[B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose

[B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose

[Antonio Quartulli]

Hi all,
	I'm tring to make some tests on batman-adv with some stations,
but I'm in trouble since I'm not able to "hide" a node to another. In
other words I would like to create some personalized topologies to
to test batman against them.

To do this, first of all, I should block OGMs from a particular station.
I tried with ebtables in order to block all the packets with source MACa
(where MACa is the MAC address of the station I would prevent to
communicate with me), but I failed.

Does anyone know a working way to do what I described before?

Thank you so much!

Regards


-- 
Antonio Quartulli

Ognuno di noi, da solo, non vale nulla 
Ernesto "Che" Guevara

Re: [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose

[Marek Lindner]

Hi,

welcome on our list!  :-)

> To do this, first of all, I should block OGMs from a particular station.
> I tried with ebtables in order to block all the packets with source MACa
> (where MACa is the MAC address of the station I would prevent to
> communicate with me), but I failed.
> 
> Does anyone know a working way to do what I described before?

I think it would be easier to help you, if described in more detail what 
exactly you tried so far and why it was not successful. Please give us all the 
settings & commands involved otherwise we have to guess what is going on.

Cheers,
Marek

Re: [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose

[Antonio Quartulli]

Hi,

On lun, mag 10, 2010 at 01:47:58 +0800, Marek Lindner wrote:
> 
> Hi,
> 
> welcome on our list!  :-)

Thank you! :)

> 
> > To do this, first of all, I should block OGMs from a particular station.
> > I tried with ebtables in order to block all the packets with source MACa
> > (where MACa is the MAC address of the station I would prevent to
> > communicate with me), but I failed.
> > 
> > Does anyone know a working way to do what I described before?
> 
> I think it would be easier to help you, if described in more detail what 
> exactly you tried so far and why it was not successful. Please give us all the 
> settings & commands involved otherwise we have to guess what is going on.

Ok, I'm going to list all the commands I used.
First of all, I'm using the svn version of batman-adv, in order to be up to date.
The topology, actually, is a simple adhoc net between two hosts.

What I did is: inserting the module, activating the if and adding the phy if to bat0:
# insmod batman-adv.ko
# ifconfig bat0 up
# batctl if add  wlan0

Then I tried to block any kind of packets from a known mac (say MACa).

# ebtables -A INPUT -s MACa -j DROP

After this I checked with "battctl o" if I was still able to see the other host, and even waiting a few minutes, the host was still in the list.

What am I missing?
I tried also using the FORWARD chain of ebtables, and also adding more constraints on the filer, but it didn't help.

I hope to have explained it clearly.

Regards
Antonio

Re: [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose

[Linus Lüssing]

Hi Antonio,

>Then I tried to block any kind of packets from a known mac (say MACa).
>
># ebtables -A INPUT -s MACa -j DROP
>
>After this I checked with "battctl o" if I was still able to see the other host, and even waiting a few minutes, the host was still in the list.

I tried it on two routers with ebtables and iptables here, too. I fired away all (redundant and like the forwarding stuff usually even useless) commands that came to my mind that could possibly block ANY traffic at all:
---
ebtables -A INPUT -j DROP
ebtables -A OUTPUT -j DROP
ebtables -A FORWARD -j DROP
ebtables -t broute -A BROUTING -j DROP
ebtables -t nat -A PREROUTING -j DROP
iptables -I INPUT -m physdev --physdev-is-in -j DROP
iptables -I OUDPUT -m physdev --physdev-is-out -j DROP
iptables -I FORWARD -m physdev --physdev-is-brigded -j DROP
---
Of course, no ssh connection and stuff like that and basically no other communication got through... despite batman-adv's OGMs and batping packets, looking at that over a serial console! So it looks like batman-adv is getting hold of the OGMs before any filtering rules of the iptables/ebtables modules can get hold of them.

Additionally, the iptables/ebtables packet counts didn't seem to recognise any packets. 

So it looks like either this is intended and batman-adv is also a very stealthy super-trojan (but couldn't find any proof for this in the source code yet ;) ) or batman-adv is just mistakenly catching them (and maybe even dropping them although the skb-copy should prevent this?) before the kernel or any other (filtering) kernel modules could have a glance at them.

