUxDAgAAAtAYSBFNAAQAAALRGEwACL0AAABOARoPDQQAABdYDgStGFUuBAAABK4AGFYuBAAABK8GGFdMAwAABLAMAANIAwAABEIAAAAGAA8/BAAAF1wEACcYWkwDAAAAKAAYW0wDAAAAKQIAAIABAAAFAAAAAAAAACMAAAAzAAAARwAAAFAAAABVAAAAaQAAAG4AAAB9AAAAgwAAAJEAAACVAAAAmQAAAJ0AAACqAAAAsAAAALkAAAC+AAAAzAAAANUAAADiAAAA6wAAAPYAAAD/AAAADwEAABcBAAAgAQAAIwEAACgBAAAzAQAAOAEAAEEBAABJAQAAUAEAAFsBAABlAQAAcAEAAHoBAACGAQAAkQEAAJsBAAClAQAAqwEAALEBAAC8AQAAxAEAANIBAADXAQAA5QEAAO4BAAD3AQAA/wEAAAYCAAAMAgAAEgIAABsCAAAiAgAAKwIAADQCAAA9AgAAQwIAAE4CAABcAgAAYwIAAHYCAAB8AgAAhQIAAI4CAACRAgAAngIAAKMCAACrAgAAswIAALwCAADFAgAAzQIAANUCAADbAgAA7AIAAPICAAD7AgAABAMAABADAAAZAwAAIwMAACcDAAAuAwAANwMAAD8DAABGAwAASQMAAFQDAABuAwAAdwMAAH8DAABEZWJpYW4gY2xhbmcgdmVyc2lvbiAxOS4xLjcgKDMrYjEpAGRyb3BfYXJwX3ZsYW4uYwAvdXNyL3NyYy9idWlsZC9lQlBGAF9saWNlbnNlAGNoYXIAX19BUlJBWV9TSVpFX1RZUEVfXwBsb25nAHVuc2lnbmVkIHNob3J0AF9fdTE2AGRyb3BfYXJwX3ZsYW4AaW50AHNrYgBsZW4AdW5zaWduZWQgaW50AF9fdTMyAHBrdF90eXBlAG1hcmsAcXVldWVfbWFwcGluZwBwcm90b2NvbAB2bGFuX3ByZXNlbnQAdmxhbl90Y2kAdmxhbl9wcm90bwBwcmlvcml0eQBpbmdyZXNzX2lmaW5kZXgAaWZpbmRleAB0Y19pbmRleABjYgBoYXNoAHRjX2NsYXNzaWQAZGF0YQBkYXRhX2VuZABuYXBpX2lkAGZhbWlseQByZW1vdGVfaXA0AGxvY2FsX2lwNAByZW1vdGVfaXA2AGxvY2FsX2lwNgByZW1vdGVfcG9ydABsb2NhbF9wb3J0AGRhdGFfbWV0YQBmbG93X2tleXMAbmhvZmYAdGhvZmYAYWRkcl9wcm90bwBpc19mcmFnAHVuc2lnbmVkIGNoYXIAX191OABpc19maXJzdF9mcmFnAGlzX2VuY2FwAGlwX3Byb3RvAG5fcHJvdG8AX19iZTE2AHNwb3J0AGRwb3J0AGlwdjRfc3JjAF9fYmUzMgBpcHY0X2RzdABpcHY2X3NyYwBpcHY2X2RzdABmbGFncwBmbG93X2xhYmVsAGJwZl9mbG93X2tleXMAdHN0YW1wAHVuc2lnbmVkIGxvbmcgbG9uZwBfX3U2NAB3aXJlX2xlbgBnc29fc2VncwBzawBib3VuZF9kZXZfaWYAdHlwZQBzcmNfaXA0AHNyY19pcDYAc3JjX3BvcnQAZHN0X3BvcnQAZHN0X2lwNABkc3RfaXA2AHN0YXRlAHJ4X3F1ZXVlX21hcHBpbmcAX19zMzIAYnBmX3NvY2sAZ3NvX3NpemUAdHN0YW1wX3R5cGUAaHd0c3RhbXAAX19za19idWZmAGV0aABoX2Rlc3QAaF9zb3VyY2UAaF9wcm90bwBldGhoZHIAdmgAaF92bGFuX1RDSQBoX3ZsYW5fZW5jYXBzdWxhdGVkX3Byb3RvAHZsYW5faGRyAHZsYW5faWQAaW5uZXJfcHJvdG8AHAAAAAUACAAAAAAAAAAAAAAAAAAAAAAAYAAAAAAAAAAAn+sBABgAAAAAAAAAJAMAACQDAADkAwAAAAAAAAAAAAICAAAAAQAAACIAAATAAAAACwAAAAMAAAAAAAAADwAAAAMAAAAgAAAAGAAAAAMAAABAAAAAHQAAAAMAAABgAAAAKwAAAAMAAACAAAAANAAAAAMAAACgAAAAQQAAAAMAAADAAAAASgAAAAMAAADgAAAAVQAAAAMAAAAAAQAAXgAAAAMAAAAgAQAAbgAAAAMAAABAAQAAdgAAAAMAAABgAQAAfwAAAAUAAACAAQAAggAAAAMAAAAgAgAAhwAAAAMAAABAAgAAkgAAAAMAAABgAgAAlwAAAAMAAACAAgAAoAAAAAMAAACgAgAAqAAAAAMAAADAAgAArwAAAAMAAADgAgAAugAAAAMAAAAAAwAAxAAAAAcAAAAgAwAAzwAAAAcAAACgAwAA2QAAAAMAAAAgBAAA5QAAAAMAAABABAAA8AAAAAMAAABgBAAAAAAAAAgAAACABAAA+gAAAAoAAADABAAAAQEAAAMAAAAABQAACgEAAAMAAAAgBQAAAAAAAAwAAABABQAAEwEAAAMAAACABQAAHAEAAA4AAACgBQAAKAEAAAoAAADABQAAMQEAAAAAAAgEAAAANwEAAAAAAAEEAAAAIAAAAAAAAAAAAAADAAAAAAMAAAAGAAAABQAAAEQBAAAAAAABBAAAACAAAAAAAAAAAAAAAwAAAAADAAAABgAAAAQAAAAAAAAAAQAABQgAAABYAQAACQAAAAAAAAAAAAAAAAAAAhcAAABiAQAAAAAACAsAAABoAQAAAAAAAQgAAABAAAAAAAAAAAEAAAUIAAAAewEAAA0AAAAAAAAAAAAAAAAAAAIYAAAAfgEAAAAAAAgPAAAAgwEAAAAAAAEBAAAACAAAAAAAAAABAAANEQAAAJEBAAABAAAAlQEAAAAAAAEEAAAAIAAAAZkBAAABAAAMEAAAALcDAAAAAAABAQAAAAgAAAEAAAAAAAAAAwAAAAATAAAABgAAAAQAAAC8AwAAAAAADhQAAAABAAAAxQMAAAEAAA8AAAAAFQAAAAAAAAAEAAAAzQMAAAAAAAcAAAAA2wMAAAAAAAcAAAAAAF9fc2tfYnVmZgBsZW4AcGt0X3R5cGUAbWFyawBxdWV1ZV9tYXBwaW5nAHByb3RvY29sAHZsYW5fcHJlc2VudAB2bGFuX3RjaQB2bGFuX3Byb3RvAHByaW9yaXR5AGluZ3Jlc3NfaWZpbmRleABpZmluZGV4AHRjX2luZGV4AGNiAGhhc2gAdGNfY2xhc3NpZABkYXRhAGRhdGFfZW5kAG5hcGlfaWQAZmFtaWx5AHJlbW90ZV9pcDQAbG9jYWxfaXA0AHJlbW90ZV9pcDYAbG9jYWxfaXA2AHJlbW90ZV9wb3J0AGxvY2FsX3BvcnQAZGF0YV9tZXRhAHRzdGFtcAB3aXJlX2xlbgBnc29fc2VncwBnc29fc2l6ZQB0c3RhbXBfdHlwZQBod3RzdGFtcABfX3UzMgB1bnNpZ25lZCBpbnQAX19BUlJBWV9TSVpFX1RZUEVfXwBmbG93X2tleXMAX191NjQAdW5zaWduZWQgbG9uZyBsb25nAHNrAF9fdTgAdW5zaWduZWQgY2hhcgBza2IAaW50AGRyb3BfYXJwX3ZsYW4AdGMAL3Vzci9zcmMvYnVpbGQvZUJQRi9kcm9wX2FycF92bGFuLmMAaW50IGRyb3BfYXJwX3ZsYW4oc3RydWN0IF9fc2tfYnVmZiAqc2tiKQAgICAgdm9pZCAqZGF0YV9lbmQgPSAodm9pZCAqKShsb25nKXNrYi0+ZGF0YV9lbmQ7ACAgICB2b2lkICpkYXRhID0gKHZvaWQgKikobG9uZylza2ItPmRhdGE7ACAgICBpZiAoKHZvaWQqKShldGggKyAxKSA+IGRhdGFfZW5kKQAgICAgX191MTYgaF9wcm90byA9IGJwZl9udG9ocyhldGgtPmhfcHJvdG8pOwAgICAgaWYgKGhfcHJvdG8gPT0gRVRIX1BfODAyMVEgfHwgaF9wcm90byA9PSBFVEhfUF84MDIxQUQpIHsAICAgICAgICBpZiAoKHZvaWQqKSh2aCArIDEpID4gZGF0YV9lbmQpACAgICAgICAgX191MTYgdmxhbl90Y2kgPSBicGZfbnRvaHModmgtPmhfdmxhbl9UQ0kpOwAgICAgICAgIF9fdTE2IHZsYW5faWQgPSB2bGFuX3RjaSAmIDB4MGZmZjsAICAgICAgICBpZiAoKHZsYW5faWQgPT0gMTAwIHx8IHZsYW5faWQgPT0gNDAwKSAmJiBpbm5lcl9wcm90byA9PSBFVEhfUF9BUlApAH0AY2hhcgBfbGljZW5zZQBsaWNlbnNlAGJwZl9mbG93X2tleXMAYnBmX3NvY2sAn+sBACAAAAAAAAAAFAAAABQAAADsAAAAAAEAAAAAAAAIAAAApwEAAAEAAAAAAAAAEgAAABAAAACnAQAADgAAAAAAAACqAQAAzgEAAADAAAAIAAAAqgEAAPcBAAApzAAAEAAAAKoBAAApAgAAJcgAABgAAACqAQAAUwIAABXYAAAoAAAAqgEAAFMCAAAJ2AAAMAAAAKoBAAB4AgAAFeQAAFAAAACqAQAApQIAACDwAABgAAAAqgEAAOICAAAY+AAAcAAAAKoBAADiAgAADfgAAHgAAACqAQAACgMAABoEAQCAAAAAqgEAAD4DAAAiCAEAqAAAAKoBAABpAwAAFhgBALgAAACqAQAAaQMAAB0YAQDwAAAAqgEAALUDAAABLAEADAAAAP////8EAAgACHwLABQAAAAAAAAAAAAAAAAAAAD4AAAAAAAAAPEAAAAFAAgAjwAAAAgBAfsODQABAQEBAAAAAQAAAQEBHwIAAAAAFAAAAAMBHwIPBR4FGQAAAADsq9Deu6ONQpRM99fpafyHKQAAAAG4EPJwcz4QYxm2fvUSxiRuSAAAAAHjBdrTMhjzw13Sbzy+3zLGXAAAAAHAreGhownWiWzmCApRotEFcgAAAAEWP1T7GvLiH+pBDxTrGPp2BAAACQIAAAAAAAAAAAMwAQUpCiIFJR8FFSQFCQYuBRUGIwUgTQUYMAUNBi4FGgYjBSIhBgO+fy4FFgYDxgA8BgO6fyAFHQPGACADun8gBQEGA8sAZgIBAAEBL3Vzci9zcmMvYnVpbGQvZUJQRgAvdXNyAGRyb3BfYXJwX3ZsYW4uYwBpbmNsdWRlL2FzbS1nZW5lcmljL2ludC1sbDY0LmgAaW5jbHVkZS9saW51eC9icGYuaABpbmNsdWRlL2xpbnV4L3R5cGVzLmgAaW5jbHVkZS9saW51eC9pZl9ldGhlci5oAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAM0AAAAEAPH/AAAAAAAAAAAAAAAAAAAAAAAAAAADAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAYAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAkAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAsAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAADABIAAAAAAAAAAAAAAAAAAAAAAAAAAAADABQAAAAAAAAAAAAAAAAAAAAAAAAAAAADABYAAAAAAAAAAAAAAAAAAAAAAIQAAAASAAMAAAAAAAAAAAD4AAAAAAAAAKAAAAARAAQAAAAAAAAAAAAEAAAAAAAAAAgAAAAAAAAAAwAAAAQAAAARAAAAAAAAAAMAAAAFAAAAFQAAAAAAAAADAAAACQAAAB8AAAAAAAAAAwAAAAcAAAAjAAAAAAAAAAMAAAADAAAACAAAAAAAAAADAAAABgAAAAwAAAAAAAAAAwAAAAYAAAAQAAAAAAAAAAMAAAAGAAAAFAAAAAAAAAADAAAABgAAABgAAAAAAAAAAwAAAAYAAAAcAAAAAAAAAAMAAAAGAAAAIAAAAAAAAAADAAAABgAAACQAAAAAAAAAAwAAAAYAAAAoAAAAAAAAAAMAAAAGAAAALAAAAAAAAAADAAAABgAAADAAAAAAAAAAAwAAAAYAAAA0AAAAAAAAAAMAAAAGAAAAOAAAAAAAAAADAAAABgAAADwAAAAAAAAAAwAAAAYAAABAAAAAAAAAAAMAAAAGAAAARAAAAAAAAAADAAAABgAAAEgAAAAAAAAAAwAAAAYAAABMAAAAAAAAAAMAAAAGAAAAUAAAAAAAAAADAAAABgAAAFQAAAAAAAAAAwAAAAYAAABYAAAAAAAAAAMAAAAGAAAAXAAAAAAAAAADAAAABgAAAGAAAAAAAAAAAwAAAAYAAABkAAAAAAAAAAMAAAAGAAAAaAAAAAAAAAADAAAABgAAAGwAAAAAAAAAAwAAAAYAAABwAAAAAAAAAAMAAAAGAAAAdAAAAAAAAAADAAAABgAAAHgAAAAAAAAAAwAAAAYAAAB8AAAAAAAAAAMAAAAGAAAAgAAAAAAAAAADAAAABgAAAIQAAAAAAAAAAwAAAAYAAACIAAAAAAAAAAMAAAAGAAAAjAAAAAAAAAADAAAABgAAAJAAAAAAAAAAAwAAAAYAAACUAAAAAAAAAAMAAAAGAAAAmAAAAAAAAAADAAAABgAAAJwAAAAAAAAAAwAAAAYAAACgAAAAAAAAAAMAAAAGAAAApAAAAAAAAAADAAAABgAAAKgAAAAAAAAAAwAAAAYAAACsAAAAAAAAAAMAAAAGAAAAsAAAAAAAAAADAAAABgAAALQAAAAAAAAAAwAAAAYAAAC4AAAAAAAAAAMAAAAGAAAAvAAAAAAAAAADAAAABgAAAMAAAAAAAAAAAwAAAAYAAADEAAAAAAAAAAMAAAAGAAAAyAAAAAAAAAADAAAABgAAAMwAAAAAAAAAAwAAAAYAAADQAAAAAAAAAAMAAAAGAAAA1AAAAAAAAAADAAAABgAAANgAAAAAAAAAAwAAAAYAAADcAAAAAAAAAAMAAAAGAAAA4AAAAAAAAAADAAAABgAAAOQAAAAAAAAAAwAAAAYAAADoAAAAAAAAAAMAAAAGAAAA7AAAAAAAAAADAAAABgAAAPAAAAAAAAAAAwAAAAYAAAD0AAAAAAAAAAMAAAAGAAAA+AAAAAAAAAADAAAABgAAAPwAAAAAAAAAAwAAAAYAAAAAAQAAAAAAAAMAAAAGAAAABAEAAAAAAAADAAAABgAAAAgBAAAAAAAAAwAAAAYAAAAMAQAAAAAAAAMAAAAGAAAAEAEAAAAAAAADAAAABgAAABQBAAAAAAAAAwAAAAYAAAAYAQAAAAAAAAMAAAAGAAAAHAEAAAAAAAADAAAABgAAACABAAAAAAAAAwAAAAYAAAAkAQAAAAAAAAMAAAAGAAAAKAEAAAAAAAADAAAABgAAACwBAAAAAAAAAwAAAAYAAAAwAQAAAAAAAAMAAAAGAAAANAEAAAAAAAADAAAABgAAADgBAAAAAAAAAwAAAAYAAAA8AQAAAAAAAAMAAAAGAAAAQAEAAAAAAAADAAAABgAAAEQBAAAAAAAAAwAAAAYAAABIAQAAAAAAAAMAAAAGAAAATAEAAAAAAAADAAAABgAAAFABAAAAAAAAAwAAAAYAAABUAQAAAAAAAAMAAAAGAAAAWAEAAAAAAAADAAAABgAAAFwBAAAAAAAAAwAAAAYAAABgAQAAAAAAAAMAAAAGAAAAZAEAAAAAAAADAAAABgAAAGgBAAAAAAAAAwAAAAYAAABsAQAAAAAAAAMAAAAGAAAAcAEAAAAAAAADAAAABgAAAHQBAAAAAAAAAwAAAAYAAAB4AQAAAAAAAAMAAAAGAAAAfAEAAAAAAAADAAAABgAAAIABAAAAAAAAAwAAAAYAAAAIAAAAAAAAAAIAAAAMAAAAEAAAAAAAAAACAAAAAgAAABgAAAAAAAAAAgAAAAIAAAAcAwAAAAAAAAQAAAAMAAAALAAAAAAAAAAEAAAAAgAAAEAAAAAAAAAABAAAAAIAAABQAAAAAAAAAAQAAAACAAAAYAAAAAAAAAAEAAAAAgAAAHAAAAAAAAAABAAAAAIAAACAAAAAAAAAAAQAAAACAAAAkAAAAAAAAAAEAAAAAgAAAKAAAAAAAAAABAAAAAIAAACwAAAAAAAAAAQAAAACAAAAwAAAAAAAAAAEAAAAAgAAANAAAAAAAAAABAAAAAIAAADgAAAAAAAAAAQAAAACAAAA8AAAAAAAAAAEAAAAAgAAAAABAAAAAAAABAAAAAIAAAAQAQAAAAAAAAQAAAACAAAAFAAAAAAAAAADAAAACAAAABgAAAAAAAAAAgAAAAIAAAAiAAAAAAAAAAMAAAAKAAAAJgAAAAAAAAADAAAACgAAADIAAAAAAAAAAwAAAAoAAABHAAAAAAAAAAMAAAAKAAAAXAAAAAAAAAADAAAACgAAAHEAAAAAAAAAAwAAAAoAAACGAAAAAAAAAAMAAAAKAAAAoAAAAAAAAAACAAAAAgAAAAsMAC5kZWJ1Z19hYmJyZXYALnRleHQALnJlbC5CVEYuZXh0AC5kZWJ1Z19sb2NsaXN0cwAucmVsLmRlYnVnX3N0cl9vZmZzZXRzAC5kZWJ1Z19zdHIALmRlYnVnX2xpbmVfc3RyAC5yZWwuZGVidWdfYWRkcgAucmVsLmRlYnVnX2luZm8AZHJvcF9hcnBfdmxhbgAubGx2bV9hZGRyc2lnAF9saWNlbnNlAC5yZWwuZGVidWdfbGluZQAucmVsLmRlYnVnX2ZyYW1lAHRjAGRyb3BfYXJwX3ZsYW4uYwAuc3RydGFiAC5zeW10YWIALnJlbC5CVEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN0AAAADAAAAAAAAAAAAAAAAAAAAAAAAAGIfAAAAAAAA9gAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAPAAAAAQAAAAYAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAygAAAAEAAAAGAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAD4AAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAKEAAAABAAAAAwAAAAAAAAAAAAAAAAAAADgBAAAAAAAABAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAiAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAA8AQAAAAAAACwAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAaAEAAAAAAABAAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAHgAAAABAAAAAAAAAAAAAAAAAAAAAAAAAKgCAAAAAAAAWAQAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAB0AAAACQAAAEAAAAAAAAAAAAAAAAAAAABQFwAAAAAAAFAAAAAAAAAAGAAAAAcAAAAIAAAAAAAAABAAAAAAAAAANgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAcAAAAAAACEAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAADIAAAAJAAAAQAAAAAAAAAAAAAAAAAAAAKAXAAAAAAAA8AUAAAAAAAAYAAAACQAAAAgAAAAAAAAAEAAAAAAAAABJAAAAAQAAADAAAAAAAAAAAAAAAAAAAACECAAAAAAAAIsDAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAaAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAADwwAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAGQAAAAJAAAAQAAAAAAAAAAAAAAAAAAAAJAdAAAAAAAAMAAAAAAAAAAYAAAADAAAAAgAAAAAAAAAEAAAAAAAAADxAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAwDAAAAAAAACAHAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAA7QAAAAkAAABAAAAAAAAAAAAAAAAAAAAAwB0AAAAAAAAQAAAAAAAAABgAAAAOAAAACAAAAAAAAAAQAAAAAAAAABkAAAABAAAAAAAAAAAAAAAAAAAAAAAAAFATAAAAAAAAIAEAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAVAAAACQAAAEAAAAAAAAAAAAAAAAAAAADQHQAAAAAAAPAAAAAAAAAAGAAAABAAAAAIAAAAAAAAABAAAAAAAAAAvQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAcBQAAAAAAAAoAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAALkAAAAJAAAAQAAAAAAAAAAAAAAAAAAAAMAeAAAAAAAAIAAAAAAAAAAYAAAAEgAAAAgAAAAAAAAAEAAAAAAAAACtAAAAAQAAAAAAAAAAAAAAAAAAAAAAAACYFAAAAAAAAPUAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAqQAAAAkAAABAAAAAAAAAAAAAAAAAAAAA4B4AAAAAAACAAAAAAAAAABgAAAAUAAAACAAAAAAAAAAQAAAAAAAAAFQAAAABAAAAMAAAAAAAAAAAAAAAAAAAAI0VAAAAAAAAiwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAACSAAAAA0z/bwAAAIAAAAAAAAAAAAAAAABgHwAAAAAAAAIAAAAAAAAAGAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA5QAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAGBYAAAAAAAA4AQAAAAAAAAEAAAALAAAACAAAAAAAAAAYAAAAAAAAAA==

base64 drop_arp_vlan_from_gw.o (x86_64):