I'm sorry having said that this should work on IRC before, but filtering (even bridged) arp/ip-packets over bat0 works like a charm - hadn't tried filtering raw batman-adv ethernet frames yet.

Cheers, Linus
___________________________________________________________
GRATIS: Movie-Flat mit über 300 Top-Videos. Für WEB.DE Nutzer
dauerhaft kostenlos! Jetzt freischalten unter http://movieflat.web.de

Re: [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose

[Antonio Quartulli]

Hi Linus,

thank you for your time spent on my problem :)

The problem seems to be that iptables filters only packets that are sent
to IP layer and over..so any packet
intended for a protocol living on a layer lower than IP is not recognized
(e.g. batman frame).

Ebtables instead works only on eth bridges...I tried it because I thought
that bat0 was acting like a bridge indeed
but this is not the case...The only solution I thought could be this:
create a bridge-if br0, attach wlan0 to it and then 
attach br0 to bat0 and then you could let ebtables work between wlan0 and
br0....maybe it could work...
But attaching a wlan-if to a eth-bridge-if is not actually possible.

So it seems that batman-adv is too clever for us :P

Regards,

On Wed, 12 May 2010 23:02:50 +0200 (CEST), Linus Lüssing
<linus.luessing@web.de> wrote:
> Hi Antonio,
> 
>>Then I tried to block any kind of packets from a known mac (say MACa).
>>
>># ebtables -A INPUT -s MACa -j DROP
>>
>>After this I checked with "battctl o" if I was still able to see the
>>other host, and even waiting a few minutes, the host was still in the
>>list.
> 
> I tried it on two routers with ebtables and iptables here, too. I fired
> away all (redundant and like the forwarding stuff usually even useless)
> commands that came to my mind that could possibly block ANY traffic at
all:
> ---
> ebtables -A INPUT -j DROP
> ebtables -A OUTPUT -j DROP
> ebtables -A FORWARD -j DROP
> ebtables -t broute -A BROUTING -j DROP
> ebtables -t nat -A PREROUTING -j DROP
> iptables -I INPUT -m physdev --physdev-is-in -j DROP
> iptables -I OUDPUT -m physdev --physdev-is-out -j DROP
> iptables -I FORWARD -m physdev --physdev-is-brigded -j DROP
> ---
> Of course, no ssh connection and stuff like that and basically no other
> communication got through... despite batman-adv's OGMs and batping
packets,
> looking at that over a serial console! So it looks like batman-adv is
> getting hold of the OGMs before any filtering rules of the
> iptables/ebtables modules can get hold of them.
> 
> Additionally, the iptables/ebtables packet counts didn't seem to
recognise
> any packets. 
> 
> So it looks like either this is intended and batman-adv is also a very
> stealthy super-trojan (but couldn't find any proof for this in the
source
> code yet ;) ) or batman-adv is just mistakenly catching them (and maybe
> even dropping them although the skb-copy should prevent this?) before
the
> kernel or any other (filtering) kernel modules could have a glance at
them.
> 
> I'm sorry having said that this should work on IRC before, but filtering
> (even bridged) arp/ip-packets over bat0 works like a charm - hadn't
tried
> filtering raw batman-adv ethernet frames yet.
> 
> Cheers, Linus
> ___________________________________________________________
> GRATIS: Movie-Flat mit über 300 Top-Videos. Für WEB.DE Nutzer
> dauerhaft kostenlos! Jetzt freischalten unter http://movieflat.web.de

-- 
Antonio Quartulli

Ognuno di noi, da solo, non vale nulla
Ernesto "Che" Guevara

Re: [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose

[Marek Lindner]

Hey,

> The problem seems to be that iptables filters only packets that are sent
> to IP layer and over..so any packet intended for a protocol living on a
> layer lower than IP is not recognized (e.g. batman frame).

I'd say you are right here.


> Ebtables instead works only on eth bridges...I tried it because I thought
> that bat0 was acting like a bridge indeed but this is not the case...The
> only solution I thought could be this: create a bridge-if br0, attach wlan0
> to it and then attach br0 to bat0 and then you could let ebtables work
> between wlan0 and br0....maybe it could work...
> But attaching a wlan-if to a eth-bridge-if is not actually possible.