f0VMRgIBAQAAAAAAAAAAAAEA9wABAAAAAAAAAAAAAAAAAAAAAAAAAGgpAAAAAAAAAAAAAEAAAAAAAEAAGQABALcAAAAAAAAAYRJQAAAAAABhEUwAAAAAAL8UAAAAAAAABwQAAA4AAAAtJEsAAAAAAHEVDAAAAAAAcRMNAAAAAABnAwAACAAAAE9TAAAAAAAAVQMaAAgGAAC/FQAAAAAAAAcFAAAWAAAALSVDAAAAAABpRAAAAAAAAFUEQQAAAQAAaRQQAAAAAABVBD8ACAAAAHEUEgAAAAAAVQQ9AAYAAABxFBMAAAAAAFUEOwAEAAAAvxQAAAAAAAAHBAAAIAAAAC0kOAAAAAAAcRQdAAAAAABnBAAACAAAAHEVHAAAAAAAT1QAAAAAAABxFR4AAAAAAGcFAAAQAAAAcRYfAAAAAABnBgAAGAAAAE9WAAAAAAAAT0YAAAAAAAC3AAAAAgAAABUGLADAqGRfFQMCAIioAAC3AAAAAAAAAFUDKQCBAAAAvxMAAAAAAAAHAwAAEgAAALcAAAAAAAAALSMlAAAAAABpFBAAAAAAAFUEIwAIBgAAvxQAAAAAAAAHBAAAGgAAAC0kIAAAAAAAaTMAAAAAAABVAx4AAAEAAGkTFAAAAAAAVQMcAAgAAABxExYAAAAAAFUDGgAGAAAAcRMXAAAAAABVAxgABAAAAL8TAAAAAAAABwMAACQAAAAtIxUAAAAAAGkSDgAAAAAAVwIAAA////9XAgAA//8AALcAAAACAAAAFQIQAABkAAAVAg8AAZAAAHESIQAAAAAAZwIAAAgAAABxEyAAAAAAAE8yAAAAAAAAcRMiAAAAAABnAwAAEAAAAHERIwAAAAAAZwEAABgAAABPMQAAAAAAAE8hAAAAAAAAGAIAAMCoZP4AAAAAAAAAALcAAAAAAAAAXSEBAAAAAAC3AAAAAgAAAJUAAAAAAAAAR1BMAGYAAAAFAAgACAAAACAAAAAmAAAALQAAADQAAAA6AAAARAAAAEwAAABWAAAABAAYAVEABBjIBAFRAAQY6AMBUgAEWHgBVAAEoAGoAgNxHJ8ABJgCqAIBVgAEuAPIBANxIJ8ABOAEgAUBUQABEQElJRMFAyVyFxAXGyURGxIGcxeMARcAAAI0AAMlSRM/GToLOwsCGAAAAwEBSRMAAAQhAEkTNwsAAAUkAAMlPgsLCwAABiQAAyULCz4LAAAHDwAAAAgWAEkTAyU6CzsLAAAJDwBJEwAACi4BERsSBkAYehkDJToLOwsnGUkTPxkAAAsFAAIiAyU6CzsLSRMAAAw0AAIiAyU6CzsLSRMAAA00AAMlOgs7C0kTAAAOCwERGxIGAAAPEwEDJQsLOgs7BQAAEA0AAyVJEzoLOwU4CwAAEQ0ASRM6CzsFiAEPOAsAABIXAQsLOgs7BYgBDwAAEw0ASRM6CzsFOAsAABQXAQsLOgs7BQAAFRMBCws6CzsFAAAWEwEDJQsLOgs7CwAAFw0AAyVJEzoLOws4CwAAAM0EAAAFAAEIAAAAAAEAHQABCAAAAAAAAAACAZACAAAIAAAADAAAAAIDMgAAAACHAqEAAz4AAAAEQgAAAAQABQQGAQYFCAcHBQYFCAhTAAAACAEYBQcHAglcAAAABQkIAQhoAAAACwEbBQoHBAoBkAIAAAFaDAAXCQEAAAsADgAXDQEAAAwBVAAjRAQAAAwCHwAgRgAAAA0eAB9GAAAADVcAKksAAAAOAtAAAAAMA1kALnYEAAAMBGAAPq4EAAAMBWEARZADAAAADgNAAQAADWIAULMEAAANZgBXSwAAAA1nAFpLAAAADgT4AAAADAZgAGyuBAAADAdhAHOQAwAADVkAXnYEAAAAAAAFDQUECRIBAAAPU8ACWRgQD2AAAAACWhgAEBBgAAAAAlsYBBARYAAAAAJcGAgQEmAAAAACXRgMEBNgAAAAAl4YEBAUYAAAAAJfGBQQFWAAAAACYBgYEBZgAAAAAmEYHBAXYAAAAAJiGCAQGGAAAAACYxgkEBlgAAAAAmQYKBAaYAAAAAJlGCwQG48CAAACZhgwEBxgAAAAAmcYRBAdYAAAAAJoGEgQHmAAAAACaRhMEB9gAAAAAmoYUBAgYAAAAAJrGFQQIWAAAAACbhhYECJgAAAAAm8YXBAjYAAAAAJwGGAQJJsCAAACcRhkECWbAgAAAnIYdBAmYAAAAAJzGIQQJ2AAAAACdBiIEChgAAAAAncYjBEmAgAAAngYCJASCAJ4GAgQKacCAAACeBgAABA+mAMAAAJ5GJgQQWAAAAACehigEEJgAAAAAnsYpBFfAgAAAnwYCKgSCAJ8GAgQQ6QDAAACfBgAABBQYAAAAAJ9GLAQUYADAAACfhi0EFKYAwAAAoAYuAADYAAAAARCAAAABQADYAAAAARCAAAABAAJrAIAAA89OAJsHBAqSwAAAAJtHAAQK0sAAAACbhwCECxLAAAAAm8cBBAtgAMAAAJwHAYQL4ADAAACcRwHEDCAAwAAAnIcCBAxgAMAAAJzHAkQMogDAAACdBwKEDSIAwAAAnUcDBA1iAMAAAJ2HA4THwMAAAJ3HBAUIAJ3HBMtAwAAAngcABUIAngcEDaQAwAAAnkcABA4kAMAAAJ6HAQAE1ADAAACfBwAFSACfBwQOZsCAAACfRwAEDqbAgAAAn4cEAAAEDtgAAAAAoEcMBA8kAMAAAKCHDQACFwAAAAuARUISwAAADMDIAhgAAAANwMiCKADAABAAR8FPwcICakDAAAPT1ACwRgQRGAAAAACwhgAECFgAAAAAsMYBBBFYAAAAALEGAgQE2AAAAACxRgMEBFgAAAAAsYYEBAXYAAAAALHGBQQRmAAAAACyRgYEEebAgAAAsoYHBBIYAAAAALLGCwQSYgDAAACzBgwEEpgAAAAAs4YNBBLmwIAAALPGDgQTGAAAAAC0BhIEE08BAAAAtEYTAAICQEAAE4BGglJBAAAFlgOBK0XVWoEAAAErgAXVmoEAAAErwYXV4gDAAAEsAwAA1wAAAAEQgAAAAYACXsEAAAWXwgFkRdaiAMAAAWSABdbiAMAAAWTAhdcXAAAAAWUBBddXAAAAAWVBRdeiAMAAAWWBgAJgAMAAAm4BAAAFmUEAA0XY4gDAAAADgAXZIgDAAAADwIAAKQBAAAFAAAAAAAAACMAAAA8AAAAUAAAAFkAAABeAAAAcgAAAHcAAACGAAAAjAAAAJoAAACnAAAArQAAALYAAAC6AAAAvgAAAMIAAADLAAAA0AAAAN4AAADnAAAA9AAAAP0AAAAIAQAAEQEAACEBAAApAQAAMgEAADUBAAA6AQAARQEAAEoBAABTAQAAWwEAAGIBAABtAQAAdwEAAIIBAACMAQAAmAEAAKMBAACtAQAAtwEAAL0BAADDAQAAzgEAANYBAADbAQAA6QEAAPIBAAD7AQAAAwIAAAoCAAAQAgAAFgIAAB8CAAAmAgAALwIAADgCAABBAgAARwIAAFICAABgAgAAZwIAAHoCAACAAgAAiQIAAJICAACVAgAAogIAAKcCAACvAgAAtwIAAMACAADJAgAA0QIAANkCAADfAgAA8AIAAPYCAAD/AgAACAMAABQDAAAdAwAAJwMAACsDAAAyAwAAOwMAAEMDAABKAwAATgMAAFUDAABcAwAAYwMAAGoDAABwAwAAdwMAAIEDAACFAwAAiAMAAJMDAACtAwAAtgMAAL4DAABEZWJpYW4gY2xhbmcgdmVyc2lvbiAxOS4xLjcgKDMrYjEpAGRyb3BfYXJwX3ZsYW5fZnJvbV9ndzIuYwAvdXNyL3NyYy9idWlsZC9lQlBGAF9saWNlbnNlAGNoYXIAX19BUlJBWV9TSVpFX1RZUEVfXwBsb25nAHVuc2lnbmVkIHNob3J0AF9fdTE2AHVuc2lnbmVkIGNoYXIAdW5zaWduZWQgaW50AF9fdTMyAGRyb3BfYXJwAGludABza2IAbGVuAHBrdF90eXBlAG1hcmsAcXVldWVfbWFwcGluZwBwcm90b2NvbAB2bGFuX3ByZXNlbnQAdmxhbl90Y2kAdmxhbl9wcm90