At the WCW we sat together to discuss the issue. The easiest thing to test 
would be this: You create a bridge "br0" and add the wifi interface batman 
usually runs on (e.g. wlan0). Then you configure batman-adv to run on the 
bridge instead on wlan0 directly (batctl if add br0). Since the packets travel 
through the bridge interface first, it might be possible to drop them there. 

Be sure to create an individual bridge interface for each wifi interface you 
want to run batman-adv on. The purpose of the bridge interface is to allow 
packet filtering, not to bridge interfaces.

Please let us know how it goes.  :-)

Cheers,
Marek

Re: [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose

[Antonio Quartulli]

Hi!

On lun, mag 17, 2010 at 03:37:44 +0800, Marek Lindner wrote:
> 
> Hey,
> 
> > The problem seems to be that iptables filters only packets that are sent
> > to IP layer and over..so any packet intended for a protocol living on a
> > layer lower than IP is not recognized (e.g. batman frame).
> 
> I'd say you are right here.
> 

> 
> > Ebtables instead works only on eth bridges...I tried it because I thought
> > that bat0 was acting like a bridge indeed but this is not the case...The
> > only solution I thought could be this: create a bridge-if br0, attach wlan0
> > to it and then attach br0 to bat0 and then you could let ebtables work
> > between wlan0 and br0....maybe it could work...
> > But attaching a wlan-if to a eth-bridge-if is not actually possible.
> 
> At the WCW we sat together to discuss the issue. The easiest thing to test 
> would be this: You create a bridge "br0" and add the wifi interface batman 
> usually runs on (e.g. wlan0). Then you configure batman-adv to run on the 
> bridge instead on wlan0 directly (batctl if add br0). Since the packets travel 
> through the bridge interface first, it might be possible to drop them there. 
> 

It is what i described just a few rows before..the problem is that
adding wlan0 interface to a eth-bridge (using cfg80211 driver) is not possible (due to
operation not permitted error, probably because devs don't want to do
that :P) either with iwlagn or rt2x00

:(:(:(

> Be sure to create an individual bridge interface for each wifi interface you 
> want to run batman-adv on. The purpose of the bridge interface is to allow 
> packet filtering, not to bridge interfaces.
> 
> Please let us know how it goes.  :-)
> 
> Cheers,
> Marek

Regards

-- 
Antonio Quartulli

Ognuno di noi, da solo, non vale nulla 
Ernesto "Che" Guevara

Re: [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose

[Marek Lindner]

On Monday 17 May 2010 05:27:55 Antonio Quartulli wrote:
> It is what i described just a few rows before..the problem is that
> adding wlan0 interface to a eth-bridge (using cfg80211 driver) is not
> possible (due to operation not permitted error, probably because devs
> don't want to do that :P) either with iwlagn or rt2x00

Ok, I did not quite get that the first time but it seems you are right: The wifi 
stack sets IFF_DONT_BRIDGE on any wifi interface in adhoc or station mode to 
keep it from being added to a bridge. Normally, this would be a very correct 
behaviour ..

Then we have to add ebtables support by calling some ebtables hooks that will 
tell us whether or not to drop the packet ? Is that possible (I'm not the 
ebtables expert here) ?  :-)

Cheers,
Marek

Re: [B.A.T.M.A.N.] Blocking OGMs from a node for testing purpose

[Antonio Quartulli]

On lun, mag 17, 2010 at 06:53:01 +0800, Marek Lindner wrote:
> On Monday 17 May 2010 05:27:55 Antonio Quartulli wrote:
> > It is what i described just a few rows before..the problem is that
> > adding wlan0 interface to a eth-bridge (using cfg80211 driver) is not
> > possible (due to operation not permitted error, probably because devs
> > don't want to do that :P) either with iwlagn or rt2x00
> 
> Ok, I did not quite get that the first time but it seems you are right: The wifi 
> stack sets IFF_DONT_BRIDGE on any wifi interface in adhoc or station mode to 
> keep it from being added to a bridge. Normally, this would be a very correct 
> behaviour ..
> 
> Then we have to add ebtables support by calling some ebtables hooks that will 
> tell us whether or not to drop the packet ? Is that possible (I'm not the 
> ebtables expert here) ?  :-)
> 
I'm not an expert too :P But it would be very nice, in this way bat0
could be controlled like a bridge.