bwBwcmlvcml0eQBpbmdyZXNzX2lmaW5kZXgAaWZpbmRleAB0Y19pbmRleABjYgBoYXNoAHRjX2NsYXNzaWQAZGF0YQBkYXRhX2VuZABuYXBpX2lkAGZhbWlseQByZW1vdGVfaXA0AGxvY2FsX2lwNAByZW1vdGVfaXA2AGxvY2FsX2lwNgByZW1vdGVfcG9ydABsb2NhbF9wb3J0AGRhdGFfbWV0YQBmbG93X2tleXMAbmhvZmYAdGhvZmYAYWRkcl9wcm90bwBpc19mcmFnAF9fdTgAaXNfZmlyc3RfZnJhZwBpc19lbmNhcABpcF9wcm90bwBuX3Byb3RvAF9fYmUxNgBzcG9ydABkcG9ydABpcHY0X3NyYwBfX2JlMzIAaXB2NF9kc3QAaXB2Nl9zcmMAaXB2Nl9kc3QAZmxhZ3MAZmxvd19sYWJlbABicGZfZmxvd19rZXlzAHRzdGFtcAB1bnNpZ25lZCBsb25nIGxvbmcAX191NjQAd2lyZV9sZW4AZ3NvX3NlZ3MAc2sAYm91bmRfZGV2X2lmAHR5cGUAc3JjX2lwNABzcmNfaXA2AHNyY19wb3J0AGRzdF9wb3J0AGRzdF9pcDQAZHN0X2lwNgBzdGF0ZQByeF9xdWV1ZV9tYXBwaW5nAF9fczMyAGJwZl9zb2NrAGdzb19zaXplAHRzdGFtcF90eXBlAGh3dHN0YW1wAF9fc2tfYnVmZgBldGgAaF9kZXN0AGhfc291cmNlAGhfcHJvdG8AZXRoaGRyAGFycABhcl9ocmQAYXJfcHJvAGFyX2hsbgBhcl9wbG4AYXJfb3AAYXJwaGRyAHNlbmRlcl9pcABzcGEAdmgAaF92bGFuX1RDSQBoX3ZsYW5fZW5jYXBzdWxhdGVkX3Byb3RvAHZsYW5faGRyAHZsYW5faWQAaW5uZXJfcHJvdG8ALAAAAAUACAAAAAAAAAAAAAAAAAAAAAAAWAAAAAAAAABAAQAAAAAAAIgBAAAAAAAAAACf6wEAGAAAAAAAAAAkAwAAJAMAACYGAAAAAAAAAAAAAgIAAAABAAAAIgAABMAAAAALAAAAAwAAAAAAAAAPAAAAAwAAACAAAAAYAAAAAwAAAEAAAAAdAAAAAwAAAGAAAAArAAAAAwAAAIAAAAA0AAAAAwAAAKAAAABBAAAAAwAAAMAAAABKAAAAAwAAAOAAAABVAAAAAwAAAAABAABeAAAAAwAAACABAABuAAAAAwAAAEABAAB2AAAAAwAAAGABAAB/AAAABQAAAIABAACCAAAAAwAAACACAACHAAAAAwAAAEACAACSAAAAAwAAAGACAACXAAAAAwAAAIACAACgAAAAAwAAAKACAACoAAAAAwAAAMACAACvAAAAAwAAAOACAAC6AAAAAwAAAAADAADEAAAABwAAACADAADPAAAABwAAAKADAADZAAAAAwAAACAEAADlAAAAAwAAAEAEAADwAAAAAwAAAGAEAAAAAAAACAAAAIAEAAD6AAAACgAAAMAEAAABAQAAAwAAAAAFAAAKAQAAAwAAACAFAAAAAAAADAAAAEAFAAATAQAAAwAAAIAFAAAcAQAADgAAAKAFAAAoAQAACgAAAMAFAAAxAQAAAAAACAQAAAA3AQAAAAAAAQQAAAAgAAAAAAAAAAAAAAMAAAAAAwAAAAYAAAAFAAAARAEAAAAAAAEEAAAAIAAAAAAAAAAAAAADAAAAAAMAAAAGAAAABAAAAAAAAAABAAAFCAAAAFgBAAAJAAAAAAAAAAAAAAAAAAACFwAAAGIBAAAAAAAICwAAAGgBAAAAAAABCAAAAEAAAAAAAAAAAQAABQgAAAB7AQAADQAAAAAAAAAAAAAAAAAAAhgAAAB+AQAAAAAACA8AAACDAQAAAAAAAQEAAAAIAAAAAAAAAAEAAA0RAAAAkQEAAAEAAACVAQAAAAAAAQQAAAAgAAABmQEAAAEAAAwQAAAA+QUAAAAAAAEBAAAACAAAAQAAAAAAAAADAAAAABMAAAAGAAAABAAAAP4FAAAAAAAOFAAAAAEAAAAHBgAAAQAADwAAAAAVAAAAAAAAAAQAAAAPBgAAAAAABwAAAAAdBgAAAAAABwAAAAAAX19za19idWZmAGxlbgBwa3RfdHlwZQBtYXJrAHF1ZXVlX21hcHBpbmcAcHJvdG9jb2wAdmxhbl9wcmVzZW50AHZsYW5fdGNpAHZsYW5fcHJvdG8AcHJpb3JpdHkAaW5ncmVzc19pZmluZGV4AGlmaW5kZXgAdGNfaW5kZXgAY2IAaGFzaAB0Y19jbGFzc2lkAGRhdGEAZGF0YV9lbmQAbmFwaV9pZABmYW1pbHkAcmVtb3RlX2lwNABsb2NhbF9pcDQAcmVtb3RlX2lwNgBsb2NhbF9pcDYAcmVtb3RlX3BvcnQAbG9jYWxfcG9ydABkYXRhX21ldGEAdHN0YW1wAHdpcmVfbGVuAGdzb19zZWdzAGdzb19zaXplAHRzdGFtcF90eXBlAGh3dHN0YW1wAF9fdTMyAHVuc2lnbmVkIGludABfX0FSUkFZX1NJWkVfVFlQRV9fAGZsb3dfa2V5cwBfX3U2NAB1bnNpZ25lZCBsb25nIGxvbmcAc2sAX191OAB1bnNpZ25lZCBjaGFyAHNrYgBpbnQAZHJvcF9hcnAAdGMAL3Vzci9zcmMvYnVpbGQvZUJQRi9kcm9wX2FycF92bGFuX2Zyb21fZ3cyLmMAaW50IGRyb3BfYXJwKHN0cnVjdCBfX3NrX2J1ZmYgKnNrYikAICAgIHZvaWQgKmRhdGFfZW5kID0gKHZvaWQgKikobG9uZylza2ItPmRhdGFfZW5kOwAgICAgdm9pZCAqZGF0YSAgICAgPSAodm9pZCAqKShsb25nKXNrYi0+ZGF0YTsAICAgIGlmICgodm9pZCAqKShldGggKyAxKSA+IGRhdGFfZW5kKQAgICAgX191MTYgaF9wcm90byA9IGJwZl9udG9ocyhldGgtPmhfcHJvdG8pOwAgICAgaWYgKGhfcHJvdG8gPT0gRVRIX1BfQVJQKSB7ACAgICAgICAgaWYgKCh2b2lkICopKGFycCArIDEpID4gZGF0YV9lbmQpACAgICAgICAgaWYgKGFycC0+YXJfaHJkICE9IGJwZl9odG9ucyhBUlBIUkRfRVRIRVIpIHx8ACAgICAgICAgICAgIGFycC0+YXJfcHJvICE9IGJwZl9odG9ucyhFVEhfUF9JUCkgICB8fAAgICAgICAgICAgICBhcnAtPmFyX2hsbiAhPSBFVEhfQUxFTiAgICAgICAgICAgICAgIHx8ACAgICAgICAgICAgIGFycC0+YXJfcGxuICE9IDQpACAgICAgICAgX19idWlsdGluX21lbWNweSgmc3BhLCBzZW5kZXJfaXAsIHNpemVvZihzcGEpKTsAICAgIGlmIChoX3Byb3RvID09IEVUSF9QXzgwMjFRIHx8IGhfcHJvdG8gPT0gRVRIX1BfODAyMUFEKSB7ACAgICAgICAgaWYgKCh2b2lkICopKHZoICsgMSkgPiBkYXRhX2VuZCkAICAgICAgICBfX3UxNiBpbm5lcl9wcm90byA9IGJwZl9udG9ocyh2aC0+aF92bGFuX2VuY2Fwc3VsYXRlZF9wcm90byk7ACAgICAgICAgaWYgKGlubmVyX3Byb3RvID09IEVUSF9QX0FSUCkgewAgICAgICAgICAgICBpZiAoYXJwLT5hcl9ocmQgIT0gYnBmX2h0b25zKEFSUEhSRF9FVEhFUikgfHwAICAgICAgICAgICAgICAgIGFycC0+YXJfcHJvICE9IGJwZl9odG9ucyhFVEhfUF9JUCkgICB8fAAgICAgICAgICAgICAgICAgYXJwLT5hcl9obG4gIT0gRVRIX0FMRU4gICAgICAgICAgICAgICB8fAAgICAgICAgICAgICAgICAgYXJwLT5hcl9wbG4gIT0gNCkAICAgICAgICAgICAgaWYgKHZsYW5faWQgPT0gMTAwIHx8IHZsYW5faWQgPT0gNDAwKQAgICAgICAgICAgICBfX2J1aWx0aW5fbWVtY3B5KCZzcGEsIHNlbmRlcl9pcCwgc2l6ZW9mKHNwYSkpOwB9AGNoYXIAX2xpY2Vuc2UAbGljZW5zZQBicGZfZmxvd19rZXlzAGJwZl9zb2NrAAAAn+sBACAAAAAAAAAAFAAAABQAAAA8AgAAUAIAAAAAAAAIAAAAogEAAAEAAAAAAAAAEgAAABAAAACiAQAAIwAAAAAAAAClAQAA0gEAAABcAAAIAAAApQEAAPYBAAApgAAAEAAAAKUBAAAoAgAAKXwAABgAAAClAQAAVgIAABaYAAAoAAAApQEAAFYCAAAJmAAAMAAAAKUBAAB8AgAAFagAAFAAAAClAQAAqQIAAAm0AABYAAAApQEAAMkCAAAaxAAAaAAAAKUBAADJAgAADcQAAHAAAAClAQAA8wIAABLcAAB4AAAApQEAAPMCAAA03AAAgAAAAKUBAAApAwAAEuAAAIgAAAClAQAAKQMAADLgAACQAAAApQEAAF0DAAAS5AAAmAAAAKUBAABdAwAAM+QAAKAAAAClAQAAkgMAABLoAACoAAAApQEAAPMCAAAN3AAAyAAAAKUBAACwAwAACRgBACgBAAClAQAA6AMAACA8AQBAAQAApQEAACUEAAAZTAEAWAEAAKUBAAAlBAAADUwBAGABAAClAQAATgQAAB1oAQBoAQAApQEAAJQEAAANdAEAiAEAAKUBAAC8BAAAFpQBAJABAAClAQAAvAQAADiUAQCYAQAApQEAAPYEAAAWmAEAoAEAAKUBAAD2BAAANpgBAKgBAAClAQAALgUAABacAQCwAQAApQEAAC4FAAA3nAEAuAEAAKUBAABnBQAAFqABAMABAAClAQAAvAQAABGUAQDwAQAApQEAAIkFAAAZ4AEAAAIAAKUBAACJBQAAIOABABACAAClAQAAuwUAAA3QAQCIAgAApQEAAPcFAAABDAIADAAAAP////8EAAgACHwLABQAAAAAAAAAAAAAAAAAAACQAgAAAAAAAHsBAAAFAAgApAAAAAgBAfsODQABAQEBAAAAAQAAAQEBHwIAAAAAFAAAAAMBHwIPBR4GGQAAAACZxxtBcnqud9kM21xhIpDsMgAAAAG4EPJwcz4QYxm2fvUSxiRuUQAAAAHjBdrTMhjzw13Sbzy+3zLGZQAAAAHAreGhownWiWzmCApRotEFewAAAAEWP1T7GvLiH+pBDxTrGPp2lAAAAAFPoSiq3pr35kvzP7IZT+4XBAAACQIAAAAAAAAAAAMXAQUpCigfBRYnBQkGLgUVBiQFCU0FGiQFDQYuBRIGJgU0BiAFEgYhBTIGIAUSBiEFMwYgBRIGIQUNHQYDSSADNy4FCQYDDyAGA7p/ngUgBgPPAC4GA7F/IAPPACAFGQYkBQ0GPAUdBicFDSMGA6N/IAPdAC4FFgYoBTgGIAUWBiEFNgYgBRYGIQU3BiAFFgYhBREdBgObfyAD5QAuA5t/IAUZBgP4AC4FIAYuBQ0GKgYDjH+eBQEGA4MBWAIBAAEBL3Vzci9zcmMvYnVpbGQvZUJQRgAvdXNyAGRyb3BfYXJwX3ZsYW5fZnJvbV9ndzIuYwBpbmNsdWRlL2FzbS1nZW5lcmljL2ludC1sbDY0LmgAaW5jbHVkZS9saW51eC9icGYuaABpbmNsdWRlL2xpbnV4L3R5cGVzLmgAaW5jbHVkZS9saW51eC9pZl9ldGhlci5oAGluY2x1ZGUvbGludXgvaWZfYXJwLmgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyAAAAAQA8f8AAAAAAAAAAAAAAAAAAAAAAAAAAAMAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAMABQAAAAAAAAAAAAAAAAAAAAAAAAAAAAMABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAMACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAMACwAAAAAAAAAAAAAAAAAAAAAAAAAAAAMADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAEgAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAFgAAAAAAAAAAAAAAAAAAAAAAdAAAABIAAwAAAAAAAAAAAJACAAAAAAAAmwAAABEABAAAAAAAAAAAAAQAAAAAAAAACAAAAAAAAAADAAAABAAAABEAAAAAAAAAAwAAAAUAAAAVAAAAAAAAAAMAAAAJAAAAHwAAAAAAAAADAAAABwAAACMAAAAAAAAAAwAAAAMAAAAIAAAAAAAAAAMAAAAGAAAADAAAAAAAAAADAAAABgAAABAAAAAAAAAAAwAAAAYAAAAUAAAAAAAAAAMAAAAGAAAAGAAAAAAAAAADAAAABgAAABwAAAAAAAAAAwAAAAYAAAAgAAAAAAAAAAMAAAAGAAAAJAAAAAAAAAADAAAABgAAACgAAAAAAAAAAwAAAAYAAAAsAAAAAAAAAAMAAAAGAAAAMAAAAAAAAAADAAAABgAAADQAAAAAAAAAAwAAAAYAAAA4AAAAAAAAAAMAAAAGAAAAPAAAAAAAAAADAAAABgAAAEAAAAAAAAAAAwAAAAYAAABEAAAAAAAAAAMAAAAGAAAASAAAAAAAAAADAAAABgAAAEwAAAAAAAAAAwAAAAYAAABQAAAAAAAAAAMAAAAGAAAAVAAAAAAAAAADAAAABgAAAFgAAAAAAAAAAwAAAAYAAABcAAAAAAAAAAMAAAAGAAAAYAAAAAAAAAADAAAABgAAAGQAAAAAAAAAAwAAAAYAAABoAAAAAAAAAAMAAAAGAAAAbAAAAAAAAAADAAAABgAAAHAAAAAAAAAAAwAAAAYAAAB0AAAAAAAAAAMAAAAGAAAAeAAAAAAAAAADAAAABgAAAHwAAAAAAAAAAwAAAAYAAACAAAAAAAAAAAMAAAAGAAAAhAAAAAAAAAADAAAABgAAAIgAAAAAAAAAAwAAAAYAAACMAAAAAAAAAAMAAAAGAAAAkAAAAAAAAAADAAAABgAAAJQAAAAAAAAAAwAAAAYAAACYAAAAAAAAAAMAAAAGAAAAnAAAAAAAAAADAAAABgAAAKAAAAAAAAAAAwAAAAYAAACkAAAAAAAAAAMAAAAGAAAAqAAAAAAAAAADAAAABgAAAKwAAAAAAAAAAwAAAAYAAACwAAAAAAAAAAMAAAAGAAAAtAAAAAAAAAADAAAABgAAALgAAAAAAAAAAwAAAAYAAAC8AAAAAAAAAAMAAAAGAAAAwAAAAAAAAAADAAAABgAAAMQAAAAAAAAAAwAAAAYAAADIAAAAAAAAAAMAAAAGAAAAzAAAAAAAAAADAAAABgAAANAAAAAAAAAAAwAAAAYAAADUAAAAAAAAAAMAAAAGAAAA2AAAAAAAAAADAAAABgAAANwAAAAAAAAAAwAAAAYAAADgAAAAAAAAAAMAAAAGAAAA5AAAAAAAAAADAAAABgAAAOgAAAAAAAAAAwAAAAYAAADsAAAAAAAAAAMAAAAGAAAA8AAAAAAAAAADAAAABgAAAPQAAAAAAAAAAwAAAAYAAAD4AAAAAAAAAAMAAAAGAAAA/AAAAAAAAAADAAAABgAAAAABAAAAAAAAAwAAAAYAAAAEAQAAAAAAAAMAAAAGAAAACAEAAAAAAAADAAAABgAAAAwBAAAAAAAAAwAAAAYAAAAQAQAAAAAAAAMAAAAGAAAAFAEAAAAAAAADAAAABgAAABgBAAAAAAAAAwAAAAYAAAAcAQAAAAAAAAMAAAAGAAAAIAEAAAAAAAADAAAABgAAACQBAAAAAAAAAwAAAAYAAAAoAQAAAAAAAAMAAAAGAAAALAEAAAAAAAADAAAABgAAADABAAAAAAAAAwAAAAYAAAA0AQAAAAAAAAMAAAAGAAAAOAEAAAAAAAADAAAABgAAADwBAAAAAAAAAwAAAAYAAABAAQAAAAAAAAMAAAAGAAAARAEAAAAAAAADAAAABgAAAEgBAAAAAAAAAwAAAAYAAABMAQAAAAAAAAMAAAAGAAAAUAEAAAAAAAADAAAABgAAAFQBAAAAAAAAAwAAAAYAAABYAQAAAAAAAAMAAAAGAAAAXAEAAAAAAAADAAAABgAAAGABAAAAAAAAAwAAAAYAAABkAQAAAAAAAAMAAAAGAAAAaAEAAAAAAAADAAAABgAAAGwBAAAAAAAAAwAAAAYAAABwAQAAAAAAAAMAAAAGAAAAdAEAAAAAAAADAAAABgAAAHgBAAAAAAAAAwAAAAYAAAB8AQAAAAAAAAMAAAAGAAAAgAEAAAAAAAADAAAABgAAAIQBAAAAAAAAAwAAAAYAAACIAQAAAAAAAAMAAAAGAAAAjAEAAAAAAAADAAAABgAAAJABAAAAAAAAAwAAAAYAAACUAQAAAAAAAAMAAAAGAAAAmAEAAAAAAAADAAAABgAAAJwBAAAAAAAAAwAAAAYAAACgAQAAAAAAAAMAAAAGAAAApAEAAAAAAAADAAAABgAAAAgAAAAAAAAAAgAAAAwAAAAQAAAAAAAAAAIAAAACAAAAGAAAAAAAAAACAAAAAgAAACAAAAAAAAAAAgAAAAIAAAAoAAAAAAAAAAIAAAACAAAAHAMAAAAAAAAEAAAADAAAACwAAAAAAAAABAAAAAIAAABAAAAAAAAAAAQAAAACAAAAUAAAAAAAAAAEAAAAAgAAAGAAAAAAAAAABAAAAAIAAABwAAAAAAAAAAQAAAACAAAAgAAAAAAAAAAEAAAAAgAAAJAAAAAAAAAABAAAAAIAAACgAAAAAAAAAAQAAAACAAAAsAAAAAAAAAAEAAAAAgAAAMAAAAAAAAAABAAAAAIAAADQAAAAAAAAAAQAAAACAAAA4AAAAAAAAAAEAAAAAgAAAPAAAAAAAAAABAAAAAIAAAAAAQAAAAAAAAQAAAACAAAAEAEAAAAAAAAEAAAAAgAAACABAAAAAAAABAAAAAIAAAAwAQAAAAAAAAQAAAACAAAAQAEAAAAAAAAEAAAAAgAAAFABAAAAAAAABAAAAAIAAABgAQAAAAAAAAQAAAACAAAAcAEAAAAAAAAEAAAAAgAAAIABAAAAAAAABAAAAAIAAACQAQAAAAAAAAQAAAACAAAAoAEAAAAAAAAEAAAAAgAAALABAAAAAAAABAAAAAIAAADAAQAAAAAAAAQAAAACAAAA0AEAAAAAAAAEAAAAAgAAAOABAAAAAAAABAAAAAIAAADwAQAAAAAAAAQAAAACAAAAAAIAAAAAAAAEAAAAAgAAABACAAAAAAAABAAAAAIAAAAgAgAAAAAAAAQAAAACAAAAMAIAAAAAAAAEAAAAAgAAAEACAAAAAAAABAAAAAIAAABQAgAAAAAAAAQAAAACAAAAYAIAAAAAAAAEAAAAAgAAABQAAAAAAAAAAwAAAAgAAAAYAAAAAAAAAAIAAAACAAAAIgAAAAAAAAADAAAACgAAACYAAAAAAAAAAwAAAAoAAAAyAAAAAAAAAAMAAAAKAAAARwAAAAAAAAADAAAACgAAAFwAAAAAAAAAAwAAAAoAAABxAAAAAAAAAAMAAAAKAAAAhgAAAAAAAAADAAAACgAAAJsAAAAAAAAAAwAAAAoAAAC1AAAAAAAAAAIAAAACAAAACwwALmRlYnVnX2FiYnJldgAudGV4dAAucmVsLkJURi5leHQALmRlYnVnX2xvY2xpc3RzAC5yZWwuZGVidWdfc3RyX29mZnNldHMALmRlYnVnX3N0cgAuZGVidWdfbGluZV9zdHIALnJlbC5kZWJ1Z19hZGRyAGRyb3BfYXJwAC5yZWwuZGVidWdfaW5mbwAubGx2bV9hZGRyc2lnAF9saWNlbnNlAC5yZWwuZGVidWdfbGluZQAucmVsLmRlYnVnX2ZyYW1lAHRjAGRyb3BfYXJwX3ZsYW5fZnJvbV9ndzIuYwAuc3RydGFiAC5zeW10YWIALnJlbC5CVEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADhAAAAAwAAAAAAAAAAAAAAAAAAAAAAAABqKAAAAAAAAPoAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAADwAAAAEAAAAGAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAMUAAAABAAAABgAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAkAIAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAACcAAAAAQAAAAMAAAAAAAAAAAAAAAAAAADQAgAAAAAAAAQAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAIgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA1AIAAAAAAABqAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAD4DAAAAAAAAMQEAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAACBAAAAAQAAAAAAAAAAAAAAAAAAAAAAAABvBAAAAAAAANEEAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAfQAAAAkAAABAAAAAAAAAAAAAAAAAAAAASB4AAAAAAABQAAAAAAAAABgAAAAHAAAACAAAAAAAAAAQAAAAAAAAADYAAAABAAAAAAAAAAAAAAAAAAAAAAAAAEAJAAAAAAAAqAEAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAyAAAACQAAAEAAAAAAAAAAAAAAAAAAAACYHgAAAAAAAIAGAAAAAAAAGAAAAAkAAAAIAAAAAAAAABAAAAAAAAAASQAAAAEAAAAwAAAAAAAAAAAAAAAAAAAA6AoAAAAAAADKAwAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAGgAAAABAAAAAAAAAAAAAAAAAAAAAAAAALIOAAAAAAAAMAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAABkAAAACQAAAEAAAAAAAAAAAAAAAAAAAAAYJQAAAAAAAFAAAAAAAAAAGAAAAAwAAAAIAAAAAAAAABAAAAAAAAAA9QAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA5A4AAAAAAABiCQAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAPEAAAAJAAAAQAAAAAAAAAAAAAAAAAAAAGglAAAAAAAAEAAAAAAAAAAYAAAADgAAAAgAAAAAAAAAEAAAAAAAAAAZAAAAAQAAAAAAAAAAAAAAAAAAAAAAAABIGAAAAAAAAHACAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAFQAAAAkAAABAAAAAAAAAAAAAAAAAAAAAeCUAAAAAAABAAgAAAAAAABgAAAAQAAAACAAAAAAAAAAQAAAAAAAAALgAAAABAAAAAAAAAAAAAAAAAAAAAAAAALgaAAAAAAAAKAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAC0AAAACQAAAEAAAAAAAAAAAAAAAAAAAAC4JwAAAAAAACAAAAAAAAAAGAAAABIAAAAIAAAAAAAAABAAAAAAAAAAqAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA4BoAAAAAAAB/AQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAKQAAAAJAAAAQAAAAAAAAAAAAAAAAAAAANgnAAAAAAAAkAAAAAAAAAAYAAAAFAAAAAgAAAAAAAAAEAAAAAAAAABUAAAAAQAAADAAAAAAAAAAAAAAAAAAAABfHAAAAAAAAKsAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAjQAAAANM/28AAACAAAAAAAAAAAAAAAAAaCgAAAAAAAACAAAAAAAAABgAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAOkAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAdAAAAAAAAOAEAAAAAAAABAAAACwAAAAgAAAAAAAAAGAAAAAAAAAA=

J'ai compilé sous x86_64 ⇒ si vous n'arrivez pas à build le code C, vous pouvez simplement mettre le base64 dans une variable puis réécrire le binaire:

$ sudo apt install base64
$ drop_arp_vlan_from_gw_base64='f0VMRgIBAQAAAAAAAAAAAAEA9wABAA.....'
$ echo -n ${drop_arp_vlan_from_gw_base64} | base64 -d >./drop_arp_vlan_from_gw.o
$ tc qdisc add dev enp3s0 clsact
$ tc filter add dev enp3s0 ingress bpf obj ./drop_arp_vlan_from_gw.o sec tc
# vérification
$ tc filter show dev enp3s0 ingress    
filter protocol all pref 49152 bpf chain 0 
filter protocol all pref 49152 bpf chain 0 handle 0x1 drop_arp_vlan_from_gw.o:[tc] not_in_hw id 73 name drop_arp tag 991544dbfd60aaf2 jited

En espérant que ça puisse aider ceux qui ne sont pas à l'aise avec le C ou la compilation d'applications sous Linux ;)

Pour ceux qui souhaitent comprendre ce que sont ces filtres, ce sont des filtres eBPF qui s'appliquent avant le processing du paquet par le kernel, juste après la création du 'skb' (socket buffer) contenant le paquet.
Ci après un schéma simplifié de la stack NETFILTER et l'endroit ou on applique ces filtres:

[Packet enters NIC]
          |
          v
   +----------------+  /!\ 
   |  eBPF/XDP prog |  <-- optional XDP/eBPF at NIC ingress: WE ARE WORKING HERE
   +----------------+  /!\
          |
          v
      [Ingress qdisc]
          |
          v
   +----------------+
   |   PREROUTING   |  <-- raw / mangle / nat tables
   +----------------+
          |
          v
   +----------------+
   | eBPF classifier|  <-- TC BPF hook (optional)
   +----------------+
          |
          v
   +------------------+
   | Routing Decision |
   +------------------+
       |           |
       |           v
       |     [Local delivery]
       |           |
       |           v
       |       +--------+
       |       | INPUT  |  <-- raw / mangle tables
       |       +--------+
       |           |
       |           v
       |       [Socket]
       |
       v
   [FORWARD] <-- raw / mangle tables
       |
       v
   +----------------+
   |  OUTPUT        |  <-- raw / mangle tables
   +----------------+
       |
       v
   +----------------+
   | POSTROUTING    |  <-- mangle / nat tables
   +----------------+
       |
       v
      [Egress qdisc]
          |
          v
   +----------------+
   |  eBPF prog     |  <-- optional TC eBPF / XDP egress
   +----------------+
          |
          v
[Packet leaves NIC]

PS :
je vous invites (tous lecteurs de ce thread) au quotidien à compiler par vous même après relecture du code source plutôt que d'utiliser du code compilé par les autres car au final rien ne garanti que les binaires compilés par les autres n'incluent pas du code indésirable ajouté au code original (ce n'est pas le cas ici mais je comprendrais que certains n'aient pas confiance)

Cordialement
nbanba