Thanks.

> Cheers,
> Marek

-- 
Antonio Quartulli

Ognuno di noi, da solo, non vale nulla 
Ernesto "Che" Guevara

[B.A.T.M.A.N.] [PATCH] batman-adv: Adding netfilter-bridge hooks

[Linus Lüssing]

batman-adv is receiving and sending the packets of its own ether type
on a very early/low level. Therefore we need to add explicit hooks to
give netfilter/ebtables a chance to filter them.

Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Reported-by: Antonio Quartulli <ordex@ritirata.org>
---
 batman-adv-kernelland/hard-interface.c |   17 +++++++++++++++--
 batman-adv-kernelland/send.c           |    8 ++++++--
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/batman-adv-kernelland/hard-interface.c b/batman-adv-kernelland/hard-interface.c
index cc7fbae..6a64930 100644
--- a/batman-adv-kernelland/hard-interface.c
+++ b/batman-adv-kernelland/hard-interface.c
@@ -28,9 +28,11 @@
 #include "bat_sysfs.h"
 #include "originator.h"
 #include "hash.h"
-#include "compat.h"
 
 #include <linux/if_arp.h>
+#include <linux/netfilter_bridge.h>
+
+#include "compat.h"
 
 #define MIN(x, y) ((x) < (y) ? (x) : (y))
 
@@ -433,6 +435,11 @@ out:
 	return NOTIFY_DONE;
 }
 
+int batman_skb_recv_finish(struct sk_buff *skb)
+{
+	return NF_ACCEPT;
+}
+
 /* receive a packet with the batman ethertype coming on a hard
  * interface */
 int batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
@@ -452,6 +459,13 @@ int batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
 	if (atomic_read(&module_state) != MODULE_ACTIVE)
 		goto err_free;
 
+	/* if netfilter/ebtables wants to block incoming batman
+	 * packets then give them a chance to do so here */
+	ret = NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, dev, NULL,
+		      batman_skb_recv_finish);
+	if (ret != 1)
+		goto err_out;
+
 	/* packet should hold at least type and version */
 	if (unlikely(skb_headlen(skb) < 2))
 		goto err_free;
@@ -531,7 +545,6 @@ err_out:
 	return NET_RX_DROP;
 }
 
-
 struct notifier_block hard_if_notifier = {
 	.notifier_call = hard_if_event,
 };
diff --git a/batman-adv-kernelland/send.c b/batman-adv-kernelland/send.c
index 99d11fe..b0d3627 100644
--- a/batman-adv-kernelland/send.c
+++ b/batman-adv-kernelland/send.c
@@ -29,6 +29,7 @@
 #include "vis.h"
 #include "aggregation.h"
 #include "gateway_common.h"
+#include <linux/netfilter_bridge.h>
 
 #include "compat.h"
 
@@ -93,9 +94,12 @@ int send_skb_packet(struct sk_buff *skb,
 
 	/* dev_queue_xmit() returns a negative result on error.	 However on
 	 * congestion and traffic shaping, it drops and returns NET_XMIT_DROP
-	 * (which is > 0). This will not be treated as an error. */
+	 * (which is > 0). This will not be treated as an error.
+	 * Also, if netfilter/ebtables wants to block outgoing batman
+	 * packets then giving them a chance to do so here */
 
-	return dev_queue_xmit(skb);
+	return NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
+		       dev_queue_xmit);
 send_skb_err:
 	kfree_skb(skb);
 	return NET_XMIT_DROP;
-- 
1.5.6.5

Re: [B.A.T.M.A.N.] [PATCH] batman-adv: Adding netfilter-bridge hooks

[Antonio Quartulli]

Hi all,

On Wed, May 19, 2010 at 03:25:49AM +0200, Linus Lüssing wrote:
> batman-adv is receiving and sending the packets of its own ether type
> on a very early/low level. Therefore we need to add explicit hooks to
> give netfilter/ebtables a chance to filter them.
> 
> Signed-off-by: Linus Lüssing <linus.luessing@web.de>
> Reported-by: Antonio Quartulli <ordex@ritirata.org>
> ---
>  batman-adv-kernelland/hard-interface.c |   17 +++++++++++++++--
>  batman-adv-kernelland/send.c           |    8 ++++++--
>  2 files changed, 21 insertions(+), 4 deletions(-)
> 
> diff --git a/batman-adv-kernelland/hard-interface.c b/batman-adv-kernelland/hard-interface.c
> index cc7fbae..6a64930 100644
> --- a/batman-adv-kernelland/hard-interface.c
> +++ b/batman-adv-kernelland/hard-interface.c
> @@ -28,9 +28,11 @@
>  #include "bat_sysfs.h"
>  #include "originator.h"
>  #include "hash.h"
> -#include "compat.h"
>  
>  #include <linux/if_arp.h>
> +#include <linux/netfilter_bridge.h>
> +
> +#include "compat.h"
>  
>  #define MIN(x, y) ((x) < (y) ? (x) : (y))
>  
> @@ -433,6 +435,11 @@ out:
>  	return NOTIFY_DONE;
>  }
>  
> +int batman_skb_recv_finish(struct sk_buff *skb)
> +{
> +	return NF_ACCEPT;
> +}
> +
>  /* receive a packet with the batman ethertype coming on a hard
>   * interface */
>  int batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
> @@ -452,6 +459,13 @@ int batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
>  	if (atomic_read(&module_state) != MODULE_ACTIVE)
>  		goto err_free;
>  
> +	/* if netfilter/ebtables wants to block incoming batman
> +	 * packets then give them a chance to do so here */
> +	ret = NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, dev, NULL,
> +		      batman_skb_recv_finish);
> +	if (ret != 1)
> +		goto err_out;
> +
>  	/* packet should hold at least type and version */
>  	if (unlikely(skb_headlen(skb) < 2))
>  		goto err_free;
> @@ -531,7 +545,6 @@ err_out:
>  	return NET_RX_DROP;
>  }
>  
> -
>  struct notifier_block hard_if_notifier = {
>  	.notifier_call = hard_if_event,
>  };
> diff --git a/batman-adv-kernelland/send.c b/batman-adv-kernelland/send.c
> index 99d11fe..b0d3627 100644
> --- a/batman-adv-kernelland/send.c
> +++ b/batman-adv-kernelland/send.c
> @@ -29,6 +29,7 @@
>  #include "vis.h"
>  #include "aggregation.h"
>  #include "gateway_common.h"
> +#include <linux/netfilter_bridge.h>
>  
>  #include "compat.h"
>  
> @@ -93,9 +94,12 @@ int send_skb_packet(struct sk_buff *skb,
>  
>  	/* dev_queue_xmit() returns a negative result on error.	 However on
>  	 * congestion and traffic shaping, it drops and returns NET_XMIT_DROP
> -	 * (which is > 0). This will not be treated as an error. */
> +	 * (which is > 0). This will not be treated as an error.
> +	 * Also, if netfilter/ebtables wants to block outgoing batman
> +	 * packets then giving them a chance to do so here */
>  
> -	return dev_queue_xmit(skb);
> +	return NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
> +		       dev_queue_xmit);
>  send_skb_err:
>  	kfree_skb(skb);
>  	return NET_XMIT_DROP;
> -- 
> 1.5.6.5

I gave a try to this patch, but I see something strange.
After enabling a simple ebtables rule:
ebtables -A INPUT -s MAC -j DROP
and
ebtables -A FORWARD -s MAC -j DROP (to be sure..)

I saw that batman ping was timing out, while the "originator list" (shown
with batctl o) is still filled with the other node entry...

I did something wrong?

Regards


-- 
Antonio Quartulli

Ognuno di noi, da solo, non vale nulla 
Ernesto "Che" Guevara

Re: [B.A.T.M.A.N.] [PATCH] batman-adv: Adding netfilter-bridge hooks

[Linus Lüssing]

>
>I gave a try to this patch, but I see something strange.
>After enabling a simple ebtables rule:
>ebtables -A INPUT -s MAC -j DROP
>and
>ebtables -A FORWARD -s MAC -j DROP (to be sure..)
>
>I saw that batman ping was timing out, while the "originator list" (shown
>with batctl o) is still filled with the other node entry...

Hi Antonio,

thanks for trying the patch! In my case, it worked, I tried it with
ebtables -I INPUT -s MAC -j DROP or
ebtables -I INPUT -p 0x4305 -j DROP
(and the same for -I OUTPUT)

batctl td reported, that it's not receiving any batman packets anymore and also
the originator table was empty after a couple of minutes.

Hmm, and also that batping is timing out for you seems to indicate that it should work
on your side. Could you check with batctl td too? How long have you been waiting for
the originator table to clear? (dead nodes are not being cleared immediately in batman,
as they don't harm the routing decisions and we still need the last measurements in case they
might get alive again)

Cheers, Linus
___________________________________________________________
NEU: WEB.DE DSL für 19,99 EUR/mtl. und ohne Mindest-Laufzeit!
http://produkte.web.de/go/02/

Re: [B.A.T.M.A.N.] [PATCH] batman-adv: Adding netfilter-bridge hooks

[Antonio Quartulli]

On ven, mag 21, 2010 at 12:17:28 +0200, Linus Lüssing wrote:
> >
> >I gave a try to this patch, but I see something strange.
> >After enabling a simple ebtables rule:
> >ebtables -A INPUT -s MAC -j DROP
> >and
> >ebtables -A FORWARD -s MAC -j DROP (to be sure..)
> >
> >I saw that batman ping was timing out, while the "originator list" (shown
> >with batctl o) is still filled with the other node entry...
> 
> Hi Antonio,
> 
> thanks for trying the patch! In my case, it worked, I tried it with
> ebtables -I INPUT -s MAC -j DROP or
> ebtables -I INPUT -p 0x4305 -j DROP
> (and the same for -I OUTPUT)
> 
> batctl td reported, that it's not receiving any batman packets anymore and also
> the originator table was empty after a couple of minutes.
> 
> Hmm, and also that batping is timing out for you seems to indicate that it should work
> on your side. Could you check with batctl td too? How long have you been waiting for
> the originator table to clear? (dead nodes are not being cleared immediately in batman,
> as they don't harm the routing decisions and we still need the last measurements in case they
> might get alive again)
> 
> Cheers, Linus

Hi Linus,
	I thought that the dead node should be pushed away after a
while, not 3 minutes. So that was my mistake...indeed everything was working correctly!

I tried it again five minutes ago, and everything went as I expected!

Thanks very much!

Regards

P.S. batctl td was not so usefull since I have to point it to wlan0..and
obviously I can see all the packets there.

-- 
Antonio Quartulli

Ognuno di noi, da solo, non vale nulla 
Ernesto "Che" Guevara

Re: [B.A.T.M.A.N.] [PATCH] batman-adv: Adding netfilter-bridge hooks

[Marek Lindner]

Hey,

>  I thought that the dead node should be pushed away after a
> while, not 3 minutes. So that was my mistake...indeed everything was
> working correctly!
> 
> I tried it again five minutes ago, and everything went as I expected!

I just pushed the patch (revision 1678). Thanks for bringing it up and thanks 
to Linus for fixing it.

Cheers,
Marek

Re: [B.A.T.M.A.N.] [PATCH] batman-adv: Adding netfilter-bridge hooks

[Linus Lüssing]

>Hi Linus,
>	I thought that the dead node should be pushed away after a
>while, not 3 minutes. So that was my mistake...indeed everything was working correctly!
>
>I tried it again five minutes ago, and everything went as I expected!
>
>Thanks very much!

Great! You're welcome :). Feel free to share any interesting tests and results with this 
manual, explicit filtering capabilities.

>P.S. batctl td was not so usefull since I have to point it to wlan0..and
>obviously I can see all the packets there.
Usually I my self am using "batctl td" in conjunction with grep. For instance I'm having an interface which is nearly only
having batman-adv traffic. I'm also usuallly not deactivating IPv6 so I get some annoying extra packets in batctl td -
but I can easily get rid of this with " batctl td | grep -v "Warning" ". '-v' is pretty handy to throw out undesired lines from
the output.

Cheers, Linus

>
>-- 
>Antonio Quartulli
>
>Ognuno di noi, da solo, non vale nulla 
>Ernesto "Che" Guevara
___________________________________________________________
NEU: WEB.DE DSL für 19,99 EUR/mtl. und ohne Mindest-Laufzeit!
http://produkte.web.de/go/02/